commit | 5b32e81407cd044e76c995eb99343dca954a17b8 | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Tue May 02 19:17:24 2023 -0400 |
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri May 05 04:00:51 2023 +0000 |
tree | 09a529f8b7308b48e3f5998cdc3ce5517108e5a2 | |
parent | 5e988c40553f6afe38971d4a32f5c4b7b48ac972 [diff] |
Remove unions in GCM implementation This was a bit of a mess. There are three assembly functions to juggle here. Their current type signatures are: void gcm_init_v8(u128 Htable[16], const uint64_t H[2]); void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]); void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp, size_t len); Except for gcm_nohw.c, this is all assembly, so they don't follow the C abstract machine's theory of typed memory. That means types are mostly arbitrary and we have room to rearrange them. They do carry an implicit alignment requirement, but none of these assembly files care about this[*]. Values passed to gcm_gmult and gcm_ghash get XORed byte-by-byte in places, which is inconvenient to do as uint64_t. They also get passed to AES functions, which want bytes. Thus I think uint8_t[16] is the most natural and convenient type to use. H in gcm_init is interesting. gcm_init already doesn't take a GHASH key in the natural byte representation. The two 8-byte halves are byte-swapped, but the halves are not swapped, so it's not quite a byte reversal. I opted to leave that as uint64_t[2], mostly to capture that something odd is happening here. [*] We only have GHASH assembly for x86, x86_64, armv7, and aarch64. We used to have armv4 GHASH assembly, but that's been removed from gcm_nohw.c. Thus we can assume none of these files care about alignment for plain scalar loads. Alignment does matter for vmovdqa vs vmovdqu, but that requires 16-byte alignment and uint64_t only implies 4- or 8-byte alignment on these architectures. Bug: 574 Change-Id: If7dba9b41ff62204f4cf8fcd54eb4a4c54214c6e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59528 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
There are other files in this directory which might be helpful: