diff --git a/libc/nexgen32e/mul6x6adx.S b/libc/nexgen32e/mul6x6adx.S
index 313658bec..bff0d2c36 100644
--- a/libc/nexgen32e/mul6x6adx.S
+++ b/libc/nexgen32e/mul6x6adx.S
@@ -20,12 +20,12 @@
 // Computes 768-bit product of 384-bit and 384-bit numbers.
 //
-// Instructions: 153
-// Total Cycles: 73
-// Total uOps: 261
-// uOps Per Cycle: 3.58
-// IPC: 2.10
-// Block RThroughput: 43.5
+// Instructions: 152
+// Total Cycles: 65
+// Total uOps: 260
+// uOps Per Cycle: 4.00
+// IPC: 2.34
+// Block RThroughput: 43.3
 //
 // @param rdi receives 8 quadword result
 // @param rsi is left hand side which must have 4 quadwords
@@ -171,18 +171,18 @@ Mul6x6Adx:
 	adox %r12,%rdx
 	mov -48(%rbp),%rsi
 	mov -56(%rbp),%rbx
-	mov %r15,24(%rdi)
 	mov -64(%rbp),%r14
-	mov %r13,80(%rdi)
+	mov %rsi,(%rdi)
 	mov %rbx,8(%rdi)
 	mov %r14,16(%rdi)
-	mov %rsi,(%rdi)
+	mov %r15,24(%rdi)
 	mov %r10,32(%rdi)
 	mov %r9,40(%rdi)
 	mov %rcx,48(%rdi)
 	mov %rax,56(%rdi)
 	mov %r8,64(%rdi)
 	mov %r11,72(%rdi)
+	mov %r13,80(%rdi)
 	mov %rdx,88(%rdi)
 	mov -8(%rbp),%r15
 	mov -16(%rbp),%r14
@@ -194,157 +194,157 @@ Mul6x6Adx: .endfn Mul6x6Adx,globl .end -SIMULATION 0123456789 0123456789 0123456789 012 -Index 0123456789 0123456789 0123456789 0123456789 -[0,0] DeER . . . . . . . . . . . . . . . movq %r15, -8(%rbp) -[0,1] D=eER. . . . . . . . . . . . . . . movq %r14, -16(%rbp) -[0,2] D==eER . . . . . . . . . . . . . . movq %r13, -24(%rbp) -[0,3] D===eER . . . . . . . . . . . . . . movq %r12, -32(%rbp) -[0,4] D====eER . . . . . . . . . . . . . . movq %rbx, -40(%rbp) -[0,5] DeE----R . . . . . . . . . . . . . . movq %rdx, %rbx -[0,6] .DeeeeeER . . . . . . . . . . . . . . movq (%rdx), %rdx -[0,7] .D=====eeeeeeeeeER . . . . . . . . . . . . mulxq (%rsi), %rcx, %rax -[0,8] . D=====eeeeeeeeeER . . . . . . . . . . . . mulxq 8(%rsi), %rdx, %r12 -[0,9] . D=======eE------R . . . . . . . . . . . . movq %rcx, -48(%rbp) -[0,10] . D=============eER . . . . . . . . . . . . addq %rdx, %rax -[0,11] . DeeeeeE--------R . . . . . . . . . . . . movq (%rbx), %rdx -[0,12] . D=====eeeeeeeeeER. . . . . . . . . . . . mulxq 16(%rsi), %rdx, %r15 -[0,13] . D=============eER. . . . . . . . . . . . adcq %rdx, %r12 -[0,14] . DeeeeeE--------R. . . . . . . . . . . . movq (%rbx), %rdx -[0,15] . D=====eeeeeeeeeER . . . . . . . . . . . mulxq 24(%rsi), %rdx, %r10 -[0,16] . D=============eER . . . . . . . . . . . adcq %rdx, %r15 -[0,17] . DeeeeeE--------R . . . . . . . . . . . movq (%rbx), %rdx -[0,18] . D=====eeeeeeeeeER . . . . . . . . . . . mulxq 32(%rsi), %rdx, %r9 -[0,19] . D=============eER . . . . . . . . . . . adcq %rdx, %r10 -[0,20] . .DeeeeeE--------R . . . . . . . . . . . movq (%rbx), %rdx -[0,21] . .D=====eeeeeeeeeER . . . . . . . . . . . mulxq 40(%rsi), %rdx, %rcx -[0,22] . .D=============eER . . . . . . . . . . . adcq %rdx, %r9 -[0,23] . . DeeeeeE--------R . . . . . . . . . . . movq 8(%rbx), %rdx -[0,24] . . D=============eER . . . . . . . . . . . adcq $0, %rcx -[0,25] . . D=====eeeeeeeeeER . . . . . . . . . . . mulxq (%rsi), %r13, %r11 -[0,26] . . D--------------R . . . . . . . . 
