xref: /illumos-gate/usr/src/contrib/mDNSResponder/mDNSCore/DNSDigest.c (revision 7b34a9a5df26271af0da06974fc361c468cd48d3)
1 /* -*- Mode: C; tab-width: 4 -*-
2  *
3  * Copyright (c) 2002-2011 Apple Inc. All rights reserved.
4  * Copyright (c) 2016 by Delphix. All rights reserved.
5  *
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at
9  *
10  *     http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  */
18 
19 #ifdef __cplusplus
20 extern "C" {
21 #endif
22 
23 #include "mDNSEmbeddedAPI.h"
24 #include "DNSCommon.h"
25 
26 // Disable certain benign warnings with Microsoft compilers
27 #if (defined(_MSC_VER))
28 // Disable "conditional expression is constant" warning for debug macros.
29 // Otherwise, this generates warnings for the perfectly natural construct "while(1)"
30 // If someone knows a variant way of writing "while(1)" that doesn't generate warning messages, please let us know
31     #pragma warning(disable:4127)
32 #endif
33 
34 
35 // ***************************************************************************
36 #if COMPILER_LIKES_PRAGMA_MARK
37 #pragma mark - Byte Swapping Functions
38 #endif
39 
40 mDNSlocal mDNSu16 NToH16(mDNSu8 * bytes)
41 {
42     return (mDNSu16)((mDNSu16)bytes[0] << 8 | (mDNSu16)bytes[1]);
43 }
44 
45 mDNSlocal mDNSu32 NToH32(mDNSu8 * bytes)
46 {
47     return (mDNSu32)((mDNSu32) bytes[0] << 24 | (mDNSu32) bytes[1] << 16 | (mDNSu32) bytes[2] << 8 | (mDNSu32)bytes[3]);
48 }
49 
50 // ***************************************************************************
51 #if COMPILER_LIKES_PRAGMA_MARK
52 #pragma mark - MD5 Hash Functions
53 #endif
54 
55 
56 /* The source for the has is derived CommonCrypto files CommonDigest.h, md32_common.h, md5_locl.h, md5_locl.h, and openssl/md5.h.
57  * The following changes have been made to the original sources:
58  *    replaced CC_LONG w/ mDNSu32
59  *    replaced CC_MD5* with MD5*
60  *    replaced CC_LONG w/ mDNSu32, removed conditional #defines from md5.h
61  *    removed extern decls for MD5_Init/Update/Final from CommonDigest.h
62  *    removed APPLE_COMMON_DIGEST specific #defines from md5_locl.h
63  *
64  * Note: machine archetecure specific conditionals from the original sources are turned off, but are left in the code
65  * to aid in platform-specific optimizations and debugging.
66  * Sources originally distributed under the following license headers:
67  * CommonDigest.h - APSL
68  *
69  * md32_Common.h
70  * ====================================================================
71  * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
72  *
73  * Redistribution and use in source and binary forms, with or without
74  * modification, are permitted provided that the following conditions
75  * are met:
76  *
77  * 1. Redistributions of source code must retain the above copyright
78  *    notice, this list of conditions and the following disclaimer.
79  *
80  * 2. Redistributions in binary form must reproduce the above copyright
81  *    notice, this list of conditions and the following disclaimer in
82  *    the documentation and/or other materials provided with the
83  *    distribution.
84  *
85  * 3. All advertising materials mentioning features or use of this
86  *    software must display the following acknowledgment:
87  *    "This product includes software developed by the OpenSSL Project
88  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
89  *
90  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
91  *    endorse or promote products derived from this software without
92  *    prior written permission. For written permission, please contact
93  *    licensing@OpenSSL.org.
94  *
95  * 5. Products derived from this software may not be called "OpenSSL"
96  *    nor may "OpenSSL" appear in their names without prior written
97  *    permission of the OpenSSL Project.
98  *
99  * 6. Redistributions of any form whatsoever must retain the following
100  *    acknowledgment:
101  *    "This product includes software developed by the OpenSSL Project
102  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
103  *
104  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
105  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
106  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
107  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
108  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
109  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
110  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
111  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
112  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
113  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
114  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
115  * OF THE POSSIBILITY OF SUCH DAMAGE.
116  *
117  *
118  * md5_dgst.c, md5_locl.h
119  * ====================================================================
120  *
121  * This product includes cryptographic software written by Eric Young
122  * (eay@cryptsoft.com).  This product includes software written by Tim
123  * Hudson (tjh@cryptsoft.com).
124  *
125  * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
126  * All rights reserved.
127  *
128  * This package is an SSL implementation written
129  * by Eric Young (eay@cryptsoft.com).
130  * The implementation was written so as to conform with Netscapes SSL.
131  *
132  * This library is free for commercial and non-commercial use as long as
133  * the following conditions are aheared to.  The following conditions
134  * apply to all code found in this distribution, be it the RC4, RSA,
135  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
136  * included with this distribution is covered by the same copyright terms
137  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
138  *
139  * Copyright remains Eric Young's, and as such any Copyright notices in
140  * the code are not to be removed.
141  * If this package is used in a product, Eric Young should be given attribution
142  * as the author of the parts of the library used.
143  * This can be in the form of a textual message at program startup or
144  * in documentation (online or textual) provided with the package.
145  *
146  * Redistribution and use in source and binary forms, with or without
147  * modification, are permitted provided that the following conditions
148  * are met:
149  * 1. Redistributions of source code must retain the copyright
150  *    notice, this list of conditions and the following disclaimer.
151  * 2. Redistributions in binary form must reproduce the above copyright
152  *    notice, this list of conditions and the following disclaimer in the
153  *    documentation and/or other materials provided with the distribution.
154  * 3. All advertising materials mentioning features or use of this software
155  *    must display the following acknowledgement:
156  *    "This product includes cryptographic software written by
157  *     Eric Young (eay@cryptsoft.com)"
158  *    The word 'cryptographic' can be left out if the rouines from the library
159  *    being used are not cryptographic related :-).
160  * 4. If you include any Windows specific code (or a derivative thereof) from
161  *    the apps directory (application code) you must include an acknowledgement:
162  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
163  *
164  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
165  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
166  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
167  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
168  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
169  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
170  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
171  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
172  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
173  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
174  * SUCH DAMAGE.
175  *
176  * The licence and distribution terms for any publically available version or
177  * derivative of this code cannot be changed.  i.e. this code cannot simply be
178  * copied and put under another distribution licence
179  * [including the GNU Public Licence.]
180  *
181  */
182 
183 //from CommonDigest.h
184 
185 
186 
187 // from openssl/md5.h
188 
189 #define MD5_CBLOCK  64
190 #define MD5_LBLOCK  (MD5_CBLOCK/4)
191 #define MD5_DIGEST_LENGTH 16
192 
193 void MD5_Transform(MD5_CTX *c, const unsigned char *b);
194 
195 // From md5_locl.h
196 
197 #ifndef MD5_LONG_LOG2
198 #define MD5_LONG_LOG2 2 /* default to 32 bits */
199 #endif
200 
201 #ifdef MD5_ASM
202 # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
203 #  define md5_block_host_order md5_block_asm_host_order
204 # elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
205 void md5_block_asm_data_order_aligned (MD5_CTX *c, const mDNSu32 *p,int num);
206 #  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
207 # endif
208 #endif
209 
210 void md5_block_host_order (MD5_CTX *c, const void *p,int num);
211 void md5_block_data_order (MD5_CTX *c, const void *p,int num);
212 
213 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
214 /*
215  * *_block_host_order is expected to handle aligned data while
216  * *_block_data_order - unaligned. As algorithm and host (x86)
217  * are in this case of the same "endianness" these two are
218  * otherwise indistinguishable. But normally you don't want to
219  * call the same function because unaligned access in places
220  * where alignment is expected is usually a "Bad Thing". Indeed,
221  * on RISCs you get punished with BUS ERROR signal or *severe*
222  * performance degradation. Intel CPUs are in turn perfectly
223  * capable of loading unaligned data without such drastic side
224  * effect. Yes, they say it's slower than aligned load, but no
225  * exception is generated and therefore performance degradation
226  * is *incomparable* with RISCs. What we should weight here is
227  * costs of unaligned access against costs of aligning data.
