xref: /trunk/main/nss/nss_win.patch (revision 24c6acd6786af3ed40680d07d6c87a47b603fd89)
1*13effbfbSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/sign.c   2016-06-20 14:11:28.000000000 -0300
2*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/sign.c 2019-11-01 13:32:56.496828470 -0300
3*13effbfbSDon Lewis@@ -8,6 +8,10 @@
4*13effbfbSDon Lewis #include "blapi.h"
5*13effbfbSDon Lewis #include "sechash.h" /* for HASH_GetHashObject() */
6*13effbfbSDon Lewis
7*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1900
8*13effbfbSDon Lewis+#define snprintf _snprintf
9*13effbfbSDon Lewis+#endif
10*13effbfbSDon Lewis+
11*13effbfbSDon Lewis static int create_pk7(char *dir, char *keyName, int *keyType);
12*13effbfbSDon Lewis static int jar_find_key_type(CERTCertificate *cert);
13*13effbfbSDon Lewis static int manifesto(char *dirname, char *install_script, PRBool recurse);
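Review bot: The `#define snprintf _snprintf` fallback for MSVC older than 1900 is not a drop-in replacement, and nothing at the definition says so. `_snprintf` writes no terminating NUL when the output fills the buffer and returns a negative value on truncation instead of the would-be length. A caller that ignores the return value, or stores it in a type where the negative result is not caught, can end up using an unterminated path buffer. The later sign.c sections of this patch switch the visible calls to `PR_snprintf`, so if no plain `snprintf` remains in the file the macro can simply be dropped. Otherwise I would add `/* _snprintf: no NUL on truncation, returns < 0; callers must check and terminate */` above the define.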
14*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/Makefile misc/build/nss-3.39/nss/cmd/Makefile
15*13effbfbSDon Lewis--- misc/nss-3.39/nss/cmd/Makefile  2018-08-31 05:55:53.000000000 -0700
16*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/cmd/Makefile    2018-10-22 14:53:30.297923000 -0700
17*13effbfbSDon Lewis@@ -21,7 +21,8 @@
18*13effbfbSDon Lewis FIPSTEST_SRCDIR =
19*13effbfbSDon Lewis SHLIBSIGN_SRCDIR =
20*13effbfbSDon Lewis else
21*13effbfbSDon Lewis-BLTEST_SRCDIR = bltest
22*13effbfbSDon Lewis+# BLTEST_SRCDIR = bltest
23*13effbfbSDon Lewis+BLTEST_SRCDIR =
24*13effbfbSDon Lewis ECPERF_SRCDIR = ecperf
25*13effbfbSDon Lewis FREEBL_ECTEST_SRCDIR = fbectest
26*13effbfbSDon Lewis FIPSTEST_SRCDIR = fipstest
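Review bot: Emptying `BLTEST_SRCDIR` removes the bltest directory from this build without recording why, and the old assignment is left behind as a commented-out line. bltest appears to be the freebl test driver, so a build made with this patch would carry less test coverage of the crypto library than upstream does. I would replace the commented-out line with a reason, for example `# bltest disabled: <reason, e.g. compiler limitation on this platform>`, so the override can be removed once that reason no longer holds. The enclosing conditional starts outside the hunk.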
27*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/lib/secutil.c misc/build/nss-3.39/nss/cmd/lib/secutil.c
28*13effbfbSDon Lewis--- misc/nss-3.39/nss/cmd/lib/secutil.c 2018-08-31 05:55:53.000000000 -0700
29*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/cmd/lib/secutil.c   2018-10-22 10:44:05.694582000 -0700
30*13effbfbSDon Lewis@@ -217,6 +217,7 @@
31*13effbfbSDon Lewis     secuPWData *pwdata = (secuPWData *)arg;
32*13effbfbSDon Lewis     secuPWData pwnull = { PW_NONE, 0 };
33*13effbfbSDon Lewis     secuPWData pwxtrn = { PW_EXTERNAL, "external" };
34*13effbfbSDon Lewis+    char *pw;
35*13effbfbSDon Lewis
36*13effbfbSDon Lewis     if (pwdata == NULL)
37*13effbfbSDon Lewis         pwdata = &pwnull;
38*13effbfbSDon Lewis@@ -240,7 +241,7 @@
39*13effbfbSDon Lewis             sprintf(prompt,
40*13effbfbSDon Lewis                     "Press Enter, then enter PIN for \"%s\" on external device.\n",
41*13effbfbSDon Lewis                     PK11_GetTokenName(slot));
42*13effbfbSDon Lewis-            char *pw = SECU_GetPasswordString(NULL, prompt);
43*13effbfbSDon Lewis+            pw = SECU_GetPasswordString(NULL, prompt);
44*13effbfbSDon Lewis             PORT_Free(pw);
45*13effbfbSDon Lewis         /* Fall Through */
46*13effbfbSDon Lewis         case PW_PLAINTEXT:
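Review bot: Whatever the user types at this prompt comes back from `SECU_GetPasswordString` in `pw` and is released with plain `PORT_Free`, so the bytes remain in freed heap memory. Since the assignment is being touched anyway, clear the buffer before releasing it: `if (pw) PORT_ZFree(pw, PORT_Strlen(pw));`. The `sprintf` into `prompt` just above is unbounded with respect to the token name. The declaration of `prompt` is outside the hunk, so confirm it can hold the longest name or switch that call to a bounded formatter. The function body starts and ends outside the hunk.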
47*13effbfbSDon Lewis@@ -3841,10 +3842,11 @@
48*13effbfbSDon Lewis countItems(const char *arg, unsigned int *numItems)
49*13effbfbSDon Lewis {
50*13effbfbSDon Lewis     char *str = PORT_Strdup(arg);
51*13effbfbSDon Lewis+    char *p;
52*13effbfbSDon Lewis     if (!str) {
53*13effbfbSDon Lewis         return SECFailure;
54*13effbfbSDon Lewis     }
55*13effbfbSDon Lewis-    char *p = strtok(str, ",");
56*13effbfbSDon Lewis+    p = strtok(str, ",");
57*13effbfbSDon Lewis     while (p) {
58*13effbfbSDon Lewis         ++(*numItems);
59*13effbfbSDon Lewis         p = strtok(NULL, ",");
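Review bot: `countItems` increments `*numItems` without ever setting it, so the result is only a count when the caller has zeroed the variable first. The caller visible further down does initialise `numValues = 0`, but nothing documents that contract. Either add `*numItems = 0;` before the `strtok` loop or state the requirement in a comment above the function, e.g. `/* Adds the number of comma-separated tokens in arg to *numItems; caller must zero it. */`. Note also that `strtok` skips empty fields, so `"a,,b"` counts as two items. The rest of the function body lies outside the hunk.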
60*13effbfbSDon Lewis@@ -3943,6 +3945,8 @@
61*13effbfbSDon Lewis     SSLSignatureScheme *schemes;
62*13effbfbSDon Lewis     unsigned int numValues = 0;
63*13effbfbSDon Lewis     unsigned int count = 0;
64*13effbfbSDon Lewis+    char *str;
65*13effbfbSDon Lewis+    char *p;
66*13effbfbSDon Lewis
67*13effbfbSDon Lewis     if (countItems(arg, &numValues) != SECSuccess) {
68*13effbfbSDon Lewis         return SECFailure;
69*13effbfbSDon Lewis@@ -3953,11 +3957,11 @@
70*13effbfbSDon Lewis     }
71*13effbfbSDon Lewis
72*13effbfbSDon Lewis     /* Get group names. */
73*13effbfbSDon Lewis-    char *str = PORT_Strdup(arg);
74*13effbfbSDon Lewis+    str = PORT_Strdup(arg);
75*13effbfbSDon Lewis     if (!str) {
76*13effbfbSDon Lewis         goto done;
77*13effbfbSDon Lewis     }
78*13effbfbSDon Lewis-    char *p = strtok(str, ",");
79*13effbfbSDon Lewis+    p = strtok(str, ",");
80*13effbfbSDon Lewis     while (p) {
81*13effbfbSDon Lewis         SSLSignatureScheme scheme = schemeNameToScheme(p);
82*13effbfbSDon Lewis         if (scheme == ssl_sig_none) {
83*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/signtool/javascript.c misc/build/nss-3.39/nss/cmd/signtool/javascript.c
84*13effbfbSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/javascript.c 2018-08-31 05:55:53.000000000 -0700
85*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/javascript.c   2018-10-22 15:02:16.878938000 -0700
86*13effbfbSDon Lewis@@ -1672,7 +1672,7 @@
87*13effbfbSDon Lewis {
88*13effbfbSDon Lewis     char fn[FNSIZE];
89*13effbfbSDon Lewis     PRDir *dir;
90*13effbfbSDon Lewis-    int c = snprintf(fn, sizeof(fn), "%s/%s", basepath, path);
91*13effbfbSDon Lewis+    int c = PR_snprintf(fn, sizeof(fn), "%s/%s", basepath, path);
92*13effbfbSDon Lewis     if (c >= sizeof(fn)) {
93*13effbfbSDon Lewis         return PR_FAILURE;
94*13effbfbSDon Lewis     }
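Review bot: Switching to `PR_snprintf` silently disables the truncation check that follows it. `PR_snprintf` truncates to the buffer and returns the number of characters it actually stored (or `(PRUint32)-1` on error), so on an over-long `basepath`/`path` the result is at most `sizeof(fn) - 1` and `c >= sizeof(fn)` is never true. The code then carries on with a shortened path, which in a signing tool means operating on a different file or directory than the one named. Treat a full buffer as truncation instead: `if (c < 0 || (size_t)c >= sizeof(fn) - 1) return PR_FAILURE;`. The same applies to every `count >= sizeof(tempfn)`, `sizeof(fullfn)` and `sizeof(fullname)` check in the sign.c hunks below.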
95*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/signtool/sign.c misc/build/nss-3.39/nss/cmd/signtool/sign.c
96*13effbfbSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/sign.c   2018-08-31 05:55:53.000000000 -0700
97*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/sign.c 2018-10-22 15:01:53.353243000 -0700
98*13effbfbSDon Lewis@@ -82,13 +82,13 @@
99*13effbfbSDon Lewis         }
100*13effbfbSDon Lewis
101*13effbfbSDon Lewis         /* rsa/dsa to zip */
102*13effbfbSDon Lewis-        count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
103*13effbfbSDon Lewis+        count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
104*13effbfbSDon Lewis         if (count >= sizeof(tempfn)) {
105*13effbfbSDon Lewis             PR_fprintf(errorFD, "unable to write key metadata\n");
106*13effbfbSDon Lewis             errorCount++;
107*13effbfbSDon Lewis             exit(ERRX);
108*13effbfbSDon Lewis         }
109*13effbfbSDon Lewis-        count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
110*13effbfbSDon Lewis+        count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
111*13effbfbSDon Lewis         if (count >= sizeof(fullfn)) {
112*13effbfbSDon Lewis             PR_fprintf(errorFD, "unable to write key metadata\n");
113*13effbfbSDon Lewis             errorCount++;
114*13effbfbSDon Lewis@@ -103,7 +103,7 @@
115*13effbfbSDon Lewis     }
116*13effbfbSDon Lewis     /* mf to zip */
117*13effbfbSDon Lewis     strcpy(tempfn, "META-INF/manifest.mf");
118*13effbfbSDon Lewis-    count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
119*13effbfbSDon Lewis+    count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
120*13effbfbSDon Lewis     if (count >= sizeof(fullfn)) {
121*13effbfbSDon Lewis         PR_fprintf(errorFD, "unable to write manifest\n");
122*13effbfbSDon Lewis         errorCount++;
123*13effbfbSDon Lewis@@ -112,13 +112,13 @@
124*13effbfbSDon Lewis     JzipAdd(fullfn, tempfn, zipfile, compression_level);
125*13effbfbSDon Lewis
126*13effbfbSDon Lewis     /* sf to zip */
127*13effbfbSDon Lewis-    count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base);
128*13effbfbSDon Lewis+    count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base);
129*13effbfbSDon Lewis     if (count >= sizeof(tempfn)) {
130*13effbfbSDon Lewis         PR_fprintf(errorFD, "unable to write sf metadata\n");
131*13effbfbSDon Lewis         errorCount++;
132*13effbfbSDon Lewis         exit(ERRX);
133*13effbfbSDon Lewis     }
134*13effbfbSDon Lewis-    count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
135*13effbfbSDon Lewis+    count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
136*13effbfbSDon Lewis     if (count >= sizeof(fullfn)) {
137*13effbfbSDon Lewis         PR_fprintf(errorFD, "unable to write sf metadata\n");
138*13effbfbSDon Lewis         errorCount++;
139*13effbfbSDon Lewis@@ -129,13 +129,13 @@
140*13effbfbSDon Lewis     /* Add the rsa/dsa file to the zip archive normally */
141*13effbfbSDon Lewis     if (!xpi_arc) {
142*13effbfbSDon Lewis         /* rsa/dsa to zip */
143*13effbfbSDon Lewis-        count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
144*13effbfbSDon Lewis+        count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
145*13effbfbSDon Lewis         if (count >= sizeof(tempfn)) {
146*13effbfbSDon Lewis             PR_fprintf(errorFD, "unable to write key metadata\n");
147*13effbfbSDon Lewis             errorCount++;
148*13effbfbSDon Lewis             exit(ERRX);
149*13effbfbSDon Lewis         }
150*13effbfbSDon Lewis-        count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
151*13effbfbSDon Lewis+        count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
152*13effbfbSDon Lewis         if (count >= sizeof(fullfn)) {
153*13effbfbSDon Lewis             PR_fprintf(errorFD, "unable to write key metadata\n");
154*13effbfbSDon Lewis             errorCount++;
155*13effbfbSDon Lewis@@ -456,7 +456,7 @@
156*13effbfbSDon Lewis         if (!PL_HashTableLookup(extensions, ext))
157*13effbfbSDon Lewis             return 0;
158*13effbfbSDon Lewis     }
159*13effbfbSDon Lewis-    count = snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath);
160*13effbfbSDon Lewis+    count = PR_snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath);
161*13effbfbSDon Lewis     if (count >= sizeof(fullname)) {
162*13effbfbSDon Lewis         return 1;
163*13effbfbSDon Lewis     }
164*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h misc/build/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h
165*13effbfbSDon Lewis--- misc/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h 2018-08-31 05:55:53.000000000 -0700
166*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h   2018-10-21 01:47:24.131348000 -0700
167*13effbfbSDon Lewis@@ -5,7 +5,23 @@
168*13effbfbSDon Lewis /* https://github.com/BLAKE2/BLAKE2/blob/master/testvectors/blake2b-kat.txt */
169*13effbfbSDon Lewis
170*13effbfbSDon Lewis #include <vector>
171*13effbfbSDon Lewis-#include <stdint.h>
172*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
173*13effbfbSDon Lewis+ #ifdef _WIN64
174*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
175*13effbfbSDon Lewis+ #else
176*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
177*13effbfbSDon Lewis+ #endif
178*13effbfbSDon Lewis+typedef unsigned char uint8_t;
179*13effbfbSDon Lewis+typedef unsigned short uint16_t;
180*13effbfbSDon Lewis+typedef unsigned int uint32_t;
181*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
182*13effbfbSDon Lewis+#define UINT8_MAX  0xff
183*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
184*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
185*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
186*13effbfbSDon Lewis+#else
187*13effbfbSDon Lewis+ #include <stdint.h>
188*13effbfbSDon Lewis+#endif
189*13effbfbSDon Lewis
190*13effbfbSDon Lewis const std::vector<uint8_t> kat_key = {
191*13effbfbSDon Lewis     0,  1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,
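Review bot: This `<stdint.h>` substitute for MSVC older than 1600 is pasted verbatim into five headers (here, libssl_internals.h, blake2b.h, gcm.h and rijndael.h) with no guard around it. A translation unit that includes two of them sees every typedef and macro twice, and the `uintptr_t` typedef may also collide with the one the MSVC runtime headers provide; whether the old compiler accepts that is not visible from the patch. The block also defines only the unsigned types, so any use of `int32_t` or `int64_t` in these files would still fail to compile there. I would move the block into one small shim header with its own include guard and include that from all five places, so the definitions exist once and can be corrected in one spot.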
192*13effbfbSDon Lewis@@ -4643,4 +4659,4 @@
193*13effbfbSDon Lewis              0x10, 0x70, 0xfa, 0xa0, 0x37, 0x2a, 0xa4, 0x3e, 0x92, 0x48, 0x4b,
194*13effbfbSDon Lewis              0xe1, 0xc1, 0xe7, 0x3b, 0xa1, 0x09, 0x06, 0xd5, 0xd1, 0x85, 0x3d,
195*13effbfbSDon Lewis              0xb6, 0xa4, 0x10, 0x6e, 0x0a, 0x7b, 0xf9, 0x80, 0x0d, 0x37, 0x3d,
196*13effbfbSDon Lewis-             0x6d, 0xee, 0x2d, 0x46, 0xd6, 0x2e, 0xf2, 0xa4, 0x61}))};
197*13effbfbSDon Lewis\ No newline at end of file
198*13effbfbSDon Lewis+             0x6d, 0xee, 0x2d, 0x46, 0xd6, 0x2e, 0xf2, 0xa4, 0x61}))};
199*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h misc/build/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h
200*13effbfbSDon Lewis--- misc/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h   2018-08-31 05:55:53.000000000 -0700
201*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h 2018-10-21 01:47:16.342484000 -0700
202*13effbfbSDon Lewis@@ -7,7 +7,23 @@
203*13effbfbSDon Lewis #ifndef libssl_internals_h_
204*13effbfbSDon Lewis #define libssl_internals_h_
205*13effbfbSDon Lewis
206*13effbfbSDon Lewis-#include <stdint.h>
207*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
208*13effbfbSDon Lewis+ #ifdef _WIN64
209*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
210*13effbfbSDon Lewis+ #else
211*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
212*13effbfbSDon Lewis+ #endif
213*13effbfbSDon Lewis+typedef unsigned char uint8_t;
214*13effbfbSDon Lewis+typedef unsigned short uint16_t;
215*13effbfbSDon Lewis+typedef unsigned int uint32_t;
216*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
217*13effbfbSDon Lewis+#define UINT8_MAX  0xff
218*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
219*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
220*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
221*13effbfbSDon Lewis+#else
222*13effbfbSDon Lewis+ #include <stdint.h>
223*13effbfbSDon Lewis+#endif
224*13effbfbSDon Lewis
225*13effbfbSDon Lewis #include "prio.h"
226*13effbfbSDon Lewis #include "seccomon.h"
227*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/blake2b.c misc/build/nss-3.39/nss/lib/freebl/blake2b.c
228*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/blake2b.c  2018-08-31 05:55:53.000000000 -0700
229*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/blake2b.c    2018-10-21 15:08:03.065644000 -0700
230*13effbfbSDon Lewis@@ -147,6 +147,7 @@
231*13effbfbSDon Lewis blake2b_Begin(BLAKE2BContext* ctx, uint8_t outlen, const uint8_t* key,
232*13effbfbSDon Lewis               size_t keylen)
233*13effbfbSDon Lewis {
234*13effbfbSDon Lewis+    uint64_t param;
235*13effbfbSDon Lewis     PORT_Assert(ctx != NULL);
236*13effbfbSDon Lewis     if (!ctx) {
237*13effbfbSDon Lewis         goto failure;
238*13effbfbSDon Lewis@@ -164,7 +165,7 @@
239*13effbfbSDon Lewis     }
240*13effbfbSDon Lewis
241*13effbfbSDon Lewis     /* Mix key size(keylen) and desired hash length(outlen) into h0 */
242*13effbfbSDon Lewis-    uint64_t param = outlen ^ (keylen << 8) ^ (1 << 16) ^ (1 << 24);
243*13effbfbSDon Lewis+    param = outlen ^ (keylen << 8) ^ (1 << 16) ^ (1 << 24);
244*13effbfbSDon Lewis     PORT_Memcpy(ctx->h, iv, 8 * 8);
245*13effbfbSDon Lewis     ctx->h[0] ^= param;
246*13effbfbSDon Lewis     ctx->outlen = outlen;
247*13effbfbSDon Lewis@@ -402,12 +403,13 @@
248*13effbfbSDon Lewis BLAKE2BContext*
249*13effbfbSDon Lewis BLAKE2B_Resurrect(unsigned char* space, void* arg)
250*13effbfbSDon Lewis {
251*13effbfbSDon Lewis+    BLAKE2BContext* ctx;
252*13effbfbSDon Lewis     PORT_Assert(space != NULL);
253*13effbfbSDon Lewis     if (!space) {
254*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_INVALID_ARGS);
255*13effbfbSDon Lewis         return NULL;
256*13effbfbSDon Lewis     }
257*13effbfbSDon Lewis-    BLAKE2BContext* ctx = BLAKE2B_NewContext();
258*13effbfbSDon Lewis+    ctx = BLAKE2B_NewContext();
259*13effbfbSDon Lewis     if (ctx == NULL) {
260*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_INVALID_ARGS);
261*13effbfbSDon Lewis         return NULL;
262*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/blake2b.h misc/build/nss-3.39/nss/lib/freebl/blake2b.h
263*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/blake2b.h  2018-08-31 05:55:53.000000000 -0700
264*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/blake2b.h    2018-10-21 01:46:57.467020000 -0700
265*13effbfbSDon Lewis@@ -9,7 +9,23 @@
266*13effbfbSDon Lewis #define BLAKE_H
267*13effbfbSDon Lewis
268*13effbfbSDon Lewis #include <stddef.h>
269*13effbfbSDon Lewis-#include <stdint.h>
270*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
271*13effbfbSDon Lewis+ #ifdef _WIN64
272*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
273*13effbfbSDon Lewis+ #else
274*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
275*13effbfbSDon Lewis+ #endif
276*13effbfbSDon Lewis+typedef unsigned char uint8_t;
277*13effbfbSDon Lewis+typedef unsigned short uint16_t;
278*13effbfbSDon Lewis+typedef unsigned int uint32_t;
279*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
280*13effbfbSDon Lewis+#define UINT8_MAX  0xff
281*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
282*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
283*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
284*13effbfbSDon Lewis+#else
285*13effbfbSDon Lewis+ #include <stdint.h>
286*13effbfbSDon Lewis+#endif
287*13effbfbSDon Lewis
288*13effbfbSDon Lewis struct Blake2bContextStr {
289*13effbfbSDon Lewis     uint64_t h[8];                     /* chained state */
290*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/chacha20poly1305.c misc/build/nss-3.39/nss/lib/freebl/chacha20poly1305.c
291*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/chacha20poly1305.c 2018-08-31 05:55:53.000000000 -0700
292*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/chacha20poly1305.c   2018-10-21 21:01:18.295557000 -0700
293*13effbfbSDon Lewis@@ -77,14 +77,14 @@
294*13effbfbSDon Lewis         Hacl_Poly1305_mk_state(stateStack, stateStack + offset);
295*13effbfbSDon Lewis
296*13effbfbSDon Lewis     unsigned char block[16] = { 0 };
297*13effbfbSDon Lewis+    unsigned int i;
298*13effbfbSDon Lewis+    unsigned int j;
299*13effbfbSDon Lewis     Hacl_Poly1305_init(state, (uint8_t *)key);
300*13effbfbSDon Lewis
301*13effbfbSDon Lewis     Poly1305PadUpdate(state, block, ad, adLen);
302*13effbfbSDon Lewis     memset(block, 0, 16);
303*13effbfbSDon Lewis     Poly1305PadUpdate(state, block, ciphertext, ciphertextLen);
304*13effbfbSDon Lewis
305*13effbfbSDon Lewis-    unsigned int i;
306*13effbfbSDon Lewis-    unsigned int j;
307*13effbfbSDon Lewis     for (i = 0, j = adLen; i < 8; i++, j >>= 8) {
308*13effbfbSDon Lewis         block[i] = j;
309*13effbfbSDon Lewis     }
310*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c misc/build/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c
311*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c    2018-08-31 05:55:53.000000000 -0700
312*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c  2018-10-21 21:06:07.350639000 -0700
313*13effbfbSDon Lewis@@ -104,6 +104,7 @@
314*13effbfbSDon Lewis {
315*13effbfbSDon Lewis     PRUint8 *px;
316*13effbfbSDon Lewis     PRUint8 basePoint[32] = { 9 };
317*13effbfbSDon Lewis+    SECStatus rv;
318*13effbfbSDon Lewis
319*13effbfbSDon Lewis     if (!P) {
320*13effbfbSDon Lewis         px = basePoint;
321*13effbfbSDon Lewis@@ -115,7 +116,7 @@
322*13effbfbSDon Lewis         px = P->data;
323*13effbfbSDon Lewis     }
324*13effbfbSDon Lewis
325*13effbfbSDon Lewis-    SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
326*13effbfbSDon Lewis+    rv = ec_Curve25519_mul(X->data, k->data, px);
327*13effbfbSDon Lewis     if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
328*13effbfbSDon Lewis         return SECFailure;
329*13effbfbSDon Lewis     }
330*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/gcm.h misc/build/nss-3.39/nss/lib/freebl/gcm.h
331*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/gcm.h  2018-08-31 05:55:53.000000000 -0700
332*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/gcm.h    2018-10-21 01:46:50.706497000 -0700
333*13effbfbSDon Lewis@@ -6,7 +6,23 @@
334*13effbfbSDon Lewis #define GCM_H 1
335*13effbfbSDon Lewis
336*13effbfbSDon Lewis #include "blapii.h"
337*13effbfbSDon Lewis-#include <stdint.h>
338*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
339*13effbfbSDon Lewis+ #ifdef _WIN64
340*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
341*13effbfbSDon Lewis+ #else
342*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
343*13effbfbSDon Lewis+ #endif
344*13effbfbSDon Lewis+typedef unsigned char uint8_t;
345*13effbfbSDon Lewis+typedef unsigned short uint16_t;
346*13effbfbSDon Lewis+typedef unsigned int uint32_t;
347*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
348*13effbfbSDon Lewis+#define UINT8_MAX  0xff
349*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
350*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
351*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
352*13effbfbSDon Lewis+#else
353*13effbfbSDon Lewis+ #include <stdint.h>
354*13effbfbSDon Lewis+#endif
355*13effbfbSDon Lewis
356*13effbfbSDon Lewis #ifdef NSS_X86_OR_X64
357*13effbfbSDon Lewis /* GCC <= 4.8 doesn't support including emmintrin.h without enabling SSE2 */
358*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/rijndael.h misc/build/nss-3.39/nss/lib/freebl/rijndael.h
359*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/rijndael.h 2018-08-31 05:55:53.000000000 -0700
360*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/rijndael.h   2018-10-21 01:47:05.758087000 -0700
361*13effbfbSDon Lewis@@ -6,7 +6,23 @@
362*13effbfbSDon Lewis #define _RIJNDAEL_H_ 1
363*13effbfbSDon Lewis
364*13effbfbSDon Lewis #include "blapii.h"
365*13effbfbSDon Lewis-#include <stdint.h>
366*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
367*13effbfbSDon Lewis+ #ifdef _WIN64
368*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
369*13effbfbSDon Lewis+ #else
370*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
371*13effbfbSDon Lewis+ #endif
372*13effbfbSDon Lewis+typedef unsigned char uint8_t;
373*13effbfbSDon Lewis+typedef unsigned short uint16_t;
374*13effbfbSDon Lewis+typedef unsigned int uint32_t;
375*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
376*13effbfbSDon Lewis+#define UINT8_MAX  0xff
377*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
378*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
379*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
380*13effbfbSDon Lewis+#else
381*13effbfbSDon Lewis+ #include <stdint.h>
382*13effbfbSDon Lewis+#endif
383*13effbfbSDon Lewis
384*13effbfbSDon Lewis #if defined(NSS_X86_OR_X64)
385*13effbfbSDon Lewis /* GCC <= 4.8 doesn't support including emmintrin.h without enabling SSE2 */
386*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/FStar.c misc/build/nss-3.39/nss/lib/freebl/verified/FStar.c
387*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/FStar.c   2018-08-31 05:55:53.000000000 -0700
388*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/FStar.c 2018-10-21 23:50:44.099188000 -0700
389*13effbfbSDon Lewis@@ -32,37 +32,37 @@
390*13effbfbSDon Lewis FStar_UInt128_uint128
391*13effbfbSDon Lewis FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
392*13effbfbSDon Lewis {
393*13effbfbSDon Lewis-    return (
394*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
395*13effbfbSDon Lewis-            .low = a.low + b.low,
396*13effbfbSDon Lewis-            .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
397*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
398*13effbfbSDon Lewis+    ret.low = a.low + b.low;
399*13effbfbSDon Lewis+    ret.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low);
400*13effbfbSDon Lewis+    return (ret);
401*13effbfbSDon Lewis }
402*13effbfbSDon Lewis
403*13effbfbSDon Lewis FStar_UInt128_uint128
404*13effbfbSDon Lewis FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
405*13effbfbSDon Lewis {
406*13effbfbSDon Lewis-    return (
407*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
408*13effbfbSDon Lewis-            .low = a.low + b.low,
409*13effbfbSDon Lewis-            .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
410*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
411*13effbfbSDon Lewis+    ret.low = a.low + b.low;
412*13effbfbSDon Lewis+    ret.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low);
413*13effbfbSDon Lewis+    return (ret);
414*13effbfbSDon Lewis }
415*13effbfbSDon Lewis
416*13effbfbSDon Lewis FStar_UInt128_uint128
417*13effbfbSDon Lewis FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
418*13effbfbSDon Lewis {
419*13effbfbSDon Lewis-    return (
420*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
421*13effbfbSDon Lewis-            .low = a.low - b.low,
422*13effbfbSDon Lewis-            .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
423*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
424*13effbfbSDon Lewis+    ret.low = a.low - b.low;
425*13effbfbSDon Lewis+    ret.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low);
426*13effbfbSDon Lewis+    return (ret);
427*13effbfbSDon Lewis }
428*13effbfbSDon Lewis
429*13effbfbSDon Lewis static FStar_UInt128_uint128
430*13effbfbSDon Lewis FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
431*13effbfbSDon Lewis {
432*13effbfbSDon Lewis-    return (
433*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
434*13effbfbSDon Lewis-            .low = a.low - b.low,
435*13effbfbSDon Lewis-            .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
436*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
437*13effbfbSDon Lewis+    ret.low = a.low - b.low;
438*13effbfbSDon Lewis+    ret.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low);
439*13effbfbSDon Lewis+    return (ret);
440*13effbfbSDon Lewis }
441*13effbfbSDon Lewis
442*13effbfbSDon Lewis FStar_UInt128_uint128
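Review bot: These hand edits to FStar.c carry no marker that they are a local deviation. The `verified/` directory name suggests the file is extracted from formally verified sources, in which case the text that gets compiled is no longer the text that was checked. In the visible functions each field expression is copied unchanged into `ret.low` and `ret.high`, so behaviour looks preserved, but a reader cannot tell that from the file alone. I would add a comment at the top of the file such as `/* Local change: compound-literal returns expanded into a named temporary for pre-C99 MSVC; expressions unchanged from the generated code. */` and re-apply it whenever the file is refreshed from upstream. The same applies to the remaining FStar.c hunks, where the closing brace added in `FStar_UInt128_shift_left_small` is also indented by three spaces instead of four.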
443*13effbfbSDon Lewis@@ -74,25 +74,37 @@
444*13effbfbSDon Lewis FStar_UInt128_uint128
445*13effbfbSDon Lewis FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
446*13effbfbSDon Lewis {
447*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = a.low & b.low, .high = a.high & b.high });
448*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
449*13effbfbSDon Lewis+    ret.low = a.low & b.low;
450*13effbfbSDon Lewis+    ret.high = a.high & b.high;
451*13effbfbSDon Lewis+    return (ret);
452*13effbfbSDon Lewis }
453*13effbfbSDon Lewis
454*13effbfbSDon Lewis FStar_UInt128_uint128
455*13effbfbSDon Lewis FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
456*13effbfbSDon Lewis {
457*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = a.low ^ b.low, .high = a.high ^ b.high });
458*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
459*13effbfbSDon Lewis+    ret.low = a.low ^ b.low;
460*13effbfbSDon Lewis+    ret.high = a.high ^ b.high;
461*13effbfbSDon Lewis+    return (ret);
462*13effbfbSDon Lewis }
463*13effbfbSDon Lewis
464*13effbfbSDon Lewis FStar_UInt128_uint128
465*13effbfbSDon Lewis FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
466*13effbfbSDon Lewis {
467*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = a.low | b.low, .high = a.high | b.high });
468*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
469*13effbfbSDon Lewis+    ret.low = a.low | b.low;
470*13effbfbSDon Lewis+    ret.high = a.high | b.high;
471*13effbfbSDon Lewis+    return (ret);
472*13effbfbSDon Lewis }
473*13effbfbSDon Lewis
474*13effbfbSDon Lewis FStar_UInt128_uint128
475*13effbfbSDon Lewis FStar_UInt128_lognot(FStar_UInt128_uint128 a)
476*13effbfbSDon Lewis {
477*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = ~a.low, .high = ~a.high });
478*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
479*13effbfbSDon Lewis+    ret.low = ~a.low;
480*13effbfbSDon Lewis+    ret.high = ~a.high;
481*13effbfbSDon Lewis+    return (ret);
482*13effbfbSDon Lewis }
483*13effbfbSDon Lewis
484*13effbfbSDon Lewis static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
485*13effbfbSDon Lewis@@ -112,19 +124,23 @@
486*13effbfbSDon Lewis static FStar_UInt128_uint128
487*13effbfbSDon Lewis FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
488*13effbfbSDon Lewis {
489*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
490*13effbfbSDon Lewis     if (s == (uint32_t)0U)
491*13effbfbSDon Lewis         return a;
492*13effbfbSDon Lewis-    else
493*13effbfbSDon Lewis-        return (
494*13effbfbSDon Lewis-            (FStar_UInt128_uint128){
495*13effbfbSDon Lewis-                .low = a.low << s,
496*13effbfbSDon Lewis-                .high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) });
497*13effbfbSDon Lewis+    else {
498*13effbfbSDon Lewis+        ret.low = a.low << s;
499*13effbfbSDon Lewis+        ret.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s);
500*13effbfbSDon Lewis+        return (ret);
501*13effbfbSDon Lewis+   }
502*13effbfbSDon Lewis }
503*13effbfbSDon Lewis
504*13effbfbSDon Lewis static FStar_UInt128_uint128
505*13effbfbSDon Lewis FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
506*13effbfbSDon Lewis {
507*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) });
508*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
509*13effbfbSDon Lewis+    ret.low = (uint64_t)0U;
510*13effbfbSDon Lewis+    ret.high = a.low << (s - FStar_UInt128_u32_64);
511*13effbfbSDon Lewis+    return (ret);
512*13effbfbSDon Lewis }
513*13effbfbSDon Lewis
514*13effbfbSDon Lewis FStar_UInt128_uint128
515*13effbfbSDon Lewis@@ -151,19 +167,23 @@
516*13effbfbSDon Lewis static FStar_UInt128_uint128
517*13effbfbSDon Lewis FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
518*13effbfbSDon Lewis {
519*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
520*13effbfbSDon Lewis     if (s == (uint32_t)0U)
521*13effbfbSDon Lewis         return a;
522*13effbfbSDon Lewis-    else
523*13effbfbSDon Lewis-        return (
524*13effbfbSDon Lewis-            (FStar_UInt128_uint128){
525*13effbfbSDon Lewis-                .low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s),
526*13effbfbSDon Lewis-                .high = a.high >> s });
527*13effbfbSDon Lewis+    else {
528*13effbfbSDon Lewis+        ret.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s);
529*13effbfbSDon Lewis+        ret.high = a.high >> s;
530*13effbfbSDon Lewis+        return (ret);
531*13effbfbSDon Lewis+    }
532*13effbfbSDon Lewis }
533*13effbfbSDon Lewis
534*13effbfbSDon Lewis static FStar_UInt128_uint128
535*13effbfbSDon Lewis FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
536*13effbfbSDon Lewis {
537*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U });
538*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
539*13effbfbSDon Lewis+    ret.low = a.high >> (s - FStar_UInt128_u32_64);
540*13effbfbSDon Lewis+    ret.high = (uint64_t)0U;
541*13effbfbSDon Lewis+    return (ret);
542*13effbfbSDon Lewis }
543*13effbfbSDon Lewis
544*13effbfbSDon Lewis FStar_UInt128_uint128
545*13effbfbSDon Lewis@@ -178,25 +198,28 @@
546*13effbfbSDon Lewis FStar_UInt128_uint128
547*13effbfbSDon Lewis FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
548*13effbfbSDon Lewis {
549*13effbfbSDon Lewis-    return (
550*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
551*13effbfbSDon Lewis-            .low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high),
552*13effbfbSDon Lewis-            .high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high) });
553*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
554*13effbfbSDon Lewis+    ret.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
555*13effbfbSDon Lewis+    ret.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
556*13effbfbSDon Lewis+    return (ret);
557*13effbfbSDon Lewis }
558*13effbfbSDon Lewis
559*13effbfbSDon Lewis FStar_UInt128_uint128
560*13effbfbSDon Lewis FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
561*13effbfbSDon Lewis {
562*13effbfbSDon Lewis-    return (
563*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
564*13effbfbSDon Lewis-            .low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
565*13effbfbSDon Lewis-            .high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) });
566*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
567*13effbfbSDon Lewis+    ret.low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low));
568*13effbfbSDon Lewis+    ret.high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low));
569*13effbfbSDon Lewis+    return (ret);
570*13effbfbSDon Lewis }
571*13effbfbSDon Lewis
572*13effbfbSDon Lewis FStar_UInt128_uint128
573*13effbfbSDon Lewis FStar_UInt128_uint64_to_uint128(uint64_t a)
574*13effbfbSDon Lewis {
575*13effbfbSDon Lewis-    return ((FStar_UInt128_uint128){.low = a, .high = (uint64_t)0U });
576*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
577*13effbfbSDon Lewis+    ret.low = a;
578*13effbfbSDon Lewis+    ret.high = (uint64_t)0U;
579*13effbfbSDon Lewis+    return (ret);
580*13effbfbSDon Lewis }
581*13effbfbSDon Lewis
582*13effbfbSDon Lewis uint64_t
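Review bot: In FStar_UInt128_eq_mask and FStar_UInt128_gte_mask the new body evaluates the identical mask expression twice, once for `ret.low` and once for `ret.high`. That was natural inside a single compound literal, but it is a copy-paste hazard now that the two assignments are separate statements. C89 allows an initialised scalar declaration at the top of the block, so the mask can be computed once: `uint64_t m = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);` followed by `ret.low = m;` and `ret.high = m;`, and likewise for the gte expression. This keeps the comparison branch-free, which matters if these masks are applied to secret values, and the two halves can no longer drift apart in a later edit. FStar_UInt128_uint64_to_uint128 needs no change.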
583*13effbfbSDon Lewis@@ -218,12 +241,13 @@
584*13effbfbSDon Lewis static K___uint64_t_uint64_t_uint64_t_uint64_t
585*13effbfbSDon Lewis FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
586*13effbfbSDon Lewis {
587*13effbfbSDon Lewis-    return (
588*13effbfbSDon Lewis-        (K___uint64_t_uint64_t_uint64_t_uint64_t){
589*13effbfbSDon Lewis-            .fst = FStar_UInt128_u64_mod_32(x),
590*13effbfbSDon Lewis-            .snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)),
591*13effbfbSDon Lewis-            .thd = x >> FStar_UInt128_u32_32,
592*13effbfbSDon Lewis-            .f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32) });
593*13effbfbSDon Lewis+
594*13effbfbSDon Lewis+    K___uint64_t_uint64_t_uint64_t_uint64_t ret;
595*13effbfbSDon Lewis+    ret.fst = FStar_UInt128_u64_mod_32(x);
596*13effbfbSDon Lewis+    ret.snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y));
597*13effbfbSDon Lewis+    ret.thd = x >> FStar_UInt128_u32_32;
598*13effbfbSDon Lewis+    ret.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32);
599*13effbfbSDon Lewis+    return (ret);
600*13effbfbSDon Lewis }
601*13effbfbSDon Lewis
602*13effbfbSDon Lewis static uint64_t
603*13effbfbSDon Lewis@@ -240,12 +264,12 @@
604*13effbfbSDon Lewis     uint64_t w3 = scrut.snd;
605*13effbfbSDon Lewis     uint64_t x_ = scrut.thd;
606*13effbfbSDon Lewis     uint64_t t_ = scrut.f3;
607*13effbfbSDon Lewis-    return (
608*13effbfbSDon Lewis-        (FStar_UInt128_uint128){
609*13effbfbSDon Lewis-            .low = FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
610*13effbfbSDon Lewis-                                              w3),
611*13effbfbSDon Lewis-            .high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
612*13effbfbSDon Lewis-                    ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32) });
613*13effbfbSDon Lewis+    FStar_UInt128_uint128 ret;
614*13effbfbSDon Lewis+    ret.low = FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
615*13effbfbSDon Lewis+                                              w3);
616*13effbfbSDon Lewis+    ret.high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
617*13effbfbSDon Lewis+                    ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32);
618*13effbfbSDon Lewis+    return (ret);
619*13effbfbSDon Lewis }
620*13effbfbSDon Lewis
621*13effbfbSDon Lewis FStar_UInt128_uint128
622*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/FStar.h misc/build/nss-3.39/nss/lib/freebl/verified/FStar.h
623*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/FStar.h   2018-08-31 05:55:53.000000000 -0700
624*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/FStar.h 2018-10-21 23:03:05.151005000 -0700
625*13effbfbSDon Lewis@@ -17,6 +17,7 @@
626*13effbfbSDon Lewis #ifndef __FStar_H
627*13effbfbSDon Lewis #define __FStar_H
628*13effbfbSDon Lewis
629*13effbfbSDon Lewis+#include "secport.h"
630*13effbfbSDon Lewis #include "kremlib_base.h"
631*13effbfbSDon Lewis
632*13effbfbSDon Lewis typedef struct
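Review bot: The added `#include "secport.h"` has no comment saying which definition this header needs from it, and the same bare include is added to Hacl_Chacha20.h and Hacl_Chacha20_Vec128.h further down. These files sit under lib/freebl/verified/ and look like generated output, so a one-line comment on each include, marking it as a local addition and naming what it supplies, would let the next import of upstream sources keep or drop it deliberately. In the two Hacl_ headers the include also lands above the `#ifndef` guard. The existing `kremlib.h` include is already there, so this is consistent, but it is only harmless while secport.h has its own guard, which is not visible here.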
633*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c
634*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c   2018-08-31 05:55:53.000000000 -0700
635*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c 2018-10-21 21:47:24.553180000 -0700
636*13effbfbSDon Lewis@@ -18,7 +18,8 @@
637*13effbfbSDon Lewis static void
638*13effbfbSDon Lewis Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
639*13effbfbSDon Lewis {
640*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
641*13effbfbSDon Lewis+    uint32_t i;
642*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
643*13effbfbSDon Lewis         uint8_t *x0 = input + (uint32_t)4U * i;
644*13effbfbSDon Lewis         uint32_t inputi = load32_le(x0);
645*13effbfbSDon Lewis         output[i] = inputi;
646*13effbfbSDon Lewis@@ -28,7 +29,8 @@
647*13effbfbSDon Lewis static void
648*13effbfbSDon Lewis Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
649*13effbfbSDon Lewis {
650*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
651*13effbfbSDon Lewis+    uint32_t i;
652*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
653*13effbfbSDon Lewis         uint32_t hd1 = input[i];
654*13effbfbSDon Lewis         uint8_t *x0 = output + (uint32_t)4U * i;
655*13effbfbSDon Lewis         store32_le(x0, hd1);
656*13effbfbSDon Lewis@@ -46,31 +48,49 @@
657*13effbfbSDon Lewis {
658*13effbfbSDon Lewis     uint32_t sa = st[a];
659*13effbfbSDon Lewis     uint32_t sb0 = st[b];
660*13effbfbSDon Lewis+    uint32_t sd;
661*13effbfbSDon Lewis+    uint32_t sa10;
662*13effbfbSDon Lewis+    uint32_t sda;
663*13effbfbSDon Lewis+    uint32_t sa0;
664*13effbfbSDon Lewis+    uint32_t sb1;
665*13effbfbSDon Lewis+    uint32_t sd0;
666*13effbfbSDon Lewis+    uint32_t sa11;
667*13effbfbSDon Lewis+    uint32_t sda0;
668*13effbfbSDon Lewis+    uint32_t sa2;
669*13effbfbSDon Lewis+    uint32_t sb2;
670*13effbfbSDon Lewis+    uint32_t sd1;
671*13effbfbSDon Lewis+    uint32_t sa12;
672*13effbfbSDon Lewis+    uint32_t sda1;
673*13effbfbSDon Lewis+    uint32_t sa3;
674*13effbfbSDon Lewis+    uint32_t sb;
675*13effbfbSDon Lewis+    uint32_t sd2;
676*13effbfbSDon Lewis+    uint32_t sa1;
677*13effbfbSDon Lewis+    uint32_t sda2;
678*13effbfbSDon Lewis     st[a] = sa + sb0;
679*13effbfbSDon Lewis-    uint32_t sd = st[d];
680*13effbfbSDon Lewis-    uint32_t sa10 = st[a];
681*13effbfbSDon Lewis-    uint32_t sda = sd ^ sa10;
682*13effbfbSDon Lewis+    sd = st[d];
683*13effbfbSDon Lewis+    sa10 = st[a];
684*13effbfbSDon Lewis+    sda = sd ^ sa10;
685*13effbfbSDon Lewis     st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U);
686*13effbfbSDon Lewis-    uint32_t sa0 = st[c];
687*13effbfbSDon Lewis-    uint32_t sb1 = st[d];
688*13effbfbSDon Lewis+    sa0 = st[c];
689*13effbfbSDon Lewis+    sb1 = st[d];
690*13effbfbSDon Lewis     st[c] = sa0 + sb1;
691*13effbfbSDon Lewis-    uint32_t sd0 = st[b];
692*13effbfbSDon Lewis-    uint32_t sa11 = st[c];
693*13effbfbSDon Lewis-    uint32_t sda0 = sd0 ^ sa11;
694*13effbfbSDon Lewis+    sd0 = st[b];
695*13effbfbSDon Lewis+    sa11 = st[c];
696*13effbfbSDon Lewis+    sda0 = sd0 ^ sa11;
697*13effbfbSDon Lewis     st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U);
698*13effbfbSDon Lewis-    uint32_t sa2 = st[a];
699*13effbfbSDon Lewis-    uint32_t sb2 = st[b];
700*13effbfbSDon Lewis+    sa2 = st[a];
701*13effbfbSDon Lewis+    sb2 = st[b];
702*13effbfbSDon Lewis     st[a] = sa2 + sb2;
703*13effbfbSDon Lewis-    uint32_t sd1 = st[d];
704*13effbfbSDon Lewis-    uint32_t sa12 = st[a];
705*13effbfbSDon Lewis-    uint32_t sda1 = sd1 ^ sa12;
706*13effbfbSDon Lewis+    sd1 = st[d];
707*13effbfbSDon Lewis+    sa12 = st[a];
708*13effbfbSDon Lewis+    sda1 = sd1 ^ sa12;
709*13effbfbSDon Lewis     st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U);
710*13effbfbSDon Lewis-    uint32_t sa3 = st[c];
711*13effbfbSDon Lewis-    uint32_t sb = st[d];
712*13effbfbSDon Lewis+    sa3 = st[c];
713*13effbfbSDon Lewis+    sb = st[d];
714*13effbfbSDon Lewis     st[c] = sa3 + sb;
715*13effbfbSDon Lewis-    uint32_t sd2 = st[b];
716*13effbfbSDon Lewis-    uint32_t sa1 = st[c];
717*13effbfbSDon Lewis-    uint32_t sda2 = sd2 ^ sa1;
718*13effbfbSDon Lewis+    sd2 = st[b];
719*13effbfbSDon Lewis+    sa1 = st[c];
720*13effbfbSDon Lewis+    sda2 = sd2 ^ sa1;
721*13effbfbSDon Lewis     st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U);
722*13effbfbSDon Lewis }
723*13effbfbSDon Lewis
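Review bot: The eighteen locals hoisted to the top of this function are declared without initialisers and each is assigned once, many lines later, so only compiler warnings would catch a later edit that reads one before its assignment. The statement order matches the removed lines, which is the property to preserve in a cipher round function. I would record that above the declarations, e.g. `/* declarations hoisted for compilers without mixed declarations; statement order unchanged */`, and build these files with uninitialised-variable warnings enabled. The same pattern appears in the Hacl_Chacha20_Vec128.c hunks for state_setup, round and double_round. The function's signature is outside this hunk.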
724*13effbfbSDon Lewis@@ -90,14 +110,16 @@
725*13effbfbSDon Lewis inline static void
726*13effbfbSDon Lewis Hacl_Impl_Chacha20_rounds(uint32_t *st)
727*13effbfbSDon Lewis {
728*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
729*13effbfbSDon Lewis+    uint32_t i;
730*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
731*13effbfbSDon Lewis         Hacl_Impl_Chacha20_double_round(st);
732*13effbfbSDon Lewis }
733*13effbfbSDon Lewis
734*13effbfbSDon Lewis inline static void
735*13effbfbSDon Lewis Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_)
736*13effbfbSDon Lewis {
737*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
738*13effbfbSDon Lewis+    uint32_t i;
739*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
740*13effbfbSDon Lewis         uint32_t xi = st[i];
741*13effbfbSDon Lewis         uint32_t yi = st_[i];
742*13effbfbSDon Lewis         st[i] = xi + yi;
743*13effbfbSDon Lewis@@ -150,9 +172,10 @@
744*13effbfbSDon Lewis     uint32_t *k = b;
745*13effbfbSDon Lewis     uint32_t *ib = b + (uint32_t)16U;
746*13effbfbSDon Lewis     uint32_t *ob = b + (uint32_t)32U;
747*13effbfbSDon Lewis+    uint32_t i;
748*13effbfbSDon Lewis     Hacl_Impl_Chacha20_chacha20_core(k, st, ctr);
749*13effbfbSDon Lewis     Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
750*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
751*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
752*13effbfbSDon Lewis         uint32_t xi = ib[i];
753*13effbfbSDon Lewis         uint32_t yi = k[i];
754*13effbfbSDon Lewis         ob[i] = xi ^ yi;
755*13effbfbSDon Lewis@@ -169,9 +192,11 @@
756*13effbfbSDon Lewis     uint32_t ctr)
757*13effbfbSDon Lewis {
758*13effbfbSDon Lewis     uint8_t block[64U] = { 0U };
759*13effbfbSDon Lewis+    uint8_t *mask;
760*13effbfbSDon Lewis+    uint32_t i;
761*13effbfbSDon Lewis     Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
762*13effbfbSDon Lewis-    uint8_t *mask = block;
763*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
764*13effbfbSDon Lewis+    mask = block;
765*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
766*13effbfbSDon Lewis         uint8_t xi = plain[i];
767*13effbfbSDon Lewis         uint8_t yi = mask[i];
768*13effbfbSDon Lewis         output[i] = xi ^ yi;
769*13effbfbSDon Lewis@@ -186,7 +211,8 @@
770*13effbfbSDon Lewis     uint32_t *st,
771*13effbfbSDon Lewis     uint32_t ctr)
772*13effbfbSDon Lewis {
773*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) {
774*13effbfbSDon Lewis+    uint32_t i;
775*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) {
776*13effbfbSDon Lewis         uint8_t *b = plain + (uint32_t)64U * i;
777*13effbfbSDon Lewis         uint8_t *o = output + (uint32_t)64U * i;
778*13effbfbSDon Lewis         Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
779*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h
780*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h   2018-08-31 05:55:53.000000000 -0700
781*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h 2018-10-21 21:12:36.078858000 -0700
782*13effbfbSDon Lewis@@ -13,6 +13,7 @@
783*13effbfbSDon Lewis  * limitations under the License.
784*13effbfbSDon Lewis  */
785*13effbfbSDon Lewis
786*13effbfbSDon Lewis+#include "secport.h"
787*13effbfbSDon Lewis #include "kremlib.h"
788*13effbfbSDon Lewis #ifndef __Hacl_Chacha20_H
789*13effbfbSDon Lewis #define __Hacl_Chacha20_H
790*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
791*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c    2018-08-31 05:55:53.000000000 -0700
792*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c  2018-10-21 22:13:55.130785000 -0700
793*13effbfbSDon Lewis@@ -25,14 +25,18 @@
794*13effbfbSDon Lewis inline static void
795*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(uint8_t *stream_block, vec *k)
796*13effbfbSDon Lewis {
797*13effbfbSDon Lewis+    uint8_t *a;
798*13effbfbSDon Lewis+    uint8_t *b;
799*13effbfbSDon Lewis+    uint8_t *c;
800*13effbfbSDon Lewis+    uint8_t *d;
801*13effbfbSDon Lewis     vec k0 = k[0U];
802*13effbfbSDon Lewis     vec k1 = k[1U];
803*13effbfbSDon Lewis     vec k2 = k[2U];
804*13effbfbSDon Lewis     vec k3 = k[3U];
805*13effbfbSDon Lewis-    uint8_t *a = stream_block;
806*13effbfbSDon Lewis-    uint8_t *b = stream_block + (uint32_t)16U;
807*13effbfbSDon Lewis-    uint8_t *c = stream_block + (uint32_t)32U;
808*13effbfbSDon Lewis-    uint8_t *d = stream_block + (uint32_t)48U;
809*13effbfbSDon Lewis+    a = stream_block;
810*13effbfbSDon Lewis+    b = stream_block + (uint32_t)16U;
811*13effbfbSDon Lewis+    c = stream_block + (uint32_t)32U;
812*13effbfbSDon Lewis+    d = stream_block + (uint32_t)48U;
813*13effbfbSDon Lewis     vec_store_le(a, k0);
814*13effbfbSDon Lewis     vec_store_le(b, k1);
815*13effbfbSDon Lewis     vec_store_le(c, k2);
816*13effbfbSDon Lewis@@ -42,21 +46,29 @@
817*13effbfbSDon Lewis inline static void
818*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_State_state_setup(vec *st, uint8_t *k, uint8_t *n1, uint32_t c)
819*13effbfbSDon Lewis {
820*13effbfbSDon Lewis+    vec k0;
821*13effbfbSDon Lewis+    vec k1;
822*13effbfbSDon Lewis+    uint32_t n0;
823*13effbfbSDon Lewis+    uint8_t *x00;
824*13effbfbSDon Lewis+    uint32_t n10;
825*13effbfbSDon Lewis+    uint8_t *x0;
826*13effbfbSDon Lewis+    uint32_t n2;
827*13effbfbSDon Lewis+    vec v1;
828*13effbfbSDon Lewis     st[0U] =
829*13effbfbSDon Lewis         vec_load_32x4((uint32_t)0x61707865U,
830*13effbfbSDon Lewis                       (uint32_t)0x3320646eU,
831*13effbfbSDon Lewis                       (uint32_t)0x79622d32U,
832*13effbfbSDon Lewis                       (uint32_t)0x6b206574U);
833*13effbfbSDon Lewis-    vec k0 = vec_load128_le(k);
834*13effbfbSDon Lewis-    vec k1 = vec_load128_le(k + (uint32_t)16U);
835*13effbfbSDon Lewis+    k0 = vec_load128_le(k);
836*13effbfbSDon Lewis+    k1 = vec_load128_le(k + (uint32_t)16U);
837*13effbfbSDon Lewis     st[1U] = k0;
838*13effbfbSDon Lewis     st[2U] = k1;
839*13effbfbSDon Lewis-    uint32_t n0 = load32_le(n1);
840*13effbfbSDon Lewis-    uint8_t *x00 = n1 + (uint32_t)4U;
841*13effbfbSDon Lewis-    uint32_t n10 = load32_le(x00);
842*13effbfbSDon Lewis-    uint8_t *x0 = n1 + (uint32_t)8U;
843*13effbfbSDon Lewis-    uint32_t n2 = load32_le(x0);
844*13effbfbSDon Lewis-    vec v1 = vec_load_32x4(c, n0, n10, n2);
845*13effbfbSDon Lewis+    n0 = load32_le(n1);
846*13effbfbSDon Lewis+    x00 = n1 + (uint32_t)4U;
847*13effbfbSDon Lewis+    n10 = load32_le(x00);
848*13effbfbSDon Lewis+    x0 = n1 + (uint32_t)8U;
849*13effbfbSDon Lewis+    n2 = load32_le(x0);
850*13effbfbSDon Lewis+    v1 = vec_load_32x4(c, n0, n10, n2);
851*13effbfbSDon Lewis     st[3U] = v1;
852*13effbfbSDon Lewis }
853*13effbfbSDon Lewis
854*13effbfbSDon Lewis@@ -68,27 +80,42 @@
855*13effbfbSDon Lewis     vec sd0 = st[3U];
856*13effbfbSDon Lewis     vec sa10 = vec_add(sa, sb0);
857*13effbfbSDon Lewis     vec sd10 = vec_rotate_left(vec_xor(sd0, sa10), (uint32_t)16U);
858*13effbfbSDon Lewis+    vec sa0;
859*13effbfbSDon Lewis+    vec sb1;
860*13effbfbSDon Lewis+    vec sd2;
861*13effbfbSDon Lewis+    vec sa11;
862*13effbfbSDon Lewis+    vec sd11;
863*13effbfbSDon Lewis+    vec sa2;
864*13effbfbSDon Lewis+    vec sb2;
865*13effbfbSDon Lewis+    vec sd3;
866*13effbfbSDon Lewis+    vec sa12;
867*13effbfbSDon Lewis+    vec sd12;
868*13effbfbSDon Lewis+    vec sa3;
869*13effbfbSDon Lewis+    vec sb;
870*13effbfbSDon Lewis+    vec sd;
871*13effbfbSDon Lewis+    vec sa1;
872*13effbfbSDon Lewis+    vec sd1;
873*13effbfbSDon Lewis     st[0U] = sa10;
874*13effbfbSDon Lewis     st[3U] = sd10;
875*13effbfbSDon Lewis-    vec sa0 = st[2U];
876*13effbfbSDon Lewis-    vec sb1 = st[3U];
877*13effbfbSDon Lewis-    vec sd2 = st[1U];
878*13effbfbSDon Lewis-    vec sa11 = vec_add(sa0, sb1);
879*13effbfbSDon Lewis-    vec sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
880*13effbfbSDon Lewis+    sa0 = st[2U];
881*13effbfbSDon Lewis+    sb1 = st[3U];
882*13effbfbSDon Lewis+    sd2 = st[1U];
883*13effbfbSDon Lewis+    sa11 = vec_add(sa0, sb1);
884*13effbfbSDon Lewis+    sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
885*13effbfbSDon Lewis     st[2U] = sa11;
886*13effbfbSDon Lewis     st[1U] = sd11;
887*13effbfbSDon Lewis-    vec sa2 = st[0U];
888*13effbfbSDon Lewis-    vec sb2 = st[1U];
889*13effbfbSDon Lewis-    vec sd3 = st[3U];
890*13effbfbSDon Lewis-    vec sa12 = vec_add(sa2, sb2);
891*13effbfbSDon Lewis-    vec sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
892*13effbfbSDon Lewis+    sa2 = st[0U];
893*13effbfbSDon Lewis+    sb2 = st[1U];
894*13effbfbSDon Lewis+    sd3 = st[3U];
895*13effbfbSDon Lewis+    sa12 = vec_add(sa2, sb2);
896*13effbfbSDon Lewis+    sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
897*13effbfbSDon Lewis     st[0U] = sa12;
898*13effbfbSDon Lewis     st[3U] = sd12;
899*13effbfbSDon Lewis-    vec sa3 = st[2U];
900*13effbfbSDon Lewis-    vec sb = st[3U];
901*13effbfbSDon Lewis-    vec sd = st[1U];
902*13effbfbSDon Lewis-    vec sa1 = vec_add(sa3, sb);
903*13effbfbSDon Lewis-    vec sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
904*13effbfbSDon Lewis+    sa3 = st[2U];
905*13effbfbSDon Lewis+    sb = st[3U];
906*13effbfbSDon Lewis+    sd = st[1U];
907*13effbfbSDon Lewis+    sa1 = vec_add(sa3, sb);
908*13effbfbSDon Lewis+    sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
909*13effbfbSDon Lewis     st[2U] = sa1;
910*13effbfbSDon Lewis     st[1U] = sd1;
911*13effbfbSDon Lewis }
912*13effbfbSDon Lewis@@ -96,17 +123,23 @@
913*13effbfbSDon Lewis inline static void
914*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_double_round(vec *st)
915*13effbfbSDon Lewis {
916*13effbfbSDon Lewis+    vec r1;
917*13effbfbSDon Lewis+    vec r20;
918*13effbfbSDon Lewis+    vec r30;
919*13effbfbSDon Lewis+    vec r10;
920*13effbfbSDon Lewis+    vec r2;
921*13effbfbSDon Lewis+    vec r3;
922*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_round(st);
923*13effbfbSDon Lewis-    vec r1 = st[1U];
924*13effbfbSDon Lewis-    vec r20 = st[2U];
925*13effbfbSDon Lewis-    vec r30 = st[3U];
926*13effbfbSDon Lewis+    r1 = st[1U];
927*13effbfbSDon Lewis+    r20 = st[2U];
928*13effbfbSDon Lewis+    r30 = st[3U];
929*13effbfbSDon Lewis     st[1U] = vec_shuffle_right(r1, (uint32_t)1U);
930*13effbfbSDon Lewis     st[2U] = vec_shuffle_right(r20, (uint32_t)2U);
931*13effbfbSDon Lewis     st[3U] = vec_shuffle_right(r30, (uint32_t)3U);
932*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_round(st);
933*13effbfbSDon Lewis-    vec r10 = st[1U];
934*13effbfbSDon Lewis-    vec r2 = st[2U];
935*13effbfbSDon Lewis-    vec r3 = st[3U];
936*13effbfbSDon Lewis+    r10 = st[1U];
937*13effbfbSDon Lewis+    r2 = st[2U];
938*13effbfbSDon Lewis+    r3 = st[3U];
939*13effbfbSDon Lewis     st[1U] = vec_shuffle_right(r10, (uint32_t)3U);
940*13effbfbSDon Lewis     st[2U] = vec_shuffle_right(r2, (uint32_t)2U);
941*13effbfbSDon Lewis     st[3U] = vec_shuffle_right(r3, (uint32_t)1U);
942*13effbfbSDon Lewis@@ -153,8 +186,9 @@
943*13effbfbSDon Lewis inline static void
944*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core(vec *k, vec *st)
945*13effbfbSDon Lewis {
946*13effbfbSDon Lewis+    uint32_t i;
947*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_copy_state(k, st);
948*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
949*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
950*13effbfbSDon Lewis         Hacl_Impl_Chacha20_Vec128_double_round(k);
951*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_sum_states(k, st);
952*13effbfbSDon Lewis }
953*13effbfbSDon Lewis@@ -188,8 +222,9 @@
954*13effbfbSDon Lewis inline static void
955*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core3(vec *k0, vec *k1, vec *k2, vec *st)
956*13effbfbSDon Lewis {
957*13effbfbSDon Lewis+    uint32_t i;
958*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_incr3(k0, k1, k2, st);
959*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
960*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
961*13effbfbSDon Lewis         Hacl_Impl_Chacha20_Vec128_double_round3(k0, k1, k2);
962*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_sum3(k0, k1, k2, st);
963*13effbfbSDon Lewis }
964*13effbfbSDon Lewis@@ -197,9 +232,10 @@
965*13effbfbSDon Lewis inline static void
966*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_block(uint8_t *stream_block, vec *st)
967*13effbfbSDon Lewis {
968*13effbfbSDon Lewis-    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
969*13effbfbSDon Lewis     vec k[4U];
970*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
971*13effbfbSDon Lewis+    uint32_t _i;
972*13effbfbSDon Lewis+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
973*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
974*13effbfbSDon Lewis         k[_i] = vec_zero();
975*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
976*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(stream_block, k);
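Review bot: `KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U)` now runs after `vec k[4U];` is declared instead of before it, and nothing explains why the swap is safe. The macro's definition is not visible here. If it is a size guard for the array that follows, the reorder changes nothing for a fixed four-element array, but that reasoning belongs in a short comment, e.g. `/* size is a compile-time constant; check kept only to mirror upstream */`. The same reorder occurs in the Hacl_Impl_Chacha20_Vec128_update hunk and in the @@ -368 hunk. In Hacl_Impl_Chacha20_Vec128_update3 the second and third checks stay in place while `k1` and `k2` move to the top, so there the checks and declarations are no longer paired at all. The function body continues past the end of this hunk.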
977*13effbfbSDon Lewis@@ -215,9 +251,11 @@
978*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_update_last(uint8_t *output, uint8_t *plain, uint32_t len, vec *st)
979*13effbfbSDon Lewis {
980*13effbfbSDon Lewis     uint8_t block[64U] = { 0U };
981*13effbfbSDon Lewis+    uint8_t *mask;
982*13effbfbSDon Lewis+    uint32_t i;
983*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_block(block, st);
984*13effbfbSDon Lewis-    uint8_t *mask = block;
985*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
986*13effbfbSDon Lewis+    mask = block;
987*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
988*13effbfbSDon Lewis         uint8_t xi = plain[i];
989*13effbfbSDon Lewis         uint8_t yi = mask[i];
990*13effbfbSDon Lewis         output[i] = xi ^ yi;
991*13effbfbSDon Lewis@@ -252,9 +290,10 @@
992*13effbfbSDon Lewis static void
993*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_update(uint8_t *output, uint8_t *plain, vec *st)
994*13effbfbSDon Lewis {
995*13effbfbSDon Lewis-    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
996*13effbfbSDon Lewis     vec k[4U];
997*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
998*13effbfbSDon Lewis+    uint32_t _i;
999*13effbfbSDon Lewis+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1000*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
1001*13effbfbSDon Lewis         k[_i] = vec_zero();
1002*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
1003*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_xor_block(output, plain, k);
1004*13effbfbSDon Lewis@@ -263,25 +302,32 @@
1005*13effbfbSDon Lewis static void
1006*13effbfbSDon Lewis Hacl_Impl_Chacha20_Vec128_update3(uint8_t *output, uint8_t *plain, vec *st)
1007*13effbfbSDon Lewis {
1008*13effbfbSDon Lewis-    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1009*13effbfbSDon Lewis     vec k0[4U];
1010*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1011*13effbfbSDon Lewis+    uint32_t _i;
1012*13effbfbSDon Lewis+    vec k1[4U];
1013*13effbfbSDon Lewis+    vec k2[4U];
1014*13effbfbSDon Lewis+    uint8_t *p0;
1015*13effbfbSDon Lewis+    uint8_t *p1;
1016*13effbfbSDon Lewis+    uint8_t *p2;
1017*13effbfbSDon Lewis+    uint8_t *o0;
1018*13effbfbSDon Lewis+    uint8_t *o1;
1019*13effbfbSDon Lewis+    uint8_t *o2;
1020*13effbfbSDon Lewis+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1021*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
1022*13effbfbSDon Lewis         k0[_i] = vec_zero();
1023*13effbfbSDon Lewis     KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1024*13effbfbSDon Lewis-    vec k1[4U];
1025*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1026*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
1027*13effbfbSDon Lewis         k1[_i] = vec_zero();
1028*13effbfbSDon Lewis     KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1029*13effbfbSDon Lewis-    vec k2[4U];
1030*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1031*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
1032*13effbfbSDon Lewis         k2[_i] = vec_zero();
1033*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_core3(k0, k1, k2, st);
1034*13effbfbSDon Lewis-    uint8_t *p0 = plain;
1035*13effbfbSDon Lewis-    uint8_t *p1 = plain + (uint32_t)64U;
1036*13effbfbSDon Lewis-    uint8_t *p2 = plain + (uint32_t)128U;
1037*13effbfbSDon Lewis-    uint8_t *o0 = output;
1038*13effbfbSDon Lewis-    uint8_t *o1 = output + (uint32_t)64U;
1039*13effbfbSDon Lewis-    uint8_t *o2 = output + (uint32_t)128U;
1040*13effbfbSDon Lewis+    p0 = plain;
1041*13effbfbSDon Lewis+    p1 = plain + (uint32_t)64U;
1042*13effbfbSDon Lewis+    p2 = plain + (uint32_t)128U;
1043*13effbfbSDon Lewis+    o0 = output;
1044*13effbfbSDon Lewis+    o1 = output + (uint32_t)64U;
1045*13effbfbSDon Lewis+    o2 = output + (uint32_t)128U;
1046*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_xor_block(o0, p0, k0);
1047*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_xor_block(o1, p1, k1);
1048*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_xor_block(o2, p2, k2);
1049*13effbfbSDon Lewis@@ -308,7 +354,8 @@
1050*13effbfbSDon Lewis     uint32_t len,
1051*13effbfbSDon Lewis     vec *st)
1052*13effbfbSDon Lewis {
1053*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
1054*13effbfbSDon Lewis+    uint32_t i;
1055*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
1056*13effbfbSDon Lewis         Hacl_Impl_Chacha20_Vec128_update3_(output, plain, len, st, i);
1057*13effbfbSDon Lewis }
1058*13effbfbSDon Lewis
1059*13effbfbSDon Lewis@@ -368,11 +415,13 @@
1060*13effbfbSDon Lewis     uint8_t *n1,
1061*13effbfbSDon Lewis     uint32_t ctr)
1062*13effbfbSDon Lewis {
1063*13effbfbSDon Lewis-    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1064*13effbfbSDon Lewis     vec buf[4U];
1065*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1066*13effbfbSDon Lewis+    uint32_t _i;
1067*13effbfbSDon Lewis+    vec *st;
1068*13effbfbSDon Lewis+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1069*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)4U; ++_i)
1070*13effbfbSDon Lewis         buf[_i] = vec_zero();
1071*13effbfbSDon Lewis-    vec *st = buf;
1072*13effbfbSDon Lewis+    st = buf;
1073*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_init(st, k, n1, ctr);
1074*13effbfbSDon Lewis     Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(output, plain, len, st);
1075*13effbfbSDon Lewis }
1076*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
1077*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h    2018-08-31 05:55:53.000000000 -0700
1078*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h  2018-10-21 21:52:15.090683000 -0700
1079*13effbfbSDon Lewis@@ -13,6 +13,7 @@
1080*13effbfbSDon Lewis  * limitations under the License.
1081*13effbfbSDon Lewis  */
1082*13effbfbSDon Lewis
1083*13effbfbSDon Lewis+#include "secport.h"
1084*13effbfbSDon Lewis #include "kremlib.h"
1085*13effbfbSDon Lewis #ifndef __Hacl_Chacha20_Vec128_H
1086*13effbfbSDon Lewis #define __Hacl_Chacha20_Vec128_H
1087*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c
1088*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c 2018-08-31 05:55:53.000000000 -0700
1089*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c   2018-10-21 22:57:57.044565000 -0700
1090*13effbfbSDon Lewis@@ -129,6 +129,7 @@
1091*13effbfbSDon Lewis Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
1092*13effbfbSDon Lewis {
1093*13effbfbSDon Lewis     uint64_t tmp = output[4U];
1094*13effbfbSDon Lewis+    uint64_t b0;
1095*13effbfbSDon Lewis     {
1096*13effbfbSDon Lewis         uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U;
1097*13effbfbSDon Lewis         uint64_t z = output[ctr - (uint32_t)1U];
1098*13effbfbSDon Lewis@@ -150,13 +151,15 @@
1099*13effbfbSDon Lewis         output[ctr] = z;
1100*13effbfbSDon Lewis     }
1101*13effbfbSDon Lewis     output[0U] = tmp;
1102*13effbfbSDon Lewis-    uint64_t b0 = output[0U];
1103*13effbfbSDon Lewis+    b0 = output[0U];
1104*13effbfbSDon Lewis     output[0U] = (uint64_t)19U * b0;
1105*13effbfbSDon Lewis }
1106*13effbfbSDon Lewis
1107*13effbfbSDon Lewis static void
1108*13effbfbSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21)
1109*13effbfbSDon Lewis {
1110*13effbfbSDon Lewis+    uint32_t i;
1111*13effbfbSDon Lewis+    uint64_t input2i;
1112*13effbfbSDon Lewis     {
1113*13effbfbSDon Lewis         uint64_t input2i = input21[0U];
1114*13effbfbSDon Lewis         Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
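Review bot: The function-scope `uint64_t input2i;` added here is shadowed by the block-local `uint64_t input2i = input21[0U];` two lines below. The next hunk shows another unrolled block using the same name, so the shadowing presumably repeats in each of them. The code is still correct, because the outer variable is only assigned and read after those blocks, but it will trip -Wshadow and makes it easy to misread which `input2i` a line refers to. A smaller change that avoids both hoisted variables is to wrap the tail in a block like its neighbours: `{ uint32_t i = (uint32_t)4U; uint64_t input2i = input21[i]; Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); }`. The function body continues outside this hunk.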
1115*13effbfbSDon Lewis@@ -177,8 +180,8 @@
1116*13effbfbSDon Lewis         Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1117*13effbfbSDon Lewis         Hacl_Bignum_Fmul_shift_reduce(input);
1118*13effbfbSDon Lewis     }
1119*13effbfbSDon Lewis-    uint32_t i = (uint32_t)4U;
1120*13effbfbSDon Lewis-    uint64_t input2i = input21[i];
1121*13effbfbSDon Lewis+    i = (uint32_t)4U;
1122*13effbfbSDon Lewis+    input2i = input21[i];
1123*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1124*13effbfbSDon Lewis }
1125*13effbfbSDon Lewis
1126*13effbfbSDon Lewis@@ -186,29 +189,35 @@
1127*13effbfbSDon Lewis Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21)
1128*13effbfbSDon Lewis {
1129*13effbfbSDon Lewis     uint64_t tmp[5U] = { 0U };
1130*13effbfbSDon Lewis+    uint32_t _i;
1131*13effbfbSDon Lewis+    FStar_UInt128_t b4;
1132*13effbfbSDon Lewis+    FStar_UInt128_t b0;
1133*13effbfbSDon Lewis+    FStar_UInt128_t b4_;
1134*13effbfbSDon Lewis+    FStar_UInt128_t b0_;
1135*13effbfbSDon Lewis+    FStar_UInt128_t t[5U];
1136*13effbfbSDon Lewis+    uint64_t i0;
1137*13effbfbSDon Lewis+    uint64_t i1;
1138*13effbfbSDon Lewis+    uint64_t i0_;
1139*13effbfbSDon Lewis+    uint64_t i1_;
1140*13effbfbSDon Lewis     memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1141*13effbfbSDon Lewis     KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1142*13effbfbSDon Lewis-    FStar_UInt128_t t[5U];
1143*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
1144*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)5U; ++_i)
1145*13effbfbSDon Lewis         t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
1146*13effbfbSDon Lewis     Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
1147*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_carry_wide_(t);
1148*13effbfbSDon Lewis-    FStar_UInt128_t b4 = t[4U];
1149*13effbfbSDon Lewis-    FStar_UInt128_t b0 = t[0U];
1150*13effbfbSDon Lewis-    FStar_UInt128_t
1151*13effbfbSDon Lewis-        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1152*13effbfbSDon Lewis-    FStar_UInt128_t
1153*13effbfbSDon Lewis-        b0_ =
1154*13effbfbSDon Lewis-            FStar_UInt128_add(b0,
1155*13effbfbSDon Lewis+    b4 = t[4U];
1156*13effbfbSDon Lewis+    b0 = t[0U];
1157*13effbfbSDon Lewis+    b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1158*13effbfbSDon Lewis+    b0_ = FStar_UInt128_add(b0,
1159*13effbfbSDon Lewis                               FStar_UInt128_mul_wide((uint64_t)19U,
1160*13effbfbSDon Lewis                                                      FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
1161*13effbfbSDon Lewis     t[4U] = b4_;
1162*13effbfbSDon Lewis     t[0U] = b0_;
1163*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
1164*13effbfbSDon Lewis-    uint64_t i0 = output[0U];
1165*13effbfbSDon Lewis-    uint64_t i1 = output[1U];
1166*13effbfbSDon Lewis-    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1167*13effbfbSDon Lewis-    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
1168*13effbfbSDon Lewis+    i0 = output[0U];
1169*13effbfbSDon Lewis+    i1 = output[1U];
1170*13effbfbSDon Lewis+    i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1171*13effbfbSDon Lewis+    i1_ = i1 + (i0 >> (uint32_t)51U);
1172*13effbfbSDon Lewis     output[0U] = i0_;
1173*13effbfbSDon Lewis     output[1U] = i1_;
1174*13effbfbSDon Lewis }
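Review bot: Nothing in this hunk, or in the rest of the visible patch, records that the edits under `freebl/verified/` are meant to be declaration hoisting only, with no arithmetic changed. These files look machine-extracted (they use `kremlib.h`, `KRML_CHECK_SIZE` and `FStar_UInt128_*`), so whatever assurance the upstream output carries presumably does not extend to hand edits, and a later reader diffing against upstream has to re-check that by eye. A short comment at the top of each patched file would help, for example `/* Local change: declarations moved to block start for older C compilers; no expressions altered. */`. In this hunk the `b0_` assignment was also re-wrapped onto a single opening line, which such a comment should cover as well.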
1175*13effbfbSDon Lewis@@ -226,28 +235,28 @@
1176*13effbfbSDon Lewis     uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
1177*13effbfbSDon Lewis     uint64_t d419 = r4 * (uint64_t)19U;
1178*13effbfbSDon Lewis     uint64_t d4 = d419 * (uint64_t)2U;
1179*13effbfbSDon Lewis-    FStar_UInt128_t
1180*13effbfbSDon Lewis-        s0 =
1181*13effbfbSDon Lewis+    FStar_UInt128_t s0;
1182*13effbfbSDon Lewis+    FStar_UInt128_t s1;
1183*13effbfbSDon Lewis+    FStar_UInt128_t s2;
1184*13effbfbSDon Lewis+    FStar_UInt128_t s3;
1185*13effbfbSDon Lewis+    FStar_UInt128_t s4;
1186*13effbfbSDon Lewis+    s0 =
1187*13effbfbSDon Lewis             FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
1188*13effbfbSDon Lewis                                                 FStar_UInt128_mul_wide(d4, r1)),
1189*13effbfbSDon Lewis                               FStar_UInt128_mul_wide(d2, r3));
1190*13effbfbSDon Lewis-    FStar_UInt128_t
1191*13effbfbSDon Lewis-        s1 =
1192*13effbfbSDon Lewis+    s1 =
1193*13effbfbSDon Lewis             FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
1194*13effbfbSDon Lewis                                                 FStar_UInt128_mul_wide(d4, r2)),
1195*13effbfbSDon Lewis                               FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
1196*13effbfbSDon Lewis-    FStar_UInt128_t
1197*13effbfbSDon Lewis-        s2 =
1198*13effbfbSDon Lewis+    s2 =
1199*13effbfbSDon Lewis             FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
1200*13effbfbSDon Lewis                                                 FStar_UInt128_mul_wide(r1, r1)),
1201*13effbfbSDon Lewis                               FStar_UInt128_mul_wide(d4, r3));
1202*13effbfbSDon Lewis-    FStar_UInt128_t
1203*13effbfbSDon Lewis-        s3 =
1204*13effbfbSDon Lewis+    s3 =
1205*13effbfbSDon Lewis             FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
1206*13effbfbSDon Lewis                                                 FStar_UInt128_mul_wide(d1, r2)),
1207*13effbfbSDon Lewis                               FStar_UInt128_mul_wide(r4, d419));
1208*13effbfbSDon Lewis-    FStar_UInt128_t
1209*13effbfbSDon Lewis-        s4 =
1210*13effbfbSDon Lewis+    s4 =
1211*13effbfbSDon Lewis             FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
1212*13effbfbSDon Lewis                                                 FStar_UInt128_mul_wide(d1, r3)),
1213*13effbfbSDon Lewis                               FStar_UInt128_mul_wide(r2, r2));
1214*13effbfbSDon Lewis@@ -261,24 +270,30 @@
1215*13effbfbSDon Lewis inline static void
1216*13effbfbSDon Lewis Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
1217*13effbfbSDon Lewis {
1218*13effbfbSDon Lewis+    FStar_UInt128_t b4;
1219*13effbfbSDon Lewis+    FStar_UInt128_t b0;
1220*13effbfbSDon Lewis+    FStar_UInt128_t b4_;
1221*13effbfbSDon Lewis+    FStar_UInt128_t b0_;
1222*13effbfbSDon Lewis+    uint64_t i0;
1223*13effbfbSDon Lewis+    uint64_t i1;
1224*13effbfbSDon Lewis+    uint64_t i0_;
1225*13effbfbSDon Lewis+    uint64_t i1_;
1226*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare__(tmp, output);
1227*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_carry_wide_(tmp);
1228*13effbfbSDon Lewis-    FStar_UInt128_t b4 = tmp[4U];
1229*13effbfbSDon Lewis-    FStar_UInt128_t b0 = tmp[0U];
1230*13effbfbSDon Lewis-    FStar_UInt128_t
1231*13effbfbSDon Lewis-        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1232*13effbfbSDon Lewis-    FStar_UInt128_t
1233*13effbfbSDon Lewis-        b0_ =
1234*13effbfbSDon Lewis+    b4 = tmp[4U];
1235*13effbfbSDon Lewis+    b0 = tmp[0U];
1236*13effbfbSDon Lewis+    b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1237*13effbfbSDon Lewis+    b0_ =
1238*13effbfbSDon Lewis             FStar_UInt128_add(b0,
1239*13effbfbSDon Lewis                               FStar_UInt128_mul_wide((uint64_t)19U,
1240*13effbfbSDon Lewis                                                      FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
1241*13effbfbSDon Lewis     tmp[4U] = b4_;
1242*13effbfbSDon Lewis     tmp[0U] = b0_;
1243*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
1244*13effbfbSDon Lewis-    uint64_t i0 = output[0U];
1245*13effbfbSDon Lewis-    uint64_t i1 = output[1U];
1246*13effbfbSDon Lewis-    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1247*13effbfbSDon Lewis-    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
1248*13effbfbSDon Lewis+    i0 = output[0U];
1249*13effbfbSDon Lewis+    i1 = output[1U];
1250*13effbfbSDon Lewis+    i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1251*13effbfbSDon Lewis+    i1_ = i1 + (i0 >> (uint32_t)51U);
1252*13effbfbSDon Lewis     output[0U] = i0_;
1253*13effbfbSDon Lewis     output[1U] = i1_;
1254*13effbfbSDon Lewis }
1255*13effbfbSDon Lewis@@ -286,17 +301,19 @@
1256*13effbfbSDon Lewis static void
1257*13effbfbSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1)
1258*13effbfbSDon Lewis {
1259*13effbfbSDon Lewis+    uint32_t i;
1260*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_(tmp, input);
1261*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
1262*13effbfbSDon Lewis+    for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
1263*13effbfbSDon Lewis         Hacl_Bignum_Fsquare_fsquare_(tmp, input);
1264*13effbfbSDon Lewis }
1265*13effbfbSDon Lewis
1266*13effbfbSDon Lewis inline static void
1267*13effbfbSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
1268*13effbfbSDon Lewis {
1269*13effbfbSDon Lewis-    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1270*13effbfbSDon Lewis     FStar_UInt128_t t[5U];
1271*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
1272*13effbfbSDon Lewis+    uint32_t _i;
1273*13effbfbSDon Lewis+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1274*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)5U; ++_i)
1275*13effbfbSDon Lewis         t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
1276*13effbfbSDon Lewis     memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
1277*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
1278*13effbfbSDon Lewis@@ -305,9 +322,10 @@
1279*13effbfbSDon Lewis inline static void
1280*13effbfbSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
1281*13effbfbSDon Lewis {
1282*13effbfbSDon Lewis-    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1283*13effbfbSDon Lewis     FStar_UInt128_t t[5U];
1284*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
1285*13effbfbSDon Lewis+    uint32_t _i;
1286*13effbfbSDon Lewis+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1287*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)5U; ++_i)
1288*13effbfbSDon Lewis         t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
1289*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
1290*13effbfbSDon Lewis }
1291*13effbfbSDon Lewis@@ -319,6 +337,13 @@
1292*13effbfbSDon Lewis     uint64_t *a = buf;
1293*13effbfbSDon Lewis     uint64_t *t00 = buf + (uint32_t)5U;
1294*13effbfbSDon Lewis     uint64_t *b0 = buf + (uint32_t)10U;
1295*13effbfbSDon Lewis+    uint64_t *t01;
1296*13effbfbSDon Lewis+    uint64_t *b1;
1297*13effbfbSDon Lewis+    uint64_t *c0;
1298*13effbfbSDon Lewis+    uint64_t *a0;
1299*13effbfbSDon Lewis+    uint64_t *t0;
1300*13effbfbSDon Lewis+    uint64_t *b;
1301*13effbfbSDon Lewis+    uint64_t *c;
1302*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U);
1303*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U);
1304*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(b0, t00, z);
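Review bot: The seven pointers added here (`t01`, `b1`, `c0`, `a0`, `t0`, `b`, `c`) are declared without initialisers and only assigned in later hunks, although each is a fixed offset into `buf`, which is already in scope for `a`, `t00` and `b0` just above. Initialising them at the declaration is still valid at block start and leaves no indeterminate pointers, e.g. `uint64_t *t01 = buf + (uint32_t)5U;`, with the later assignment lines dropped. The function starts before this hunk and continues in the next two. The `@@ -538,6 +572,16 @@` hunk hoists `origxprime0` through `zz` in the same way.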
1305*13effbfbSDon Lewis@@ -326,9 +351,9 @@
1306*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U);
1307*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(b0, t00, b0);
1308*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
1309*13effbfbSDon Lewis-    uint64_t *t01 = buf + (uint32_t)5U;
1310*13effbfbSDon Lewis-    uint64_t *b1 = buf + (uint32_t)10U;
1311*13effbfbSDon Lewis-    uint64_t *c0 = buf + (uint32_t)15U;
1312*13effbfbSDon Lewis+    t01 = buf + (uint32_t)5U;
1313*13effbfbSDon Lewis+    b1 = buf + (uint32_t)10U;
1314*13effbfbSDon Lewis+    c0 = buf + (uint32_t)15U;
1315*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(b1, t01, b1);
1316*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
1317*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(c0, t01, b1);
1318*13effbfbSDon Lewis@@ -337,10 +362,10 @@
1319*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
1320*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(b1, t01, b1);
1321*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
1322*13effbfbSDon Lewis-    uint64_t *a0 = buf;
1323*13effbfbSDon Lewis-    uint64_t *t0 = buf + (uint32_t)5U;
1324*13effbfbSDon Lewis-    uint64_t *b = buf + (uint32_t)10U;
1325*13effbfbSDon Lewis-    uint64_t *c = buf + (uint32_t)15U;
1326*13effbfbSDon Lewis+    a0 = buf;
1327*13effbfbSDon Lewis+    t0 = buf + (uint32_t)5U;
1328*13effbfbSDon Lewis+    b = buf + (uint32_t)10U;
1329*13effbfbSDon Lewis+    c = buf + (uint32_t)15U;
1330*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(c, t0, b);
1331*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
1332*13effbfbSDon Lewis     Hacl_Bignum_Fmul_fmul(t0, t0, c);
1333*13effbfbSDon Lewis@@ -384,12 +409,17 @@
1334*13effbfbSDon Lewis Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
1335*13effbfbSDon Lewis {
1336*13effbfbSDon Lewis     uint64_t tmp[5U] = { 0U };
1337*13effbfbSDon Lewis+    uint64_t b0;
1338*13effbfbSDon Lewis+    uint64_t b1;
1339*13effbfbSDon Lewis+    uint64_t b2;
1340*13effbfbSDon Lewis+    uint64_t b3;
1341*13effbfbSDon Lewis+    uint64_t b4;
1342*13effbfbSDon Lewis     memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
1343*13effbfbSDon Lewis-    uint64_t b0 = tmp[0U];
1344*13effbfbSDon Lewis-    uint64_t b1 = tmp[1U];
1345*13effbfbSDon Lewis-    uint64_t b2 = tmp[2U];
1346*13effbfbSDon Lewis-    uint64_t b3 = tmp[3U];
1347*13effbfbSDon Lewis-    uint64_t b4 = tmp[4U];
1348*13effbfbSDon Lewis+    b0 = tmp[0U];
1349*13effbfbSDon Lewis+    b1 = tmp[1U];
1350*13effbfbSDon Lewis+    b2 = tmp[2U];
1351*13effbfbSDon Lewis+    b3 = tmp[3U];
1352*13effbfbSDon Lewis+    b4 = tmp[4U];
1353*13effbfbSDon Lewis     tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
1354*13effbfbSDon Lewis     tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
1355*13effbfbSDon Lewis     tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
1356*13effbfbSDon Lewis@@ -425,9 +455,14 @@
1357*13effbfbSDon Lewis inline static void
1358*13effbfbSDon Lewis Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
1359*13effbfbSDon Lewis {
1360*13effbfbSDon Lewis-    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1361*13effbfbSDon Lewis     FStar_UInt128_t tmp[5U];
1362*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
1363*13effbfbSDon Lewis+    uint32_t _i;
1364*13effbfbSDon Lewis+    FStar_UInt128_t b4;
1365*13effbfbSDon Lewis+    FStar_UInt128_t b0;
1366*13effbfbSDon Lewis+    FStar_UInt128_t b4_;
1367*13effbfbSDon Lewis+    FStar_UInt128_t b0_;
1368*13effbfbSDon Lewis+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1369*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)5U; ++_i)
1370*13effbfbSDon Lewis         tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
1371*13effbfbSDon Lewis     {
1372*13effbfbSDon Lewis         uint64_t xi = b[0U];
1373*13effbfbSDon Lewis@@ -450,12 +485,10 @@
1374*13effbfbSDon Lewis         tmp[4U] = FStar_UInt128_mul_wide(xi, s);
1375*13effbfbSDon Lewis     }
1376*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_carry_wide_(tmp);
1377*13effbfbSDon Lewis-    FStar_UInt128_t b4 = tmp[4U];
1378*13effbfbSDon Lewis-    FStar_UInt128_t b0 = tmp[0U];
1379*13effbfbSDon Lewis-    FStar_UInt128_t
1380*13effbfbSDon Lewis-        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1381*13effbfbSDon Lewis-    FStar_UInt128_t
1382*13effbfbSDon Lewis-        b0_ =
1383*13effbfbSDon Lewis+    b4 = tmp[4U];
1384*13effbfbSDon Lewis+    b0 = tmp[0U];
1385*13effbfbSDon Lewis+    b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1386*13effbfbSDon Lewis+    b0_ =
1387*13effbfbSDon Lewis             FStar_UInt128_add(b0,
1388*13effbfbSDon Lewis                               FStar_UInt128_mul_wide((uint64_t)19U,
1389*13effbfbSDon Lewis                                                      FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
1390*13effbfbSDon Lewis@@ -492,9 +525,10 @@
1391*13effbfbSDon Lewis static void
1392*13effbfbSDon Lewis Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
1393*13effbfbSDon Lewis {
1394*13effbfbSDon Lewis+    uint32_t i;
1395*13effbfbSDon Lewis     if (!(ctr == (uint32_t)0U)) {
1396*13effbfbSDon Lewis         Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
1397*13effbfbSDon Lewis-        uint32_t i = ctr - (uint32_t)1U;
1398*13effbfbSDon Lewis+        i = ctr - (uint32_t)1U;
1399*13effbfbSDon Lewis         Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
1400*13effbfbSDon Lewis     }
1401*13effbfbSDon Lewis }
1402*13effbfbSDon Lewis@@ -538,6 +572,16 @@
1403*13effbfbSDon Lewis     uint64_t *origxprime = buf + (uint32_t)5U;
1404*13effbfbSDon Lewis     uint64_t *xxprime0 = buf + (uint32_t)25U;
1405*13effbfbSDon Lewis     uint64_t *zzprime0 = buf + (uint32_t)30U;
1406*13effbfbSDon Lewis+    uint64_t *origxprime0;
1407*13effbfbSDon Lewis+    uint64_t *xx0;
1408*13effbfbSDon Lewis+    uint64_t *zz0;
1409*13effbfbSDon Lewis+    uint64_t *xxprime;
1410*13effbfbSDon Lewis+    uint64_t *zzprime;
1411*13effbfbSDon Lewis+    uint64_t *zzzprime;
1412*13effbfbSDon Lewis+    uint64_t *zzz;
1413*13effbfbSDon Lewis+    uint64_t *xx;
1414*13effbfbSDon Lewis+    uint64_t *zz;
1415*13effbfbSDon Lewis+    uint64_t scalar = (uint64_t)121665U;
1416*13effbfbSDon Lewis     memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
1417*13effbfbSDon Lewis     Hacl_Bignum_fsum(x, z);
1418*13effbfbSDon Lewis     Hacl_Bignum_fdifference(z, origx);
1419*13effbfbSDon Lewis@@ -546,12 +590,12 @@
1420*13effbfbSDon Lewis     Hacl_Bignum_fdifference(zprime, origxprime);
1421*13effbfbSDon Lewis     Hacl_Bignum_fmul(xxprime0, xprime, z);
1422*13effbfbSDon Lewis     Hacl_Bignum_fmul(zzprime0, x, zprime);
1423*13effbfbSDon Lewis-    uint64_t *origxprime0 = buf + (uint32_t)5U;
1424*13effbfbSDon Lewis-    uint64_t *xx0 = buf + (uint32_t)15U;
1425*13effbfbSDon Lewis-    uint64_t *zz0 = buf + (uint32_t)20U;
1426*13effbfbSDon Lewis-    uint64_t *xxprime = buf + (uint32_t)25U;
1427*13effbfbSDon Lewis-    uint64_t *zzprime = buf + (uint32_t)30U;
1428*13effbfbSDon Lewis-    uint64_t *zzzprime = buf + (uint32_t)35U;
1429*13effbfbSDon Lewis+    origxprime0 = buf + (uint32_t)5U;
1430*13effbfbSDon Lewis+    xx0 = buf + (uint32_t)15U;
1431*13effbfbSDon Lewis+    zz0 = buf + (uint32_t)20U;
1432*13effbfbSDon Lewis+    xxprime = buf + (uint32_t)25U;
1433*13effbfbSDon Lewis+    zzprime = buf + (uint32_t)30U;
1434*13effbfbSDon Lewis+    zzzprime = buf + (uint32_t)35U;
1435*13effbfbSDon Lewis     memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
1436*13effbfbSDon Lewis     Hacl_Bignum_fsum(xxprime, zzprime);
1437*13effbfbSDon Lewis     Hacl_Bignum_fdifference(zzprime, origxprime0);
1438*13effbfbSDon Lewis@@ -560,12 +604,11 @@
1439*13effbfbSDon Lewis     Hacl_Bignum_fmul(z3, zzzprime, qx);
1440*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
1441*13effbfbSDon Lewis     Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
1442*13effbfbSDon Lewis-    uint64_t *zzz = buf + (uint32_t)10U;
1443*13effbfbSDon Lewis-    uint64_t *xx = buf + (uint32_t)15U;
1444*13effbfbSDon Lewis-    uint64_t *zz = buf + (uint32_t)20U;
1445*13effbfbSDon Lewis+    zzz = buf + (uint32_t)10U;
1446*13effbfbSDon Lewis+    xx = buf + (uint32_t)15U;
1447*13effbfbSDon Lewis+    zz = buf + (uint32_t)20U;
1448*13effbfbSDon Lewis     Hacl_Bignum_fmul(x2, xx, zz);
1449*13effbfbSDon Lewis     Hacl_Bignum_fdifference(zz, xx);
1450*13effbfbSDon Lewis-    uint64_t scalar = (uint64_t)121665U;
1451*13effbfbSDon Lewis     Hacl_Bignum_fscalar(zzz, zz, scalar);
1452*13effbfbSDon Lewis     Hacl_Bignum_fsum(zzz, xx);
1453*13effbfbSDon Lewis     Hacl_Bignum_fmul(z2, zzz, zz);
1454*13effbfbSDon Lewis@@ -581,9 +624,10 @@
1455*13effbfbSDon Lewis     uint8_t byt)
1456*13effbfbSDon Lewis {
1457*13effbfbSDon Lewis     uint64_t bit = (uint64_t)(byt >> (uint32_t)7U);
1458*13effbfbSDon Lewis+    uint64_t bit0;
1459*13effbfbSDon Lewis     Hacl_EC_Point_swap_conditional(nq, nqpq, bit);
1460*13effbfbSDon Lewis     Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
1461*13effbfbSDon Lewis-    uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
1462*13effbfbSDon Lewis+    bit0 = (uint64_t)(byt >> (uint32_t)7U);
1463*13effbfbSDon Lewis     Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0);
1464*13effbfbSDon Lewis }
1465*13effbfbSDon Lewis
1466*13effbfbSDon Lewis@@ -596,8 +640,9 @@
1467*13effbfbSDon Lewis     uint64_t *q,
1468*13effbfbSDon Lewis     uint8_t byt)
1469*13effbfbSDon Lewis {
1470*13effbfbSDon Lewis+    uint8_t byt1;
1471*13effbfbSDon Lewis     Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
1472*13effbfbSDon Lewis-    uint8_t byt1 = byt << (uint32_t)1U;
1473*13effbfbSDon Lewis+    byt1 = byt << (uint32_t)1U;
1474*13effbfbSDon Lewis     Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
1475*13effbfbSDon Lewis }
1476*13effbfbSDon Lewis
1477*13effbfbSDon Lewis@@ -613,8 +658,9 @@
1478*13effbfbSDon Lewis {
1479*13effbfbSDon Lewis     if (!(i == (uint32_t)0U)) {
1480*13effbfbSDon Lewis         uint32_t i_ = i - (uint32_t)1U;
1481*13effbfbSDon Lewis+        uint8_t byt_;
1482*13effbfbSDon Lewis         Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
1483*13effbfbSDon Lewis-        uint8_t byt_ = byt << (uint32_t)2U;
1484*13effbfbSDon Lewis+        byt_ = byt << (uint32_t)2U;
1485*13effbfbSDon Lewis         Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
1486*13effbfbSDon Lewis     }
1487*13effbfbSDon Lewis }
1488*13effbfbSDon Lewis@@ -731,12 +777,16 @@
1489*13effbfbSDon Lewis static void
1490*13effbfbSDon Lewis Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
1491*13effbfbSDon Lewis {
1492*13effbfbSDon Lewis+    uint64_t i0;
1493*13effbfbSDon Lewis+    uint64_t i1;
1494*13effbfbSDon Lewis+    uint64_t i0_;
1495*13effbfbSDon Lewis+    uint64_t i1_;
1496*13effbfbSDon Lewis     Hacl_EC_Format_fcontract_second_carry_pass(input);
1497*13effbfbSDon Lewis     Hacl_Bignum_Modulo_carry_top(input);
1498*13effbfbSDon Lewis-    uint64_t i0 = input[0U];
1499*13effbfbSDon Lewis-    uint64_t i1 = input[1U];
1500*13effbfbSDon Lewis-    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1501*13effbfbSDon Lewis-    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
1502*13effbfbSDon Lewis+    i0 = input[0U];
1503*13effbfbSDon Lewis+    i1 = input[1U];
1504*13effbfbSDon Lewis+    i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1505*13effbfbSDon Lewis+    i1_ = i1 + (i0 >> (uint32_t)51U);
1506*13effbfbSDon Lewis     input[0U] = i0_;
1507*13effbfbSDon Lewis     input[1U] = i1_;
1508*13effbfbSDon Lewis }
1509*13effbfbSDon Lewis@@ -817,22 +867,31 @@
1510*13effbfbSDon Lewis     uint64_t buf0[10U] = { 0U };
1511*13effbfbSDon Lewis     uint64_t *x0 = buf0;
1512*13effbfbSDon Lewis     uint64_t *z = buf0 + (uint32_t)5U;
1513*13effbfbSDon Lewis+    uint64_t *q;
1514*13effbfbSDon Lewis+    uint8_t e[32U] = { 0U };
1515*13effbfbSDon Lewis+    uint8_t e0;
1516*13effbfbSDon Lewis+    uint8_t e31;
1517*13effbfbSDon Lewis+    uint8_t e01;
1518*13effbfbSDon Lewis+    uint8_t e311;
1519*13effbfbSDon Lewis+    uint8_t e312;
1520*13effbfbSDon Lewis+    uint8_t *scalar;
1521*13effbfbSDon Lewis+    uint64_t buf[15U] = { 0U };
1522*13effbfbSDon Lewis+    uint64_t *nq;
1523*13effbfbSDon Lewis+    uint64_t *x;
1524*13effbfbSDon Lewis     Hacl_EC_Format_fexpand(x0, basepoint);
1525*13effbfbSDon Lewis     z[0U] = (uint64_t)1U;
1526*13effbfbSDon Lewis-    uint64_t *q = buf0;
1527*13effbfbSDon Lewis-    uint8_t e[32U] = { 0U };
1528*13effbfbSDon Lewis+    q = buf0;
1529*13effbfbSDon Lewis     memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
1530*13effbfbSDon Lewis-    uint8_t e0 = e[0U];
1531*13effbfbSDon Lewis-    uint8_t e31 = e[31U];
1532*13effbfbSDon Lewis-    uint8_t e01 = e0 & (uint8_t)248U;
1533*13effbfbSDon Lewis-    uint8_t e311 = e31 & (uint8_t)127U;
1534*13effbfbSDon Lewis-    uint8_t e312 = e311 | (uint8_t)64U;
1535*13effbfbSDon Lewis+    e0 = e[0U];
1536*13effbfbSDon Lewis+    e31 = e[31U];
1537*13effbfbSDon Lewis+    e01 = e0 & (uint8_t)248U;
1538*13effbfbSDon Lewis+    e311 = e31 & (uint8_t)127U;
1539*13effbfbSDon Lewis+    e312 = e311 | (uint8_t)64U;
1540*13effbfbSDon Lewis     e[0U] = e01;
1541*13effbfbSDon Lewis     e[31U] = e312;
1542*13effbfbSDon Lewis-    uint8_t *scalar = e;
1543*13effbfbSDon Lewis-    uint64_t buf[15U] = { 0U };
1544*13effbfbSDon Lewis-    uint64_t *nq = buf;
1545*13effbfbSDon Lewis-    uint64_t *x = nq;
1546*13effbfbSDon Lewis+    scalar = e;
1547*13effbfbSDon Lewis+    nq = buf;
1548*13effbfbSDon Lewis+    x = nq;
1549*13effbfbSDon Lewis     x[0U] = (uint64_t)1U;
1550*13effbfbSDon Lewis     Hacl_EC_Ladder_cmult(nq, scalar, q);
1551*13effbfbSDon Lewis     Hacl_EC_Format_scalar_of_point(mypublic, nq);
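Review bot: `e` holds a clamped copy of `secret` and `buf` holds the ladder state derived from it, and in the lines shown neither is cleared after `Hacl_EC_Format_scalar_of_point` writes the result. The end of the function is outside this hunk, so a wipe may exist below; if it does not, both copies stay on the stack after return. A comment on the hoisted declaration would at least flag this, e.g. `uint8_t e[32U] = { 0U }; /* clamped private scalar; not wiped before return */`. Any clearing added later should use a primitive the compiler cannot elide rather than a plain `memset`.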
1552*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h
1553*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h 2018-08-31 05:55:53.000000000 -0700
1554*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h   2018-10-21 22:18:23.286647000 -0700
1555*13effbfbSDon Lewis@@ -13,6 +13,7 @@
1556*13effbfbSDon Lewis  * limitations under the License.
1557*13effbfbSDon Lewis  */
1558*13effbfbSDon Lewis
1559*13effbfbSDon Lewis+#include "secport.h"
1560*13effbfbSDon Lewis #include "kremlib.h"
1561*13effbfbSDon Lewis #ifndef __Hacl_Curve25519_H
1562*13effbfbSDon Lewis #define __Hacl_Curve25519_H
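Review bot: The added `#include "secport.h"` gives no hint of which declaration this header needs from it, and nothing in the visible Curve25519 hunks uses a `PORT_` name. A one-line comment would keep the dependency from being dropped on the next upstream sync, e.g. `#include "secport.h" /* <what is needed from it> */`. The include also sits above the `#ifndef __Hacl_Curve25519_H` guard, like `kremlib.h`, so it relies on `secport.h` having its own guard.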
1563*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c
1564*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c    2018-08-31 05:55:53.000000000 -0700
1565*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c  2018-10-22 00:58:55.601973000 -0700
1566*13effbfbSDon Lewis@@ -47,7 +47,8 @@
1567*13effbfbSDon Lewis inline static void
1568*13effbfbSDon Lewis Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input)
1569*13effbfbSDon Lewis {
1570*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1571*13effbfbSDon Lewis+    uint32_t i;
1572*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1573*13effbfbSDon Lewis         uint64_t xi = input[i];
1574*13effbfbSDon Lewis         output[i] = (uint32_t)xi;
1575*13effbfbSDon Lewis     }
1576*13effbfbSDon Lewis@@ -56,7 +57,8 @@
1577*13effbfbSDon Lewis inline static void
1578*13effbfbSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint64_t *output, uint32_t *input, uint32_t s)
1579*13effbfbSDon Lewis {
1580*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1581*13effbfbSDon Lewis+    uint32_t i;
1582*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1583*13effbfbSDon Lewis         uint64_t xi = output[i];
1584*13effbfbSDon Lewis         uint32_t yi = input[i];
1585*13effbfbSDon Lewis         uint64_t x_wide = (uint64_t)yi;
1586*13effbfbSDon Lewis@@ -68,7 +70,8 @@
1587*13effbfbSDon Lewis inline static void
1588*13effbfbSDon Lewis Hacl_Bignum_Fproduct_carry_wide_(uint64_t *tmp)
1589*13effbfbSDon Lewis {
1590*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1591*13effbfbSDon Lewis+    uint32_t i;
1592*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1593*13effbfbSDon Lewis         uint32_t ctr = i;
1594*13effbfbSDon Lewis         uint64_t tctr = tmp[ctr];
1595*13effbfbSDon Lewis         uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
1596*13effbfbSDon Lewis@@ -82,7 +85,8 @@
1597*13effbfbSDon Lewis inline static void
1598*13effbfbSDon Lewis Hacl_Bignum_Fproduct_carry_limb_(uint32_t *tmp)
1599*13effbfbSDon Lewis {
1600*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1601*13effbfbSDon Lewis+    uint32_t i;
1602*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1603*13effbfbSDon Lewis         uint32_t ctr = i;
1604*13effbfbSDon Lewis         uint32_t tctr = tmp[ctr];
1605*13effbfbSDon Lewis         uint32_t tctrp1 = tmp[ctr + (uint32_t)1U];
1606*13effbfbSDon Lewis@@ -97,7 +101,8 @@
1607*13effbfbSDon Lewis Hacl_Bignum_Fmul_shift_reduce(uint32_t *output)
1608*13effbfbSDon Lewis {
1609*13effbfbSDon Lewis     uint32_t tmp = output[4U];
1610*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1611*13effbfbSDon Lewis+    uint32_t i;
1612*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1613*13effbfbSDon Lewis         uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
1614*13effbfbSDon Lewis         uint32_t z = output[ctr - (uint32_t)1U];
1615*13effbfbSDon Lewis         output[ctr] = z;
1616*13effbfbSDon Lewis@@ -109,13 +114,15 @@
1617*13effbfbSDon Lewis static void
1618*13effbfbSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(uint64_t *output, uint32_t *input, uint32_t *input2)
1619*13effbfbSDon Lewis {
1620*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1621*13effbfbSDon Lewis+    uint32_t i;
1622*13effbfbSDon Lewis+    uint32_t input2i;
1623*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1624*13effbfbSDon Lewis         uint32_t input2i = input2[i];
1625*13effbfbSDon Lewis         Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1626*13effbfbSDon Lewis         Hacl_Bignum_Fmul_shift_reduce(input);
1627*13effbfbSDon Lewis     }
1628*13effbfbSDon Lewis-    uint32_t i = (uint32_t)4U;
1629*13effbfbSDon Lewis-    uint32_t input2i = input2[i];
1630*13effbfbSDon Lewis+    i = (uint32_t)4U;
1631*13effbfbSDon Lewis+    input2i = input2[i];
1632*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1633*13effbfbSDon Lewis }
1634*13effbfbSDon Lewis
1635*13effbfbSDon Lewis@@ -123,16 +130,20 @@
1636*13effbfbSDon Lewis Hacl_Bignum_Fmul_fmul(uint32_t *output, uint32_t *input, uint32_t *input2)
1637*13effbfbSDon Lewis {
1638*13effbfbSDon Lewis     uint32_t tmp[5U] = { 0U };
1639*13effbfbSDon Lewis-    memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1640*13effbfbSDon Lewis     uint64_t t[5U] = { 0U };
1641*13effbfbSDon Lewis+    uint32_t i0;
1642*13effbfbSDon Lewis+    uint32_t i1;
1643*13effbfbSDon Lewis+    uint32_t i0_;
1644*13effbfbSDon Lewis+    uint32_t i1_;
1645*13effbfbSDon Lewis+    memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1646*13effbfbSDon Lewis     Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
1647*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_carry_wide_(t);
1648*13effbfbSDon Lewis     Hacl_Bignum_Modulo_carry_top_wide(t);
1649*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
1650*13effbfbSDon Lewis-    uint32_t i0 = output[0U];
1651*13effbfbSDon Lewis-    uint32_t i1 = output[1U];
1652*13effbfbSDon Lewis-    uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
1653*13effbfbSDon Lewis-    uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
1654*13effbfbSDon Lewis+    i0 = output[0U];
1655*13effbfbSDon Lewis+    i1 = output[1U];
1656*13effbfbSDon Lewis+    i0_ = i0 & (uint32_t)0x3ffffffU;
1657*13effbfbSDon Lewis+    i1_ = i1 + (i0 >> (uint32_t)26U);
1658*13effbfbSDon Lewis     output[0U] = i0_;
1659*13effbfbSDon Lewis     output[1U] = i1_;
1660*13effbfbSDon Lewis }
1661*13effbfbSDon Lewis@@ -140,7 +151,8 @@
1662*13effbfbSDon Lewis inline static void
1663*13effbfbSDon Lewis Hacl_Bignum_AddAndMultiply_add_and_multiply(uint32_t *acc, uint32_t *block, uint32_t *r)
1664*13effbfbSDon Lewis {
1665*13effbfbSDon Lewis-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1666*13effbfbSDon Lewis+    uint32_t i;
1667*13effbfbSDon Lewis+    for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1668*13effbfbSDon Lewis         uint32_t xi = acc[i];
1669*13effbfbSDon Lewis         uint32_t yi = block[i];
1670*13effbfbSDon Lewis         acc[i] = xi + yi;
1671*13effbfbSDon Lewis@@ -175,13 +187,15 @@
1672*13effbfbSDon Lewis     uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
1673*13effbfbSDon Lewis     uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
1674*13effbfbSDon Lewis     uint32_t r4 = i4 >> (uint32_t)8U;
1675*13effbfbSDon Lewis+    uint32_t b4;
1676*13effbfbSDon Lewis+    uint32_t b4_;
1677*13effbfbSDon Lewis     tmp[0U] = r0;
1678*13effbfbSDon Lewis     tmp[1U] = r1;
1679*13effbfbSDon Lewis     tmp[2U] = r2;
1680*13effbfbSDon Lewis     tmp[3U] = r3;
1681*13effbfbSDon Lewis     tmp[4U] = r4;
1682*13effbfbSDon Lewis-    uint32_t b4 = tmp[4U];
1683*13effbfbSDon Lewis-    uint32_t b4_ = (uint32_t)0x1000000U | b4;
1684*13effbfbSDon Lewis+    b4 = tmp[4U];
1685*13effbfbSDon Lewis+    b4_ = (uint32_t)0x1000000U | b4;
1686*13effbfbSDon Lewis     tmp[4U] = b4_;
1687*13effbfbSDon Lewis     Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r5);
1688*13effbfbSDon Lewis }
1689*13effbfbSDon Lewis@@ -209,15 +223,19 @@
1690*13effbfbSDon Lewis     uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
1691*13effbfbSDon Lewis     uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
1692*13effbfbSDon Lewis     uint32_t r4 = i4 >> (uint32_t)8U;
1693*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0;
1694*13effbfbSDon Lewis+    uint32_t *h;
1695*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut;
1696*13effbfbSDon Lewis+    uint32_t *r;
1697*13effbfbSDon Lewis     tmp[0U] = r0;
1698*13effbfbSDon Lewis     tmp[1U] = r1;
1699*13effbfbSDon Lewis     tmp[2U] = r2;
1700*13effbfbSDon Lewis     tmp[3U] = r3;
1701*13effbfbSDon Lewis     tmp[4U] = r4;
1702*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
1703*13effbfbSDon Lewis-    uint32_t *h = scrut0.h;
1704*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
1705*13effbfbSDon Lewis-    uint32_t *r = scrut.r;
1706*13effbfbSDon Lewis+    scrut0 = st;
1707*13effbfbSDon Lewis+    h = scrut0.h;
1708*13effbfbSDon Lewis+    scrut = st;
1709*13effbfbSDon Lewis+    r = scrut.r;
1710*13effbfbSDon Lewis     Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r);
1711*13effbfbSDon Lewis }
1712*13effbfbSDon Lewis
1713*13effbfbSDon Lewis@@ -228,12 +246,15 @@
1714*13effbfbSDon Lewis     uint64_t rem_)
1715*13effbfbSDon Lewis {
1716*13effbfbSDon Lewis     uint8_t zero1 = (uint8_t)0U;
1717*13effbfbSDon Lewis-    KRML_CHECK_SIZE(zero1, (uint32_t)16U);
1718*13effbfbSDon Lewis     uint8_t block[16U];
1719*13effbfbSDon Lewis-    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
1720*13effbfbSDon Lewis+    uint32_t _i;
1721*13effbfbSDon Lewis+    uint32_t i0;
1722*13effbfbSDon Lewis+    uint32_t i;
1723*13effbfbSDon Lewis+    KRML_CHECK_SIZE(zero1, (uint32_t)16U);
1724*13effbfbSDon Lewis+    for (_i = 0U; _i < (uint32_t)16U; ++_i)
1725*13effbfbSDon Lewis         block[_i] = zero1;
1726*13effbfbSDon Lewis-    uint32_t i0 = (uint32_t)rem_;
1727*13effbfbSDon Lewis-    uint32_t i = (uint32_t)rem_;
1728*13effbfbSDon Lewis+    i0 = (uint32_t)rem_;
1729*13effbfbSDon Lewis+    i = (uint32_t)rem_;
1730*13effbfbSDon Lewis     memcpy(block, m, i * sizeof m[0U]);
1731*13effbfbSDon Lewis     block[i0] = (uint8_t)1U;
1732*13effbfbSDon Lewis     Hacl_Impl_Poly1305_32_poly1305_process_last_block_(block, st, m, rem_);
1733*13effbfbSDon Lewis@@ -242,69 +263,116 @@
1734*13effbfbSDon Lewis static void
1735*13effbfbSDon Lewis Hacl_Impl_Poly1305_32_poly1305_last_pass(uint32_t *acc)
1736*13effbfbSDon Lewis {
1737*13effbfbSDon Lewis+    uint32_t t0;
1738*13effbfbSDon Lewis+    uint32_t t10;
1739*13effbfbSDon Lewis+    uint32_t t20;
1740*13effbfbSDon Lewis+    uint32_t t30;
1741*13effbfbSDon Lewis+    uint32_t t40;
1742*13effbfbSDon Lewis+    uint32_t t1_;
1743*13effbfbSDon Lewis+    uint32_t mask_261;
1744*13effbfbSDon Lewis+    uint32_t t0_;
1745*13effbfbSDon Lewis+    uint32_t t2_;
1746*13effbfbSDon Lewis+    uint32_t t1__;
1747*13effbfbSDon Lewis+    uint32_t t3_;
1748*13effbfbSDon Lewis+    uint32_t t2__;
1749*13effbfbSDon Lewis+    uint32_t t4_;
1750*13effbfbSDon Lewis+    uint32_t t3__;
1751*13effbfbSDon Lewis+    uint32_t t00;
1752*13effbfbSDon Lewis+    uint32_t t1;
1753*13effbfbSDon Lewis+    uint32_t t2;
1754*13effbfbSDon Lewis+    uint32_t t3;
1755*13effbfbSDon Lewis+    uint32_t t4;
1756*13effbfbSDon Lewis+    uint32_t t1_0;
1757*13effbfbSDon Lewis+    uint32_t t0_0;
1758*13effbfbSDon Lewis+    uint32_t t2_0;
1759*13effbfbSDon Lewis+    uint32_t t1__0;
1760*13effbfbSDon Lewis+    uint32_t t3_0;
1761*13effbfbSDon Lewis+    uint32_t t2__0;
1762*13effbfbSDon Lewis+    uint32_t t4_0;
1763*13effbfbSDon Lewis+    uint32_t t3__0;
1764*13effbfbSDon Lewis+    uint32_t i0;
1765*13effbfbSDon Lewis+    uint32_t i1;
1766*13effbfbSDon Lewis+    uint32_t i0_;
1767*13effbfbSDon Lewis+    uint32_t i1_;
1768*13effbfbSDon Lewis+    uint32_t a0;
1769*13effbfbSDon Lewis+    uint32_t a1;
1770*13effbfbSDon Lewis+    uint32_t a2;
1771*13effbfbSDon Lewis+    uint32_t a3;
1772*13effbfbSDon Lewis+    uint32_t a4;
1773*13effbfbSDon Lewis+    uint32_t mask0;
1774*13effbfbSDon Lewis+    uint32_t mask1;
1775*13effbfbSDon Lewis+    uint32_t mask2;
1776*13effbfbSDon Lewis+    uint32_t mask3;
1777*13effbfbSDon Lewis+    uint32_t mask4;
1778*13effbfbSDon Lewis+    uint32_t mask;
1779*13effbfbSDon Lewis+    uint32_t a0_;
1780*13effbfbSDon Lewis+    uint32_t a1_;
1781*13effbfbSDon Lewis+    uint32_t a2_;
1782*13effbfbSDon Lewis+    uint32_t a3_;
1783*13effbfbSDon Lewis+    uint32_t a4_;
1784*13effbfbSDon Lewis     Hacl_Bignum_Fproduct_carry_limb_(acc);
1785*13effbfbSDon Lewis     Hacl_Bignum_Modulo_carry_top(acc);
1786*13effbfbSDon Lewis-    uint32_t t0 = acc[0U];
1787*13effbfbSDon Lewis-    uint32_t t10 = acc[1U];
1788*13effbfbSDon Lewis-    uint32_t t20 = acc[2U];
1789*13effbfbSDon Lewis-    uint32_t t30 = acc[3U];
1790*13effbfbSDon Lewis-    uint32_t t40 = acc[4U];
1791*13effbfbSDon Lewis-    uint32_t t1_ = t10 + (t0 >> (uint32_t)26U);
1792*13effbfbSDon Lewis-    uint32_t mask_261 = (uint32_t)0x3ffffffU;
1793*13effbfbSDon Lewis-    uint32_t t0_ = t0 & mask_261;
1794*13effbfbSDon Lewis-    uint32_t t2_ = t20 + (t1_ >> (uint32_t)26U);
1795*13effbfbSDon Lewis-    uint32_t t1__ = t1_ & mask_261;
1796*13effbfbSDon Lewis-    uint32_t t3_ = t30 + (t2_ >> (uint32_t)26U);
1797*13effbfbSDon Lewis-    uint32_t t2__ = t2_ & mask_261;
1798*13effbfbSDon Lewis-    uint32_t t4_ = t40 + (t3_ >> (uint32_t)26U);
1799*13effbfbSDon Lewis-    uint32_t t3__ = t3_ & mask_261;
1800*13effbfbSDon Lewis+    t0 = acc[0U];
1801*13effbfbSDon Lewis+    t10 = acc[1U];
1802*13effbfbSDon Lewis+    t20 = acc[2U];
1803*13effbfbSDon Lewis+    t30 = acc[3U];
1804*13effbfbSDon Lewis+    t40 = acc[4U];
1805*13effbfbSDon Lewis+    t1_ = t10 + (t0 >> (uint32_t)26U);
1806*13effbfbSDon Lewis+    mask_261 = (uint32_t)0x3ffffffU;
1807*13effbfbSDon Lewis+    t0_ = t0 & mask_261;
1808*13effbfbSDon Lewis+    t2_ = t20 + (t1_ >> (uint32_t)26U);
1809*13effbfbSDon Lewis+    t1__ = t1_ & mask_261;
1810*13effbfbSDon Lewis+    t3_ = t30 + (t2_ >> (uint32_t)26U);
1811*13effbfbSDon Lewis+    t2__ = t2_ & mask_261;
1812*13effbfbSDon Lewis+    t4_ = t40 + (t3_ >> (uint32_t)26U);
1813*13effbfbSDon Lewis+    t3__ = t3_ & mask_261;
1814*13effbfbSDon Lewis     acc[0U] = t0_;
1815*13effbfbSDon Lewis     acc[1U] = t1__;
1816*13effbfbSDon Lewis     acc[2U] = t2__;
1817*13effbfbSDon Lewis     acc[3U] = t3__;
1818*13effbfbSDon Lewis     acc[4U] = t4_;
1819*13effbfbSDon Lewis     Hacl_Bignum_Modulo_carry_top(acc);
1820*13effbfbSDon Lewis-    uint32_t t00 = acc[0U];
1821*13effbfbSDon Lewis-    uint32_t t1 = acc[1U];
1822*13effbfbSDon Lewis-    uint32_t t2 = acc[2U];
1823*13effbfbSDon Lewis-    uint32_t t3 = acc[3U];
1824*13effbfbSDon Lewis-    uint32_t t4 = acc[4U];
1825*13effbfbSDon Lewis-    uint32_t t1_0 = t1 + (t00 >> (uint32_t)26U);
1826*13effbfbSDon Lewis-    uint32_t t0_0 = t00 & (uint32_t)0x3ffffffU;
1827*13effbfbSDon Lewis-    uint32_t t2_0 = t2 + (t1_0 >> (uint32_t)26U);
1828*13effbfbSDon Lewis-    uint32_t t1__0 = t1_0 & (uint32_t)0x3ffffffU;
1829*13effbfbSDon Lewis-    uint32_t t3_0 = t3 + (t2_0 >> (uint32_t)26U);
1830*13effbfbSDon Lewis-    uint32_t t2__0 = t2_0 & (uint32_t)0x3ffffffU;
1831*13effbfbSDon Lewis-    uint32_t t4_0 = t4 + (t3_0 >> (uint32_t)26U);
1832*13effbfbSDon Lewis-    uint32_t t3__0 = t3_0 & (uint32_t)0x3ffffffU;
1833*13effbfbSDon Lewis+    t00 = acc[0U];
1834*13effbfbSDon Lewis+    t1 = acc[1U];
1835*13effbfbSDon Lewis+    t2 = acc[2U];
1836*13effbfbSDon Lewis+    t3 = acc[3U];
1837*13effbfbSDon Lewis+    t4 = acc[4U];
1838*13effbfbSDon Lewis+    t1_0 = t1 + (t00 >> (uint32_t)26U);
1839*13effbfbSDon Lewis+    t0_0 = t00 & (uint32_t)0x3ffffffU;
1840*13effbfbSDon Lewis+    t2_0 = t2 + (t1_0 >> (uint32_t)26U);
1841*13effbfbSDon Lewis+    t1__0 = t1_0 & (uint32_t)0x3ffffffU;
1842*13effbfbSDon Lewis+    t3_0 = t3 + (t2_0 >> (uint32_t)26U);
1843*13effbfbSDon Lewis+    t2__0 = t2_0 & (uint32_t)0x3ffffffU;
1844*13effbfbSDon Lewis+    t4_0 = t4 + (t3_0 >> (uint32_t)26U);
1845*13effbfbSDon Lewis+    t3__0 = t3_0 & (uint32_t)0x3ffffffU;
1846*13effbfbSDon Lewis     acc[0U] = t0_0;
1847*13effbfbSDon Lewis     acc[1U] = t1__0;
1848*13effbfbSDon Lewis     acc[2U] = t2__0;
1849*13effbfbSDon Lewis     acc[3U] = t3__0;
1850*13effbfbSDon Lewis     acc[4U] = t4_0;
1851*13effbfbSDon Lewis     Hacl_Bignum_Modulo_carry_top(acc);
1852*13effbfbSDon Lewis-    uint32_t i0 = acc[0U];
1853*13effbfbSDon Lewis-    uint32_t i1 = acc[1U];
1854*13effbfbSDon Lewis-    uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
1855*13effbfbSDon Lewis-    uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
1856*13effbfbSDon Lewis+    i0 = acc[0U];
1857*13effbfbSDon Lewis+    i1 = acc[1U];
1858*13effbfbSDon Lewis+    i0_ = i0 & (uint32_t)0x3ffffffU;
1859*13effbfbSDon Lewis+    i1_ = i1 + (i0 >> (uint32_t)26U);
1860*13effbfbSDon Lewis     acc[0U] = i0_;
1861*13effbfbSDon Lewis     acc[1U] = i1_;
1862*13effbfbSDon Lewis-    uint32_t a0 = acc[0U];
1863*13effbfbSDon Lewis-    uint32_t a1 = acc[1U];
1864*13effbfbSDon Lewis-    uint32_t a2 = acc[2U];
1865*13effbfbSDon Lewis-    uint32_t a3 = acc[3U];
1866*13effbfbSDon Lewis-    uint32_t a4 = acc[4U];
1867*13effbfbSDon Lewis-    uint32_t mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU);
1868*13effbfbSDon Lewis-    uint32_t mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU);
1869*13effbfbSDon Lewis-    uint32_t mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU);
1870*13effbfbSDon Lewis-    uint32_t mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU);
1871*13effbfbSDon Lewis-    uint32_t mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU);
1872*13effbfbSDon Lewis-    uint32_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
1873*13effbfbSDon Lewis-    uint32_t a0_ = a0 - ((uint32_t)0x3fffffbU & mask);
1874*13effbfbSDon Lewis-    uint32_t a1_ = a1 - ((uint32_t)0x3ffffffU & mask);
1875*13effbfbSDon Lewis-    uint32_t a2_ = a2 - ((uint32_t)0x3ffffffU & mask);
1876*13effbfbSDon Lewis-    uint32_t a3_ = a3 - ((uint32_t)0x3ffffffU & mask);
1877*13effbfbSDon Lewis-    uint32_t a4_ = a4 - ((uint32_t)0x3ffffffU & mask);
1878*13effbfbSDon Lewis+    a0 = acc[0U];
1879*13effbfbSDon Lewis+    a1 = acc[1U];
1880*13effbfbSDon Lewis+    a2 = acc[2U];
1881*13effbfbSDon Lewis+    a3 = acc[3U];
1882*13effbfbSDon Lewis+    a4 = acc[4U];
1883*13effbfbSDon Lewis+    mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU);
1884*13effbfbSDon Lewis+    mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU);
1885*13effbfbSDon Lewis+    mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU);
1886*13effbfbSDon Lewis+    mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU);
1887*13effbfbSDon Lewis+    mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU);
1888*13effbfbSDon Lewis+    mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
1889*13effbfbSDon Lewis+    a0_ = a0 - ((uint32_t)0x3fffffbU & mask);
1890*13effbfbSDon Lewis+    a1_ = a1 - ((uint32_t)0x3ffffffU & mask);
1891*13effbfbSDon Lewis+    a2_ = a2 - ((uint32_t)0x3ffffffU & mask);
1892*13effbfbSDon Lewis+    a3_ = a3 - ((uint32_t)0x3ffffffU & mask);
1893*13effbfbSDon Lewis+    a4_ = a4 - ((uint32_t)0x3ffffffU & mask);
1894*13effbfbSDon Lewis     acc[0U] = a0_;
1895*13effbfbSDon Lewis     acc[1U] = a1_;
1896*13effbfbSDon Lewis     acc[2U] = a2_;
1897*13effbfbSDon Lewis@@ -315,7 +383,10 @@
1898*13effbfbSDon Lewis static Hacl_Impl_Poly1305_32_State_poly1305_state
1899*13effbfbSDon Lewis Hacl_Impl_Poly1305_32_mk_state(uint32_t *r, uint32_t *h)
1900*13effbfbSDon Lewis {
1901*13effbfbSDon Lewis-    return ((Hacl_Impl_Poly1305_32_State_poly1305_state){.r = r, .h = h });
1902*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state ret;
1903*13effbfbSDon Lewis+    ret.r = r;
1904*13effbfbSDon Lewis+    ret.h = h;
1905*13effbfbSDon Lewis+    return (ret);
1906*13effbfbSDon Lewis }
1907*13effbfbSDon Lewis
1908*13effbfbSDon Lewis static void
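Review bot: `ret` is returned after assigning only `r` and `h`, whereas the compound literal it replaces zero-initialised every member it did not name. The two are equivalent only while the state struct has exactly those two fields, and its definition is outside this hunk. Declaring `Hacl_Impl_Poly1305_32_State_poly1305_state ret = { 0 };` keeps the original guarantee and is still accepted by compilers without C99 support.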
1909*13effbfbSDon Lewis@@ -327,8 +398,9 @@
1910*13effbfbSDon Lewis     if (!(len1 == (uint64_t)0U)) {
1911*13effbfbSDon Lewis         uint8_t *block = m;
1912*13effbfbSDon Lewis         uint8_t *tail1 = m + (uint32_t)16U;
1913*13effbfbSDon Lewis+        uint64_t len2;
1914*13effbfbSDon Lewis         Hacl_Impl_Poly1305_32_poly1305_update(st, block);
1915*13effbfbSDon Lewis-        uint64_t len2 = len1 - (uint64_t)1U;
1916*13effbfbSDon Lewis+        len2 = len1 - (uint64_t)1U;
1917*13effbfbSDon Lewis         Hacl_Standalone_Poly1305_32_poly1305_blocks(st, tail1, len2);
1918*13effbfbSDon Lewis     }
1919*13effbfbSDon Lewis }
1920*13effbfbSDon Lewis@@ -363,14 +435,17 @@
1921*13effbfbSDon Lewis     uint32_t
1922*13effbfbSDon Lewis         r4 =
1923*13effbfbSDon Lewis             (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU;
1924*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0;
1925*13effbfbSDon Lewis+    uint32_t *h;
1926*13effbfbSDon Lewis+    uint32_t *x00;
1927*13effbfbSDon Lewis     x0[0U] = r0;
1928*13effbfbSDon Lewis     x0[1U] = r1;
1929*13effbfbSDon Lewis     x0[2U] = r2;
1930*13effbfbSDon Lewis     x0[3U] = r3;
1931*13effbfbSDon Lewis     x0[4U] = r4;
1932*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
1933*13effbfbSDon Lewis-    uint32_t *h = scrut0.h;
1934*13effbfbSDon Lewis-    uint32_t *x00 = h;
1935*13effbfbSDon Lewis+    scrut0 = st;
1936*13effbfbSDon Lewis+    h = scrut0.h;
1937*13effbfbSDon Lewis+    x00 = h;
1938*13effbfbSDon Lewis     x00[0U] = (uint32_t)0U;
1939*13effbfbSDon Lewis     x00[1U] = (uint32_t)0U;
1940*13effbfbSDon Lewis     x00[2U] = (uint32_t)0U;
1941*13effbfbSDon Lewis@@ -391,12 +466,15 @@
1942*13effbfbSDon Lewis     uint64_t rem16 = len1 & (uint64_t)0xfU;
1943*13effbfbSDon Lewis     uint8_t *part_input = m;
1944*13effbfbSDon Lewis     uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16);
1945*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut;
1946*13effbfbSDon Lewis+    uint32_t *h;
1947*13effbfbSDon Lewis+    uint32_t *acc;
1948*13effbfbSDon Lewis     Hacl_Standalone_Poly1305_32_poly1305_partial(st, part_input, len16, kr);
1949*13effbfbSDon Lewis     if (!(rem16 == (uint64_t)0U))
1950*13effbfbSDon Lewis         Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, last_block, rem16);
1951*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
1952*13effbfbSDon Lewis-    uint32_t *h = scrut.h;
1953*13effbfbSDon Lewis-    uint32_t *acc = h;
1954*13effbfbSDon Lewis+    scrut = st;
1955*13effbfbSDon Lewis+    h = scrut.h;
1956*13effbfbSDon Lewis+    acc = h;
1957*13effbfbSDon Lewis     Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
1958*13effbfbSDon Lewis }
1959*13effbfbSDon Lewis
1960*13effbfbSDon Lewis@@ -410,20 +488,31 @@
1961*13effbfbSDon Lewis     uint32_t buf[10U] = { 0U };
1962*13effbfbSDon Lewis     uint32_t *r = buf;
1963*13effbfbSDon Lewis     uint32_t *h = buf + (uint32_t)5U;
1964*13effbfbSDon Lewis+    uint8_t *key_s;
1965*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut;
1966*13effbfbSDon Lewis+    uint32_t *h5;
1967*13effbfbSDon Lewis+    uint32_t *acc;
1968*13effbfbSDon Lewis+    FStar_UInt128_t k_;
1969*13effbfbSDon Lewis+    uint32_t h0;
1970*13effbfbSDon Lewis+    uint32_t h1;
1971*13effbfbSDon Lewis+    uint32_t h2;
1972*13effbfbSDon Lewis+    uint32_t h3;
1973*13effbfbSDon Lewis+    uint32_t h4;
1974*13effbfbSDon Lewis+    FStar_UInt128_t acc_;
1975*13effbfbSDon Lewis+    FStar_UInt128_t mac_;
1976*13effbfbSDon Lewis     Hacl_Impl_Poly1305_32_State_poly1305_state st = Hacl_Impl_Poly1305_32_mk_state(r, h);
1977*13effbfbSDon Lewis-    uint8_t *key_s = k1 + (uint32_t)16U;
1978*13effbfbSDon Lewis+    key_s = k1 + (uint32_t)16U;
1979*13effbfbSDon Lewis     Hacl_Standalone_Poly1305_32_poly1305_complete(st, input, len1, k1);
1980*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
1981*13effbfbSDon Lewis-    uint32_t *h5 = scrut.h;
1982*13effbfbSDon Lewis-    uint32_t *acc = h5;
1983*13effbfbSDon Lewis-    FStar_UInt128_t k_ = load128_le(key_s);
1984*13effbfbSDon Lewis-    uint32_t h0 = acc[0U];
1985*13effbfbSDon Lewis-    uint32_t h1 = acc[1U];
1986*13effbfbSDon Lewis-    uint32_t h2 = acc[2U];
1987*13effbfbSDon Lewis-    uint32_t h3 = acc[3U];
1988*13effbfbSDon Lewis-    uint32_t h4 = acc[4U];
1989*13effbfbSDon Lewis-    FStar_UInt128_t
1990*13effbfbSDon Lewis-        acc_ =
1991*13effbfbSDon Lewis+    scrut = st;
1992*13effbfbSDon Lewis+    h5 = scrut.h;
1993*13effbfbSDon Lewis+    acc = h5;
1994*13effbfbSDon Lewis+    k_ = load128_le(key_s);
1995*13effbfbSDon Lewis+    h0 = acc[0U];
1996*13effbfbSDon Lewis+    h1 = acc[1U];
1997*13effbfbSDon Lewis+    h2 = acc[2U];
1998*13effbfbSDon Lewis+    h3 = acc[3U];
1999*13effbfbSDon Lewis+    h4 = acc[4U];
2000*13effbfbSDon Lewis+    acc_ =
2001*13effbfbSDon Lewis             FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4),
2002*13effbfbSDon Lewis                                                          (uint32_t)104U),
2003*13effbfbSDon Lewis                                 FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3),
2004*13effbfbSDon Lewis@@ -433,7 +522,7 @@
2005*13effbfbSDon Lewis                                                                         FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1),
2006*13effbfbSDon Lewis                                                                                                                      (uint32_t)26U),
2007*13effbfbSDon Lewis                                                                                             FStar_UInt128_uint64_to_uint128((uint64_t)h0)))));
2008*13effbfbSDon Lewis-    FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
2009*13effbfbSDon Lewis+    mac_ = FStar_UInt128_add_mod(acc_, k_);
2010*13effbfbSDon Lewis     store128_le(output, mac_);
2011*13effbfbSDon Lewis }
2012*13effbfbSDon Lewis
2013*13effbfbSDon Lewis@@ -485,14 +574,17 @@
2014*13effbfbSDon Lewis     uint32_t
2015*13effbfbSDon Lewis         r4 =
2016*13effbfbSDon Lewis             (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU;
2017*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0;
2018*13effbfbSDon Lewis+    uint32_t *h;
2019*13effbfbSDon Lewis+    uint32_t *x00;
2020*13effbfbSDon Lewis     x0[0U] = r0;
2021*13effbfbSDon Lewis     x0[1U] = r1;
2022*13effbfbSDon Lewis     x0[2U] = r2;
2023*13effbfbSDon Lewis     x0[3U] = r3;
2024*13effbfbSDon Lewis     x0[4U] = r4;
2025*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
2026*13effbfbSDon Lewis-    uint32_t *h = scrut0.h;
2027*13effbfbSDon Lewis-    uint32_t *x00 = h;
2028*13effbfbSDon Lewis+    scrut0 = st;
2029*13effbfbSDon Lewis+    h = scrut0.h;
2030*13effbfbSDon Lewis+    x00 = h;
2031*13effbfbSDon Lewis     x00[0U] = (uint32_t)0U;
2032*13effbfbSDon Lewis     x00[1U] = (uint32_t)0U;
2033*13effbfbSDon Lewis     x00[2U] = (uint32_t)0U;
2034*13effbfbSDon Lewis@@ -529,11 +621,14 @@
2035*13effbfbSDon Lewis     uint8_t *m,
2036*13effbfbSDon Lewis     uint32_t len1)
2037*13effbfbSDon Lewis {
2038*13effbfbSDon Lewis+    Hacl_Impl_Poly1305_32_State_poly1305_state scrut;
2039*13effbfbSDon Lewis+    uint32_t *h;
2040*13effbfbSDon Lewis+    uint32_t *acc;
2041*13effbfbSDon Lewis     if (!((uint64_t)len1 == (uint64_t)0U))
2042*13effbfbSDon Lewis         Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, m, (uint64_t)len1);
2043*13effbfbSDon Lewis-    Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
2044*13effbfbSDon Lewis-    uint32_t *h = scrut.h;
2045*13effbfbSDon Lewis-    uint32_t *acc = h;
2046*13effbfbSDon Lewis+    scrut = st;
2047*13effbfbSDon Lewis+    h = scrut.h;
2048*13effbfbSDon Lewis+    acc = h;
2049*13effbfbSDon Lewis     Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
2050*13effbfbSDon Lewis }
2051*13effbfbSDon Lewis
2052*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h
2053*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h    2018-08-31 05:55:53.000000000 -0700
2054*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h  2018-10-22 00:11:45.152423000 -0700
2055*13effbfbSDon Lewis@@ -13,6 +13,7 @@
2056*13effbfbSDon Lewis  * limitations under the License.
2057*13effbfbSDon Lewis  */
2058*13effbfbSDon Lewis
2059*13effbfbSDon Lewis+#include "secport.h"
2060*13effbfbSDon Lewis #include "kremlib.h"
2061*13effbfbSDon Lewis #ifndef __Hacl_Poly1305_32_H
2062*13effbfbSDon Lewis #define __Hacl_Poly1305_32_H
2063*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/kremlib_base.h misc/build/nss-3.39/nss/lib/freebl/verified/kremlib_base.h
2064*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/kremlib_base.h    2018-08-31 05:55:53.000000000 -0700
2065*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/kremlib_base.h  2018-10-21 20:56:12.848112000 -0700
2066*13effbfbSDon Lewis@@ -16,9 +16,26 @@
2067*13effbfbSDon Lewis #ifndef __KREMLIB_BASE_H
2068*13effbfbSDon Lewis #define __KREMLIB_BASE_H
2069*13effbfbSDon Lewis
2070*13effbfbSDon Lewis-#include <inttypes.h>
2071*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1800
2072*13effbfbSDon Lewis+ #define PRIx8 "x"
2073*13effbfbSDon Lewis+ #define PRIx16    "x"
2074*13effbfbSDon Lewis+ #define PRIx32    "x"
2075*13effbfbSDon Lewis+ #ifdef _WIN64
2076*13effbfbSDon Lewis+  #define PRIx64   "lx"
2077*13effbfbSDon Lewis+ #else
2078*13effbfbSDon Lewis+  #define PRIx64   "llx"
2079*13effbfbSDon Lewis+ #endif
2080*13effbfbSDon Lewis+#else
2081*13effbfbSDon Lewis+ #include <inttypes.h>
2082*13effbfbSDon Lewis+#endif
2083*13effbfbSDon Lewis #include <limits.h>
2084*13effbfbSDon Lewis-#include <stdbool.h>
2085*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
2086*13effbfbSDon Lewis+ #define false 0
2087*13effbfbSDon Lewis+ #define true 1
2088*13effbfbSDon Lewis+typedef int bool;
2089*13effbfbSDon Lewis+#else
2090*13effbfbSDon Lewis+ #include <stdbool.h>
2091*13effbfbSDon Lewis+#endif
2092*13effbfbSDon Lewis #include <stdio.h>
2093*13effbfbSDon Lewis #include <stdlib.h>
2094*13effbfbSDon Lewis #include <string.h>
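Review bot: The fallback `#define PRIx64 "lx"` under `_WIN64` does not match a 64-bit argument, because `long` stays 32 bits wide on 64-bit Windows, so a `printf` that uses it with a `uint64_t` has a mismatched conversion. Both branches can share one definition, e.g. `#define PRIx64 "llx"` (or MSVC's `"I64x"` if the targeted runtime predates `ll` support). The second guard tests `_MSC_VER < 1600` while the first tests `< 1800`. As far as I know `<stdbool.h>` arrived in the same MSVC release as `<inttypes.h>`, so compilers between those two values would still hit the missing header. That is worth confirming, and the thresholds should then be aligned.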
2095*13effbfbSDon Lewis@@ -47,6 +64,9 @@
2096*13effbfbSDon Lewis
2097*13effbfbSDon Lewis #ifdef __GNUC__
2098*13effbfbSDon Lewis #define inline __inline__
2099*13effbfbSDon Lewis+#endif
2100*13effbfbSDon Lewis+#if defined(_MSC_VER)
2101*13effbfbSDon Lewis+#define inline __inline
2102*13effbfbSDon Lewis #endif
2103*13effbfbSDon Lewis
2104*13effbfbSDon Lewis /* GCC-specific attribute syntax; everyone else gets the standard C inline
2105*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/pk11wrap/pk11skey.c misc/build/nss-3.39/nss/lib/pk11wrap/pk11skey.c
2106*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/pk11wrap/pk11skey.c   2018-08-31 05:55:53.000000000 -0700
2107*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/pk11wrap/pk11skey.c 2018-10-22 01:25:27.313788000 -0700
2108*13effbfbSDon Lewis@@ -2217,12 +2217,13 @@
2109*13effbfbSDon Lewis     /* old PKCS #11 spec was ambiguous on what needed to be passed,
2110*13effbfbSDon Lewis      * try this again with an encoded public key */
2111*13effbfbSDon Lewis     if (crv != CKR_OK) {
2112*13effbfbSDon Lewis+        SECItem *pubValue;
2113*13effbfbSDon Lewis         /* For curves that only use X as public value and no encoding we don't
2114*13effbfbSDon Lewis          * have to try again. (Currently only Curve25519) */
2115*13effbfbSDon Lewis         if (pk11_ECGetPubkeyEncoding(pubKey) == ECPoint_XOnly) {
2116*13effbfbSDon Lewis             goto loser;
2117*13effbfbSDon Lewis         }
2118*13effbfbSDon Lewis-        SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
2119*13effbfbSDon Lewis+        pubValue = SEC_ASN1EncodeItem(NULL, NULL,
2120*13effbfbSDon Lewis                                                &pubKey->u.ec.publicValue,
2121*13effbfbSDon Lewis                                                SEC_ASN1_GET(SEC_OctetStringTemplate));
2122*13effbfbSDon Lewis         if (pubValue == NULL) {
2123*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/pkcs7/p7create.c misc/build/nss-3.39/nss/lib/pkcs7/p7create.c
2124*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/pkcs7/p7create.c  2018-08-31 05:55:53.000000000 -0700
2125*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/pkcs7/p7create.c    2018-10-22 10:00:01.127657000 -0700
2126*13effbfbSDon Lewis@@ -1263,6 +1263,7 @@
2127*13effbfbSDon Lewis     SECAlgorithmID *algid;
2128*13effbfbSDon Lewis     SEC_PKCS7EncryptedData *enc_data;
2129*13effbfbSDon Lewis     SECStatus rv;
2130*13effbfbSDon Lewis+    SECAlgorithmID *pbe_algid;
2131*13effbfbSDon Lewis
2132*13effbfbSDon Lewis     PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm));
2133*13effbfbSDon Lewis
2134*13effbfbSDon Lewis@@ -1274,7 +1275,6 @@
2135*13effbfbSDon Lewis     enc_data = cinfo->content.encryptedData;
2136*13effbfbSDon Lewis     algid = &(enc_data->encContentInfo.contentEncAlg);
2137*13effbfbSDon Lewis
2138*13effbfbSDon Lewis-    SECAlgorithmID *pbe_algid;
2139*13effbfbSDon Lewis     pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm,
2140*13effbfbSDon Lewis                                             cipher_algorithm,
2141*13effbfbSDon Lewis                                             prf_algorithm,
2142*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/softoken/pkcs11c.c misc/build/nss-3.39/nss/lib/softoken/pkcs11c.c
2143*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/softoken/pkcs11c.c    2018-08-31 05:55:53.000000000 -0700
2144*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/softoken/pkcs11c.c  2018-10-22 01:08:34.274286000 -0700
2145*13effbfbSDon Lewis@@ -5125,8 +5125,9 @@
2146*13effbfbSDon Lewis                 crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
2147*13effbfbSDon Lewis                                             sftk_item_expand(&ecPriv->publicValue));
2148*13effbfbSDon Lewis             } else {
2149*13effbfbSDon Lewis+                SECItem *pubValue;
2150*13effbfbSDon Lewis                 PORT_FreeArena(ecParams->arena, PR_TRUE);
2151*13effbfbSDon Lewis-                SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
2152*13effbfbSDon Lewis+                pubValue = SEC_ASN1EncodeItem(NULL, NULL,
2153*13effbfbSDon Lewis                                                        &ecPriv->publicValue,
2154*13effbfbSDon Lewis                                                        SEC_ASN1_GET(SEC_OctetStringTemplate));
2155*13effbfbSDon Lewis                 if (!pubValue) {
2156*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/softoken/sdb.c misc/build/nss-3.39/nss/lib/softoken/sdb.c
2157*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/softoken/sdb.c    2018-08-31 05:55:53.000000000 -0700
2158*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/softoken/sdb.c  2018-10-22 01:18:14.220773000 -0700
2159*13effbfbSDon Lewis@@ -206,12 +206,13 @@
2160*13effbfbSDon Lewis sdb_chmod(const char *filename, int pmode)
2161*13effbfbSDon Lewis {
2162*13effbfbSDon Lewis     int result;
2163*13effbfbSDon Lewis+    wchar_t *filenameWide;
2164*13effbfbSDon Lewis
2165*13effbfbSDon Lewis     if (!filename) {
2166*13effbfbSDon Lewis         return -1;
2167*13effbfbSDon Lewis     }
2168*13effbfbSDon Lewis
2169*13effbfbSDon Lewis-    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
2170*13effbfbSDon Lewis+    filenameWide = _NSSUTIL_UTF8ToWide(filename);
2171*13effbfbSDon Lewis     if (!filenameWide) {
2172*13effbfbSDon Lewis         return -1;
2173*13effbfbSDon Lewis     }
2174*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/dtls13con.c misc/build/nss-3.39/nss/lib/ssl/dtls13con.c
2175*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/dtls13con.c   2018-08-31 05:55:53.000000000 -0700
2176*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/dtls13con.c 2018-10-22 01:31:19.795730000 -0700
2177*13effbfbSDon Lewis@@ -64,7 +64,7 @@
2178*13effbfbSDon Lewis } DTLSHandshakeRecordEntry;
2179*13effbfbSDon Lewis
2180*13effbfbSDon Lewis /* Combine the epoch and sequence number into a single value. */
2181*13effbfbSDon Lewis-static inline sslSequenceNumber
2182*13effbfbSDon Lewis+static __inline sslSequenceNumber
2183*13effbfbSDon Lewis dtls_CombineSequenceNumber(DTLSEpoch epoch, sslSequenceNumber seqNum)
2184*13effbfbSDon Lewis {
2185*13effbfbSDon Lewis     PORT_Assert(seqNum <= RECORD_SEQ_MAX);
2186*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/selfencrypt.c misc/build/nss-3.39/nss/lib/ssl/selfencrypt.c
2187*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/selfencrypt.c 2018-08-31 05:55:53.000000000 -0700
2188*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/selfencrypt.c   2018-10-22 03:36:02.726686000 -0700
2189*13effbfbSDon Lewis@@ -193,6 +193,14 @@
2190*13effbfbSDon Lewis     PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen)
2191*13effbfbSDon Lewis {
2192*13effbfbSDon Lewis     sslReader reader = SSL_READER(in, inLen);
2193*13effbfbSDon Lewis+    sslReadBuffer ivBuffer = { 0 };
2194*13effbfbSDon Lewis+    PRUint64 cipherTextLen = 0;
2195*13effbfbSDon Lewis+    sslReadBuffer cipherTextBuffer = { 0 };
2196*13effbfbSDon Lewis+    unsigned int bytesToMac;
2197*13effbfbSDon Lewis+    sslReadBuffer encodedMacBuffer = { 0 };
2198*13effbfbSDon Lewis+    unsigned char computedMac[SHA256_LENGTH];
2199*13effbfbSDon Lewis+    unsigned int computedMacLen = 0;
2200*13effbfbSDon Lewis+    SECItem ivItem = { siBuffer, (unsigned char *)ivBuffer.buf, AES_BLOCK_SIZE };
2201*13effbfbSDon Lewis
2202*13effbfbSDon Lewis     sslReadBuffer encodedKeyNameBuffer = { 0 };
2203*13effbfbSDon Lewis     SECStatus rv = sslRead_Read(&reader, SELF_ENCRYPT_KEY_NAME_LEN,
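Review bot: `ivItem` is now initialised at the top of the function from `ivBuffer.buf`, but `ivBuffer` is still `{ 0 }` at that point, so the item keeps a null data pointer even after the later `sslRead_Read(&reader, AES_BLOCK_SIZE, &ivBuffer)` fills the buffer. The `PK11_Decrypt(encKey, CKM_AES_CBC_PAD, &ivItem, ...)` call in the last hunk of this file would then receive an IV item with no data instead of the IV parsed from the input. Keep the hoisted declaration for the older compiler but defer the pointer: declare `SECItem ivItem = { siBuffer, NULL, AES_BLOCK_SIZE };` and add `ivItem.data = (unsigned char *)ivBuffer.buf;` just before the decrypt call. The function body starts before this hunk and continues past it.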
2204*13effbfbSDon Lewis@@ -201,26 +209,22 @@
2205*13effbfbSDon Lewis         return SECFailure;
2206*13effbfbSDon Lewis     }
2207*13effbfbSDon Lewis
2208*13effbfbSDon Lewis-    sslReadBuffer ivBuffer = { 0 };
2209*13effbfbSDon Lewis     rv = sslRead_Read(&reader, AES_BLOCK_SIZE, &ivBuffer);
2210*13effbfbSDon Lewis     if (rv != SECSuccess) {
2211*13effbfbSDon Lewis         return SECFailure;
2212*13effbfbSDon Lewis     }
2213*13effbfbSDon Lewis
2214*13effbfbSDon Lewis-    PRUint64 cipherTextLen = 0;
2215*13effbfbSDon Lewis     rv = sslRead_ReadNumber(&reader, 2, &cipherTextLen);
2216*13effbfbSDon Lewis     if (rv != SECSuccess) {
2217*13effbfbSDon Lewis         return SECFailure;
2218*13effbfbSDon Lewis     }
2219*13effbfbSDon Lewis
2220*13effbfbSDon Lewis-    sslReadBuffer cipherTextBuffer = { 0 };
2221*13effbfbSDon Lewis     rv = sslRead_Read(&reader, (unsigned int)cipherTextLen, &cipherTextBuffer);
2222*13effbfbSDon Lewis     if (rv != SECSuccess) {
2223*13effbfbSDon Lewis         return SECFailure;
2224*13effbfbSDon Lewis     }
2225*13effbfbSDon Lewis-    unsigned int bytesToMac = reader.offset;
2226*13effbfbSDon Lewis+    bytesToMac = reader.offset;
2227*13effbfbSDon Lewis
2228*13effbfbSDon Lewis-    sslReadBuffer encodedMacBuffer = { 0 };
2229*13effbfbSDon Lewis     rv = sslRead_Read(&reader, SHA256_LENGTH, &encodedMacBuffer);
2230*13effbfbSDon Lewis     if (rv != SECSuccess) {
2231*13effbfbSDon Lewis         return SECFailure;
2232*13effbfbSDon Lewis@@ -240,8 +244,6 @@
2233*13effbfbSDon Lewis     }
2234*13effbfbSDon Lewis
2235*13effbfbSDon Lewis     /* 2. Check the MAC */
2236*13effbfbSDon Lewis-    unsigned char computedMac[SHA256_LENGTH];
2237*13effbfbSDon Lewis-    unsigned int computedMacLen = 0;
2238*13effbfbSDon Lewis     rv = ssl_MacBuffer(macKey, CKM_SHA256_HMAC, in, bytesToMac,
2239*13effbfbSDon Lewis                        computedMac, &computedMacLen, sizeof(computedMac));
2240*13effbfbSDon Lewis     if (rv != SECSuccess) {
2241*13effbfbSDon Lewis@@ -254,7 +256,6 @@
2242*13effbfbSDon Lewis     }
2243*13effbfbSDon Lewis
2244*13effbfbSDon Lewis     /* 3. OK, it verifies, now decrypt. */
2245*13effbfbSDon Lewis-    SECItem ivItem = { siBuffer, (unsigned char *)ivBuffer.buf, AES_BLOCK_SIZE };
2246*13effbfbSDon Lewis     rv = PK11_Decrypt(encKey, CKM_AES_CBC_PAD, &ivItem,
2247*13effbfbSDon Lewis                       out, outLen, maxOutLen, cipherTextBuffer.buf, cipherTextLen);
2248*13effbfbSDon Lewis     if (rv != SECSuccess) {
2249*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/ssl3con.c misc/build/nss-3.39/nss/lib/ssl/ssl3con.c
2250*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/ssl3con.c 2018-08-31 05:55:53.000000000 -0700
2251*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/ssl3con.c   2018-10-22 01:44:48.945390000 -0700
2252*13effbfbSDon Lewis@@ -5718,6 +5718,7 @@
2253*13effbfbSDon Lewis     SECStatus rv = SECFailure;
2254*13effbfbSDon Lewis     SECItem enc_pms = { siBuffer, NULL, 0 };
2255*13effbfbSDon Lewis     PRBool isTLS;
2256*13effbfbSDon Lewis+    unsigned int svrPubKeyBits;
2257*13effbfbSDon Lewis
2258*13effbfbSDon Lewis     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
2259*13effbfbSDon Lewis     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
2260*13effbfbSDon Lewis@@ -5734,7 +5735,7 @@
2261*13effbfbSDon Lewis     }
2262*13effbfbSDon Lewis
2263*13effbfbSDon Lewis     /* Get the wrapped (encrypted) pre-master secret, enc_pms */
2264*13effbfbSDon Lewis-    unsigned int svrPubKeyBits = SECKEY_PublicKeyStrengthInBits(svrPubKey);
2265*13effbfbSDon Lewis+    svrPubKeyBits = SECKEY_PublicKeyStrengthInBits(svrPubKey);
2266*13effbfbSDon Lewis     enc_pms.len = (svrPubKeyBits + 7) / 8;
2267*13effbfbSDon Lewis     /* Check that the RSA key isn't larger than 8k bit. */
2268*13effbfbSDon Lewis     if (svrPubKeyBits > SSL_MAX_RSA_KEY_BITS) {
2269*13effbfbSDon Lewis@@ -8123,6 +8124,7 @@
2270*13effbfbSDon Lewis ssl_GenerateServerRandom(sslSocket *ss)
2271*13effbfbSDon Lewis {
2272*13effbfbSDon Lewis     SECStatus rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
2273*13effbfbSDon Lewis+    PRUint8 *downgradeSentinel;
2274*13effbfbSDon Lewis     if (rv != SECSuccess) {
2275*13effbfbSDon Lewis         return SECFailure;
2276*13effbfbSDon Lewis     }
2277*13effbfbSDon Lewis@@ -8154,7 +8156,7 @@
2278*13effbfbSDon Lewis      *
2279*13effbfbSDon Lewis      *   44 4F 57 4E 47 52 44 00
2280*13effbfbSDon Lewis      */
2281*13effbfbSDon Lewis-    PRUint8 *downgradeSentinel =
2282*13effbfbSDon Lewis+    downgradeSentinel =
2283*13effbfbSDon Lewis         ss->ssl3.hs.server_random +
2284*13effbfbSDon Lewis         SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
2285*13effbfbSDon Lewis
2286*13effbfbSDon Lewis@@ -11986,11 +11988,13 @@
2287*13effbfbSDon Lewis     }
2288*13effbfbSDon Lewis
2289*13effbfbSDon Lewis     for (i = 0; i < toCheck; i++) {
2290*13effbfbSDon Lewis+        unsigned char mask;
2291*13effbfbSDon Lewis+        unsigned char b;
2292*13effbfbSDon Lewis         t = paddingLength - i;
2293*13effbfbSDon Lewis         /* If i <= paddingLength then the MSB of t is zero and mask is
2294*13effbfbSDon Lewis          * 0xff.  Otherwise, mask is 0. */
2295*13effbfbSDon Lewis-        unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
2296*13effbfbSDon Lewis-        unsigned char b = plaintext->buf[plaintext->len - 1 - i];
2297*13effbfbSDon Lewis+        mask = DUPLICATE_MSB_TO_ALL(~t);
2298*13effbfbSDon Lewis+        b = plaintext->buf[plaintext->len - 1 - i];
2299*13effbfbSDon Lewis         /* The final |paddingLength+1| bytes should all have the value
2300*13effbfbSDon Lewis          * |paddingLength|. Therefore the XOR should be zero. */
2301*13effbfbSDon Lewis         good &= ~(mask & (paddingLength ^ b));
2302*13effbfbSDon Lewis@@ -12532,6 +12536,7 @@
2303*13effbfbSDon Lewis     }
2304*13effbfbSDon Lewis
2305*13effbfbSDon Lewis     if (rv != SECSuccess) {
2306*13effbfbSDon Lewis+        int errCode;
2307*13effbfbSDon Lewis         ssl_ReleaseSpecReadLock(ss); /***************************/
2308*13effbfbSDon Lewis
2309*13effbfbSDon Lewis         SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
2310*13effbfbSDon Lewis@@ -12562,7 +12567,7 @@
2311*13effbfbSDon Lewis             return SECSuccess;
2312*13effbfbSDon Lewis         }
2313*13effbfbSDon Lewis
2314*13effbfbSDon Lewis-        int errCode = PORT_GetError();
2315*13effbfbSDon Lewis+        errCode = PORT_GetError();
2316*13effbfbSDon Lewis         SSL3_SendAlert(ss, alert_fatal, alert);
2317*13effbfbSDon Lewis         /* Reset the error code in case SSL3_SendAlert called
2318*13effbfbSDon Lewis          * PORT_SetError(). */
2319*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/ssl3exthandle.c misc/build/nss-3.39/nss/lib/ssl/ssl3exthandle.c
2320*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/ssl3exthandle.c   2018-08-31 05:55:53.000000000 -0700
2321*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/ssl3exthandle.c 2018-10-22 02:03:24.559698000 -0700
2322*13effbfbSDon Lewis@@ -1915,6 +1915,8 @@
2323*13effbfbSDon Lewis                            sslBuffer *buf, PRBool *added)
2324*13effbfbSDon Lewis {
2325*13effbfbSDon Lewis     PRUint32 maxLimit;
2326*13effbfbSDon Lewis+    PRUint32 limit;
2327*13effbfbSDon Lewis+    SECStatus rv;
2328*13effbfbSDon Lewis     if (ss->sec.isServer) {
2329*13effbfbSDon Lewis         maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
2330*13effbfbSDon Lewis                        ? (MAX_FRAGMENT_LENGTH + 1)
2331*13effbfbSDon Lewis@@ -1924,8 +1926,8 @@
2332*13effbfbSDon Lewis                        ? (MAX_FRAGMENT_LENGTH + 1)
2333*13effbfbSDon Lewis                        : MAX_FRAGMENT_LENGTH;
2334*13effbfbSDon Lewis     }
2335*13effbfbSDon Lewis-    PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit);
2336*13effbfbSDon Lewis-    SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2);
2337*13effbfbSDon Lewis+    limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit);
2338*13effbfbSDon Lewis+    rv = sslBuffer_AppendNumber(buf, limit, 2);
2339*13effbfbSDon Lewis     if (rv != SECSuccess) {
2340*13effbfbSDon Lewis         return SECFailure;
2341*13effbfbSDon Lewis     }
2342*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslbloom.c misc/build/nss-3.39/nss/lib/ssl/sslbloom.c
2343*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslbloom.c    2018-08-31 05:55:53.000000000 -0700
2344*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslbloom.c  2018-10-22 01:50:48.294197000 -0700
2345*13effbfbSDon Lewis@@ -10,7 +10,7 @@
2346*13effbfbSDon Lewis #include "prnetdb.h"
2347*13effbfbSDon Lewis #include "secport.h"
2348*13effbfbSDon Lewis
2349*13effbfbSDon Lewis-static inline unsigned int
2350*13effbfbSDon Lewis+static __inline unsigned int
2351*13effbfbSDon Lewis sslBloom_Size(unsigned int bits)
2352*13effbfbSDon Lewis {
2353*13effbfbSDon Lewis     return (bits >= 3) ? (1 << (bits - 3)) : 1;
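Review bot: `__inline` is a compiler-specific spelling, and this change uses it on every platform the patch is applied to, not only where `inline` is unavailable. A guarded define near the includes would leave the function line untouched: `#if defined(_MSC_VER) && _MSC_VER < 1900` / `#define inline __inline` / `#endif`. The dtls_CombineSequenceNumber hunk earlier in the patch makes the same substitution.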
2354*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslencode.c misc/build/nss-3.39/nss/lib/ssl/sslencode.c
2355*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslencode.c   2018-08-31 05:55:53.000000000 -0700
2356*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslencode.c 2018-10-22 01:55:55.317356000 -0700
2357*13effbfbSDon Lewis@@ -214,6 +214,8 @@
2358*13effbfbSDon Lewis SECStatus
2359*13effbfbSDon Lewis sslRead_ReadNumber(sslReader *reader, unsigned int bytes, PRUint64 *num)
2360*13effbfbSDon Lewis {
2361*13effbfbSDon Lewis+    unsigned int i;
2362*13effbfbSDon Lewis+    PRUint64 number = 0;
2363*13effbfbSDon Lewis     if (!reader || !num) {
2364*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_INVALID_ARGS);
2365*13effbfbSDon Lewis         return SECFailure;
2366*13effbfbSDon Lewis@@ -224,8 +226,6 @@
2367*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_BAD_DATA);
2368*13effbfbSDon Lewis         return SECFailure;
2369*13effbfbSDon Lewis     }
2370*13effbfbSDon Lewis-    unsigned int i;
2371*13effbfbSDon Lewis-    PRUint64 number = 0;
2372*13effbfbSDon Lewis     for (i = 0; i < bytes; i++) {
2373*13effbfbSDon Lewis         number = (number << 8) + reader->buf.buf[i + reader->offset];
2374*13effbfbSDon Lewis     }
2375*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslnonce.c misc/build/nss-3.39/nss/lib/ssl/sslnonce.c
2376*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslnonce.c    2018-08-31 05:55:53.000000000 -0700
2377*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslnonce.c  2018-10-22 02:55:25.098750000 -0700
2378*13effbfbSDon Lewis@@ -439,6 +439,10 @@
2379*13effbfbSDon Lewis ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedToken,
2380*13effbfbSDon Lewis                           PRUint32 encodedTokenLen)
2381*13effbfbSDon Lewis {
2382*13effbfbSDon Lewis+    sslReader reader;
2383*13effbfbSDon Lewis+    PRUint64 tmpInt = 0;
2384*13effbfbSDon Lewis+    sslReadBuffer readerBuffer = { 0 };
2385*13effbfbSDon Lewis+
2386*13effbfbSDon Lewis     PORT_Assert(encodedTokenLen);
2387*13effbfbSDon Lewis     PORT_Assert(encodedToken);
2388*13effbfbSDon Lewis     PORT_Assert(sid);
2389*13effbfbSDon Lewis@@ -454,10 +458,11 @@
2390*13effbfbSDon Lewis     }
2391*13effbfbSDon Lewis
2392*13effbfbSDon Lewis     /* These variables are used across macros. Don't use them outside. */
2393*13effbfbSDon Lewis-    sslReader reader = SSL_READER(encodedToken, encodedTokenLen);
2394*13effbfbSDon Lewis+    // sslReader reader = SSL_READER(encodedToken, encodedTokenLen);
2395*13effbfbSDon Lewis+    reader.buf.buf = encodedToken;
2396*13effbfbSDon Lewis+    reader.buf.len = encodedTokenLen;
2397*13effbfbSDon Lewis+    reader.offset = 0;
2398*13effbfbSDon Lewis     reader.offset += 1; // We read the version already. Skip the first byte.
2399*13effbfbSDon Lewis-    sslReadBuffer readerBuffer = { 0 };
2400*13effbfbSDon Lewis-    PRUint64 tmpInt = 0;
2401*13effbfbSDon Lewis
2402*13effbfbSDon Lewis     if (sslRead_ReadNumber(&reader, 8, &tmpInt) != SECSuccess) {
2403*13effbfbSDon Lewis         return SECFailure;
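Review bot: The old initialiser is left behind as a `//` comment next to the three field assignments that replace it; drop the commented line, since the diff already records what was there. The same leftover appears in the three `tempItem` hunks below (@@ -494, @@ -510 and @@ -545), where the new assignments are also indented differently from the block they sit in. If a comment is wanted, one that gives the reason is more useful, for example `/* assigned field by field: declarations must precede statements for older MSVC */` (presumably the motive, given the rest of the patch). ssl_DecodeResumptionToken continues outside this hunk.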
2404*13effbfbSDon Lewis@@ -494,9 +499,13 @@
2405*13effbfbSDon Lewis         return SECFailure;
2406*13effbfbSDon Lewis     }
2407*13effbfbSDon Lewis     if (readerBuffer.len) {
2408*13effbfbSDon Lewis+        SECItem tempItem;
2409*13effbfbSDon Lewis         PORT_Assert(!sid->peerCert);
2410*13effbfbSDon Lewis-        SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2411*13effbfbSDon Lewis-                             readerBuffer.len };
2412*13effbfbSDon Lewis+        // tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2413*13effbfbSDon Lewis+        //                      readerBuffer.len };
2414*13effbfbSDon Lewis+   tempItem.type = siBuffer;
2415*13effbfbSDon Lewis+   tempItem.data = (unsigned char *)readerBuffer.buf;
2416*13effbfbSDon Lewis+   tempItem.len = readerBuffer.len;
2417*13effbfbSDon Lewis         sid->peerCert = CERT_NewTempCertificate(NULL, /* dbHandle */
2418*13effbfbSDon Lewis                                                 &tempItem,
2419*13effbfbSDon Lewis                                                 NULL, PR_FALSE, PR_TRUE);
2420*13effbfbSDon Lewis@@ -510,12 +519,16 @@
2421*13effbfbSDon Lewis         return SECFailure;
2422*13effbfbSDon Lewis     }
2423*13effbfbSDon Lewis     if (readerBuffer.len) {
2424*13effbfbSDon Lewis+        SECItem tempItem;
2425*13effbfbSDon Lewis         SECITEM_AllocArray(NULL, &sid->peerCertStatus, 1);
2426*13effbfbSDon Lewis         if (!sid->peerCertStatus.items) {
2427*13effbfbSDon Lewis             return SECFailure;
2428*13effbfbSDon Lewis         }
2429*13effbfbSDon Lewis-        SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2430*13effbfbSDon Lewis-                             readerBuffer.len };
2431*13effbfbSDon Lewis+        // SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2432*13effbfbSDon Lewis+        //                      readerBuffer.len };
2433*13effbfbSDon Lewis+   tempItem.type = siBuffer;
2434*13effbfbSDon Lewis+   tempItem.data = (unsigned char *)readerBuffer.buf;
2435*13effbfbSDon Lewis+   tempItem.len = readerBuffer.len;
2436*13effbfbSDon Lewis         SECITEM_CopyItem(NULL, &sid->peerCertStatus.items[0], &tempItem);
2437*13effbfbSDon Lewis     }
2438*13effbfbSDon Lewis
2439*13effbfbSDon Lewis@@ -545,9 +558,13 @@
2440*13effbfbSDon Lewis         return SECFailure;
2441*13effbfbSDon Lewis     }
2442*13effbfbSDon Lewis     if (readerBuffer.len) {
2443*13effbfbSDon Lewis+        SECItem tempItem;
2444*13effbfbSDon Lewis         PORT_Assert(!sid->localCert);
2445*13effbfbSDon Lewis-        SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2446*13effbfbSDon Lewis-                             readerBuffer.len };
2447*13effbfbSDon Lewis+        //SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf,
2448*13effbfbSDon Lewis+        //                     readerBuffer.len };
2449*13effbfbSDon Lewis+   tempItem.type = siBuffer;
2450*13effbfbSDon Lewis+   tempItem.data = (unsigned char *)readerBuffer.buf;
2451*13effbfbSDon Lewis+   tempItem.len = readerBuffer.len;
2452*13effbfbSDon Lewis         sid->localCert = CERT_NewTempCertificate(NULL, /* dbHandle */
2453*13effbfbSDon Lewis                                                  &tempItem,
2454*13effbfbSDon Lewis                                                  NULL, PR_FALSE, PR_TRUE);
2455*13effbfbSDon Lewis@@ -706,13 +723,15 @@
2456*13effbfbSDon Lewis PRBool
2457*13effbfbSDon Lewis ssl_IsResumptionTokenValid(sslSocket *ss)
2458*13effbfbSDon Lewis {
2459*13effbfbSDon Lewis+    sslSessionID *sid;
2460*13effbfbSDon Lewis+    PRTime endTime = 0;
2461*13effbfbSDon Lewis+    NewSessionTicket *ticket;
2462*13effbfbSDon Lewis     PORT_Assert(ss);
2463*13effbfbSDon Lewis-    sslSessionID *sid = ss->sec.ci.sid;
2464*13effbfbSDon Lewis+    sid = ss->sec.ci.sid;
2465*13effbfbSDon Lewis     PORT_Assert(sid);
2466*13effbfbSDon Lewis
2467*13effbfbSDon Lewis     // Check that the ticket didn't expire.
2468*13effbfbSDon Lewis-    PRTime endTime = 0;
2469*13effbfbSDon Lewis-    NewSessionTicket *ticket = &sid->u.ssl3.locked.sessionTicket;
2470*13effbfbSDon Lewis+    ticket = &sid->u.ssl3.locked.sessionTicket;
2471*13effbfbSDon Lewis     if (ticket->ticket_lifetime_hint != 0) {
2472*13effbfbSDon Lewis         endTime = ticket->received_timestamp +
2473*13effbfbSDon Lewis                   (PRTime)(ticket->ticket_lifetime_hint * PR_USEC_PER_SEC);
2474*13effbfbSDon Lewis@@ -746,6 +765,9 @@
2475*13effbfbSDon Lewis static SECStatus
2476*13effbfbSDon Lewis ssl_EncodeResumptionToken(sslSessionID *sid, sslBuffer *encodedTokenBuf)
2477*13effbfbSDon Lewis {
2478*13effbfbSDon Lewis+    SECStatus rv;
2479*13effbfbSDon Lewis+    PRUint64 len;
2480*13effbfbSDon Lewis+
2481*13effbfbSDon Lewis     PORT_Assert(encodedTokenBuf);
2482*13effbfbSDon Lewis     PORT_Assert(sid);
2483*13effbfbSDon Lewis     if (!sid || !sid->u.ssl3.locked.sessionTicket.ticket.len ||
2484*13effbfbSDon Lewis@@ -760,7 +782,7 @@
2485*13effbfbSDon Lewis      * SECItems are prepended with a 64-bit length field followed by the bytes.
2486*13effbfbSDon Lewis      * Optional bytes are encoded as a 0-length item if not present.
2487*13effbfbSDon Lewis      */
2488*13effbfbSDon Lewis-    SECStatus rv = sslBuffer_AppendNumber(encodedTokenBuf,
2489*13effbfbSDon Lewis+    rv = sslBuffer_AppendNumber(encodedTokenBuf,
2490*13effbfbSDon Lewis                                           SSLResumptionTokenVersion, 1);
2491*13effbfbSDon Lewis     if (rv != SECSuccess) {
2492*13effbfbSDon Lewis         return SECFailure;
2493*13effbfbSDon Lewis@@ -843,7 +865,7 @@
2494*13effbfbSDon Lewis         }
2495*13effbfbSDon Lewis     }
2496*13effbfbSDon Lewis
2497*13effbfbSDon Lewis-    PRUint64 len = sid->peerID ? strlen(sid->peerID) : 0;
2498*13effbfbSDon Lewis+    len = sid->peerID ? strlen(sid->peerID) : 0;
2499*13effbfbSDon Lewis     if (len > PR_UINT8_MAX) {
2500*13effbfbSDon Lewis         // This string really shouldn't be that long.
2501*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2502*13effbfbSDon Lewis@@ -1052,8 +1074,11 @@
2503*13effbfbSDon Lewis void
2504*13effbfbSDon Lewis ssl_CacheExternalToken(sslSocket *ss)
2505*13effbfbSDon Lewis {
2506*13effbfbSDon Lewis+    sslSessionID *sid;
2507*13effbfbSDon Lewis+    sslBuffer encodedToken = SSL_BUFFER_EMPTY;
2508*13effbfbSDon Lewis+
2509*13effbfbSDon Lewis     PORT_Assert(ss);
2510*13effbfbSDon Lewis-    sslSessionID *sid = ss->sec.ci.sid;
2511*13effbfbSDon Lewis+    sid = ss->sec.ci.sid;
2512*13effbfbSDon Lewis     PORT_Assert(sid);
2513*13effbfbSDon Lewis     PORT_Assert(sid->cached == never_cached);
2514*13effbfbSDon Lewis     PORT_Assert(ss->resumptionTokenCallback);
2515*13effbfbSDon Lewis@@ -1083,8 +1108,6 @@
2516*13effbfbSDon Lewis         sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
2517*13effbfbSDon Lewis     }
2518*13effbfbSDon Lewis
2519*13effbfbSDon Lewis-    sslBuffer encodedToken = SSL_BUFFER_EMPTY;
2520*13effbfbSDon Lewis-
2521*13effbfbSDon Lewis     if (ssl_EncodeResumptionToken(sid, &encodedToken) != SECSuccess) {
2522*13effbfbSDon Lewis         SSL_TRC(3, ("SSL [%d]: encoding resumption token failed", ss->fd));
2523*13effbfbSDon Lewis         return;
2524*13effbfbSDon Lewis@@ -1127,11 +1150,12 @@
2525*13effbfbSDon Lewis void
2526*13effbfbSDon Lewis ssl_UncacheSessionID(sslSocket *ss)
2527*13effbfbSDon Lewis {
2528*13effbfbSDon Lewis+    sslSecurityInfo *sec;
2529*13effbfbSDon Lewis     if (ss->opt.noCache) {
2530*13effbfbSDon Lewis         return;
2531*13effbfbSDon Lewis     }
2532*13effbfbSDon Lewis
2533*13effbfbSDon Lewis-    sslSecurityInfo *sec = &ss->sec;
2534*13effbfbSDon Lewis+    sec = &ss->sec;
2535*13effbfbSDon Lewis     PORT_Assert(sec);
2536*13effbfbSDon Lewis
2537*13effbfbSDon Lewis     if (sec->ci.sid) {
2538*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslsnce.c misc/build/nss-3.39/nss/lib/ssl/sslsnce.c
2539*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslsnce.c 2018-08-31 05:55:53.000000000 -0700
2540*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslsnce.c   2018-10-22 03:10:53.707928000 -0700
2541*13effbfbSDon Lewis@@ -732,11 +732,11 @@
2542*13effbfbSDon Lewis void
2543*13effbfbSDon Lewis ssl_ServerCacheSessionID(sslSessionID *sid)
2544*13effbfbSDon Lewis {
2545*13effbfbSDon Lewis-    PORT_Assert(sid);
2546*13effbfbSDon Lewis-
2547*13effbfbSDon Lewis     sidCacheEntry sce;
2548*13effbfbSDon Lewis     PRUint32 now = 0;
2549*13effbfbSDon Lewis     cacheDesc *cache = &globalCache;
2550*13effbfbSDon Lewis+
2551*13effbfbSDon Lewis+    PORT_Assert(sid);
2552*13effbfbSDon Lewis
2553*13effbfbSDon Lewis     if (sid->u.ssl3.sessionIDLength == 0) {
2554*13effbfbSDon Lewis         return;
2555*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslsock.c misc/build/nss-3.39/nss/lib/ssl/sslsock.c
2556*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslsock.c 2018-08-31 05:55:53.000000000 -0700
2557*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslsock.c   2018-10-22 03:26:21.638950000 -0700
2558*13effbfbSDon Lewis@@ -53,38 +53,38 @@
2559*13effbfbSDon Lewis ** default settings for socket enables
2560*13effbfbSDon Lewis */
2561*13effbfbSDon Lewis static sslOptions ssl_defaults = {
2562*13effbfbSDon Lewis-    .nextProtoNego = { siBuffer, NULL, 0 },
2563*13effbfbSDon Lewis-    .maxEarlyDataSize = 1 << 16,
2564*13effbfbSDon Lewis-    .recordSizeLimit = MAX_FRAGMENT_LENGTH + 1,
2565*13effbfbSDon Lewis-    .useSecurity = PR_TRUE,
2566*13effbfbSDon Lewis-    .useSocks = PR_FALSE,
2567*13effbfbSDon Lewis-    .requestCertificate = PR_FALSE,
2568*13effbfbSDon Lewis-    .requireCertificate = SSL_REQUIRE_FIRST_HANDSHAKE,
2569*13effbfbSDon Lewis-    .handshakeAsClient = PR_FALSE,
2570*13effbfbSDon Lewis-    .handshakeAsServer = PR_FALSE,
2571*13effbfbSDon Lewis-    .noCache = PR_FALSE,
2572*13effbfbSDon Lewis-    .fdx = PR_FALSE,
2573*13effbfbSDon Lewis-    .detectRollBack = PR_TRUE,
2574*13effbfbSDon Lewis-    .noLocks = PR_FALSE,
2575*13effbfbSDon Lewis-    .enableSessionTickets = PR_FALSE,
2576*13effbfbSDon Lewis-    .enableDeflate = PR_FALSE,
2577*13effbfbSDon Lewis-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
2578*13effbfbSDon Lewis-    .requireSafeNegotiation = PR_FALSE,
2579*13effbfbSDon Lewis-    .enableFalseStart = PR_FALSE,
2580*13effbfbSDon Lewis-    .cbcRandomIV = PR_TRUE,
2581*13effbfbSDon Lewis-    .enableOCSPStapling = PR_FALSE,
2582*13effbfbSDon Lewis-    .enableALPN = PR_TRUE,
2583*13effbfbSDon Lewis-    .reuseServerECDHEKey = PR_TRUE,
2584*13effbfbSDon Lewis-    .enableFallbackSCSV = PR_FALSE,
2585*13effbfbSDon Lewis-    .enableServerDhe = PR_TRUE,
2586*13effbfbSDon Lewis-    .enableExtendedMS = PR_FALSE,
2587*13effbfbSDon Lewis-    .enableSignedCertTimestamps = PR_FALSE,
2588*13effbfbSDon Lewis-    .requireDHENamedGroups = PR_FALSE,
2589*13effbfbSDon Lewis-    .enable0RttData = PR_FALSE,
2590*13effbfbSDon Lewis-    .enableTls13CompatMode = PR_FALSE,
2591*13effbfbSDon Lewis-    .enableDtlsShortHeader = PR_FALSE,
2592*13effbfbSDon Lewis-    .enableHelloDowngradeCheck = PR_FALSE,
2593*13effbfbSDon Lewis-    .enableV2CompatibleHello = PR_FALSE
2594*13effbfbSDon Lewis+    /* .nextProtoNego = */ { siBuffer, NULL, 0 },
2595*13effbfbSDon Lewis+    /* .recordSizeLimit = */ MAX_FRAGMENT_LENGTH + 1,
2596*13effbfbSDon Lewis+    /* .maxEarlyDataSize = */ 1 << 16,
2597*13effbfbSDon Lewis+    /* .useSecurity = */ PR_TRUE,
2598*13effbfbSDon Lewis+    /* .useSocks = */ PR_FALSE,
2599*13effbfbSDon Lewis+    /* .requestCertificate = */ PR_FALSE,
2600*13effbfbSDon Lewis+    /* .requireCertificate = */ SSL_REQUIRE_FIRST_HANDSHAKE,
2601*13effbfbSDon Lewis+    /* .handshakeAsClient = */ PR_FALSE,
2602*13effbfbSDon Lewis+    /* .handshakeAsServer = */ PR_FALSE,
2603*13effbfbSDon Lewis+    /* .noCache = */ PR_FALSE,
2604*13effbfbSDon Lewis+    /* .fdx = */ PR_FALSE,
2605*13effbfbSDon Lewis+    /* .detectRollBack = */ PR_TRUE,
2606*13effbfbSDon Lewis+    /* .noLocks = */ PR_FALSE,
2607*13effbfbSDon Lewis+    /* .enableSessionTickets = */ PR_FALSE,
2608*13effbfbSDon Lewis+    /* .enableDeflate = */ PR_FALSE,
2609*13effbfbSDon Lewis+    /* .enableRenegotiation = */ SSL_RENEGOTIATE_REQUIRES_XTN,
2610*13effbfbSDon Lewis+    /* .requireSafeNegotiation = */ PR_FALSE,
2611*13effbfbSDon Lewis+    /* .enableFalseStart = */ PR_FALSE,
2612*13effbfbSDon Lewis+    /* .cbcRandomIV = */ PR_TRUE,
2613*13effbfbSDon Lewis+    /* .enableOCSPStapling = */ PR_FALSE,
2614*13effbfbSDon Lewis+    /* .enableALPN = */ PR_TRUE,
2615*13effbfbSDon Lewis+    /* .reuseServerECDHEKey = */ PR_TRUE,
2616*13effbfbSDon Lewis+    /* .enableFallbackSCSV = */ PR_FALSE,
2617*13effbfbSDon Lewis+    /* .enableServerDhe = */ PR_TRUE,
2618*13effbfbSDon Lewis+    /* .enableExtendedMS = */ PR_FALSE,
2619*13effbfbSDon Lewis+    /* .enableSignedCertTimestamps = */ PR_FALSE,
2620*13effbfbSDon Lewis+    /* .requireDHENamedGroups = */ PR_FALSE,
2621*13effbfbSDon Lewis+    /* .enable0RttData = */ PR_FALSE,
2622*13effbfbSDon Lewis+    /* .enableTls13CompatMode = */ PR_FALSE,
2623*13effbfbSDon Lewis+    /* .enableDtlsShortHeader = */ PR_FALSE,
2624*13effbfbSDon Lewis+    /* .enableHelloDowngradeCheck = */ PR_FALSE,
2625*13effbfbSDon Lewis+    /* .enableV2CompatibleHello = */ PR_FALSE
2626*13effbfbSDon Lewis };
2627*13effbfbSDon Lewis
2628*13effbfbSDon Lewis /*
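Review bot: Replacing the designated initialisers with positional ones makes every default in `ssl_defaults` depend on the field order of `sslOptions`, which is declared outside this diff; the commented names are not checked by the compiler. `recordSizeLimit` and `maxEarlyDataSize` already had to swap places here, presumably to match that order. If a later NSS update inserts or reorders a field, defaults such as `detectRollBack`, `requireSafeNegotiation` or `cbcRandomIV` would move to a neighbouring option without any diagnostic, because most entries are the same PR_TRUE/PR_FALSE constants. Add a comment above the initialiser, `/* Positional: order must match the sslOptions declaration exactly; re-check on every NSS upgrade */`, and compare the list against the struct whenever the bundled NSS version changes.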
2629*13effbfbSDon Lewis@@ -2032,6 +2032,7 @@
2630*13effbfbSDon Lewis                      unsigned int length)
2631*13effbfbSDon Lewis {
2632*13effbfbSDon Lewis     sslSocket *ss;
2633*13effbfbSDon Lewis+    size_t firstLen;
2634*13effbfbSDon Lewis
2635*13effbfbSDon Lewis     ss = ssl_FindSocket(fd);
2636*13effbfbSDon Lewis     if (!ss) {
2637*13effbfbSDon Lewis@@ -2050,7 +2051,7 @@
2638*13effbfbSDon Lewis     ssl_GetSSL3HandshakeLock(ss);
2639*13effbfbSDon Lewis     SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
2640*13effbfbSDon Lewis     SECITEM_AllocItem(NULL, &ss->opt.nextProtoNego, length);
2641*13effbfbSDon Lewis-    size_t firstLen = data[0] + 1;
2642*13effbfbSDon Lewis+    firstLen = data[0] + 1;
2643*13effbfbSDon Lewis     /* firstLen <= length is ensured by ssl3_ValidateAppProtocol. */
2644*13effbfbSDon Lewis     PORT_Memcpy(ss->opt.nextProtoNego.data + (length - firstLen), data, firstLen);
2645*13effbfbSDon Lewis     PORT_Memcpy(ss->opt.nextProtoNego.data, data + firstLen, length - firstLen);
2646*13effbfbSDon Lewis@@ -4079,6 +4080,7 @@
2647*13effbfbSDon Lewis                           unsigned int len)
2648*13effbfbSDon Lewis {
2649*13effbfbSDon Lewis     sslSocket *ss = ssl_FindSocket(fd);
2650*13effbfbSDon Lewis+    SECStatus rv;
2651*13effbfbSDon Lewis
2652*13effbfbSDon Lewis     if (!ss) {
2653*13effbfbSDon Lewis         SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken",
2654*13effbfbSDon Lewis@@ -4109,7 +4111,7 @@
2655*13effbfbSDon Lewis     }
2656*13effbfbSDon Lewis
2657*13effbfbSDon Lewis     /* Populate NewSessionTicket values */
2658*13effbfbSDon Lewis-    SECStatus rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
2659*13effbfbSDon Lewis+    rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
2660*13effbfbSDon Lewis     if (rv != SECSuccess) {
2661*13effbfbSDon Lewis         // If decoding fails, we assume the token is bad.
2662*13effbfbSDon Lewis         PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
2663*13effbfbSDon Lewis@@ -4163,13 +4165,14 @@
2664*13effbfbSDon Lewis SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
2665*13effbfbSDon Lewis                               SSLResumptionTokenInfo *tokenOut, PRUintn len)
2666*13effbfbSDon Lewis {
2667*13effbfbSDon Lewis+    sslSessionID sid = { 0 };
2668*13effbfbSDon Lewis+    SSLResumptionTokenInfo token;
2669*13effbfbSDon Lewis+
2670*13effbfbSDon Lewis     if (!tokenData || !tokenOut || !tokenLen ||
2671*13effbfbSDon Lewis         len > sizeof(SSLResumptionTokenInfo)) {
2672*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_INVALID_ARGS);
2673*13effbfbSDon Lewis         return SECFailure;
2674*13effbfbSDon Lewis     }
2675*13effbfbSDon Lewis-    sslSessionID sid = { 0 };
2676*13effbfbSDon Lewis-    SSLResumptionTokenInfo token;
2677*13effbfbSDon Lewis
2678*13effbfbSDon Lewis     /* Populate sid values */
2679*13effbfbSDon Lewis     if (ssl_DecodeResumptionToken(&sid, tokenData, tokenLen) != SECSuccess) {
2680*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/tls13exthandle.c misc/build/nss-3.39/nss/lib/ssl/tls13exthandle.c
2681*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/tls13exthandle.c  2018-08-31 05:55:53.000000000 -0700
2682*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/tls13exthandle.c    2018-10-22 03:41:59.569200000 -0700
2683*13effbfbSDon Lewis@@ -773,6 +773,7 @@
2684*13effbfbSDon Lewis                                      sslBuffer *buf, PRBool *added)
2685*13effbfbSDon Lewis {
2686*13effbfbSDon Lewis     SECStatus rv;
2687*13effbfbSDon Lewis+    PRUint16 ver;
2688*13effbfbSDon Lewis
2689*13effbfbSDon Lewis     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
2690*13effbfbSDon Lewis         return SECSuccess;
2691*13effbfbSDon Lewis@@ -781,7 +782,7 @@
2692*13effbfbSDon Lewis     SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
2693*13effbfbSDon Lewis                 SSL_GETPID(), ss->fd));
2694*13effbfbSDon Lewis
2695*13effbfbSDon Lewis-    PRUint16 ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
2696*13effbfbSDon Lewis+    ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
2697*13effbfbSDon Lewis                                             ss->protocolVariant);
2698*13effbfbSDon Lewis     rv = sslBuffer_AppendNumber(buf, ver, 2);
2699*13effbfbSDon Lewis     if (rv != SECSuccess) {
2700*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/tls13hashstate.c misc/build/nss-3.39/nss/lib/ssl/tls13hashstate.c
2701*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/ssl/tls13hashstate.c  2018-08-31 05:55:53.000000000 -0700
2702*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/tls13hashstate.c    2018-10-22 04:03:39.133885000 -0700
2703*13effbfbSDon Lewis@@ -95,6 +95,9 @@
2704*13effbfbSDon Lewis     PRUint64 group;
2705*13effbfbSDon Lewis     const sslNamedGroupDef *selectedGroup;
2706*13effbfbSDon Lewis     PRUint64 appTokenLen;
2707*13effbfbSDon Lewis+    sslReader reader = SSL_READER(plaintext, plaintextLen);
2708*13effbfbSDon Lewis+    sslReadBuffer appTokenReader = { 0 };
2709*13effbfbSDon Lewis+    unsigned int hashLen;
2710*13effbfbSDon Lewis
2711*13effbfbSDon Lewis     rv = ssl_SelfEncryptUnprotect(ss, cookie, cookieLen,
2712*13effbfbSDon Lewis                                   plaintext, &plaintextLen, sizeof(plaintext));
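Review bot: `reader` is initialised from `plaintext` and `plaintextLen` at its declaration, before `ssl_SelfEncryptUnprotect` has written either, and is then set again field by field in the next hunk. The first initialisation is dead, and it reads `plaintextLen` at a point where, as far as this hunk shows, it may not hold a value yet. Declare it as plain `sslReader reader;`, as the sslnonce.c change does, and drop the commented-out `// reader = SSL_READER(plaintext, plaintextLen);` line in the next hunk. The function begins outside this hunk.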
2713*13effbfbSDon Lewis@@ -102,7 +105,10 @@
2714*13effbfbSDon Lewis         return SECFailure;
2715*13effbfbSDon Lewis     }
2716*13effbfbSDon Lewis
2717*13effbfbSDon Lewis-    sslReader reader = SSL_READER(plaintext, plaintextLen);
2718*13effbfbSDon Lewis+    // reader = SSL_READER(plaintext, plaintextLen);
2719*13effbfbSDon Lewis+    reader.buf.buf = plaintext;
2720*13effbfbSDon Lewis+    reader.buf.len = plaintextLen;
2721*13effbfbSDon Lewis+    reader.offset = 0;
2722*13effbfbSDon Lewis
2723*13effbfbSDon Lewis     /* Should start with 0xff. */
2724*13effbfbSDon Lewis     rv = sslRead_ReadNumber(&reader, 1, &sentinel);
2725*13effbfbSDon Lewis@@ -138,7 +144,6 @@
2726*13effbfbSDon Lewis         return SECFailure;
2727*13effbfbSDon Lewis     }
2728*13effbfbSDon Lewis     ss->xtnData.applicationToken.len = appTokenLen;
2729*13effbfbSDon Lewis-    sslReadBuffer appTokenReader = { 0 };
2730*13effbfbSDon Lewis     rv = sslRead_Read(&reader, appTokenLen, &appTokenReader);
2731*13effbfbSDon Lewis     if (rv != SECSuccess) {
2732*13effbfbSDon Lewis         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter);
2733*13effbfbSDon Lewis@@ -148,7 +153,7 @@
2734*13effbfbSDon Lewis     PORT_Memcpy(ss->xtnData.applicationToken.data, appTokenReader.buf, appTokenLen);
2735*13effbfbSDon Lewis
2736*13effbfbSDon Lewis     /* The remainder is the hash. */
2737*13effbfbSDon Lewis-    unsigned int hashLen = SSL_READER_REMAINING(&reader);
2738*13effbfbSDon Lewis+    hashLen = SSL_READER_REMAINING(&reader);
2739*13effbfbSDon Lewis     if (hashLen != tls13_GetHashSize(ss)) {
2740*13effbfbSDon Lewis         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter);
2741*13effbfbSDon Lewis         return SECFailure;
2742*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/quickder.c misc/build/nss-3.39/nss/lib/util/quickder.c
2743*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/util/quickder.c   2018-08-31 05:55:53.000000000 -0700
2744*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/quickder.c 2018-09-10 17:24:47.548844000 -0700
2745*13effbfbSDon Lewis@@ -408,11 +408,12 @@
2746*13effbfbSDon Lewis {
2747*13effbfbSDon Lewis     const SEC_ASN1Template* ptrTemplate =
2748*13effbfbSDon Lewis         SEC_ASN1GetSubtemplate(templateEntry, dest, PR_FALSE);
2749*13effbfbSDon Lewis+    void* subdata;
2750*13effbfbSDon Lewis     if (!ptrTemplate) {
2751*13effbfbSDon Lewis         PORT_SetError(SEC_ERROR_INVALID_ARGS);
2752*13effbfbSDon Lewis         return SECFailure;
2753*13effbfbSDon Lewis     }
2754*13effbfbSDon Lewis-    void* subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size);
2755*13effbfbSDon Lewis+    subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size);
2756*13effbfbSDon Lewis     *(void**)((char*)dest + templateEntry->offset) = subdata;
2757*13effbfbSDon Lewis     if (subdata) {
2758*13effbfbSDon Lewis         return DecodeItem(subdata, ptrTemplate, src, arena, checkTag);
2759*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/secport.c misc/build/nss-3.39/nss/lib/util/secport.c
2760*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/util/secport.c    2018-08-31 05:55:53.000000000 -0700
2761*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/secport.c  2018-10-21 01:46:42.919736000 -0700
2762*13effbfbSDon Lewis@@ -21,7 +21,23 @@
2763*13effbfbSDon Lewis #include "prenv.h"
2764*13effbfbSDon Lewis #include "prinit.h"
2765*13effbfbSDon Lewis
2766*13effbfbSDon Lewis-#include <stdint.h>
2767*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
2768*13effbfbSDon Lewis+ #ifdef _WIN64
2769*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
2770*13effbfbSDon Lewis+ #else
2771*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
2772*13effbfbSDon Lewis+ #endif
2773*13effbfbSDon Lewis+typedef unsigned char uint8_t;
2774*13effbfbSDon Lewis+typedef unsigned short uint16_t;
2775*13effbfbSDon Lewis+typedef unsigned int uint32_t;
2776*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
2777*13effbfbSDon Lewis+#define UINT8_MAX  0xff
2778*13effbfbSDon Lewis+#define UINT16_MAX 0xffff
2779*13effbfbSDon Lewis+#define UINT32_MAX 0xffffffffu
2780*13effbfbSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
2781*13effbfbSDon Lewis+#else
2782*13effbfbSDon Lewis+ #include <stdint.h>
2783*13effbfbSDon Lewis+#endif
2784*13effbfbSDon Lewis
2785*13effbfbSDon Lewis #ifdef DEBUG
2786*13effbfbSDon Lewis #define THREADMARK
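Review bot: This fallback block repeats the one the same patch adds to `secport.h`, and the two copies already differ: this one has no signed types, no `UINT64_C` and no `INT32_MIN`/`INT32_MAX`. If `secport.c` includes `secport.h`, which is not visible in this hunk, the copy here is redundant and can only drift, so I would keep a single copy in the header. Neither copy checks that the hand-written widths are right. A guard after the typedefs, such as `typedef char nss_uint64_is_8_bytes[sizeof(uint64_t) == 8 ? 1 : -1];`, would turn a wrong assumption into a compile error.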
2787*13effbfbSDon Lewis@@ -150,13 +166,14 @@
2788*13effbfbSDon Lewis void *
2789*13effbfbSDon Lewis PORT_ZAllocAlignedOffset(size_t size, size_t alignment, size_t offset)
2790*13effbfbSDon Lewis {
2791*13effbfbSDon Lewis+    void *mem = NULL;
2792*13effbfbSDon Lewis+    void *v;
2793*13effbfbSDon Lewis     PORT_Assert(offset < size);
2794*13effbfbSDon Lewis     if (offset > size) {
2795*13effbfbSDon Lewis         return NULL;
2796*13effbfbSDon Lewis     }
2797*13effbfbSDon Lewis
2798*13effbfbSDon Lewis-    void *mem = NULL;
2799*13effbfbSDon Lewis-    void *v = PORT_ZAllocAligned(size, alignment, &mem);
2800*13effbfbSDon Lewis+    v = PORT_ZAllocAligned(size, alignment, &mem);
2801*13effbfbSDon Lewis     if (!v) {
2802*13effbfbSDon Lewis         return NULL;
2803*13effbfbSDon Lewis     }
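Review bot: The runtime guard `if (offset > size)` is weaker than the `PORT_Assert(offset < size)` directly above it, so in builds where the assertion is compiled out `offset == size` is accepted. The rest of the function is outside this hunk, but whatever it does with `offset` would then presumably work from the very end of the allocation. Making the two checks agree is a one-line change: `if (offset >= size) {`. The hoisted `mem` and `v` declarations are fine, and `mem` keeps its `NULL` initialiser.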
2804*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/secport.h misc/build/nss-3.39/nss/lib/util/secport.h
2805*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/util/secport.h    2018-08-31 05:55:53.000000000 -0700
2806*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/secport.h  2018-10-21 20:43:01.473838000 -0700
2807*13effbfbSDon Lewis@@ -45,7 +45,30 @@
2808*13effbfbSDon Lewis #include <string.h>
2809*13effbfbSDon Lewis #include <stddef.h>
2810*13effbfbSDon Lewis #include <stdlib.h>
2811*13effbfbSDon Lewis-#include <stdint.h>
2812*13effbfbSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
2813*13effbfbSDon Lewis+ #ifdef _WIN64
2814*13effbfbSDon Lewis+typedef unsigned __int64 uintptr_t;
2815*13effbfbSDon Lewis+ #else
2816*13effbfbSDon Lewis+typedef unsigned int uintptr_t;
2817*13effbfbSDon Lewis+ #endif
2818*13effbfbSDon Lewis+typedef unsigned char uint8_t;
2819*13effbfbSDon Lewis+typedef unsigned short uint16_t;
2820*13effbfbSDon Lewis+typedef unsigned int uint32_t;
2821*13effbfbSDon Lewis+typedef unsigned __int64 uint64_t;
2822*13effbfbSDon Lewis+typedef char int8_t;
2823*13effbfbSDon Lewis+typedef short int16_t;
2824*13effbfbSDon Lewis+typedef int int32_t;
2825*13effbfbSDon Lewis+typedef __int64 int64_t;
2826*13effbfbSDon Lewis+#define UINT8_MAX      0xff
2827*13effbfbSDon Lewis+#define UINT16_MAX     0xffff
2828*13effbfbSDon Lewis+#define UINT32_MAX     0xffffffffu
2829*13effbfbSDon Lewis+#define UINT64_MAX     0xffffffffffffffffU
2830*13effbfbSDon Lewis+#define UINT64_C(x)    ((x) + (UINT64_MAX - UINT64_MAX))
2831*13effbfbSDon Lewis+#define INT32_MIN     (-0x7fffffff - 1)
2832*13effbfbSDon Lewis+#define INT32_MAX     0x7fffffff
2833*13effbfbSDon Lewis+#else
2834*13effbfbSDon Lewis+ #include <stdint.h>
2835*13effbfbSDon Lewis+#endif
2836*13effbfbSDon Lewis #include "prtypes.h"
2837*13effbfbSDon Lewis #include "prlog.h" /* for PR_ASSERT */
2838*13effbfbSDon Lewis #include "plarena.h"
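Review bot: `typedef char int8_t;` depends on plain `char` being signed, which is a compiler setting rather than a guarantee (MSVC's `/J` switch makes it unsigned); it should be `typedef signed char int8_t;`. The block also defines `uintptr_t` unconditionally. I believe the MSVC CRT headers already provide it behind `_UINTPTR_T_DEFINED`, so wrapping that typedef in `#ifndef _UINTPTR_T_DEFINED` would avoid a conflicting definition; this is worth confirming against the oldest compiler the patch targets. A short comment above the block naming the toolchain that lacks `<stdint.h>` would help the next reader.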
2839*13effbfbSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/utilmod.c misc/build/nss-3.39/nss/lib/util/utilmod.c
2840*13effbfbSDon Lewis--- misc/nss-3.39/nss/lib/util/utilmod.c    2018-08-31 05:55:53.000000000 -0700
2841*13effbfbSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/utilmod.c  2018-09-11 01:58:56.505884000 -0700
2842*13effbfbSDon Lewis@@ -75,12 +75,13 @@
2843*13effbfbSDon Lewis os_open(const char *filename, int oflag, int pmode)
2844*13effbfbSDon Lewis {
2845*13effbfbSDon Lewis     int fd;
2846*13effbfbSDon Lewis+    wchar_t *filenameWide;
2847*13effbfbSDon Lewis
2848*13effbfbSDon Lewis     if (!filename) {
2849*13effbfbSDon Lewis         return -1;
2850*13effbfbSDon Lewis     }
2851*13effbfbSDon Lewis
2852*13effbfbSDon Lewis-    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
2853*13effbfbSDon Lewis+    filenameWide = _NSSUTIL_UTF8ToWide(filename);
2854*13effbfbSDon Lewis     if (!filenameWide) {
2855*13effbfbSDon Lewis         return -1;
2856*13effbfbSDon Lewis     }
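Review bot: The hoisted `wchar_t *` locals in this hunk and in the `os_stat`, `os_fopen`, `_NSSUTIL_Access`, `nssutil_Delete` and `nssutil_Rename` hunks below are declared without a value and assigned several lines later. Every visible use follows the assignment, so nothing is wrong today. These buffers are heap-allocated, though, and are released on error paths (`PORT_Free(filenameWide)` is visible in `os_fopen`), so a cleanup path added between declaration and assignment would free an indeterminate pointer. Declaring them as `wchar_t *filenameWide = NULL;` costs nothing and keeps that mistake harmless. Each function body continues outside its hunk.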
2857*13effbfbSDon Lewis@@ -94,12 +95,13 @@
2858*13effbfbSDon Lewis os_stat(const char *path, os_stat_type *buffer)
2859*13effbfbSDon Lewis {
2860*13effbfbSDon Lewis     int result;
2861*13effbfbSDon Lewis+    wchar_t *pathWide;
2862*13effbfbSDon Lewis
2863*13effbfbSDon Lewis     if (!path) {
2864*13effbfbSDon Lewis         return -1;
2865*13effbfbSDon Lewis     }
2866*13effbfbSDon Lewis
2867*13effbfbSDon Lewis-    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
2868*13effbfbSDon Lewis+    pathWide = _NSSUTIL_UTF8ToWide(path);
2869*13effbfbSDon Lewis     if (!pathWide) {
2870*13effbfbSDon Lewis         return -1;
2871*13effbfbSDon Lewis     }
2872*13effbfbSDon Lewis@@ -113,16 +115,18 @@
2873*13effbfbSDon Lewis os_fopen(const char *filename, const char *mode)
2874*13effbfbSDon Lewis {
2875*13effbfbSDon Lewis     FILE *fp;
2876*13effbfbSDon Lewis+    wchar_t *filenameWide;
2877*13effbfbSDon Lewis+    wchar_t *modeWide;
2878*13effbfbSDon Lewis
2879*13effbfbSDon Lewis     if (!filename || !mode) {
2880*13effbfbSDon Lewis         return NULL;
2881*13effbfbSDon Lewis     }
2882*13effbfbSDon Lewis
2883*13effbfbSDon Lewis-    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
2884*13effbfbSDon Lewis+    filenameWide = _NSSUTIL_UTF8ToWide(filename);
2885*13effbfbSDon Lewis     if (!filenameWide) {
2886*13effbfbSDon Lewis         return NULL;
2887*13effbfbSDon Lewis     }
2888*13effbfbSDon Lewis-    wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode);
2889*13effbfbSDon Lewis+    modeWide = _NSSUTIL_UTF8ToWide(mode);
2890*13effbfbSDon Lewis     if (!modeWide) {
2891*13effbfbSDon Lewis         PORT_Free(filenameWide);
2892*13effbfbSDon Lewis         return NULL;
2893*13effbfbSDon Lewis@@ -138,12 +142,13 @@
2894*13effbfbSDon Lewis _NSSUTIL_Access(const char *path, PRAccessHow how)
2895*13effbfbSDon Lewis {
2896*13effbfbSDon Lewis     int result;
2897*13effbfbSDon Lewis+    int mode;
2898*13effbfbSDon Lewis+    wchar_t *pathWide;
2899*13effbfbSDon Lewis
2900*13effbfbSDon Lewis     if (!path) {
2901*13effbfbSDon Lewis         return PR_FAILURE;
2902*13effbfbSDon Lewis     }
2903*13effbfbSDon Lewis
2904*13effbfbSDon Lewis-    int mode;
2905*13effbfbSDon Lewis     switch (how) {
2906*13effbfbSDon Lewis         case PR_ACCESS_WRITE_OK:
2907*13effbfbSDon Lewis             mode = 2;
2908*13effbfbSDon Lewis@@ -158,7 +163,7 @@
2909*13effbfbSDon Lewis             return PR_FAILURE;
2910*13effbfbSDon Lewis     }
2911*13effbfbSDon Lewis
2912*13effbfbSDon Lewis-    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
2913*13effbfbSDon Lewis+    pathWide = _NSSUTIL_UTF8ToWide(path);
2914*13effbfbSDon Lewis     if (!pathWide) {
2915*13effbfbSDon Lewis         return PR_FAILURE;
2916*13effbfbSDon Lewis     }
2917*13effbfbSDon Lewis@@ -172,12 +177,13 @@
2918*13effbfbSDon Lewis nssutil_Delete(const char *name)
2919*13effbfbSDon Lewis {
2920*13effbfbSDon Lewis     BOOL result;
2921*13effbfbSDon Lewis+    wchar_t *nameWide;
2922*13effbfbSDon Lewis
2923*13effbfbSDon Lewis     if (!name) {
2924*13effbfbSDon Lewis         return PR_FAILURE;
2925*13effbfbSDon Lewis     }
2926*13effbfbSDon Lewis
2927*13effbfbSDon Lewis-    wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name);
2928*13effbfbSDon Lewis+    nameWide = _NSSUTIL_UTF8ToWide(name);
2929*13effbfbSDon Lewis     if (!nameWide) {
2930*13effbfbSDon Lewis         return PR_FAILURE;
2931*13effbfbSDon Lewis     }
2932*13effbfbSDon Lewis@@ -191,16 +197,18 @@
2933*13effbfbSDon Lewis nssutil_Rename(const char *from, const char *to)
2934*13effbfbSDon Lewis {
2935*13effbfbSDon Lewis     BOOL result;
2936*13effbfbSDon Lewis+    wchar_t *fromWide;
2937*13effbfbSDon Lewis+    wchar_t *toWide;
2938*13effbfbSDon Lewis
2939*13effbfbSDon Lewis     if (!from || !to) {
2940*13effbfbSDon Lewis         return PR_FAILURE;
2941*13effbfbSDon Lewis     }
2942*13effbfbSDon Lewis
2943*13effbfbSDon Lewis-    wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from);
2944*13effbfbSDon Lewis+    fromWide = _NSSUTIL_UTF8ToWide(from);
2945*13effbfbSDon Lewis     if (!fromWide) {
2946*13effbfbSDon Lewis         return PR_FAILURE;
2947*13effbfbSDon Lewis     }
2948*13effbfbSDon Lewis-    wchar_t *toWide = _NSSUTIL_UTF8ToWide(to);
2949*13effbfbSDon Lewis+    toWide = _NSSUTIL_UTF8ToWide(to);
2950*13effbfbSDon Lewis     if (!toWide) {
2951*13effbfbSDon Lewis         PORT_Free(fromWide);
2952*13effbfbSDon Lewis         return PR_FAILURE;
2953