Merge BoringSSL through a905bbb52a7bac5099f2cbee008c6f3eae96218c

Cargo.toml

@@ -110,10 +110,12 @@ include = [
     "examples/**/*.rs",
     "include/ring-core/aes.h",
     "include/ring-core/arm_arch.h",
+    "include/ring-core/asm_base.h",
     "include/ring-core/base.h",
     "include/ring-core/check.h",
     "include/ring-core/mem.h",
     "include/ring-core/poly1305.h",
+    "include/ring-core/target.h",
     "include/ring-core/type_check.h",
     "src/**/*.rs",
     "src/aead/poly1305_test.txt",

crypto/curve25519/asm/x25519-asm-arm.S

@@ -17,15 +17,9 @@
  * domain licensed but the standard ISC license is included above to keep
  * licensing simple. */
 
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
-#endif
+#include <ring-core/asm_base.h>
 
-#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__)
-
-#include "ring_core_generated/prefix_symbols_asm.h"
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)
 
 .fpu neon
 .text
@@ -2127,8 +2121,4 @@ mov sp,r12
 vpop {q4,q5,q6,q7}
 bx lr
 
-#endif  /* !OPENSSL_NO_ASM && __ARMEL__ && __ELF__ */
-
-#if defined(__ELF__)
-.section	.note.GNU-stack,"",%progbits
-#endif
+#endif  /* !OPENSSL_NO_ASM && OPENSSL_ARM && __ELF__ */

crypto/curve25519/curve25519.c

@@ -778,6 +778,18 @@ static void table_select(ge_precomp *t, const int pos, const signed char b) {
 // Preconditions:
 //   a[31] <= 127
 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
+#if defined(BORINGSSL_FE25519_ADX)
+  if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&
+      CRYPTO_is_ADX_capable()) {
+    uint8_t t[4][32];
+    x25519_ge_scalarmult_base_adx(t, a);
+    fiat_25519_from_bytes(h->X.v, t[0]);
+    fiat_25519_from_bytes(h->Y.v, t[1]);
+    fiat_25519_from_bytes(h->Z.v, t[2]);
+    fiat_25519_from_bytes(h->T.v, t[3]);
+    return;
+  }
+#endif
   signed char e[64];
   signed char carry;
   ge_p1p1 r;

crypto/curve25519/curve25519_64_adx.c

@@ -0,0 +1,18 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+#if defined(BORINGSSL_FE25519_ADX)
+#include "../../third_party/fiat/curve25519_64_adx.h"
+#endif

crypto/internal.h

@@ -223,22 +223,6 @@ static inline crypto_word_t value_barrier_w(crypto_word_t a) {
   return a;
 }
 
-// value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
-static inline uint32_t value_barrier_u32(uint32_t a) {
-#if defined(__GNUC__) || defined(__clang__)
-  __asm__("" : "+r"(a) : /* no inputs */);
-#endif
-  return a;
-}
-
-// value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.
-static inline uint64_t value_barrier_u64(uint64_t a) {
-#if defined(__GNUC__) || defined(__clang__)
-  __asm__("" : "+r"(a) : /* no inputs */);
-#endif
-  return a;
-}
-
 // |value_barrier_u8| could be defined as above, but compilers other than
 // clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM.
 

crypto/perlasm/arm-xlate.pl

@@ -153,9 +153,9 @@ sub expand_line {
 
 my ($arch_defines, $target_defines);
 if ($flavour =~ /32/) {
-    $arch_defines = "defined(__ARMEL__)";
+    $arch_defines = "defined(OPENSSL_ARM)";
 } elsif ($flavour =~ /64/) {
-    $arch_defines = "defined(__AARCH64EL__)";
+    $arch_defines = "defined(OPENSSL_AARCH64)";
 } else {
     die "unknown architecture: $flavour";
 }
@@ -177,18 +177,11 @@ sub expand_line {
 // This file is generated from a similarly-named Perl script in the BoringSSL
 // source tree. Do not edit by hand.
 
