grpc 1.37.1 → 1.39.0

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/ofb.c

@@ -60,7 +60,8 @@ OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0,
 void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                            const AES_KEY *key, uint8_t ivec[16], unsigned *num,
                            block128_f block) {
-  assert(in && out && key && ivec && num);
+  assert(key != NULL && ivec != NULL && num != NULL);
+  assert(len == 0 || (in != NULL && out != NULL));
 
   unsigned n = *num;
 

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/internal.h

@@ -45,12 +45,10 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
 // for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the
 // entropy came directly from the CPU and zero if it came from the OS. It
 // actively obtains entropy from the CPU/OS and so should not be called from
-// within the FIPS module if |BORINGSSL_FIPS_PASSIVE_ENTROPY| is defined.
+// within the FIPS module.
 void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
                              int *out_used_cpu);
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The
 // |from_cpu| parameter is true iff the entropy was obtained directly from the
 // CPU.
@@ -61,7 +59,6 @@ void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len,
 // when the module has stopped because it has run out of entropy.
 void RAND_need_entropy(size_t bytes_needed);
 
-#endif  // BORINGSSL_FIPS_PASSIVE_ENTROPY
 #endif  // BORINGSSL_FIPS
 
 // CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c

@@ -178,8 +178,6 @@ void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
 #endif
 }
 
-#if defined(BORINGSSL_FIPS_PASSIVE_ENTROPY)
-
 // In passive entropy mode, entropy is supplied from outside of the module via
 // |RAND_load_entropy| and is stored in global instance of the following
 // structure.
@@ -242,17 +240,6 @@ static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
   CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get());
 }
 
-#else
-
-// In the active case, |get_seed_entropy| simply calls |CRYPTO_get_seed_entropy|
-// in order to obtain entropy from the CPU or OS.
-static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,
-                            int *out_used_cpu) {
-  CRYPTO_get_seed_entropy(out_entropy, out_entropy_len, out_used_cpu);
-}
-
-#endif  // !BORINGSSL_FIPS_PASSIVE_ENTROPY
-
 // rand_get_seed fills |seed| with entropy and sets |*out_used_cpu| to one if
 // that entropy came directly from the CPU and zero otherwise.
 static void rand_get_seed(struct rand_thread_state *state,

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/urandom.c

@@ -62,6 +62,15 @@
 #include <sys/random.h>
 #endif
 
+#if defined(OPENSSL_FREEBSD)
+#define URANDOM_BLOCKS_FOR_ENTROPY
+#if __FreeBSD__ >= 12
+// getrandom is supported in FreeBSD 12 and up.
+#define FREEBSD_GETRANDOM
+#include <sys/random.h>
+#endif
+#endif
+
 #include <openssl/thread.h>
 #include <openssl/mem.h>
 
@@ -176,6 +185,11 @@ static void init_once(void) {
   }
 #endif
 
+#if defined(FREEBSD_GETRANDOM)
+  *urandom_fd_bss_get() = kHaveGetrandom;
+  return;
+#endif
+
   // Android FIPS builds must support getrandom.
 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
   perror("getrandom not found");
@@ -256,11 +270,11 @@ static void wait_for_entropy(void) {
     return;
   }
 
-#if defined(BORINGSSL_FIPS)
-  // In FIPS mode we ensure that the kernel has sufficient entropy before
-  // continuing. This is automatically handled by getrandom, which requires
-  // that the entropy pool has been initialised, but for urandom we have to
-  // poll.
+#if defined(BORINGSSL_FIPS) && !defined(URANDOM_BLOCKS_FOR_ENTROPY)
+  // In FIPS mode on platforms where urandom doesn't block at startup, we ensure
+  // that the kernel has sufficient entropy before continuing. This is
+  // automatically handled by getrandom, which requires that the entropy pool
+  // has been initialised, but for urandom we have to poll.
   for (;;) {
     int entropy_bits;
     if (ioctl(fd, RNDGETENTCNT, &entropy_bits)) {
@@ -277,7 +291,7 @@ static void wait_for_entropy(void) {
 
     usleep(250000);
   }
-#endif  // BORINGSSL_FIPS
+#endif  // BORINGSSL_FIPS && !URANDOM_BLOCKS_FOR_ENTROPY
 }
 
 // fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
@@ -291,11 +305,14 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
     return 1;
   }
 
-#if defined(USE_NR_getrandom)
+#if defined(USE_NR_getrandom) || defined(FREEBSD_GETRANDOM)
   int getrandom_flags = 0;
   if (!block) {
     getrandom_flags |= GRND_NONBLOCK;
   }
+#endif
+
+#if defined (USE_NR_getrandom)
   if (seed) {
     getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get();
   }
@@ -315,6 +332,8 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
     if (*urandom_fd_bss_get() == kHaveGetrandom) {
 #if defined(USE_NR_getrandom)
       r = boringssl_getrandom(out, len, getrandom_flags);
+#elif defined(FREEBSD_GETRANDOM)
+      r = getrandom(out, len, getrandom_flags);
 #elif defined(OPENSSL_MACOS)
       if (__builtin_available(macos 10.12, *)) {
         // |getentropy| can only request 256 bytes at a time.

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c

@@ -458,18 +458,18 @@ static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
 };
 
 int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
-                         int *is_alloced, int hash_nid, const uint8_t *msg,
-                         size_t msg_len) {
+                         int *is_alloced, int hash_nid, const uint8_t *digest,
+                         size_t digest_len) {
   unsigned i;
 
   if (hash_nid == NID_md5_sha1) {
     // Special case: SSL signature, just check the length.
-    if (msg_len != SSL_SIG_LENGTH) {
+    if (digest_len != SSL_SIG_LENGTH) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
       return 0;
     }
 
-    *out_msg = (uint8_t*) msg;
+    *out_msg = (uint8_t *)digest;
     *out_msg_len = SSL_SIG_LENGTH;
     *is_alloced = 0;
     return 1;
@@ -481,7 +481,7 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
       continue;
     }
 
-    if (msg_len != sig_prefix->hash_len) {
+    if (digest_len != sig_prefix->hash_len) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
       return 0;
     }
@@ -491,7 +491,7 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
     unsigned signed_msg_len;
     uint8_t *signed_msg;
 
-    signed_msg_len = prefix_len + msg_len;
+    signed_msg_len = prefix_len + digest_len;
     if (signed_msg_len < prefix_len) {
       OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);
       return 0;
@@ -504,7 +504,7 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
     }
 
     OPENSSL_memcpy(signed_msg, prefix, prefix_len);
-    OPENSSL_memcpy(signed_msg + prefix_len, msg, msg_len);
+    OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len);
 
     *out_msg = signed_msg;
     *out_msg_len = signed_msg_len;
@@ -517,8 +517,8 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
   return 0;
 }
 
-int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
-             unsigned *out_len, RSA *rsa) {
+int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len,
+             uint8_t *out, unsigned *out_len, RSA *rsa) {
   const unsigned rsa_size = RSA_size(rsa);
   int ret = 0;
   uint8_t *signed_msg = NULL;
@@ -527,11 +527,12 @@ int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
   size_t size_t_out_len;
 
   if (rsa->meth->sign) {
-    return rsa->meth->sign(hash_nid, in, in_len, out, out_len, rsa);
+    return rsa->meth->sign(hash_nid, digest, digest_len, out, out_len, rsa);
   }
 
   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
-                            &signed_msg_is_alloced, hash_nid, in, in_len) ||
+                            &signed_msg_is_alloced, hash_nid, digest,
+                            digest_len) ||
       !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg,
                     signed_msg_len, RSA_PKCS1_PADDING)) {
     goto err;
@@ -548,9 +549,9 @@ err:
 }
 
 int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
-                      const uint8_t *in, size_t in_len, const EVP_MD *md,
-                      const EVP_MD *mgf1_md, int salt_len) {
-  if (in_len != EVP_MD_size(md)) {
+                      const uint8_t *digest, size_t digest_len,
+                      const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) {
+  if (digest_len != EVP_MD_size(md)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
     return 0;
   }
@@ -562,15 +563,15 @@ int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
     return 0;
   }
 
