Crypto: update Whirlpool implementation using latest code from Crypto++.

2025-11-12 19:38:26 -06:00 · 2016-02-21 00:52:22 +01:00
parent faf00ca1e0
commit 87df2fd2fc
5 changed files with 645 additions and 518 deletions
--- a/src/Crypto/Whirlpool.c
+++ b/src/Crypto/Whirlpool.c
@@ -381,7 +381,7 @@ void WhirlpoolTransform(uint64 *digest, const uint64 *block)
 	#endif
 	__asm__ __volatile__
 	(
-		".intel_syntax noprefix;"
+		INTEL_NOPREFIX
 		AS_PUSH_IF86(	bx)
 		AS2(	mov		AS_REG_6, WORD_REG(ax))
 #else
@@ -392,12 +392,17 @@ void WhirlpoolTransform(uint64 *digest, const uint64 *block)
 		AS2(	mov		WORD_REG(cx), digest)
 		AS2(	mov		WORD_REG(dx), block)
 #endif
-#if CRYPTOPP_BOOL_X86
+#if CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32
 		AS2(	mov		eax, esp)
 		AS2(	and		esp, -16)
 		AS2(	sub		esp, 16*8)
-		AS1(	push	eax)
+		AS_PUSH_IF86( ax)
    #if CRYPTOPP_BOOL_X86
        #define SSE2_workspace	esp+WORD_SZ
    #elif CRYPTOPP_BOOL_X32
        #define SSE2_workspace	esp+(WORD_SZ*2)
    #endif
 #else
    #define SSE2_workspace	%3
 #endif
@@ -549,7 +554,7 @@ void WhirlpoolTransform(uint64 *digest, const uint64 *block)
 		AS_POP_IF86(	bx)
 #endif
 #ifdef __GNUC__
-		".att_syntax prefix;"
+		ATT_PREFIX
 			:
 			: "a" (Whirlpool_C), "c" (digest), "d" (block)
 	#if CRYPTOPP_BOOL_X64
@@ -628,7 +633,7 @@ void WhirlpoolTransform(uint64 *digest, const uint64 *block)
 	r=0;
 	while (1)
 	{
-		uint32 t;
+		uint32 t = 0;
 		KSL(0, 4, 3, 2, 1, 0)
 		KSL(0, 0, 7, 6, 5, 4)
--- a/src/Crypto/config.h
+++ b/src/Crypto/config.h
@@ -13,9 +13,24 @@
 	#define CRYPTOPP_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
 #endif
 // Apple and LLVM's Clang. Apple Clang version 7.0 roughly equals LLVM Clang version 3.7
 #if defined(__clang__ ) && !defined(__apple_build_version__)
    #define CRYPTOPP_CLANG_VERSION (__clang_major__ * 10000 + __clang_minor__ * 100 + __clang_patchlevel__)
 #elif defined(__clang__ ) && defined(__apple_build_version__)
    #define CRYPTOPP_APPLE_CLANG_VERSION (__clang_major__ * 10000 + __clang_minor__ * 100 + __clang_patchlevel__)
 #endif
 // Clang due to "Inline assembly operands don't work with .intel_syntax", http://llvm.org/bugs/show_bug.cgi?id=24232
 //   TODO: supply the upper version when LLVM fixes it. We set it to 20.0 for compilation purposes.
 #if (defined(CRYPTOPP_CLANG_VERSION) && CRYPTOPP_CLANG_VERSION <= 200000) || (defined(CRYPTOPP_APPLE_CLANG_VERSION) && CRYPTOPP_APPLE_CLANG_VERSION <= 200000)
 #define CRYPTOPP_DISABLE_INTEL_ASM 1
 #endif
 #ifndef CRYPTOPP_L1_CACHE_LINE_SIZE
 	// This should be a lower bound on the L1 cache line size. It's used for defense against timing attacks.
-	#if defined(_M_X64) || defined(__x86_64__)
+    // Also see http://stackoverflow.com/questions/794632/programmatically-get-the-cache-line-size.
    #if defined(_M_X64) || defined(__x86_64__) || (__ILP32__ >= 1)
 		#define CRYPTOPP_L1_CACHE_LINE_SIZE 64
 	#else
 		// L1 cache line size is 32 on Pentium III and earlier
@@ -53,19 +68,25 @@
 #define CRYPTOPP_DISABLE_SSE2
 #endif
 // Apple's Clang prior to 5.0 cannot handle SSE2 (and Apple does not use LLVM Clang numbering...)
