BUG=396787 Change-Id: I72ddb0ec3c71dbc70054403163930cbbde4b6009 Reviewed-on: https://boringssl-review.googlesource.com/1581 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -1271,3 +1271,11 @@ static const EVP_AEAD aead_aes_256_key_wrap = { | |||||
const EVP_AEAD *EVP_aead_aes_128_key_wrap() { return &aead_aes_128_key_wrap; } | const EVP_AEAD *EVP_aead_aes_128_key_wrap() { return &aead_aes_128_key_wrap; } | ||||
const EVP_AEAD *EVP_aead_aes_256_key_wrap() { return &aead_aes_256_key_wrap; } | const EVP_AEAD *EVP_aead_aes_256_key_wrap() { return &aead_aes_256_key_wrap; } | ||||
int EVP_has_aes_hardware(void) { | |||||
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) | |||||
return aesni_capable() && crypto_gcm_clmul_enabled(); | |||||
#else | |||||
return 0; | |||||
#endif | |||||
} |
@@ -406,8 +406,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) { | |||||
} | } | ||||
#if defined(GHASH_ASM_X86_OR_64) | #if defined(GHASH_ASM_X86_OR_64) | ||||
if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */ | |||||
OPENSSL_ia32cap_P[1] & (1 << 1)) { /* check PCLMULQDQ bit */ | |||||
if (crypto_gcm_clmul_enabled()) { | |||||
if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ | if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ | ||||
gcm_init_avx(ctx->Htable, ctx->H.u); | gcm_init_avx(ctx->Htable, ctx->H.u); | ||||
ctx->gmult = gcm_gmult_avx; | ctx->gmult = gcm_gmult_avx; | ||||
@@ -1189,3 +1188,14 @@ void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx) { | |||||
OPENSSL_free(ctx); | OPENSSL_free(ctx); | ||||
} | } | ||||
} | } | ||||
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) | |||||
int crypto_gcm_clmul_enabled(void) { | |||||
#ifdef GHASH_ASM | |||||
return OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */ | |||||
OPENSSL_ia32cap_P[1] & (1 << 1); /* check PCLMULQDQ bit */ | |||||
#else | |||||
return 0; | |||||
#endif | |||||
} | |||||
#endif |
@@ -194,6 +194,13 @@ struct ccm128_context { | |||||
#endif | #endif | ||||
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) | |||||
/* crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is | |||||
* used. */ | |||||
int crypto_gcm_clmul_enabled(void); | |||||
#endif | |||||
#if defined(__cplusplus) | #if defined(__cplusplus) | ||||
} /* extern C */ | } /* extern C */ | ||||
#endif | #endif | ||||
@@ -115,6 +115,10 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(); | |||||
* See |EVP_aead_aes_128_key_wrap| for details. */ | * See |EVP_aead_aes_128_key_wrap| for details. */ | ||||
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(); | OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(); | ||||
/* EVP_has_aes_hardware returns one if we enable hardware support for fast and | |||||
* constant-time AES-GCM. */ | |||||
OPENSSL_EXPORT int EVP_has_aes_hardware(void); | |||||
/* TLS specific AEAD algorithms. | /* TLS specific AEAD algorithms. | ||||
* | * | ||||
@@ -79,7 +79,10 @@ extern "C" { | |||||
* Index 1: | * Index 1: | ||||
* ECX for CPUID where EAX = 1 | * ECX for CPUID where EAX = 1 | ||||
* Index 2: | * Index 2: | ||||
* EBX for CPUID where EAX = 7 */ | |||||
* EBX for CPUID where EAX = 7 | |||||
* | |||||
* Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM | |||||
* bits in XCR0, so it is not necessary to check those. */ | |||||
extern uint32_t OPENSSL_ia32cap_P[4]; | extern uint32_t OPENSSL_ia32cap_P[4]; | ||||
#endif | #endif | ||||
@@ -1193,16 +1193,24 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||||
ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ||||
ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail); | ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail); | ||||
/* Order the bulk ciphers. | |||||
* 1. CHACHA20_POLY1305. | |||||
* 2. AES_256_GCM and AES_128_GCM. | |||||
* 3. Legacy non-AEAD ciphers. AES_256_CBC, AES-128_CBC, RC4_128_SHA, | |||||
* RC4_128_MD5, 3DES_EDE_CBC_SHA. | |||||
* TODO(davidben): Prefer AES_GCM over CHACHA20 if there is hardware | |||||
* support. */ | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
/* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer | |||||
* CHACHA20 unless there is hardware support for fast and constant-time | |||||
* AES_GCM. */ | |||||
if (EVP_has_aes_hardware()) | |||||
{ | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
} | |||||
else | |||||
{ | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | |||||
} | |||||
/* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, | |||||
* RC4_128_SHA, RC4_128_MD5, 3DES_EDE_CBC_SHA. */ | |||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES256, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ssl_cipher_apply_rule(0, 0, 0, SSL_AES256, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ||||
ssl_cipher_apply_rule(0, 0, 0, SSL_AES128, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ssl_cipher_apply_rule(0, 0, 0, SSL_AES128, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ||||
ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, ~SSL_MD5, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, ~SSL_MD5, 0, 0, CIPHER_ADD, -1, 0, &head, &tail); | ||||