-  int ret =
-      RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, in, md, mgf1_md, salt_len) &&
-      RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
-                   RSA_NO_PADDING);
+  int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md,
+                                           salt_len) &&
+            RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,
+                         RSA_NO_PADDING);
   OPENSSL_free(padded);
   return ret;
 }
 
-int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
+int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len,
                const uint8_t *sig, size_t sig_len, RSA *rsa) {
   if (rsa->n == NULL || rsa->e == NULL) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
@@ -584,7 +585,7 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
   size_t signed_msg_len = 0, len;
   int signed_msg_is_alloced = 0;
 
-  if (hash_nid == NID_md5_sha1 && msg_len != SSL_SIG_LENGTH) {
+  if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
     return 0;
   }
@@ -601,7 +602,8 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
   }
 
   if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,
-                            &signed_msg_is_alloced, hash_nid, msg, msg_len)) {
+                            &signed_msg_is_alloced, hash_nid, digest,
+                            digest_len)) {
     goto out;
   }
 
@@ -622,10 +624,10 @@ out:
   return ret;
 }
 
-int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
+int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len,
                         const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,
                         const uint8_t *sig, size_t sig_len) {
-  if (msg_len != EVP_MD_size(md)) {
+  if (digest_len != EVP_MD_size(md)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
     return 0;
   }
@@ -647,7 +649,7 @@ int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, size_t msg_len,
     goto err;
   }
 
-  ret = RSA_verify_PKCS1_PSS_mgf1(rsa, msg, md, mgf1_md, em, salt_len);
+  ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len);
 
 err:
   OPENSSL_free(em);

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c

@@ -79,9 +79,8 @@ int rsa_check_public_key(const RSA *rsa) {
     return 0;
   }
 
-  unsigned rsa_bits = BN_num_bits(rsa->n);
-
-  if (rsa_bits > 16 * 1024) {
+  unsigned n_bits = BN_num_bits(rsa->n);
+  if (n_bits > 16 * 1024) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
     return 0;
   }
@@ -96,17 +95,21 @@ int rsa_check_public_key(const RSA *rsa) {
   // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
   // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
   static const unsigned kMaxExponentBits = 33;
-
-  if (BN_num_bits(rsa->e) > kMaxExponentBits) {
+  unsigned e_bits = BN_num_bits(rsa->e);
+  if (e_bits > kMaxExponentBits ||
+      // Additionally reject e = 1 or even e. e must be odd to be relatively
+      // prime with phi(n).
+      e_bits < 2 ||
+      !BN_is_odd(rsa->e)) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);
     return 0;
   }
 
-  // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
+  // Verify |n > e|. Comparing |n_bits| to |kMaxExponentBits| is a small
   // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
   // is much smaller than the minimum RSA key size that any application should
   // accept.
-  if (rsa_bits <= kMaxExponentBits) {
+  if (n_bits <= kMaxExponentBits) {
     OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/fips.c

@@ -0,0 +1,79 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/crypto.h>
+
+#include "../../internal.h"
+#include "../delocate.h"
+
+
+int FIPS_mode(void) {
+#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN)
+  return 1;
+#else
+  return 0;
+#endif
+}
+
+int FIPS_mode_set(int on) { return on == FIPS_mode(); }
+
+#if defined(BORINGSSL_FIPS_COUNTERS)
+
+size_t FIPS_read_counter(enum fips_counter_t counter) {
+  if (counter < 0 || counter > fips_counter_max) {
+    abort();
+  }
+
+  const size_t *array =
+      CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS);
+  if (!array) {
+    return 0;
+  }
+
+  return array[counter];
+}
+
+void boringssl_fips_inc_counter(enum fips_counter_t counter) {
+  if (counter < 0 || counter > fips_counter_max) {
+    abort();
+  }
+
+  size_t *array =
+      CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS);
+  if (!array) {
+    const size_t num_bytes = sizeof(size_t) * (fips_counter_max + 1);
+    array = OPENSSL_malloc(num_bytes);
+    if (!array) {
+      return;
+    }
+
+    OPENSSL_memset(array, 0, num_bytes);
+    if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array,
+                                 OPENSSL_free)) {
+      // |OPENSSL_free| has already been called by |CRYPTO_set_thread_local|.
+      return;
+    }
+  }
+
+  array[counter]++;
+}
+
+#else
+
+size_t FIPS_read_counter(enum fips_counter_t counter) { return 0; }
+
+// boringssl_fips_inc_counter is a no-op, inline function in internal.h in this
+// case. That should let the compiler optimise away the callsites.
+
+#endif

