diff --git a/BUILDING.md b/BUILDING.md index a8988a3fd2..d72331fbdb 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -240,6 +240,8 @@ See "Snapshot Safety Prerequisites" here: https://lkml.org/lkml/2021/3/8/677 # Data Independent Timing on AArch64 +The functions described in this section are still experimental. + The Data Independent Timing (DIT) flag on Arm64 processors, when enabled, ensures the following as per [Arm A-profile Architecture Registers @@ -254,20 +256,39 @@ It is also expected to disable the Data Memory-dependent Prefetcher (DMP) feature of Apple M-series CPUs starting at M3 as per [this article](https://appleinsider.com/articles/24/03/21/apple-silicon-vulnerability-leaks-encryption-keys-and-cant-be-patched-easily). -Building with the option `-DENABLE_DATA_INDEPENDENT_TIMING_AARCH64=ON` -will enable the macro `SET_DIT_AUTO_DISABLE`. This macro is present at -the entry of functions that process/load/store secret data to enable -the DIT flag and then set it to its original value on entry. With -this build option, there is an effect on performance that varies by +Building with the option `-DENABLE_DATA_INDEPENDENT_TIMING=ON` +will enable the macro `SET_DIT_AUTO_RESET`. This macro is present at +the entry of functions that process/load/store secret data to set the +DIT flag and then restore it to its original value on entry. With this +build option, there is an effect on performance that varies by function and by processor architecture. The effect is mostly due to -enabling and disabling the DIT flag. If it remains enabled over many -calls, the effect can be largely mitigated. Hence, the macro can be -inserted in the caller's application at the beginning of the code -scope that makes repeated calls to AWS-LC cryptographic -functions. Alternatively, the functions `armv8_enable_dit` and -`armv8_restore_dit` can be placed at the beginning and the end of -the code section, respectively. -An example of that usage is present in the benchmarking function -`Speed()` in `tool/speed.cc` when the `-dit` option is used - - ./tool/bssl speed -dit \ No newline at end of file +setting and resetting the DIT flag. If it remains set over many calls, +the effect can be largely mitigated. + +The macro and the functions invoked by it are internally declared, +being experimental. In the following, we tested the effect of +inserting the macro in the caller's application at the beginning of +the code scope that makes repeated calls to AWS-LC cryptographic +functions. The functions that are invoked in the macro, +`armv8_set_dit` and `armv8_restore_dit`, are placed at the beginning +and the end, respectively, of the benchmarking function `Speed()` in +`tool/speed.cc` when the `-dit` option is used. + + ./tool/bssl speed -dit + +This resulted in benchmarks that are close to the release build +without the `-DENABLE_DATA_INDEPENDENT_TIMING=ON` flag when tested on +Apple M2. + +The DIT capability, which is checked in `OPENSSL_cpuid_setup` can be +masked out at runtime by calling `armv8_disable_dit`. This would +result in having the functions `armv8_set_dit` and `armv8_restore_dit` +being of no effect. It can be made available again at runtime by calling +`armv8_enable_dit`. + +**Important**: This runtime control is provided to users that would use +the build flag `ENABLE_DATA_INDEPENDENT_TIMING`, but would +then disable DIT capability at runtime. This is ideally done in +an initialization routine of AWS-LC before any threads are spawn. +Otherwise, there may be data races created because these functions write +to the global variable `OPENSSL_armcap_P`. diff --git a/CMakeLists.txt b/CMakeLists.txt index 1a6ff8ef6e..a35fd05c2f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -31,7 +31,8 @@ option(ENABLE_DILITHIUM "Enable Dilithium signatures in the EVP API" OFF) option(DISABLE_PERL "Disable Perl for AWS-LC" OFF) option(DISABLE_GO "Disable Go for AWS-LC" OFF) option(ENABLE_FIPS_ENTROPY_CPU_JITTER "Enable FIPS entropy source: CPU Jitter" OFF) -option(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64 "Enable Data-Independent Timing (DIT) flag on Arm64" OFF) +option(ENABLE_DATA_INDEPENDENT_TIMING "Enable automatic setting/resetting Data-Independent Timing +(DIT) flag in cryptographic functions. Currently only applicable to Arm64 (except on Windows)" OFF) include(cmake/go.cmake) enable_language(C) @@ -867,8 +868,8 @@ if(ARCH STREQUAL "x86" AND NOT OPENSSL_NO_SSE2_FOR_TESTING) endif() endif() -if(ENABLE_DATA_INDEPENDENT_TIMING_AARCH64) - add_definitions(-DMAKE_DIT_AVAILABLE) +if(ENABLE_DATA_INDEPENDENT_TIMING) + add_definitions(-DENABLE_AUTO_SET_RESET_DIT) endif() if(USE_CUSTOM_LIBCXX) diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 0115800367..217c48c381 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -805,6 +805,7 @@ if(BUILD_TESTING) fipsmodule/sha/sha_test.cc fipsmodule/sha/sha3_test.cc fipsmodule/cpucap/cpu_arm_linux_test.cc + fipsmodule/cpucap/cpu_aarch64_dit_test.cc fipsmodule/hkdf/hkdf_test.cc fipsmodule/sshkdf/sshkdf_test.cc hpke/hpke_test.cc diff --git a/crypto/evp_extra/p_dh_asn1.c b/crypto/evp_extra/p_dh_asn1.c index b7177ff3ca..db5196f3e8 100644 --- a/crypto/evp_extra/p_dh_asn1.c +++ b/crypto/evp_extra/p_dh_asn1.c @@ -15,6 +15,7 @@ #include "internal.h" #include "../internal.h" +#include "../fipsmodule/cpucap/internal.h" static void dh_free(EVP_PKEY *pkey) { @@ -89,7 +90,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { }; int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) { - SET_DIT_AUTO_DISABLE + SET_DIT_AUTO_RESET if (EVP_PKEY_assign_DH(pkey, key)) { DH_up_ref(key); return 1; @@ -98,14 +99,14 @@ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) { } int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key) { - SET_DIT_AUTO_DISABLE + SET_DIT_AUTO_RESET evp_pkey_set_method(pkey, &dh_asn1_meth); pkey->pkey.dh = key; return key != NULL; } DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE + SET_DIT_AUTO_RESET if (pkey->type != EVP_PKEY_DH) { OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DH_KEY); return NULL; @@ -114,7 +115,7 @@ DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) { } DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE + SET_DIT_AUTO_RESET DH *dh = EVP_PKEY_get0_DH(pkey); if (dh != NULL) { DH_up_ref(dh); diff --git a/crypto/fipsmodule/aes/aes.c b/crypto/fipsmodule/aes/aes.c index 40edc2982f..d78fd094ce 100644 --- a/crypto/fipsmodule/aes/aes.c +++ b/crypto/fipsmodule/aes/aes.c @@ -60,7 +60,7 @@ // code, above, is incompatible with the |aes_hw_*| functions. void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (hwaes_capable()) { aes_hw_encrypt(in, out, key); } else if (vpaes_capable()) { @@ -71,7 +71,7 @@ void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { } void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (hwaes_capable()) { aes_hw_decrypt(in, out, key); } else if (vpaes_capable()) { @@ -82,7 +82,7 @@ void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { } int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (bits != 128 && bits != 192 && bits != 256) { return -2; } @@ -96,7 +96,7 @@ int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { } int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (bits != 128 && bits != 192 && bits != 256) { return -2; } diff --git a/crypto/fipsmodule/cipher/aead.c b/crypto/fipsmodule/cipher/aead.c index a5e47f98c6..8ae39706a1 100644 --- a/crypto/fipsmodule/cipher/aead.c +++ b/crypto/fipsmodule/cipher/aead.c @@ -79,7 +79,7 @@ int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, enum evp_aead_direction_t dir) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (key_len != aead->key_len) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE); ctx->aead = NULL; @@ -125,7 +125,7 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (in_len + ctx->aead->overhead < in_len /* overflow */) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); goto error; @@ -164,7 +164,7 @@ int EVP_AEAD_CTX_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len) { - SET_DIT_AUTO_DISABLE; //check that it was preserved + SET_DIT_AUTO_RESET; //check that it was preserved // |in| and |out| may alias exactly, |out_tag| may not alias. if (!check_alias(in, in_len, out, in_len) || buffers_alias(out, in_len, out_tag, max_out_tag_len) || @@ -197,7 +197,7 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!check_alias(in, in_len, out, max_out_len)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; @@ -245,7 +245,7 @@ int EVP_AEAD_CTX_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len, const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, size_t ad_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!check_alias(in, in_len, out, in_len)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT); goto error; diff --git a/crypto/fipsmodule/cipher/cipher.c b/crypto/fipsmodule/cipher/cipher.c index 7a71fb2fc0..d3a13921de 100644 --- a/crypto/fipsmodule/cipher/cipher.c +++ b/crypto/fipsmodule/cipher/cipher.c @@ -104,7 +104,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { } int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (in == NULL || in->cipher == NULL) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); return 0; @@ -146,7 +146,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) { int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine, const uint8_t *key, const uint8_t *iv, int enc) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; GUARD_PTR(ctx); if (enc == -1) { enc = ctx->encrypt; @@ -264,7 +264,7 @@ static int block_remainder(const EVP_CIPHER_CTX *ctx, int len) { int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, int in_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; GUARD_PTR(ctx); if (ctx->poisoned) { OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -357,7 +357,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, } int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int n; unsigned int i, b, bl; GUARD_PTR(ctx); @@ -412,7 +412,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, int in_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; GUARD_PTR(ctx); if (ctx->poisoned) { OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -479,7 +479,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, } int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int i, n; unsigned int b; *out_len = 0; @@ -552,7 +552,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; GUARD_PTR(ctx); GUARD_PTR(ctx->cipher); const int ret = ctx->cipher->cipher(ctx, out, in, in_len); diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64.c b/crypto/fipsmodule/cpucap/cpu_aarch64.c index 8f6c06a17e..f6dfc91ebc 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64.c @@ -49,16 +49,21 @@ void handle_cpu_env(uint32_t *out, const char *in) { } } -#if defined(MAKE_DIT_AVAILABLE) && !defined(OPENSSL_WINDOWS) +#if defined(AARCH64_DIT_SUPPORTED) // "DIT" is not recognised as a register name by clang-10 (at least) // Register's encoded name is from e.g. // https://github.com/ashwio/arm64-sysreg-lib/blob/d421e249a026f6f14653cb6f9c4edd8c5d898595/include/sysreg/dit.h#L286 #define DIT_REGISTER s3_3_c4_c2_5 +DEFINE_STATIC_MUTEX(OPENSSL_armcap_P_lock) -static uint64_t armv8_get_dit(void) { - uint64_t val = 0; - __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r" (val)); - return (val >> 24) & 1; +uint64_t armv8_get_dit(void) { + if (CRYPTO_is_ARMv8_DIT_capable()) { + uint64_t val = 0; + __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r" (val)); + return (val >> 24) & 1; + } else { + return 0; + } } // See https://github.com/torvalds/linux/blob/53eaeb7fbe2702520125ae7d72742362c071a1f2/arch/arm64/include/asm/sysreg.h#L82 @@ -70,7 +75,7 @@ static uint64_t armv8_get_dit(void) { // Op1 (3 for DIT) , Op2 (5 for DIT) encodes the PSTATE field modified and defines the constraints. // CRm = Imm4 (#0 or #1 below) // Rt = 0x1f -uint64_t armv8_enable_dit(void) { +uint64_t armv8_set_dit(void) { if (CRYPTO_is_ARMv8_DIT_capable()) { uint64_t original_dit = armv8_get_dit(); // Encoding of "msr dit, #1" @@ -82,11 +87,28 @@ uint64_t armv8_enable_dit(void) { } void armv8_restore_dit(volatile uint64_t *original_dit) { - if (CRYPTO_is_ARMv8_DIT_capable() && *original_dit != 1) { + if (*original_dit != 1 && CRYPTO_is_ARMv8_DIT_capable()) { // Encoding of "msr dit, #0" __asm__ volatile(".long 0xd503405f"); } } -#endif // MAKE_DIT_AVAILABLE && !OPENSSL_WINDOWS + +void armv8_disable_dit(void) { + CRYPTO_STATIC_MUTEX_lock_write(OPENSSL_armcap_P_lock_bss_get()); + OPENSSL_armcap_P &= ~ARMV8_DIT_ALLOWED; + CRYPTO_STATIC_MUTEX_unlock_write(OPENSSL_armcap_P_lock_bss_get()); +} + +void armv8_enable_dit(void) { + CRYPTO_STATIC_MUTEX_lock_write(OPENSSL_armcap_P_lock_bss_get()); + OPENSSL_armcap_P |= ARMV8_DIT_ALLOWED; + CRYPTO_STATIC_MUTEX_unlock_write(OPENSSL_armcap_P_lock_bss_get()); +} + +int CRYPTO_is_ARMv8_DIT_capable_for_testing(void) { + return CRYPTO_is_ARMv8_DIT_capable(); +} + +#endif // AARCH64_DIT_SUPPORTED #endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_apple.c b/crypto/fipsmodule/cpucap/cpu_aarch64_apple.c index ddf26b8427..c8966d0ef7 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64_apple.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_apple.c @@ -99,11 +99,9 @@ void OPENSSL_cpuid_setup(void) { OPENSSL_armcap_P |= ARMV8_APPLE_M1; } -#if defined(MAKE_DIT_AVAILABLE) if (has_hw_feature("hw.optional.arm.FEAT_DIT")) { - OPENSSL_armcap_P |= ARMV8_DIT; + OPENSSL_armcap_P |= (ARMV8_DIT | ARMV8_DIT_ALLOWED); } -#endif // MAKE_DIT_AVAILABLE // OPENSSL_armcap is a 32-bit, unsigned value which may start with "0x" to // indicate a hex value. Prior to the 32-bit value, a '~' or '|' may be given. diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc b/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc new file mode 100644 index 0000000000..bbc184e716 --- /dev/null +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_dit_test.cc @@ -0,0 +1,176 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +#include +#include + +#include "internal.h" + +#if defined(OPENSSL_THREADS) +#include +#include +#endif + +#if defined(AARCH64_DIT_SUPPORTED) && !defined(OPENSSL_STATIC_ARMCAP) + +#if defined(ENABLE_AUTO_SET_RESET_DIT) +static void NestedMacroInvocation(uint64_t one) { + SET_DIT_AUTO_RESET; + uint64_t current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); +} +#endif // ENABLE_AUTO_SET_RESET_DIT + +TEST(DITTest, SetReset) { + uint64_t one = CRYPTO_is_ARMv8_DIT_capable_for_testing()? (uint64_t)1 : (uint64_t)0; + + uint64_t original_dit = 0, original_dit_2 = 0, + current_dit = 0; + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + // the case of a nested call of setting DIT + original_dit_2 = armv8_set_dit(); + EXPECT_EQ(original_dit_2, one); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + +#if defined(ENABLE_AUTO_SET_RESET_DIT) + { // invoke the macro within a scope + // to test that it restores the CPU DIT flag at the end + SET_DIT_AUTO_RESET; + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + // Nested macro invocation will exit the scope leaving DIT = 1 + NestedMacroInvocation(one); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + } + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); +#endif // ENABLE_AUTO_SET_RESET_DIT +} + +#if defined(OPENSSL_THREADS) + +TEST(DITTest, Threads) { + uint64_t one = CRYPTO_is_ARMv8_DIT_capable_for_testing()? (uint64_t)1 : (uint64_t)0; + + { + // Test that the