1From 372bdf0348fb86d671e73baab19daa34bd0cf73d Mon Sep 17 00:00:00 2001
2From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
3Date: Tue, 9 Nov 2021 19:01:20 +0100
4Subject: [PATCH] Revert "workaround a miscompilation issue in clang 12
5 (XCode 13)"
6
7This reverts commit 219329f8e777af54d785ae7259f8be32a714b751.
8
9Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
10[Upstream status: https://github.com/randombit/botan/issues/2845]
11---
12 src/lib/hash/sha3/sha3.cpp | 46 ++++++-----------------
13 src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp | 46 ++++++-----------------
14 2 files changed, 22 insertions(+), 70 deletions(-)
15
16diff --git a/src/lib/hash/sha3/sha3.cpp b/src/lib/hash/sha3/sha3.cpp
17index 289e451ff..690c2b264 100644
18--- a/src/lib/hash/sha3/sha3.cpp
19+++ b/src/lib/hash/sha3/sha3.cpp
20@@ -11,47 +11,23 @@
21 #include <botan/exceptn.h>
22 #include <botan/cpuid.h>
23
24-#include <tuple>
25-
26 namespace Botan {
27
28 namespace {
29
30-// This is a workaround for a suspected bug in clang 12 (and XCode 13)
31-// that caused a miscompile of the SHA3 implementation for optimization
32-// level -O2 and higher.
33-//
34-// For details, see: https://github.com/randombit/botan/issues/2802
35-#if defined(__clang__) && \
36- (( defined(__apple_build_version__) && __clang_major__ == 13) || \
37- (!defined(__apple_build_version__) && __clang_major__ == 12))
38-#define BOTAN_WORKAROUND_MAYBE_INLINE __attribute__((noinline))
39-#else
40-#define BOTAN_WORKAROUND_MAYBE_INLINE inline
41-#endif
42-
43-BOTAN_WORKAROUND_MAYBE_INLINE std::tuple<uint64_t, uint64_t, uint64_t, uint64_t, uint64_t>
44- xor_CNs(const uint64_t A[25])
45- {
46- return {
47- A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20],
48- A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21],
49- A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22],
50- A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23],
51- A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24]};
52- }
53-
54-#undef BOTAN_WORKAROUND_MAYBE_INLINE
55-
56 inline void SHA3_round(uint64_t T[25], const uint64_t A[25], uint64_t RC)
57 {
58- const auto Cs = xor_CNs(A);
59-
60- const uint64_t D0 = rotl<1>(std::get<0>(Cs)) ^ std::get<3>(Cs);
61- const uint64_t D1 = rotl<1>(std::get<1>(Cs)) ^ std::get<4>(Cs);
62- const uint64_t D2 = rotl<1>(std::get<2>(Cs)) ^ std::get<0>(Cs);
63- const uint64_t D3 = rotl<1>(std::get<3>(Cs)) ^ std::get<1>(Cs);
64- const uint64_t D4 = rotl<1>(std::get<4>(Cs)) ^ std::get<2>(Cs);
65+ const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
66+ const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
67+ const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
68+ const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
69+ const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
70+
71+ const uint64_t D0 = rotl<1>(C0) ^ C3;
72+ const uint64_t D1 = rotl<1>(C1) ^ C4;
73+ const uint64_t D2 = rotl<1>(C2) ^ C0;
74+ const uint64_t D3 = rotl<1>(C3) ^ C1;
75+ const uint64_t D4 = rotl<1>(C4) ^ C2;
76
77 const uint64_t B00 = A[ 0] ^ D1;
78 const uint64_t B01 = rotl<44>(A[ 6] ^ D2);
79diff --git a/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp b/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp
80index c7f1914a3..a9650ad9d 100644
81--- a/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp
82+++ b/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp
83@@ -8,47 +8,23 @@
84 #include <botan/sha3.h>
85 #include <botan/rotate.h>
86
87-#include <tuple>
88-
89 namespace Botan {
90
91 namespace {
92
93-// This is a workaround for a suspected bug in clang 12 (and XCode 13)
94-// that caused a miscompile of the SHA3 implementation for optimization
95-// level -O2 and higher.
96-//
97-// For details, see: https://github.com/randombit/botan/issues/2802
98-#if defined(__clang__) && \
99- (( defined(__apple_build_version__) && __clang_major__ == 13) || \
100- (!defined(__apple_build_version__) && __clang_major__ == 12))
101-#define BOTAN_WORKAROUND_MAYBE_INLINE __attribute__((noinline))
102-#else
103-#define BOTAN_WORKAROUND_MAYBE_INLINE inline
104-#endif
105-
106-BOTAN_WORKAROUND_MAYBE_INLINE std::tuple<uint64_t, uint64_t, uint64_t, uint64_t, uint64_t>
107- xor_CNs(const uint64_t A[25])
108- {
109- return {
110- A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20],
111- A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21],
112- A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22],
113- A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23],
114- A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24]};
115- }
116-
117-#undef BOTAN_WORKAROUND_MAYBE_INLINE
118-
119 inline void SHA3_BMI2_round(uint64_t T[25], const uint64_t A[25], uint64_t RC)
120 {
121- const auto Cs = xor_CNs(A);
122-
123- const uint64_t D0 = rotl<1>(std::get<0>(Cs)) ^ std::get<3>(Cs);
124- const uint64_t D1 = rotl<1>(std::get<1>(Cs)) ^ std::get<4>(Cs);
125- const uint64_t D2 = rotl<1>(std::get<2>(Cs)) ^ std::get<0>(Cs);
126- const uint64_t D3 = rotl<1>(std::get<3>(Cs)) ^ std::get<1>(Cs);
127- const uint64_t D4 = rotl<1>(std::get<4>(Cs)) ^ std::get<2>(Cs);
128+ const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
129+ const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
130+ const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
131+ const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
132+ const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
133+
134+ const uint64_t D0 = rotl<1>(C0) ^ C3;
135+ const uint64_t D1 = rotl<1>(C1) ^ C4;
136+ const uint64_t D2 = rotl<1>(C2) ^ C0;
137+ const uint64_t D3 = rotl<1>(C3) ^ C1;
138+ const uint64_t D4 = rotl<1>(C4) ^ C2;
139
140 const uint64_t B00 = A[ 0] ^ D1;
141 const uint64_t B01 = rotl<44>(A[ 6] ^ D2);
142--
1432.33.0
144
145
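Review bot: Dropping the `xor_CNs` helper unconditionally means `SHA3_BMI2_round` here, and `SHA3_round` in sha3.cpp in the same way, again compute C0..C4 inline, which is the form the removed comment ties to a suspected clang 12 / Xcode 13 miscompile at -O2 and higher. A miscompiled permutation yields wrong digests without any build or runtime error, and the commit message records neither why the workaround had to go nor which compilers this patch is intended for. I would say so in the message and leave a marker above each round function, e.g. `// NOTE: clang 12 / Xcode 13 were suspected of miscompiling this at -O2+, see randombit/botan issue 2802`, and run the SHA-3 known-answer tests on any clang-built target. Both round functions continue past the end of their hunks.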