228  * According to my measurements allowing unaligned access results
229  * in ~9% performance improvement on Pentium II operating at
230  * 266MHz. I won't be surprised if the difference will be higher
231  * on faster systems:-)
232  *
233  *				<appro@fy.chalmers.se>
234  */
235 #define md5_block_data_order md5_block_host_order
236 #endif
237 
238 #define DATA_ORDER_IS_LITTLE_ENDIAN
239 
240 #define HASH_LONG       mDNSu32
241 #define HASH_LONG_LOG2  MD5_LONG_LOG2
242 #define HASH_CTX        MD5_CTX
243 #define HASH_CBLOCK     MD5_CBLOCK
244 #define HASH_LBLOCK     MD5_LBLOCK
245 
246 #define HASH_UPDATE     MD5_Update
247 #define HASH_TRANSFORM  MD5_Transform
248 #define HASH_FINAL      MD5_Final
249 
250 #define HASH_MAKE_STRING(c,s)   do {    \
251         unsigned long ll;       \
252         ll=(c)->A; HOST_l2c(ll,(s));    \
253         ll=(c)->B; HOST_l2c(ll,(s));    \
254         ll=(c)->C; HOST_l2c(ll,(s));    \
255         ll=(c)->D; HOST_l2c(ll,(s));    \
256 } while (0)
257 #define HASH_BLOCK_HOST_ORDER   md5_block_host_order
258 #if !defined(L_ENDIAN) || defined(md5_block_data_order)
259 #define HASH_BLOCK_DATA_ORDER   md5_block_data_order
260 /*
261  * Little-endians (Intel and Alpha) feel better without this.
262  * It looks like memcpy does better job than generic
263  * md5_block_data_order on copying-n-aligning input data.
264  * But frankly speaking I didn't expect such result on Alpha.
265  * On the other hand I've got this with egcs-1.0.2 and if
266  * program is compiled with another (better?) compiler it
267  * might turn out other way around.
268  *
269  *				<appro@fy.chalmers.se>
270  */
271 #endif
272 
273 
274 // from md32_common.h
275 
276 /*
277  * This is a generic 32 bit "collector" for message digest algorithms.
278  * Whenever needed it collects input character stream into chunks of
279  * 32 bit values and invokes a block function that performs actual hash
280  * calculations.
281  *
282  * Porting guide.
283  *
284  * Obligatory macros:
285  *
286  * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
287  *	this macro defines byte order of input stream.
288  * HASH_CBLOCK
289  *	size of a unit chunk HASH_BLOCK operates on.
290  * HASH_LONG
291  *	has to be at lest 32 bit wide, if it's wider, then
292  *	HASH_LONG_LOG2 *has to* be defined along
293  * HASH_CTX
294  *	context structure that at least contains following
295  *	members:
296  *		typedef struct {
297  *			...
298  *			HASH_LONG	Nl,Nh;
299  *			HASH_LONG	data[HASH_LBLOCK];
300  *			int		num;
301  *			...
302  *			} HASH_CTX;
303  * HASH_UPDATE
304  *	name of "Update" function, implemented here.
305  * HASH_TRANSFORM
306  *	name of "Transform" function, implemented here.
307  * HASH_FINAL
308  *	name of "Final" function, implemented here.
309  * HASH_BLOCK_HOST_ORDER
310  *	name of "block" function treating *aligned* input message
311  *	in host byte order, implemented externally.
312  * HASH_BLOCK_DATA_ORDER
313  *	name of "block" function treating *unaligned* input message
314  *	in original (data) byte order, implemented externally (it
315  *	actually is optional if data and host are of the same
316  *	"endianess").
317  * HASH_MAKE_STRING
318  *	macro convering context variables to an ASCII hash string.
319  *
320  * Optional macros:
321  *
322  * B_ENDIAN or L_ENDIAN
323  *	defines host byte-order.
324  * HASH_LONG_LOG2
325  *	defaults to 2 if not states otherwise.
326  * HASH_LBLOCK
327  *	assumed to be HASH_CBLOCK/4 if not stated otherwise.
328  * HASH_BLOCK_DATA_ORDER_ALIGNED
329  *	alternative "block" function capable of treating
330  *	aligned input message in original (data) order,
331  *	implemented externally.
332  *
333  * MD5 example:
334  *
335  *	#define DATA_ORDER_IS_LITTLE_ENDIAN
336  *
337  *	#define HASH_LONG		mDNSu32
338  *	#define HASH_LONG_LOG2	mDNSu32_LOG2
339  *	#define HASH_CTX		MD5_CTX
340  *	#define HASH_CBLOCK		MD5_CBLOCK
341  *	#define HASH_LBLOCK		MD5_LBLOCK
342  *	#define HASH_UPDATE		MD5_Update
343  *	#define HASH_TRANSFORM		MD5_Transform
344  *	#define HASH_FINAL		MD5_Final
345  *	#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
346  *	#define HASH_BLOCK_DATA_ORDER	md5_block_data_order
347  *
348  *					<appro@fy.chalmers.se>
349  */
350 
351 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
352 #error "DATA_ORDER must be defined!"
353 #endif
354 
355 #ifndef HASH_CBLOCK
356 #error "HASH_CBLOCK must be defined!"
357 #endif
358 #ifndef HASH_LONG
359 #error "HASH_LONG must be defined!"
360 #endif
361 #ifndef HASH_CTX
362 #error "HASH_CTX must be defined!"
363 #endif
364 
365 #ifndef HASH_UPDATE
366 #error "HASH_UPDATE must be defined!"
367 #endif
368 #ifndef HASH_TRANSFORM
369 #error "HASH_TRANSFORM must be defined!"
370 #endif
371 #ifndef HASH_FINAL
372 #error "HASH_FINAL must be defined!"
373 #endif
374 
375 #ifndef HASH_BLOCK_HOST_ORDER
376 #error "HASH_BLOCK_HOST_ORDER must be defined!"
377 #endif
378 
379 #if 0
380 /*
381  * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
382  * isn't defined.
383  */
384 #ifndef HASH_BLOCK_DATA_ORDER
385 #error "HASH_BLOCK_DATA_ORDER must be defined!"
386 #endif
387 #endif
388 
389 #ifndef HASH_LBLOCK
390 #define HASH_LBLOCK (HASH_CBLOCK/4)
391 #endif
392 
393 #ifndef HASH_LONG_LOG2
394 #define HASH_LONG_LOG2  2
395 #endif
396 
397 /*
398  * Engage compiler specific rotate intrinsic function if available.
399  */
400 #undef ROTATE
401 #ifndef PEDANTIC
402 # if 0 /* defined(_MSC_VER) */
403 #  define ROTATE(a,n)   _lrotl(a,n)
404 # elif defined(__MWERKS__)
405 #  if defined(__POWERPC__)
406 #   define ROTATE(a,n)  (unsigned MD32_REG_T)__rlwinm((int)a,n,0,31)
407 #  elif defined(__MC68K__)
408 /* Motorola specific tweak. <appro@fy.chalmers.se> */
409 #   define ROTATE(a,n)  (n<24 ? __rol(a,n) : __ror(a,32-n))
410 #  else
411 #   define ROTATE(a,n)  __rol(a,n)
412 #  endif
413 # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
414 /*
415  * Some GNU C inline assembler templates. Note that these are
416  * rotates by *constant* number of bits! But that's exactly
417  * what we need here...