. . . xorl %r8d, %r8d -[0,27] . . D========eE----R . . . . . . . . . . . adoxq %r13, %rax -[0,28] . . D=============eER. . . . . . . . . . . adcxq %r11, %r12 -[0,29] . . D=========eE----R. . . . . . . . . . . movq %rax, -56(%rbp) -[0,30] . . D====eeeeeeeeeER. . . . . . . . . . . mulxq 8(%rsi), %r11, %rax -[0,31] . . D=============eER . . . . . . . . . . adoxq %r11, %r12 -[0,32] . . D==============eER . . . . . . . . . . adcxq %rax, %r15 -[0,33] . . D=============eER . . . . . . . . . . movq %r12, %r14 -[0,34] . . D====eeeeeeeeeE-R . . . . . . . . . . mulxq 16(%rsi), %r11, %rax -[0,35] . . D==============eER . . . . . . . . . . adoxq %r11, %r15 -[0,36] . . .D==============eER . . . . . . . . . . adcxq %rax, %r10 -[0,37] . . .D====eeeeeeeeeE--R . . . . . . . . . . mulxq 24(%rsi), %r11, %rax -[0,38] . . .D===============eER. . . . . . . . . . adoxq %r11, %r10 -[0,39] . . . D===============eER . . . . . . . . . adcxq %rax, %r9 -[0,40] . . . D====eeeeeeeeeE---R . . . . . . . . . mulxq 32(%rsi), %r11, %rax -[0,41] . . . D================eER . . . . . . . . . adoxq %r11, %r9 -[0,42] . . . D================eER . . . . . . . . . adcxq %rax, %rcx -[0,43] . . . D====eeeeeeeeeE----R . . . . . . . . . mulxq 40(%rsi), %rdx, %rax -[0,44] . . . D=================eER . . . . . . . . . adoxq %rdx, %rcx -[0,45] . . . D=================eER. . . . . . . . . adcxq %r8, %rax -[0,46] . . . DeeeeeE-------------R. . . . . . . . . movq 16(%rbx), %rdx -[0,47] . . . D==================eER . . . . . . . . adoxq %r8, %rax -[0,48] . . . D====eeeeeeeeeE-----R . . . . . . . . mulxq (%rsi), %r13, %r8 -[0,49] . . . D====E--------------R . . . . . . . . xorl %r11d, %r11d -[0,50] . . . D=========eE--------R . . . . . . . . adoxq %r13, %r14 -[0,51] . . . .D=========eE-------R . . . . . . . . movq %r14, -64(%rbp) -[0,52] . . . .D============eE----R . . . . . . . . adcxq %r8, %r15 -[0,53] . . . .D====eeeeeeeeeE----R . . . . . . . . mulxq 8(%rsi), %r12, %r8 -[0,54] . . . . D============eE---R . . . . . . . 