CPU DIT flag (bit in PSTATE register) is + // context-switched at the thread level. + std::thread thread1([&] { + uint64_t original_dit = 0, current_dit = 0; + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + // Sleep until thread2 starts, sets and resets DIT + std::this_thread::sleep_for(std::chrono::milliseconds(40)); + + // This thread should still see DIT=1 + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + }); + + std::thread thread2([&] { + uint64_t original_dit = 0, current_dit = 0; + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + }); + + thread2.join(); + thread1.join(); + } + + { + // Test that the DIT runtime dis/enabler in OPENSSL_armcap_P is + // at the process level. + // (Trying to make the threads concurrent and synchronising them + // with sleep time was making the Thread Sanitizer warn about a + // a data race.) + + std::thread thread1([&] { + uint64_t original_dit = 0, current_dit = 0; + + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + + armv8_disable_dit(); // disable DIT capability at run-time + }); + + thread1.join(); + + std::thread thread2([&] { + uint64_t original_dit = 0, current_dit = 0; + + // DIT was disabled at runtime, so the DIT bit would be read as 0 + EXPECT_EQ(CRYPTO_is_ARMv8_DIT_capable_for_testing(), 0); + + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + + }); + + thread2.join(); + + std::thread thread3([&] { + armv8_enable_dit(); // enable back DIT capability at run-time + }); + + thread3.join(); + + std::thread thread4([&] { + uint64_t original_dit = 0, current_dit = 0; + + EXPECT_EQ(CRYPTO_is_ARMv8_DIT_capable_for_testing(), (int)one); + original_dit = armv8_set_dit(); + EXPECT_EQ(original_dit, (uint64_t)0); + + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, one); + + armv8_restore_dit(&original_dit); + current_dit = armv8_get_dit(); + EXPECT_EQ(current_dit, (uint64_t)0); + }); + + thread4.join(); + + } +} +#endif // OPENSSL_THREADS + +#endif // AARCH64_DIT_SUPPORTED && !OPENSSL_STATIC_ARMCAP diff --git a/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c b/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c index 8d3f803505..c681a2e0a0 100644 --- a/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c +++ b/crypto/fipsmodule/cpucap/cpu_aarch64_linux.c @@ -91,13 +91,11 @@ void OPENSSL_cpuid_setup(void) { } } -#if defined(MAKE_DIT_AVAILABLE) static const unsigned long kDIT = 1 << 24; - // Before enabling/disabling the DIT flag, check it's available in HWCAP + // Before setting/resetting the DIT flag, check it's available in HWCAP if (hwcap & kDIT) { - OPENSSL_armcap_P |= ARMV8_DIT; + OPENSSL_armcap_P |= (ARMV8_DIT | ARMV8_DIT_ALLOWED); } -#endif // MAKE_DIT_AVAILABLE // OPENSSL_armcap is a 32-bit, unsigned value which may start with "0x" to // indicate a hex value. Prior to the 32-bit value, a '~' or '|' may be given. diff --git a/crypto/fipsmodule/cpucap/internal.h b/crypto/fipsmodule/cpucap/internal.h index fd4690e3c9..28bae433ea 100644 --- a/crypto/fipsmodule/cpucap/internal.h +++ b/crypto/fipsmodule/cpucap/internal.h @@ -251,11 +251,51 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_wide_multiplier_capable(void) { } OPENSSL_INLINE int CRYPTO_is_ARMv8_DIT_capable(void) { - return (OPENSSL_armcap_P & ARMV8_DIT) != 0; + return (OPENSSL_armcap_P & (ARMV8_DIT | ARMV8_DIT_ALLOWED)) == + (ARMV8_DIT | ARMV8_DIT_ALLOWED); } +// This function is used only for testing; hence, not inlined +OPENSSL_EXPORT int CRYPTO_is_ARMv8_DIT_capable_for_testing(void); + #endif // OPENSSL_ARM || OPENSSL_AARCH64 +#if defined(AARCH64_DIT_SUPPORTED) +// (TODO): See if we can detect the DIT capability in Windows environment + +// armv8_get_dit gets the value of the DIT flag from the CPU. +OPENSSL_EXPORT uint64_t armv8_get_dit(void); + +// armv8_set_dit sets the CPU DIT flag to 1 and returns its original value +// before it was called. +OPENSSL_EXPORT uint64_t armv8_set_dit(void); + +// armv8_restore_dit takes as input a value to restore the CPU DIT flag to. +OPENSSL_EXPORT void armv8_restore_dit(volatile uint64_t *original_dit); + +#if defined(ENABLE_AUTO_SET_RESET_DIT) +// SET_DIT_AUTO_RESET can be inserted in the caller's application at +// the beginning of the code section that makes repeated calls to AWS-LC +// functions. The flag will be automatically restored to its original value +// at the end of the scope. +// This can minimise the effect on performance of repeatedly setting and +// disabling DIT. +// Instead of the macro, the functions above can be used. +// An example of their usage is present in the benchmarking function +// `Speed()` in `tool/speed.cc` when the option `-dit` is passed in. +#define SET_DIT_AUTO_RESET \ + volatile uint64_t _dit_restore_orig \ + __attribute__((cleanup(armv8_restore_dit))) \ + OPENSSL_UNUSED = armv8_set_dit(); + +#else +#define SET_DIT_AUTO_RESET +#endif // ENABLE_AUTO_SET_RESET_DIT + +#else +#define SET_DIT_AUTO_RESET +#endif // AARCH64_DIT_SUPPORTED + #if defined(OPENSSL_PPC64LE) // CRYPTO_is_PPC64LE_vcrypto_capable returns true iff the current CPU supports diff --git a/crypto/fipsmodule/curve25519/curve25519.c b/crypto/fipsmodule/curve25519/curve25519.c index 84b42661f2..9a9e8fe774 100644 --- a/crypto/fipsmodule/curve25519/curve25519.c +++ b/crypto/fipsmodule/curve25519/curve25519.c @@ -106,7 +106,7 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN], uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) { boringssl_ensure_eddsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // Ed25519 key generation: rfc8032 5.1.5 // Private key is 32 octets of random data. @@ -143,7 +143,7 @@ int ED25519_sign_no_self_test(uint8_t out_sig[ED25519_SIGNATURE_LEN], // seed = private_key[0:31] // A = private_key[32:61] (per 5.1.5.4) // Compute az = SHA512(seed). - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; uint8_t az[SHA512_DIGEST_LENGTH]; SHA512(private_key, ED25519_PRIVATE_KEY_SEED_LEN, az); // s = az[0:31] @@ -253,7 +253,7 @@ int ED25519_check_public_key(const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]) { void X25519_public_from_private( uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], const uint8_t private_key[X25519_PRIVATE_KEY_LEN]) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) x25519_public_from_private_s2n_bignum(out_public_value, private_key); @@ -266,7 +266,7 @@ void X25519_public_from_private( void X25519_keypair(uint8_t out_public_value[X25519_PUBLIC_VALUE_LEN], uint8_t out_private_key[X25519_PRIVATE_KEY_LEN]) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RAND_bytes(out_private_key, X25519_PRIVATE_KEY_LEN); @@ -294,7 +294,7 @@ int X25519(uint8_t out_shared_key[X25519_SHARED_KEY_LEN], const uint8_t private_key[X25519_PRIVATE_KEY_LEN], const uint8_t peer_public_value[X25519_PUBLIC_VALUE_LEN]) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; static const uint8_t kZeros[X25519_SHARED_KEY_LEN] = {0}; #if defined(CURVE25519_S2N_BIGNUM_CAPABLE) diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index e0da26c736..3d0f4543e8 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c @@ -97,7 +97,7 @@ DH *DH_new_by_nid(int nid) { } void DH_free(DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (dh == NULL) { return; } @@ -118,38 +118,38 @@ void DH_free(DH *dh) { } unsigned DH_bits(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return BN_num_bits(dh->p); } const BIGNUM *DH_get0_pub_key(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh->pub_key;; } const BIGNUM *DH_get0_priv_key(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh->priv_key; } const BIGNUM *DH_get0_p(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh->p; } const BIGNUM *DH_get0_q(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh->q; } const