[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2019-02-01 Thread bernd . edlinger
The branch OpenSSL_1_1_1-stable has been updated
   via  63b596e38df603c983da188c6ace3e335a116730 (commit)
  from  243ff51cc6757ab56cda4a7f69fbdcddf81141b6 (commit)


- Log -
commit 63b596e38df603c983da188c6ace3e335a116730
Author: Bernd Edlinger 
Date:   Wed Jan 30 16:20:31 2019 +0100

Add an entry to the CHANGES for the d2i_X509_PUBKEY fix

The commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot
to add a short description to the CHANGES file.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8144)

(cherry picked from commit b2aea0e3d9a15e30ebce8b6da213df4a3f346155)

---

Summary of changes:
 CHANGES | 4 
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 261299d..81e3f84 100644
--- a/CHANGES
+++ b/CHANGES
@@ -16,6 +16,10 @@
  interoperability with such broken implementations. However, enabling
  this switch breaks interoperability with correct implementations.
 
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2019-02-01 Thread bernd . edlinger
The branch master has been updated
   via  b2aea0e3d9a15e30ebce8b6da213df4a3f346155 (commit)
  from  1050f687226d43720da59a22b9afe45a4840659e (commit)


- Log -
commit b2aea0e3d9a15e30ebce8b6da213df4a3f346155
Author: Bernd Edlinger 
Date:   Wed Jan 30 16:20:31 2019 +0100

Add an entry to the CHANGES for the d2i_X509_PUBKEY fix

The commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot
to add a short description to the CHANGES file.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8144)

---

Summary of changes:
 CHANGES | 4 
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 20b1f5c..a72daba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -16,6 +16,10 @@
  interoperability with such broken implementations. However, enabling
  this switch breaks interoperability with correct implementations.
 
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 


[openssl-commits] Build completed: openssl master.22190

2019-02-01 Thread AppVeyor


Build openssl master.22190 completed



Commit 6de0ba61c5 by Sam Roberts on 2/1/2019 11:06 PM:

Make some simple getters take const SSL/SSL_CTX




[openssl-commits] Build failed: openssl master.22189

2019-02-01 Thread AppVeyor



Build openssl master.22189 failed


Commit 2b664e9cfc by FdaSilvaYY on 1/30/2019 8:16 PM:

Fuzz: add a few more types into Fuzzing




[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2019-02-01 Thread bernd . edlinger
The branch OpenSSL_1_1_0-stable has been updated
   via  152abc5522d869668f50deeb99cd0d948d0df4c1 (commit)
  from  47c55f881ffef8aa5fafcb88d4230700bb279449 (commit)


- Log -
commit 152abc5522d869668f50deeb99cd0d948d0df4c1
Author: Bernd Edlinger 
Date:   Wed Jan 30 16:20:31 2019 +0100

Fix a crash in reuse of d2i_X509_PUBKEY

If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8135)

---

Summary of changes:
 CHANGES| 4 
 crypto/x509/x_pubkey.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index b810a12..d634252 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0j and 1.1.0k [xx XXX ]
 
+  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index cc69283..03271cb 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const 
ASN1_ITEM *it,
 /* Attempt to decode public key and cache in pubkey structure. */
 X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
 EVP_PKEY_free(pubkey->pkey);
+pubkey->pkey = NULL;
 /*
  * Opportunistically decode the key but remove any non fatal errors
  * from the queue. Subsequent explicit attempts to decode/use the key
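Review bot: the pubkey_cb fix lands without a regression test; the summary of changes lists only CHANGES and crypto/x509/x_pubkey.c. The commit message names the trigger (a malformed second PUBKEY decoded into a reused object), so a test that decodes a valid key and then a malformed one into the same X509_PUBKEY would keep this from regressing. The change itself looks right: with pubkey->pkey = NULL; placed directly after EVP_PKEY_free(pubkey->pkey);, a failed decode leaves NULL behind instead of a freed pointer.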


[openssl-commits] [openssl] master update

2019-02-01 Thread Richard Levitte
The branch master has been updated
   via  1050f687226d43720da59a22b9afe45a4840659e (commit)
  from  09d62b336d9e2a11b330d45d4f0f3f37cbb0d674 (commit)


- Log -
commit 1050f687226d43720da59a22b9afe45a4840659e
Author: Richard Levitte 
Date:   Fri Feb 1 10:51:20 2019 +0100

VMS: Clean away stray debugging prints from descrip.mms.tmpl

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8140)

---

Summary of changes:
 Configurations/descrip.mms.tmpl | 5 -
 1 file changed, 5 deletions(-)

diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 46b9ffc..a0bc93d 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -102,9 +102,6 @@
 
   return "$target : build_generated\n\t\pipe \$(MMS) \$(MMSQUALIFIERS) 
depend && \$(MMS) \$(MMSQUALIFIERS) _$target\n_$target";
   }
-  #use Data::Dumper;
-  #print STDERR "DEBUG: before:\n", Dumper($unified_info{before});
-  #print STDERR "DEBUG: after:\n", Dumper($unified_info{after});
   "";
 -}
 PLATFORM={- $config{target} -}
@@ -1097,10 +1094,8 @@ EOF
   join("\n\t", "WRITE OPT_FILE \"CASE_SENSITIVE=YES\"",
map { my @lines = ();
  use Data::Dumper;
- print STDERR "DEBUG: ",Dumper($_);
  my $x = $_->{lib} =~ /\[/
  ? $_->{lib} : "[]".$_->{lib};
- print STDERR "DEBUG: ",Dumper($x);
  if ($x =~ m|\.EXE$|) {
  push @lines, "\@ WRITE OPT_FILE \"$x/SHARE\"";
  } elsif ($x =~ m|\.OLB$|) {
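Review bot: in the second hunk, use Data::Dumper; stays in the map block as a context line although both Dumper() calls after it are removed, so the import looks dead here. If nothing else in that block calls Dumper, drop the line as well so the debugging cleanup is complete.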


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2019-02-01 Thread Matt Caswell
The branch OpenSSL_1_1_1-stable has been updated
   via  243ff51cc6757ab56cda4a7f69fbdcddf81141b6 (commit)
  from  1b66fc87da7c3851d7229993219336afa587f325 (commit)


- Log -
commit 243ff51cc6757ab56cda4a7f69fbdcddf81141b6
Author: Michael Tuexen 
Date:   Wed Dec 26 12:44:53 2018 +0100

Fix end-point shared secret for DTLS/SCTP

When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.

Fixes #7956

Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7957)

(cherry picked from commit 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674)

---

Summary of changes:
 CHANGES|   7 ++
 apps/s_client.c|  15 +++
 apps/s_server.c|  17 ++-
 doc/man1/s_client.pod  |   9 ++
 doc/man1/s_server.pod  |   9 ++
 doc/man3/SSL_CTX_set_mode.pod  |   9 ++
 include/openssl/ssl.h  |  13 +++
 ssl/statem/statem_clnt.c   |  16 ++-
 ssl/statem/statem_srvr.c   |  16 ++-
 test/handshake_helper.c|  33 +-
 test/recipes/80-test_ssl_new.t |   3 +-
 test/ssl-tests/29-dtls-sctp-label-bug.conf | 116 +
 ...atus.conf.in => 29-dtls-sctp-label-bug.conf.in} |  59 +--
 test/ssl_test_ctx.c|   4 +
 test/ssl_test_ctx.h|   4 +
 15 files changed, 288 insertions(+), 42 deletions(-)
 create mode 100644 test/ssl-tests/29-dtls-sctp-label-bug.conf
 copy test/ssl-tests/{16-dtls-certstatus.conf.in => 
29-dtls-sctp-label-bug.conf.in} (50%)

diff --git a/CHANGES b/CHANGES
index d3ad3f6..261299d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,13 @@
 
  Changes between 1.1.1a and 1.1.1b [xx XXX ]
 
+  *) Fix a bug in the computation of the endpoint-pair shared secret used
+ by DTLS over SCTP. This breaks interoperability with older versions
+ of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
+ switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
+ interoperability with such broken implementations. However, enabling
+ this switch breaks interoperability with correct implementations.
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 
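Review bot: the new CHANGES entry ends without an [Author] attribution line, while the entry right below it closes with [Richard Levitte]. Add the attribution so the entry follows the file's convention. Since the text says the switch breaks interoperability in both directions, it would also help to state that both peers have to agree on SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG.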
diff --git a/apps/s_client.c b/apps/s_client.c
index 5925814..fb2ff47 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -596,6 +596,7 @@ typedef enum OPTION_choice {
 #endif
 OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
 OPT_ENABLE_PHA,
+OPT_SCTP_LABEL_BUG,
 OPT_R_ENUM
 } OPTION_CHOICE;
 
@@ -750,6 +751,7 @@ const OPTIONS s_client_options[] = {
 #endif
 #ifndef OPENSSL_NO_SCTP
 {"sctp", OPT_SCTP, '-', "Use SCTP"},
+{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length 
bug"},
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
 {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
@@ -976,6 +978,9 @@ int s_client_main(int argc, char **argv)
 #endif
 char *psksessf = NULL;
 int enable_pha = 0;
+#ifndef OPENSSL_NO_SCTP
+int sctp_label_bug = 0;
+#endif
 
 FD_ZERO();
 FD_ZERO();
@@ -1323,6 +1328,11 @@ int s_client_main(int argc, char **argv)
 protocol = IPPROTO_SCTP;
 #endif
 break;
+case OPT_SCTP_LABEL_BUG:
+#ifndef OPENSSL_NO_SCTP
+sctp_label_bug = 1;
+#endif
+break;
 case OPT_TIMEOUT:
 #ifndef OPENSSL_NO_DTLS
 enable_timeouts = 1;
@@ -1707,6 +1717,11 @@ int s_client_main(int argc, char **argv)
 }
 }
 
+#ifndef OPENSSL_NO_SCTP
+if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
+SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
+#endif
+
 if (min_version != 0
 && SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
 goto end;
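Review bot: the condition protocol == IPPROTO_SCTP && sctp_label_bug == 1 silently discards -sctp_label_bug when -sctp was not given, so someone testing interoperability can believe the compatibility mode is active when it is not. Consider emitting a warning when sctp_label_bug is set but the protocol is not SCTP, or rejecting that combination during option parsing.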
diff --git a/apps/s_server.c b/apps/s_server.c
index aa0c9ae..caf47b3 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -751,7 +751,7 @@ typedef enum OPTION_choice {
 OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
 OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
 OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
-OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
+OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
 OPT_R_ENUM,
 OPT_S_ENUM,
 OPT_V_ENUM,
@@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {
 #endif
 #ifndef 

[openssl-commits] [openssl] master update

2019-02-01 Thread Matt Caswell
The branch master has been updated
   via  09d62b336d9e2a11b330d45d4f0f3f37cbb0d674 (commit)
  from  a28e4890eed847e6122a1c4d50653566e0813f45 (commit)


- Log -
commit 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674
Author: Michael Tuexen 
Date:   Wed Dec 26 12:44:53 2018 +0100

Fix end-point shared secret for DTLS/SCTP

When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.

Fixes #7956

Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7957)

---

Summary of changes:
 CHANGES|   7 ++
 apps/s_client.c|  15 +++
 apps/s_server.c|  17 ++-
 doc/man1/s_client.pod  |   9 ++
 doc/man1/s_server.pod  |   9 ++
 doc/man3/SSL_CTX_set_mode.pod  |   9 ++
 include/openssl/ssl.h  |  12 +++
 ssl/statem/statem_clnt.c   |  16 ++-
 ssl/statem/statem_srvr.c   |  16 ++-
 test/handshake_helper.c|  33 +-
 test/recipes/80-test_ssl_new.t |   3 +-
 test/ssl-tests/29-dtls-sctp-label-bug.conf | 116 +
 ...atus.conf.in => 29-dtls-sctp-label-bug.conf.in} |  57 --
 test/ssl_test_ctx.c|   4 +
 test/ssl_test_ctx.h|   4 +
 15 files changed, 286 insertions(+), 41 deletions(-)
 create mode 100644 test/ssl-tests/29-dtls-sctp-label-bug.conf
 copy test/ssl-tests/{16-dtls-certstatus.conf.in => 
29-dtls-sctp-label-bug.conf.in} (54%)

diff --git a/CHANGES b/CHANGES
index 311d6c6..20b1f5c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,13 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX ]
 
+  *) Fix a bug in the computation of the endpoint-pair shared secret used
+ by DTLS over SCTP. This breaks interoperability with older versions
+ of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
+ switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
+ interoperability with such broken implementations. However, enabling
+ this switch breaks interoperability with correct implementations.
+
   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  [Richard Levitte]
 
diff --git a/apps/s_client.c b/apps/s_client.c
index 6e06f15..872496c 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -598,6 +598,7 @@ typedef enum OPTION_choice {
 #endif
 OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
 OPT_ENABLE_PHA,
+OPT_SCTP_LABEL_BUG,
 OPT_R_ENUM
 } OPTION_CHOICE;
 
@@ -754,6 +755,7 @@ const OPTIONS s_client_options[] = {
 #endif
 #ifndef OPENSSL_NO_SCTP
 {"sctp", OPT_SCTP, '-', "Use SCTP"},
+{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length 
bug"},
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
 {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
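Review bot: the help string "Enable SCTP label length bug" for -sctp_label_bug does not say that this is a compatibility mode. Per the CHANGES entry in this same patch the mode is off by default and breaks interoperability with correct implementations, so wording such as "Enable SCTP label length bug (interop with unfixed peers)" would make the -help output self-explanatory.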
@@ -982,6 +984,9 @@ int s_client_main(int argc, char **argv)
 #endif
 char *psksessf = NULL;
 int enable_pha = 0;
+#ifndef OPENSSL_NO_SCTP
+int sctp_label_bug = 0;
+#endif
 
 FD_ZERO();
 FD_ZERO();
@@ -1335,6 +1340,11 @@ int s_client_main(int argc, char **argv)
 protocol = IPPROTO_SCTP;
 #endif
 break;
+case OPT_SCTP_LABEL_BUG:
+#ifndef OPENSSL_NO_SCTP
+sctp_label_bug = 1;
+#endif
+break;
 case OPT_TIMEOUT:
 #ifndef OPENSSL_NO_DTLS
 enable_timeouts = 1;
@@ -1729,6 +1739,11 @@ int s_client_main(int argc, char **argv)
 }
 }
 
+#ifndef OPENSSL_NO_SCTP
+if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
+SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
+#endif
+
 if (min_version != 0
 && SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
 goto end;
diff --git a/apps/s_server.c b/apps/s_server.c
index 8565a3a..fbbfd6c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -751,7 +751,7 @@ typedef enum OPTION_choice {
 OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
 OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
 OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
-OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
+OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
 OPT_R_ENUM,
 OPT_S_ENUM,
 OPT_V_ENUM,
@@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {
 #endif
 #ifndef OPENSSL_NO_SCTP
 {"sctp", OPT_SCTP, '-', "Use SCTP"},
+{"sctp_label_bug", 

[openssl-commits] [openssl] master update

2019-02-01 Thread Richard Levitte
The branch master has been updated
   via  a28e4890eed847e6122a1c4d50653566e0813f45 (commit)
   via  f8f3d624b7c71e8f5acbe373479a5b0f6b73d13f (commit)
  from  5dc40a83c74be579575a512b30d9c1e0364e6a7b (commit)


- Log -
commit a28e4890eed847e6122a1c4d50653566e0813f45
Author: Andy Polyakov 
Date:   Wed Jan 23 14:56:19 2019 +0100

poly1305/asm/poly1305-ppc.pl: add vector base 2^26 implementation.

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8120)

commit f8f3d624b7c71e8f5acbe373479a5b0f6b73d13f
Author: Andy Polyakov 
Date:   Wed Jan 23 15:03:23 2019 +0100

perlasm/ppc-xlate.pl: add VSX word load/store instructions.

Reviewed-by: Matt Caswell 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8120)

---

Summary of changes:
 crypto/perlasm/ppc-xlate.pl |2 +
 crypto/poly1305/asm/poly1305-ppc.pl | 1552 ---
 crypto/ppccap.c |   11 +-
 3 files changed, 1454 insertions(+), 111 deletions(-)

diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
index 1c972a1..e52f2f6 100755
--- a/crypto/perlasm/ppc-xlate.pl
+++ b/crypto/perlasm/ppc-xlate.pl
@@ -273,6 +273,8 @@ my $mtvrwz  = sub {
 my ($f, $vrt, $ra) = @_;
 "  .long   ".sprintf "0x%X",(31<<26)|($vrt<<21)|($ra<<16)|(243<<1)|1;
 };
+my $lvwzx_u= sub { vsxmem_op(@_, 12); };   # lxsiwzx
+my $stvwx_u= sub { vsxmem_op(@_, 140); };  # stxsiwx
 
 # PowerISA 3.0 stuff
 my $maddhdu= sub { vfour(@_,49); };
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl 
b/crypto/poly1305/asm/poly1305-ppc.pl
index e9118ba..9f15c0d 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -8,10 +8,10 @@
 
 #
 # 
-# Written by Andy Polyakov  for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
+# Written by Andy Polyakov, @dot-asm, initially for use in the OpenSSL
+# project. The module is dual licensed under OpenSSL and CRYPTOGAMS
+# licenses depending on where you obtain it. For further details see
+# https://github.com/dot-asm/cryptogams/.
 # 
 #
 # This module implements Poly1305 hash for PowerPC.
@@ -44,6 +44,13 @@
 #
 # On side note, Power ISA 2.07 enables vector base 2^26 implementation,
 # and POWER8 might have capacity to break 1.0 cycle per byte barrier...
+#
+# January 2019
+#
+# ... Unfortunately not:-( Estimate was a projection of ARM result,
+# but ARM has vector multiply-n-add instruction, while PowerISA does
+# not, not one usable in the context. Improvement is ~40% over -m64
+# result above and is ~1.43 on little-endian systems.
 
 $flavour = shift;
 
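Review bot: in the added "January 2019" comment, "~1.43" carries no unit, and "~40% over -m64 result above" points at a table that is not visible in this hunk. If the figure is cycles per byte, as the preceding "1.0 cycle per byte barrier" line suggests, write it out so the comment stands on its own.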
@@ -99,6 +106,7 @@ $code.=<<___;
std r0,0($ctx)  # zero hash value
std r0,8($ctx)
std r0,16($ctx)
+   stw r0,24($ctx) # clear is_base2_26
 
$UCMP   $inp,r0
beq-Lno_key
@@ -140,6 +148,7 @@ Lno_key:
 .globl .poly1305_blocks
 .align 4
 .poly1305_blocks:
+Lpoly1305_blocks:
srdi.   $len,$len,4
beq-Labort
 
@@ -238,60 +247,120 @@ Labort:
.long   0
.byte   0,12,4,1,0x80,5,4,0
 .size  .poly1305_blocks,.-.poly1305_blocks
+___
+{
+my ($h0,$h1,$h2,$h3,$h4,$t0) = map("r$_",(7..12));
 
+$code.=<<___;
 .globl .poly1305_emit
-.align 4
+.align 5
 .poly1305_emit:
-   ld  $h0,0($ctx) # load hash
-   ld  $h1,8($ctx)
-   ld  $h2,16($ctx)
-   ld  $padbit,0($nonce)   # load nonce
-   ld  $nonce,8($nonce)
-
-   addic   $d0,$h0,5   # compare to modulus
-   addze   $d1,$h1
-   addze   $d2,$h2
-
-   srdi$mask,$d2,2 # did it carry/borrow?
-   neg $mask,$mask
+   lwz $h0,0($ctx) # load hash value base 2^26
+   lwz $h1,4($ctx)
+   lwz $h2,8($ctx)
+   lwz $h3,12($ctx)
+   lwz $h4,16($ctx)
+   lwz r0,24($ctx) # is_base2_26
+
+   sldi$h1,$h1,26  # base 2^26 -> base 2^64
+   sldi$t0,$h2,52
+   srdi$h2,$h2,12
+   sldi$h3,$h3,14
+   add $h0,$h0,$h1
+   addc$h0,$h0,$t0
+   sldi$t0,$h4,40
+   srdi$h4,$h4,24
+   adde$h1,$h2,$h3
+   addc$h1,$h1,$t0
+   addze   $h2,$h4
+
+   ld  $h3,0($ctx) # load hash value base 2^64
+   ld  $h4,8($ctx)
+   ld  $t0,16($ctx)
+
+   neg r0,r0
+   xor $h0,$h0,$h3 # choose between radixes
+   xor $h1,$h1,$h4
+