kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Unwind the large_inputs hint in aes_ctr_set_key.

Browse Source 
With bsaes-x86_64.pl gone, it is no longer needed. Depending on how armv7 works
(if vpaes-armv7.pl is too slow AND on-demand vpaes->bsaes key conversion is not
viable), we may need to bring it back, but get it out of the way for now.

Bug: 256
Change-Id: I762c83097bd03d88574ae1ae16b88fca6826f655
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35365
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2019-03-21 23:19:42 -05:00 committed by CQ bot account: commit-bot@chromium.org
parent 32ce6032ff
commit 1a36dd4930
6 changed files with 14 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/cipher_extra/e_aesccm.c
View File

@ -66,8 +66,7 @@ static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state;
block128_f block;
ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len,
0 /* small inputs */);
ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);
ctx->tag_len = tag_len;
if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);

4
crypto/cipher_extra/e_aesctrhmac.c
View File

@ -94,8 +94,8 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
return 0;
}
aes_ctx->ctr = aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key,
aes_key_len, 1 /* large inputs */);
aes_ctx->ctr =
aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
ctx->tag_len = tag_len;
hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
key + aes_key_len);

5
crypto/cipher_extra/e_aesgcmsiv.c
View File

@ -595,7 +595,7 @@ static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,
key_len, 0 /* small inputs */);
key_len);
gcm_siv_ctx->is_256 = (key_len == 32);
ctx->tag_len = tag_len;
@ -719,8 +719,7 @@ static void gcm_siv_keys(
OPENSSL_memcpy(out_keys->auth_key, key_material, 16);
aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16,
0 /* small inputs */);
key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16);
}
static int aead_aes_gcm_siv_seal_scatter(

14
crypto/fipsmodule/cipher/e_aes.c
View File

@ -230,7 +230,7 @@ static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
block128_f *out_block, const uint8_t *key,
size_t key_bytes, int large_inputs) {
size_t key_bytes) {
if (hwaes_capable()) {
aes_hw_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_key != NULL) {
@ -242,9 +242,7 @@ ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
return aes_hw_ctr32_encrypt_blocks;
}
const int bsaes_ok = bsaes_capable();
const int vpaes_ok = vpaes_capable();
if (bsaes_ok && (large_inputs || !vpaes_ok)) {
if (bsaes_capable()) {
aes_nohw_set_encrypt_key(key, key_bytes * 8, aes_key);
if (gcm_key != NULL) {
CRYPTO_gcm128_init_key(gcm_key, aes_key, aes_nohw_encrypt, 0);
@ -255,7 +253,7 @@ ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
return bsaes_ctr32_encrypt_blocks;
}
if (vpaes_ok) {
if (vpaes_capable()) {
vpaes_set_encrypt_key(key, key_bytes * 8, aes_key);
if (out_block) {
*out_block = vpaes_encrypt;
@ -317,7 +315,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
if (key) {
OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm));
gctx->ctr = aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm.gcm_key, NULL, key,
ctx->key_len, 1 /* large inputs */);
ctx->key_len);
// If we have an iv can set it directly, otherwise use saved IV.
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
@ -860,8 +858,8 @@ static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,
return 0;
}
gcm_ctx->ctr = aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key,
key_len, 1 /* large inputs */);
gcm_ctx->ctr =
aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm_key, NULL, key, key_len);
*out_tag_len = tag_len;
return 1;
}

4
crypto/fipsmodule/cipher/internal.h
View File

@ -117,11 +117,9 @@ struct evp_aead_st {
// set to a function that encrypts single blocks. If not NULL, |*gcm_key| is
// initialised to do GHASH with the given key. It returns a function for
// optimised CTR-mode, or NULL if CTR-mode should be built using |*out_block|.
// |large_input| is a hint to select AES implementations. If it is one, the
// caller expects this key to be used with large inputs.
ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_KEY *gcm_key,
block128_f *out_block, const uint8_t *key,
size_t key_bytes, int large_input);
size_t key_bytes);
#if defined(__cplusplus)
} // extern C

10
crypto/fipsmodule/rand/ctrdrbg.c
View File

@ -57,12 +57,7 @@ int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
seed_material[i] ^= kInitMask[i];
}
// |RAND_bytes| is rarely called with large enough inputs for bsaes to be
// faster than vpaes. bsaes also currently has side channel trade offs
// (https://crbug.com/boringssl/256), which we should especially avoid in the
// PRNG. (Note the size hint is a no-op on machines with AES instructions.)
drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, seed_material, 32,
0 /* small inputs */);
drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, seed_material, 32);
OPENSSL_memcpy(drbg->counter.bytes, seed_material + 32, 16);
drbg->reseed_counter = 1;
@ -98,8 +93,7 @@ static int ctr_drbg_update(CTR_DRBG_STATE *drbg, const uint8_t *data,
temp[i] ^= data[i];
}
drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, temp, 32,
0 /* small inputs */);
drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, temp, 32);
OPENSSL_memcpy(drbg->counter.bytes, temp + 32, 16);
return 1;