BIGNUM *DH_get0_g(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh->g; } void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key, const BIGNUM **out_priv_key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (out_pub_key != NULL) { *out_pub_key = dh->pub_key; } @@ -159,13 +159,13 @@ void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key, } void DH_clear_flags(DH *dh, int flags) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; (void) dh; (void) flags; } int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pub_key != NULL) { BN_free(dh->pub_key); dh->pub_key = pub_key; @@ -181,7 +181,7 @@ int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q, const BIGNUM **out_g) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (out_p != NULL) { *out_p = dh->p; } @@ -194,7 +194,7 @@ void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q, } int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) { return 0; @@ -222,13 +222,13 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { } int DH_set_length(DH *dh, unsigned priv_length) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; dh->priv_length = priv_length; return 1; } int DH_generate_key(DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; boringssl_ensure_ffdh_self_test(); if (!dh_check_params_fast(dh)) { @@ -412,14 +412,14 @@ int dh_compute_key_padded_no_self_test(unsigned char *out, int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) { boringssl_ensure_ffdh_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return dh_compute_key_padded_no_self_test(out, peers_key, dh); } int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { boringssl_ensure_ffdh_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { @@ -442,7 +442,7 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, const BIGNUM *peers_key, const EVP_MD *digest) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; *out_len = SIZE_MAX; @@ -482,17 +482,17 @@ int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, } int DH_size(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return BN_num_bytes(dh->p); } unsigned DH_num_bits(const DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return BN_num_bits(dh->p); } int DH_up_ref(DH *dh) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; CRYPTO_refcount_inc(&dh->references); return 1; } diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c index 4976dd8230..3d92bcae39 100644 --- a/crypto/fipsmodule/ec/ec.c +++ b/crypto/fipsmodule/ec/ec.c @@ -846,7 +846,7 @@ int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { boringssl_ensure_ecc_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx); } @@ -882,7 +882,7 @@ int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, const EC_SCALAR *scalar) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (p == NULL || scalar == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); return 0; @@ -902,7 +902,7 @@ int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (scalar == NULL) { OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); return 0; diff --git a/crypto/fipsmodule/evp/digestsign.c b/crypto/fipsmodule/evp/digestsign.c index 39914db92a..914db61789 100644 --- a/crypto/fipsmodule/evp/digestsign.c +++ b/crypto/fipsmodule/evp/digestsign.c @@ -157,18 +157,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return do_sigver_init(ctx, pctx, type, e, pkey, evp_sign); } int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return do_sigver_init(ctx, pctx, type, e, pkey, evp_verify); } int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!uses_prehash(ctx, evp_sign) && !used_for_hmac(ctx)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -178,7 +178,7 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { } int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!uses_prehash(ctx, evp_verify) || used_for_hmac(ctx)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -189,7 +189,7 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!uses_prehash(ctx, evp_sign) && !used_for_hmac(ctx)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -235,7 +235,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig, } int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!uses_prehash(ctx, evp_verify) || used_for_hmac(ctx)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -267,7 +267,7 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len, // We have to avoid the underlying |EVP_DigestSignFinal| services updating // the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int ret = 0; if (uses_prehash(ctx, evp_sign) || used_for_hmac(ctx)) { @@ -305,7 +305,7 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, // We have to avoid the underlying |EVP_DigestSignFinal| services updating // the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int ret = 0; if (uses_prehash(ctx, evp_verify) && !used_for_hmac(ctx)) { @@ -332,7 +332,7 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, } void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // |pctx| could be null, so we have to deal with the cleanup job here. if (!(ctx->flags & EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) { EVP_PKEY_CTX_free(ctx->pctx); diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index 998d05cd4f..7bfc79ea91 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -105,7 +105,7 @@ static void free_it(EVP_PKEY *pkey) { } void EVP_PKEY_free(EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey == NULL) { return; } @@ -119,13 +119,13 @@ void EVP_PKEY_free(EVP_PKEY *pkey) { } int EVP_PKEY_up_ref(EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; CRYPTO_refcount_inc(&pkey->references); return 1; } int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey->ameth && pkey->ameth->pkey_opaque) { return pkey->ameth->pkey_opaque(pkey); } @@ -133,7 +133,7 @@ int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) { } int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (a->type != b->type) { return -1; } @@ -157,7 +157,7 @@ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { } int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (to->type == EVP_PKEY_NONE) { evp_pkey_set_method(to, from->ameth); } else if (to->type != from->type) { @@ -189,7 +189,7 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) { } int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey->ameth && pkey->ameth->param_missing) { return pkey->ameth->param_missing(pkey); } @@ -197,7 +197,7 @@ int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey) { } int EVP_PKEY_size(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey && pkey->ameth && pkey->ameth->pkey_size) { return pkey->ameth->pkey_size(pkey); } @@ -205,7 +205,7 @@ int EVP_PKEY_size(const EVP_PKEY *pkey) { } int EVP_PKEY_bits(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey && pkey->ameth && pkey->ameth->pkey_bits) { return pkey->ameth->pkey_bits(pkey); } @@ -213,7 +213,7 @@ int EVP_PKEY_bits(const EVP_PKEY *pkey) { } int EVP_PKEY_id(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return pkey->type; } @@ -273,7 +273,7 @@ int EVP_PKEY_type(int nid) { EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key, size_t mac_key_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // Only |EVP_PKEY_HMAC| is supported as of now. if (type != EVP_PKEY_HMAC) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -315,7 +315,7 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key, } int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (EVP_PKEY_assign_RSA(pkey, key)) { RSA_up_ref(key); return 1; @@ -324,7 +324,7 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { } int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(EVP_PKEY_RSA); assert(meth != NULL); evp_pkey_set_method(pkey, meth); @@ -333,7 +333,7 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) { } RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) { OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY); return NULL; @@ -342,7 +342,7 @@ RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { } RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *rsa = EVP_PKEY_get0_RSA(pkey); if (rsa != NULL) { RSA_up_ref(rsa); @@ -351,7 +351,7 @@ RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) { } int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (EVP_PKEY_assign_DSA(pkey, key)) { DSA_up_ref(key); return 1; @@ -360,7 +360,7 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { } int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(EVP_PKEY_DSA); assert(meth != NULL); evp_pkey_set_method(pkey, meth); @@ -369,7 +369,7 @@ int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) { } DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey->type != EVP_PKEY_DSA) { OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DSA_KEY); return NULL; @@ -378,7 +378,7 @@ DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) { } DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; DSA *dsa = EVP_PKEY_get0_DSA(pkey); if (dsa != NULL) { DSA_up_ref(dsa); @@ -387,7 +387,7 @@ DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey) { } int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (EVP_PKEY_assign_EC_KEY(pkey, key)) { EC_KEY_up_ref(key); return 1; @@ -396,7 +396,7 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { } int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(EVP_PKEY_EC); assert(meth != NULL); evp_pkey_set_method(pkey, meth); @@ -405,7 +405,7 @@ int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { } EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey->type != EVP_PKEY_EC) { OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_EC_KEY_KEY); return NULL; @@ -414,7 +414,7 @@ EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { } EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); if (ec_key != NULL) { EC_KEY_up_ref(ec_key); @@ -426,7 +426,7 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { // This function can only be used to assign RSA, DSA, EC, and DH keys. Other // key types have internal representations which are not exposed through the // public API. - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; switch (type) { case EVP_PKEY_RSA: return EVP_PKEY_assign_RSA(pkey, key); @@ -446,7 +446,7 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { } int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey && pkey->pkey.ptr) { // This isn't strictly necessary, but historically |EVP_PKEY_set_type| would // clear |pkey| even if |evp_pkey_asn1_find| failed, so we preserve that @@ -470,7 +470,7 @@ int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused, const uint8_t *in, size_t len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; EVP_PKEY *ret = EVP_PKEY_new(); if (ret == NULL || !EVP_PKEY_set_type(ret, type)) { @@ -519,7 +519,7 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused, int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey == NULL || pkey->ameth == NULL || pkey->ameth->get_priv_raw == NULL) { @@ -532,7 +532,7 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out, int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (pkey == NULL || pkey->ameth == NULL || pkey->ameth->get_pub_raw == NULL) { @@ -544,7 +544,7 @@ int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, uint8_t *out, } int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (a->type != b->type) { return -1; } @@ -557,19 +557,19 @@ int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { } int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md); } int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_GET_MD, 0, (void *)out_md); } void *EVP_PKEY_get0(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; GUARD_PTR(pkey); switch (pkey->type) { case EVP_PKEY_RSA: @@ -594,7 +594,7 @@ void OpenSSL_add_all_digests(void) {} void EVP_cleanup(void) {} int EVP_PKEY_base_id(const EVP_PKEY *pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // OpenSSL has two notions of key type because it supports multiple OIDs for // the same algorithm: NID_rsa vs NID_rsaEncryption and five distinct spelling // of DSA. We do not support these, so the base ID is simply the ID. @@ -747,7 +747,7 @@ static int evp_pkey_set1_tls_encodedpoint_x25519(EVP_PKEY *pkey, int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in, size_t len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (NULL == pkey) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); goto err; @@ -861,7 +861,7 @@ static size_t evp_pkey_get1_tls_encodedpoint_x25519(const EVP_PKEY *pkey, } size_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey, uint8_t **out_ptr) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (NULL == pkey) { OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER); goto err; diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index 4fad3a201a..b6f62a801e 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c @@ -144,7 +144,7 @@ static EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) { } EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return evp_pkey_ctx_new(pkey, e, -1); } @@ -153,7 +153,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e) { } void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (ctx == NULL) { return; } @@ -166,7 +166,7 @@ void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) { } EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx->pmeth || !ctx->pmeth->copy) { return NULL; } @@ -201,13 +201,13 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx) { } EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return ctx->pkey; } int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd, int p1, void *p2) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl) { OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); return 0; @@ -231,7 +231,7 @@ int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd, } int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (ctx == NULL || ctx->pmeth == NULL || (ctx->pmeth->sign == NULL && ctx->pmeth->sign_message == NULL)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -248,7 +248,7 @@ int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) { int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len, const uint8_t *digest, size_t digest_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->sign) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -261,7 +261,7 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len, } int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (ctx == NULL || ctx->pmeth == NULL || (ctx->pmeth->verify == NULL && ctx->pmeth->verify_message == NULL)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -277,7 +277,7 @@ int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx) { int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t sig_len, const uint8_t *digest, size_t digest_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->verify) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -300,7 +300,7 @@ int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx) { int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->encrypt) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -313,7 +313,7 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, } int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->decrypt) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -324,7 +324,7 @@ int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx) { int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->decrypt) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -337,7 +337,7 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen, } int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -348,7 +348,7 @@ int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx) { int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, const uint8_t *sig, size_t sig_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -361,7 +361,7 @@ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, } int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->derive) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -371,7 +371,7 @@ int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) { } int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int ret; if (!ctx || !ctx->pmeth || !