Try to remove execmod from 32-bit AES-NI k5crypto

- make a guess at making the 32-bit AES-NI implementation sufficiently
  position-independent to not require execmod permissions for libk5crypto
  (more of #1045699)
This commit is contained in:
Nalin Dahyabhai 2014-01-06 18:53:03 -05:00
parent 05c4140d32
commit 75edc7c7ca
2 changed files with 45 additions and 2 deletions

View File

@ -0,0 +1,38 @@
--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
@@ -256,6 +256,7 @@ DD 0
section .text
+extern _GLOBAL_OFFSET_TABLE_
align 16
key_expansion256:
@@ -318,7 +319,12 @@ _iEncExpandKey128:
movdqu [edx], xmm1
- movdqa xmm5, [shuffle_mask]
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
add edx,16
@@ -421,7 +430,12 @@ _iEncExpandKey256:
add edx,32
- movdqa xmm5, [shuffle_mask] ; this mask is used by key_expansion
+ call .get_GOT
+.get_GOT:
+ pop ebx
+ add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+ movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
aeskeygenassist xmm2, xmm3, 0x1 ;
call key_expansion256

View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.12
Release: 8%{?dist}
Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
Source0: krb5-%{version}.tar.gz
@ -97,6 +97,7 @@ Patch138: krb5-master-keytab_close.patch
Patch139: krb5-1.12-copy_context.patch
Patch140: krb5-master-spnego_error_messages.patch
Patch141: krb5-1.12-enable-NX.patch
Patch142: krb5-1.12-pic-aes-ni.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -322,6 +323,7 @@ ln -s NOTICE LICENSE
%patch139 -p1 -b .copy_context
%patch140 -p1 -b .spnego_error_messages
%patch141 -p1 -b .enable-NX
%patch142 -p1 -b .pic-aes-ni
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
@ -976,9 +978,12 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Mon Jan 6 2014 Nalin Dahyabhai <nalin@redhat.com>
* Mon Jan 6 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-9
- grab a more-commented version of the most recent patch from upstream
master
- make a guess at making the 32-bit AES-NI implementation sufficiently
position-independent to not require execmod permissions for libk5crypto
(more of #1045699)
* Thu Jan 2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8
- add patch from Dhiru Kholia for the AES-NI implementations to allow