[openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files

Andy Polyakov appro at openssl.org
Tue Mar 1 23:04:22 UTC 2016


> I'm unclear on what EVP_CIPHER's interface guarantees are, but our EVP_AEAD
> APIs are documented to allow in/out buffers to alias as long as out is <=
> in. This matches what callers might expect from a naive implementation.
> 
> Our AES-GCM EVP_AEADs, which share code with OpenSSL, have tended to match
> this pattern too. For ChaCha, of chacha-{x86,x86_64,armv4,armv8}.pl and the
> C implementation, all seem satisfy this (though it's possible I don't have
> complete coverage) except for chacha-x86.pl. That one works if in == out,
> but not if out is slightly behind.
> 
> We were able to reproduce problems when in = out + 1. The SSE3 code
> triggers if the input is at least 256 bytes and the non-SSE3 code if the
> input is at least 64 bytes. The non-SSE3 code is because the words in a
> block are processed in a slightly funny order (0, 4, 8, 9, 12, 14, 1, 2, 3,
> 5, 6, 7, 10, 11, 13, 15). I haven't looked at the SSE3 case carefully, but
> I expect it's something similar.

It's in 16-byte chunks numbered 0,4,8,12, 1,5,8,13, 2,6,...

> Could the blocks perhaps be processed in a more straight-forward ordering,
> so that chacha-x86.pl behaves like the other implementations? (It's nice to
> avoid bugs that only trigger in one implementation.) Or is this order
> necessary for something?

It's the order in which amount of references to memory is minimal. But
double-check attached.


-------------- next part --------------
diff --git a/crypto/chacha/asm/chacha-x86.pl b/crypto/chacha/asm/chacha-x86.pl
index 850c917..986e7f7 100755
--- a/crypto/chacha/asm/chacha-x86.pl
+++ b/crypto/chacha/asm/chacha-x86.pl
@@ -19,13 +19,13 @@
 # P4		18.6/+84%
 # Core2		9.56/+89%	4.83
 # Westmere	9.50/+45%	3.35
-# Sandy Bridge	10.5/+47%	3.20
-# Haswell	8.15/+50%	2.83
-# Silvermont	17.4/+36%	8.35
+# Sandy Bridge	10.7/+47%	3.24
+# Haswell	8.22/+50%	2.89
+# Silvermont	17.8/+36%	8.53
 # Sledgehammer	10.2/+54%
-# Bulldozer	13.4/+50%	4.38(*)
+# Bulldozer	13.5/+50%	4.39(*)
 #
-# (*)	Bulldozer actually executes 4xXOP code path that delivers 3.55;
+# (*)	Bulldozer actually executes 4xXOP code path that delivers 3.50;
 
 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 push(@INC,"${dir}","${dir}../../perlasm");
@@ -238,18 +238,20 @@ if ($xmm) {
 
 	&xor	($a, &DWP(4*0,$b));		# xor with input
 	&xor	($b_,&DWP(4*4,$b));
-	&mov	(&DWP(4*0,"esp"),$a);
+	&mov	(&DWP(4*0,"esp"),$a);		# off-load for later write
 	&mov	($a,&wparam(0));		# load output pointer
 	&xor	($c, &DWP(4*8,$b));
 	&xor	($c_,&DWP(4*9,$b));
 	&xor	($d, &DWP(4*12,$b));
 	&xor	($d_,&DWP(4*14,$b));
-	&mov	(&DWP(4*4,$a),$b_);		# write output
-	&mov	(&DWP(4*8,$a),$c);
-	&mov	(&DWP(4*9,$a),$c_);
-	&mov	(&DWP(4*12,$a),$d);
-	&mov	(&DWP(4*14,$a),$d_);
+	&mov	(&DWP(4*4,"esp"),$b_);
+	&mov	($b_,&DWP(4*0,"esp"));
+	&mov	(&DWP(4*8,"esp"),$c);
+	&mov	(&DWP(4*9,"esp"),$c_);
+	&mov	(&DWP(4*12,"esp"),$d);
+	&mov	(&DWP(4*14,"esp"),$d_);
 
