Source release 17.1.0
@@ -248,6 +248,7 @@ Ldec_key_abort:
#endif
.align 5
_aes_hw_encrypt:
AARCH64_VALID_CALL_TARGET
ldr r3,[r2,#240]
vld1.32 {q0},[r2]!
vld1.8 {q2},[r0]
@@ -280,6 +281,7 @@ Loop_enc:
#endif
.align 5
_aes_hw_decrypt:
AARCH64_VALID_CALL_TARGET
ldr r3,[r2,#240]
vld1.32 {q0},[r2]!
vld1.8 {q2},[r0]
@@ -628,20 +630,34 @@ _aes_hw_ctr32_encrypt_blocks:
add r7,r3,#32
mov r6,r5
movlo r12,#0

@ ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are
@ affected by silicon errata #1742098 [0] and #1655431 [1],
@ respectively, where the second instruction of an aese/aesmc
@ instruction pair may execute twice if an interrupt is taken right
@ after the first instruction consumes an input register of which a
@ single 32-bit lane has been updated the last time it was modified.
@
@ This function uses a counter in one 32-bit lane. The vmov.32 lines
@ could write to q1 and q10 directly, but that trips these bugs.
@ We write to q6 and copy to the final register as a workaround.
@
@ [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
@ [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
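@
@ A minimal sketch of the hazard and of the workaround used below
@ (illustration only, not part of the routine). The unsafe pattern
@ has the aese of an aese/aesmc pair consume a register whose last
@ write touched only a single 32-bit lane:
@
@     vmov.32 d3[1],r10       @ one-lane update of q1 (d3 = q1 high half)
@     aese q1,q8              @ pair consumes q1 right after the update
@     aesmc q1,q1             @ this instruction may execute twice
@
@ Staging the lane write in the scratch register q6 (d12/d13) and
@ copying the whole register means the pair never sees a register
@ whose last write was partial:
@
@     vmov.32 d13[1],r10      @ one-lane update lands in q6 instead
@     vorr q1,q6,q6           @ full-register copy; q1's last write
@                             @ now touches all lanes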
#ifndef __ARMEB__
rev r8, r8
#endif
vorr q1,q0,q0
add r10, r8, #1
vorr q10,q0,q0
add r8, r8, #2
vorr q6,q0,q0
rev r10, r10
vmov.32 d3[1],r10
vmov.32 d13[1],r10
add r8, r8, #2
vorr q1,q6,q6
bls Lctr32_tail
rev r12, r8
vmov.32 d13[1],r12
sub r2,r2,#3 @ bias
vmov.32 d21[1],r12
vorr q10,q6,q6
b Loop3x_ctr32

.align 4
@@ -668,11 +684,11 @@ Loop3x_ctr32:
.byte 0x20,0x23,0xb0,0xf3 @ aese q1,q8
.byte 0x82,0xa3,0xb0,0xf3 @ aesmc q5,q1
vld1.8 {q2},[r0]!
vorr q0,q6,q6
add r9,r8,#1
.byte 0x20,0x43,0xf0,0xf3 @ aese q10,q8
.byte 0xa4,0x43,0xf0,0xf3 @ aesmc q10,q10
vld1.8 {q3},[r0]!
vorr q1,q6,q6
rev r9,r9
.byte 0x22,0x83,0xb0,0xf3 @ aese q4,q9
.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4
.byte 0x22,0xa3,0xb0,0xf3 @ aese q5,q9
@@ -681,8 +697,6 @@ Loop3x_ctr32:
mov r7,r3
.byte 0x22,0x43,0xf0,0xf3 @ aese q10,q9
.byte 0xa4,0x23,0xf0,0xf3 @ aesmc q9,q10
vorr q10,q6,q6
add r9,r8,#1
.byte 0x28,0x83,0xb0,0xf3 @ aese q4,q12
.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4
.byte 0x28,0xa3,0xb0,0xf3 @ aese q5,q12
@@ -697,21 +711,26 @@ Loop3x_ctr32:
.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4
.byte 0x2a,0xa3,0xb0,0xf3 @ aese q5,q13
.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5
@ Note the logic to update q0, q1, and q10 is written to work
@ around a bug in ARM Cortex-A57 and Cortex-A72 cores running in
@ 32-bit mode. See the comment above.
veor q11,q11,q7
rev r9,r9
vmov.32 d13[1], r9
.byte 0x2a,0x23,0xf0,0xf3 @ aese q9,q13
.byte 0xa2,0x23,0xf0,0xf3 @ aesmc q9,q9
vmov.32 d1[1], r9
vorr q0,q6,q6
rev r10,r10
.byte 0x2c,0x83,0xb0,0xf3 @ aese q4,q14
.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4
vmov.32 d13[1], r10
rev r12,r8
.byte 0x2c,0xa3,0xb0,0xf3 @ aese q5,q14
.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5
vmov.32 d3[1], r10
rev r12,r8
vorr q1,q6,q6
vmov.32 d13[1], r12
.byte 0x2c,0x23,0xf0,0xf3 @ aese q9,q14
.byte 0xa2,0x23,0xf0,0xf3 @ aesmc q9,q9
vmov.32 d21[1], r12
vorr q10,q6,q6
subs r2,r2,#3
.byte 0x2e,0x83,0xb0,0xf3 @ aese q4,q15
.byte 0x2e,0xa3,0xb0,0xf3 @ aese q5,q15

@@ -14,6 +14,7 @@
#endif
#include <openssl/arm_arch.h>

#if __ARM_MAX_ARCH__>=7
.text

.code 32
@@ -25,6 +26,7 @@
#endif
.align 4
_gcm_init_v8:
AARCH64_VALID_CALL_TARGET
vld1.64 {q9},[r1] @ load input H
vmov.i8 q11,#0xe1
vshl.i64 q11,q11,#57 @ 0xc2.0
@@ -67,8 +69,7 @@ _gcm_init_v8:
vext.8 q9,q14,q14,#8 @ Karatsuba pre-processing
veor q9,q9,q14
vext.8 q13,q8,q9,#8 @ pack Karatsuba pre-processed
vst1.64 {q13,q14},[r0] @ store Htable[1..2]

vst1.64 {q13,q14},[r0]! @ store Htable[1..2]
bx lr

.globl _gcm_gmult_v8
@@ -78,6 +79,7 @@ _gcm_init_v8:
#endif
.align 4
_gcm_gmult_v8:
AARCH64_VALID_CALL_TARGET
vld1.64 {q9},[r0] @ load Xi
vmov.i8 q11,#0xe1
vld1.64 {q12,q13},[r1] @ load twisted H, ...
@@ -122,6 +124,7 @@ _gcm_gmult_v8:
#endif
.align 4
_gcm_ghash_v8:
AARCH64_VALID_CALL_TARGET
vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ 32-bit ABI says so
vld1.64 {q0},[r0] @ load [rotated] Xi
@ "[rotated]" means that
|
||||
@@ -253,4 +256,5 @@ Ldone_v8:
.byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
.align 2
.align 2
#endif
#endif // !OPENSSL_NO_ASM