418  *
419  *                  <appro@fy.chalmers.se>
420  */
421 /*
422  * LLVM is more strict about compatibility of types between input & output constraints,
423  * but we want these to be rotations of 32 bits, not 64, so we explicitly drop the
424  * most significant bytes by casting to an unsigned int.
425  */
426 #  if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
427 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
428                            asm (           \
429                                "roll %1,%0"        \
430                                : "=r" (ret)     \
431                                : "I" (n), "0" ((unsigned int)a)  \
432                                : "cc");        \
433                            ret;             \
434                          })
435 #  elif defined(__powerpc) || defined(__ppc)
436 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
437                            asm (           \
438                                "rlwinm %0,%1,%2,0,31"  \
439                                : "=r" (ret)     \
440                                : "r" (a), "I" (n));  \
441                            ret;             \
442                          })
443 #  endif
444 # endif
445 
446 /*
447  * Engage compiler specific "fetch in reverse byte order"
448  * intrinsic function if available.
449  */
450 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
451 /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
452 #  if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
453 #   define BE_FETCH32(a)    ({ register unsigned int l=(a); \
454                                asm (           \
455                                    "bswapl %0"     \
456                                    : "=r" (l) : "0" (l));    \
457                                l;                \
458                              })
459 #  elif defined(__powerpc)
460 #   define LE_FETCH32(a)    ({ register unsigned int l; \
461                                asm (           \
462                                    "lwbrx %0,0,%1"     \
463                                    : "=r" (l)       \
464                                    : "r" (a));      \
465                                l;               \
466                              })
467 
468 #  elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
469 #  define LE_FETCH32(a) ({ register unsigned int l;     \
470                            asm (               \
471                                "lda [%1]#ASI_PRIMARY_LITTLE,%0" \
472                                : "=r" (l)           \
473                                : "r" (a));          \
474                            l;                   \
475                          })
476 #  endif
477 # endif
478 #endif /* PEDANTIC */
479 
480 #if HASH_LONG_LOG2==2   /* Engage only if sizeof(HASH_LONG)== 4 */
481 /* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
482 #ifdef ROTATE
483 /* 5 instructions with rotate instruction, else 9 */
484 #define REVERSE_FETCH32(a,l)    (                   \
485         l=*(const HASH_LONG *)(a),              \
486         ((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))  \
487         )
488 #else
489 /* 6 instructions with rotate instruction, else 8 */
490 #define REVERSE_FETCH32(a,l)    (               \
491         l=*(const HASH_LONG *)(a),          \
492         l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),    \
493         ROTATE(l,16)                    \
494         )
495 /*
496  * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
497  * It's rewritten as above for two reasons:
498  *	- RISCs aren't good at long constants and have to explicitely
499  *	  compose 'em with several (well, usually 2) instructions in a
500  *	  register before performing the actual operation and (as you
501  *	  already realized:-) having same constant should inspire the
502  *	  compiler to permanently allocate the only register for it;
503  *	- most modern CPUs have two ALUs, but usually only one has
504  *	  circuitry for shifts:-( this minor tweak inspires compiler
505  *	  to schedule shift instructions in a better way...
506  *
507  *				<appro@fy.chalmers.se>
508  */
509 #endif
510 #endif
511 
512 #ifndef ROTATE
513 #define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
514 #endif
515 
516 /*
517  * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
518  * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
519  * and host are of the same "endianess". It's possible to mask
520  * this with blank #define HASH_BLOCK_DATA_ORDER though...
521  *
522  *				<appro@fy.chalmers.se>
523  */
524 #if defined(B_ENDIAN)
525 #  if defined(DATA_ORDER_IS_BIG_ENDIAN)
526 #    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
527 #      define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
528 #    endif
529 #  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
530 #    ifndef HOST_FETCH32
531 #      ifdef LE_FETCH32
532 #        define HOST_FETCH32(p,l)   LE_FETCH32(p)
533 #      elif defined(REVERSE_FETCH32)
534 #        define HOST_FETCH32(p,l)   REVERSE_FETCH32(p,l)
535 #      endif
536 #    endif
537 #  endif
538 #elif defined(L_ENDIAN)
539 #  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
540 #    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
541 #      define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
542 #    endif
543 #  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
544 #    ifndef HOST_FETCH32
545 #      ifdef BE_FETCH32
546 #        define HOST_FETCH32(p,l)   BE_FETCH32(p)
547 #      elif defined(REVERSE_FETCH32)
548 #        define HOST_FETCH32(p,l)   REVERSE_FETCH32(p,l)
549 #      endif
550 #    endif
551 #  endif
552 #endif
553 
554 #if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
555 #ifndef HASH_BLOCK_DATA_ORDER
556 #error "HASH_BLOCK_DATA_ORDER must be defined!"
557 #endif
558 #endif
559 
560 // None of the invocations of the following macros actually use the result,
561 // so cast them to void to avoid any compiler warnings/errors about not using
562 // the result (e.g. when using clang).
563 // If the resultant values need to be used at some point, these must be changed.
564 #define HOST_c2l(c,l) ((void)_HOST_c2l(c,l))
565 #define HOST_l2c(l,c) ((void)_HOST_l2c(l,c))
566 
567 #if defined(DATA_ORDER_IS_BIG_ENDIAN)
568 
569 #define _HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))<<24),      \
570                          l|=(((unsigned long)(*((c)++)))<<16),      \
571                          l|=(((unsigned long)(*((c)++)))<< 8),      \
572                          l|=(((unsigned long)(*((c)++)))    ),      \
573                          l)
574 #define HOST_p_c2l(c,l,n)   {                   \
575         switch (n) {                    \
576         case 0: l =((unsigned long)(*((c)++)))<<24; \
577         case 1: l|=((unsigned long)(*((c)++)))<<16; \
578         case 2: l|=((unsigned long)(*((c)++)))<< 8; \
579         case 3: l|=((unsigned long)(*((c)++)));     \
580         } }
581 #define HOST_p_c2l_p(c,l,sc,len) {                  \
582         switch (sc) {                   \
583         case 0: l =((unsigned long)(*((c)++)))<<24; \
584             if (--len == 0) break;                                                 \
585         case 1: l|=((unsigned long)(*((c)++)))<<16; \
586             if (--len == 0) break;                                                 \
587         case 2: l|=((unsigned long)(*((c)++)))<< 8; \
588         } }
589 /* NOTE the pointer is not incremented at the end of this */
590 #define HOST_c2l_p(c,l,n)   {                   \
591         l=0; (c)+=n;                    \
592         switch (n) {                    \
593         case 3: l =((unsigned long)(*(--(c))))<< 8; \
594         case 2: l|=((unsigned long)(*(--(c))))<<16; \
595         case 1: l|=((unsigned long)(*(--(c))))<<24; \
596         } }
597 #define _HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)>>24)&0xff),  \
598                          *((c)++)=(unsigned char)(((l)>>16)&0xff),  \
599                          *((c)++)=(unsigned char)(((l)>> 8)&0xff),  \
600                          *((c)++)=(unsigned char)(((l)    )&0xff),  \
601                          l)
602 
603 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
604 
605 #define _HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))    ),      \
