Sync with Upstream master

2017-08-12 19:28:59 -04:00 · 2017-08-12 19:28:59 -04:00 · 5f3a3f29e8
parent 5e6e6c4eaa
commit 5f3a3f29e8
3 changed files with 46 additions and 44 deletions
--- a/authenc.cpp
+++ b/authenc.cpp
@ -50,7 +50,7 @@ void AuthenticatedSymmetricCipherBase::SetKey(const byte *userKey, size_t keylen
 	m_bufferedDataLength = 0;
 	m_state = State_Start;

-	SetKeyWithoutResync(userKey, keylength, params);
+	this->SetKeyWithoutResync(userKey, keylength, params);
 	m_state = State_KeySet;

 	size_t length;
--- a/gcm-simd.cpp
+++ b/gcm-simd.cpp
@ -219,14 +219,14 @@ bool CPU_TryPMULL_ARMV8()
 # else
 #   if defined(__ANDROID__) && (defined(__aarch64__) || defined(__aarch32__))
    if (android_getCpuFeatures() & ANDROID_CPU_ARM64_FEATURE_PMULL)
-		return true;
+        return true;
    // https://sourceware.org/ml/libc-help/2017-08/msg00012.html
 #   elif defined(__linux__) && defined(__aarch64__)
-	if (getauxval(AT_HWCAP) & HWCAP_PMULL)
-		return true;
+    if (getauxval(AT_HWCAP) & HWCAP_PMULL)
+        return true;
 #   elif defined(__linux__) && defined(__aarch32__)
-	if (getauxval(AT_HWCAP2) & HWCAP2_PMULL)
-		return true;
+    if (getauxval(AT_HWCAP2) & HWCAP2_PMULL)
+        return true;
 #   endif

    // longjmp and clobber warnings. Volatile is required.
@ -322,27 +322,27 @@ uint64x2_t GCM_Multiply_PMULL(const uint64x2_t &x, const uint64x2_t &h, const ui

 void GCM_SetKeyWithoutResync_PMULL(const byte *hashKey, byte *mulTable, unsigned int tableSize)
 {
-	const uint64x2_t r = s_clmulConstants[0];
-	const uint64x2_t t = vreinterpretq_u64_u8(vrev64q_u8(vld1q_u8(hashKey)));
-	const uint64x2_t h0 = vextq_u64(t, t, 1);
+    const uint64x2_t r = s_clmulConstants[0];
+    const uint64x2_t t = vreinterpretq_u64_u8(vrev64q_u8(vld1q_u8(hashKey)));
+    const uint64x2_t h0 = vextq_u64(t, t, 1);

-	uint64x2_t h = h0;
-	unsigned int i;
-	for (i=0; i<tableSize-32; i+=32)
-	{
-		const uint64x2_t h1 = GCM_Multiply_PMULL(h, h0, r);
-		vst1_u64((uint64_t *)(mulTable+i), vget_low_u64(h));
-		vst1q_u64((uint64_t *)(mulTable+i+16), h1);
-		vst1q_u64((uint64_t *)(mulTable+i+8), h);
-		vst1_u64((uint64_t *)(mulTable+i+8), vget_low_u64(h1));
-		h = GCM_Multiply_PMULL(h1, h0, r);
-	}
+    uint64x2_t h = h0;
+    unsigned int i;
+    for (i=0; i<tableSize-32; i+=32)
+    {
+        const uint64x2_t h1 = GCM_Multiply_PMULL(h, h0, r);
+        vst1_u64((uint64_t *)(mulTable+i), vget_low_u64(h));
+        vst1q_u64((uint64_t *)(mulTable+i+16), h1);
+        vst1q_u64((uint64_t *)(mulTable+i+8), h);
+        vst1_u64((uint64_t *)(mulTable+i+8), vget_low_u64(h1));
+        h = GCM_Multiply_PMULL(h1, h0, r);
+    }

-	const uint64x2_t h1 = GCM_Multiply_PMULL(h, h0, r);
-	vst1_u64((uint64_t *)(mulTable+i), vget_low_u64(h));
-	vst1q_u64((uint64_t *)(mulTable+i+16), h1);
-	vst1q_u64((uint64_t *)(mulTable+i+8), h);
-	vst1_u64((uint64_t *)(mulTable+i+8), vget_low_u64(h1));
+    const uint64x2_t h1 = GCM_Multiply_PMULL(h, h0, r);
+    vst1_u64((uint64_t *)(mulTable+i), vget_low_u64(h));
+    vst1q_u64((uint64_t *)(mulTable+i+16), h1);
+    vst1q_u64((uint64_t *)(mulTable+i+8), h);
+    vst1_u64((uint64_t *)(mulTable+i+8), vget_low_u64(h1));
 }

 size_t GCM_AuthenticateBlocks_PMULL(const byte *data, size_t len, const byte *mtable, byte *hbuffer)
@ -420,11 +420,11 @@ size_t GCM_AuthenticateBlocks_PMULL(const byte *data, size_t len, const byte *mt
 #if CRYPTOPP_ARM_NEON_AVAILABLE
 void GCM_ReverseHashBufferIfNeeded_NEON(byte *hashBuffer)
 {
-	if (GetNativeByteOrder() != BIG_ENDIAN_ORDER)
-	{
-		const uint8x16_t x = vrev64q_u8(vld1q_u8(hashBuffer));
-		vst1q_u8(hashBuffer, vextq_u8(x, x, 8));
-	}
+    if (GetNativeByteOrder() != BIG_ENDIAN_ORDER)
+    {
+        const uint8x16_t x = vrev64q_u8(vld1q_u8(hashBuffer));
+        vst1q_u8(hashBuffer, vextq_u8(x, x, 8));
+    }
 }
 #endif

