1 /*
2  * Copyright (c) 2002-2019 Apple Inc. All rights reserved.
3  * Copyright (c) 2016 by Delphix. All rights reserved.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif
21 
22 #include "mDNSEmbeddedAPI.h"
23 #include "DNSCommon.h"
24 
25 // Disable certain benign warnings with Microsoft compilers
26 #if (defined(_MSC_VER))
27 // Disable "conditional expression is constant" warning for debug macros.
28 // Otherwise, this generates warnings for the perfectly natural construct "while(1)"
29 // If someone knows a variant way of writing "while(1)" that doesn't generate warning messages, please let us know
30     #pragma warning(disable:4127)
31 #endif
32 
33 
34 // ***************************************************************************
35 #if COMPILER_LIKES_PRAGMA_MARK
36 #pragma mark - Byte Swapping Functions
37 #endif
38 
// Assemble a 16-bit value from two bytes, most significant byte first
// (bytes[0] is the high byte, bytes[1] the low byte).
mDNSlocal mDNSu16 NToH16(mDNSu8 * bytes)
{
    const mDNSu16 hi = (mDNSu16)bytes[0];
    const mDNSu16 lo = (mDNSu16)bytes[1];

    return (mDNSu16)(hi << 8 | lo);
}
43 
// Assemble a 32-bit value from four bytes, most significant byte first
// (bytes[0] lands in bits 31..24, bytes[3] in bits 7..0).
mDNSlocal mDNSu32 NToH32(mDNSu8 * bytes)
{
    mDNSu32 value = (mDNSu32)bytes[0] << 24;

    value |= (mDNSu32)bytes[1] << 16;
    value |= (mDNSu32)bytes[2] << 8;
    value |= (mDNSu32)bytes[3];
    return value;
}
48 
49 // ***************************************************************************
50 #if COMPILER_LIKES_PRAGMA_MARK
51 #pragma mark - MD5 Hash Functions
52 #endif
53 
54 
55 /* The source for the hash is derived from the CommonCrypto files CommonDigest.h, md32_common.h, md5_locl.h, md5_locl.h, and openssl/md5.h.
56  * The following changes have been made to the original sources:
57  *    replaced CC_LONG w/ mDNSu32
58  *    replaced CC_MD5* with MD5*
59  *    replaced CC_LONG w/ mDNSu32, removed conditional #defines from md5.h
60  *    removed extern decls for MD5_Init/Update/Final from CommonDigest.h
61  *    removed APPLE_COMMON_DIGEST specific #defines from md5_locl.h
62  *
63  * Note: machine architecture-specific conditionals from the original sources are turned off, but are left in the code
64  * to aid in platform-specific optimizations and debugging.
65  * Sources originally distributed under the following license headers:
66  * CommonDigest.h - APSL
67  *
68  * md32_Common.h
69  * ====================================================================
70  * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
71  *
72  * Redistribution and use in source and binary forms, with or without
73  * modification, are permitted provided that the following conditions
74  * are met:
75  *
76  * 1. Redistributions of source code must retain the above copyright
77  *    notice, this list of conditions and the following disclaimer.
78  *
79  * 2. Redistributions in binary form must reproduce the above copyright
80  *    notice, this list of conditions and the following disclaimer in
81  *    the documentation and/or other materials provided with the
82  *    distribution.
83  *
84  * 3. All advertising materials mentioning features or use of this
85  *    software must display the following acknowledgment:
86  *    "This product includes software developed by the OpenSSL Project
87  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
88  *
89  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
90  *    endorse or promote products derived from this software without
91  *    prior written permission. For written permission, please contact
92  *    licensing@OpenSSL.org.
93  *
94  * 5. Products derived from this software may not be called "OpenSSL"
95  *    nor may "OpenSSL" appear in their names without prior written
96  *    permission of the OpenSSL Project.
97  *
98  * 6. Redistributions of any form whatsoever must retain the following
99  *    acknowledgment:
100  *    "This product includes software developed by the OpenSSL Project
101  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
102  *
103  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
104  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
105  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
106  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
107  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
108  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
109  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
110  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
111  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
112  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
113  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
114  * OF THE POSSIBILITY OF SUCH DAMAGE.
115  *
116  *
117  * md5_dgst.c, md5_locl.h
118  * ====================================================================
119  *
120  * This product includes cryptographic software written by Eric Young
121  * (eay@cryptsoft.com).  This product includes software written by Tim
122  * Hudson (tjh@cryptsoft.com).
123  *
124  * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
125  * All rights reserved.
126  *
127  * This package is an SSL implementation written
128  * by Eric Young (eay@cryptsoft.com).
129  * The implementation was written so as to conform with Netscapes SSL.
130  *
131  * This library is free for commercial and non-commercial use as long as
132  * the following conditions are aheared to.  The following conditions
133  * apply to all code found in this distribution, be it the RC4, RSA,
134  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
135  * included with this distribution is covered by the same copyright terms
136  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
137  *
138  * Copyright remains Eric Young's, and as such any Copyright notices in
139  * the code are not to be removed.
140  * If this package is used in a product, Eric Young should be given attribution
141  * as the author of the parts of the library used.
142  * This can be in the form of a textual message at program startup or
143  * in documentation (online or textual) provided with the package.
144  *
145  * Redistribution and use in source and binary forms, with or without
146  * modification, are permitted provided that the following conditions
147  * are met:
148  * 1. Redistributions of source code must retain the copyright
149  *    notice, this list of conditions and the following disclaimer.
150  * 2. Redistributions in binary form must reproduce the above copyright
151  *    notice, this list of conditions and the following disclaimer in the
152  *    documentation and/or other materials provided with the distribution.
153  * 3. All advertising materials mentioning features or use of this software
154  *    must display the following acknowledgement:
155  *    "This product includes cryptographic software written by
156  *     Eric Young (eay@cryptsoft.com)"
157  *    The word 'cryptographic' can be left out if the rouines from the library
158  *    being used are not cryptographic related :-).
159  * 4. If you include any Windows specific code (or a derivative thereof) from
160  *    the apps directory (application code) you must include an acknowledgement:
161  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
162  *
163  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
164  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
165  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
166  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
167  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
168  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
169  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
170  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
171  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
172  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
173  * SUCH DAMAGE.
174  *
175  * The licence and distribution terms for any publically available version or
176  * derivative of this code cannot be changed.  i.e. this code cannot simply be
177  * copied and put under another distribution licence
178  * [including the GNU Public Licence.]
179  *
180  */
181 
182 //from CommonDigest.h
183 
184 
185 
186 // from openssl/md5.h
187 
// Input is consumed in blocks of MD5_CBLOCK bytes (bound to HASH_CBLOCK further down).
#define MD5_CBLOCK  64
// The same block counted in 4-byte words (bound to HASH_LBLOCK further down).
#define MD5_LBLOCK  (MD5_CBLOCK/4)
// Bytes in a finished digest: HASH_MAKE_STRING emits four state words of four bytes each.
#define MD5_DIGEST_LENGTH 16

// Hashes a single block starting at b into context c. The definition appears later in
// this file under the macro name HASH_TRANSFORM.
// NOTE(review): MD5 is not collision resistant. The callers are not visible in this
// section; confirm it is only used where the protocol mandates it.
void MD5_Transform(MD5_CTX *c, const unsigned char *b);
193 
194 // From md5_locl.h
195 
// log2 of the hash word size in bytes; 2 selects 4-byte (32-bit) words.
#ifndef MD5_LONG_LOG2
#define MD5_LONG_LOG2 2 /* default to 32 bits */
#endif

// Assembler back ends, selected only when MD5_ASM is defined. Nothing in the lines shown
// here defines it, and the file's header comment says these conditionals are turned off.
#ifdef MD5_ASM
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
#  define md5_block_host_order md5_block_asm_host_order
# elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
void md5_block_asm_data_order_aligned (MD5_CTX *c, const mDNSu32 *p,int num);
#  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
# endif
#endif

// Block functions, implemented outside this section. The callers below pass a block
// count in num (a quotient len/HASH_CBLOCK, or 1).
void md5_block_host_order (MD5_CTX *c, const void *p,int num);
void md5_block_data_order (MD5_CTX *c, const void *p,int num);

#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
/*
 * *_block_host_order is expected to handle aligned data while
 * *_block_data_order - unaligned. As algorithm and host (x86)
 * are in this case of the same "endianness" these two are
 * otherwise indistinguishable. But normally you don't want to
 * call the same function because unaligned access in places
 * where alignment is expected is usually a "Bad Thing". Indeed,
 * on RISCs you get punished with BUS ERROR signal or *severe*
 * performance degradation. Intel CPUs are in turn perfectly
 * capable of loading unaligned data without such drastic side
 * effect. Yes, they say it's slower than aligned load, but no
 * exception is generated and therefore performance degradation
 * is *incomparable* with RISCs. What we should weight here is
 * costs of unaligned access against costs of aligning data.
 * According to my measurements allowing unaligned access results
 * in ~9% performance improvement on Pentium II operating at
 * 266MHz. I won't be surprised if the difference will be higher
 * on faster systems:-)
 *
 *				<appro@fy.chalmers.se>
 */
// On 32-bit x86 targets the data-order name is aliased to the host-order function,
// so both names resolve to the same block routine.
#define md5_block_data_order md5_block_host_order
#endif

// MD5 packs input bytes into words least-significant byte first; this selects the
// little-endian HOST_c2l / HOST_l2c variants defined further down.
#define DATA_ORDER_IS_LITTLE_ENDIAN

// Bind the generic collector's type, size and function names to their MD5 counterparts.
#define HASH_LONG       mDNSu32
#define HASH_LONG_LOG2  MD5_LONG_LOG2
#define HASH_CTX        MD5_CTX
#define HASH_CBLOCK     MD5_CBLOCK
#define HASH_LBLOCK     MD5_LBLOCK

#define HASH_UPDATE     MD5_Update
#define HASH_TRANSFORM  MD5_Transform
#define HASH_FINAL      MD5_Final

// Serialise the four state words A, B, C, D of context c to the byte pointer s.
// Each HOST_l2c stores four bytes and post-increments s, so s ends 16 bytes further on.
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;       \
        ll=(c)->A; HOST_l2c(ll,(s));    \
        ll=(c)->B; HOST_l2c(ll,(s));    \
        ll=(c)->C; HOST_l2c(ll,(s));    \
        ll=(c)->D; HOST_l2c(ll,(s));    \
} while (0)
#define HASH_BLOCK_HOST_ORDER   md5_block_host_order
// The data-order block function is bound unless L_ENDIAN is defined and
// md5_block_data_order has not been aliased by the x86 #define above.
#if !defined(L_ENDIAN) || defined(md5_block_data_order)
#define HASH_BLOCK_DATA_ORDER   md5_block_data_order
/*
 * Little-endians (Intel and Alpha) feel better without this.
 * It looks like memcpy does better job than generic
 * md5_block_data_order on copying-n-aligning input data.
 * But frankly speaking I didn't expect such result on Alpha.
 * On the other hand I've got this with egcs-1.0.2 and if
 * program is compiled with another (better?) compiler it
 * might turn out other way around.
 *
 *				<appro@fy.chalmers.se>
 */
#endif
271 
272 
273 // from md32_common.h
274 
275 /*
276  * This is a generic 32 bit "collector" for message digest algorithms.
277  * Whenever needed it collects input character stream into chunks of
278  * 32 bit values and invokes a block function that performs actual hash
279  * calculations.
280  *
281  * Porting guide.
282  *
283  * Obligatory macros:
284  *
285  * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
286  *	this macro defines byte order of input stream.
287  * HASH_CBLOCK
288  *	size of a unit chunk HASH_BLOCK operates on.
289  * HASH_LONG
290  *	has to be at lest 32 bit wide, if it's wider, then
291  *	HASH_LONG_LOG2 *has to* be defined along
292  * HASH_CTX
293  *	context structure that at least contains following
294  *	members:
295  *		typedef struct {
296  *			...
297  *			HASH_LONG	Nl,Nh;
298  *			HASH_LONG	data[HASH_LBLOCK];
299  *			int		num;
300  *			...
301  *			} HASH_CTX;
302  * HASH_UPDATE
303  *	name of "Update" function, implemented here.
304  * HASH_TRANSFORM
305  *	name of "Transform" function, implemented here.
306  * HASH_FINAL
307  *	name of "Final" function, implemented here.
308  * HASH_BLOCK_HOST_ORDER
309  *	name of "block" function treating *aligned* input message
310  *	in host byte order, implemented externally.
311  * HASH_BLOCK_DATA_ORDER
312  *	name of "block" function treating *unaligned* input message
313  *	in original (data) byte order, implemented externally (it
314  *	actually is optional if data and host are of the same
315  *	"endianess").
316  * HASH_MAKE_STRING
317  *	macro convering context variables to an ASCII hash string.
318  *
319  * Optional macros:
320  *
321  * B_ENDIAN or L_ENDIAN
322  *	defines host byte-order.
323  * HASH_LONG_LOG2
324  *	defaults to 2 if not states otherwise.
325  * HASH_LBLOCK
326  *	assumed to be HASH_CBLOCK/4 if not stated otherwise.
327  * HASH_BLOCK_DATA_ORDER_ALIGNED
328  *	alternative "block" function capable of treating
329  *	aligned input message in original (data) order,
330  *	implemented externally.
331  *
332  * MD5 example:
333  *
334  *	#define DATA_ORDER_IS_LITTLE_ENDIAN
335  *
336  *	#define HASH_LONG		mDNSu32
337  *	#define HASH_LONG_LOG2	mDNSu32_LOG2
338  *	#define HASH_CTX		MD5_CTX
339  *	#define HASH_CBLOCK		MD5_CBLOCK
340  *	#define HASH_LBLOCK		MD5_LBLOCK
341  *	#define HASH_UPDATE		MD5_Update
342  *	#define HASH_TRANSFORM		MD5_Transform
343  *	#define HASH_FINAL		MD5_Final
344  *	#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
345  *	#define HASH_BLOCK_DATA_ORDER	md5_block_data_order
346  *
347  *					<appro@fy.chalmers.se>
348  */
349 
// Compile-time checks: every macro the generic collector depends on must have been
// defined above; a missing one stops the build with #error instead of miscompiling.
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
#endif

#ifndef HASH_CBLOCK
#error "HASH_CBLOCK must be defined!"
#endif
#ifndef HASH_LONG
#error "HASH_LONG must be defined!"
#endif
#ifndef HASH_CTX
#error "HASH_CTX must be defined!"
#endif

#ifndef HASH_UPDATE
#error "HASH_UPDATE must be defined!"
#endif
#ifndef HASH_TRANSFORM
#error "HASH_TRANSFORM must be defined!"
#endif
#ifndef HASH_FINAL
#error "HASH_FINAL must be defined!"
#endif

#ifndef HASH_BLOCK_HOST_ORDER
#error "HASH_BLOCK_HOST_ORDER must be defined!"
#endif

// Disabled: the HASH_BLOCK_DATA_ORDER check is repeated further down, where it is
// applied only when HASH_BLOCK_DATA_ORDER_ALIGNED is not defined.
#if 0
/*
 * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
 * isn't defined.
 */
#ifndef HASH_BLOCK_DATA_ORDER
#error "HASH_BLOCK_DATA_ORDER must be defined!"
#endif
#endif

// Defaults for the optional macros: words per block and log2 of the word size in bytes.
#ifndef HASH_LBLOCK
#define HASH_LBLOCK (HASH_CBLOCK/4)
#endif

#ifndef HASH_LONG_LOG2
#define HASH_LONG_LOG2  2
#endif
395 
/*
 * Engage compiler specific rotate intrinsic function if available.
 * Any earlier ROTATE definition is discarded first; if no branch below
 * defines one, the portable shift-and-or fallback at the end is used.
 */
#undef ROTATE
#ifndef PEDANTIC
/* The Microsoft _lrotl branch is switched off by the literal "#if 0". */
# if 0 /* defined(_MSC_VER) */
#  define ROTATE(a,n)   _lrotl(a,n)
# elif defined(__MWERKS__)
#  if defined(__POWERPC__)
#   define ROTATE(a,n)  (unsigned MD32_REG_T)__rlwinm((int)a,n,0,31)
#  elif defined(__MC68K__)
/* Motorola specific tweak. <appro@fy.chalmers.se> */
#   define ROTATE(a,n)  (n<24 ? __rol(a,n) : __ror(a,32-n))
#  else
#   define ROTATE(a,n)  __rol(a,n)
#  endif
# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
/*
 * Some GNU C inline assembler templates. Note that these are
 * rotates by *constant* number of bits! But that's exactly
 * what we need here...
 *
 *                  <appro@fy.chalmers.se>
 */
/*
 * LLVM is more strict about compatibility of types between input & output constraints,
 * but we want these to be rotations of 32 bits, not 64, so we explicitly drop the
 * most significant bytes by casting to an unsigned int.
 */
#  if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
#   define ROTATE(a,n)  ({ register unsigned int ret;   \
                           asm (           \
                               "roll %1,%0"        \
                               : "=r" (ret)     \
                               : "I" (n), "0" ((unsigned int)a)  \
                               : "cc");        \
                           ret;             \
                         })
#  elif defined(__powerpc) || defined(__ppc)
#   define ROTATE(a,n)  ({ register unsigned int ret;   \
                           asm (           \
                               "rlwinm %0,%1,%2,0,31"  \
                               : "=r" (ret)     \
                               : "r" (a), "I" (n));  \
                           ret;             \
                         })
#  endif
# endif

/*
 * Engage compiler specific "fetch in reverse byte order"
 * intrinsic function if available.
 */
# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
/* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
#  if (defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)) && !defined(I386_ONLY)
#   define BE_FETCH32(a)    ({ register unsigned int l=(a); \
                               asm (           \
                                   "bswapl %0"     \
                                   : "=r" (l) : "0" (l));    \
                               l;                \
                             })
#  elif defined(__powerpc)
#   define LE_FETCH32(a)    ({ register unsigned int l; \
                               asm (           \
                                   "lwbrx %0,0,%1"     \
                                   : "=r" (l)       \
                                   : "r" (a));      \
                               l;               \
                             })

#  elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
#  define LE_FETCH32(a) ({ register unsigned int l;     \
                           asm (               \
                               "lda [%1]#ASI_PRIMARY_LITTLE,%0" \
                               : "=r" (l)           \
                               : "r" (a));          \
                           l;                   \
                         })
#  endif
# endif
#endif /* PEDANTIC */

#if HASH_LONG_LOG2==2   /* Engage only if sizeof(HASH_LONG)== 4 */
/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
/*
 * REVERSE_FETCH32 loads a word through a HASH_LONG pointer cast of (a) and
 * returns it with its bytes reversed.
 * NOTE(review): the cast presumably relies on (a) being suitably aligned for
 * HASH_LONG; confirm before enabling a configuration that uses this macro.
 */
#ifdef ROTATE
/* 5 instructions with rotate instruction, else 9 */
#define REVERSE_FETCH32(a,l)    (                   \
        l=*(const HASH_LONG *)(a),              \
        ((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))  \
        )
#else
/* 6 instructions with rotate instruction, else 8 */
/*
 * ROTATE is not defined yet when this branch is taken. That is fine: the macro
 * body is only expanded where REVERSE_FETCH32 is used, by which point the
 * portable ROTATE fallback below has been defined.
 */
#define REVERSE_FETCH32(a,l)    (               \
        l=*(const HASH_LONG *)(a),          \
        l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),    \
        ROTATE(l,16)                    \
        )
/*
 * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
 * It's rewritten as above for two reasons:
 *	- RISCs aren't good at long constants and have to explicitly
 *	  compose 'em with several (well, usually 2) instructions in a
 *	  register before performing the actual operation and (as you
 *	  already realized:-) having same constant should inspire the
 *	  compiler to permanently allocate the only register for it;
 *	- most modern CPUs have two ALUs, but usually only one has
 *	  circuitry for shifts:-( this minor tweak inspires compiler
 *	  to schedule shift instructions in a better way...
 *
 *				<appro@fy.chalmers.se>
 */
#endif
#endif

/*
 * Portable fallback: rotate (a) left by n bits within 32 bits. The mask on the
 * right-shifted half keeps bits above bit 31 out of the result when (a) is
 * wider than 32 bits; the left-shifted half is not masked here. n == 0 would
 * make the right shift count 32, so n is expected to be non-zero.
 */
#ifndef ROTATE
#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
#endif
514 
515 /*
516  * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
517  * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
518  * and host are of the same "endianess". It's possible to mask
519  * this with blank #define HASH_BLOCK_DATA_ORDER though...
520  *
521  *				<appro@fy.chalmers.se>
522  */
// B_ENDIAN / L_ENDIAN describe the host byte order and are optional. When host and
// data byte order agree and words are 4 bytes wide, the aligned data-order block
// function defaults to the host-order one. When they differ, HOST_FETCH32 is bound
// to a byte-swapping load if one of the fetch macros above is available.
#if defined(B_ENDIAN)
#  if defined(DATA_ORDER_IS_BIG_ENDIAN)
#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
#      define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
#    endif
#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#    ifndef HOST_FETCH32
#      ifdef LE_FETCH32
#        define HOST_FETCH32(p,l)   LE_FETCH32(p)
#      elif defined(REVERSE_FETCH32)
#        define HOST_FETCH32(p,l)   REVERSE_FETCH32(p,l)
#      endif
#    endif
#  endif
#elif defined(L_ENDIAN)
#  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
#      define HASH_BLOCK_DATA_ORDER_ALIGNED HASH_BLOCK_HOST_ORDER
#    endif
#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
#    ifndef HOST_FETCH32
#      ifdef BE_FETCH32
#        define HOST_FETCH32(p,l)   BE_FETCH32(p)
#      elif defined(REVERSE_FETCH32)
#        define HOST_FETCH32(p,l)   REVERSE_FETCH32(p,l)
#      endif
#    endif
#  endif
#endif

// Without an aligned data-order block function, the unaligned one is mandatory:
// it is then the only way the update code below can hash whole blocks in place.
#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
#ifndef HASH_BLOCK_DATA_ORDER
#error "HASH_BLOCK_DATA_ORDER must be defined!"
#endif
#endif
558 
// None of the invocations of the following macros actually use the result,
// so cast them to void to avoid any compiler warnings/errors about not using
// the result (e.g. when using clang).
// If the resultant values need to be used at some point, these must be changed.
//
// Byte <-> word helpers. All of them are macros that modify their arguments in
// place: c is a byte pointer that is advanced (or rewound) as bytes are consumed
// or produced, and l is the word being assembled or stored. None performs any
// bounds check; the caller must guarantee the bytes exist.
//   HOST_c2l(c,l)            read 4 bytes from c into l, c += 4
//   HOST_l2c(l,c)            write l as 4 bytes to c, c += 4
//   HOST_p_c2l(c,l,n)        complete a word that already holds n bytes (reads 4-n bytes)
//   HOST_p_c2l_p(c,l,sc,len) like HOST_p_c2l but stops after len bytes; it decrements
//                            the caller's len variable as it goes
//   HOST_c2l_p(c,l,n)        read the first n (< 4) bytes of a word; c ends where it started
// NOTE(review): _HOST_c2l and _HOST_l2c begin with an underscore followed by an
// uppercase letter, a spelling C reserves for the implementation.
#define HOST_c2l(c,l) ((void)_HOST_c2l(c,l))
#define HOST_l2c(l,c) ((void)_HOST_l2c(l,c))

#if defined(DATA_ORDER_IS_BIG_ENDIAN)

// Big-endian data order: the first byte read becomes the most significant byte of l.
#define _HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))<<24),      \
                         l|=(((unsigned long)(*((c)++)))<<16),      \
                         l|=(((unsigned long)(*((c)++)))<< 8),      \
                         l|=(((unsigned long)(*((c)++)))    ),      \
                         l)
// Case 0 assigns l; cases 1-3 OR into the value l already holds.
#define HOST_p_c2l(c,l,n)   {                       \
        switch (n) {                                \
        case 0: l =((unsigned long)(*((c)++)))<<24; \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*((c)++)))<<16; \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*((c)++)))<< 8; \
            /* FALLTHROUGH */                       \
        case 3: l|=((unsigned long)(*((c)++)));     \
        } }
#define HOST_p_c2l_p(c,l,sc,len) {                  \
        switch (sc) {                               \
        case 0: l =((unsigned long)(*((c)++)))<<24; \
            if (--len == 0) break;                  \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*((c)++)))<<16; \
            if (--len == 0) break;                  \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*((c)++)))<< 8; \
        } }
/* NOTE the pointer is not incremented at the end of this */
#define HOST_c2l_p(c,l,n)   {                       \
        l=0; (c)+=n;                                \
        switch (n) {                                \
        case 3: l =((unsigned long)(*(--(c))))<< 8; \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*(--(c))))<<16; \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*(--(c))))<<24; \
        } }
#define _HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)>>24)&0xff),  \
                         *((c)++)=(unsigned char)(((l)>>16)&0xff),  \
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),  \
                         *((c)++)=(unsigned char)(((l)    )&0xff),  \
                         l)

#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)

// Little-endian data order: the first byte read becomes the least significant byte of l.
// This is the variant in effect here, since DATA_ORDER_IS_LITTLE_ENDIAN is defined above.
#define _HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))    ),      \
                         l|=(((unsigned long)(*((c)++)))<< 8),      \
                         l|=(((unsigned long)(*((c)++)))<<16),      \
                         l|=(((unsigned long)(*((c)++)))<<24),      \
                         l)
// Case 0 assigns l; cases 1-3 OR into the value l already holds.
#define HOST_p_c2l(c,l,n)   {                       \
        switch (n) {                                \
        case 0: l =((unsigned long)(*((c)++)));     \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*((c)++)))<< 8; \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*((c)++)))<<16; \
            /* FALLTHROUGH */                       \
        case 3: l|=((unsigned long)(*((c)++)))<<24; \
        } }
#define HOST_p_c2l_p(c,l,sc,len) {                  \
        switch (sc) {                               \
        case 0: l =((unsigned long)(*((c)++)));     \
            if (--len == 0) break;                  \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*((c)++)))<< 8; \
            if (--len == 0) break;                  \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*((c)++)))<<16; \
        } }
/* NOTE the pointer is not incremented at the end of this */
#define HOST_c2l_p(c,l,n)   {                       \
        l=0; (c)+=n;                                \
        switch (n) {                                \
        case 3: l =((unsigned long)(*(--(c))))<<16; \
            /* FALLTHROUGH */                       \
        case 2: l|=((unsigned long)(*(--(c))))<< 8; \
            /* FALLTHROUGH */                       \
        case 1: l|=((unsigned long)(*(--(c))));     \
        } }
#define _HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)    )&0xff),  \
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),  \
                         *((c)++)=(unsigned char)(((l)>>16)&0xff),  \
                         *((c)++)=(unsigned char)(((l)>>24)&0xff),  \
                         l)

#endif
653 
654 /*
655  * Time for some action:-)
656  */
657 
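/*
 * Absorb len bytes starting at data_ into the hash context c.
 *
 * The message bit count kept in c->Nl (low word) and c->Nh (high word) is
 * advanced by len*8. Bytes that do not complete a HASH_CBLOCK-byte block are
 * packed into c->data as words through the HOST_*c2l macros, with c->num
 * counting how many bytes are buffered; complete blocks are handed to the
 * block functions. data_ may be unaligned.
 *
 * Always returns 1, including for len == 0 (which changes nothing).
 */
int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
{
    const unsigned char *data=(const unsigned char *)data_;
    /*
     * One past the last input byte. The word-copy loops below test
     * (data_end - data) >= 4 before every 4-byte read, so this must be the
     * END of the input. If it pointed at the start of the buffer the
     * difference would never be positive: the loops would be skipped, the
     * buffered block would be hashed with stale words, and data would fall
     * out of step with len.
     */
    const unsigned char * const data_end=data+len;
    register HASH_LONG * p;
    register unsigned long l;
    int sw,sc,ew,ec;

    if (len==0) return 1;

    /* Advance the 64-bit bit counter: low 32 bits in Nl, carry and high bits in Nh. */
    l=(c->Nl+(len<<3))&0xffffffffL;
    /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
     * Wei Dai <weidai@eskimo.com> for pointing it out. */
    if (l < c->Nl) /* overflow */
        c->Nh++;
    c->Nh+=(len>>29);
    c->Nl=l;

    if (c->num != 0)
    {
        /* A partial block is already buffered: sw is the word being filled,
         * sc the number of bytes already present in that word. */
        p=c->data;
        sw=c->num>>2;
        sc=c->num&0x03;

        if ((c->num+len) >= HASH_CBLOCK)
        {
            /* Enough input to complete the buffered block: finish the
             * current word, fill the remaining words, hash the block. */
            l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
            for (; (sw < HASH_LBLOCK) && ((data_end - data) >= 4); sw++)
            {
                HOST_c2l(data,l); p[sw]=l;
            }
            HASH_BLOCK_HOST_ORDER (c,p,1);
            len-=(HASH_CBLOCK-c->num);
            c->num=0;
            /* drop through and do the rest */
        }
        else
        {
            /* Still short of a full block: append to the buffer and return. */
            c->num+=len;
            if ((sc+len) < 4) /* ugly, add char's to a word */
            {
                /* HOST_p_c2l_p decrements len as it consumes bytes. */
                l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
            }
            else
            {
                ew=(c->num>>2);
                ec=(c->num&0x03);
                /* With sc == 0, HOST_p_c2l's case 0 assigns l before any |=,
                 * so l only needs seeding when the word is partly filled. */
                if (sc)
                    l=p[sw];
                HOST_p_c2l(data,l,sc);
                p[sw++]=l;
                for (; (sw < ew) && ((data_end - data) >= 4); sw++)
                {
                    HOST_c2l(data,l); p[sw]=l;
                }
                if (ec)
                {
                    HOST_c2l_p(data,l,ec); p[sw]=l;
                }
            }
            return 1;
        }
    }

    /* Hash as many whole blocks as possible straight from the input. */
    sw=(int)(len/HASH_CBLOCK);
    if (sw > 0)
    {
#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
        /*
         * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
         * only if sizeof(HASH_LONG)==4.
         */
        if ((((unsigned long)data)%4) == 0)
        {
            /* data is properly aligned so that we can cast it: */
            HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
            sw*=HASH_CBLOCK;
            data+=sw;
            len-=sw;
        }
        else
#if !defined(HASH_BLOCK_DATA_ORDER)
            /* No unaligned block function: copy each block into the
             * (aligned) context buffer and hash it from there. */
            while (sw--)
            {
                mDNSPlatformMemCopy(p=c->data,data,HASH_CBLOCK);
                HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
                data+=HASH_CBLOCK;
                len-=HASH_CBLOCK;
            }
#endif
#endif
#if defined(HASH_BLOCK_DATA_ORDER)
        /* When the aligned variant is also compiled in, this brace block is
         * the body of the dangling "else" above. */
        {
            HASH_BLOCK_DATA_ORDER(c,data,sw);
            sw*=HASH_CBLOCK;
            data+=sw;
            len-=sw;
        }
#endif
    }

    if (len!=0)
    {
        /* Buffer the tail (fewer than HASH_CBLOCK bytes) for the next call. */
        p = c->data;
        c->num = (int)len;
        ew=(int)(len>>2);   /* words to copy */
        ec=(int)(len&0x03);
        for (; ew && ((data_end - data) >= 4); ew--,p++)
        {
            HOST_c2l(data,l); *p=l;
        }
        /* HOST_c2l_p zeroes l first, so with ec == 0 this stores a zero word. */
        HOST_c2l_p(data,l,ec);
        *p=l;
    }
    return 1;
}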
774 
775 
/*
 * Hash exactly one HASH_CBLOCK-byte block at data into context c.
 *
 * When an aligned data-order block function is compiled in, 4-byte-aligned
 * input is passed to it directly. Unaligned input goes to the unaligned
 * data-order function if there is one, and is otherwise copied into c->data
 * and hashed from there.
 */
void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
{
#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
    if ((((unsigned long)data)%4) == 0)
    {
        /* data is properly aligned so that we can cast it: */
        HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
        return;
    }
#if !defined(HASH_BLOCK_DATA_ORDER)
    /* Only reached for unaligned input: stage the block in the context buffer. */
    mDNSPlatformMemCopy(c->data,data,HASH_CBLOCK);
    HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
#endif
#endif
#if defined(HASH_BLOCK_DATA_ORDER)
    HASH_BLOCK_DATA_ORDER (c,data,1);
#endif
}
794 
795 
/*
 * Finish the digest: append the 0x80 padding byte and zero fill, store the
 * two length words (c->Nl / c->Nh) in the last two words of the block, run
 * the block function, and write the result to `md` via HASH_MAKE_STRING.
 * Always returns 1.
 *
 * Only c->num is reset afterwards. The rest of the context, including the
 * data buffer, is left as it is; a caller that hashed key-dependent input
 * and needs the state gone has to clear the context itself.
 */
int HASH_FINAL (unsigned char *md, HASH_CTX *c)
{
    static const unsigned char pad_start[4]={0x80,0x00,0x00,0x00};
    const unsigned char *pad=pad_start;
    HASH_LONG *words=c->data;
    unsigned long l;
    int widx=c->num>>2;     /* first word that is not completely filled */
    int used=c->num&0x03;   /* message bytes already stored in that word */

    /*
     * The buffer is expected to have room for at least one more byte.
     * If the partial word holds no message bytes its content is undefined,
     * so start from 0 rather than reading it.
     */
    l = (used==0) ? 0 : words[widx];
    HOST_p_c2l(pad,l,used);
    words[widx++]=l;    /* widx now names the next unwritten word */

    if (widx>(HASH_LBLOCK-2))
    {
        /* The two length words no longer fit: flush this block first. */
        if (widx<HASH_LBLOCK) words[widx]=0;
        HASH_BLOCK_HOST_ORDER (c,words,1);
        widx=0;
    }
    while (widx<(HASH_LBLOCK-2))
        words[widx++]=0;

    /* The order of the two length words follows the digest's byte order. */
#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
    words[HASH_LBLOCK-2]=c->Nh;
    words[HASH_LBLOCK-1]=c->Nl;
#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
    words[HASH_LBLOCK-2]=c->Nl;
    words[HASH_LBLOCK-1]=c->Nh;
#endif
    HASH_BLOCK_HOST_ORDER (c,words,1);

#ifndef HASH_MAKE_STRING
#error "HASH_MAKE_STRING must be defined!"
#else
    HASH_MAKE_STRING(c,md);
#endif

    c->num=0;
    /*
     * The context is deliberately not wiped here (the original carries a
     * disabled OPENSSL_cleanse((void *)c,sizeof(HASH_CTX)) at this point).
     */
    return 1;
}
859 
860 #ifndef MD32_REG_T
861 #define MD32_REG_T long
862 /*
863  * This comment was originaly written for MD5, which is why it
864  * discusses A-D. But it basically applies to all 32-bit digests,
865  * which is why it was moved to common header file.
866  *
867  * In case you wonder why A-D are declared as long and not
868  * as mDNSu32. Doing so results in slight performance
869  * boost on LP64 architectures. The catch is we don't
870  * really care if 32 MSBs of a 64-bit register get polluted
871  * with eventual overflows as we *save* only 32 LSBs in
872  * *either* case. Now declaring 'em long excuses the compiler
873  * from keeping 32 MSBs zeroed resulting in 13% performance
874  * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
875  * Well, to be honest it should say that this *prevents*
876  * performance degradation.
877  *				<appro@fy.chalmers.se>
878  * Apparently there're LP64 compilers that generate better
879  * code if A-D are declared int. Most notably GCC-x86_64
880  * generates better code.
881  *				<appro@fy.chalmers.se>
882  */
883 #endif
884 
885 
886 // from md5_locl.h (continued)
887 
888 /*
889  #define	F(x,y,z)	(((x) & (y))  |  ((~(x)) & (z)))
890  #define	G(x,y,z)	(((x) & (z))  |  ((y) & (~(z))))
891  */
892 
893 /* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
894  * simplified to the code below.  Wei attributes these optimizations
895  * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
896  */
/*
 * Bitwise mixing functions used by the four MD5 rounds. F and G are the
 * reduced forms of the commented-out definitions above.
 */
#define F(b,c,d)    ((((c) ^ (d)) & (b)) ^ (d))
#define G(b,c,d)    ((((b) ^ (c)) & (d)) ^ (c))
#define H(b,c,d)    ((b) ^ (c) ^ (d))
#define I(b,c,d)    (((~(d)) | (b)) ^ (c))

/*
 * One step of round 0..3: a = b + ROTATE(a + k + t + f(b,c,d), s), where k
 * is the message word, t the step constant, s the rotate count and f the
 * round's mixing function (F, G, H or I).
 * `a` and `b` are expanded more than once and the expansion is a braced
 * block followed by ';', so pass plain lvalues and use these macros only as
 * stand-alone statements.
 */
#define R0(a,b,c,d,k,s,t) { \
        a+=((k)+(t)+F((b),(c),(d))); \
        a=ROTATE(a,s); \
        a+=b; }; \

#define R1(a,b,c,d,k,s,t) { \
        a+=((k)+(t)+G((b),(c),(d))); \
        a=ROTATE(a,s); \
        a+=b; };

#define R2(a,b,c,d,k,s,t) { \
        a+=((k)+(t)+H((b),(c),(d))); \
        a=ROTATE(a,s); \
        a+=b; };

#define R3(a,b,c,d,k,s,t) { \
        a+=((k)+(t)+I((b),(c),(d))); \
        a=ROTATE(a,s); \
        a+=b; };
921 
922 // from md5_dgst.c
923 
924 
925 /* Implemented from RFC1321 The MD5 Message-Digest Algorithm
926  */
927 
/* Initial values of the four MD5 chaining variables. */
#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L

/*
 * Put an MD5 context into its starting state: nothing buffered, length
 * counters at zero, chaining variables at their initial values.
 * Always returns 1.
 */
int MD5_Init(MD5_CTX *c)
{
    /* No buffered bytes and no input counted yet. */
    c->num=0;
    c->Nl=0;
    c->Nh=0;

    /* Chaining variables. */
    c->A=INIT_DATA_A;
    c->B=INIT_DATA_B;
    c->C=INIT_DATA_C;
    c->D=INIT_DATA_D;

    return 1;
}
944 
945 #ifndef md5_block_host_order
/*
 * MD5 compression function over `num` consecutive blocks whose words are
 * read directly as mDNSu32 values from `data` (no byte-order conversion is
 * done here). Each block is HASH_LBLOCK words; the result of every block is
 * added into c->A..c->D.
 *
 * `data` is cast to a word pointer, so the caller is assumed to pass
 * suitably aligned storage - TODO confirm for every caller.
 * The loop counts `num` down to zero and has no guard against a negative
 * count.
 */
void md5_block_host_order (MD5_CTX *c, const void *data, int num)
{
    const mDNSu32 *X=(const mDNSu32 *)data;
    register unsigned MD32_REG_T A,B,C,D;

    /* Work on local copies of the chaining variables. */
    A=c->A;
    B=c->B;
    C=c->C;
    D=c->D;

    for (; num--; X+=HASH_LBLOCK)
    {
        /* Round 0 */
        R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
        R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
        R0(C,D,A,B,X[ 2],17,0x242070dbL);
        R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
        R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
        R0(D,A,B,C,X[ 5],12,0x4787c62aL);
        R0(C,D,A,B,X[ 6],17,0xa8304613L);
        R0(B,C,D,A,X[ 7],22,0xfd469501L);
        R0(A,B,C,D,X[ 8], 7,0x698098d8L);
        R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
        R0(C,D,A,B,X[10],17,0xffff5bb1L);
        R0(B,C,D,A,X[11],22,0x895cd7beL);
        R0(A,B,C,D,X[12], 7,0x6b901122L);
        R0(D,A,B,C,X[13],12,0xfd987193L);
        R0(C,D,A,B,X[14],17,0xa679438eL);
        R0(B,C,D,A,X[15],22,0x49b40821L);
        /* Round 1 */
        R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
        R1(D,A,B,C,X[ 6], 9,0xc040b340L);
        R1(C,D,A,B,X[11],14,0x265e5a51L);
        R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
        R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
        R1(D,A,B,C,X[10], 9,0x02441453L);
        R1(C,D,A,B,X[15],14,0xd8a1e681L);
        R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
        R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
        R1(D,A,B,C,X[14], 9,0xc33707d6L);
        R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
        R1(B,C,D,A,X[ 8],20,0x455a14edL);
        R1(A,B,C,D,X[13], 5,0xa9e3e905L);
        R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
        R1(C,D,A,B,X[ 7],14,0x676f02d9L);
        R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
        /* Round 2 */
        R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
        R2(D,A,B,C,X[ 8],11,0x8771f681L);
        R2(C,D,A,B,X[11],16,0x6d9d6122L);
        R2(B,C,D,A,X[14],23,0xfde5380cL);
        R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
        R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
        R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
        R2(B,C,D,A,X[10],23,0xbebfbc70L);
        R2(A,B,C,D,X[13], 4,0x289b7ec6L);
        R2(D,A,B,C,X[ 0],11,0xeaa127faL);
        R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
        R2(B,C,D,A,X[ 6],23,0x04881d05L);
        R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
        R2(D,A,B,C,X[12],11,0xe6db99e5L);
        R2(C,D,A,B,X[15],16,0x1fa27cf8L);
        R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
        /* Round 3 */
        R3(A,B,C,D,X[ 0], 6,0xf4292244L);
        R3(D,A,B,C,X[ 7],10,0x432aff97L);
        R3(C,D,A,B,X[14],15,0xab9423a7L);
        R3(B,C,D,A,X[ 5],21,0xfc93a039L);
        R3(A,B,C,D,X[12], 6,0x655b59c3L);
        R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
        R3(C,D,A,B,X[10],15,0xffeff47dL);
        R3(B,C,D,A,X[ 1],21,0x85845dd1L);
        R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
        R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
        R3(C,D,A,B,X[ 6],15,0xa3014314L);
        R3(B,C,D,A,X[13],21,0x4e0811a1L);
        R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
        R3(D,A,B,C,X[11],10,0xbd3af235L);
        R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
        R3(B,C,D,A,X[ 9],21,0xeb86d391L);

        /* Add this block's result into the context and carry it forward. */
        A = c->A += A;
        B = c->B += B;
        C = c->C += C;
        D = c->D += D;
    }
}
1033 #endif
1034 
1035 #ifndef md5_block_data_order
1036 #ifdef X
1037 #undef X
1038 #endif
/*
 * MD5 compression function over `num` consecutive blocks read from the
 * byte stream `data_`. Each message word is fetched with HOST_c2l just
 * before the first step that needs it and kept in X(0)..X(15) for the later
 * rounds; the result of every block is added into c->A..c->D.
 *
 * HOST_c2l is presumably what advances `data` (nothing else in this
 * function moves it), 16 fetches per block - confirm against the macro.
 * The caller must supply num * HASH_CBLOCK readable bytes; no length is
 * checked here, and a negative `num` is not guarded against.
 */
void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
{
    const unsigned char *data=data_;
    register unsigned MD32_REG_T A,B,C,D,l;
#ifndef MD32_XARRAY
    /* See comment in crypto/sha/sha_locl.h for details. */
    /* Message words live in 16 separate locals; X(i) pastes the index. */
    unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
# define X(i)   XX ## i
#else
    /* Message words live in an array; X(i) indexes it. */
    mDNSu32 XX[MD5_LBLOCK];
# define X(i)   XX[i]
#endif

    /* Work on local copies of the chaining variables. */
    A=c->A;
    B=c->B;
    C=c->C;
    D=c->D;

#if defined(__clang_analyzer__)
    // Get rid of false positive analyzer warning.
    for (const unsigned char *_ptr = data; _ptr < &data[num * HASH_CBLOCK]; ++_ptr) {}
#endif
    for (; num--;)
    {
        HOST_c2l(data,l); X( 0)=l;      HOST_c2l(data,l); X( 1)=l;
        /* Round 0 */
        R0(A,B,C,D,X( 0), 7,0xd76aa478L);   HOST_c2l(data,l); X( 2)=l;
        R0(D,A,B,C,X( 1),12,0xe8c7b756L);   HOST_c2l(data,l); X( 3)=l;
        R0(C,D,A,B,X( 2),17,0x242070dbL);   HOST_c2l(data,l); X( 4)=l;
        R0(B,C,D,A,X( 3),22,0xc1bdceeeL);   HOST_c2l(data,l); X( 5)=l;
        R0(A,B,C,D,X( 4), 7,0xf57c0fafL);   HOST_c2l(data,l); X( 6)=l;
        R0(D,A,B,C,X( 5),12,0x4787c62aL);   HOST_c2l(data,l); X( 7)=l;
        R0(C,D,A,B,X( 6),17,0xa8304613L);   HOST_c2l(data,l); X( 8)=l;
        R0(B,C,D,A,X( 7),22,0xfd469501L);   HOST_c2l(data,l); X( 9)=l;
        R0(A,B,C,D,X( 8), 7,0x698098d8L);   HOST_c2l(data,l); X(10)=l;
        R0(D,A,B,C,X( 9),12,0x8b44f7afL);   HOST_c2l(data,l); X(11)=l;
        R0(C,D,A,B,X(10),17,0xffff5bb1L);   HOST_c2l(data,l); X(12)=l;
        R0(B,C,D,A,X(11),22,0x895cd7beL);   HOST_c2l(data,l); X(13)=l;
        R0(A,B,C,D,X(12), 7,0x6b901122L);   HOST_c2l(data,l); X(14)=l;
        R0(D,A,B,C,X(13),12,0xfd987193L);   HOST_c2l(data,l); X(15)=l;
        R0(C,D,A,B,X(14),17,0xa679438eL);
        R0(B,C,D,A,X(15),22,0x49b40821L);
        /* Round 1 */
        R1(A,B,C,D,X( 1), 5,0xf61e2562L);
        R1(D,A,B,C,X( 6), 9,0xc040b340L);
        R1(C,D,A,B,X(11),14,0x265e5a51L);
        R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
        R1(A,B,C,D,X( 5), 5,0xd62f105dL);
        R1(D,A,B,C,X(10), 9,0x02441453L);
        R1(C,D,A,B,X(15),14,0xd8a1e681L);
        R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
        R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
        R1(D,A,B,C,X(14), 9,0xc33707d6L);
        R1(C,D,A,B,X( 3),14,0xf4d50d87L);
        R1(B,C,D,A,X( 8),20,0x455a14edL);
        R1(A,B,C,D,X(13), 5,0xa9e3e905L);
        R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
        R1(C,D,A,B,X( 7),14,0x676f02d9L);
        R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
        /* Round 2 */
        R2(A,B,C,D,X( 5), 4,0xfffa3942L);
        R2(D,A,B,C,X( 8),11,0x8771f681L);
        R2(C,D,A,B,X(11),16,0x6d9d6122L);
        R2(B,C,D,A,X(14),23,0xfde5380cL);
        R2(A,B,C,D,X( 1), 4,0xa4beea44L);
        R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
        R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
        R2(B,C,D,A,X(10),23,0xbebfbc70L);
        R2(A,B,C,D,X(13), 4,0x289b7ec6L);
        R2(D,A,B,C,X( 0),11,0xeaa127faL);
        R2(C,D,A,B,X( 3),16,0xd4ef3085L);
        R2(B,C,D,A,X( 6),23,0x04881d05L);
        R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
        R2(D,A,B,C,X(12),11,0xe6db99e5L);
        R2(C,D,A,B,X(15),16,0x1fa27cf8L);
        R2(B,C,D,A,X( 2),23,0xc4ac5665L);
        /* Round 3 */
        R3(A,B,C,D,X( 0), 6,0xf4292244L);
        R3(D,A,B,C,X( 7),10,0x432aff97L);
        R3(C,D,A,B,X(14),15,0xab9423a7L);
        R3(B,C,D,A,X( 5),21,0xfc93a039L);
        R3(A,B,C,D,X(12), 6,0x655b59c3L);
        R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
        R3(C,D,A,B,X(10),15,0xffeff47dL);
        R3(B,C,D,A,X( 1),21,0x85845dd1L);
        R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
        R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
        R3(C,D,A,B,X( 6),15,0xa3014314L);
        R3(B,C,D,A,X(13),21,0x4e0811a1L);
        R3(A,B,C,D,X( 4), 6,0xf7537e82L);
        R3(D,A,B,C,X(11),10,0xbd3af235L);
        R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
        R3(B,C,D,A,X( 9),21,0xeb86d391L);

        /* Add this block's result into the context and carry it forward. */
        A = c->A += A;
        B = c->B += B;
        C = c->C += C;
        D = c->D += D;
    }
}
1140 #endif
1141 
1142 
1143 // ***************************************************************************
1144 #if COMPILER_LIKES_PRAGMA_MARK
1145 #pragma mark - base64 -> binary conversion
1146 #endif
1147 
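// Base64 alphabet: the index of a character in this string is its 6-bit value
static const char Base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Padding character that ends a base64 string
static const char Pad64 = '=';


// Locale-independent whitespace test.
// The argument is parenthesized so that an expression argument (for example a conditional)
// is compared as a whole. It is still expanded several times, so it must not have side effects.
#define mDNSisspace(x) ((x) == '\t' || (x) == '\n' || (x) == '\v' || (x) == '\f' || (x) == '\r' || (x) == ' ')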
1153 
// Returns a pointer to the first occurrence of c in the NUL-terminated string s,
// or mDNSNULL if c does not occur. Because the match is tested before the terminator,
// c == 0 yields a pointer to the terminating NUL.
mDNSlocal const char *mDNSstrchr(const char *s, int c)
{
    for (;; s++)
    {
        if (*s == c) return s;
        if (*s == '\0') return mDNSNULL;
    }
}
1163 
1164 // skips all whitespace anywhere.
1165 // converts characters, four at a time, starting at (or after)
1166 // src from base - 64 numbers into three 8 bit bytes in the target area.
1167 // it returns the number of data bytes stored at the target, or -1 on error.
1168 // adapted from BIND sources
1169 
// Decodes the NUL-terminated base64 string src into target (at most targsize bytes).
// Whitespace is ignored wherever it appears. If target is mDNSNULL nothing is stored and
// only the decoded length is counted.
// Returns the number of decoded bytes, or -1 for a character outside the alphabet, a
// buffer that is too small, misplaced or incomplete padding, trailing garbage, or
// non-zero leftover bits in the final group.
mDNSlocal mDNSs32 DNSDigest_Base64ToBin(const char *src, mDNSu8 *target, mDNSu32 targsize)
{
    int outlen = 0;     // bytes completely decoded so far
    int phase  = 0;     // position (0..3) inside the current group of four characters
    int ch;

    for (ch = *src++; ch != '\0'; ch = *src++)
    {
        const char *hit;
        int sextet;

        if (mDNSisspace(ch))    // whitespace is skipped anywhere
            continue;

        if (ch == Pad64)
            break;

        hit = mDNSstrchr(Base64, ch);
        if (hit == mDNSNULL)    // not a base64 character
            return (-1);
        sextet = (int)(hit - Base64);

        if (phase == 0)
        {
            // top six bits of the first output byte
            if (target)
            {
                if ((mDNSu32)outlen >= targsize)
                    return (-1);
                target[outlen] = (mDNSu8)(sextet << 2);
            }
            phase = 1;
        }
        else if (phase == 1)
        {
            // completes the first byte, starts the second
            if (target)
            {
                if ((mDNSu32)outlen + 1 >= targsize)
                    return (-1);
                target[outlen]   |= (mDNSu8)(sextet >> 4);
                target[outlen+1]  = (mDNSu8)((sextet & 0x0f) << 4);
            }
            outlen++;
            phase = 2;
        }
        else if (phase == 2)
        {
            // completes the second byte, starts the third
            if (target)
            {
                if ((mDNSu32)outlen + 1 >= targsize)
                    return (-1);
                target[outlen]   |= (mDNSu8)(sextet >> 2);
                target[outlen+1]  = (mDNSu8)((sextet & 0x03) << 6);
            }
            outlen++;
            phase = 3;
        }
        else
        {
            // phase 3: completes the third byte
            if (target)
            {
                if ((mDNSu32)outlen >= targsize)
                    return (-1);
                target[outlen] |= (mDNSu8)sextet;
            }
            outlen++;
            phase = 0;
        }
    }

    // Input ended without padding: only valid on a group boundary.
    if (ch != Pad64)
        return (phase == 0) ? outlen : (-1);

    // A pad character was seen. Step over it and validate what follows.
    ch = *src++;

    if (phase < 2)              // '=' cannot be the first or second character of a group
        return (-1);

    if (phase == 2)
    {
        // One byte of data in this group: a second '=' must follow, spaces allowed in between.
        while (ch != '\0' && mDNSisspace(ch))
            ch = *src++;
        if (ch != Pad64)
            return (-1);
        ch = *src++;            // step over the second '='
    }

    // Only whitespace may follow the padding.
    while (ch != '\0')
    {
        if (!mDNSisspace(ch))
            return (-1);
        ch = *src++;
    }

    // The bits that spilled past the last full byte must be zero; accepting anything
    // else would give the encoding a hidden side channel.
    if (target && target[outlen] != 0)
        return (-1);

    return (outlen);
}
1285 
1286 
1287 // ***************************************************************************
1288 #if COMPILER_LIKES_PRAGMA_MARK
1289 #pragma mark - API exported to mDNS Core
1290 #endif
1291 
1292 // Constants
// Pad bytes XORed into the key: HMAC_IPAD for the inner hash, HMAC_OPAD for the outer hash
#define HMAC_IPAD   0x36
#define HMAC_OPAD   0x5c
// Size in bytes of an MD5 digest, and so of the MAC written to and read from the TSIG record
#define MD5_LEN     16

// TSIG algorithm name as length-prefixed labels (octal length bytes); the string literal's
// own terminating NUL serves as the root label.
// NOTE(review): this is the only algorithm this file signs or verifies with. RFC 8945
// discourages HMAC-MD5 for TSIG in favour of HMAC-SHA-256 - confirm the deployment's requirements.
#define HMAC_MD5_AlgName "\010" "hmac-md5" "\007" "sig-alg" "\003" "reg" "\003" "int"
1298 
1299 // Adapted from Appendix, RFC 2104
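// Derives the two HMAC key pads from a raw key and stores them in info->keydata_ipad
// and info->keydata_opad (HMAC_LEN bytes each).
//   info - receives the pads
//   key  - raw key bytes
//   len  - number of bytes at key; a key longer than HMAC_LEN is replaced by MD5(key)
// The temporary digest of the key and the MD5 context used to compute it are cleared
// before returning so that no key-derived material is left behind in this stack frame.
mDNSlocal void DNSDigest_ConstructHMACKey(DomainAuthInfo *info, const mDNSu8 *key, mDNSu32 len)
{
    MD5_CTX k;
    mDNSu8 buf[MD5_LEN];
    int i;

    // If key is longer than HMAC_LEN reset it to MD5(key)
    if (len > HMAC_LEN)
    {
        MD5_Init(&k);
        MD5_Update(&k, key, len);
        MD5_Final(buf, &k);
        key = buf;
        len = MD5_LEN;
    }

    // store key in pads, zero-extended to HMAC_LEN
    mDNSPlatformMemZero(info->keydata_ipad, HMAC_LEN);
    mDNSPlatformMemZero(info->keydata_opad, HMAC_LEN);
    mDNSPlatformMemCopy(info->keydata_ipad, key, len);
    mDNSPlatformMemCopy(info->keydata_opad, key, len);

    // XOR key with ipad and opad values
    for (i = 0; i < HMAC_LEN; i++)
    {
        info->keydata_ipad[i] ^= HMAC_IPAD;
        info->keydata_opad[i] ^= HMAC_OPAD;
    }

    // Clear the key digest and hash state. Harmless when the key was not hashed.
    // NOTE(review): this relies on mDNSPlatformMemZero not being optimized away for
    // storage that is about to go out of scope - confirm for the platform layer in use.
    mDNSPlatformMemZero(buf, sizeof(buf));
    mDNSPlatformMemZero(&k, sizeof(k));
}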
1330 
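// Decodes the base64 shared secret b64key and installs the derived HMAC pads in info.
// Returns the decoded key length in bytes, or a negative value if b64key is not valid
// base64 or decodes to more than the 1024-byte staging buffer can hold (info is left
// untouched in that case).
// The decoded key is cleared from the staging buffer on every path before returning.
// NOTE(review): a string that decodes to zero bytes is accepted and installs an empty
// key; callers that must not run with an empty secret need to check for a 0 return.
mDNSexport mDNSs32 DNSDigest_ConstructHMACKeyfromBase64(DomainAuthInfo *info, const char *b64key)
{
    mDNSu8 keybuf[1024];
    mDNSs32 keylen = DNSDigest_Base64ToBin(b64key, keybuf, sizeof(keybuf));

    if (keylen >= 0)
        DNSDigest_ConstructHMACKey(info, keybuf, (mDNSu32)keylen);

    // A failed decode can still have written part of the secret, so wipe unconditionally.
    // NOTE(review): relies on mDNSPlatformMemZero not being optimized away - confirm for
    // the platform layer in use.
    mDNSPlatformMemZero(keybuf, sizeof(keybuf));
    return(keylen);
}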
1339 
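// Appends an HMAC-MD5 TSIG record to msg and increments the message's additional-record count.
//   msg   - message to sign; everything from msg up to *end is covered by the MAC
//   end   - in: current end of the message; out: end of the message including the TSIG
//           record, or mDNSNULL on failure
//   info  - supplies the key name and the precomputed key pads
//   tcode - value for the TSIG error field
// Failure (*end == mDNSNULL) is reported when the platform clock is unavailable or when
// the TSIG record cannot be added to the message. In the clock case the function now
// returns immediately; previously it carried on, signed the message with the invalid
// timestamp, and the later assignment to *end hid the error from the caller.
mDNSexport void DNSDigest_SignMessage(DNSMessage *msg, mDNSu8 **end, DomainAuthInfo *info, mDNSu16 tcode)
{
    AuthRecord tsig;
    mDNSu8  *rdata, *const countPtr = (mDNSu8 *)&msg->h.numAdditionals; // Get existing numAdditionals value
    mDNSu32 utc32;
    mDNSu8 utc48[6];
    mDNSu8 digest[MD5_LEN];
    mDNSu8 *ptr = *end;
    mDNSu32 len;
    mDNSOpaque16 buf;
    MD5_CTX c;
    mDNSu16 numAdditionals = (mDNSu16)((mDNSu16)countPtr[0] << 8 | countPtr[1]);

    // Init MD5 context, digest inner key pad and message
    MD5_Init(&c);
    MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
    MD5_Update(&c, (mDNSu8 *)msg, (unsigned long)(*end - (mDNSu8 *)msg));

    // Construct TSIG RR, digesting variables as appropriate
    mDNS_SetupResourceRecord(&tsig, mDNSNULL, 0, kDNSType_TSIG, 0, kDNSRecordTypeKnownUnique, AuthRecordAny, mDNSNULL, mDNSNULL);

    // key name
    AssignDomainName(&tsig.namestorage, &info->keyname);
    MD5_Update(&c, info->keyname.c, DomainNameLength(&info->keyname));

    // class
    tsig.resrec.rrclass = kDNSQClass_ANY;
    buf = mDNSOpaque16fromIntVal(kDNSQClass_ANY);
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));

    // ttl (zero, so the in-memory byte order does not matter)
    tsig.resrec.rroriginalttl = 0;
    MD5_Update(&c, (mDNSu8 *)&tsig.resrec.rroriginalttl, sizeof(tsig.resrec.rroriginalttl));

    // alg name
    AssignConstStringDomainName(&tsig.resrec.rdata->u.name, HMAC_MD5_AlgName);
    len = DomainNameLengthLimit((domainname *)HMAC_MD5_AlgName, (mDNSu8 *)HMAC_MD5_AlgName + sizeof HMAC_MD5_AlgName);
    rdata = tsig.resrec.rdata->u.data + len;
    MD5_Update(&c, (mDNSu8 *)HMAC_MD5_AlgName, len);

    // time
    // get UTC (universal time), convert to 48-bit unsigned in network byte order
    utc32 = (mDNSu32)mDNSPlatformUTC();
    if (utc32 == (unsigned)-1)
    {
        // Without a valid clock the signed time would be meaningless; fail instead of signing.
        LogMsg("ERROR: DNSDigest_SignMessage - mDNSPlatformUTC returned bad time -1");
        *end = mDNSNULL;
        return;
    }
    utc48[0] = 0;
    utc48[1] = 0;
    utc48[2] = (mDNSu8)((utc32 >> 24) & 0xff);
    utc48[3] = (mDNSu8)((utc32 >> 16) & 0xff);
    utc48[4] = (mDNSu8)((utc32 >>  8) & 0xff);
    utc48[5] = (mDNSu8)( utc32        & 0xff);

    mDNSPlatformMemCopy(rdata, utc48, 6);
    rdata += 6;
    MD5_Update(&c, utc48, 6);

    // 300 sec is the fudge recommended in RFC 2845
    rdata[0] = (mDNSu8)((300 >> 8)  & 0xff);
    rdata[1] = (mDNSu8)( 300        & 0xff);
    MD5_Update(&c, rdata, sizeof(mDNSOpaque16));
    rdata += sizeof(mDNSOpaque16);

    // digest error (tcode) and other data len (zero) - we'll add them to the rdata later
    buf.b[0] = (mDNSu8)((tcode >> 8) & 0xff);
    buf.b[1] = (mDNSu8)( tcode       & 0xff);
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // error
    buf.NotAnInteger = 0;
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // other data len

    // finish the message & tsig var hash
    MD5_Final(digest, &c);

    // perform outer MD5 (outer key pad, inner digest)
    MD5_Init(&c);
    MD5_Update(&c, info->keydata_opad, HMAC_LEN);
    MD5_Update(&c, digest, MD5_LEN);
    MD5_Final(digest, &c);

    // set remaining rdata fields
    rdata[0] = (mDNSu8)((MD5_LEN >> 8)  & 0xff);                          // MAC size
    rdata[1] = (mDNSu8)( MD5_LEN        & 0xff);
    rdata += sizeof(mDNSOpaque16);
    mDNSPlatformMemCopy(rdata, digest, MD5_LEN);                          // MAC
    rdata += MD5_LEN;
    rdata[0] = msg->h.id.b[0];                                            // original ID
    rdata[1] = msg->h.id.b[1];
    rdata[2] = (mDNSu8)((tcode >> 8) & 0xff);                             // error
    rdata[3] = (mDNSu8)( tcode       & 0xff);
    rdata[4] = 0;                                                         // other data len
    rdata[5] = 0;
    rdata += 6;

    tsig.resrec.rdlength = (mDNSu16)(rdata - tsig.resrec.rdata->u.data);
    *end = PutResourceRecordTTLJumbo(msg, ptr, &numAdditionals, &tsig.resrec, 0);
    if (!*end) { LogMsg("ERROR: DNSDigest_SignMessage - could not put TSIG"); *end = mDNSNULL; return; }

    // Write back updated numAdditionals value
    countPtr[0] = (mDNSu8)(numAdditionals >> 8);
    countPtr[1] = (mDNSu8)(numAdditionals &  0xFF);
}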
1439 
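// Verifies the HMAC-MD5 TSIG record held in lcr against the message bytes msg..end.
//   msg, end - span of message bytes covered by the MAC (presumably the message without
//              the TSIG record itself - confirm against the caller)
//   lcr      - the parsed TSIG record: algorithm name, time, fudge, MAC size, MAC, ...
//   info     - supplies the precomputed key pads
//   rcode    - set to kDNSFlag1_RC_NotAuth on failure, untouched on success
//   tcode    - set to the matching TSIG error on failure, untouched on success
// Returns mDNStrue only if the algorithm is HMAC-MD5, the record is long enough to hold
// all fixed fields, the signed time is within the record's fudge of the local clock, the
// MAC size is MD5_LEN, and the recomputed MAC equals the received one.
//
// Changes from the previous version:
//  - rdlength is checked before the fixed fields are read, so bytes beyond the received
//    record are never interpreted as time, fudge or MAC;
//  - the clock skew is computed in unsigned arithmetic; the signed subtraction could
//    overflow for a far-off timestamp;
//  - the MAC size field is checked instead of skipped;
//  - the MACs are compared without an early exit on the first differing byte.
mDNSexport mDNSBool DNSDigest_VerifyMessage(DNSMessage *msg, mDNSu8 *end, LargeCacheRecord * lcr, DomainAuthInfo *info, mDNSu16 * rcode, mDNSu16 * tcode)
{
    mDNSu8          *   ptr = (mDNSu8*) &lcr->r.resrec.rdata->u.data;
    mDNSs32 now;
    mDNSs32 then;
    mDNSu8 thisDigest[MD5_LEN];
    mDNSu8 thatDigest[MD5_LEN];
    mDNSOpaque16 buf;
    mDNSu8 utc48[6];
    mDNSu32 delta;
    mDNSu16 fudge;
    mDNSu16 macsize;
    mDNSu16 algolen;
    mDNSu8 diff;
    int i;
    domainname      *   algo;
    MD5_CTX c;
    mDNSBool ok = mDNSfalse;

    // We only support HMAC-MD5 for now

    algo = (domainname*) ptr;

    if (!SameDomainName(algo, (domainname *)HMAC_MD5_AlgName))
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - TSIG algorithm not supported: %##s", algo->c);
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadKey;
        ok = mDNSfalse;
        goto exit;
    }

    algolen = DomainNameLength(algo);

    // The fields read below are: time (6), fudge (2), MAC size (2), MAC (MD5_LEN).
    // NOTE(review): assumes rdlength counts the bytes stored at rdata->u.data, algorithm
    // name included - confirm against the code that parses the TSIG record.
    if ((mDNSu32)lcr->r.resrec.rdlength < (mDNSu32)algolen + 6 + sizeof(mDNSu16) + sizeof(mDNSu16) + MD5_LEN)
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - TSIG rdata too short");
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadSig;
        ok = mDNSfalse;
        goto exit;
    }

    ptr += algolen;

    // Check the times

    now = mDNSPlatformUTC();
    if (now == -1)
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - mDNSPlatformUTC returned bad time -1");
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadTime;
        ok = mDNSfalse;
        goto exit;
    }

    // Get the 48 bit time field; only the low 32 bits are used for the comparison

    utc48[0] = *ptr++;
    utc48[1] = *ptr++;
    utc48[2] = *ptr++;
    utc48[3] = *ptr++;
    utc48[4] = *ptr++;
    utc48[5] = *ptr++;

    then  = (mDNSs32)NToH32(utc48 + sizeof(mDNSu16));

    fudge = NToH16(ptr);

    ptr += sizeof(mDNSu16);

    // |now - then|, taken in unsigned arithmetic: the true distance between two 32-bit
    // signed values always fits in 32 bits, while the signed subtraction may overflow.
    delta = (now > then) ? (mDNSu32)now - (mDNSu32)then : (mDNSu32)then - (mDNSu32)now;

    if (delta > fudge)
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - time skew > %d", fudge);
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadTime;
        ok = mDNSfalse;
        goto exit;
    }

    // MAC size: exactly MD5_LEN bytes are copied and compared below, so nothing else is acceptable

    macsize = NToH16(ptr);
    ptr += sizeof(mDNSu16);

    if (macsize != MD5_LEN)
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - unexpected MAC size %d", macsize);
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadSig;
        ok = mDNSfalse;
        goto exit;
    }

    // MAC

    mDNSPlatformMemCopy(thatDigest, ptr, MD5_LEN);

    // Init MD5 context, digest inner key pad and message

    MD5_Init(&c);
    MD5_Update(&c, info->keydata_ipad, HMAC_LEN);
    MD5_Update(&c, (mDNSu8*) msg, (unsigned long)(end - (mDNSu8*) msg));

    // Key name

    MD5_Update(&c, lcr->r.resrec.name->c, DomainNameLength(lcr->r.resrec.name));

    // Class name

    buf = mDNSOpaque16fromIntVal(lcr->r.resrec.rrclass);
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));

    // TTL

    MD5_Update(&c, (mDNSu8*) &lcr->r.resrec.rroriginalttl, sizeof(lcr->r.resrec.rroriginalttl));

    // Algorithm

    MD5_Update(&c, algo->c, algolen);

    // Time

    MD5_Update(&c, utc48, 6);

    // Fudge

    buf = mDNSOpaque16fromIntVal(fudge);
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));

    // Error and other data len are digested as zero.
    // NOTE(review): the error and other-data fields of the received record are not read,
    // so a record carrying non-zero values there will not verify.

    buf.NotAnInteger = 0;
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // error
    MD5_Update(&c, buf.b, sizeof(mDNSOpaque16));  // other data len

    // Finish the message & tsig var hash

    MD5_Final(thisDigest, &c);

    // perform outer MD5 (outer key pad, inner digest)

    MD5_Init(&c);
    MD5_Update(&c, info->keydata_opad, HMAC_LEN);
    MD5_Update(&c, thisDigest, MD5_LEN);
    MD5_Final(thisDigest, &c);

    // Compare all MD5_LEN bytes regardless of where the first difference is, so the time
    // taken does not depend on how many leading bytes of a received MAC are correct.

    diff = 0;
    for (i = 0; i < MD5_LEN; i++)
        diff |= (mDNSu8)(thisDigest[i] ^ thatDigest[i]);

    if (diff != 0)
    {
        LogMsg("ERROR: DNSDigest_VerifyMessage - bad signature");
        *rcode = kDNSFlag1_RC_NotAuth;
        *tcode = TSIG_ErrBadSig;
        ok = mDNSfalse;
        goto exit;
    }

    // all checks passed
    ok = mDNStrue;

exit:

    return ok;
}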
1581 
1582 
1583 #ifdef __cplusplus
1584 }
1585 #endif
1586