. adoxq %r12, %r15 -[0,55] . . . . D=============eE--R . . . . . . . . adcxq %r8, %r10 -[0,56] . . . . D====eeeeeeeeeE---R . . . . . . . . mulxq 16(%rsi), %r12, %r8 -[0,57] . . . . D=============eE-R . . . . . . . . adoxq %r12, %r10 -[0,58] . . . . D==============eER . . . . . . . . adcxq %r8, %r9 -[0,59] . . . . D====eeeeeeeeeE--R . . . . . . . . mulxq 24(%rsi), %r12, %r8 -[0,60] . . . . D==============eER . . . . . . . . adoxq %r12, %r9 -[0,61] . . . . D===============eER . . . . . . . . adcxq %r8, %rcx -[0,62] . . . . D====eeeeeeeeeE---R . . . . . . . . mulxq 32(%rsi), %r12, %r8 -[0,63] . . . . D===============eER . . . . . . . . adoxq %r12, %rcx -[0,64] . . . . D================eER. . . . . . . . adcxq %r8, %rax -[0,65] . . . . D====eeeeeeeeeE----R. . . . . . . . mulxq 40(%rsi), %rdx, %r8 -[0,66] . . . . .D================eER . . . . . . . adoxq %rdx, %rax -[0,67] . . . . .D=================eER . . . . . . . adcxq %r11, %r8 -[0,68] . . . . .DeeeeeE-------------R . . . . . . . movq 24(%rbx), %rdx -[0,69] . . . . .D==================eER . . . . . . . adoxq %r11, %r8 -[0,70] . . . . . D====eeeeeeeeeE-----R . . . . . . . mulxq (%rsi), %r13, %r11 -[0,71] . . . . . D====E--------------R . . . . . . . xorl %r12d, %r12d -[0,72] . . . . . D===========eE------R . . . . . . . adoxq %r13, %r15 -[0,73] . . . . . D============eE----R . . . . . . . adcxq %r11, %r10 -[0,74] . . . . . D====eeeeeeeeeE----R . . . . . . . mulxq 8(%rsi), %r13, %r11 -[0,75] . . . . . D=============eE---R . . . . . . . adoxq %r13, %r10 -[0,76] . . . . . D=============eE--R . . . . . . . adcxq %r11, %r9 -[0,77] . . . . . D====eeeeeeeeeE---R . . . . . . . mulxq 16(%rsi), %r13, %r11 -[0,78] . . . . . D==============eE-R . . . . . . . adoxq %r13, %r9 -[0,79] . . . . . D==============eER . . . . . . . adcxq %r11, %rcx -[0,80] . . . . . D====eeeeeeeeeE--R . . . . . . . mulxq 24(%rsi), %r13, %r11 -[0,81] . . . . . D===============eER . . . . . . . adoxq %r13, %rcx -[0,82] . . . . . .D===============eER. . . 
. . . . adcxq %r11, %rax -[0,83] . . . . . .D====eeeeeeeeeE---R. . . . . . . mulxq 32(%rsi), %r13, %r11 -[0,84] . . . . . .D================eER . . . . . . adoxq %r13, %rax -[0,85] . . . . . . D================eER . . . . . . adcxq %r11, %r8 -[0,86] . . . . . . D====eeeeeeeeeE----R . . . . . . mulxq 40(%rsi), %rdx, %r11 -[0,87] . . . . . . D=================eER . . . . . . adoxq %rdx, %r8 -[0,88] . . . . . . DeeeeeE------------R . . . . . . movq 32(%rbx), %rdx -[0,89] . . . . . . D=================eER . . . . . . adcxq %r12, %r11 -[0,90] . . . . . . D=====eeeeeeeeeE----R . . . . . . mulxq (%rsi), %r14, %r13 -[0,91] . . . . . . D=================eER. . . . . . adoxq %r12, %r11 -[0,92] . . . . . . D-------------------R. . . . . . xorl %r12d, %r12d -[0,93] . . . . . . D===========eE------R. . . . . . adoxq %r14, %r10 -[0,94] . . . . . . D=============eE----R. . . . . . adcxq %r13, %r9 -[0,95] . . . . . . D====eeeeeeeeeE----R. . . . . . mulxq 8(%rsi), %r14, %r13 -[0,96] . . . . . . D=============eE---R. . . . . . adoxq %r14, %r9 -[0,97] . . . . . . D==============eE--R. . . . . . adcxq %r13, %rcx -[0,98] . . . . . . .D====eeeeeeeeeE---R. . . . . . mulxq 16(%rsi), %r14, %r13 -[0,99] . . . . . . .D==============eE-R. . . . . . adoxq %r14, %rcx -[0,100] . . . . . . .D===============eER. . . . . . adcxq %r13, %rax -[0,101] . . . . . . . D====eeeeeeeeeE--R. . . . . . mulxq 24(%rsi), %r14, %r13 -[0,102] . . . . . . . D===============eER . . . . . adoxq %r14, %rax -[0,103] . . . . . . . D================eER . . . . . adcxq %r13, %r8 -[0,104] . . . . . . . D====eeeeeeeeeE---R . . . . . mulxq 32(%rsi), %r14, %r13 -[0,105] . . . . . . . D================eER . . . . . adoxq %r14, %r8 -[0,106] . . . . . . . D=================eER . . . . . adcxq %r13, %r11 -[0,107] . . . . . . . D====eeeeeeeeeE----R . . . . . mulxq 40(%rsi), %rdx, %r13 -[0,108] . . . . . . . D=================eER. . . . . adoxq %rdx, %r11 -[0,109] . . . . . . . D==================eER . . . . 
