Enable vpaes for AES_* functions.

This makes the AES_* functions meet our constant-time goals for
platforms where we have vpaes available. In particular, QUIC packet
number encryption needs single-block operations and those should have
vpaes available.

As a bonus, when vpaes is statically available, the aes_nohw_* functions
should be dropped by the linker. (Notably, NEON is guaranteed on
aarch64. Although vpaes-armv8.pl itself may take some more exploration.
https://crbug.com/boringssl/246#c4)

Bug: 263
Change-Id: Ie1c4727a166ec101a8453761757c87dadc188769
Reviewed-on: https://boringssl-review.googlesource.com/c/34875
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2019-02-10 04:26:22 +00:00 committed by CQ bot account: commit-bot@chromium.org
parent 3c19830f6f
commit 65dc321492
3 changed files with 21 additions and 10 deletions

View File

@ -808,15 +808,16 @@ void aes_nohw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
#endif // NO_ASM || (!X86 && !X86_64 && !ARM) #endif // NO_ASM || (!X86 && !X86_64 && !ARM)
// Be aware that on x86(-64), the |aes_nohw_*| functions are incompatible with // Be aware that different sets of AES functions use incompatible key
// the aes_hw_* functions. The latter set |AES_KEY.rounds| to one less than the // representations, varying in format of the key schedule, the |AES_KEY.rounds|
// true value, which breaks the former. Therefore the two functions cannot mix. // value, or both. Therefore they cannot mix. Also, on AArch64, the plain-C
// Also, on Aarch64, the plain-C code, above, is incompatible with the // code, above, is incompatible with the |aes_hw_*| functions.
// |aes_hw_*| functions.
void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
if (hwaes_capable()) { if (hwaes_capable()) {
aes_hw_encrypt(in, out, key); aes_hw_encrypt(in, out, key);
} else if (vpaes_capable()) {
vpaes_encrypt(in, out, key);
} else { } else {
aes_nohw_encrypt(in, out, key); aes_nohw_encrypt(in, out, key);
} }
@ -825,6 +826,8 @@ void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
if (hwaes_capable()) { if (hwaes_capable()) {
aes_hw_decrypt(in, out, key); aes_hw_decrypt(in, out, key);
} else if (vpaes_capable()) {
vpaes_decrypt(in, out, key);
} else { } else {
aes_nohw_decrypt(in, out, key); aes_nohw_decrypt(in, out, key);
} }
@ -833,6 +836,8 @@ void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
if (hwaes_capable()) { if (hwaes_capable()) {
return aes_hw_set_encrypt_key(key, bits, aeskey); return aes_hw_set_encrypt_key(key, bits, aeskey);
} else if (vpaes_capable()) {
return vpaes_set_encrypt_key(key, bits, aeskey);
} else { } else {
return aes_nohw_set_encrypt_key(key, bits, aeskey); return aes_nohw_set_encrypt_key(key, bits, aeskey);
} }
@ -841,6 +846,8 @@ int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
if (hwaes_capable()) { if (hwaes_capable()) {
return aes_hw_set_decrypt_key(key, bits, aeskey); return aes_hw_set_decrypt_key(key, bits, aeskey);
} else if (vpaes_capable()) {
return vpaes_set_decrypt_key(key, bits, aeskey);
} else { } else {
return aes_nohw_set_decrypt_key(key, bits, aeskey); return aes_nohw_set_decrypt_key(key, bits, aeskey);
} }

View File

@ -80,14 +80,16 @@ void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
} }
#if defined(AES_NOHW_CBC) #if defined(AES_NOHW_CBC)
aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc); if (!vpaes_capable()) {
#else aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc);
return;
}
#endif
if (enc) { if (enc) {
CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt); CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt);
} else { } else {
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt); CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt);
} }
#endif
} }
void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length, void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,

View File

@ -122,7 +122,8 @@ TEST_F(ImplDispatchTest, AES_set_encrypt_key) {
AssertFunctionsHit( AssertFunctionsHit(
{ {
{kFlag_aes_hw_set_encrypt_key, aesni_}, {kFlag_aes_hw_set_encrypt_key, aesni_},
// VPAES / BSAES will not be used for the |AES_*| functions. {kFlag_vpaes_set_encrypt_key, ssse3_ && !aesni_},
// BSAES will not be used for the |AES_*| functions.
}, },
[] { [] {
AES_KEY key; AES_KEY key;
@ -139,7 +140,8 @@ TEST_F(ImplDispatchTest, AES_single_block) {
AssertFunctionsHit( AssertFunctionsHit(
{ {
{kFlag_aes_hw_encrypt, aesni_}, {kFlag_aes_hw_encrypt, aesni_},
// VPAES / BSAES will not be used for the |AES_*| functions. {kFlag_vpaes_encrypt, ssse3_ && !aesni_},
// BSAES will not be used for the |AES_*| functions.
}, },
[&key] { [&key] {
uint8_t in[AES_BLOCK_SIZE] = {0}; uint8_t in[AES_BLOCK_SIZE] = {0};