Merge pull request #7862 from ronald-cron-arm/improve-write-supported-group-ext
Improve write supported group ext
diff --git a/ChangeLog.d/aes-perf.txt b/ChangeLog.d/aes-perf.txt
index ca2ced9..ab716bc 100644
--- a/ChangeLog.d/aes-perf.txt
+++ b/ChangeLog.d/aes-perf.txt
@@ -1,4 +1,7 @@
Features
- * AES performance improvements on 64-bit architectures. Uplift
- varies by platform, toolchain, optimisation flags and mode,
- in the 0 - 84% range. Aarch64, gcc and GCM/XTS benefit the most.
+ * AES performance improvements. Uplift varies by platform,
+   toolchain, optimisation flags and mode; Aarch64, gcc -Os, and the
+   CCM, GCM and XTS modes benefit the most.
+   On Aarch64, uplift is typically in the 20 - 110% range.
+   When compiling with gcc -Os on Aarch64, AES-XTS is around
+   4.5x faster.
diff --git a/library/aes.c b/library/aes.c
index a7bc8d5..4397dea 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1077,23 +1077,6 @@
#if defined(MBEDTLS_CIPHER_MODE_CBC)
-#if defined(__ARM_NEON) && defined(__aarch64__)
-/* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
- * the result for the next block in CBC, and the cost of transferring that data from
- * NEON registers, it is faster to use the following on aarch64.
- * For 32-bit arm, NEON should be faster. */
-#define CBC_XOR_16(r, a, b) do { \
- mbedtls_put_unaligned_uint64(r, \
- mbedtls_get_unaligned_uint64(a) ^ \
- mbedtls_get_unaligned_uint64(b)); \
- mbedtls_put_unaligned_uint64(r + 8, \
- mbedtls_get_unaligned_uint64(a + 8) ^ \
- mbedtls_get_unaligned_uint64(b + 8)); \
-} while (0)
-#else
-#define CBC_XOR_16(r, a, b) mbedtls_xor(r, a, b, 16)
-#endif
-
/*
* AES-CBC buffer encryption/decryption
*/
@@ -1136,7 +1119,10 @@
if (ret != 0) {
goto exit;
}
- CBC_XOR_16(output, output, iv);
+ /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
+ * the result for the next block in CBC, and the cost of transferring that data from
+ * NEON registers, NEON is slower on aarch64. */
+ mbedtls_xor_no_simd(output, output, iv, 16);
memcpy(iv, temp, 16);
@@ -1146,7 +1132,7 @@
}
} else {
while (length > 0) {
- CBC_XOR_16(output, input, ivp);
+ mbedtls_xor_no_simd(output, input, ivp, 16);
ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
if (ret != 0) {
@@ -1179,8 +1165,11 @@
* for machine endianness and hence works correctly on both big and little
* endian machines.
*/
-static void mbedtls_gf128mul_x_ble(unsigned char r[16],
- const unsigned char x[16])
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
+ const unsigned char x[16])
{
uint64_t a, b, ra, rb;
@@ -1196,7 +1185,13 @@
/*
* AES-XTS buffer encryption/decryption
+ *
+ * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
+ * gives roughly a 3x performance improvement under gcc -Os when hardware AES
+ * support is available.
*/
+#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
int mode,
size_t length,
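
For context, mbedtls_gf128mul_x_ble() is the per-block tweak update of XTS mode: a doubling in GF(2^128) using the little-endian block convention, which is why it sits on the hot path that MBEDTLS_OPTIMIZE_FOR_PERFORMANCE targets above. The following is a minimal standalone sketch of that doubling, assuming a little-endian host for brevity and using the invented name gf128_double_ble; the in-tree function uses the library's unaligned-access helpers instead.

```c
#include <stdint.h>
#include <string.h>

/* Sketch only: double a 16-byte value in GF(2^128), little-endian block
 * convention, reducing by the XTS polynomial x^128 + x^7 + x^2 + x + 1. */
static void gf128_double_ble(unsigned char r[16], const unsigned char x[16])
{
    uint64_t lo, hi;
    memcpy(&lo, x, 8);        /* assumes a little-endian host for brevity */
    memcpy(&hi, x + 8, 8);

    uint64_t carry = hi >> 63;            /* bit shifted out of the top */
    hi = (hi << 1) | (lo >> 63);
    lo = (lo << 1) ^ (carry ? 0x87 : 0);  /* fold the carry back in */

    memcpy(r, &lo, 8);
    memcpy(r + 8, &hi, 8);
}
```
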
diff --git a/library/aesce.c b/library/aesce.c
index 4db8d2a..f37a11b 100644
--- a/library/aesce.c
+++ b/library/aesce.c
@@ -72,7 +72,7 @@
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(__GNUC__)
# pragma GCC push_options
-# pragma GCC target ("arch=armv8-a+crypto")
+# pragma GCC target ("+crypto")
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(_MSC_VER)
# error "Required feature(__ARM_FEATURE_AES) is not enabled."
@@ -101,59 +101,105 @@
#endif
}
+/* Single round of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND \
+ block = vaeseq_u8(block, vld1q_u8(keys)); \
+ block = vaesmcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE encryption */
+#define AESCE_ENCRYPT_ROUND_X2 AESCE_ENCRYPT_ROUND; AESCE_ENCRYPT_ROUND
+
+MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
static uint8x16_t aesce_encrypt_block(uint8x16_t block,
unsigned char *keys,
int rounds)
{
- for (int i = 0; i < rounds - 1; i++) {
- /* AES AddRoundKey, SubBytes, ShiftRows (in this order).
- * AddRoundKey adds the round key for the previous round. */
- block = vaeseq_u8(block, vld1q_u8(keys + i * 16));
- /* AES mix columns */
- block = vaesmcq_u8(block);
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
}
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_12:
+ AESCE_ENCRYPT_ROUND_X2;
+rounds_10:
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND_X2;
+ AESCE_ENCRYPT_ROUND;
/* AES AddRoundKey for the previous round.
* SubBytes, ShiftRows for the final round. */
- block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16));
+ block = vaeseq_u8(block, vld1q_u8(keys));
+ keys += 16;
/* Final round: no MixColumns */
/* Final AddRoundKey */
- block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
+ block = veorq_u8(block, vld1q_u8(keys));
return block;
}
+/* Single round of AESCE decryption
+ *
+ * AES AddRoundKey, SubBytes, ShiftRows
+ *
+ * block = vaesdq_u8(block, vld1q_u8(keys));
+ *
+ * AES inverse MixColumns for the next round.
+ *
+ * This means that we switch the order of the inverse AddRoundKey and
+ * inverse MixColumns operations. We have to do this as AddRoundKey is
+ * done in an atomic instruction together with the inverses of SubBytes
+ * and ShiftRows.
+ *
+ * It works because MixColumns is a linear operation over GF(2^8) and
+ * AddRoundKey is an exclusive or, which is equivalent to addition over
+ * GF(2^8). (The inverse of MixColumns needs to be applied to the
+ * affected round keys separately which has been done when the
+ * decryption round keys were calculated.)
+ *
+ * block = vaesimcq_u8(block);
+ */
+#define AESCE_DECRYPT_ROUND \
+ block = vaesdq_u8(block, vld1q_u8(keys)); \
+ block = vaesimcq_u8(block); \
+ keys += 16
+/* Two rounds of AESCE decryption */
+#define AESCE_DECRYPT_ROUND_X2 AESCE_DECRYPT_ROUND; AESCE_DECRYPT_ROUND
+
static uint8x16_t aesce_decrypt_block(uint8x16_t block,
unsigned char *keys,
int rounds)
{
-
- for (int i = 0; i < rounds - 1; i++) {
- /* AES AddRoundKey, SubBytes, ShiftRows */
- block = vaesdq_u8(block, vld1q_u8(keys + i * 16));
- /* AES inverse MixColumns for the next round.
- *
- * This means that we switch the order of the inverse AddRoundKey and
- * inverse MixColumns operations. We have to do this as AddRoundKey is
- * done in an atomic instruction together with the inverses of SubBytes
- * and ShiftRows.
- *
- * It works because MixColumns is a linear operation over GF(2^8) and
- * AddRoundKey is an exclusive or, which is equivalent to addition over
- * GF(2^8). (The inverse of MixColumns needs to be applied to the
- * affected round keys separately which has been done when the
- * decryption round keys were calculated.) */
- block = vaesimcq_u8(block);
+ /* 10, 12 or 14 rounds. Unroll loop. */
+ if (rounds == 10) {
+ goto rounds_10;
}
+ if (rounds == 12) {
+ goto rounds_12;
+ }
+ AESCE_DECRYPT_ROUND_X2;
+rounds_12:
+ AESCE_DECRYPT_ROUND_X2;
+rounds_10:
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND_X2;
+ AESCE_DECRYPT_ROUND;
/* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
* last full round. */
- block = vaesdq_u8(block, vld1q_u8(keys + (rounds - 1) * 16));
+ block = vaesdq_u8(block, vld1q_u8(keys));
+ keys += 16;
/* Inverse AddRoundKey for inverting the initial round key addition. */
- block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
+ block = veorq_u8(block, vld1q_u8(keys));
return block;
}
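
The goto-based dispatch above relies on AES always using 10, 12 or 14 rounds (for 128-, 192- and 256-bit keys): a 14-round schedule enters at the top, a 12-round schedule two double-rounds later, and a 10-round schedule two later still, so the nine common full rounds and the final short round are shared with no per-iteration loop overhead. Below is a hypothetical scalar analogue of the same fall-through pattern; it is not real AES, and all names are invented for illustration.

```c
#include <stdint.h>

#define MIX_ROUND(x)     ((x) = ((x) ^ 0x9e3779b9u) * 31u)
#define MIX_ROUND_X2(x)  do { MIX_ROUND(x); MIX_ROUND(x); } while (0)

static uint32_t unrolled_rounds(uint32_t x, int rounds)
{
    /* rounds is assumed to be 10, 12 or 14, as the AESCE code requires. */
    if (rounds == 10) {
        goto rounds_10;
    }
    if (rounds == 12) {
        goto rounds_12;
    }
    MIX_ROUND_X2(x);          /* two extra rounds only when rounds == 14 */
rounds_12:
    MIX_ROUND_X2(x);          /* two extra rounds when rounds >= 12 */
rounds_10:
    MIX_ROUND_X2(x);
    MIX_ROUND_X2(x);
    MIX_ROUND_X2(x);
    MIX_ROUND_X2(x);
    MIX_ROUND(x);             /* nine full rounds in the common tail */
    return x ^ 0xdeadbeefu;   /* stand-in for the final (short) round */
}
```
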
diff --git a/library/aesce.h b/library/aesce.h
index 7048d77..b12bf76 100644
--- a/library/aesce.h
+++ b/library/aesce.h
@@ -52,6 +52,9 @@
/**
* \brief Internal AES-ECB block encryption and decryption
*
+ * \warning This assumes that the context specifies either 10, 12 or 14
+ * rounds and will behave incorrectly if this is not the case.
+ *
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
* \param input 16-byte input block
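
The 10/12/14 restriction in the new warning is simply the standard AES round count for the three key sizes (Nr = Nk + 6). A trivial sketch of that mapping, with a hypothetical helper name:

```c
/* Sketch of the AES round-count mapping the warning above relies on. */
static int aes_rounds_from_keybits(unsigned int keybits)
{
    switch (keybits) {
        case 128: return 10;
        case 192: return 12;
        case 256: return 14;
        default:  return -1;  /* anything else is outside the AESCE contract */
    }
}
```
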
diff --git a/library/bn_mul.h b/library/bn_mul.h
index 43dd5c2..ab1a66a 100644
--- a/library/bn_mul.h
+++ b/library/bn_mul.h
@@ -673,14 +673,10 @@
#if defined(__arm__)
#if defined(__thumb__) && !defined(__thumb2__)
-#if !defined(__ARMCC_VERSION) && !defined(__clang__) \
- && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
/*
* Thumb 1 ISA. This code path has only been tested successfully on gcc;
* it does not compile on clang or armclang.
- *
- * Other compilers which define __GNUC__ may not work. The above macro
- * attempts to exclude these untested compilers.
*/
#if !defined(__OPTIMIZE__) && defined(__GNUC__)
diff --git a/library/cmac.c b/library/cmac.c
index 48f51df..2f19d11 100644
--- a/library/cmac.c
+++ b/library/cmac.c
@@ -237,7 +237,7 @@
input,
block_size - cmac_ctx->unprocessed_len);
- mbedtls_xor(state, cmac_ctx->unprocessed_block, state, block_size);
+ mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
&olen)) != 0) {
@@ -255,7 +255,7 @@
/* Iterate across the input data in block sized chunks, excluding any
* final partial or complete block */
for (j = 1; j < n; j++) {
- mbedtls_xor(state, input, state, block_size);
+ mbedtls_xor_no_simd(state, input, state, block_size);
if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
&olen)) != 0) {
diff --git a/library/common.h b/library/common.h
index 97846c4..839b7d1 100644
--- a/library/common.h
+++ b/library/common.h
@@ -192,6 +192,45 @@
}
}
+/**
+ * Perform a fast block XOR operation, such that
+ * r[i] = a[i] ^ b[i] where 0 <= i < n
+ *
+ * In some situations, this can perform better than mbedtls_xor (e.g., it's about 5%
+ * better in AES-CBC).
+ *
+ * \param r Pointer to result (buffer of at least \p n bytes). \p r
+ * may be equal to either \p a or \p b, but behaviour when
+ * it overlaps in other ways is undefined.
+ * \param a Pointer to input (buffer of at least \p n bytes)
+ * \param b Pointer to input (buffer of at least \p n bytes)
+ * \param n Number of bytes to process.
+ */
+static inline void mbedtls_xor_no_simd(unsigned char *r,
+ const unsigned char *a,
+ const unsigned char *b,
+ size_t n)
+{
+ size_t i = 0;
+#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
+#if defined(__amd64__) || defined(__x86_64__) || defined(__aarch64__)
+ /* This codepath probably only makes sense on architectures with 64-bit registers */
+ for (; (i + 8) <= n; i += 8) {
+ uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
+ mbedtls_put_unaligned_uint64(r + i, x);
+ }
+#else
+ for (; (i + 4) <= n; i += 4) {
+ uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
+ mbedtls_put_unaligned_uint32(r + i, x);
+ }
+#endif
+#endif
+ for (; i < n; i++) {
+ r[i] = a[i] ^ b[i];
+ }
+}
+
/* Fix MSVC C99 compatible issue
* MSVC support __func__ from visual studio 2015( 1900 )
* Use MSVC predefine macro to avoid name check fail.
@@ -261,4 +300,20 @@
#define MBEDTLS_UNLIKELY(x) x
#endif
+#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
+ && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+/* Defined if the compiler really is gcc and not clang, etc */
+#define MBEDTLS_COMPILER_IS_GCC
+#endif
+
+/* For gcc -Os, override with -O2 for a given function.
+ *
+ * This will not affect behaviour for other optimisation settings, e.g. -O0.
+ */
+#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
+#else
+#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
+#endif
+
#endif /* MBEDTLS_LIBRARY_COMMON_H */
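
A hypothetical usage sketch tying the two new pieces of common.h together: a translation unit built with gcc -Os can opt a hot function back into -O2 via MBEDTLS_OPTIMIZE_FOR_PERFORMANCE, and use mbedtls_xor_no_simd() where a short, serially dependent XOR (as in CBC-style chaining) would otherwise pay for a round trip through SIMD registers. The function below is invented for illustration; only the macro and the helper come from this patch.

```c
#include <stddef.h>
#include <string.h>
#include "common.h"   /* mbedtls_xor_no_simd, MBEDTLS_OPTIMIZE_FOR_PERFORMANCE */

MBEDTLS_OPTIMIZE_FOR_PERFORMANCE            /* -O2 override only under gcc -Os */
static void chain_xor_blocks(unsigned char *out, const unsigned char *in,
                             unsigned char iv[16], size_t n_blocks)
{
    for (size_t i = 0; i < n_blocks; i++) {
        /* Each block depends on the previous result, so the scalar XOR wins. */
        mbedtls_xor_no_simd(out + 16 * i, in + 16 * i, iv, 16);
        /* ...a block cipher call would sit here in real code... */
        memcpy(iv, out + 16 * i, 16);
    }
}
```
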
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5e78215..8d90075 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6609,64 +6609,89 @@
return 0;
}
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
+ const psa_hash_operation_t *hs_op,
+ size_t buffer_size,
+ unsigned char *hash,
+ size_t *hlen)
+{
+ psa_status_t status;
+ psa_hash_operation_t cloned_op = psa_hash_operation_init();
+
+#if !defined(MBEDTLS_DEBUG_C)
+ (void) ssl;
+#endif
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
+ status = psa_hash_clone(hs_op, &cloned_op);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+
+exit:
+ psa_hash_abort(&cloned_op);
+ return mbedtls_md_error_from_psa(status);
+}
+#else
+static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
+ const mbedtls_md_context_t *hs_ctx,
+ unsigned char *hash,
+ size_t *hlen)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_md_context_t cloned_ctx;
+
+ mbedtls_md_init(&cloned_ctx);
+
+#if !defined(MBEDTLS_DEBUG_C)
+ (void) ssl;
+#endif
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
+
+ ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
+ if (ret != 0) {
+ goto exit;
+ }
+ ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ ret = mbedtls_md_finish(&cloned_ctx, hash);
+ if (ret != 0) {
+ goto exit;
+ }
+
+ *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
+
+ MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+
+exit:
+ mbedtls_md_free(&cloned_ctx);
+ return ret;
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
#if defined(MBEDTLS_MD_CAN_SHA256)
int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
unsigned char *hash,
size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_status_t status;
- psa_hash_operation_t sha256_psa = psa_hash_operation_init();
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
- status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *hlen = 32;
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
-
-exit:
- psa_hash_abort(&sha256_psa);
- return mbedtls_md_error_from_psa(status);
+ return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
+ hash, hlen);
#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha256;
-
- mbedtls_md_init(&sha256);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
-
- ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_finish(&sha256, hash);
- if (ret != 0) {
- goto exit;
- }
-
- *hlen = 32;
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
-
-exit:
- mbedtls_md_free(&sha256);
- return ret;
+ return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
+ hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_MD_CAN_SHA256 */
@@ -6677,58 +6702,11 @@
size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_status_t status;
- psa_hash_operation_t sha384_psa = psa_hash_operation_init();
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
- status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- *hlen = 48;
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
-
-exit:
- psa_hash_abort(&sha384_psa);
- return mbedtls_md_error_from_psa(status);
+ return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
+ hash, hlen);
#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha384;
-
- mbedtls_md_init(&sha384);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
-
- ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
- if (ret != 0) {
- goto exit;
- }
-
- ret = mbedtls_md_finish(&sha384, hash);
- if (ret != 0) {
- goto exit;
- }
-
- *hlen = 48;
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
-
-exit:
- mbedtls_md_free(&sha384);
- return ret;
+ return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
+ hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_MD_CAN_SHA384 */
@@ -7670,20 +7648,22 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static int ssl_calc_finished_tls_sha256(
- mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
+ unsigned char *padbuf, size_t hlen,
+ unsigned char *buf, int from)
{
int len = 12;
const char *sender;
- unsigned char padbuf[32];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
+ psa_hash_operation_t *hs_op = ctx;
+ psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
+ size_t hash_size;
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha256;
+ mbedtls_md_context_t *hs_ctx = ctx;
+ mbedtls_md_context_t cloned_ctx;
+ mbedtls_md_init(&cloned_ctx);
#endif
mbedtls_ssl_session *session = ssl->session_negotiate;
@@ -7696,67 +7676,76 @@
: "server finished";
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- sha256_psa = psa_hash_operation_init();
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256"));
-
- status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
+ status = psa_hash_clone(hs_op, &cloned_op);
if (status != PSA_SUCCESS) {
goto exit;
}
- status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
+ status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
+ MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
#else
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
- mbedtls_md_init(&sha256);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256"));
-
- ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+ ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
if (ret != 0) {
goto exit;
}
- ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+ ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
if (ret != 0) {
goto exit;
}
+ ret = mbedtls_md_finish(&cloned_ctx, padbuf);
+ if (ret != 0) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
+
/*
* TLSv1.2:
* hash = PRF( master, finished_label,
* Hash( handshake ) )[0.11]
*/
-
- ret = mbedtls_md_finish(&sha256, padbuf);
- if (ret != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 output", padbuf, 32);
-
ssl->handshake->tls_prf(session->master, 48, sender,
- padbuf, 32, buf, len);
+ padbuf, hlen, buf, len);
MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&sha256_psa);
+ psa_hash_abort(&cloned_op);
return mbedtls_md_error_from_psa(status);
#else
- mbedtls_md_free(&sha256);
+ mbedtls_md_free(&cloned_ctx);
return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static int ssl_calc_finished_tls_sha256(
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+{
+ unsigned char padbuf[32];
+ return ssl_calc_finished_tls_generic(ssl,
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ &ssl->handshake->fin_sha256_psa,
+#else
+ &ssl->handshake->fin_sha256,
+#endif
+ padbuf, sizeof(padbuf),
+ buf, from);
+}
#endif /* MBEDTLS_MD_CAN_SHA256*/
@@ -7764,87 +7753,15 @@
static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
- int len = 12;
- const char *sender;
unsigned char padbuf[48];
+ return ssl_calc_finished_tls_generic(ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
- psa_status_t status;
+ &ssl->handshake->fin_sha384_psa,
#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha384;
+ &ssl->handshake->fin_sha384,
#endif
-
- mbedtls_ssl_session *session = ssl->session_negotiate;
- if (!session) {
- session = ssl->session;
- }
-
- sender = (from == MBEDTLS_SSL_IS_CLIENT)
- ? "client finished"
- : "server finished";
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- sha384_psa = psa_hash_operation_init();
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384"));
-
- status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
-#else
- mbedtls_md_init(&sha384);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384"));
-
- ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
- if (ret != 0) {
- goto exit;
- }
-
- /*
- * TLSv1.2:
- * hash = PRF( master, finished_label,
- * Hash( handshake ) )[0.11]
- */
-
- ret = mbedtls_md_finish(&sha384, padbuf);
- if (ret != 0) {
- goto exit;
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 output", padbuf, 48);
-
- ssl->handshake->tls_prf(session->master, 48, sender,
- padbuf, 48, buf, len);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
-
- mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
-
-exit:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&sha384_psa);
- return mbedtls_md_error_from_psa(status);
-#else
- mbedtls_md_free(&sha384);
- return ret;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ padbuf, sizeof(padbuf),
+ buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHA384*/
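
The net effect of this refactor is that each per-hash wrapper shrinks to a few lines around ssl_calc_verify_tls_psa()/ssl_calc_verify_tls_legacy() and ssl_calc_finished_tls_generic(). As a sketch of what supporting a further digest would now look like, everything named "shaxxx" below is hypothetical, including the handshake fields and the config option:

```c
#if defined(MBEDTLS_MD_CAN_SHAXXX) /* hypothetical option */
static int ssl_calc_finished_tls_shaxxx(
    mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
    unsigned char padbuf[64]; /* digest size of the hypothetical hash */
    return ssl_calc_finished_tls_generic(ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
                                         &ssl->handshake->fin_shaxxx_psa,
#else
                                         &ssl->handshake->fin_shaxxx,
#endif
                                         padbuf, sizeof(padbuf),
                                         buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHAXXX */
```
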
diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py
index 3bd3e4c..0ed2899 100755
--- a/scripts/code_size_compare.py
+++ b/scripts/code_size_compare.py
@@ -91,6 +91,7 @@
"""
arch: architecture to measure code size on.
config: configuration type to measure code size with.
+ sys_arch: host architecture.
make_command: command to build library (Inferred from arch and config).
"""
self.arch = arch
@@ -273,6 +274,7 @@
self.old_rev = old_revision
self.new_rev = new_revision
self.git_command = "git"
+ self.make_clean = 'make clean'
self.make_command = code_size_info.make_command
self.fname_suffix = "-" + code_size_info.arch + "-" +\
code_size_info.config
@@ -307,6 +309,10 @@
my_environment = os.environ.copy()
try:
subprocess.check_output(
+ self.make_clean, env=my_environment, shell=True,
+ cwd=git_worktree_path, stderr=subprocess.STDOUT,
+ )
+ subprocess.check_output(
self.make_command, env=my_environment, shell=True,
cwd=git_worktree_path, stderr=subprocess.STDOUT,
)