 #if defined(CRYPTOPP_APPLE_CLANG_VERSION) && (CRYPTOPP_APPLE_CLANG_VERSION < 50000)
 # define CRYPTOPP_DISABLE_ASM
 #endif
 #if !defined(CRYPTOPP_DISABLE_ASM) && ((defined(_MSC_VER) && defined(_M_IX86)) || (defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))))
    // C++Builder 2010 does not allow "call label" where label is defined within inline assembly
    #define CRYPTOPP_X86_ASM_AVAILABLE
-	#if !defined(CRYPTOPP_DISABLE_SSE2) && (defined(_MSC_VER) || CRYPTOPP_GCC_VERSION >= 30300)
+    #if !defined(CRYPTOPP_DISABLE_SSE2) && (defined(CRYPTOPP_MSVC6PP_OR_LATER) || CRYPTOPP_GCC_VERSION >= 30300 || defined(__SSE2__))
        #define CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE 1
    #else
        #define CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE 0
    #endif
-	// SSSE3 was actually introduced in GNU as 2.17, which was released 6/23/2006, but we can't tell what version of binutils is installed.
+    // SSE3 was actually introduced in GNU as 2.17, which was released 6/23/2006, but we can't tell what version of binutils is installed.
-	// GCC 4.1.2 was released on 2/13/2007, so we'll use that as a proxy for the binutils version.
+    // GCC 4.1.2 was released on 2/13/2007, so we'll use that as a proxy for the binutils version. Also see the output of
-	#if !defined(CRYPTOPP_DISABLE_SSSE3) && (_MSC_VER >= 1400 || CRYPTOPP_GCC_VERSION >= 40102)
+    // `gcc -dM -E -march=native - < /dev/null | grep -i SSE` for preprocessor defines available.
    #if !defined(CRYPTOPP_DISABLE_SSSE3) && (_MSC_VER >= 1400 || CRYPTOPP_GCC_VERSION >= 40102 || defined(__SSSE3__) || defined(__SSE3__))
        #define CRYPTOPP_BOOL_SSSE3_ASM_AVAILABLE 1
    #else
        #define CRYPTOPP_BOOL_SSSE3_ASM_AVAILABLE 0
@@ -80,22 +101,22 @@
    #define CRYPTOPP_X64_ASM_AVAILABLE
 #endif
-#if !defined(CRYPTOPP_DISABLE_SSE2) && (defined(_MSC_VER) || defined(__SSE2__))
+#if !defined(CRYPTOPP_DISABLE_SSE2) && (defined(CRYPTOPP_MSVC6PP_OR_LATER) || defined(__SSE2__)) && !defined(_M_ARM)
    #define CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE 1
 #else
    #define CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE 0
 #endif
-#if !defined(CRYPTOPP_DISABLE_SSSE3) && !defined(CRYPTOPP_DISABLE_AESNI) && CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE && (CRYPTOPP_GCC_VERSION >= 40400 || _MSC_FULL_VER >= 150030729 || __INTEL_COMPILER >= 1110)
+#if !defined(CRYPTOPP_DISABLE_SSSE3) && !defined(CRYPTOPP_DISABLE_AESNI) && CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE && (CRYPTOPP_GCC_VERSION >= 40400 || _MSC_FULL_VER >= 150030729 || __INTEL_COMPILER >= 1110 || defined(__AES__))
    #define CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE 1
 #else
    #define CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE 0
 #endif
 #if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)
-	#define CRYPTOPP_BOOL_ALIGN16_ENABLED 1
+    #define CRYPTOPP_BOOL_ALIGN16 1
 #else
-	#define CRYPTOPP_BOOL_ALIGN16_ENABLED 0
+    #define CRYPTOPP_BOOL_ALIGN16 0
 #endif
 // how to allocate 16-byte aligned memory (for SSE2)
@@ -116,22 +137,40 @@
 #	define CRYPTOPP_CONSTANT(x) static const int x;
 #endif
-#if defined(_M_X64) || defined(__x86_64__)
+// Linux provides X32, which is 32-bit integers, longs and pointers on x86_64 using the full x86_64 register set.
-	#define CRYPTOPP_BOOL_X64 1
+// Detect via __ILP32__ (http://wiki.debian.org/X32Port). However, __ILP32__ shows up in more places than
 // the System V ABI specs calls out, like on just about any 32-bit system with Clang.
