228 lines
7.4 KiB
Diff
228 lines
7.4 KiB
Diff
From f4f6661af1bf15fe7416dcca8f5fc84dcabd5242 Mon Sep 17 00:00:00 2001
|
|
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
|
Date: Thu, 21 May 2020 11:58:38 +0200
|
|
Subject: [PATCH 1/2] Enable legacy AES API to use AESNI or VPAES if available
|
|
|
|
When no assembler support is available, we fall back
|
|
to either the constant time C implementation or the
|
|
non-constant time C code implementation.
|
|
|
|
This is controlled by -DOPENSSL_AES_CONST_TIME.
|
|
So this makes the legacy API completely constant time,
|
|
if OPENSSL_AES_CONST_TIME is defined, otherwise it uses constant time
|
|
assembler implementations when available, and may fall back to the
|
|
non-constant time implementation.
|
|
|
|
This works so far only for intel and aarch64 CPUs.
|
|
|
|
[extended tests]
|
|
---
|
|
crypto/aes/aes_core.c | 15 ++++++++
|
|
crypto/evp/e_aes.c | 82 +++++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 97 insertions(+)
|
|
|
|
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
|
|
index ad00c729e70..36e35dfdf49 100644
|
|
--- a/crypto/aes/aes_core.c
|
|
+++ b/crypto/aes/aes_core.c
|
|
@@ -43,6 +43,21 @@
|
|
#include <openssl/aes.h>
|
|
#include "aes_local.h"
|
|
|
|
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
|
|
+int aes_set_encrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key);
|
|
+int aes_set_decrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key);
|
|
+void aes_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key);
|
|
+void aes_decrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key);
|
|
+# define AES_set_encrypt_key aes_set_encrypt_key
|
|
+# define AES_set_decrypt_key aes_set_decrypt_key
|
|
+# define AES_encrypt aes_encrypt
|
|
+# define AES_decrypt aes_decrypt
|
|
+#endif
|
|
+
|
|
#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM)
|
|
typedef union {
|
|
unsigned char b[8];
|
|
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
|
|
index 405ddbf9bf0..8dbc947157d 100644
|
|
--- a/crypto/evp/e_aes.c
|
|
+++ b/crypto/evp/e_aes.c
|
|
@@ -100,6 +100,21 @@ typedef struct {
|
|
|
|
#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
|
|
|
|
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
|
|
+int aes_set_encrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key);
|
|
+int aes_set_decrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key);
|
|
+void aes_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key);
|
|
+void aes_decrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key);
|
|
+# define AES_set_encrypt_key aes_set_encrypt_key
|
|
+# define AES_set_dncrypt_key aes_set_decrypt_key
|
|
+# define AES_encrypt aes_encrypt
|
|
+# define AES_dncrypt aes_dncrypt
|
|
+#endif
|
|
+
|
|
#ifdef VPAES_ASM
|
|
int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
|
|
AES_KEY *key);
|
|
@@ -4287,3 +4302,70 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
|
|
BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
|
|
EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
|
|
#endif /* OPENSSL_NO_OCB */
|
|
+
|
|
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
|
|
+# undef AES_set_encrypt_key
|
|
+# undef AES_set_decrypt_key
|
|
+# undef AES_encrypt
|
|
+# undef AES_decrypt
|
|
+
|
|
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key)
|
|
+{
|
|
+# ifdef AESNI_CAPABLE
|
|
+ if (AESNI_CAPABLE)
|
|
+ return aesni_set_encrypt_key(userKey, bits, key);
|
|
+# endif
|
|
+# ifdef VPAES_CAPABLE
|
|
+ if (VPAES_CAPABLE)
|
|
+ return vpaes_set_encrypt_key(userKey, bits, key);
|
|
+# endif
|
|
+ return aes_set_encrypt_key(userKey, bits, key);
|
|
+}
|
|
+
|
|
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
|
|
+ AES_KEY *key)
|
|
+{
|
|
+# ifdef AESNI_CAPABLE
|
|
+ if (AESNI_CAPABLE)
