Assume little-endian in GCM code.
The GCM code has lots of cases of big-endian support left over from
OpenSSL. Since we don't support big-endian systems, drop that code.
Change-Id: I28eb95a9c235c6f705a145fbea72e7569dad2c70
Reviewed-on: https://boringssl-review.googlesource.com/12476
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/modes/gcm.c b/crypto/modes/gcm.c
index eb63aa0..acf6a53 100644
--- a/crypto/modes/gcm.c
+++ b/crypto/modes/gcm.c
@@ -121,27 +121,10 @@
Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo;
#if defined(GHASH_ASM) && defined(OPENSSL_ARM)
- /* ARM assembler expects specific dword order in Htable. */
- {
- int j;
- const union {
- long one;
- char little;
- } is_endian = {1};
-
- if (is_endian.little) {
- for (j = 0; j < 16; ++j) {
- V = Htable[j];
- Htable[j].hi = V.lo;
- Htable[j].lo = V.hi;
- }
- } else {
- for (j = 0; j < 16; ++j) {
- V = Htable[j];
- Htable[j].hi = V.lo << 32 | V.lo >> 32;
- Htable[j].lo = V.hi << 32 | V.hi >> 32;
- }
- }
+ for (int j = 0; j < 16; ++j) {
+ V = Htable[j];
+ Htable[j].hi = V.lo;
+ Htable[j].lo = V.hi;
}
#endif
}
@@ -157,10 +140,6 @@
u128 Z;
int cnt = 15;
size_t rem, nlo, nhi;
- const union {
- long one;
- char little;
- } is_endian = {1};
nlo = ((const uint8_t *)Xi)[15];
nhi = nlo >> 4;
@@ -203,26 +182,21 @@
Z.lo ^= Htable[nlo].lo;
}
- if (is_endian.little) {
#ifdef BSWAP8
- Xi[0] = BSWAP8(Z.hi);
- Xi[1] = BSWAP8(Z.lo);
+ Xi[0] = BSWAP8(Z.hi);
+ Xi[1] = BSWAP8(Z.lo);
#else
- uint8_t *p = (uint8_t *)Xi;
- uint32_t v;
- v = (uint32_t)(Z.hi >> 32);
- PUTU32(p, v);
- v = (uint32_t)(Z.hi);
- PUTU32(p + 4, v);
- v = (uint32_t)(Z.lo >> 32);
- PUTU32(p + 8, v);
- v = (uint32_t)(Z.lo);
- PUTU32(p + 12, v);
+ uint8_t *p = (uint8_t *)Xi;
+ uint32_t v;
+ v = (uint32_t)(Z.hi >> 32);
+ PUTU32(p, v);
+ v = (uint32_t)(Z.hi);
+ PUTU32(p + 4, v);
+ v = (uint32_t)(Z.lo >> 32);
+ PUTU32(p + 8, v);
+ v = (uint32_t)(Z.lo);
+ PUTU32(p + 12, v);
#endif
- } else {
- Xi[0] = Z.hi;
- Xi[1] = Z.lo;
- }
}
/* Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
@@ -235,10 +209,6 @@
u128 Z;
int cnt;
size_t rem, nlo, nhi;
- const union {
- long one;
- char little;
- } is_endian = {1};
do {
cnt = 15;
@@ -285,26 +255,21 @@
Z.lo ^= Htable[nlo].lo;
}
- if (is_endian.little) {
#ifdef BSWAP8
- Xi[0] = BSWAP8(Z.hi);
- Xi[1] = BSWAP8(Z.lo);
+ Xi[0] = BSWAP8(Z.hi);
+ Xi[1] = BSWAP8(Z.lo);
#else
- uint8_t *p = (uint8_t *)Xi;
- uint32_t v;
- v = (uint32_t)(Z.hi >> 32);
- PUTU32(p, v);
- v = (uint32_t)(Z.hi);
- PUTU32(p + 4, v);
- v = (uint32_t)(Z.lo >> 32);
- PUTU32(p + 8, v);
- v = (uint32_t)(Z.lo);
- PUTU32(p + 12, v);
+ uint8_t *p = (uint8_t *)Xi;
+ uint32_t v;
+ v = (uint32_t)(Z.hi >> 32);
+ PUTU32(p, v);
+ v = (uint32_t)(Z.hi);
+ PUTU32(p + 4, v);
+ v = (uint32_t)(Z.lo >> 32);
+ PUTU32(p + 8, v);
+ v = (uint32_t)(Z.lo);
+ PUTU32(p + 12, v);
#endif
- } else {
- Xi[0] = Z.hi;
- Xi[1] = Z.lo;
- }
} while (inp += 16, len -= 16);
}
#else /* GHASH_ASM */
@@ -427,30 +392,23 @@
void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
block128_f block) {
- const union {
- long one;
- char little;
- } is_endian = {1};
-
memset(ctx, 0, sizeof(*ctx));
ctx->block = block;
(*block)(ctx->H.c, ctx->H.c, key);
- if (is_endian.little) {
-/* H is stored in host byte order */
+ /* H is stored in host byte order */
#ifdef BSWAP8
- ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
- ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
+ ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
+ ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
#else
- uint8_t *p = ctx->H.c;