 #if ((__ILP32__ >= 1) || (_ILP32 >= 1)) && defined(__x86_64__)
    #define CRYPTOPP_BOOL_X32 1
 #else
-	#define CRYPTOPP_BOOL_X64 0
+    #define CRYPTOPP_BOOL_X32 0
 #endif
 // see http://predef.sourceforge.net/prearch.html
-#if defined(_M_IX86) || defined(__i386__) || defined(__i386) || defined(_X86_) || defined(__I86__) || defined(__INTEL__)
+#if (defined(_M_IX86) || defined(__i386__) || defined(__i386) || defined(_X86_) || defined(__I86__) || defined(__INTEL__)) && !CRYPTOPP_BOOL_X32
    #define CRYPTOPP_BOOL_X86 1
 #else
    #define CRYPTOPP_BOOL_X86 0
 #endif
-#if CRYPTOPP_BOOL_X64 || CRYPTOPP_BOOL_X86 || defined(__powerpc__)
+#if (defined(_M_X64) || defined(__x86_64__)) && !CRYPTOPP_BOOL_X32
    #define CRYPTOPP_BOOL_X64 1
 #else
    #define CRYPTOPP_BOOL_X64 0
 #endif
 // Undo the ASM and Intrinsic related defines due to X32.
 #if CRYPTOPP_BOOL_X32
 # undef CRYPTOPP_BOOL_X64
 # undef CRYPTOPP_X64_ASM_AVAILABLE
 # undef CRYPTOPP_X64_MASM_AVAILABLE
 #endif
 #if !defined(CRYPTOPP_NO_UNALIGNED_DATA_ACCESS) && !defined(CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS)
 #if (CRYPTOPP_BOOL_X64 || CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || defined(__powerpc__) || (__ARM_FEATURE_UNALIGNED >= 1))
    #define CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS
 #endif
 #endif
 #define GETBYTE(x, y) (unsigned int)((unsigned char)((x)>>(8*(y))))
--- a/src/Crypto/cpu.c
+++ b/src/Crypto/cpu.c
@@ -3,6 +3,10 @@
 #include "cpu.h"
 #include "misc.h"
 #ifndef EXCEPTION_EXECUTE_HANDLER
 #define EXCEPTION_EXECUTE_HANDLER 1
 #endif
 #ifndef CRYPTOPP_MS_STYLE_INLINE_ASSEMBLY
 #include <signal.h>
 #include <setjmp.h>
@@ -16,7 +20,7 @@
 #if _MSC_VER >= 1400 && CRYPTOPP_BOOL_X64
-int CpuId(uint32 input, uint32 *output)
+int CpuId(uint32 input, uint32 output[4])
 {
 	__cpuid((int *)output, input);
 	return 1;
@@ -45,12 +49,13 @@ static void SigIllHandlerSSE2(int p)
 	longjmp(s_jmpNoSSE2, 1);
 }
 #endif
 #if defined(__cplusplus)
 }
 #endif
 #endif
-int CpuId(uint32 input, uint32 *output)
+int CpuId(uint32 input, uint32 output[4])
 {
 #ifdef CRYPTOPP_MS_STYLE_INLINE_ASSEMBLY
    __try
@@ -58,6 +63,7 @@ int CpuId(uint32 input, uint32 *output)
 		__asm
 		{
 			mov eax, input
            mov ecx, 0
 			cpuid
 			mov edi, output
 			mov [edi], eax
@@ -66,31 +72,41 @@ int CpuId(uint32 input, uint32 *output)
 			mov [edi+12], edx
 		}
 	}
-    __except (1)
+    __except (EXCEPTION_EXECUTE_HANDLER)
 	{
 		return 0;
    }
 	// function 0 returns the highest basic function understood in EAX
 	if(input == 0)
        return !!output[0]? 1 : 0;
 	return 1;
 #else
 	// longjmp and clobber warnings. Volatile is required.
 	// http://github.com/weidai11/cryptopp/issues/24
 	// http://stackoverflow.com/q/7721854
 	volatile int result = 1;
 	SigHandler oldHandler = signal(SIGILL, SigIllHandlerCPUID);
 	if (oldHandler == SIG_ERR)
-		return 0;
+		result = 0;
 	int result = 1;
 	if (setjmp(s_jmpNoCPUID))
 		result = 0;
 	else
 	{
-		asm
+		asm volatile
 		(
            // save ebx in case -fPIC is being used
-#if CRYPTOPP_BOOL_X86
+            // TODO: this might need an early clobber on EDI.
