Commit graph

495 commits

Author SHA1 Message Date
Matt Caswell
66ad63e801 Make basic AES ciphers available from within the FIPS providers
These ciphers were already provider aware, and were available from the
default provider. We move them into the FIPS provider too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9038)
2019-06-03 12:56:53 +01:00
Pauli
2752c8984c Revert "ppc assembly pack: always increment CTR IV as quadword"
The 32 bit counter behaviour is necessary and was intentional.

This reverts commit e9f148c935.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8958)
2019-05-20 18:08:42 +10:00
Daniel Axtens
e9f148c935 ppc assembly pack: always increment CTR IV as quadword
The kernel self-tests picked up an issue with CTR mode. The issue was
detected with a test vector with an IV of
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD: after 3 increments it should wrap
around to 0.

There are two paths that increment IVs: the bulk (8 at a time) path,
and the individual path which is used when there are fewer than 8 AES
blocks to process.

In the bulk path, the IV is incremented with vadduqm: "Vector Add
Unsigned Quadword Modulo", which does 128-bit addition.

In the individual path, however, the IV is incremented with vadduwm:
"Vector Add Unsigned Word Modulo", which instead does 4 32-bit
additions. Thus the IV would instead become
FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result.

Use vadduqm.

This was probably a typo originally, what with q and w being
adjacent.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8942)
2019-05-17 11:05:16 +10:00
Andy Polyakov
d6e4287c97 aes/asm/aesv8-armx.pl: ~20% improvement on ThunderX2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:30:39 +02:00
Andy Polyakov
6465321e40 ARM64 assembly pack: add ThunderX2 results.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8776)
2019-04-17 21:08:13 +02:00
Matt Caswell
fd367b4ce3 Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt()
These undocumented functions were never integrated into the EVP layer
and implement the AES Infinite Garble Extension (IGE) mode and AES
Bi-directional IGE mode. These modes were never formally standardised
and usage of these functions is believed to be very small. In particular
AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only
one is ever used. The security implications are believed to be minimal,
but this issue was never fixed for backwards compatibility reasons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8710)
2019-04-12 14:22:41 +01:00
Daniel Axtens
f643deac41 PPC assembly pack: fix copy-paste error in CTR mode
There are two copy-paste errors in handling CTR mode. When dealing
with a 2 or 3 block tail, the code branches to the CBC decryption exit
path, rather than to the CTR exit path.

This can lead to data corruption: in the Linux kernel we have a copy
of this file, and the bug leads to corruption of the IV, which leads
to data corruption when we call the encryption function again later to
encrypt subsequent blocks.

Originally reported to the Linux kernel by Ondrej Mosnáček <omosnacek@gmail.com>

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8510)
2019-03-18 18:13:24 +10:00
Markus Stockhausen
4592172376 MIPS32R3 provides the EXT instruction to extract bits from
registers. As the AES table is already 1K aligned we can
use it everywhere and speedup table address calculation by
10%. Performance numbers:

decryption         16B       64B      256B     1024B     8192B
-------------------------------------------------------------------
aes-256-cbc   5636.84k  6443.26k  6689.02k  6752.94k  6766.59k bef.
aes-256-cbc   6200.31k  7195.71k  7504.30k  7585.11k  7599.45k aft.
-------------------------------------------------------------------
aes-128-cbc   7313.85k  8653.67k  9079.55k  9188.35k  9205.08k bef.
aes-128-cbc   7925.38k  9557.99k 10092.37k 10232.15k 10272.77k aft.

encryption         16B       64B      256B     1024B     8192B
-------------------------------------------------------------------
aes-256 cbc   6009.65k  6592.70k  6766.59k  6806.87k  6815.74k bef.
aes-256 cbc   6643.93k  7388.69k  7605.33k  7657.81k  7675.90k aft.
-------------------------------------------------------------------
aes-128 cbc   7862.09k  8892.48k  9214.04k  9291.78k  9311.57k bef.
aes-128 cbc   8639.29k  9881.17k 10265.86k 10363.56k 10392.92k aft.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8206)
2019-02-20 23:17:16 +01:00
David Benjamin
c0e8e5007b Fix some CFI issues in x86_64 assembly
The add/double shortcut in ecp_nistz256-x86_64.pl left one instruction
point that did not unwind, and the "slow" path in AES_cbc_encrypt was
not annotated correctly. For the latter, add
.cfi_{remember,restore}_state support to perlasm.