+	&mov	(&DWP(4*0,$a),$b_);		# write output in order
 	&mov	($b_,&DWP(4*1,"esp"));
 	&mov	($c, &DWP(4*2,"esp"));
 	&mov	($c_,&DWP(4*3,"esp"));
@@ -266,35 +268,45 @@ if ($xmm) {
 	&xor	($d, &DWP(4*5,$b));
 	&xor	($d_,&DWP(4*6,$b));
 	&mov	(&DWP(4*1,$a),$b_);
+	&mov	($b_,&DWP(4*4,"esp"));
 	&mov	(&DWP(4*2,$a),$c);
 	&mov	(&DWP(4*3,$a),$c_);
+	&mov	(&DWP(4*4,$a),$b_);
 	&mov	(&DWP(4*5,$a),$d);
 	&mov	(&DWP(4*6,$a),$d_);
 
-	&mov	($b_,&DWP(4*7,"esp"));
-	&mov	($c, &DWP(4*10,"esp"));
+	&mov	($c,&DWP(4*7,"esp"));
+	&mov	($d,&DWP(4*8,"esp"));
+	&mov	($d_,&DWP(4*9,"esp"));
+	&add	($c,&DWP(64+4*7,"esp"));
+	&mov	($b_, &DWP(4*10,"esp"));
+	&xor	($c,&DWP(4*7,$b));
 	&mov	($c_,&DWP(4*11,"esp"));
+	&mov	(&DWP(4*7,$a),$c);
+	&mov	(&DWP(4*8,$a),$d);
+	&mov	(&DWP(4*9,$a),$d_);
+
+	&add	($b_, &DWP(64+4*10,"esp"));
+	&add	($c_,&DWP(64+4*11,"esp"));
+	&xor	($b_, &DWP(4*10,$b));
+	&xor	($c_,&DWP(4*11,$b));
+	&mov	(&DWP(4*10,$a),$b_);
+	&mov	(&DWP(4*11,$a),$c_);
+
+	&mov	($c,&DWP(4*12,"esp"));
+	&mov	($c_,&DWP(4*14,"esp"));
 	&mov	($d, &DWP(4*13,"esp"));
 	&mov	($d_,&DWP(4*15,"esp"));
-	&add	($b_,&DWP(64+4*7,"esp"));
-	&add	($c, &DWP(64+4*10,"esp"));
-	&add	($c_,&DWP(64+4*11,"esp"));
 	&add	($d, &DWP(64+4*13,"esp"));
 	&add	($d_,&DWP(64+4*15,"esp"));
-	&xor	($b_,&DWP(4*7,$b));
-	&xor	($c, &DWP(4*10,$b));
-	&xor	($c_,&DWP(4*11,$b));
 	&xor	($d, &DWP(4*13,$b));
 	&xor	($d_,&DWP(4*15,$b));
 	&lea	($b,&DWP(4*16,$b));
-	&mov	(&DWP(4*7,$a),$b_);
-	&mov	($b_,&DWP(4*0,"esp"));
-	&mov	(&DWP(4*10,$a),$c);
+	&mov	(&DWP(4*12,$a),$c);
 	&mov	($c,&wparam(2));		# len
-	&mov	(&DWP(4*11,$a),$c_);
 	&mov	(&DWP(4*13,$a),$d);
+	&mov	(&DWP(4*14,$a),$c_);
 	&mov	(&DWP(4*15,$a),$d_);
-	&mov	(&DWP(4*0,$a),$b_);
 	&lea	($a,&DWP(4*16,$a));
 	&sub	($c,64);
 	&jnz	(&label("outer_loop"));
@@ -572,12 +584,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 
     my ($xa0,$xa1,$xa2,$xa3,$xt0,$xt1,$xt2,$xt3)=map("xmm$_",(0..7));
 
-	#&movdqa	($xa0,&QWP(16*0-128,"ebx"));	# it's there
-	&movdqa		($xa1,&QWP(16*1-128,"ebx"));
-	&movdqa		($xa2,&QWP(16*2-128,"ebx"));
-	&movdqa		($xa3,&QWP(16*3-128,"ebx"));
-
     for($i=0;$i<256;$i+=64) {
+	#&movdqa	($xa0,&QWP($i+16*0-128,"ebx"));	# it's there
+	&movdqa		($xa1,&QWP($i+16*1-128,"ebx"));
+	&movdqa		($xa2,&QWP($i+16*2-128,"ebx"));
+	&movdqa		($xa3,&QWP($i+16*3-128,"ebx"));
+
 	&paddd		($xa0,&QWP($i+16*0-128,"ebp"));	# accumulate key material
 	&paddd		($xa1,&QWP($i+16*1-128,"ebp"));
 	&paddd		($xa2,&QWP($i+16*2-128,"ebp"));
@@ -598,25 +610,29 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 
 	#($xa2,$xt2)=($xt2,$xa2);
 