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/self_check/self_check.c

@@ -32,13 +32,20 @@
 
 #include "../../internal.h"
 #include "../ec/internal.h"
+#include "../ecdsa/internal.h"
 #include "../rand/internal.h"
 #include "../tls/internal.h"
 
 
 // MSVC wants to put a NUL byte at the end of non-char arrays and so cannot
-// compile this.
-#if !defined(_MSC_VER)
+// compile the real logic.
+#if defined(_MSC_VER)
+
+int BORINGSSL_self_test(void) {
+  return 0;
+}
+
+#else
 
 #if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
 // FIPS builds on Android will test for flag files, named after the module hash,
@@ -727,14 +734,12 @@ int boringssl_fips_self_test(
   // ECDSA Sign/Verify KAT
 
   // The 'k' value for ECDSA is fixed to avoid an entropy draw.
-  ec_key->fixed_k = BN_new();
-  if (ec_key->fixed_k == NULL ||
-      !BN_set_word(ec_key->fixed_k, 42)) {
-    fprintf(stderr, "Out of memory\n");
-    goto err;
-  }
+  uint8_t ecdsa_k[32] = {0};
+  ecdsa_k[31] = 42;
 
-  sig = ECDSA_do_sign(kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key);
+  sig = ecdsa_sign_with_nonce_for_known_answer_test(
+      kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key, ecdsa_k,
+      sizeof(ecdsa_k));
 
   uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)];
   uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)];

data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/sha/sha1.c

@@ -60,8 +60,9 @@
 
 #include <openssl/mem.h>
 
-#include "internal.h"
 #include "../../internal.h"
+#include "../digest/md32_common.h"
+#include "internal.h"
 
 
 int SHA1_Init(SHA_CTX *sha) {
@@ -83,30 +84,33 @@ uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) {
   return out;
 }
 
-#define DATA_ORDER_IS_BIG_ENDIAN
-
-#define HASH_CTX                SHA_CTX
-#define HASH_CBLOCK             64
-#define HASH_DIGEST_LENGTH      20
-#define HASH_MAKE_STRING(c, s) \
-  do {                         \
-    uint32_t ll;               \
-    ll = (c)->h[0];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[1];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[2];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[3];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[4];            \
-    HOST_l2c(ll, (s));         \
-  } while (0)
+#if !defined(SHA1_ASM)
+static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
+                                  size_t num);
+#endif
+
+void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) {
+  sha1_block_data_order(c->h, data, 1);
+}
+
+int SHA1_Update(SHA_CTX *c, const void *data, size_t len) {
+  crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
+                     &c->Nh, &c->Nl, data, len);
+  return 1;
+}
+
+int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
+  crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
+                    c->Nh, c->Nl, /*is_big_endian=*/1);
+
+  CRYPTO_store_u32_be(out, c->h[0]);
+  CRYPTO_store_u32_be(out + 4, c->h[1]);
+  CRYPTO_store_u32_be(out + 8, c->h[2]);
+  CRYPTO_store_u32_be(out + 12, c->h[3]);
+  CRYPTO_store_u32_be(out + 16, c->h[4]);
+  return 1;
+}
 