adcxq %r12, %r13 -[0,110] . . . . . . . DeeeeeE-------------R . . . . movq 40(%rbx), %rdx -[0,111] . . . . . . . D==================eER . . . . adoxq %r12, %r13 -[0,112] . . . . . . . D=====eeeeeeeeeE-----R . . . . mulxq (%rsi), %r14, %rbx -[0,113] . . . . . . . .D-------------------R . . . . xorl %r12d, %r12d -[0,114] . . . . . . . .D===========eE------R . . . . adoxq %r14, %r9 -[0,115] . . . . . . . .D=============eE----R . . . . adcxq %rbx, %rcx -[0,116] . . . . . . . . D====eeeeeeeeeE----R . . . . mulxq 8(%rsi), %r14, %rbx -[0,117] . . . . . . . . D=============eE---R . . . . adoxq %r14, %rcx -[0,118] . . . . . . . . D==============eE--R . . . . adcxq %rbx, %rax -[0,119] . . . . . . . . D====eeeeeeeeeE---R . . . . mulxq 16(%rsi), %r14, %rbx -[0,120] . . . . . . . . D==============eE-R . . . . adoxq %r14, %rax -[0,121] . . . . . . . . D===============eER . . . . adcxq %rbx, %r8 -[0,122] . . . . . . . . D====eeeeeeeeeE--R . . . . mulxq 24(%rsi), %r14, %rbx -[0,123] . . . . . . . . D===============eER . . . . adoxq %r14, %r8 -[0,124] . . . . . . . . D================eER . . . . adcxq %rbx, %r11 -[0,125] . . . . . . . . D====eeeeeeeeeE---R . . . . mulxq 32(%rsi), %r14, %rbx -[0,126] . . . . . . . . .D====eeeeeeeeeE--R . . . . mulxq 40(%rsi), %rsi, %rdx -[0,127] . . . . . . . . .D===============eER. . . . adoxq %r14, %r11 -[0,128] . . . . . . . . .D================eER . . . adcxq %rbx, %r13 -[0,129] . . . . . . . . . D================eER . . . adoxq %rsi, %r13 -[0,130] . . . . . . . . . D=================eER . . . adcxq %r12, %rdx -[0,131] . . . . . . . . . D==================eER . . . adoxq %r12, %rdx -[0,132] . . . . . . . . . DeeeeeE--------------R . . . movq -48(%rbp), %rsi -[0,133] . . . . . . . . . D=eeeeeE-------------R . . . movq -56(%rbp), %rbx -[0,134] . . . . . . . . . D===eE---------------R . . . movq %r15, 24(%rdi) -[0,135] . . . . . . . . . D=eeeeeE------------R . . . movq -64(%rbp), %r14 -[0,136] . . . . . . . . . D================eE-R . . . 
movq %r13, 80(%rdi) -[0,137] . . . . . . . . . D=================eER . . . movq %rbx, 8(%rdi) -[0,138] . . . . . . . . . D==================eER. . . movq %r14, 16(%rdi) -[0,139] . . . . . . . . . D===================eER . . movq %rsi, (%rdi) -[0,140] . . . . . . . . . D====================eER . . movq %r10, 32(%rdi) -[0,141] . . . . . . . . . D====================eER . . movq %r9, 40(%rdi) -[0,142] . . . . . . . . . D=====================eER . . movq %rcx, 48(%rdi) -[0,143] . . . . . . . . . D======================eER. . movq %rax, 56(%rdi) -[0,144] . . . . . . . . . D=======================eER . movq %r8, 64(%rdi) -[0,145] . . . . . . . . . D========================eER. movq %r11, 72(%rdi) -[0,146] . . . . . . . . . D=========================eER movq %rdx, 88(%rdi) -[0,147] . . . . . . . . . DeeeeeE--------------------R movq -8(%rbp), %r15 -[0,148] . . . . . . . . . D=eeeeeE-------------------R movq -16(%rbp), %r14 -[0,149] . . . . . . . . . D=eeeeeE-------------------R movq -24(%rbp), %r13 -[0,150] . . . . . . . . . D==eeeeeE------------------R movq -32(%rbp), %r12 -[0,151] . . . . . . . . . D==eeeeeE------------------R movq -40(%rbp), %rbx +SIMULATION 0123456789 0123456789 0123456789 +Index 0123456789 0123456789 0123456789 01234 +[0,0] DeER . . . . . . . . . . . . . movq %r15, -8(%rbp) +[0,1] D=eER. . . . . . . . . . . . . movq %r14, -16(%rbp) +[0,2] D==eER . . . . . . . . . . . . movq %r13, -24(%rbp) +[0,3] D===eER . . . . . . . . . . . . movq %r12, -32(%rbp) +[0,4] D====eER . . . . . . . . . . . . movq %rbx, -40(%rbp) +[0,5] DeE----R . . . . . . . . . . . . movq %rdx, %rbx +[0,6] .DeeeeeER . . . . . . . . . . . . movq (%rdx), %rdx +[0,7] .D=====eeeeeeeeeER . . . . . . . . . . mulxq (%rsi), %rcx, %rax +[0,8] . D=====eeeeeeeeeER . . . . . . . . . . mulxq 8(%rsi), %rdx, %r12 +[0,9] . D=======eE------R . . . . . . . . . . movq %rcx, -48(%rbp) +[0,10] . D=============eER . . . . . . . . . . addq %rdx, %rax +[0,11] . DeeeeeE--------R . . . . . . . . . . 
movq (%rbx), %rdx +[0,12] . D=====eeeeeeeeeER. . . . . . . . . . mulxq 16(%rsi), %rdx, %r15 +[0,13] . D=============eER. . . . . . . . . . adcq %rdx, %r12 +[0,14] . DeeeeeE--------R. . . . . . . . . . movq (%rbx), %rdx +[0,15] . D=====eeeeeeeeeER . . . . . . . . . mulxq 24(%rsi), %rdx, %r10 +[0,16] . D=============eER . . . . . . . . . adcq %rdx, %r15 +[0,17] . DeeeeeE--------R . . . . . . . . . movq (%rbx), %rdx +[0,18] . D=====eeeeeeeeeER . . . . . . . . . mulxq 32(%rsi), %rdx, %r9 +[0,19] . D=============eER . . . . . . . . . adcq %rdx, %r10 +[0,20] . .DeeeeeE--------R . . . . . . . . . movq (%rbx), %rdx +[0,21] . .D=====eeeeeeeeeER . . . . . . . . . mulxq 40(%rsi), %rdx, %rcx +[0,22] . .D=============eER . . . . . . . . . adcq %rdx, %r9 +[0,23] . . DeeeeeE--------R . . . . . . . . . movq 8(%rbx), %rdx +[0,24] . . D=============eER . . . . . . . . . adcq $0, %rcx +[0,25] . . D=====eeeeeeeeeER . . . . . . . . . mulxq (%rsi), %r13, %r11 +[0,26] . . D--------------R . . . . . . . . . xorl %r8d, %r8d +[0,27] . . D========eE----R . . . . . . . . . adoxq %r13, %rax +[0,28] . . D=============eER. . . . . . . . . adcxq %r11, %r12 +[0,29] . . D=========eE----R. . . . . . . . . movq %rax, -56(%rbp) +[0,30] . . D====eeeeeeeeeER. . . . . . . . . mulxq 8(%rsi), %r11, %rax +[0,31] . . D=============eER . . . . . . . . adoxq %r11, %r12 +[0,32] . . D==============eER . . . . . . . . adcxq %rax, %r15 +[0,33] . . D=============eER . . . . . . . . movq %r12, %r14 +[0,34] . . D====eeeeeeeeeE-R . . . . . . . . mulxq 16(%rsi), %r11, %rax +[0,35] . . D==============eER . . . . . . . . adoxq %r11, %r15 +[0,36] . . .D==============eER . . . . . . . . adcxq %rax, %r10 +[0,37] . . .D====eeeeeeeeeE--R . . . . . . . . mulxq 24(%rsi), %r11, %rax +[0,38] . . .D===============eER. . . . . . . . adoxq %r11, %r10 +[0,39] . . . D===============eER . . . . . . . adcxq %rax, %r9 +[0,40] . . . D====eeeeeeeeeE---R . . . . . . . mulxq 32(%rsi), %r11, %rax +[0,41] . . . D================eER . . . . . . 