606                          l|=(((unsigned long)(*((c)++)))<< 8),      \
607                          l|=(((unsigned long)(*((c)++)))<<16),      \
608                          l|=(((unsigned long)(*((c)++)))<<24),      \
609                          l)
610 #define HOST_p_c2l(c,l,n)   {                   \
611         switch (n) {                    \
612         case 0: l =((unsigned long)(*((c)++)));     \
613 	/* FALLTHROUGH */	\
614         case 1: l|=((unsigned long)(*((c)++)))<< 8; \
615 	/* FALLTHROUGH */	\
616         case 2: l|=((unsigned long)(*((c)++)))<<16; \
617 	/* FALLTHROUGH */	\
618         case 3: l|=((unsigned long)(*((c)++)))<<24; \
619         } }
620 #define HOST_p_c2l_p(c,l,sc,len) {                  \
621         switch (sc) {                   \
622         case 0: l =((unsigned long)(*((c)++)));     \
623             if (--len == 0) break;                                                 \
624 	/* FALLTHROUGH */	\
625         case 1: l|=((unsigned long)(*((c)++)))<< 8; \
626             if (--len == 0) break;                                                 \
627 	/* FALLTHROUGH */	\
628         case 2: l|=((unsigned long)(*((c)++)))<<16; \
629         } }
630 /* NOTE the pointer is not incremented at the end of this */
631 #define HOST_c2l_p(c,l,n)   {                   \
632         l=0; (c)+=n;                    \
633         switch (n) {                    \
634         case 3: l =((unsigned long)(*(--(c))))<<16; \
635 	/* FALLTHROUGH */	\
636         case 2: l|=((unsigned long)(*(--(c))))<< 8; \
637 	/* FALLTHROUGH */	\
638         case 1: l|=((unsigned long)(*(--(c))));     \
639         } }
640 #define _HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)    )&0xff),  \
641                          *((c)++)=(unsigned char)(((l)>> 8)&0xff),  \
642                          *((c)++)=(unsigned char)(((l)>>16)&0xff),  \
643                          *((c)++)=(unsigned char)(((l)>>24)&0xff),  \
644                          l)
645 
646 #endif
647 
648 /*
649  * Time for some action:-)
650  */
651 
652 int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
653 {
654     const unsigned char *data=(const unsigned char *)data_;
655     register HASH_LONG * p;
656     register unsigned long l;
657     int sw,sc,ew,ec;
658 
659     if (len==0) return 1;
660 
661     l=(c->Nl+(len<<3))&0xffffffffL;
662     /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
663      * Wei Dai <weidai@eskimo.com> for pointing it out. */
664     if (l < c->Nl) /* overflow */
665         c->Nh++;
666     c->Nh+=(len>>29);
667     c->Nl=l;
668 
669     if (c->num != 0)
670     {
671         p=c->data;
672         sw=c->num>>2;
673         sc=c->num&0x03;
674 
675         if ((c->num+len) >= HASH_CBLOCK)
676         {
677             l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
678             for (; sw<HASH_LBLOCK; sw++)
679             {
680                 HOST_c2l(data,l); p[sw]=l;
681             }
682             HASH_BLOCK_HOST_ORDER (c,p,1);
683             len-=(HASH_CBLOCK-c->num);
684             c->num=0;
685             /* drop through and do the rest */
686         }
687         else
688         {
689             c->num+=len;
690             if ((sc+len) < 4) /* ugly, add char's to a word */
691             {
692                 l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
693             }
694             else
695             {
696                 ew=(c->num>>2);
697                 ec=(c->num&0x03);
698                 if (sc)
699                     l=p[sw];
700                 HOST_p_c2l(data,l,sc);
701                 p[sw++]=l;
702                 for (; sw < ew; sw++)
703                 {
704                     HOST_c2l(data,l); p[sw]=l;
705                 }
706                 if (ec)
707                 {
708                     HOST_c2l_p(data,l,ec); p[sw]=l;
709                 }
710             }
711             return 1;
712         }
713     }
714 
715     sw=(int)(len/HASH_CBLOCK);
716     if (sw > 0)
717     {
718 #if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
719         /*
720          * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
721          * only if sizeof(HASH_LONG)==4.
722          */
723         if ((((unsigned long)data)%4) == 0)
724         {
725             /* data is properly aligned so that we can cast it: */
726             HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
727             sw*=HASH_CBLOCK;
728             data+=sw;
729             len-=sw;
730         }
731         else
732 #if !defined(HASH_BLOCK_DATA_ORDER)
733             while (sw--)
734             {
735                 mDNSPlatformMemCopy(p=c->data,data,HASH_CBLOCK);
736                 HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
737                 data+=HASH_CBLOCK;
738                 len-=HASH_CBLOCK;
739             }
740 #endif
741 #endif
742 #if defined(HASH_BLOCK_DATA_ORDER)
743         {
744             HASH_BLOCK_DATA_ORDER(c,data,sw);
745             sw*=HASH_CBLOCK;
746             data+=sw;
747             len-=sw;
748         }
749 #endif
750     }
751 
752     if (len!=0)
753     {
754         p = c->data;
755         c->num = (int)len;
756         ew=(int)(len>>2);   /* words to copy */
757         ec=(int)(len&0x03);
758         for (; ew; ew--,p++)
759         {
760             HOST_c2l(data,l); *p=l;
761         }
762         HOST_c2l_p(data,l,ec);
763         *p=l;
764     }
765     return 1;
766 }
767 
768 
769 void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
770 {
771 #if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
772     if ((((unsigned long)data)%4) == 0)
773         /* data is properly aligned so that we can cast it: */
774         HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
775     else
776 #if !defined(HASH_BLOCK_DATA_ORDER)
777     {
778         mDNSPlatformMemCopy(c->data,data,HASH_CBLOCK);
779         HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
780     }
781 #endif
782 #endif
783 #if defined(HASH_BLOCK_DATA_ORDER)
784     HASH_BLOCK_DATA_ORDER (c,data,1);
785 #endif
786 }
787 
788 
789 int HASH_FINAL (unsigned char *md, HASH_CTX *c)
790 {
791     register HASH_LONG *p;
792     register unsigned long l;
793     register int i,j;
794     static const unsigned char end[4]={0x80,0x00,0x00,0x00};
795     const unsigned char *cp=end;
796 
797     /* c->num should definitly have room for at least one more byte. */
798     p=c->data;
799     i=c->num>>2;
800     j=c->num&0x03;
801 
802 #if 0
803     /* purify often complains about the following line as an
804      * Uninitialized Memory Read.  While this can be true, the
805      * following p_c2l macro will reset l when that case is true.
806      * This is because j&0x03 contains the number of 'valid' bytes
807      * already in p[i].  If and only if j&0x03 == 0, the UMR will
808      * occur but this is also the only time p_c2l will do
809      * l= *(cp++) instead of l|= *(cp++)
810      * Many thanks to Alex Tang <altitude@cic.net> for pickup this
811      * 'potential bug' */
812 #ifdef PURIFY
813     if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
814 #endif
815     l=p[i];
816 #else
817     l = (j==0) ? 0 : p[i];
818 #endif
819     HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
820 
821     if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
822     {
823         if (i<HASH_LBLOCK) p[i]=0;
824         HASH_BLOCK_HOST_ORDER (c,p,1);
825         i=0;
826     }
827     for (; i<(HASH_LBLOCK-2); i++)
828         p[i]=0;
829 
830 #if   defined(DATA_ORDER_IS_BIG_ENDIAN)
831     p[HASH_LBLOCK-2]=c->Nh;
832     p[HASH_LBLOCK-1]=c->Nl;
833 #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
834     p[HASH_LBLOCK-2]=c->Nl;
835     p[HASH_LBLOCK-1]=c->Nh;
836 #endif
837     HASH_BLOCK_HOST_ORDER (c,p,1);
838 
839 #ifndef HASH_MAKE_STRING
840 #error "HASH_MAKE_STRING must be defined!"
841 #else
842     HASH_MAKE_STRING(c,md);
843 #endif
844 
845     c->num=0;
846     /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
847      * but I'm not worried :-)
848        OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
849      */
850     return 1;
851 }
852 
853 #ifndef MD32_REG_T
854 #define MD32_REG_T long
855 /*
856  * This comment was originaly written for MD5, which is why it
857  * discusses A-D. But it basically applies to all 32-bit digests,
858  * which is why it was moved to common header file.
