

[src-draft/trunk]: src/sys/crypto/aes aes(9): Fix edge case in bitsliced SSE2...



details:   https://anonhg.NetBSD.org/src-all/rev/52fcc6acd34b
branches:  trunk
changeset: 938476:52fcc6acd34b
user:      Taylor R Campbell <riastradh%NetBSD.org@localhost>
date:      Tue Sep 08 22:43:21 2020 +0000

description:
aes(9): Fix edge case in bitsliced SSE2 AES-CBC decryption.

Make sure self-tests exercise this edge case.

Discovered by confusion about jak's adaptation of aes_armv8_64.S for
big-endian.

diffstat:

 sys/crypto/aes/aes_selftest.c           |  35 ++++++++++++++++++--------------
 sys/crypto/aes/arch/x86/aes_sse2_subr.c |   8 ++++--
 2 files changed, 25 insertions(+), 18 deletions(-)

diffs (73 lines):

diff -r e175843c9a43 -r 52fcc6acd34b sys/crypto/aes/aes_selftest.c
--- a/sys/crypto/aes/aes_selftest.c     Tue Sep 08 17:39:04 2020 +0000
+++ b/sys/crypto/aes/aes_selftest.c     Tue Sep 08 22:43:21 2020 +0000
@@ -210,7 +210,7 @@
        uint8_t in[144];
        uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1;
        uint8_t iv0[16], iv[16];
-       unsigned i;
+       unsigned i, j;
 
        for (i = 0; i < 32; i++)
                key[i] = i;
@@ -237,21 +237,26 @@
                            "AES-%u-CBC dec", aes_keybits[i]);
 
                /* Try incrementally, with IV update.  */
-               memcpy(iv, iv0, 16);
-               impl->ai_cbc_enc(&enc, in, out, 16, iv, aes_nrounds[i]);
-               impl->ai_cbc_enc(&enc, in + 16, out + 16, 128, iv,
-                   aes_nrounds[i]);
-               if (memcmp(out, expected[i], 144))
-                       return aes_selftest_fail(impl, out, expected[i], 144,
-                           "AES-%u-CBC enc incremental", aes_keybits[i]);
+               for (j = 0; j < 144; j += 16) {
+                       memcpy(iv, iv0, 16);
+                       impl->ai_cbc_enc(&enc, in, out, j, iv, aes_nrounds[i]);
+                       impl->ai_cbc_enc(&enc, in + j, out + j, 144 - j, iv,
+                           aes_nrounds[i]);
+                       if (memcmp(out, expected[i], 144))
+                               return aes_selftest_fail(impl, out,
+                                   expected[i], 144, "AES-%u-CBC enc inc %u",
+                                   aes_keybits[i], j);
 
-               memcpy(iv, iv0, 16);
-               impl->ai_cbc_dec(&dec, out, out, 128, iv, aes_nrounds[i]);
-               impl->ai_cbc_dec(&dec, out + 128, out + 128, 16, iv,
-                   aes_nrounds[i]);
-               if (memcmp(out, in, 144))
-                       return aes_selftest_fail(impl, out, in, 144,
-                           "AES-%u-CBC dec incremental", aes_keybits[i]);
+                       memcpy(iv, iv0, 16);
+                       impl->ai_cbc_dec(&dec, out, out, j, iv,
+                           aes_nrounds[i]);
+                       impl->ai_cbc_dec(&dec, out + j, out + j, 144 - j, iv,
+                           aes_nrounds[i]);
+                       if (memcmp(out, in, 144))
+                               return aes_selftest_fail(impl, out,
+                                   in, 144, "AES-%u-CBC dec inc %u",
+                                   aes_keybits[i], j);
+               }
        }
 
        if (outbuf[0] != 0x1a)
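Review bot: The first iteration of the new loop (j == 0) passes a zero-length first segment to ai_cbc_enc and ai_cbc_dec, and nothing in the hunk says whether that is an intentional check of the nbytes == 0 path or a call outside the aes(9) contract; a one-line comment would settle it, e.g. `/* j == 0 also checks that a zero-length call leaves iv and out untouched.  */`, or the loop should start at 16 if zero-length calls are not supported. If they are supported, the mirror split (a full 144-byte call followed by an empty one) is not covered because the loop stops at `j < 144`; `j <= 144` would exercise both ends. The split that matters for the SSE2 fix (a 32-byte trailing segment, j == 112) is covered. The enclosing function starts and ends outside this hunk.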
diff -r e175843c9a43 -r 52fcc6acd34b sys/crypto/aes/arch/x86/aes_sse2_subr.c
--- a/sys/crypto/aes/arch/x86/aes_sse2_subr.c   Tue Sep 08 17:39:04 2020 +0000
+++ b/sys/crypto/aes/arch/x86/aes_sse2_subr.c   Tue Sep 08 22:43:21 2020 +0000
@@ -200,11 +200,13 @@
                case 48:
                        w = _mm_loadu_epi8(in + nbytes - 32);
                        q[1] = aes_sse2_interleave_in(w);
-                       /*FALLTHROUGH*/
-               case 32:
                        w = _mm_loadu_epi8(in + nbytes - 48);
                        q[0] = aes_sse2_interleave_in(w);
-                       /*FALLTHROUGH*/
+                       break;
+               case 32:
+                       w = _mm_loadu_epi8(in + nbytes - 32);
+                       q[0] = aes_sse2_interleave_in(w);
+                       break;
                case 16:
                        break;
                }
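Review bot: The new `case 32:` now loads from `in + nbytes - 32`, whereas the removed fallthrough made it load `in + nbytes - 48`, i.e. 16 bytes before the start of a 32-byte input (an out-of-bounds read on the caller's buffer as well as wrong plaintext); the fixed code carries no comment explaining why the cases must compute their own offsets, so a later cleanup could re-merge them. Suggest a comment on `case 48:` such as `/* Offsets are from the end of the input, so each case loads its own blocks; q[0] is the earliest remaining block, q[1] the one after it.  */` — presumably the final 16-byte block is handled outside this hunk, which should be confirmed before wording it. The switch's default and the enclosing function are outside the hunk, so the handling of other nbytes values cannot be checked here.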


