[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Mon Nov 30 11:15:26 UTC 2020

The branch master has been updated
       via  26217510d21cd4d5928db8bff41c6756a7c7a636 (commit)
      from  cbb85bda0c0849ce962e1cf232689d6351e4a217 (commit)

- Log -----------------------------------------------------------------
commit 26217510d21cd4d5928db8bff41c6756a7c7a636
Author: Ard Biesheuvel <ard.biesheuvel at arm.com>
Date:   Tue Nov 24 17:33:31 2020 +0100

    aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
    ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected
    by silicon errata #1742098 [0] and #1655431 [1], respectively, where the
    second instruction of a AES instruction pair may execute twice if an
    interrupt is taken right after the first instruction consumes an input
    register of which a single 32-bit lane has been updated the last time it
    was modified.
    This is not such a rare occurrence as it may seem: in counter mode, only
    the least significant 32-bit word is incremented in the absence of a
    carry, which makes our counter mode implementation susceptible to these
    So let's shuffle the counter assignments around a bit so that the most
    recent updates when the AES instruction pair executes are 128-bit wide.
    [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
    [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel at arm.com>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13504)


Summary of changes:
 crypto/aes/asm/aesv8-armx.pl | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index ee2e29823a..9532db70e2 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -1797,17 +1797,17 @@ $code.=<<___;
 #ifndef __ARMEB__
 	rev		$ctr, $ctr
-	vorr		$dat1,$dat0,$dat0
 	add		$tctr1, $ctr, #1
-	vorr		$dat2,$dat0,$dat0
-	add		$ctr, $ctr, #2
 	vorr		$ivec,$dat0,$dat0
 	rev		$tctr1, $tctr1
-	vmov.32		${dat1}[3],$tctr1
+	vmov.32		${ivec}[3],$tctr1
+	add		$ctr, $ctr, #2
+	vorr		$dat1,$ivec,$ivec
 	b.ls		.Lctr32_tail
 	rev		$tctr2, $ctr
+	vmov.32		${ivec}[3],$tctr2
 	sub		$len,$len,#3		// bias
-	vmov.32		${dat2}[3],$tctr2
+	vorr		$dat2,$ivec,$ivec
 $code.=<<___	if ($flavour =~ /64/);
 	cmp		$len,#2
@@ -2003,11 +2003,11 @@ $code.=<<___;
 	aese		$dat1,q8
 	aesmc		$tmp1,$dat1
 	 vld1.8		{$in0},[$inp],#16
-	 vorr		$dat0,$ivec,$ivec
+	 add		$tctr0,$ctr,#1
 	aese		$dat2,q8
 	aesmc		$dat2,$dat2
 	 vld1.8		{$in1},[$inp],#16
-	 vorr		$dat1,$ivec,$ivec
+	 rev		$tctr0,$tctr0
 	aese		$tmp0,q9
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q9
@@ -2016,8 +2016,6 @@ $code.=<<___;
 	 mov		$key_,$key
 	aese		$dat2,q9
 	aesmc		$tmp2,$dat2
-	 vorr		$dat2,$ivec,$ivec
-	 add		$tctr0,$ctr,#1
 	aese		$tmp0,q12
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q12
@@ -2033,20 +2031,22 @@ $code.=<<___;
 	aese		$tmp1,q13
 	aesmc		$tmp1,$tmp1
 	 veor		$in2,$in2,$rndlast
-	 rev		$tctr0,$tctr0
+	 vmov.32	${ivec}[3], $tctr0
 	aese		$tmp2,q13
 	aesmc		$tmp2,$tmp2
-	 vmov.32	${dat0}[3], $tctr0
+	 vorr		$dat0,$ivec,$ivec
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
 	aesmc		$tmp0,$tmp0
+	 vmov.32	${ivec}[3], $tctr1
+	 rev		$tctr2,$ctr
 	aese		$tmp1,q14
 	aesmc		$tmp1,$tmp1
-	 vmov.32	${dat1}[3], $tctr1
-	 rev		$tctr2,$ctr
+	 vorr		$dat1,$ivec,$ivec
+	 vmov.32	${ivec}[3], $tctr2
 	aese		$tmp2,q14
 	aesmc		$tmp2,$tmp2
-	 vmov.32	${dat2}[3], $tctr2
+	 vorr		$dat2,$ivec,$ivec
 	 subs		$len,$len,#3
 	aese		$tmp0,q15
 	aese		$tmp1,q15

More information about the openssl-commits mailing list