Try to remove execmod from 32-bit AES-NI k5crypto

- make a guess at making the 32-bit AES-NI implementation sufficiently position-independent to not require execmod permissions for libk5crypto (more of #1045699)
2014-01-06 18:53:03 -05:00 · 2014-01-06 18:53:03 -05:00 · 75edc7c7ca
commit 75edc7c7ca
parent 05c4140d32
2 changed files with 45 additions and 2 deletions
--- a/krb5-1.12-pic-aes-ni.patch
+++ b/krb5-1.12-pic-aes-ni.patch
@ -0,0 +1,38 @@
+--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -256,6 +256,7 @@ DD 0
+ section .text
+ 
+ 
+extern _GLOBAL_OFFSET_TABLE_
+ 
+ align 16
+ key_expansion256:
+@@ -318,7 +319,12 @@ _iEncExpandKey128:
+ 
+         movdqu [edx], xmm1
+ 
+-        movdqa xmm5, [shuffle_mask]
+        call .get_GOT
+.get_GOT:
+        pop ebx
+        add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+        movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
+ 
+         add edx,16
+ 
+@@ -421,7 +430,12 @@ _iEncExpandKey256:
+ 
+     add edx,32
+ 
+-    movdqa xmm5, [shuffle_mask]  ; this mask is used by key_expansion
+    call .get_GOT
+.get_GOT:
+    pop ebx
+    add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
+
+    movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
+ 
+     aeskeygenassist xmm2, xmm3, 0x1     ;
+     call key_expansion256
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -97,6 +97,7 @@ Patch138: krb5-master-keytab_close.patch
 Patch139: krb5-1.12-copy_context.patch
 Patch140: krb5-master-spnego_error_messages.patch
 Patch141: krb5-1.12-enable-NX.patch
+Patch142: krb5-1.12-pic-aes-ni.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -322,6 +323,7 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .copy_context
 %patch140 -p1 -b .spnego_error_messages
 %patch141 -p1 -b .enable-NX
+%patch142 -p1 -b .pic-aes-ni

 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@ -976,9 +978,12 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
-* Mon Jan  6 2014 Nalin Dahyabhai <nalin@redhat.com>
+* Mon Jan  6 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-9
 - grab a more-commented version of the most recent patch from upstream
  master
+- make a guess at making the 32-bit AES-NI implementation sufficiently
+  position-independent to not require execmod permissions for libk5crypto
+  (more of #1045699)

 * Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8
 - add patch from Dhiru Kholia for the AES-NI implementations to allow