Next, fill in a bunch of functions that are missing no-op .cfi_startproc
and .cfi_endproc blocks. libunwind cannot unwind those stack frames
otherwise.

Finally, work around a bug in libunwind by not encoding rflags. (rflags
isn't a callee-saved register, so there's not much need to annotate it
anyway.)

These were found as part of ABI testing work in BoringSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8109
2019-02-17 23:39:51 +01:00
Andy Polyakov
db42bb440e ARM64 assembly pack: make it Windows-friendly.
"Windows friendliness" means a) unified PIC-ification, unified across
all platforms; b) unified commantary delimiter; c) explicit ldur/stur,
as Visual Studio assembler can't automatically encode ldr/str as
ldur/stur when needed.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8256)
2019-02-16 17:01:15 +01:00
Andy Polyakov
3405db97e5 ARM assembly pack: make it Windows-friendly.
"Windows friendliness" means a) flipping .thumb and .text directives,
b) always generate Thumb-2 code when asked(*); c) Windows-specific
references to external OPENSSL_armcap_P.

(*) so far *some* modules were compiled as .code 32 even if Thumb-2
was targeted. It works at hardware level because processor can alternate
between the modes with no overhead. But clang --target=arm-windows's
builtin assembler just refuses to compile .code 32...

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8252)
2019-02-16 16:59:23 +01:00
Andy Polyakov
9a18aae5f2 AArch64 assembly pack: authenticate return addresses.
ARMv8.3 adds pointer authentication extension, which in this case allows
to ensure that, when offloaded to stack, return address is same at return
as at entry to the subroutine. The new instructions are nops on processors
that don't implement the extension, so that the vetification is backward
compatible.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8205)
2019-02-12 19:00:42 +01:00
Richard Levitte
77adb75e16 Build: Remove BEGINRAW / ENDRAW / OVERRIDE
It was an ugly hack to avoid certain problems that are no more.

Also added GENERATE lines for perlasm scripts that didn't have that
explicitly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)
2019-01-31 16:19:49 +01:00
Richard Levitte
c918d8e283 Following the license change, modify the boilerplates in crypto/aes/
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7771)
2018-12-06 14:23:25 +01:00
Richard Levitte
389c09fa09 License: change any non-boilerplate comment referring to "OpenSSL license"
Make it just say "the License", which refers back to the standard
boilerplate.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7764)
2018-12-06 13:26:28 +01:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Andy Polyakov
1753d12374 PA-RISC assembly pack: make it work with GNU assembler for HP-UX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6583)
2018-06-25 16:45:48 +02:00
Andy Polyakov
41013cd63c PPC assembly pack: correct POWER9 results.
As it turns out originally published results were skewed by "turbo"
mode. VM apparently remains oblivious to dynamic frequency scaling,
and reports that processor operates at "base" frequency at all times.
While actual frequency gets increased under load.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6406)
2018-06-03 21:20:06 +02:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
Andy Polyakov
13f6857db1 PPC assembly pack: add POWER9 results.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-05-10 11:44:21 +02:00
Matt Caswell
b0edda11cb Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 13:08:46 +00:00
Andy Polyakov
9d3cab4bdb MIPS assembly pack: default heuristic detection to little-endian.
Current endianness detection is somewhat opportunistic and can fail
in cross-compile scenario. Since we are more likely to cross-compile
for little-endian now, adjust the default accordingly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5613)
2018-03-19 14:31:30 +01:00
David Benjamin
8a5d8bc4bc Always use adr with __thumb2__.
Thumb2 addresses are a bit a mess, depending on whether a label is
interpreted as a function pointer value (for use with BX and BLX) or as
a program counter value (for use with PC-relative addressing). Clang's
integrated assembler mis-assembles this code. See
https://crbug.com/124610#c54 for details.