-	&movdqu		($xt0,&QWP(64*0-128,$inp));	# load input
-	&movdqu		($xt1,&QWP(64*1-128,$inp));
-	&movdqu		($xa2,&QWP(64*2-128,$inp));
-	&movdqu		($xt3,&QWP(64*3-128,$inp));
-	&lea		($inp,&QWP($i<192?16:(64*4-16*3),$inp));
-	&pxor		($xt0,$xa0);
+	&movdqa		(&QWP($i+16*0-128,"ebx"),$xa0);
 	&movdqa		($xa0,&QWP($i+16*4-128,"ebx"))	if ($i<192);
-	&pxor		($xt1,$xa1);
-	&movdqa		($xa1,&QWP($i+16*5-128,"ebx"))	if ($i<192);
-	&pxor		($xt2,$xa2);
-	&movdqa		($xa2,&QWP($i+16*6-128,"ebx"))	if ($i<192);
-	&pxor		($xt3,$xa3);
-	&movdqa		($xa3,&QWP($i+16*7-128,"ebx"))	if ($i<192);
-	&movdqu		(&QWP(64*0-128,$out),$xt0);	# store output
-	&movdqu		(&QWP(64*1-128,$out),$xt1);
-	&movdqu		(&QWP(64*2-128,$out),$xt2);
-	&movdqu		(&QWP(64*3-128,$out),$xt3);
-	&lea		($out,&QWP($i<192?16:(64*4-16*3),$out));
+	&movdqa		(&QWP($i+16*1-128,"ebx"),$xa1);
+	&movdqa		(&QWP($i+16*2-128,"ebx"),$xt2);
+	&movdqa		(&QWP($i+16*3-128,"ebx"),$xa3);
+    }
+    for($i=0;$i<256;$i+=64) {
+	my $j = 16*($i/64);
+	&movdqu		($xa0,&QWP($i+16*0-128,$inp));	# load input
+	&movdqu		($xa1,&QWP($i+16*1-128,$inp));
+	&movdqu		($xa2,&QWP($i+16*2-128,$inp));
+	&movdqu		($xa3,&QWP($i+16*3-128,$inp));
+	&pxor		($xa0,&QWP($j+64*0-128,"ebx"));
+	&pxor		($xa1,&QWP($j+64*1-128,"ebx"));
+	&pxor		($xa2,&QWP($j+64*2-128,"ebx"));
+	&pxor		($xa3,&QWP($j+64*3-128,"ebx"));
+	&movdqu		(&QWP($i+16*0-128,$out),$xa0);	# write output
+	&movdqu		(&QWP($i+16*1-128,$out),$xa1);
+	&movdqu		(&QWP($i+16*2-128,$out),$xa2);
+	&movdqu		(&QWP($i+16*3-128,$out),$xa3);
     }
+	&lea		($inp,&DWP(256,$inp));
+	&lea		($out,&DWP(256,$out));
 	&sub		($len,64*4);
 	&jnc		(&label("outer_loop"));
 
@@ -967,12 +983,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 
     my ($xa0,$xa1,$xa2,$xa3,$xt0,$xt1,$xt2,$xt3)=map("xmm$_",(0..7));
 