- uint64_t hi, lo;
- hi = (uint64_t)GETU32(p) << 32 | GETU32(p + 4);
- lo = (uint64_t)GETU32(p + 8) << 32 | GETU32(p + 12);
- ctx->H.u[0] = hi;
- ctx->H.u[1] = lo;
+ uint8_t *p = ctx->H.c;
+ uint64_t hi, lo;
+ hi = (uint64_t)GETU32(p) << 32 | GETU32(p + 4);
+ lo = (uint64_t)GETU32(p + 8) << 32 | GETU32(p + 12);
+ ctx->H.u[0] = hi;
+ ctx->H.u[1] = lo;
#endif
- }
#if defined(GHASH_ASM_X86_OR_64)
if (crypto_gcm_clmul_enabled()) {
@@ -511,10 +469,6 @@
void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *iv, size_t len) {
- const union {
- long one;
- char little;
- } is_endian = {1};
unsigned int ctr;
#ifdef GCM_FUNCREF_4BIT
void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
@@ -551,39 +505,26 @@
GCM_MUL(ctx, Yi);
}
len0 <<= 3;
- if (is_endian.little) {
#ifdef BSWAP8
- ctx->Yi.u[1] ^= BSWAP8(len0);
+ ctx->Yi.u[1] ^= BSWAP8(len0);
#else
- ctx->Yi.c[8] ^= (uint8_t)(len0 >> 56);
- ctx->Yi.c[9] ^= (uint8_t)(len0 >> 48);
- ctx->Yi.c[10] ^= (uint8_t)(len0 >> 40);
- ctx->Yi.c[11] ^= (uint8_t)(len0 >> 32);
- ctx->Yi.c[12] ^= (uint8_t)(len0 >> 24);
- ctx->Yi.c[13] ^= (uint8_t)(len0 >> 16);
- ctx->Yi.c[14] ^= (uint8_t)(len0 >> 8);
- ctx->Yi.c[15] ^= (uint8_t)(len0);
+ ctx->Yi.c[8] ^= (uint8_t)(len0 >> 56);
+ ctx->Yi.c[9] ^= (uint8_t)(len0 >> 48);
+ ctx->Yi.c[10] ^= (uint8_t)(len0 >> 40);
+ ctx->Yi.c[11] ^= (uint8_t)(len0 >> 32);
+ ctx->Yi.c[12] ^= (uint8_t)(len0 >> 24);
+ ctx->Yi.c[13] ^= (uint8_t)(len0 >> 16);
+ ctx->Yi.c[14] ^= (uint8_t)(len0 >> 8);
+ ctx->Yi.c[15] ^= (uint8_t)(len0);
#endif
- } else {
- ctx->Yi.u[1] ^= len0;
- }
GCM_MUL(ctx, Yi);
-
- if (is_endian.little) {
- ctr = GETU32(ctx->Yi.c + 12);
- } else {
- ctr = ctx->Yi.d[3];
- }
+ ctr = GETU32(ctx->Yi.c + 12);
}
(*ctx->block)(ctx->Yi.c, ctx->EK0.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
}
int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len) {
@@ -656,10 +597,6 @@
int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
const unsigned char *in, unsigned char *out,
size_t len) {
- const union {
- long one;
- char little;
- } is_endian = {1};
unsigned int n, ctr;
uint64_t mlen = ctx->len.u[1];
block128_f block = ctx->block;
@@ -684,11 +621,7 @@
ctx->ares = 0;
}
- if (is_endian.little) {
- ctr = GETU32(ctx->Yi.c + 12);
- } else {
- ctr = ctx->Yi.d[3];
- }
+ ctr = GETU32(ctx->Yi.c + 12);
n = ctx->mres;
if (n) {
@@ -709,11 +642,7 @@
if (n == 0) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
}
ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
n = (n + 1) % 16;
@@ -735,11 +664,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
out_t[i] = in_t[i] ^ ctx->EKi.t[i];
}
@@ -758,11 +683,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
out_t[i] = in_t[i] ^ ctx->EKi.t[i];
}
@@ -779,11 +700,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
ctx->Xi.t[i] ^= out_t[i] = in_t[i] ^ ctx->EKi.t[i];
}
@@ -796,11 +713,7 @@
if (len) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
while (len--) {
ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
++n;
@@ -814,10 +727,6 @@
int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
const unsigned char *in, unsigned char *out,
size_t len) {
- const union {
- long one;
- char little;
- } is_endian = {1};
unsigned int n, ctr;
uint64_t mlen = ctx->len.u[1];
block128_f block = ctx->block;
@@ -842,11 +751,7 @@
ctx->ares = 0;
}
- if (is_endian.little) {
- ctr = GETU32(ctx->Yi.c + 12);
- } else {
- ctr = ctx->Yi.d[3];
- }
+ ctr = GETU32(ctx->Yi.c + 12);
n = ctx->mres;
if (n) {
@@ -870,11 +775,7 @@
if (n == 0) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
