authorMathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>2016-09-21 20:29:42 -0400
committerMathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>2016-09-21 20:29:42 -0400
commit62f0afa2ecead02b1258dabab8097ca278a22f8f (patch)
tree56132d617fff7c4f05e67024ec872d88fcafa92d /Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
parentd3819813b8e0a64400ddf3ce033bae7c3f245508 (diff)
downloadefi-boot-shim-62f0afa2ecead02b1258dabab8097ca278a22f8f.tar.gz
efi-boot-shim-62f0afa2ecead02b1258dabab8097ca278a22f8f.zip
Import upstream version 0.9+1474479173.6c180c6
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c')
-rw-r--r--Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
index b1c586e6..46c9d033 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -60,6 +60,7 @@
# include <openssl/sha.h>
# include <openssl/rand.h>
# include "modes_lcl.h"
+# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@@ -498,7 +499,18 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
iv = AES_BLOCK_SIZE;
# if defined(STITCHED_CALL)
+ /*
+ * Assembly stitch handles AVX-capable processors, but its
+ * performance is not optimal on AMD Jaguar, ~40% worse, for
+ * unknown reasons. Incidentally processor in question supports
+ * AVX, but not AMD-specific XOP extension, which can be used
+ * to identify it and avoid stitch invocation. So that after we
+ * establish that current CPU supports AVX, we even see if it's
+ * either even XOP-capable Bulldozer-based or GenuineIntel one.
+ */
if (OPENSSL_ia32cap_P[1] & (1 << (60 - 32)) && /* AVX? */
+ ((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) /* XOP? */
+ | (OPENSSL_ia32cap_P[0] & (1<<30))) && /* "Intel CPU"? */
plen > (sha_off + iv) &&
(blocks = (plen - (sha_off + iv)) / SHA256_CBLOCK)) {
SHA256_Update(&key->md, in + iv, sha_off);
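Review bot: The extended condition on the `if` that gates the stitched path leaves the AVX test as an unparenthesised `&` next to `&&` and joins the XOP and "Intel CPU" tests with bitwise `|`. That is correct by precedence, but it is easy to misread on a line that decides which code path processes the record. I would parenthesise each capability test and use a logical or: `if ((OPENSSL_ia32cap_P[1] & (1 << (60 - 32))) &&` followed by `((OPENSSL_ia32cap_P[1] & (1 << (43 - 32))) || (OPENSSL_ia32cap_P[0] & (1 << 30))) &&`. The last sentence of the added comment could also be tightened to say plainly that the stitch runs only when AVX is present and the CPU is either XOP-capable or Intel. The enclosing function starts and ends outside this hunk.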
@@ -578,6 +590,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255;
+ ret &= constant_time_ge(maxpad, pad);
+
inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask;
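Review bot: The added `ret &= constant_time_ge(maxpad, pad);` has no comment saying why an out-of-range `pad` is folded into `ret` instead of being rejected with an early return, which is the security-relevant property of this line. I would put a comment directly above it, for example `/* pad > maxpad is invalid: record it in ret without branching, so the remaining processing is the same for good and bad padding */`. The line relies on `ret` holding 0 or 1 and on `constant_time_ge()` returning an all-ones or all-zero mask; both are defined outside this hunk and should be confirmed. A regression test that feeds a record whose padding byte exceeds `maxpad` and expects a failure would pin the behaviour.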
@@ -816,8 +830,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return -1;
- len = p[arg - 2] << 8 | p[arg - 1];
-
if (ctx->encrypt) {
key->payload_length = len;
if ((key->aux.tls_ver =
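Review bot: After this hunk, nothing between the `arg != EVP_AEAD_TLS1_AAD_LEN` check and `key->payload_length = len;` assigns `len`, so its value must come from code outside the hunk. If `len` is now initialised at its declaration from `p[arg - 2]` and `p[arg - 1]`, those reads happen before `arg` is validated, and a caller passing a short or non-positive `arg` would cause an out-of-bounds read of the AAD buffer. The safer ordering is to declare `unsigned int len;` uninitialised and keep `len = p[arg - 2] << 8 | p[arg - 1];` after the length check. The declaration is not visible here, so this needs confirming against the full function.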