Run the RSA and signature tests in WebAssembly.
Implement Elem*Elem multiplication for platforms for which we have no assembly
language implementation of it. Refactor the code to accommodate this.
`elem_reduced` was infallible previously as it always ensured the prerequisites
for the reduction were met. Make this clear in the return type, as a side-effect
of the refactoring needed for implementing the multiplication.
This implementation is far from efficient. More work needs to be done to make it
faster.
Replace `GFp_bn_mul_add_word` with a clearer, simpler implementation.
The new `GFp_limbs_mul_add_limb` avoids explicit branches at the C code
level, unlike the code it replaces. (Obviously, even with the new
"branchless" code the compiler might be able to synthesize branches.)
Add the BoringSSL aes_nohw implementation with minimal changes needed to
build. Enable the AES-GCM AEAD tests for wasm32 targets gated on the "wasm_c"
feature.
Use the VPAES implementation from BoringSSL as of commit c556d87ddfe836294c8e04fc59d0c298951a4cc7,
with the 192-bit key handling and decryption removed.
Merge the VPAES and BSAES cases to VPAES_BSAES. Switch between the VPAES and BSAES implementation
on ARMv7 based on the amount of data being encrypted.
Clarify the dispatching logic in `ring::aead::aes`. In particular, avoid using `_` patterns
when matching on the result of `detect_implementation()`. Also rename Fallback to NOHW.
*ring* tries to work without type-punning `memcpy`, so the use of that
in `GFp_gcm_ghash_nohw` was replaced by the use of `u64_from_be_bytes`.
This will (I hope) also help with the eventual support for big-endian
targets. Here's the diff from BoringSSL in that function:
```diff
-void gcm_ghash_nohw(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
- size_t len) {
+void GFp_gcm_ghash_nohw(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+ size_t len) {
uint64_t swapped[2];
swapped[0] = CRYPTO_bswap8(Xi[1]);
swapped[1] = CRYPTO_bswap8(Xi[0]);
while (len >= 16) {
- uint64_t block[2];
- OPENSSL_memcpy(block, inp, 16);
- swapped[0] ^= CRYPTO_bswap8(block[1]);
- swapped[1] ^= CRYPTO_bswap8(block[0]);
+ swapped[0] ^= u64_from_be_bytes(&inp[8]);
+ swapped[1] ^= u64_from_be_bytes(inp);
gcm_polyval_nohw(swapped, &Htable[0]);
inp += 16;
len -= 16;
```
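Review bot: the dropped `OPENSSL_memcpy` into `block` was also what made the 16-byte load safe for an unaligned `inp`; the replacement keeps that property only if `u64_from_be_bytes` assembles the word from individual bytes rather than casting `inp` to a `uint64_t` pointer, so a short comment at the two new lines (or a pointer to its definition) would save the next reader a lookup. The word mapping itself is consistent: `block[1]` (bytes 8..15) fed `swapped[0]` and `&inp[8]` now does, and `block[0]` (bytes 0..7) maps to `inp`. Since `CRYPTO_bswap8` over a natively loaded word only yields the big-endian value on a little-endian host, the byte-wise loader is what makes the stated hope about big-endian targets hold.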
I also had to add a couple of (uint32_t) truncating casts where
BoringSSL expects an implicit truncation to occur, to avoid
`-Werror=conversion`.
During the merge, I found that `GFp_gcm_gmult_clmul` had its
`.cfi_startproc` on the wrong line. I fixed that as part of the merge.
During my review of the BoringSSL changes, I noticed that BoringSSL had
left some of the dead code in ghash-x86_64.pl, which had previously been
removed in *ring*. That removal is being done in BoringSSL in [1].
[1] https://boringssl-review.googlesource.com/c/boringssl/+/41144
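The memcpy-free load described above, as an added example that is not *ring*'s or BoringSSL's code: a byte-wise `u64_from_be_bytes` beside the memcpy+bswap form it replaced, and a check that the two agree exactly when the host is little-endian. The `bswap8` stand-in, the `ghash_xor_block_*` names and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Big-endian u64 load, byte by byte: alignment-safe, no type punning, host-independent. */
static uint64_t u64_from_be_bytes(const uint8_t *in) {
    uint64_t r = 0;
    for (size_t i = 0; i < 8; i++) r = (r << 8) | in[i];
    return r;
}

/* Stand-in for CRYPTO_bswap8 (hypothetical name): reverse the 8 bytes. */
static uint64_t bswap8(uint64_t x) {
    uint64_t r = 0;
    for (int i = 0; i < 8; i++, x >>= 8) r = (r << 8) | (x & 0xff);
    return r;
}

/* New form of the loop's XOR step: fold one 16-byte block into the two-word
 * state (the multiply by H that follows in the real loop is omitted). */
static void ghash_xor_block_new(uint64_t swapped[2], const uint8_t *inp) {
    swapped[0] ^= u64_from_be_bytes(&inp[8]);
    swapped[1] ^= u64_from_be_bytes(inp);
}

/* Replaced form: copy into native words, then byte-swap each word. */
static void ghash_xor_block_old(uint64_t swapped[2], const uint8_t *inp) {
    uint64_t block[2];
    memcpy(block, inp, 16);
    swapped[0] ^= bswap8(block[1]);
    swapped[1] ^= bswap8(block[0]);
}

/* Constructed sample: one pad byte, then 0x00..0x0f, so the block starts
 * at an odd address (unaligned for a uint64_t). */
static const uint8_t SAMPLE[17] = {0xaa, 0, 1, 2,  3,  4,  5,  6,  7,
                                   8,   9, 10, 11, 12, 13, 14, 15};

static int host_is_little_endian(void) {
    uint16_t one = 1; uint8_t first;
    memcpy(&first, &one, 1); return first == 1;
}

/* 1 iff old and new agree on SAMPLE; holds exactly on little-endian hosts. */
static int old_matches_new(void) {
    uint64_t a[2] = {0, 0}, b[2] = {0, 0};
    ghash_xor_block_new(a, &SAMPLE[1]);
    ghash_xor_block_old(b, &SAMPLE[1]);
    return a[0] == b[0] && a[1] == b[1];
}
```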
Previously, build.rs would print "cargo:..." to stdout if a variable
`$cargo` was set. This conflicted with Cargo's interpretation of
"cargo:..." to direct it to do things; see [1].
Instead, write to stderr to avoid the conflict. Also change the
formatting of the environment variable logging so that even if
stderr gets redirected to stdout, such conflicts won't occur.
[1] https://doc.rust-lang.org/cargo/reference/build-scripts.html#outputs-of-the-build-script
Some of the targets in Rust's `cross` toolchains have old libc headers
that don't have sys/auxv.h, and we want to do this in Rust anyway.
Unfortunately, in the process of doing so, I found out that
`libc::getauxval()` isn't available in enough places either, so we skip
dealing with *that* too.
Switch to Rust 2018 Edition. Fix up some build breakage for different
configurations that were found in the process of testing this,
particularly `--no-default-features`.
These functions are used mutually-exclusively and even compiled
mutually-exclusively.
This also removes a build warning on targets where aes.c is empty;
they were complaining that aes.o (rightly) doesn't define anything
for those targets.
This makes the code more like BoringSSL's; they had made a similar
change before.