859  *
860  * In case you wonder why A-D are declared as long and not
861  * as mDNSu32. Doing so results in slight performance
862  * boost on LP64 architectures. The catch is we don't
863  * really care if 32 MSBs of a 64-bit register get polluted
864  * with eventual overflows as we *save* only 32 LSBs in
865  * *either* case. Now declaring 'em long excuses the compiler
866  * from keeping 32 MSBs zeroed resulting in 13% performance
867  * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
868  * Well, to be honest it should say that this *prevents*
869  * performance degradation.
870  *				<appro@fy.chalmers.se>
871  * Apparently there're LP64 compilers that generate better
872  * code if A-D are declared int. Most notably GCC-x86_64
873  * generates better code.
874  *				<appro@fy.chalmers.se>
875  */
876 #endif
877 
878 
879 // from md5_locl.h (continued)
880 
881 /*
882  #define	F(x,y,z)	(((x) & (y))  |  ((~(x)) & (z)))
883  #define	G(x,y,z)	(((x) & (z))  |  ((y) & (~(z))))
884  */
885 
886 /* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
887  * simplified to the code below.  Wei attributes these optimizations
888  * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
889  */
890 #define F(b,c,d)    ((((c) ^ (d)) & (b)) ^ (d))
891 #define G(b,c,d)    ((((b) ^ (c)) & (d)) ^ (c))
892 #define H(b,c,d)    ((b) ^ (c) ^ (d))
893 #define I(b,c,d)    (((~(d)) | (b)) ^ (c))
894 
895 #define R0(a,b,c,d,k,s,t) { \
896         a+=((k)+(t)+F((b),(c),(d))); \
897         a=ROTATE(a,s); \
898         a+=b; }; \
899 
900 #define R1(a,b,c,d,k,s,t) { \
901         a+=((k)+(t)+G((b),(c),(d))); \
902         a=ROTATE(a,s); \
903         a+=b; };
904 
905 #define R2(a,b,c,d,k,s,t) { \
906         a+=((k)+(t)+H((b),(c),(d))); \
907         a=ROTATE(a,s); \
908         a+=b; };
909 
910 #define R3(a,b,c,d,k,s,t) { \
911         a+=((k)+(t)+I((b),(c),(d))); \
912         a=ROTATE(a,s); \
913         a+=b; };
914 
915 // from md5_dgst.c
916 
917 
918 /* Implemented from RFC1321 The MD5 Message-Digest Algorithm
919  */
920 
921 #define INIT_DATA_A (unsigned long)0x67452301L
922 #define INIT_DATA_B (unsigned long)0xefcdab89L
923 #define INIT_DATA_C (unsigned long)0x98badcfeL
924 #define INIT_DATA_D (unsigned long)0x10325476L
925 
926 int MD5_Init(MD5_CTX *c)
927 {
928     c->A=INIT_DATA_A;
929     c->B=INIT_DATA_B;
930     c->C=INIT_DATA_C;
931     c->D=INIT_DATA_D;
932     c->Nl=0;
933     c->Nh=0;
934     c->num=0;
935     return 1;
936 }
937 
938 #ifndef md5_block_host_order
939 void md5_block_host_order (MD5_CTX *c, const void *data, int num)
940 {
941     const mDNSu32 *X=(const mDNSu32 *)data;
942     register unsigned MD32_REG_T A,B,C,D;
943 
944     A=c->A;
945     B=c->B;
946     C=c->C;
947     D=c->D;
948 
949     for (; num--; X+=HASH_LBLOCK)
950     {
951         /* Round 0 */
952         R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
953         R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
954         R0(C,D,A,B,X[ 2],17,0x242070dbL);
955         R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
956         R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
957         R0(D,A,B,C,X[ 5],12,0x4787c62aL);
958         R0(C,D,A,B,X[ 6],17,0xa8304613L);
959         R0(B,C,D,A,X[ 7],22,0xfd469501L);
960         R0(A,B,C,D,X[ 8], 7,0x698098d8L);
961         R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
962         R0(C,D,A,B,X[10],17,0xffff5bb1L);
963         R0(B,C,D,A,X[11],22,0x895cd7beL);
964         R0(A,B,C,D,X[12], 7,0x6b901122L);
965         R0(D,A,B,C,X[13],12,0xfd987193L);
966         R0(C,D,A,B,X[14],17,0xa679438eL);
967         R0(B,C,D,A,X[15],22,0x49b40821L);
968         /* Round 1 */
969         R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
970         R1(D,A,B,C,X[ 6], 9,0xc040b340L);
971         R1(C,D,A,B,X[11],14,0x265e5a51L);
972         R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
973         R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
974         R1(D,A,B,C,X[10], 9,0x02441453L);
975         R1(C,D,A,B,X[15],14,0xd8a1e681L);
976         R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
977         R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
978         R1(D,A,B,C,X[14], 9,0xc33707d6L);
979         R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
980         R1(B,C,D,A,X[ 8],20,0x455a14edL);
981         R1(A,B,C,D,X[13], 5,0xa9e3e905L);
982         R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
983         R1(C,D,A,B,X[ 7],14,0x676f02d9L);
984         R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
985         /* Round 2 */
986         R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
987         R2(D,A,B,C,X[ 8],11,0x8771f681L);
988         R2(C,D,A,B,X[11],16,0x6d9d6122L);
989         R2(B,C,D,A,X[14],23,0xfde5380cL);
990         R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
991         R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
992         R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
993         R2(B,C,D,A,X[10],23,0xbebfbc70L);
994         R2(A,B,C,D,X[13], 4,0x289b7ec6L);
995         R2(D,A,B,C,X[ 0],11,0xeaa127faL);
996         R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
997         R2(B,C,D,A,X[ 6],23,0x04881d05L);
998         R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
999         R2(D,A,B,C,X[12],11,0xe6db99e5L);
1000         R2(C,D,A,B,X[15],16,0x1fa27cf8L);
1001         R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
1002         /* Round 3 */
1003         R3(A,B,C,D,X[ 0], 6,0xf4292244L);
1004         R3(D,A,B,C,X[ 7],10,0x432aff97L);
1005         R3(C,D,A,B,X[14],15,0xab9423a7L);
1006         R3(B,C,D,A,X[ 5],21,0xfc93a039L);
1007         R3(A,B,C,D,X[12], 6,0x655b59c3L);
1008         R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
1009         R3(C,D,A,B,X[10],15,0xffeff47dL);
1010         R3(B,C,D,A,X[ 1],21,0x85845dd1L);
1011         R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
1012         R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
1013         R3(C,D,A,B,X[ 6],15,0xa3014314L);
1014         R3(B,C,D,A,X[13],21,0x4e0811a1L);
1015         R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
1016         R3(D,A,B,C,X[11],10,0xbd3af235L);
1017         R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
1018         R3(B,C,D,A,X[ 9],21,0xeb86d391L);
1019 
1020         A = c->A += A;
1021         B = c->B += B;
1022         C = c->C += C;
1023         D = c->D += D;
1024     }
1025 }
1026 #endif
1027 
1028 #ifndef md5_block_data_order
1029 #ifdef X
1030 #undef X
1031 #endif
1032 void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
1033 {
1034     const unsigned char *data=data_;
1035     register unsigned MD32_REG_T A,B,C,D,l;
1036 #ifndef MD32_XARRAY
1037     /* See comment in crypto/sha/sha_locl.h for details. */
1038     unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
1039                         XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
1040 # define X(i)   XX ## i
1041 #else
1042     mDNSu32 XX[MD5_LBLOCK];
1043 # define X(i)   XX[i]
1044 #endif
1045 
1046     A=c->A;
1047     B=c->B;
1048     C=c->C;
1049     D=c->D;