@ -530,7 +530,7 @@ void GCM_SetKeyWithoutResync_CLMUL(const byte *hashKey, byte *mulTable, unsigned
    const __m128i h0 = _mm_shuffle_epi8(_mm_load_si128((const __m128i *)(const void *)hashKey), s_clmulConstants[1]);

    __m128i h = h0;
-	unsigned int i;
+    unsigned int i;
    for (i=0; i<tableSize-32; i+=32)
    {
        const __m128i h1 = GCM_Multiply_CLMUL(h, h0, r);
@ -541,11 +541,11 @@ void GCM_SetKeyWithoutResync_CLMUL(const byte *hashKey, byte *mulTable, unsigned
        h = GCM_Multiply_CLMUL(h1, h0, r);
    }

-	const __m128i h1 = GCM_Multiply_CLMUL(h, h0, r);
-	_mm_storel_epi64((__m128i *)(void *)(mulTable+i), h);
-	_mm_storeu_si128((__m128i *)(void *)(mulTable+i+16), h1);
-	_mm_storeu_si128((__m128i *)(void *)(mulTable+i+8), h);
-	_mm_storel_epi64((__m128i *)(void *)(mulTable+i+8), h1);
+    const __m128i h1 = GCM_Multiply_CLMUL(h, h0, r);
+    _mm_storel_epi64((__m128i *)(void *)(mulTable+i), h);
+    _mm_storeu_si128((__m128i *)(void *)(mulTable+i+16), h1);
+    _mm_storeu_si128((__m128i *)(void *)(mulTable+i+8), h);
+    _mm_storel_epi64((__m128i *)(void *)(mulTable+i+8), h1);
 }

 size_t GCM_AuthenticateBlocks_CLMUL(const byte *data, size_t len, const byte *mtable, byte *hbuffer)
--- a/gcm.cpp
+++ b/gcm.cpp
@ -119,7 +119,7 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
    // https://github.com/weidai11/cryptopp/issues/408.
    const unsigned int blockSize = blockCipher.BlockSize();
    CRYPTOPP_ASSERT(blockSize == REQUIRED_BLOCKSIZE);
-    if (blockSize != REQUIRED_BLOCKSIZE)
+    if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)
        throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");

    int tableSize, i, j, k;
@ -129,7 +129,8 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
    {
        // Avoid "parameter not used" error and suppress Coverity finding
        (void)params.GetIntValue(Name::TableSize(), tableSize);
-        tableSize = s_cltableSizeInBlocks * REQUIRED_BLOCKSIZE;
+        tableSize = s_cltableSizeInBlocks * blockSize;
+        CRYPTOPP_ASSERT(tableSize > blockSize);
    }
    else
 #elif CRYPTOPP_ARM_PMULL_AVAILABLE
@ -137,7 +138,8 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
    {
        // Avoid "parameter not used" error and suppress Coverity finding
        (void)params.GetIntValue(Name::TableSize(), tableSize);
-        tableSize = s_cltableSizeInBlocks * REQUIRED_BLOCKSIZE;
+        tableSize = s_cltableSizeInBlocks * blockSize;
+        CRYPTOPP_ASSERT(tableSize > blockSize);
    }
    else
 #endif
@ -147,13 +149,13 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
        else
            tableSize = (GetTablesOption() == GCM_64K_Tables) ? 64*1024 : 2*1024;

-#if defined(_MSC_VER) && (_MSC_VER < 1400)
+        //#if defined(_MSC_VER) && (_MSC_VER < 1400)
        // VC 2003 workaround: compiler generates bad code for 64K tables
-        tableSize = 2*1024;
-#endif
+        //tableSize = 2*1024;
+        //#endif
    }

-    m_buffer.resize(3*REQUIRED_BLOCKSIZE + tableSize);
+    m_buffer.resize(3*blockSize + tableSize);
    byte *mulTable = MulTable();
    byte *hashKey = HashKey();
    memset(hashKey, 0, blockSize);
@ -283,7 +285,7 @@ inline void GCM_Base::ReverseHashBufferIfNeeded()
 #elif CRYPTOPP_ARM_NEON_AVAILABLE
    if (HasNEON())
    {
-		GCM_ReverseHashBufferIfNeeded_NEON(HashBuffer());
+        GCM_ReverseHashBufferIfNeeded_NEON(HashBuffer());
    }
 #endif
 }