(ctx->pmeth->derive || ctx->pmeth->encrypt || ctx->pmeth->decrypt) || @@ -432,7 +432,7 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) { } int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *out_key_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->derive) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -445,7 +445,7 @@ int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *out_key_len) { } int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -495,7 +495,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { // We have to avoid potential underlying services updating the indicator state, // so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int ret = 0; if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -534,7 +534,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { } int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -544,7 +544,7 @@ int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx) { } int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; @@ -594,10 +594,11 @@ int EVP_PKEY_encapsulate_deterministic(EVP_PKEY_CTX *ctx, int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, size_t *ciphertext_len, uint8_t *shared_secret, size_t *shared_secret_len) { + SET_DIT_AUTO_RESET; // We have to avoid potential underlying services updating the indicator // state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + int ret = 0; if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->encapsulate == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); @@ -620,10 +621,11 @@ int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *ciphertext, int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *shared_secret, size_t *shared_secret_len, const uint8_t *ciphertext, size_t ciphertext_len) { + SET_DIT_AUTO_RESET; // We have to avoid potential underlying services updating the indicator // state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + int ret = 0; if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->decapsulate == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); diff --git a/crypto/fipsmodule/evp/p_hkdf.c b/crypto/fipsmodule/evp/p_hkdf.c index 7a6314b15c..69a8552e62 100644 --- a/crypto/fipsmodule/evp/p_hkdf.c +++ b/crypto/fipsmodule/evp/p_hkdf.c @@ -291,7 +291,7 @@ int EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, const uint8_t *key, size_t key_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; CBS cbs; CBS_init(&cbs, key, key_len); return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE, diff --git a/crypto/fipsmodule/hkdf/hkdf.c b/crypto/fipsmodule/hkdf/hkdf.c index bccdaf1527..746e2d8f38 100644 --- a/crypto/fipsmodule/hkdf/hkdf.c +++ b/crypto/fipsmodule/hkdf/hkdf.c @@ -58,13 +58,14 @@ int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *salt, size_t salt_len) { + SET_DIT_AUTO_RESET; // https://tools.ietf.org/html/rfc5869#section-2.2 int ret = 0; // We have to avoid the underlying HMAC services updating the indicator // state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + // If salt is not given, HashLength zeros are used. However, HMAC does that // internally already so we can ignore it. unsigned len; @@ -85,6 +86,7 @@ int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *prk, size_t prk_len, const uint8_t *info, size_t info_len) { // https://tools.ietf.org/html/rfc5869#section-2.3 + SET_DIT_AUTO_RESET; const size_t digest_len = EVP_MD_size(digest); uint8_t previous[EVP_MAX_MD_SIZE]; size_t n, done = 0; @@ -104,7 +106,7 @@ int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest, // We have to avoid the underlying HMAC services updating the indicator // state, so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL)) { goto out; } diff --git a/crypto/fipsmodule/kdf/kbkdf.c b/crypto/fipsmodule/kdf/kbkdf.c index ce94444caa..d33d6ffae2 100644 --- a/crypto/fipsmodule/kdf/kbkdf.c +++ b/crypto/fipsmodule/kdf/kbkdf.c @@ -7,6 +7,8 @@ int KBKDF_ctr_hmac(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *info, size_t info_len) { + SET_DIT_AUTO_RESET; + // We have to avoid the underlying |HMAC_Final| services updating // the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); diff --git a/crypto/fipsmodule/kdf/sskdf.c b/crypto/fipsmodule/kdf/sskdf.c index 40efbf203c..804d3b26cf 100644 --- a/crypto/fipsmodule/kdf/sskdf.c +++ b/crypto/fipsmodule/kdf/sskdf.c @@ -289,6 +289,8 @@ static int SSKDF(const sskdf_variant *variant, sskdf_variant_ctx *ctx, int SSKDF_digest(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *info, size_t info_len) { + SET_DIT_AUTO_RESET; + // We have to avoid the underlying |EVP_DigestFinal| services updating // the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); @@ -320,6 +322,8 @@ int SSKDF_digest(uint8_t *out_key, size_t out_len, const EVP_MD *digest, int SSKDF_hmac(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *info, size_t info_len, const uint8_t *salt, size_t salt_len) { + SET_DIT_AUTO_RESET; + // We have to avoid the underlying |HMAC_Final| services updating // the indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); diff --git a/crypto/fipsmodule/rand/ctrdrbg.c b/crypto/fipsmodule/rand/ctrdrbg.c index 3b523376c2..a6f435b696 100644 --- a/crypto/fipsmodule/rand/ctrdrbg.c +++ b/crypto/fipsmodule/rand/ctrdrbg.c @@ -30,7 +30,7 @@ static const uint64_t kMaxReseedCount = UINT64_C(1) << 48; CTR_DRBG_STATE *CTR_DRBG_new(const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], const uint8_t *personalization, size_t personalization_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; CTR_DRBG_STATE *drbg = OPENSSL_malloc(sizeof(CTR_DRBG_STATE)); if (drbg == NULL || !CTR_DRBG_init(drbg, entropy, personalization, personalization_len)) { @@ -42,14 +42,14 @@ CTR_DRBG_STATE *CTR_DRBG_new(const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], } void CTR_DRBG_free(CTR_DRBG_STATE *state) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; OPENSSL_free(state); } int CTR_DRBG_init(CTR_DRBG_STATE *drbg, const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], const uint8_t *personalization, size_t personalization_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // Section 10.2.1.3.1 if (personalization_len > CTR_DRBG_ENTROPY_LEN) { return 0; @@ -123,7 +123,7 @@ int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg, const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], const uint8_t *additional_data, size_t additional_data_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // Section 10.2.1.4 uint8_t entropy_copy[CTR_DRBG_ENTROPY_LEN]; @@ -152,7 +152,7 @@ int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg, int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len, const uint8_t *additional_data, size_t additional_data_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; // See 9.3.1 if (out_len > CTR_DRBG_MAX_GENERATE_LENGTH) { return 0; diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c index 6134c24bc9..9372c5da5d 100644 --- a/crypto/fipsmodule/rsa/rsa.c +++ b/crypto/fipsmodule/rsa/rsa.c @@ -111,7 +111,7 @@ RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) { RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1, const BIGNUM *iqmp) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *rsa = RSA_new(); if (rsa == NULL || // !bn_dup_into(&rsa->n, n) || // @@ -132,7 +132,7 @@ RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *rsa = RSA_new(); if (rsa == NULL || // !bn_dup_into(&rsa->n, n) || // @@ -147,7 +147,7 @@ RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, } RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *rsa = RSA_new(); if (rsa == NULL) { return NULL; @@ -185,7 +185,7 @@ RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1, const BIGNUM *iqmp) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *rsa = RSA_new(); if (rsa == NULL) { return NULL; @@ -251,7 +251,7 @@ RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) { } void RSA_free(RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa == NULL) { return; } @@ -282,59 +282,59 @@ void RSA_free(RSA *rsa) { } int RSA_up_ref(RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; CRYPTO_refcount_inc(&rsa->references); return 1; } unsigned RSA_bits(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return BN_num_bits(rsa->n); } const BIGNUM *RSA_get0_n(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->n; } const BIGNUM *RSA_get0_e(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->e; } const BIGNUM *RSA_get0_d(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->d; } const BIGNUM *RSA_get0_p(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->p; } const BIGNUM *RSA_get0_q(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->q; } const BIGNUM *RSA_get0_dmp1(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->dmp1; } const BIGNUM *RSA_get0_dmq1(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->dmq1; } const BIGNUM *RSA_get0_iqmp(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->iqmp; } void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, const BIGNUM **out_d) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (out_n != NULL) { *out_n = rsa->n; } @@ -348,7 +348,7 @@ void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, const BIGNUM **out_q) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (out_p != NULL) { *out_p = rsa->p; } @@ -360,13 +360,13 @@ void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) { // We do not support the id-RSASSA-PSS key encoding. If we add support later, // the |maskHash| field should be filled in for OpenSSL compatibility. - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return NULL; } void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (out_dmp1 != NULL) { *out_dmp1 = rsa->dmp1; } @@ -379,7 +379,7 @@ void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, } int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if ((rsa->n == NULL && n == NULL) || (rsa->e == NULL && e == NULL && rsa->d == NULL && d == NULL)) { return 0; @@ -403,7 +403,7 @@ int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) { } int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if ((rsa->p == NULL && p == NULL) || (rsa->q == NULL && q == NULL)) { return 0; @@ -424,7 +424,7 @@ int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) { } int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if ((rsa->dmp1 == NULL && dmp1 == NULL) || (rsa->dmq1 == NULL && dmq1 == NULL) || (rsa->iqmp == NULL && iqmp == NULL)) { @@ -585,7 +585,7 @@ int RSA_meth_set_sign(RSA_METHOD *meth, int (*sign) (int type, static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa->meth && rsa->meth->sign_raw) { // In OpenSSL, the RSA_METHOD |sign_raw| or |priv_enc| operation does // not directly take and initialize an |out_len| parameter. Instead, it @@ -609,14 +609,14 @@ static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding) { boringssl_ensure_rsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, padding); } unsigned RSA_size(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; size_t ret = (rsa->meth && rsa->meth->size) ? rsa->meth->size(rsa) : rsa_default_size(rsa); // RSA modulus sizes are bounded by |BIGNUM|, which must fit in |unsigned|. @@ -627,13 +627,13 @@ unsigned RSA_size(const RSA *rsa) { } int RSA_is_opaque(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE); } int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int index; if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl, argp, free_func)) { @@ -643,12 +643,12 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, } int RSA_set_ex_data(RSA *rsa, int idx, void *arg) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg); } void *RSA_get_ex_data(const RSA *rsa, int idx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return CRYPTO_get_ex_data(&rsa->ex_data, idx); } @@ -885,7 +885,7 @@ int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len, uint8_t *out, unsigned *out_len, RSA *rsa) { boringssl_ensure_rsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa); } @@ -893,7 +893,7 @@ int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len, int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (digest_len != EVP_MD_size(md)) { OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); return 0; @@ -917,7 +917,7 @@ int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, int rsa_digestsign_no_self_test(const EVP_MD *md, const uint8_t *input, size_t in_len, uint8_t *out, unsigned *out_len, RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; uint8_t digest[EVP_MAX_MD_SIZE]; unsigned int digest_len = EVP_MAX_MD_SIZE; if (!EVP_Digest(input, in_len, digest, &digest_len, md, NULL)) { @@ -999,7 +999,7 @@ int rsa_digestverify_no_self_test(const EVP_MD *md, const uint8_t *input, int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, RSA *rsa) { boringssl_ensure_rsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len, rsa); } @@ -1007,7 +1007,7 @@ int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, size_t sig_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (digest_len != EVP_MD_size(md)) { OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH); return 0; @@ -1048,12 +1048,12 @@ int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len) { boringssl_ensure_rsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return rsa_private_transform_no_self_test(rsa, out, in, len); } int RSA_flags(const RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return 0; @@ -1063,7 +1063,7 @@ int RSA_flags(const RSA *rsa) { } void RSA_set_flags(RSA *rsa, int flags) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa == NULL) { OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER); return; @@ -1073,7 +1073,7 @@ void RSA_set_flags(RSA *rsa, int flags) { } int RSA_test_flags(const RSA *rsa, int flags) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa) { return rsa->flags & flags; } @@ -1083,19 +1083,19 @@ int RSA_test_flags(const RSA *rsa, int flags) { } int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; return (rsa != NULL && ((rsa->flags & RSA_FLAG_NO_BLINDING) == 0)) ? 