1050 
1051     for (; num--;)
1052     {
1053         HOST_c2l(data,l); X( 0)=l;      HOST_c2l(data,l); X( 1)=l;
1054         /* Round 0 */
1055         R0(A,B,C,D,X( 0), 7,0xd76aa478L);   HOST_c2l(data,l); X( 2)=l;
1056         R0(D,A,B,C,X( 1),12,0xe8c7b756L);   HOST_c2l(data,l); X( 3)=l;
1057         R0(C,D,A,B,X( 2),17,0x242070dbL);   HOST_c2l(data,l); X( 4)=l;
1058         R0(B,C,D,A,X( 3),22,0xc1bdceeeL);   HOST_c2l(data,l); X( 5)=l;
1059         R0(A,B,C,D,X( 4), 7,0xf57c0fafL);   HOST_c2l(data,l); X( 6)=l;
1060         R0(D,A,B,C,X( 5),12,0x4787c62aL);   HOST_c2l(data,l); X( 7)=l;
1061         R0(C,D,A,B,X( 6),17,0xa8304613L);   HOST_c2l(data,l); X( 8)=l;
1062         R0(B,C,D,A,X( 7),22,0xfd469501L);   HOST_c2l(data,l); X( 9)=l;
1063         R0(A,B,C,D,X( 8), 7,0x698098d8L);   HOST_c2l(data,l); X(10)=l;
1064         R0(D,A,B,C,X( 9),12,0x8b44f7afL);   HOST_c2l(data,l); X(11)=l;
1065         R0(C,D,A,B,X(10),17,0xffff5bb1L);   HOST_c2l(data,l); X(12)=l;
1066         R0(B,C,D,A,X(11),22,0x895cd7beL);   HOST_c2l(data,l); X(13)=l;
1067         R0(A,B,C,D,X(12), 7,0x6b901122L);   HOST_c2l(data,l); X(14)=l;
1068         R0(D,A,B,C,X(13),12,0xfd987193L);   HOST_c2l(data,l); X(15)=l;
1069         R0(C,D,A,B,X(14),17,0xa679438eL);
1070         R0(B,C,D,A,X(15),22,0x49b40821L);
1071         /* Round 1 */
1072         R1(A,B,C,D,X( 1), 5,0xf61e2562L);
1073         R1(D,A,B,C,X( 6), 9,0xc040b340L);
1074         R1(C,D,A,B,X(11),14,0x265e5a51L);
1075         R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
1076         R1(A,B,C,D,X( 5), 5,0xd62f105dL);
1077         R1(D,A,B,C,X(10), 9,0x02441453L);
1078         R1(C,D,A,B,X(15),14,0xd8a1e681L);
1079         R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
1080         R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
1081         R1(D,A,B,C,X(14), 9,0xc33707d6L);
1082         R1(C,D,A,B,X( 3),14,0xf4d50d87L);
1083         R1(B,C,D,A,X( 8),20,0x455a14edL);
1084         R1(A,B,C,D,X(13), 5,0xa9e3e905L);
1085         R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
1086         R1(C,D,A,B,X( 7),14,0x676f02d9L);
1087         R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
1088         /* Round 2 */
1089         R2(A,B,C,D,X( 5), 4,0xfffa3942L);
1090         R2(D,A,B,C,X( 8),11,0x8771f681L);
1091         R2(C,D,A,B,X(11),16,0x6d9d6122L);
1092         R2(B,C,D,A,X(14),23,0xfde5380cL);
1093         R2(A,B,C,D,X( 1), 4,0xa4beea44L);
1094         R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
1095         R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
1096         R2(B,C,D,A,X(10),23,0xbebfbc70L);
1097         R2(A,B,C,D,X(13), 4,0x289b7ec6L);
1098         R2(D,A,B,C,X( 0),11,0xeaa127faL);
1099         R2(C,D,A,B,X( 3),16,0xd4ef3085L);
1100         R2(B,C,D,A,X( 6),23,0x04881d05L);
1101         R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
1102         R2(D,A,B,C,X(12),11,0xe6db99e5L);
1103         R2(C,D,A,B,X(15),16,0x1fa27cf8L);
1104         R2(B,C,D,A,X( 2),23,0xc4ac5665L);
1105         /* Round 3 */
1106         R3(A,B,C,D,X( 0), 6,0xf4292244L);
1107         R3(D,A,B,C,X( 7),10,0x432aff97L);
1108         R3(C,D,A,B,X(14),15,0xab9423a7L);
1109         R3(B,C,D,A,X( 5),21,0xfc93a039L);
1110         R3(A,B,C,D,X(12), 6,0x655b59c3L);
1111         R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
1112         R3(C,D,A,B,X(10),15,0xffeff47dL);
1113         R3(B,C,D,A,X( 1),21,0x85845dd1L);
1114         R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
1115         R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
1116         R3(C,D,A,B,X( 6),15,0xa3014314L);
1117         R3(B,C,D,A,X(13),21,0x4e0811a1L);
1118         R3(A,B,C,D,X( 4), 6,0xf7537e82L);
1119         R3(D,A,B,C,X(11),10,0xbd3af235L);
1120         R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
1121         R3(B,C,D,A,X( 9),21,0xeb86d391L);
1122 
1123         A = c->A += A;
1124         B = c->B += B;
1125         C = c->C += C;
1126         D = c->D += D;
1127     }
1128 }
1129 #endif
1130 
1131 
1132 // ***************************************************************************
1133 #if COMPILER_LIKES_PRAGMA_MARK
1134 #pragma mark - base64 -> binary conversion
1135 #endif
1136 
1137 static const char Base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
1138 static const char Pad64 = '=';
1139 
1140 
1141 #define mDNSisspace(x) (x == '\t' || x == '\n' || x == '\v' || x == '\f' || x == '\r' || x == ' ')
1142 
1143 mDNSlocal const char *mDNSstrchr(const char *s, int c)
1144 {
1145     while (1)
1146     {
1147         if (c == *s) return s;
1148         if (!*s) return mDNSNULL;
1149         s++;
1150     }
1151 }
1152 
1153 // skips all whitespace anywhere.
1154 // converts characters, four at a time, starting at (or after)
1155 // src from base - 64 numbers into three 8 bit bytes in the target area.
1156 // it returns the number of data bytes stored at the target, or -1 on error.
1157 // adapted from BIND sources
1158 
1159 mDNSlocal mDNSs32 DNSDigest_Base64ToBin(const char *src, mDNSu8 *target, mDNSu32 targsize)
1160 {
1161     int tarindex, state, ch;
1162     const char *pos;
1163 
1164     state = 0;
1165     tarindex = 0;
1166 
1167     while ((ch = *src++) != '\0') {
1168         if (mDNSisspace(ch))    /* Skip whitespace anywhere. */
1169             continue;
1170 
1171         if (ch == Pad64)
1172             break;
1173 
1174         pos = mDNSstrchr(Base64, ch);
1175         if (pos == 0)       /* A non-base64 character. */
1176             return (-1);
1177 
1178         switch (state) {
1179         case 0:
1180             if (target) {
1181                 if ((mDNSu32)tarindex >= targsize)
1182                     return (-1);
1183                 target[tarindex] = (mDNSu8)((pos - Base64) << 2);
1184             }
1185             state = 1;
1186             break;
1187         case 1:
1188             if (target) {
1189                 if ((mDNSu32)tarindex + 1 >= targsize)
1190                     return (-1);
1191                 target[tarindex]   |=  (pos - Base64) >> 4;
1192                 target[tarindex+1]  = (mDNSu8)(((pos - Base64) & 0x0f) << 4);
1193             }
1194             tarindex++;
1195             state = 2;
1196             break;
1197         case 2:
1198             if (target) {
1199                 if ((mDNSu32)tarindex + 1 >= targsize)
1200                     return (-1);
1201                 target[tarindex]   |=  (pos - Base64) >> 2;
1202                 target[tarindex+1]  = (mDNSu8)(((pos - Base64) & 0x03) << 6);
1203             }
1204             tarindex++;
1205             state = 3;
1206             break;
1207         case 3:
1208             if (target) {
1209                 if ((mDNSu32)tarindex >= targsize)
1210                     return (-1);
1211                 target[tarindex] |= (pos - Base64);
1212             }
1213             tarindex++;
1214             state = 0;
1215             break;
1216         default:
1217             return -1;
1218         }
1219     }
1220 
1221     /*
1222      * We are done decoding Base-64 chars.  Let's see if we ended
1223      * on a byte boundary, and/or with erroneous trailing characters.