-#define HASH_UPDATE SHA1_Update
-#define HASH_TRANSFORM SHA1_Transform
-#define HASH_FINAL SHA1_Final
-#define HASH_BLOCK_DATA_ORDER sha1_block_data_order
 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
 #define Xupdate(a, ix, ia, ib, ic, id) \
   do {                                 \
@@ -114,13 +118,6 @@ uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) {
     (ix) = (a) = ROTATE((a), 1);       \
   } while (0)
 
-#if !defined(SHA1_ASM)
-static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
-                                  size_t num);
-#endif
-
-#include "../digest/md32_common.h"
-
 #define K_00_19 0x5a827999UL
 #define K_20_39 0x6ed9eba1UL
 #define K_40_59 0x8f1bbcdcUL
@@ -193,7 +190,7 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
 #if !defined(SHA1_ASM)
 static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
                                   size_t num) {
-  register uint32_t A, B, C, D, E, T, l;
+  register uint32_t A, B, C, D, E, T;
   uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10,
       XX11, XX12, XX13, XX14, XX15;
 
@@ -204,52 +201,52 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
   E = state[4];
 
   for (;;) {
-    HOST_c2l(data, l);
-    X(0) = l;
-    HOST_c2l(data, l);
-    X(1) = l;
+    X(0) = CRYPTO_load_u32_be(data);
+    data += 4;
+    X(1) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(0, A, B, C, D, E, T, X(0));
-    HOST_c2l(data, l);
-    X(2) = l;
+    X(2) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(1, T, A, B, C, D, E, X(1));
-    HOST_c2l(data, l);
-    X(3) = l;
+    X(3) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(2, E, T, A, B, C, D, X(2));
-    HOST_c2l(data, l);
-    X(4) = l;
+    X(4) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(3, D, E, T, A, B, C, X(3));
-    HOST_c2l(data, l);
-    X(5) = l;
+    X(5) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(4, C, D, E, T, A, B, X(4));
-    HOST_c2l(data, l);
-    X(6) = l;
+    X(6) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(5, B, C, D, E, T, A, X(5));
-    HOST_c2l(data, l);
-    X(7) = l;
+    X(7) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(6, A, B, C, D, E, T, X(6));
-    HOST_c2l(data, l);
-    X(8) = l;
+    X(8) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(7, T, A, B, C, D, E, X(7));
-    HOST_c2l(data, l);
-    X(9) = l;
+    X(9) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(8, E, T, A, B, C, D, X(8));
-    HOST_c2l(data, l);
-    X(10) = l;
+    X(10) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(9, D, E, T, A, B, C, X(9));
-    HOST_c2l(data, l);
-    X(11) = l;
+    X(11) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(10, C, D, E, T, A, B, X(10));
-    HOST_c2l(data, l);
-    X(12) = l;
+    X(12) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(11, B, C, D, E, T, A, X(11));
-    HOST_c2l(data, l);
-    X(13) = l;
+    X(13) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(12, A, B, C, D, E, T, X(12));
-    HOST_c2l(data, l);
-    X(14) = l;
+    X(14) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(13, T, A, B, C, D, E, X(13));
-    HOST_c2l(data, l);
-    X(15) = l;
+    X(15) = CRYPTO_load_u32_be(data);
+    data += 4;
     BODY_00_15(14, E, T, A, B, C, D, X(14));
     BODY_00_15(15, D, E, T, A, B, C, X(15));
 
@@ -341,15 +338,6 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
 }
 #endif
 
-#undef DATA_ORDER_IS_BIG_ENDIAN
-#undef HASH_CTX
-#undef HASH_CBLOCK
-#undef HASH_DIGEST_LENGTH
-#undef HASH_MAKE_STRING
-#undef HASH_UPDATE
-#undef HASH_TRANSFORM
-#undef HASH_FINAL
-#undef HASH_BLOCK_DATA_ORDER
 #undef ROTATE
 #undef Xupdate
 #undef K_00_19
@@ -367,5 +355,3 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
 #undef BODY_40_59
 #undef BODY_60_79
 #undef X
-#undef HOST_c2l
-#undef HOST_l2c