Remove ia32cap overrides alternate #16693
The removed override was: OPENSSL_ia32cap=~0x200000200000000 which disables AESNI codepaths and PCLMULQDQ (useful for ghash). It is unclear why this was done, but it probably just hides bugs. [extended tests]
This replaces the AES-128-CBC-HMAC-SHA1 cipher with a non-encrypting version for use in the test suite. [extended tests]
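To check the commit message's claim about which CPU features the removed override turns off, here is an added Python helper (not OpenSSL's own code) that decodes the first word of an OPENSSL_ia32cap value as OPENSSL_ia32cap(3) describes it: a plain value replaces the detected capability vector, a `~` prefix clears the given bits. The bit-to-feature table is assumed from the CPUID leaf 1 layout (EDX in the low 32 bits, ECX in the high 32 bits) and covers only a handful of well-known bits.

```python
# CPUID leaf 1 feature bits in the layout OpenSSL uses for the first
# OPENSSL_ia32cap word: bits 0-31 are EDX, bits 32-63 are ECX (ECX bit n -> 32+n).
# Assumed table, limited to well-known bits; extend as needed.
LEAF1_BITS = {
    23: "MMX", 25: "SSE", 26: "SSE2", 28: "HTT",                     # EDX
    32: "SSE3", 33: "PCLMULQDQ", 41: "SSSE3", 44: "FMA",             # ECX
    51: "SSE4.1", 52: "SSE4.2", 54: "MOVBE", 55: "POPCNT",
    57: "AESNI", 59: "OSXSAVE", 60: "AVX", 61: "F16C", 62: "RDRAND",
}

ALL64 = 0xFFFFFFFFFFFFFFFF


def parse_ia32cap(value):
    """Parse the first word of an OPENSSL_ia32cap value (a second word after
    ':' covers extended leaves and is ignored here).
    Returns (mode, mask): mode is "clear" for a '~' prefix (mask = bits to
    clear) or "set" for a plain value (mask = the whole capability vector)."""
    word = value.strip().split(":", 1)[0]
    mode = "set"
    if word.startswith("~"):
        mode = "clear"
        word = word[1:]
    # int(..., 0) accepts 0x hex, 0o octal and plain decimal like OpenSSL does
    return mode, int(word, 0) & ALL64


def disabled_features(value, detected=ALL64):
    """Names from LEAF1_BITS that are off after applying `value` to a
    detected capability vector (default: every known feature detected)."""
    mode, mask = parse_ia32cap(value)
    effective = (detected & ~mask) if mode == "clear" else mask
    return sorted(name for bit, name in LEAF1_BITS.items()
                  if not (effective >> bit) & 1)


if __name__ == "__main__":
    # The override removed by this PR: clears bits 57 (AESNI) and 33 (PCLMULQDQ)
    print(disabled_features("~0x200000200000000"))
    # OPENSSL_ia32cap=0 replaces the vector with zero, i.e. disables everything
    print(disabled_features("0"))
```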
interesting fact: But it is completely strange that it does even pass if I do this:
This should be completely impossible, since this makes the cipher FAIL in every case!
Hmm, this looks like a deep crack in your new design.... Lines 37 to 40 in 398ae82
here if nid == NID_aes_128_cbc_hmac_sha1 ENGINE_get_cipher_engine finds a non-zero engine, but EVP_get_cipherbynid(nid) returns NULL, but ENGINE_get_cipher(eng, nid) would return the cipher from the ossltest engine.
... and after this fails, the last chance to find the cipher is here: Lines 5885 to 5895 in 398ae82
but EVP_CIPHER_fetch will not find anything since the provider does not have the cipher since it is disabled by OPENSSL_ia32cap=0, so the ssl uses the default implementation using separate AES-128-CBC and HMAC-SHA1.
60dd28a to 68dfccc
@@ -138,8 +138,6 @@ int tls1_cbc_remove_padding_and_mac(size_t *reclen, | |||
if (aead) { | |||
/* padding is already verified and we don't need to check the MAC */ | |||
*reclen -= padding_length + 1 + mac_size; | |||
*mac = NULL; | |||
*alloced = 0; |
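Review bot: with `*mac = NULL;` and `*alloced = 0;` dropped from the aead branch while `*reclen -= padding_length + 1 + mac_size;` stays, the caller's `mac` and `alloced` outputs keep whatever value they held before the call on that path; unless every caller initialises them first, keep the two assignments or add a comment stating that the aead path leaves them untouched. The commit message should also mention the engine crash this change is meant to fix, as described in the discussion.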
No longer work in progress. This actually works now. I had to fix a bug in the ssl engine to make that happen; indeed any engine exporting the aes_128_cbc_hmac_sha1 cipher would have crashed here, but the only other engine "dasync" with that cipher is so broken in the RSA cipher that I can't make it up to this point.
In general this looks good to me but perhaps @mattcaswell should look at the libssl changes to verify.
engines/e_ossltest.c
int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
                                           const unsigned char *key,
                                           const unsigned char *iv, int enc);
int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
                                         unsigned char *out,
                                         const unsigned char *in, size_t inl);
Should these functions be static as well?
yeah, maybe when I'm already there, I should also do the same with AES-128-CBC and AES-128-GCM ciphers.
LGTM. I am not sure whether this should be merged to 3.0 branch as well.
This pull request is ready to merge
The removed override was: OPENSSL_ia32cap=~0x200000200000000 which disables AESNI codepaths and PCLMULQDQ (useful for ghash). It is unclear why this was done, but it probably just hides bugs. [extended tests] Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #16693)
This replaces the AES-128-CBC-HMAC-SHA1 cipher with a non-encrypting version for use in the test suite. [extended tests] Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #16693)
Yes, I would recommend that, because of the better test coverage of the legacy code path.
Merged to master so far...
I found a way to trigger the expected crash on the 3.0 branch, similar to #16724:
this no longer reproduces on master, after this PR was merged.
Looks like a separate problem, would you mind a separate issue for it?
Okay, #16795
Thanks! Could this be closed now?
yes, however, a back-port to 3.0 would be suggested.
Actually I only stumbled over #16724 because I knew this crash can happen, but it is really hard to avoid all the other bugs
I am OK with merging this to 3.0. Will you do that @bernd-edlinger ?
Merged to 3.0 branch as 14fd5a0. Thanks!
alternate implementation idea for #11933 (master: does not work)