-#if !defined(__has_feature)
-#define __has_feature(x) 0
-#endif
-#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
+#include <ring-core/asm_base.h>
 
 #if !defined(OPENSSL_NO_ASM) && $arch_defines && $target_defines
 ___
 
-print "#include \"ring_core_generated/prefix_symbols_asm.h\"\n";
-
 while(my $line=<>) {
 
     if ($line =~ m/^\s*(#|@|\/\/)/)	{ print $line; next; }
@@ -258,10 +251,6 @@ sub expand_line {
 
 print <<___;
 #endif  // !OPENSSL_NO_ASM && $arch_defines && $target_defines
-#if defined(__ELF__)
-// See https://www.airs.com/blog/archives/518.
-.section .note.GNU-stack,"",\%progbits
-#endif
 ___
 
 close STDOUT or die "error closing STDOUT: $!";

crypto/perlasm/x86_64-xlate.pl

@@ -1520,14 +1520,9 @@ sub rxb {
         die "unknown target: $flavour";
     }
     print <<___;
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
-#endif
-
-#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && $target
-#include "ring_core_generated/prefix_symbols_asm.h"
+#include <ring-core/asm_base.h>
+
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && $target
 ___
 }
 
@@ -1623,13 +1618,7 @@ sub process_line {
 if ($masm) {
     print "END\n";
 } elsif ($gas) {
-    print <<___;
-#endif
-#if defined(__ELF__)
-// See https://www.airs.com/blog/archives/518.
-.section .note.GNU-stack,"",\%progbits
-#endif
-___
+    print "#endif\n";
 } elsif ($nasm) {
     print <<___;
 \%else

crypto/perlasm/x86asm.pl

@@ -305,22 +305,13 @@ sub ::asm_finish
         }
 
         print <<___;
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
-#endif
-
-#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && $target
-#include "ring_core_generated/prefix_symbols_asm.h"
+#include <ring-core/asm_base.h>
+
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && $target
 ___
         print @out;
         print <<___;
-#endif  // !defined(OPENSSL_NO_ASM) && defined(__i386__) && $target
-#if defined(__ELF__)
-// See https://www.airs.com/blog/archives/518.
-.section .note.GNU-stack,"",\%progbits
-#endif
+#endif  // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && $target
 ___
     }
 }

crypto/poly1305/poly1305_arm_asm.S

@@ -1,15 +1,9 @@
-#if defined(__has_feature)
-#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
-#endif
+#include <ring-core/asm_base.h>
 
-#if defined(__ARMEL__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__)
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)
 
 #pragma GCC diagnostic ignored "-Wlanguage-extension-token"
 
-#include "ring_core_generated/prefix_symbols_asm.h"
-
 # This implementation was taken from the public domain, neon2 version in
 # SUPERCOP by D. J. Bernstein and Peter Schwabe.
 
@@ -2022,8 +2016,4 @@ vst1.8 d4,[r0,: 64]
 add sp,sp,#0
 bx lr
 
-#endif  /* __ARMEL__ && !OPENSSL_NO_ASM && __ELF__ */
-
-#if defined(__ELF__)
-.section	.note.GNU-stack,"",%progbits
-#endif
+#endif  /* !OPENSSL_NO_ASM && OPENSSL_ARM && __ELF__ */

include/ring-core/arm_arch.h

@@ -53,12 +53,13 @@
 #ifndef OPENSSL_HEADER_ARM_ARCH_H
 #define OPENSSL_HEADER_ARM_ARCH_H
 
+#include <ring-core/target.h>
+
 // arm_arch.h contains symbols used by ARM assembly, and the C code that calls
 // it. It is included as a public header to simplify the build, but is not
 // intended for external use.
 
-#if defined(__ARMEL__) || defined(_M_ARM) || defined(__AARCH64EL__) || \
-    defined(_M_ARM64)
+#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
 
 // ARMV7_NEON is true when a NEON unit is present in the current CPU.
 #define ARMV7_NEON (1 << 0)
@@ -91,124 +92,8 @@
 // will be included.
 #define __ARM_MAX_ARCH__ 8
 