1224      */
1225 
1226     if (ch == Pad64) {      /* We got a pad char. */
1227         ch = *src++;        /* Skip it, get next. */
1228         switch (state) {
1229         case 0:     /* Invalid = in first position */
1230         case 1:     /* Invalid = in second position */
1231             return (-1);
1232 
1233         case 2:     /* Valid, means one byte of info */
1234             /* Skip any number of spaces. */
1235             for ((void)mDNSNULL; ch != '\0'; ch = *src++)
1236                 if (!mDNSisspace(ch))
1237                     break;
1238             /* Make sure there is another trailing = sign. */
1239             if (ch != Pad64)
1240                 return (-1);
1241             ch = *src++;        /* Skip the = */
1242         /* Fall through to "single trailing =" case. */
1243         /* FALLTHROUGH */
1244 
1245         case 3:     /* Valid, means two bytes of info */
1246             /*
1247              * We know this char is an =.  Is there anything but
1248              * whitespace after it?
1249              */
1250             for ((void)mDNSNULL; ch != '\0'; ch = *src++)
1251                 if (!mDNSisspace(ch))
1252                     return (-1);
1253 
1254             /*
1255              * Now make sure for cases 2 and 3 that the "extra"
1256              * bits that slopped past the last full byte were
1257              * zeros.  If we don't check them, they become a
1258              * subliminal channel.
1259              */
1260             if (target && target[tarindex] != 0)
1261                 return (-1);
1262         }
1263     } else {
1264         /*
1265          * We ended by seeing the end of the string.  Make sure we
1266          * have no partial bytes lying around.
1267          */
1268         if (state != 0)
1269             return (-1);
1270     }
1271 
1272     return (tarindex);
1273 }
1274 
1275 
1276 // ***************************************************************************
1277 #if COMPILER_LIKES_PRAGMA_MARK
1278 #pragma mark - API exported to mDNS Core
1279 #endif
1280 
1281 // Constants
1282 #define HMAC_IPAD   0x36
1283 #define HMAC_OPAD   0x5c
1284 #define MD5_LEN     16
1285 
1286 #define HMAC_MD5_AlgName (*(const domainname*) "\010" "hmac-md5" "\007" "sig-alg" "\003" "reg" "\003" "int")
1287 
1288 // Adapted from Appendix, RFC 2104
1289 mDNSlocal void DNSDigest_ConstructHMACKey(DomainAuthInfo *info, const mDNSu8 *key, mDNSu32 len)
1290 {
1291     MD5_CTX k;
1292     mDNSu8 buf[MD5_LEN];
1293     int i;
1294 
1295     // If key is longer than HMAC_LEN reset it to MD5(key)
1296     if (len > HMAC_LEN)
1297     {
1298         MD5_Init(&k);
1299         MD5_Update(&k, key, len);
1300         MD5_Final(buf, &k);
1301         key = buf;
1302         len = MD5_LEN;
1303     }
1304 
1305     // store key in pads
1306     mDNSPlatformMemZero(info->keydata_ipad, HMAC_LEN);
1307     mDNSPlatformMemZero(info->keydata_opad, HMAC_LEN);
1308     mDNSPlatformMemCopy(info->keydata_ipad, key, len);
1309     mDNSPlatformMemCopy(info->keydata_opad, key, len);
1310 
1311     // XOR key with ipad and opad values
1312     for (i = 0; i < HMAC_LEN; i++)
1313     {
1314         info->keydata_ipad[i] ^= HMAC_IPAD;
1315         info->keydata_opad[i] ^= HMAC_OPAD;
1316     }
1317 
1318 }
1319 
1320 mDNSexport mDNSs32 DNSDigest_ConstructHMACKeyfromBase64(DomainAuthInfo *info, const char *b64key)
1321 {
1322     mDNSu8 keybuf[1024];
1323     mDNSs32 keylen = DNSDigest_Base64ToBin(b64key, keybuf, sizeof(keybuf));
1324     if (keylen < 0) return(keylen);
1325     DNSDigest_ConstructHMACKey(info, keybuf, (mDNSu32)keylen);
1326     return(keylen);
1327 }
1328 
1329 mDNSexport void DNSDigest_SignMessage(DNSMessage *msg, mDNSu8 **end, DomainAuthInfo *info, mDNSu16 tcode)
1330 {
1331     AuthRecord tsig;
1332     mDNSu8  *rdata, *const countPtr = (mDNSu8 *)&msg->h.numAdditionals; // Get existing numAdditionals value
1333     mDNSu32 utc32;
1334     mDNSu8 utc48[6];
1335     mDNSu8 digest[MD5_LEN];
1336     mDNSu8 *ptr = *end;
1337     mDNSu32 len;
1338     mDNSOpaque16 buf;
1339     MD5_CTX c;
1340     mDNSu16 numAdditionals = (mDNSu16)((mDNSu16)countPtr[0] << 8 | countPtr[1]);
1341 
1342     // Init MD5 context, digest inner key pad and message
1343     MD5_Init(&c);
1344     MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
1345     MD5_Update(&c, (mDNSu8 *)msg, (unsigned long)(*end - (mDNSu8 *)msg));
1346 
1347     // Construct TSIG RR, digesting variables as apporpriate
1348     mDNS_SetupResourceRecord(&tsig, mDNSNULL, 0, kDNSType_TSIG, 0, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);
1349 
1350     // key name
1351     AssignDomainName(&tsig.namestorage, &info->keyname);
1352     MD5_Update(&c, info->keyname.c, DomainNameLength(&info->keyname));
1353 
1354     // class
1355     tsig.resrec.rrclass = kDNSQClass_ANY;
1356     buf = mDNSOpaque16fromIntVal(kDNSQClass_ANY);
1357     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
1358 
1359     // ttl
1360     tsig.resrec.rroriginalttl = 0;
1361     MD5_Update(&c, (mDNSu8 *)&tsig.resrec.rroriginalttl, sizeof(tsig.resrec.rroriginalttl));
1362 
1363     // alg name
1364     AssignDomainName(&tsig.resrec.rdata->u.name, &HMAC_MD5_AlgName);
1365     len = DomainNameLength(&HMAC_MD5_AlgName);
1366     rdata = tsig.resrec.rdata->u.data + len;
1367     MD5_Update(&c, HMAC_MD5_AlgName.c, len);
1368 
1369     // time
1370     // get UTC (universal time), convert to 48-bit unsigned in network byte order
1371     utc32 = (mDNSu32)mDNSPlatformUTC();
1372     if (utc32 == (unsigned)-1) { LogMsg("ERROR: DNSDigest_SignMessage - mDNSPlatformUTC returned bad time -1"); *end = mDNSNULL; }
1373     utc48[0] = 0;
1374     utc48[1] = 0;
1375     utc48[2] = (mDNSu8)((utc32 >> 24) & 0xff);
1376     utc48[3] = (mDNSu8)((utc32 >> 16) & 0xff);
1377     utc48[4] = (mDNSu8)((utc32 >>  8) & 0xff);
1378     utc48[5] = (mDNSu8)( utc32        & 0xff);
1379 
1380     mDNSPlatformMemCopy(rdata, utc48, 6);
1381     rdata += 6;
1382     MD5_Update(&c, utc48, 6);
1383 
1384     // 300 sec is fudge recommended in RFC 2485
1385     rdata[0] = (mDNSu8)((300 >> 8)  & 0xff);
1386     rdata[1] = (mDNSu8)( 300        & 0xff);