-			"push %%ebx; cpuid; mov %%ebx, %%edi; pop %%ebx"
+#if CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64
 #else
            "pushq %%rbx; cpuid; mov %%ebx, %%edi; popq %%rbx"
 #else
            "push %%ebx; cpuid; mov %%ebx, %%edi; pop %%ebx"
 #endif
            : "=a" (output[0]), "=D" (output[1]), "=c" (output[2]), "=d" (output[3])
-			: "a" (input)
+            : "a" (input), "c" (0)
         );
 	}
@@ -112,29 +128,33 @@ static int TrySSE2()
        AS2(por xmm0, xmm0)        // executing SSE2 instruction
 #elif CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE
 		__m128i x = _mm_setzero_si128();
-		return _mm_cvtsi128_si32(x) == 0;
+		return _mm_cvtsi128_si32(x) == 0 ? 1 : 0;
 #endif
 	}
-    __except (1)
+    __except (EXCEPTION_EXECUTE_HANDLER)
 	{
 		return 0;
    }
 	return 1;
 #else
 	// longjmp and clobber warnings. Volatile is required.
 	// http://github.com/weidai11/cryptopp/issues/24
 	// http://stackoverflow.com/q/7721854
 	volatile int result = 1;
 	SigHandler oldHandler = signal(SIGILL, SigIllHandlerSSE2);
 	if (oldHandler == SIG_ERR)
 		return 0;
 	int result = 1;
 	if (setjmp(s_jmpNoSSE2))
-		result = 0;
+		result = 1;
 	else
 	{
 #if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
 		__asm __volatile ("por %xmm0, %xmm0");
 #elif CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE
 		__m128i x = _mm_setzero_si128();
-		result = _mm_cvtsi128_si32(x) == 0;
+		result = _mm_cvtsi128_si32(x) == 0? 1 : 0;
 #endif
 	}
@@ -147,9 +167,25 @@ int g_x86DetectionDone = 0;
 int g_hasISSE = 0, g_hasSSE2 = 0, g_hasSSSE3 = 0, g_hasMMX = 0, g_hasAESNI = 0, g_hasCLMUL = 0, g_isP4 = 0;
 uint32 g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
 static inline int IsIntel(const uint32 output[4])
 {
 	// This is the "GenuineIntel" string
 	return (output[1] /*EBX*/ == 0x756e6547) &&
    (output[2] /*ECX*/ == 0x6c65746e) &&
    (output[3] /*EDX*/ == 0x49656e69);
 }
 static inline int IsAMD(const uint32 output[4])
 {
 	// This is the "AuthenticAMD" string
 	return (output[1] /*EBX*/ == 0x68747541) &&
    (output[2] /*ECX*/ == 0x69746E65) &&
    (output[3] /*EDX*/ == 0x444D4163);
 }
 void DetectX86Features()
 {
-	uint32 cpuid[4], cpuid1[4], tmp;
+	uint32 cpuid[4], cpuid1[4];
 	if (!CpuId(0, cpuid))
 		return;
 	if (!CpuId(1, cpuid1))
@@ -175,15 +211,12 @@ void DetectX86Features()
 		}
 	}
-	tmp = cpuid[2];
+	if (IsIntel(cpuid))
 	cpuid[2] = cpuid[3];
 	cpuid[3] = tmp;
 	if (memcmp(cpuid+1, "GenuineIntel", 12) == 0)
 	{
 		g_isP4 = ((cpuid1[0] >> 8) & 0xf) == 0xf;
 		g_cacheLineSize = 8 * GETBYTE(cpuid1[1], 1);
 	}
-	else if (memcmp(cpuid+1, "AuthenticAMD", 12) == 0)
+	else if (IsAMD(cpuid))
 	{
 		CpuId(0x80000005, cpuid);
 		g_cacheLineSize = GETBYTE(cpuid[2], 0);
@@ -192,7 +225,7 @@ void DetectX86Features()
 	if (!g_cacheLineSize)
 		g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
-	g_x86DetectionDone = 1;
+	*((volatile int*)&g_x86DetectionDone) = 1;
 }
 #endif
--- a/src/Crypto/cpu.h
+++ b/src/Crypto/cpu.h
@@ -2,6 +2,7 @@
 #define CRYPTOPP_CPU_H
 #include "Common/Tcdefs.h"
 #include "config.h"
 #ifdef CRYPTOPP_GENERATE_X64_MASM
@@ -11,8 +12,6 @@
 #else
 #include "config.h"
 #if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE
 #include <emmintrin.h>
 #endif
@@ -51,7 +50,7 @@ extern __m128i _mm_aesdeclast_si128(__m128i v, __m128i rkey);
 #endif
 #endif
-#if CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X64
+#if CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64
 #define CRYPTOPP_CPUID_AVAILABLE
@@ -125,12 +124,27 @@ extern int g_hasMMX;
 	#define AS_HEX(y) 0x##y
 #else
 	#define CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY
    #if defined(CRYPTOPP_CLANG_VERSION) || defined(CRYPTOPP_APPLE_CLANG_VERSION)
        #define NEW_LINE "\n"
        #define INTEL_PREFIX ".intel_syntax;"
        #define INTEL_NOPREFIX ".intel_syntax;"
        #define ATT_PREFIX ".att_syntax;"
        #define ATT_NOPREFIX ".att_syntax;"
    #else
        #define NEW_LINE
        #define INTEL_PREFIX ".intel_syntax prefix;"
        #define INTEL_NOPREFIX ".intel_syntax noprefix;"
        #define ATT_PREFIX ".att_syntax prefix;"
        #define ATT_NOPREFIX ".att_syntax noprefix;"
        #endif
    // define these in two steps to allow arguments to be expanded
-	#define GNU_AS1(x) #x ";"
+    #define GNU_AS1(x) #x ";" NEW_LINE
-	#define GNU_AS2(x, y) #x ", " #y ";"
+    #define GNU_AS2(x, y) #x ", " #y ";" NEW_LINE
-	#define GNU_AS3(x, y, z) #x ", " #y ", " #z ";"
+    #define GNU_AS3(x, y, z) #x ", " #y ", " #z ";" NEW_LINE
-	#define GNU_ASL(x) "\n" #x ":"
+    #define GNU_ASL(x) "\n" #x ":" NEW_LINE
-	#define GNU_ASJ(x, y, z) #x " " #y #z ";"
+    #define GNU_ASJ(x, y, z) #x " " #y #z ";" NEW_LINE
    #define AS1(x) GNU_AS1(x)
    #define AS2(x, y) GNU_AS2(x, y)
    #define AS3(x, y, z) GNU_AS3(x, y, z)
@@ -145,6 +159,21 @@ extern int g_hasMMX;
 #define IF0(y)
 #define IF1(y) y
 // Should be confined to GCC, but its used to help manage Clang 3.4 compiler error.
 //   Also see LLVM Bug 24232, http://llvm.org/bugs/show_bug.cgi?id=24232 .
 #ifndef INTEL_PREFIX
 #define INTEL_PREFIX
 #endif
 #ifndef INTEL_NOPREFIX
 #define INTEL_NOPREFIX
 #endif
 #ifndef ATT_PREFIX
 #define ATT_PREFIX
 #endif
 #ifndef ATT_NOPREFIX
 #define ATT_NOPREFIX
 #endif
 #ifdef CRYPTOPP_GENERATE_X64_MASM
 #define ASM_MOD(x, y) ((x) MOD (y))
 #define XMMWORD_PTR XMMWORD PTR
@@ -176,6 +205,27 @@ extern int g_hasMMX;
 	#define AS_PUSH_IF86(x) AS1(push e##x)
 	#define AS_POP_IF86(x) AS1(pop e##x)
 	#define AS_JCXZ jecxz
 #elif CRYPTOPP_BOOL_X32
    #define AS_REG_1 ecx
    #define AS_REG_2 edx
    #define AS_REG_3 r8d
    #define AS_REG_4 r9d
    #define AS_REG_5 eax
    #define AS_REG_6 r10d
    #define AS_REG_7 r11d
    #define AS_REG_1d ecx
    #define AS_REG_2d edx
    #define AS_REG_3d r8d
    #define AS_REG_4d r9d
    #define AS_REG_5d eax
    #define AS_REG_6d r10d
    #define AS_REG_7d r11d
    #define WORD_SZ 4
    #define WORD_REG(x)	e##x
    #define WORD_PTR DWORD PTR
    #define AS_PUSH_IF86(x) AS1(push r##x)
    #define AS_POP_IF86(x) AS1(pop r##x)
    #define AS_JCXZ jecxz
 #elif CRYPTOPP_BOOL_X64
 	#ifdef CRYPTOPP_GENERATE_X64_MASM
 		#define AS_REG_1 rcx
--- a/src/Crypto/misc.h
+++ b/src/Crypto/misc.h
@@ -27,7 +27,7 @@
 #elif (defined(__MWERKS__) && TARGET_CPU_PPC) || \
 	(defined(__GNUC__) && (defined(_ARCH_PWR2) || defined(_ARCH_PWR) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || defined(_ARCH_COM)))
 	#define CRYPTOPP_FAST_ROTATE(x) ((x) == 32)
-#elif defined(__GNUC__) && (CRYPTOPP_BOOL_X64 || CRYPTOPP_BOOL_X86)	// depend on GCC's peephole optimization to generate rotate instructions
+#elif defined(__GNUC__) && (CRYPTOPP_BOOL_X64 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X86)	// depend on GCC's peephole optimization to generate rotate instructions
 	#define CRYPTOPP_FAST_ROTATE(x) 1
 #else
 	#define CRYPTOPP_FAST_ROTATE(x) 0