-// Support macros for
-//   - Armv8.3-A Pointer Authentication and
-//   - Armv8.5-A Branch Target Identification
-// features which require emitting a .note.gnu.property section with the
-// appropriate architecture-dependent feature bits set.
-//
-// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to
-// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be
-// used immediately before saving the LR register (x30) to the stack.
-// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring
-// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone
-// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also
-// have the same value at the two points. For example:
-//
-//   .global f
-//   f:
-//     AARCH64_SIGN_LINK_REGISTER
-//     stp x29, x30, [sp, #-96]!
-//     mov x29, sp
-//     ...
-//     ldp x29, x30, [sp], #96
-//     AARCH64_VALIDATE_LINK_REGISTER
-//     ret
-//
-// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or
-// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an
-// indirect call target. In particular, all symbols exported from a file must
-// begin with one of these macros. For example, a leaf function that does not
-// save LR can instead use |AARCH64_VALID_CALL_TARGET|:
-//
-//   .globl return_zero
-//   return_zero:
-//     AARCH64_VALID_CALL_TARGET
-//     mov x0, #0
-//     ret
-//
-// A non-leaf function which does not immediately save LR may need both macros
-// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function
-// may jump to an alternate implementation before setting up the stack:
-//
-//   .globl with_early_jump
-//   with_early_jump:
-//     AARCH64_VALID_CALL_TARGET
-//     cmp x0, #128
-//     b.lt .Lwith_early_jump_128
-//     AARCH64_SIGN_LINK_REGISTER
-//     stp x29, x30, [sp, #-96]!
-//     mov x29, sp
-//     ...
-//     ldp x29, x30, [sp], #96
-//     AARCH64_VALIDATE_LINK_REGISTER
-//     ret
-//
-//  .Lwith_early_jump_128:
-//     ...
-//     ret
-//
-// These annotations are only required with indirect calls. Private symbols that
-// are only the target of direct calls do not require annotations. Also note
-// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not
-// indirect jumps (BR). Indirect jumps in assembly are currently not supported
-// and would require a macro for BTI 'j'.
-//
-// Although not necessary, it is safe to use these macros in 32-bit ARM
-// assembly. This may be used to simplify dual 32-bit and 64-bit files.
-//
-// References:
-// - "ELF for the Arm® 64-bit Architecture"
-//   https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst
-// - "Providing protection for complex software"
-//   https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
-
-#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
-#define GNU_PROPERTY_AARCH64_BTI (1 << 0)   // Has Branch Target Identification
-#define AARCH64_VALID_CALL_TARGET hint #34  // BTI 'c'
-#else
-#define GNU_PROPERTY_AARCH64_BTI 0  // No Branch Target Identification
-#define AARCH64_VALID_CALL_TARGET
-#endif
-
-#if defined(__ARM_FEATURE_PAC_DEFAULT) && \
-    (__ARM_FEATURE_PAC_DEFAULT & 1) == 1  // Signed with A-key
-#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
-  (1 << 1)                                       // Has Pointer Authentication
-#define AARCH64_SIGN_LINK_REGISTER hint #25      // PACIASP
-#define AARCH64_VALIDATE_LINK_REGISTER hint #29  // AUTIASP
-#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \
-    (__ARM_FEATURE_PAC_DEFAULT & 2) == 2  // Signed with B-key
-#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
-  (1 << 1)                                       // Has Pointer Authentication
-#define AARCH64_SIGN_LINK_REGISTER hint #27      // PACIBSP
-#define AARCH64_VALIDATE_LINK_REGISTER hint #31  // AUTIBSP
-#else
-#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0  // No Pointer Authentication
-#if GNU_PROPERTY_AARCH64_BTI != 0
-#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET
-#else
-#define AARCH64_SIGN_LINK_REGISTER
-#endif
-#define AARCH64_VALIDATE_LINK_REGISTER
-#endif
-
-#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0
-.pushsection .note.gnu.property, "a";
-.balign 8;
-.long 4;
-.long 0x10;
-.long 0x5;
-.asciz "GNU";
-.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
-.long 4;
-.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);
-.long 0;
-.popsection;
-#endif
-
 #endif  // __ASSEMBLER__
 
-#endif  // __ARMEL__ || _M_ARM || __AARCH64EL__ || _M_ARM64
+#endif  // ARM || AARCH64
 
 #endif  // OPENSSL_HEADER_ARM_ARCH_H