authorDavid Benjamin <davidben@google.com>2021-10-03 01:53:38 -0400
committerAdam Langley <agl@google.com>2021-10-05 17:46:51 +0000
commitfa6ced95123a19e43598f654b2c3ef6ddda30290 (patch)
tree40da6f77e1c304b655462a1387948147a046a1d5 /decrepit
parent523d6c74c0c325139614b34619be592ad897a732 (diff)
Extract common rotl/rotr functions.
We have a ton of per-file rotation functions, often with generic names that do not tell you whether they are uint32_t vs uint64_t, or rotl vs rotr. Additionally, (x >> r) | (x << (32 - r)) is UB at r = 0. (x >> r) | (x << ((-r) & 31)) works for 0 <= r < 32, which is what cast.c does. GCC and Clang recognize this pattern as a rotate, but MSVC doesn't. MSVC does, however, provide functions for this. We usually rotate by a non-zero constant, which makes this moot, but rotation comes up often enough that it's worth extracting out. Some particular changes to call out: - I've switched sha256.c from rotl to rotr. There was a comment explaining why it differed from the specification. Now that we have both functions, it's simpler to just match the specification. - I've dropped all the inline assembly from sha512.c. Compilers should be able to recognize rotations in 2021. Change-Id: Ia1030e8bfe94dad92514ed1c28777447c48b82f9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49765 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'decrepit')
-rw-r--r--decrepit/cast/cast.c26
-rw-r--r--decrepit/ripemd/ripemd.c28
2 files changed, 23 insertions, 31 deletions
diff --git a/decrepit/cast/cast.c b/decrepit/cast/cast.c
index 8fd4e3a..dffee5c 100644
--- a/decrepit/cast/cast.c
+++ b/decrepit/cast/cast.c
@@ -84,22 +84,16 @@ void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, const CAST_KEY *ks,
l2n(d[1], out);
}
-#if defined(OPENSSL_WINDOWS) && defined(_MSC_VER)
-#define ROTL(a, n) (_lrotl(a, n))
-#else
-#define ROTL(a, n) ((((a) << (n)) | ((a) >> ((-(n))&31))) & 0xffffffffL)
-#endif
-
-#define E_CAST(n, key, L, R, OP1, OP2, OP3) \
- { \
- uint32_t a, b, c, d; \
- t = (key[n * 2] OP1 R) & 0xffffffff; \
- t = ROTL(t, (key[n * 2 + 1])); \
- a = CAST_S_table0[(t >> 8) & 0xff]; \
- b = CAST_S_table1[(t)&0xff]; \
- c = CAST_S_table2[(t >> 24) & 0xff]; \
- d = CAST_S_table3[(t >> 16) & 0xff]; \
- L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL)OP1 d) & 0xffffffffL; \
+#define E_CAST(n, key, L, R, OP1, OP2, OP3) \
+ { \
+ uint32_t a, b, c, d; \
+ t = (key[n * 2] OP1 R) & 0xffffffff; \
+ t = CRYPTO_rotl_u32(t, (key[n * 2 + 1])); \
+ a = CAST_S_table0[(t >> 8) & 0xff]; \
+ b = CAST_S_table1[(t)&0xff]; \
+ c = CAST_S_table2[(t >> 24) & 0xff]; \
+ d = CAST_S_table3[(t >> 16) & 0xff]; \
+ L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL) OP1 d) & 0xffffffffL; \
}
void CAST_encrypt(uint32_t *data, const CAST_KEY *key) {
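Review bot: The rotate count passed at `t = CRYPTO_rotl_u32(t, (key[n * 2 + 1]));` comes from the key schedule rather than from a constant, so `E_CAST` is the call site in this commit where the 0 <= r < 32 range given in the description has to hold at run time. The hunk shows neither where `key[n * 2 + 1]` is reduced to five bits nor the helper's definition and parameter type; presumably key setup masks the value, but that dependency should be stated next to the macro. I would add a comment above it such as `// key[n * 2 + 1] is a rotate subkey in [0, 31], as CRYPTO_rotl_u32 requires.`, or make the bound local with `CRYPTO_rotl_u32(t, key[n * 2 + 1] & 31)`. Because the count is key-derived, it is also worth confirming that the helper compiles to a plain rotate on every target this file is built for.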
diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
index 9120cdd..3ae6904 100644
--- a/decrepit/ripemd/ripemd.c
+++ b/decrepit/ripemd/ripemd.c
@@ -112,41 +112,39 @@ int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *c) {
#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y))
#define F5(x, y, z) (((~(z)) | (y)) ^ (x))
-#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n))))
-
-#define RIP1(a, b, c, d, e, w, s) \
- { \
- a += F1(b, c, d) + X(w); \
- a = ROTATE(a, s) + e; \
- c = ROTATE(c, 10); \
+#define RIP1(a, b, c, d, e, w, s) \
+ { \
+ a += F1(b, c, d) + X(w); \
+ a = CRYPTO_rotl_u32(a, s) + e; \
+ c = CRYPTO_rotl_u32(c, 10); \
}
#define RIP2(a, b, c, d, e, w, s, K) \
{ \
a += F2(b, c, d) + X(w) + K; \
- a = ROTATE(a, s) + e; \
- c = ROTATE(c, 10); \
+ a = CRYPTO_rotl_u32(a, s) + e; \
+ c = CRYPTO_rotl_u32(c, 10); \
}
#define RIP3(a, b, c, d, e, w, s, K) \
{ \
a += F3(b, c, d) + X(w) + K; \
- a = ROTATE(a, s) + e; \
- c = ROTATE(c, 10); \
+ a = CRYPTO_rotl_u32(a, s) + e; \
+ c = CRYPTO_rotl_u32(c, 10); \
}
#define RIP4(a, b, c, d, e, w, s, K) \
{ \
a += F4(b, c, d) + X(w) + K; \
- a = ROTATE(a, s) + e; \
- c = ROTATE(c, 10); \
+ a = CRYPTO_rotl_u32(a, s) + e; \
+ c = CRYPTO_rotl_u32(c, 10); \
}
#define RIP5(a, b, c, d, e, w, s, K) \
{ \
a += F5(b, c, d) + X(w) + K; \
- a = ROTATE(a, s) + e; \
- c = ROTATE(c, 10); \
+ a = CRYPTO_rotl_u32(a, s) + e; \
+ c = CRYPTO_rotl_u32(c, 10); \
}
#define KL0 0x00000000L
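Review bot: `RIP1` through `RIP5` are still bare `{ ... }` blocks, so a call written `RIP1(...);` expands to a block followed by an empty statement and stops compiling if it is ever used as the unbraced body of an `if` that has an `else`. Since the commit already rewrites the bodies of these macros, wrapping each one in `do { ... } while (0)` would make them behave as single statements. The call sites are outside this hunk, so whether any of them is used that way cannot be checked from here.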