}
c = in[i];
out[i] = c ^ ctx->EKi.c[n];
@@ -899,11 +800,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
out_t[i] = in_t[i] ^ ctx->EKi.t[i];
}
@@ -922,11 +819,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
out_t[i] = in_t[i] ^ ctx->EKi.t[i];
}
@@ -942,11 +835,7 @@
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
for (size_t i = 0; i < 16 / sizeof(size_t); ++i) {
size_t c = in_t[i];
out_t[i] = c ^ ctx->EKi.t[i];
@@ -961,11 +850,7 @@
if (len) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
while (len--) {
uint8_t c = in[n];
ctx->Xi.c[n] ^= c;
@@ -981,10 +866,6 @@
int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out, size_t len,
ctr128_f stream) {
- const union {
- long one;
- char little;
- } is_endian = {1};
unsigned int n, ctr;
uint64_t mlen = ctx->len.u[1];
#ifdef GCM_FUNCREF_4BIT
@@ -1034,21 +915,13 @@
}
#endif
- if (is_endian.little) {
- ctr = GETU32(ctx->Yi.c + 12);
- } else {
- ctr = ctx->Yi.d[3];
- }
+ ctr = GETU32(ctx->Yi.c + 12);
#if defined(GHASH)
while (len >= GHASH_CHUNK) {
(*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
ctr += GHASH_CHUNK / 16;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
GHASH(ctx, out, GHASH_CHUNK);
out += GHASH_CHUNK;
in += GHASH_CHUNK;
@@ -1061,11 +934,7 @@
(*stream)(in, out, j, key, ctx->Yi.c);
ctr += (unsigned int)j;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
in += i;
len -= i;
#if defined(GHASH)
@@ -1084,11 +953,7 @@
if (len) {
(*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
while (len--) {
ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
++n;
@@ -1102,10 +967,6 @@
int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out, size_t len,
ctr128_f stream) {
- const union {
- long one;
- char little;
- } is_endian = {1};
unsigned int n, ctr;
uint64_t mlen = ctx->len.u[1];
#ifdef GCM_FUNCREF_4BIT
@@ -1157,22 +1018,14 @@
}
#endif
- if (is_endian.little) {
- ctr = GETU32(ctx->Yi.c + 12);
- } else {
- ctr = ctx->Yi.d[3];
- }
+ ctr = GETU32(ctx->Yi.c + 12);
#if defined(GHASH)
while (len >= GHASH_CHUNK) {
GHASH(ctx, in, GHASH_CHUNK);
(*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
ctr += GHASH_CHUNK / 16;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
out += GHASH_CHUNK;
in += GHASH_CHUNK;
len -= GHASH_CHUNK;
@@ -1198,11 +1051,7 @@
#endif
(*stream)(in, out, j, key, ctx->Yi.c);
ctr += (unsigned int)j;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
out += i;
in += i;
len -= i;
@@ -1210,11 +1059,7 @@
if (len) {
(*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little) {
- PUTU32(ctx->Yi.c + 12, ctr);
- } else {
- ctx->Yi.d[3] = ctr;
- }
+ PUTU32(ctx->Yi.c + 12, ctr);
while (len--) {
uint8_t c = in[n];
ctx->Xi.c[n] ^= c;
@@ -1228,10 +1073,6 @@
}
int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len) {
- const union {
- long one;
- char little;
- } is_endian = {1};
uint64_t alen = ctx->len.u[0] << 3;
uint64_t clen = ctx->len.u[1] << 3;
#ifdef GCM_FUNCREF_4BIT
@@ -1242,20 +1083,18 @@
GCM_MUL(ctx, Xi);
}
- if (is_endian.little) {
#ifdef BSWAP8
- alen = BSWAP8(alen);
- clen = BSWAP8(clen);
+ alen = BSWAP8(alen);
+ clen = BSWAP8(clen);
#else
- uint8_t *p = ctx->len.c;
+ uint8_t *p = ctx->len.c;
- ctx->len.u[0] = alen;
- ctx->len.u[1] = clen;
+ ctx->len.u[0] = alen;
+ ctx->len.u[1] = clen;
- alen = (uint64_t)GETU32(p) << 32 | GETU32(p + 4);
- clen = (uint64_t)GETU32(p + 8) << 32 | GETU32(p + 12);
+ alen = (uint64_t)GETU32(p) << 32 | GETU32(p + 4);
+ clen = (uint64_t)GETU32(p + 8) << 32 | GETU32(p + 12);
#endif
- }
ctx->Xi.u[0] ^= alen;
ctx->Xi.u[1] ^= clen;