|
|
+ return aesni_set_decrypt_key(userKey, bits, key);
|
|
+# endif
|
|
+# ifdef VPAES_CAPABLE
|
|
+ if (VPAES_CAPABLE)
|
|
+ return vpaes_set_decrypt_key(userKey, bits, key);
|
|
+# endif
|
|
+ return aes_set_decrypt_key(userKey, bits, key);
|
|
+}
|
|
+
|
|
+void AES_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key)
|
|
+{
|
|
+# ifdef AESNI_CAPABLE
|
|
+ if (AESNI_CAPABLE)
|
|
+ aesni_encrypt(in, out, key);
|
|
+ else
|
|
+# endif
|
|
+# ifdef VPAES_CAPABLE
|
|
+ if (VPAES_CAPABLE)
|
|
+ vpaes_encrypt(in, out, key);
|
|
+ else
|
|
+# endif
|
|
+ aes_encrypt(in, out, key);
|
|
+}
|
|
+
|
|
+void AES_decrypt(const unsigned char *in, unsigned char *out,
|
|
+ const AES_KEY *key)
|
|
+{
|
|
+# ifdef AESNI_CAPABLE
|
|
+ if (AESNI_CAPABLE)
|
|
+ aesni_decrypt(in, out, key);
|
|
+ else
|
|
+# endif
|
|
+# ifdef VPAES_CAPABLE
|
|
+ if (VPAES_CAPABLE)
|
|
+ vpaes_decrypt(in, out, key);
|
|
+ else
|
|
+# endif
|
|
+ aes_decrypt(in, out, key);
|
|
+}
|
|
+#endif
|
|
|
|
From 5de700ae03e0fdb8ca738f4c4912107437399d87 Mon Sep 17 00:00:00 2001
|
|
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
|
Date: Sat, 23 May 2020 23:43:36 +0200
|
|
Subject: [PATCH 2/2] Enable AES_cbc_encrypt to use AESNI or VPAES if available
|
|
|
|
This makes the legacy API AES_cbc_encrypt outperform the EVP API.
|
|
|
|
[extended tests]
|
|
---
|
|
crypto/aes/aes_cbc.c | 7 +++++++
|
|
crypto/evp/e_aes.c | 22 ++++++++++++++++++++++
|
|
2 files changed, 29 insertions(+)
|
|
|
|
diff --git a/crypto/aes/aes_cbc.c b/crypto/aes/aes_cbc.c
|
|
index 342841fc4ff..c1195bd432b 100644
|
|
--- a/crypto/aes/aes_cbc.c
|
|
+++ b/crypto/aes/aes_cbc.c
|
|
@@ -10,6 +10,13 @@
|
|
#include <openssl/aes.h>
|
|
#include <openssl/modes.h>
|
|
|
|
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
|
|
+void aes_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ size_t len, const AES_KEY *key,
|
|
+ unsigned char *ivec, const int enc);
|
|
+# define AES_cbc_encrypt aes_cbc_encrypt
|
|
+#endif
|
|
+
|
|
void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
|
size_t len, const AES_KEY *key,
|
|
unsigned char *ivec, const int enc)
|
|
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
|
|
index 8dbc947157d..954425e6552 100644
|
|
--- a/crypto/evp/e_aes.c
|
|
+++ b/crypto/evp/e_aes.c
|
|
@@ -109,10 +109,14 @@ void aes_encrypt(const unsigned char *in, unsigned char *out,
|
|
const AES_KEY *key);
|
|
void aes_decrypt(const unsigned char *in, unsigned char *out,
|
|
const AES_KEY *key);
|
|
+void aes_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ size_t len, const AES_KEY *key,
|
|
+ unsigned char *ivec, const int enc);
|
|
# define AES_set_encrypt_key aes_set_encrypt_key
|
|
# define AES_set_dncrypt_key aes_set_decrypt_key
|
|
# define AES_encrypt aes_encrypt
|
|
# define AES_dncrypt aes_dncrypt
|
|
+# define AES_cbc_encrypt aes_cbc_encrypt
|
|
#endif
|
|
|
|
#ifdef VPAES_ASM
|
|
@@ -4308,6 +4312,7 @@ BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
|
|
# undef AES_set_decrypt_key
|
|
# undef AES_encrypt
|
|
# undef AES_decrypt
|
|
+# undef AES_cbc_encrypt
|
|
|
|
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
|
|
AES_KEY *key)
|
|
@@ -4368,4 +4373,21 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
|
|
# endif
|
|
aes_decrypt(in, out, key);
|
|
}
|
|
+
|
|
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
|
|
+ size_t len, const AES_KEY *key,
|
|
+ unsigned char *ivec, const int enc)
|
|
+{
|
|
+# ifdef AESNI_CAPABLE
|
|
+ if (AESNI_CAPABLE)
|
|
+ aesni_cbc_encrypt(in, out, len, key, ivec, enc);
|
|
+ else
|
|
+# endif
|
|
+# ifdef VPAES_CAPABLE
|
|
+ if (VPAES_CAPABLE)
|
|
+ vpaes_cbc_encrypt(in, out, len, key, ivec, enc);
|
|
+ else
|
|
+# endif
|
|
+ aes_cbc_encrypt(in, out, len, key, ivec, enc);
|
|
+}
|
|
#endif
|