Instead, use the ADR pseudo-instruction which has clear semantics and
should be supported by every assembler that handles the OpenSSL Thumb2
code. (In other files, the ADR vs SUB conditionals are based on
__thumb2__ already. For some reason, this one is based on __APPLE__, I'm
guessing to deal with an older version of clang assembler.)

It's unclear to me which of clang or binutils is "correct" or if this is
even a well-defined notion beyond "whatever binutils does". But I will
note that https://github.com/openssl/openssl/pull/4669 suggests binutils
has also changed behavior around this before.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5431)
2018-02-27 18:46:33 -05:00
Richard Levitte
722c9762f2 Harmonize the make variables across all known platforms families
The make variables LIB_CFLAGS, DSO_CFLAGS and so on were used in
addition to CFLAGS and so on.  This works without problem on Unix and
Windows, where options with different purposes (such as -D and -I) can
appear anywhere on the command line and get accumulated as they come.
This is not necessarely so on VMS.  For example, macros must all be
collected and given through one /DEFINE, and the same goes for
inclusion directories (/INCLUDE).

So, to harmonize all platforms, we repurpose make variables starting
with LIB_, DSO_ and BIN_ to be all encompassing variables that
collects the corresponding values from CFLAGS, CPPFLAGS, DEFINES,
INCLUDES and so on together with possible config target values
specific for libraries DSOs and programs, and use them instead of the
general ones everywhere.

This will, for example, allow VMS to use the exact same generators for
generated files that go through cpp as all other platforms, something
that has been impossible to do safely before now.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5357)
2018-02-14 17:13:53 +01:00
Richard Levitte
8c3bc594e0 Processing GNU-style "make variables" - separate CPP flags from C flags
C preprocessor flags get separated from C flags, which has the
advantage that we don't get loads of macro definitions and inclusion
directory specs when linking shared libraries, DSOs and programs.

This is a step to add support for "make variables" when configuring.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5177)
2018-01-28 07:26:10 +01:00
Richard Levitte
3c7d0945b6 Update copyright years on all files merged since Jan 1st 2018
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5038)
2018-01-09 05:49:01 +01:00
Patrick Steuer
e21a84308c crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)
2018-01-07 21:51:53 +01:00
Patrick Steuer
1c3a23e446 s390x assembly pack: add KMA code path for aes-ctr.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)
2018-01-07 21:51:09 +01:00
Andy Polyakov
7533162322 ARMv8 assembly pack: add Qualcomm Kryo results.
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
2017-11-13 11:13:00 +01:00
Josh Soref
46f4e1bec5 Many spelling fixes/typo's corrected.
Around 138 distinct errors found and fixed; thanks!

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
2017-11-11 19:03:10 -05:00
Andy Polyakov
b82acc3c1a aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4669)
2017-11-05 16:56:32 +01:00
Patrick Steuer
bc4e831ccd s390x assembly pack: extend s390x capability vector.
Extend the s390x capability vector to store the longer facility list
available from z13 onwards. The bits indicating the vector extensions
are set to zero, if the kernel does not enable the vector facility.

