[openssl-dev] [openssl.org #4305] ChaCha20 assembly bugs

David Benjamin via RT rt at openssl.org
Sat Feb 13 03:50:02 UTC 2016


Hi folks,

I've started playing with the ChaCha20 assembly that was recently checked
in and found a few problems. Most of these do not affect OpenSSL as you
only ever call ChaCha20_ctr32 on a whole number of blocks. But this isn't
documented as a constraint in internal/chacha.h and the assembly has code
for partial blocks, so it seems it was supposed to work. (If not, I'd
recommend removing the codepaths and documenting the constraint.)

1. In chacha-x86_64.pl, .Ltail:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86_64.pl;h=41dbef51b26db07a78d8939c728a8da5c703d806;hb=HEAD#l345
the xor %rbx,%rbx line clobbers @x[1] right before it is read. (@x[1] is
%rbx.) It should be moved one line down or a different register used.

2. In chacha-x86_64.pl, .Loop_tail_ssse3:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86_64.pl;h=41dbef51b26db07a78d8939c728a8da5c703d806;hb=HEAD#l522
The length decrement loop is wrong and instead counts up from 0 to 2^64. It
also clobbers $len because $len is %rdx. This seems to work instead:
.Loop_tail_ssse3:
        movzb   ($inp,%rbx),%eax
        movzb   (%rsp,%rbx),%ecx
        lea     1(%rbx),%rbx
        xor     %ecx,%eax
        mov     %al,-1($out,%rbx)
        dec     $len
        jnz     .Loop_tail_ssse3

3. In chacha-x86.pl, loop:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86.pl;h=60d604882f76c227798895da6fafd798834f467a;hb=HEAD#l207
The line:
         &mov    ($b,&wparam(3));                # load len
should say:
         &mov    ($b,&wparam(2));                # load len
wparam(3) is the pointer to the key. This works in OpenSSL's calls because
pointers are typically larger than 64, and that's sufficient for the
codepaths you exercise.

4. The assembly versions crash if you pass in an empty input/output. The
generic C code handles this fine. (I'll defer to you whether this is a bug
or a caller obligation to be documented.)

I have not tested the AVX2 or XOP code yet. I'll let you know if I find
problems.

David

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4305
Please log in as guest with password guest if prompted
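As an added illustration (not code from the ticket, from OpenSSL or from its assembly), here is a C reference ChaCha20 together with the two checks that would have caught the reports above: a known-answer test on the RFC 7539 section 2.3.2 block vector, and a sweep over every length from 0 upward that compares each result with the prefix of the one-shot keystream and verifies nothing is written past len. The names chacha20_ctr32_ref and chacha20_selfcheck are this example's own; the same sweep aimed at the assembly ChaCha20_ctr32 is how one would test the partial-block and empty-input paths.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define U8TO32(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
#define QR(a, b, c, d) /* RFC 7539 quarter round on four state words */ \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7);
/* One 64-byte keystream block: constants, 256-bit key, 32-bit block counter, 96-bit nonce (RFC 7539 layout). */
static void chacha20_block(uint8_t out[64], const uint8_t key[32], uint32_t ctr, const uint8_t nonce[12]) {
    uint32_t s[16] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}, x[16];
    for (int i = 0; i < 8; i++) s[4 + i] = U8TO32(key + 4 * i);
    s[12] = ctr;
    for (int i = 0; i < 3; i++) s[13 + i] = U8TO32(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (int i = 0; i < 10; i++) { /* 10 double rounds: four column, then four diagonal quarter rounds */
        QR(x[0], x[4], x[8], x[12]) QR(x[1], x[5], x[9], x[13]) QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12]) QR(x[2], x[7], x[8], x[13]) QR(x[3], x[4], x[9], x[14])
    }
    for (int i = 0; i < 16; i++) /* add the initial state and serialize little-endian */
        for (int j = 0; j < 4; j++) out[4 * i + j] = (uint8_t)((x[i] + s[i]) >> (8 * j));
}
/* What ChaCha20_ctr32 is expected to do: XOR exactly len bytes, including a trailing partial block, accepting len == 0. */
static void chacha20_ctr32_ref(uint8_t *out, const uint8_t *in, size_t len, const uint8_t key[32], uint32_t ctr, const uint8_t nonce[12]) {
    uint8_t ks[64];
    for (size_t n = 0; len > 0; in += n, out += n, len -= n) {
        n = len < 64 ? len : 64;                /* last iteration may be a partial block */
        chacha20_block(ks, key, ctr++, nonce);
        for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks[i];
    }
}
/* Self-check on the RFC 7539 section 2.3.2 vector (key 00..1f, nonce 00 00 00 09 00 00 00 4a 00 00 00 00, counter 1):
 * the first 16 keystream bytes must match the RFC, and every len in 0..maxlen (<= 256) must equal that prefix of the
 * one-shot keystream with nothing written past len, the property the partial-block paths broke. Returns 1 on success. */
static int chacha20_selfcheck(size_t maxlen) {
    static const uint8_t nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a}, zero[256] = {0},
        expect[16] = {0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15, 0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4};
    uint8_t key[32], full[256], part[256];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_ctr32_ref(full, zero, sizeof full, key, 1, nonce);
    if (memcmp(full, expect, sizeof expect) != 0) return 0;                        /* known-answer failure */
    for (size_t len = 0; len <= maxlen && len <= sizeof part; len++) {
        memset(part, 0xCC, sizeof part);                                           /* sentinel past len */
        chacha20_ctr32_ref(part, zero, len, key, 1, nonce);
        if (memcmp(part, full, len) != 0) return 0;                                /* wrong bytes in the tail */
        for (size_t i = len; i < sizeof part; i++) if (part[i] != 0xCC) return 0;  /* wrote past len */
    }
    return 1;
}
```

A sweep up to 200 bytes covers the empty input, lengths inside the first block, the 64- and 128-byte boundaries, and partial tails after whole blocks, which are exactly the cases items 1, 2 and 4 above concern.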