1387     MD5_Update(&c, rdata, sizeof(mDNSOpaque16));
1388     rdata += sizeof(mDNSOpaque16);
1389 
1390     // digest error (tcode) and other data len (zero) - we'll add them to the rdata later
1391     buf.b[0] = (mDNSu8)((tcode >> 8) & 0xff);
1392     buf.b[1] = (mDNSu8)( tcode       & 0xff);
1393     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // error
1394     buf.NotAnInteger = 0;
1395     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // other data len
1396 
1397     // finish the message & tsig var hash
1398     MD5_Final(digest, &c);
1399 
1400     // perform outer MD5 (outer key pad, inner digest)
1401     MD5_Init(&c);
1402     MD5_Update(&c, info->keydata_opad, HMAC_LEN);
1403     MD5_Update(&c, digest, MD5_LEN);
1404     MD5_Final(digest, &c);
1405 
1406     // set remaining rdata fields
1407     rdata[0] = (mDNSu8)((MD5_LEN >> 8)  & 0xff);
1408     rdata[1] = (mDNSu8)( MD5_LEN        & 0xff);
1409     rdata += sizeof(mDNSOpaque16);
1410     mDNSPlatformMemCopy(rdata, digest, MD5_LEN);                          // MAC
1411     rdata += MD5_LEN;
1412     rdata[0] = msg->h.id.b[0];                                            // original ID
1413     rdata[1] = msg->h.id.b[1];
1414     rdata[2] = (mDNSu8)((tcode >> 8) & 0xff);
1415     rdata[3] = (mDNSu8)( tcode       & 0xff);
1416     rdata[4] = 0;                                                         // other data len
1417     rdata[5] = 0;
1418     rdata += 6;
1419 
1420     tsig.resrec.rdlength = (mDNSu16)(rdata - tsig.resrec.rdata->u.data);
1421     *end = PutResourceRecordTTLJumbo(msg, ptr, &numAdditionals, &tsig.resrec, 0);
1422     if (!*end) { LogMsg("ERROR: DNSDigest_SignMessage - could not put TSIG"); *end = mDNSNULL; return; }
1423 
1424     // Write back updated numAdditionals value
1425     countPtr[0] = (mDNSu8)(numAdditionals >> 8);
1426     countPtr[1] = (mDNSu8)(numAdditionals &  0xFF);
1427 }
1428 
1429 mDNSexport mDNSBool DNSDigest_VerifyMessage(DNSMessage *msg, mDNSu8 *end, LargeCacheRecord * lcr, DomainAuthInfo *info, mDNSu16 * rcode, mDNSu16 * tcode)
1430 {
1431     mDNSu8          *   ptr = (mDNSu8*) &lcr->r.resrec.rdata->u.data;
1432     mDNSs32 now;
1433     mDNSs32 then;
1434     mDNSu8 thisDigest[MD5_LEN];
1435     mDNSu8 thatDigest[MD5_LEN];
1436     mDNSOpaque16 buf;
1437     mDNSu8 utc48[6];
1438     mDNSs32 delta;
1439     mDNSu16 fudge;
1440     domainname      *   algo;
1441     MD5_CTX c;
1442     mDNSBool ok = mDNSfalse;
1443 
1444     // We only support HMAC-MD5 for now
1445 
1446     algo = (domainname*) ptr;
1447 
1448     if (!SameDomainName(algo, &HMAC_MD5_AlgName))
1449     {
1450         LogMsg("ERROR: DNSDigest_VerifyMessage - TSIG algorithm not supported: %##s", algo->c);
1451         *rcode = kDNSFlag1_RC_NotAuth;
1452         *tcode = TSIG_ErrBadKey;
1453         ok = mDNSfalse;
1454         goto exit;
1455     }
1456 
1457     ptr += DomainNameLength(algo);
1458 
1459     // Check the times
1460 
1461     now = mDNSPlatformUTC();
1462     if (now == -1)
1463     {
1464         LogMsg("ERROR: DNSDigest_VerifyMessage - mDNSPlatformUTC returned bad time -1");
1465         *rcode = kDNSFlag1_RC_NotAuth;
1466         *tcode = TSIG_ErrBadTime;
1467         ok = mDNSfalse;
1468         goto exit;
1469     }
1470 
1471     // Get the 48 bit time field, skipping over the first word
1472 
1473     utc48[0] = *ptr++;
1474     utc48[1] = *ptr++;
1475     utc48[2] = *ptr++;
1476     utc48[3] = *ptr++;
1477     utc48[4] = *ptr++;
1478     utc48[5] = *ptr++;
1479 
1480     then  = (mDNSs32)NToH32(utc48 + sizeof(mDNSu16));
1481 
1482     fudge = NToH16(ptr);
1483 
1484     ptr += sizeof(mDNSu16);
1485 
1486     delta = (now > then) ? now - then : then - now;
1487 
1488     if (delta > fudge)
1489     {
1490         LogMsg("ERROR: DNSDigest_VerifyMessage - time skew > %d", fudge);
1491         *rcode = kDNSFlag1_RC_NotAuth;
1492         *tcode = TSIG_ErrBadTime;
1493         ok = mDNSfalse;
1494         goto exit;
1495     }
1496 
1497     // MAC size
1498 
1499     ptr += sizeof(mDNSu16);
1500 
1501     // MAC
1502 
1503     mDNSPlatformMemCopy(thatDigest, ptr, MD5_LEN);
1504 
1505     // Init MD5 context, digest inner key pad and message
1506 
1507     MD5_Init(&c);
1508     MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
1509     MD5_Update(&c, (mDNSu8*) msg, (unsigned long)(end - (mDNSu8*) msg));
1510 
1511     // Key name
1512 
1513     MD5_Update(&c, lcr->r.resrec.name->c, DomainNameLength(lcr->r.resrec.name));
1514 
1515     // Class name
1516 
1517     buf = mDNSOpaque16fromIntVal(lcr->r.resrec.rrclass);
1518     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
1519 
1520     // TTL
1521 
1522     MD5_Update(&c, (mDNSu8*) &lcr->r.resrec.rroriginalttl, sizeof(lcr->r.resrec.rroriginalttl));
1523 
1524     // Algorithm
1525 
1526     MD5_Update(&c, algo->c, DomainNameLength(algo));
1527 
1528     // Time
1529 
1530     MD5_Update(&c, utc48, 6);
1531 
1532     // Fudge
1533 
1534     buf = mDNSOpaque16fromIntVal(fudge);
1535     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));
1536 
1537     // Digest error and other data len (both zero) - we'll add them to the rdata later
1538 
1539     buf.NotAnInteger = 0;
1540     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // error
1541     MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // other data len
1542 
1543     // Finish the message & tsig var hash
1544 
1545     MD5_Final(thisDigest, &c);
1546 
1547     // perform outer MD5 (outer key pad, inner digest)
1548 
1549     MD5_Init(&c);
1550     MD5_Update(&c, info->keydata_opad, HMAC_LEN);
1551     MD5_Update(&c, thisDigest, MD5_LEN);
1552     MD5_Final(thisDigest, &c);
1553 
1554     if (!mDNSPlatformMemSame(thisDigest, thatDigest, MD5_LEN))
1555     {
1556         LogMsg("ERROR: DNSDigest_VerifyMessage - bad signature");
1557         *rcode = kDNSFlag1_RC_NotAuth;
1558         *tcode = TSIG_ErrBadSig;
1559         ok = mDNSfalse;
1560         goto exit;
1561     }
1562 
1563     // set remaining rdata fields
1564     ok = mDNStrue;
1565 
1566 exit:
1567 
1568     return ok;
1569 }
1570 
1571 
1572 #ifdef __cplusplus
1573 }
1574 #endif
1575