Hi folks, I've started playing with the ChaCha20 assembly that was recently checked in and found a few problems. Most of these do not affect OpenSSL as you only ever call ChaCha20_ctr32 on a whole number of blocks. But this isn't documented as a constraint in internal/chacha.h and the assembly has code for partial blocks, so it seems it was supposed to work. (If not, I'd recommend removing the codepaths and documenting the constraint.)

1. In chacha-x86_64.pl, .Ltail:

   https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86_64.pl;h=41dbef51b26db07a78d8939c728a8da5c703d806;hb=HEAD#l345

   the xor %rbx,%rbx line clobbers @x[1] right before it is read. (@x[1] is %rbx.) It should be moved one line down or a different register used.

2. In chacha-x86_64.pl, .Loop_tail_ssse3:

   https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86_64.pl;h=41dbef51b26db07a78d8939c728a8da5c703d806;hb=HEAD#l522

   The length decrement loop is wrong and instead counts up from 0 to 2^64. It also clobbers $len because $len is %rdx. This seems to work instead:

       .Loop_tail_ssse3:
           movzb   ($inp,%rbx),%eax
           movzb   (%rsp,%rbx),%ecx
           lea     1(%rbx),%rbx
           xor     %ecx,%eax
           mov     %al,-1($out,%rbx)
           dec     $len
           jnz     .Loop_tail_ssse3

3. In chacha-x86.pl, loop:

   https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/chacha/asm/chacha-x86.pl;h=60d604882f76c227798895da6fafd798834f467a;hb=HEAD#l207

   The line:

       &mov ($b,&wparam(3)); # load len

   should say:

       &mov ($b,&wparam(2)); # load len

   wparam(3) is the pointer to the key. This works in OpenSSL's calls because pointers are typically larger than 64, and that's sufficient for the codepaths you exercise.

4. The assembly versions crash if you pass in an empty input/output. The generic C code handles this fine. (I'll defer to you whether this is a bug or a caller obligation to be documented.)

I have not tested the AVX2 or XOP code yet. I'll let you know if I find problems.

David

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4305
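
A length-sweep check for the partial-block and empty-input paths discussed in this mail, as an added example (not part of the original message and not OpenSSL code): it compares an implementation under test with a portable C model at every length from 0 to 256, with canary bytes behind the output. `ref_ctr32`, `no_tail` and `first_bad_length` are hypothetical names, the (out, inp, len, key, counter) order is an assumption that follows the parameter positions the mail mentions, the key and counter are the RFC 7539 section 2.3.2 test values, and the input bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, \
    b = ROTL(b, 12), a += b, d ^= a, d = ROTL(d, 8), c += d, b ^= c, b = ROTL(b, 7))
typedef void chacha_fn(uint8_t *out, const uint8_t *inp, size_t len,
                       const uint32_t key[8], const uint32_t counter[4]);
/* Portable model (hypothetical name); argument order is an assumption. */
void ref_ctr32(uint8_t *out, const uint8_t *inp, size_t len,
               const uint32_t key[8], const uint32_t counter[4])
{
    uint32_t in[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }, x[16];
    uint8_t ks[64];
    memcpy(in + 4, key, 32); memcpy(in + 12, counter, 16);
    while (len > 0) {                      /* len == 0 touches no memory */
        memcpy(x, in, sizeof x);
        for (int r = 0; r < 10; r++) {     /* 10 double rounds */
            QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
            QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
            QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
            QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
        }
        for (int i = 0; i < 64; i++)       /* little-endian keystream bytes */
            ks[i] = (uint8_t)((x[i / 4] + in[i / 4]) >> (8 * (i % 4)));
        size_t n = len < 64 ? len : 64;    /* partial final block */
        for (size_t i = 0; i < n; i++) out[i] = inp[i] ^ ks[i];
        out += n; inp += n; len -= n; in[12]++;   /* next block, 32-bit counter */
    }
}

/* Constructed faulty model: drops the partial final block. */
void no_tail(uint8_t *o, const uint8_t *i, size_t n, const uint32_t *k, const uint32_t *c)
{ ref_ctr32(o, i, n - n % 64, k, c); }

/* First length in 0..256 where impl differs from the model or writes past len; -1 if none. */
int first_bad_length(chacha_fn *impl)
{
    uint32_t key[8], ctr[4] = { 1, 0x09000000, 0x4a000000, 0 };
    uint8_t in[320], got[320], want[320];
    for (int i = 0; i < 8; i++) key[i] = 0x03020100u + 0x04040404u * (uint32_t)i;
    for (int i = 0; i < 320; i++) in[i] = (uint8_t)i;   /* constructed input */
    for (int len = 0; len <= 256; len++) {
        memset(got, 0xA5, sizeof got); memset(want, 0xA5, sizeof want);
        ref_ctr32(want, in, (size_t)len, key, ctr);
        impl(got, in, (size_t)len, key, ctr);
        if (memcmp(got, want, sizeof got) != 0) return len;
    }
    return -1;
}
```

To check a real build, pass the assembly-backed function to `first_bad_length` in place of `no_tail`; a crash on the first iteration corresponds to the empty-input case in item 4.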