From 6f65ffce68d9edbffaab9bdade2348af01909c87 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 3 Nov 2011 10:18:52 +0100
Subject: [PATCH] do not use AVX instructions when osxsave bit not set
add direct known answer tests for SHA2 algorithms
---
 openssl-1.0.0-sha2test.patch | 77 ++++++++++++++++++++++++++++++++++
 openssl-1.0.0d-intelopts.patch | 57 +++++++++++-------------
 openssl.spec | 8 +++-
 3 files changed, 109 insertions(+), 33 deletions(-)
 create mode 100644 openssl-1.0.0-sha2test.patch
diff --git a/openssl-1.0.0-sha2test.patch b/openssl-1.0.0-sha2test.patch
new file mode 100644
index 0000000..b8bd9e5
--- /dev/null
+++ b/openssl-1.0.0-sha2test.patch
@@ -0,0 +1,77 @@
+diff -up openssl-1.0.0/crypto/fips/fips.c.sha2test openssl-1.0.0/crypto/fips/fips.c
+--- openssl-1.0.0/crypto/fips/fips.c.sha2test 2011-09-12 15:07:42.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.c 2011-09-26 11:03:17.000000000 +0200
+@@ -163,6 +163,7 @@ int FIPS_selftest()
+ {
+
+ return FIPS_selftest_sha1()
++ && FIPS_selftest_sha2()
+ && FIPS_selftest_hmac()
+ && FIPS_selftest_aes()
+ && FIPS_selftest_des()
+@@ -323,6 +324,8 @@ FIPSCHECK_verify(const char *libname, co
+ return 0;
+
+ hmacpath = make_hmac_path(path);
++ if (hmacpath == NULL)
++ return 0;
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+@@ -627,6 +630,45 @@ int fips_cipher_test(EVP_CIPHER_CTX *ctx
+ return 1;
+ }
+
++static const unsigned char msg_sha256[] = { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++ 0xfc };
++static const unsigned char dig_sha256[] = { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a };
++
++static const unsigned char msg_sha512[] = { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd };
++static const unsigned char dig_sha512[] = { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 };
++
++int FIPS_selftest_sha2(void)
++ {
++ unsigned char md[SHA512_DIGEST_LENGTH];
++
++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++ if(memcmp(dig_sha256, md, sizeof(dig_sha256)))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ EVP_Digest(msg_sha512,
sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++ if(memcmp(dig_sha512, md, sizeof(dig_sha512)))
++ {
++ FIPSerr(FIPS_F_FIPS_MODE_SET, FIPS_R_SELFTEST_FAILED);
++ return 0;
++ }
++
++ return 1;
++ }
++
+ #if 0
+ /* The purpose of this is to ensure the error code exists and the function
+ * name is to keep the error checking script quiet
+diff -up openssl-1.0.0/crypto/fips/fips.h.sha2test openssl-1.0.0/crypto/fips/fips.h
+--- openssl-1.0.0/crypto/fips/fips.h.sha2test 2011-09-12 15:07:42.000000000 +0200
++++ openssl-1.0.0/crypto/fips/fips.h 2011-09-26 11:00:55.000000000 +0200
+@@ -72,6 +72,7 @@ int FIPS_selftest_failed(void);
+ void FIPS_selftest_check(void);
+ void FIPS_corrupt_sha1(void);
+ int FIPS_selftest_sha1(void);
++int FIPS_selftest_sha2(void);
+ void FIPS_corrupt_aes(void);
+ int FIPS_selftest_aes(void);
+ void FIPS_corrupt_des(void);
diff --git a/openssl-1.0.0d-intelopts.patch b/openssl-1.0.0d-intelopts.patch
index 99957b3..6aba7b3 100644
--- a/openssl-1.0.0d-intelopts.patch
+++ b/openssl-1.0.0d-intelopts.patch
@@ -1,6 +1,6 @@
 diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl
---- openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl 2011-08-24 12:36:34.000000000 +0200
+--- openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
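Review bot: The return value of `EVP_Digest()` is ignored in both calls inside `FIPS_selftest_sha2`, so if the digest operation fails `md` still holds stack garbage and the self-test outcome rests on a memcmp of uninitialised bytes; fold the call into the check, `if (!EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL) || memcmp(dig_sha256, md, sizeof(dig_sha256)))`, and the same for the SHA-512 call. The known-answer vectors carry no provenance, which makes the KAT impossible to audit later; a comment above `msg_sha256` such as `/* Known answers taken from <VECTOR-SOURCE>, entry <ID> */` (with the real reference filled in) would fix that. Only SHA-256 and SHA-512 are exercised although the routine is named for SHA-2 as a whole; if SHA-224 and SHA-384 are meant to be covered through their sibling compression functions, say so in a comment on the function. The `hmacpath == NULL` guard in `FIPSCHECK_verify` is an unrelated fix riding in the sha2test patch file and would be easier to track on its own.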
@@ -1021,8 +1021,8 @@ diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86.pl.intelopts openssl-1.0.0d/cry
  &$movekey ("xmm0",&QWP(0,$key)); # inverse middle
 diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl
---- openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl 2011-08-24 12:36:34.000000000 +0200
+--- openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -2315,7 +2315,7 @@ diff -up openssl-1.0.0d/crypto/aes/asm/aesni-x86_64.pl.intelopts openssl-1.0.0d/
 ___
 diff -up openssl-1.0.0d/crypto/cryptlib.c.intelopts openssl-1.0.0d/crypto/cryptlib.c
 --- openssl-1.0.0d/crypto/cryptlib.c.intelopts 2010-11-19 01:11:27.000000000 +0100
-+++ openssl-1.0.0d/crypto/cryptlib.c 2011-08-24 12:36:33.000000000 +0200
++++ openssl-1.0.0d/crypto/cryptlib.c 2011-08-24 12:50:55.000000000 +0200
 @@ -662,22 +662,23 @@ const char *CRYPTO_get_lock_name(int typ
  defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
@@ -2344,8 +2344,8 @@ diff -up openssl-1.0.0d/crypto/cryptlib.c.intelopts openssl-1.0.0d/crypto/cryptl
  * |(1<<10) sets a reserved bit to signal that variable
  * was initialized already... This is to avoid interference
 diff -up openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts openssl-1.0.0d/crypto/engine/eng_aesni.c
---- openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/engine/eng_aesni.c 2011-08-24 12:36:33.000000000 +0200
+--- openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/engine/eng_aesni.c 2011-08-24 12:50:55.000000000 +0200
 @@ -157,16 +157,20 @@ typedef unsigned __int64 IA32CAP;
  typedef unsigned long long IA32CAP;
  #endif
@@ -2373,8 +2373,8 @@ diff -up openssl-1.0.0d/crypto/engine/eng_aesni.c.intelopts openssl-1.0.0d/crypt
  /* Register everything or return with an error */
 diff -up openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c
---- openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c 2011-08-24 12:36:33.000000000 +0200
+--- openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c 2011-08-24 12:50:55.000000000 +0200
 @@ -62,6 +62,8 @@ void OPENSSL_cleanse(void *p,size_t len)
  #ifdef OPENSSL_FIPS
@@ -2386,7 +2386,7 @@ diff -up openssl-1.0.0d/crypto/fips/fips_standalone_sha1.c.intelopts openssl-1.0
  {
 diff -up openssl-1.0.0d/crypto/perlasm/x86asm.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86asm.pl
 --- openssl-1.0.0d/crypto/perlasm/x86asm.pl.intelopts 2008-12-17 20:56:47.000000000 +0100
-+++ openssl-1.0.0d/crypto/perlasm/x86asm.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/perlasm/x86asm.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -2453,7 +2453,7 @@ diff -up openssl-1.0.0d/crypto/perlasm/x86asm.pl.intelopts openssl-1.0.0d/crypto
  $label="000";
 diff -up openssl-1.0.0d/crypto/perlasm/x86gas.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86gas.pl
 --- openssl-1.0.0d/crypto/perlasm/x86gas.pl.intelopts 2008-12-17 20:56:47.000000000 +0100
-+++ openssl-1.0.0d/crypto/perlasm/x86gas.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/perlasm/x86gas.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -2487,7 +2487,7 @@ diff -up openssl-1.0.0d/crypto/perlasm/x86gas.pl.intelopts openssl-1.0.0d/crypto
  sub ::align
 diff -up openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl.intelopts openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl
 --- openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl.intelopts 2010-10-10 23:14:17.000000000 +0200
-+++ openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -2781,8 +2781,8 @@ diff -up openssl-1.0.0d/crypto/perlasm/x86_64-xlate.pl.intelopts openssl-1.0.0d/
  printf "\t%s",$opcode->out();
  }
 diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl
---- openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl 2011-08-24 12:49:09.000000000 +0200
+--- openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -3229,8 +3229,8 @@ diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-x86_64.pl.intelopts openssl-1.0.0d/cr
  print $code;
 diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl
---- openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts 2011-08-24 12:36:33.000000000 +0200
-+++ openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl 2011-08-24 12:50:40.000000000 +0200
+--- openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts 2011-08-24 12:50:55.000000000 +0200
++++ openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -3449,7 +3449,7 @@ diff -up openssl-1.0.0d/crypto/rc4/asm/rc4-586.pl.intelopts openssl-1.0.0d/crypt
  &function_end_B("RC4_options");
 diff -up openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl.intelopts openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl
 --- openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl.intelopts 2010-01-17 17:58:56.000000000 +0100
-+++ openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -4765,7 +4765,7 @@ diff -up openssl-1.0.0d/crypto/sha/asm/sha1-x86_64.pl.intelopts openssl-1.0.0d/c
 diff -up openssl-1.0.0d/crypto/sha/asm/sha1-586.pl.intelopts openssl-1.0.0d/crypto/sha/asm/sha1-586.pl
 --- openssl-1.0.0d/crypto/sha/asm/sha1-586.pl.intelopts 2008-07-17 11:50:56.000000000 +0200
-+++ openssl-1.0.0d/crypto/sha/asm/sha1-586.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/sha/asm/sha1-586.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -5972,7 +5972,7 @@ diff -up openssl-1.0.0d/crypto/sha/asm/sha1-586.pl.intelopts openssl-1.0.0d/cryp
  &asm_finish();
 diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cpuid.pl
 --- openssl-1.0.0d/crypto/x86cpuid.pl.intelopts 2010-02-12 18:02:12.000000000 +0100
-+++ openssl-1.0.0d/crypto/x86cpuid.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/x86cpuid.pl 2011-11-03 09:55:42.000000000 +0100
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
@@ -6021,7 +6021,7 @@ diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cp
  &set_label("intel");
  &cmp ("edi",4);
-@@ -85,27 +92,52 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+@@ -85,27 +92,45 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
  &set_label("nocacheinfo");
  &mov ("eax",1);
  &cpuid ();
@@ -6059,20 +6059,13 @@ diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cp
 + &mov ("esi","edx");
 + &or ("ebp","ecx"); # merge AMD XOP flag
 +
-+ &bt ("ecx",26); # check XSAVE bit
-+ &jnc (&label("done"));
 + &bt ("ecx",27); # check OSXSAVE bit
-+ &jnc (&label("clear_xmm"));
-+ &xor ("ecx","ecx");
++ &jnc (&label("clear_avx"));
++ &xor ("ecx","ecx"); # XCR0
 + &data_byte(0x0f,0x01,0xd0); # xgetbv
-+ &and ("eax",6);
++ &and ("eax",6); # isolate XMM and YMM state support
 + &cmp ("eax",6);
 + &je (&label("done"));
-+ &cmp ("eax",2);
-+ &je (&label("clear_avx"));
-+&set_label("clear_xmm");
-+ &and ("ebp",0xfdfffffd); # clear AESNI and PCLMULQDQ bits
-+ &and ("esi",0xfeffffff); # clear FXSR
 +&set_label("clear_avx");
 + &and ("ebp",0xefffe7ff); # clear AVX, FMA and AMD XOP bits
  &set_label("done");
@@ -6083,7 +6076,7 @@ diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cp
  &function_end("OPENSSL_ia32_cpuid");
  &external_label("OPENSSL_ia32cap_P");
-@@ -199,8 +231,9 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+@@ -199,8 +224,9 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
  &bt (&DWP(0,"ecx"),1);
  &jnc (&label("no_x87"));
  if ($sse2) {
@@ -6097,7 +6090,7 @@ diff -up openssl-1.0.0d/crypto/x86cpuid.pl.intelopts openssl-1.0.0d/crypto/x86cp
  &pxor ("xmm2","xmm2");
 diff -up openssl-1.0.0d/crypto/x86_64cpuid.pl.intelopts openssl-1.0.0d/crypto/x86_64cpuid.pl
 --- openssl-1.0.0d/crypto/x86_64cpuid.pl.intelopts 2010-04-14 21:25:09.000000000 +0200
-+++ openssl-1.0.0d/crypto/x86_64cpuid.pl 2011-08-24 12:36:34.000000000 +0200
++++ openssl-1.0.0d/crypto/x86_64cpuid.pl 2011-08-24 12:50:56.000000000 +0200
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
diff --git a/openssl.spec b/openssl.spec
index 2a3ce57..bd07689 100644
--- a/openssl.spec
+++ b/openssl.spec
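Review bot: The comments on the two new lines in the OSXSAVE block say less than the logic decides: `# XCR0` on `&xor ("ecx","ecx")` would read better as `# ecx=0 selects XCR0 for xgetbv`, and `# isolate XMM and YMM state support` as `# XCR0 bits 1,2: OS saves XMM and YMM state; AVX is usable only when both are set`. The ordering itself is right — `xgetbv` is only reached after CPUID.1:ECX bit 27 (OSXSAVE) is confirmed, so it cannot fault on an OS that left XSAVE off — and a one-line comment stating that invariant above `&bt ("ecx",27)` would keep a later reorder from silently breaking it. The hunk also drops the `clear_xmm` path that stripped AES-NI/PCLMULQDQ and FXSR when XMM state was missing from XCR0; presumably that was a false positive (SSE state is enabled through CR4.OSFXSR, not XCR0), but neither the commit message nor a comment says so. The generated `OPENSSL_ia32_cpuid` routine starts before this hunk and ends after it.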
@@ -21,7 +21,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0e
-Release: 2%{?dist}
+Release: 3%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -76,6 +76,7 @@ Patch62: openssl-1.0.0-fips-aesni.patch
 Patch63: openssl-1.0.0d-xmpp-starttls.patch
 Patch64: openssl-1.0.0d-intelopts.patch
 Patch65: openssl-1.0.0e-chil-fixes.patch
+Patch66: openssl-1.0.0-sha2test.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.0d-padlock64.patch
@@ -173,6 +174,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch63 -p1 -b .starttls
 %patch64 -p1 -b .intelopts
 %patch65 -p1 -b .chil
+%patch66 -p1 -b .sha2test
 %patch81 -p1 -b .padlock64
@@ -424,6 +426,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 %changelog
+* Thu Nov 3 2011 Tomas Mraz 1.0.0e-3
+- do not use AVX instructions when osxsave bit not set
+- add direct known answer tests for SHA2 algorithms
+
 * Wed Sep 21 2011 Tomas Mraz 1.0.0e-2
 - fix missing initialization of variable in CHIL engine