From 41525ed62802afd9f125bcf33e986d82bbacd635 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 30 May 2019 14:40:57 +0100 Subject: [PATCH] Ensure we get all the right defines for AES assembler in FIPS module There are various C macro definitions that are passed via the compiler to enable AES assembler optimisation. We need to make sure that these defines are also passed during compilation of the FIPS module. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9038) --- Configurations/windows-makefile.tmpl | 12 ++++++++++- Configure | 30 ++++++++++++++++++++++------ crypto/build.info | 4 ++-- crypto/ppccap.c | 22 ++++++++++++-------- crypto/sparcv9cap.c | 6 ++++++ providers/common/ciphers/build.info | 1 + 6 files changed, 58 insertions(+), 17 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index a07e142672..3c8d51b611 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -287,7 +287,17 @@ DSO_ASFLAGS={- join(' ', $target{dso_asflags} || (), @{$config{module_asflags}}, '$(CNF_ASFLAGS)', '$(ASFLAGS)') -} DSO_CPPFLAGS={- join(' ', $target{dso_cppflags} || (), - $target{module_cppflags} || (), + $target{module_cppflag} || (), + (map { '-D'.quotify1($_) } + @{$target{dso_defines}}, + @{$target{module_defines}}, + @{$config{dso_defines}}, + @{$config{module_defines}}), + (map { '-I'.quotify1($_) } + @{$target{dso_includes}}, + @{$target{module_includes}}, + @{$config{dso_includes}}, + @{$config{module_includes}}), @{$config{dso_cppflags}}, @{$config{module_cppflags}}, '$(CNF_CPPFLAGS)', '$(CPPFLAGS)') -} diff --git a/Configure b/Configure index 2247a36aaa..991f24110b 100755 --- a/Configure +++ b/Configure 
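Review bot: In the `DSO_CPPFLAGS` expression of Configurations/windows-makefile.tmpl the key changes from `$target{module_cppflags}` to `$target{module_cppflag}`, which looks like an unintended typo and not part of the fix. A missing hash key evaluates to undef, so `|| ()` would silently drop any target-level module preprocessor flags from Windows module builds, with no warning at configure time. The line should stay `$target{module_cppflags} || (),`; the `@{$config{module_cppflags}}` entry further down in the same expression still uses the plural spelling.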
@@ -1400,7 +1400,10 @@ if ($target{sys_id} ne "") unless ($disabled{asm}) { $target{cpuid_asm_src}=$table{DEFAULTS}->{cpuid_asm_src} if ($config{processor} eq "386"); - push @{$config{lib_defines}}, "OPENSSL_CPUID_OBJ" if ($target{cpuid_asm_src} ne "mem_clr.c"); + if ($target{cpuid_asm_src} ne "mem_clr.c") { + push @{$config{lib_defines}}, "OPENSSL_CPUID_OBJ"; + push @{$config{module_defines}}, "OPENSSL_CPUID_OBJ"; + } $target{bn_asm_src} =~ s/\w+-gf2m.c// if (defined($disabled{ec2m})); 
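Review bot: Each define in this hunk and in the following Configure hunk (`AES_ASM`, `AES_CTR_ASM`, `AES_XTS_ASM`, `VPAES_ASM`, `BSAES_ASM`) is now pushed by two hand-copied statements, one for `lib_defines` and one for `module_defines`, so a later edit can update one list and miss the other. If the lists drift, the FIPS module would be compiled with different assembler macros from libcrypto, which is the mismatch this commit sets out to remove. One statement per define keeps them in step, e.g. `push @{$config{$_}}, "OPENSSL_CPUID_OBJ" for ('lib_defines', 'module_defines');`. The enclosing `unless ($disabled{asm})` block continues outside the hunk.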
@@ -1432,15 +1435,30 @@ unless ($disabled{asm}) { push @{$config{lib_defines}}, "RMD160_ASM"; } if ($target{aes_asm_src}) { - push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);; + if ($target{aes_asm_src} =~ m/\baes-/) { + push @{$config{lib_defines}}, "AES_ASM"; + push @{$config{module_defines}}, "AES_ASM"; + } # aes-ctr.fake is not a real file, only indication that assembler # module implements AES_ctr32_encrypt... - push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//); + if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//) { + push @{$config{lib_defines}}, "AES_CTR_ASM"; + push @{$config{module_defines}}, "AES_CTR_ASM"; + } # aes-xts.fake indicates presence of AES_xts_[en|de]crypt... - push @{$config{lib_defines}}, "AES_XTS_ASM" if ($target{aes_asm_src} =~ s/\s*aes-xts\.fake//); + if ($target{aes_asm_src} =~ s/\s*aes-xts\.fake//) { + push @{$config{lib_defines}}, "AES_XTS_ASM"; + push @{$config{module_defines}}, "AES_XTS_ASM"; + } $target{aes_asm_src} =~ s/\s*(vpaes|aesni)-x86\.s//g if ($disabled{sse2}); - push @{$config{lib_defines}}, "VPAES_ASM" if ($target{aes_asm_src} =~ m/vpaes/); - push @{$config{lib_defines}}, "BSAES_ASM" if ($target{aes_asm_src} =~ m/bsaes/); + if ($target{aes_asm_src} =~ m/vpaes/) { + push @{$config{lib_defines}}, "VPAES_ASM"; + push @{$config{module_defines}}, "VPAES_ASM"; + } + if ($target{aes_asm_src} =~ m/bsaes/) { + push @{$config{lib_defines}}, "BSAES_ASM"; + push @{$config{module_defines}}, "BSAES_ASM"; + } } if ($target{wp_asm_src} =~ /mmx/) { if ($config{processor} eq "386") { diff --git a/crypto/build.info b/crypto/build.info index 7798bcbe18..fb8f14ed55 100644 --- a/crypto/build.info +++ b/crypto/build.info 
@@ -26,9 +26,9 @@ SOURCE[../libcrypto]=\ # FIPS module SOURCE[../providers/fips]=\ - cryptlib.c mem.c mem_clr.c params.c bsearch.c ex_data.c o_str.c \ + cryptlib.c mem.c params.c bsearch.c ex_data.c o_str.c \ ctype.c threads_pthread.c threads_win.c threads_none.c context.c \ - sparse_array.c + sparse_array.c {- $target{cpuid_asm_src} -} DEPEND[cversion.o]=buildinf.h diff --git a/crypto/ppccap.c b/crypto/ppccap.c index 0d5ab794bd..3465864f0a 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -38,7 +38,12 @@ unsigned int OPENSSL_ppccap_P = 0; static sigset_t all_masked; -#ifdef OPENSSL_BN_ASM_MONT +/* + * TODO(3.0): Temporarily disabled some assembler that hasn't been brought into + * the FIPS module yet. + */ +#ifndef FIPS_MODE +# ifdef OPENSSL_BN_ASM_MONT int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { @@ -63,7 +68,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, return bn_mul_mont_int(rp, ap, bp, np, n0, num); } -#endif +# endif void sha256_block_p8(void *ctx, const void *inp, size_t len); void sha256_block_ppc(void *ctx, const void *inp, size_t len); @@ -83,7 +88,7 @@ void sha512_block_data_order(void *ctx, const void *inp, size_t len) sha512_block_ppc(ctx, inp, len); } -#ifndef OPENSSL_NO_CHACHA +# ifndef OPENSSL_NO_CHACHA void ChaCha20_ctr32_int(unsigned char *out, const unsigned char *inp, size_t len, const unsigned int key[8], const unsigned int counter[4]); @@ -103,9 +108,9 @@ void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) : ChaCha20_ctr32_int(out, inp, len, key, counter); } -#endif +# endif -#ifndef OPENSSL_NO_POLY1305 +# ifndef OPENSSL_NO_POLY1305 void poly1305_init_int(void *ctx, const unsigned char key[16]); void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, unsigned int padbit); 
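Review bot: The FIPS module source list in crypto/build.info no longer names `mem_clr.c` and relies on `{- $target{cpuid_asm_src} -}` to supply it, and nothing next to the list explains that dependency. The Configure hunk in this patch compares `cpuid_asm_src` against `"mem_clr.c"`, so that file is presumably the non-assembler value, but a target whose `cpuid_asm_src` is empty or lacks a cleanse routine would leave the module without its memory-clearing code. A comment above the list would record this, for example `# cpuid_asm_src is mem_clr.c or the CPUID assembler; either must provide the memory cleanse routine`. It is also worth confirming that every target sets a non-empty value.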
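Review bot: The new TODO comment before `#ifndef FIPS_MODE` in crypto/ppccap.c says only that "some assembler" is disabled, while the guard removes every wrapper up to `#endif /* FIPS_MODE */` in a later hunk. That includes `sha512_block_data_order`, which in the visible context does not appear to sit under any feature macro of its own. Listing the excluded entry points makes the FIPS module's contents auditable and tells whoever lifts the guard what to re-check, e.g. `/* TODO(3.0): bn_mul_mont, the SHA block functions, ChaCha20_ctr32, poly1305_init and the ecp_nistz256 helpers are excluded from the FIPS module until their assembler is brought in. */`. The same comment in crypto/sparcv9cap.c guards only `bn_mul_mont` and could say so. The guarded region spans several hunks and parts of it lie outside them.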
@@ -139,9 +144,9 @@ int poly1305_init(void *ctx, const unsigned char key[16], void *func[2]) } return 1; } -#endif +# endif -#ifdef ECP_NISTZ256_ASM +# ifdef ECP_NISTZ256_ASM void ecp_nistz256_mul_mont(unsigned long res[4], const unsigned long a[4], const unsigned long b[4]); @@ -163,7 +168,8 @@ void ecp_nistz256_from_mont(unsigned long res[4], const unsigned long in[4]) ecp_nistz256_mul_mont(res, in, one); } -#endif +# endif +#endif /* FIPS_MODE */ static sigjmp_buf ill_jmp; static void ill_handler(int sig) diff --git a/crypto/sparcv9cap.c b/crypto/sparcv9cap.c index ec825662e5..e48ebf7e6d 100644 --- a/crypto/sparcv9cap.c +++ b/crypto/sparcv9cap.c @@ -24,6 +24,11 @@ __attribute__ ((visibility("hidden"))) #endif unsigned int OPENSSL_sparcv9cap_P[2] = { SPARCV9_TICK_PRIVILEGED, 0 }; +/* + * TODO(3.0): Temporarily disabled some assembler that hasn't been brought into + * the FIPS module yet. + */ +#ifndef FIPS_MODE int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) { @@ -86,6 +91,7 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, } return bn_mul_mont_int(rp, ap, bp, np, n0, num); } +#endif /* FIPS_MODE */ unsigned long _sparcv9_rdtick(void); void _sparcv9_vis1_probe(void); diff --git a/providers/common/ciphers/build.info b/providers/common/ciphers/build.info index b8c3172032..fd49ccb994 100644 --- a/providers/common/ciphers/build.info +++ b/providers/common/ciphers/build.info @@ -5,3 +5,4 @@ INCLUDE[../../../libcrypto]=. ../../../crypto SOURCE[../../fips]=\ block.c aes.c aes_basic.c +INCLUDE[../../fips]=. ../../../crypto -- 2.40.0