1 : 0; } void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (rsa != NULL) { rsa->flags |= RSA_FLAG_NO_BLINDING; } } int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (ctx != NULL && ctx->pmeth != NULL) { if (ctx->pmeth->pkey_id == EVP_PKEY_RSA || ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { @@ -1120,7 +1120,7 @@ int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) // or <= n when RSA_FLAG_LARGE_PUBLIC_EXPONENT is set. // int is_public_component_of_rsa_key_good(const RSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (key->n == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); return 0; @@ -1202,7 +1202,7 @@ enum rsa_key_type_for_checking { static enum rsa_key_type_for_checking determine_key_type_for_checking(const RSA *key) { // The key must have the modulus n. - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; if (key->n == NULL) { return RSA_KEY_TYPE_FOR_CHECKING_INVALID; } @@ -1270,7 +1270,7 @@ static enum rsa_key_type_for_checking determine_key_type_for_checking(const RSA // Note: see the rsa_key_type_for_checking enum for details on types of keys // the function can work with. int RSA_check_key(const RSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key); if (key_type == RSA_KEY_TYPE_FOR_CHECKING_INVALID) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS); @@ -1498,7 +1498,7 @@ DEFINE_LOCAL_DATA(BIGNUM, g_small_factors) { // that the AWS-LC FIPS module offers only RSA signing and verification as // approved FIPS services. int RSA_check_fips(RSA *key) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; enum rsa_key_type_for_checking key_type = determine_key_type_for_checking(key); // In addition to invalid key type, stripped private keys can not be checked diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c index 38f26d6df0..69023bc5e5 100644 --- a/crypto/fipsmodule/rsa/rsa_impl.c +++ b/crypto/fipsmodule/rsa/rsa_impl.c @@ -1182,7 +1182,7 @@ static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, const BIGNUM *e_value, BN_GENCB *cb, int check_fips) { boringssl_ensure_rsa_self_test(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; RSA *tmp = NULL; uint32_t err; diff --git a/crypto/fipsmodule/sshkdf/sshkdf.c b/crypto/fipsmodule/sshkdf/sshkdf.c index a8b758ce41..a12d1fafdd 100644 --- a/crypto/fipsmodule/sshkdf/sshkdf.c +++ b/crypto/fipsmodule/sshkdf/sshkdf.c @@ -21,7 +21,7 @@ int SSHKDF(const EVP_MD *evp_md, char type, uint8_t *out, size_t out_len) { - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; EVP_MD_CTX *md = NULL; uint8_t digest[EVP_MAX_MD_SIZE]; unsigned int digest_size = 0; diff --git a/crypto/fipsmodule/tls/kdf.c b/crypto/fipsmodule/tls/kdf.c index ab84d368bb..4089fd34af 100644 --- a/crypto/fipsmodule/tls/kdf.c +++ b/crypto/fipsmodule/tls/kdf.c @@ -143,7 +143,7 @@ int CRYPTO_tls1_prf(const EVP_MD *digest, // We have to avoid the underlying HMAC services updating the indicator state, // so we lock the state here. FIPS_service_indicator_lock_state(); - SET_DIT_AUTO_DISABLE; + SET_DIT_AUTO_RESET; int ret = 0; const EVP_MD *original_digest = digest; if (out_len == 0) { diff --git a/include/openssl/arm_arch.h b/include/openssl/arm_arch.h index 5db9bb3aa8..73c63ae041 100644 --- a/include/openssl/arm_arch.h +++ b/include/openssl/arm_arch.h @@ -90,7 +90,15 @@ #define ARMV8_NEOVERSE_V2 (1 << 14) // ARMV8_DIT indicates support for the Data-Independent Timing (DIT) flag. -#define ARMV8_DIT (1 << 14) +#define ARMV8_DIT (1 << 15) +// ARMV8_DIT_ALLOWED is a run-time en/disabler for the Data-Independent +// Timing (DIT) flag capability. It makes the DIT capability allowed when it is +// first discovered in |OPENSSL_cpuid_setup|. But that bit position in +// |OPENSSL_armcap_P| can be toggled off and back on at run-time via +// |armv8_disable_dit| and |armv8_enable_dit|, respectively. +#define ARMV8_DIT_ALLOWED (1 << 16) + + // // MIDR_EL1 system register // diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index fbe6e21957..9897efa997 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -85,34 +85,31 @@ OPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void); #endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP // Data-Independent Timing (DIT) on AArch64 - -#if defined(OPENSSL_AARCH64) && !defined(OPENSSL_WINDOWS) && defined(MAKE_DIT_AVAILABLE) +#if defined(OPENSSL_AARCH64) && (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE)) // (TODO): See if we can detect the DIT capability in Windows environment +#define AARCH64_DIT_SUPPORTED +#endif -// armv8_enable_dit sets the DIT flag to 1 and returns its original value -// before it was called. -uint64_t armv8_enable_dit(void); - -// armv8_restore_dit takes as input a value to restore the DIT flag to. -void armv8_restore_dit(volatile uint64_t *original_dit); - -// SET_DIT_AUTO_DISABLE can be inserted in the caller's application at -// the beginning of the code section that makes repeated calls to AWS-LC functions. -// The flag will be automatically restored to its original value at the end of the -// scope. -// This can minimise the effect on performance of repeatedly setting and -// disabling DIT. -// Instead of the macro, the functions above can be used. -// An example of their usage is present in the benchmarking function -// `Speed()` in `tool/speed.cc` when the option `-dit` is passed in. -#define SET_DIT_AUTO_DISABLE \ - volatile uint64_t _dit_restore_orig \ - __attribute__((cleanup(armv8_restore_dit))) \ - OPENSSL_UNUSED = armv8_enable_dit(); - -#else -#define SET_DIT_AUTO_DISABLE -#endif // OPENSSL_AARCH64 && !OPENSSL_WINDOWS && MAKE_DIT_AVAILABLE +#if defined(AARCH64_DIT_SUPPORTED) + +// armv8_disable_dit is a runtime disabler of the DIT capability. +// It results in CRYPTO_is_ARMv8_DIT_capable() returning 0 even if the +// capability exists. +// Important: This runtime control is provided to users that would use +// the build flag ENABLE_DATA_INDEPENDENT_TIMING, but would +// then disable DIT capability at runtime. This is ideally done in +// an initialization routine of AWS-LC before any threads are spawn. +// Otherwise, there may be data races created because this function writes +// to |OPENSSL_armcap_P|. +OPENSSL_EXPORT void armv8_disable_dit(void); + +// armv8_enable_dit is a runtime enabler of the DIT capability. If +// |armv8_disable_dit| was used to disable the DIT capability, this function +// makes it available again. +// Important: See note in |armv8_disable_dit|. +OPENSSL_EXPORT void armv8_enable_dit(void); + +#endif // AARCH64_DIT_SUPPORTED // FIPS monitoring diff --git a/tests/ci/run_posix_tests.sh b/tests/ci/run_posix_tests.sh index 3e0b3c4195..1c76bc54df 100755 --- a/tests/ci/run_posix_tests.sh +++ b/tests/ci/run_posix_tests.sh @@ -36,7 +36,7 @@ echo "Testing with pre-generated assembly code." build_and_test -DDISABLE_PERL=ON echo "Testing building with AArch64 Data-Independent Timing (DIT) on." -build_and_test -DENABLE_DATA_INDEPENDENT_TIMING_AARCH64=ON -DCMAKE_BUILD_TYPE=Release +build_and_test -DENABLE_DATA_INDEPENDENT_TIMING=ON -DCMAKE_BUILD_TYPE=Release if [[ "${AWSLC_C99_TEST}" == "1" ]]; then echo "Testing the C99 compatability of AWS-LC headers." diff --git a/tool/speed.cc b/tool/speed.cc index d71359ac0a..543b304963 100644 --- a/tool/speed.cc +++ b/tool/speed.cc @@ -37,6 +37,7 @@ #if defined(OPENSSL_IS_AWSLC) #include "bssl_bm.h" #include "../crypto/internal.h" +#include "../crypto/fipsmodule/cpucap/internal.h" #include #include #elif defined(OPENSSL_IS_BORINGSSL) @@ -85,8 +86,7 @@ static inline void *align_pointer(void *ptr, size_t alignment) { } #endif -#if defined(OPENSSL_IS_AWSLC) && defined(OPENSSL_AARCH64) && !defined(OPENSSL_WINDOWS) && \ - defined(MAKE_DIT_AVAILABLE) +#if defined(OPENSSL_IS_AWSLC) && defined(AARCH64_DIT_SUPPORTED) #define DIT_OPTION #endif @@ -2607,8 +2607,8 @@ static const argument_t kArguments[] = { { "-dit", kBooleanArgument, - "If this flag is set, the DIT flag is enabled before benchmarking and" - "disabled at the end." + "If this flag is set, the DIT flag is set before benchmarking and" + "reset at the end." }, #endif { @@ -2755,10 +2755,12 @@ bool Speed(const std::vector &args) { } } #if defined(DIT_OPTION) + armv8_disable_dit(); // disable DIT capability at run-time + armv8_enable_dit(); // enable back DIT capability at run-time uint64_t original_dit = 0; if (g_dit) { - original_dit = armv8_enable_dit(); + original_dit = armv8_set_dit(); } #endif