Also add capability bits returned by the crypto instructions' query
functions.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4542)
2017-10-30 14:31:32 +01:00
Patrick Steuer
af1d638730 s390x assembly pack: remove capability double-checking.
An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)
2017-10-17 21:55:33 +02:00
Patrick Steuer
4c5100ce7d crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)
2017-10-17 21:55:13 +02:00
Rich Salz
e3713c365c Remove email addresses from source code.
Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)
2017-10-13 10:06:59 -04:00
Andy Polyakov
1843787173 aes/asm/aesni-sha*-x86_64.pl: add SHAEXT performance results.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/3898)
2017-07-24 23:29:46 +02:00
Andy Polyakov
64d92d7498 x86_64 assembly pack: "optimize" for Knights Landing, add AVX-512 results.
"Optimize" is in quotes because it's rather a "salvage operation"
for now. Idea is to identify processor capability flags that
drive Knights Landing to suboptimial code paths and mask them.
Two flags were identified, XSAVE and ADCX/ADOX. Former affects
choice of AES-NI code path specific for Silvermont (Knights Landing
is of Silvermont "ancestry"). And 64-bit ADCX/ADOX instructions are
effectively mishandled at decode time. In both cases we are looking
at ~2x improvement.

AVX-512 results cover even Skylake-X :-)

Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-07-21 14:07:32 +02:00
Andy Polyakov
54f8f9a1ed x86_64 assembly pack: fill some blanks in Ryzen results.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
2017-07-03 18:17:00 +02:00
David Benjamin
e195c8a256 Remove filename argument to x86 asm_init.
The assembler already knows the actual path to the generated file and,
in other perlasm architectures, is left to manage debug symbols itself.
Notably, in OpenSSL 1.1.x's new build system, which allows a separate
build directory, converting .pl to .s as the scripts currently do result
in the wrong paths.

This also avoids inconsistencies from some of the files using $0 and
some passing in the filename.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3431)
2017-05-11 17:00:23 -04:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
Andy Polyakov
0822d41b6d aes/asm/bsaes-armv7.pl: relax stack alignment requirement.
Even though Apple refers to Procedure Call Standard for ARM Architecture
(AAPCS), they apparently adhere to custom version that doesn't follow
stack alignment constraints in the said standard. [Why or why? If it's
vendor lock-in thing, then it would be like worst spot ever.] And since
bsaes-armv7 relied on standard alignment, it became problematic to
execute the code on iOS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-03-26 18:29:03 +02:00
Andy Polyakov
08d09628d2 aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
Initial IV was disregarded on SHAEXT-capable processors. Amazingly
enough bulk AES128-SHA* talk-to-yourself tests were passing.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2992)
2017-03-22 11:02:56 +01:00
Andy Polyakov
6cbfd94d08 x86_64 assembly pack: add some Ryzen performance results.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2017-03-22 10:58:01 +01:00
Andy Polyakov
ea750b5929 aes/aes_x86core.c: clarify reference implementation status.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-02 16:26:01 +01:00
Emilia Kasper
b53338cbf8 Clean up references to FIPS
This removes the fips configure option. This option is broken as the
required FIPS code is not available.

FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.

Reviewed-by: Stephen Henson <steve@openssl.org>
2017-02-28 15:26:25 +01:00
Rich Salz
b1498c98f3 Don't call memcpy if len is zero.
Prevent undefined behavior in CRYPTO_cbc128_encrypt: calling this function
with the 'len' parameter being 0 would result in a memcpy where the source
and destination parameters are the same, which is undefined behavior.
Do same for AES_ige_encrypt.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2671)
2017-02-20 19:17:53 -05:00
Andy Polyakov
c93f06c12f ARMv4 assembly pack: harmonize Thumb-ification of iOS build.
Three modules were left behind in a285992763.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2617)
2017-02-15 23:16:01 +01:00
Andy Polyakov
b84460ad3a aes/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:17:29 +01:00
Andy Polyakov
384e6de4c7 x86_64 assembly pack: Win64 SEH face-lift.
- harmonize handlers with guidelines and themselves;
- fix some bugs in handlers;
- add missing handlers in chacha and ecp_nistz256 modules;

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-06 08:21:42 +01:00
Andy Polyakov
a30b0522cb x86 assembly pack: update performance results.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-19 16:18:25 +01:00