-	#&vmovdqa	($xa0,&QWP(16*0-128,"ebx"));	# it's there
-	&vmovdqa	($xa1,&QWP(16*1-128,"ebx"));
-	&vmovdqa	($xa2,&QWP(16*2-128,"ebx"));
-	&vmovdqa	($xa3,&QWP(16*3-128,"ebx"));
-
     for($i=0;$i<256;$i+=64) {
+	#&vmovdqa	($xa0,&QWP($i+16*0-128,"ebx"));		# it's there
+	&vmovdqa	($xa1,&QWP($i+16*1-128,"ebx"));
+	&vmovdqa	($xa2,&QWP($i+16*2-128,"ebx"));
+	&vmovdqa	($xa3,&QWP($i+16*3-128,"ebx"));
+
 	&vpaddd		($xa0,$xa0,&QWP($i+16*0-128,"ebp"));	# accumulate key material
 	&vpaddd		($xa1,$xa1,&QWP($i+16*1-128,"ebp"));
 	&vpaddd		($xa2,$xa2,&QWP($i+16*2-128,"ebp"));
@@ -987,21 +1003,33 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 	&vpunpcklqdq	($xt3,$xa0,$xa2);	# "a2"
 	&vpunpckhqdq	($xa3,$xa0,$xa2);	# "a3"
 
-	&vpxor		($xt0,$xa1,&QWP(64*0-128,$inp));
-	&vpxor		($xt1,$xt2,&QWP(64*1-128,$inp));
-	&vpxor		($xt2,$xt3,&QWP(64*2-128,$inp));
-	&vpxor		($xt3,$xa3,&QWP(64*3-128,$inp));
-	&lea		($inp,&QWP($i<192?16:(64*4-16*3),$inp));
-	&vmovdqa	($xa0,&QWP($i+16*4-128,"ebx"))	if ($i<192);
-	&vmovdqa	($xa1,&QWP($i+16*5-128,"ebx"))	if ($i<192);
-	&vmovdqa	($xa2,&QWP($i+16*6-128,"ebx"))	if ($i<192);
-	&vmovdqa	($xa3,&QWP($i+16*7-128,"ebx"))	if ($i<192);
-	&vmovdqu	(&QWP(64*0-128,$out),$xt0);	# store output
-	&vmovdqu	(&QWP(64*1-128,$out),$xt1);
-	&vmovdqu	(&QWP(64*2-128,$out),$xt2);
-	&vmovdqu	(&QWP(64*3-128,$out),$xt3);
-	&lea		($out,&QWP($i<192?16:(64*4-16*3),$out));
+	&vmovdqa	($xa0,&QWP($i+16*4-128,"ebx"))		if ($i<192);
+	&vmovdqa	(&QWP($i+16*0-128,"ebx"),$xa1);
+	&vmovdqa	(&QWP($i+16*1-128,"ebx"),$xt2);
+	&vmovdqa	(&QWP($i+16*2-128,"ebx"),$xt3);
+	&vmovdqa	(&QWP($i+16*3-128,"ebx"),$xa3);
+    }
+	&vmovdqu	($xa0,&QWP(16*0-128,$inp));		# load input
+	&vmovdqu	($xa1,&QWP(16*1-128,$inp));
+	&vmovdqu	($xa2,&QWP(16*2-128,$inp));
+	&vmovdqu	($xa3,&QWP(16*3-128,$inp));
+    for($i=0;$i<256;$i+=64) {
+	my $j = 16*($i/64);
+	&vpxor		($xt0,$xa0,&QWP($j+64*0-128,"ebx"));
+	&vmovdqu	($xa0,&QWP($i+16*4-128,$inp))		if ($i<192);
+	&vpxor		($xt1,$xa1,&QWP($j+64*1-128,"ebx"));
+	&vmovdqu	($xa1,&QWP($i+16*5-128,$inp))		if ($i<192);
+	&vpxor		($xt2,$xa2,&QWP($j+64*2-128,"ebx"));
+	&vmovdqu	($xa2,&QWP($i+16*6-128,$inp))		if ($i<192);
+	&vpxor		($xt3,$xa3,&QWP($j+64*3-128,"ebx"));
+	&vmovdqu	($xa3,&QWP($i+16*7-128,$inp))		if ($i<192);
+	&vmovdqu	(&QWP($i+16*0-128,$out),$xt0);		# write output
+	&vmovdqu	(&QWP($i+16*1-128,$out),$xt1);
+	&vmovdqu	(&QWP($i+16*2-128,$out),$xt2);
+	&vmovdqu	(&QWP($i+16*3-128,$out),$xt3);
     }
+	&lea		($inp,&DWP(256,$inp));
+	&lea		($out,&DWP(256,$out));
 	&sub		($len,64*4);
 	&jnc		(&label("outer_loop"));
 


More information about the openssl-dev mailing list