. adoxq %r11, %r9 +[0,42] . . . D================eER . . . . . . . adcxq %rax, %rcx +[0,43] . . . D====eeeeeeeeeE----R . . . . . . . mulxq 40(%rsi), %rdx, %rax +[0,44] . . . D=================eER . . . . . . . adoxq %rdx, %rcx +[0,45] . . . D=================eER. . . . . . . adcxq %r8, %rax +[0,46] . . . DeeeeeE-------------R. . . . . . . movq 16(%rbx), %rdx +[0,47] . . . D==================eER . . . . . . adoxq %r8, %rax +[0,48] . . . D====eeeeeeeeeE-----R . . . . . . mulxq (%rsi), %r13, %r8 +[0,49] . . . D====E--------------R . . . . . . xorl %r11d, %r11d +[0,50] . . . D=========eE--------R . . . . . . adoxq %r13, %r14 +[0,51] . . . .D=========eE-------R . . . . . . movq %r14, -64(%rbp) +[0,52] . . . .D============eE----R . . . . . . adcxq %r8, %r15 +[0,53] . . . .D====eeeeeeeeeE----R . . . . . . mulxq 8(%rsi), %r12, %r8 +[0,54] . . . . D============eE---R . . . . . . adoxq %r12, %r15 +[0,55] . . . . D=============eE--R . . . . . . adcxq %r8, %r10 +[0,56] . . . . D====eeeeeeeeeE---R . . . . . . mulxq 16(%rsi), %r12, %r8 +[0,57] . . . . D=============eE-R . . . . . . adoxq %r12, %r10 +[0,58] . . . . D==============eER . . . . . . adcxq %r8, %r9 +[0,59] . . . . D====eeeeeeeeeE--R . . . . . . mulxq 24(%rsi), %r12, %r8 +[0,60] . . . . D==============eER . . . . . . adoxq %r12, %r9 +[0,61] . . . . D===============eER . . . . . . adcxq %r8, %rcx +[0,62] . . . . D====eeeeeeeeeE---R . . . . . . mulxq 32(%rsi), %r12, %r8 +[0,63] . . . . D===============eER . . . . . . adoxq %r12, %rcx +[0,64] . . . . D================eER. . . . . . adcxq %r8, %rax +[0,65] . . . . D====eeeeeeeeeE----R. . . . . . mulxq 40(%rsi), %rdx, %r8 +[0,66] . . . . .D================eER . . . . . adoxq %rdx, %rax +[0,67] . . . . .D=================eER . . . . . adcxq %r11, %r8 +[0,68] . . . . .DeeeeeE-------------R . . . . . movq 24(%rbx), %rdx +[0,69] . . . . .D==================eER . . . . . adoxq %r11, %r8 +[0,70] . . . . . D====eeeeeeeeeE-----R . . . . . mulxq (%rsi), %r13, %r11 +[0,71] . . . . . 
D====E--------------R . . . . . xorl %r12d, %r12d +[0,72] . . . . . D===========eE------R . . . . . adoxq %r13, %r15 +[0,73] . . . . . D============eE----R . . . . . adcxq %r11, %r10 +[0,74] . . . . . D====eeeeeeeeeE----R . . . . . mulxq 8(%rsi), %r13, %r11 +[0,75] . . . . . D=============eE---R . . . . . adoxq %r13, %r10 +[0,76] . . . . . D=============eE--R . . . . . adcxq %r11, %r9 +[0,77] . . . . . D====eeeeeeeeeE---R . . . . . mulxq 16(%rsi), %r13, %r11 +[0,78] . . . . . D==============eE-R . . . . . adoxq %r13, %r9 +[0,79] . . . . . D==============eER . . . . . adcxq %r11, %rcx +[0,80] . . . . . D====eeeeeeeeeE--R . . . . . mulxq 24(%rsi), %r13, %r11 +[0,81] . . . . . D===============eER . . . . . adoxq %r13, %rcx +[0,82] . . . . . .D===============eER. . . . . adcxq %r11, %rax +[0,83] . . . . . .D====eeeeeeeeeE---R. . . . . mulxq 32(%rsi), %r13, %r11 +[0,84] . . . . . .D================eER . . . . adoxq %r13, %rax +[0,85] . . . . . . D================eER . . . . adcxq %r11, %r8 +[0,86] . . . . . . D====eeeeeeeeeE----R . . . . mulxq 40(%rsi), %rdx, %r11 +[0,87] . . . . . . D=================eER . . . . adoxq %rdx, %r8 +[0,88] . . . . . . DeeeeeE------------R . . . . movq 32(%rbx), %rdx +[0,89] . . . . . . D=================eER . . . . adcxq %r12, %r11 +[0,90] . . . . . . D=====eeeeeeeeeE----R . . . . mulxq (%rsi), %r14, %r13 +[0,91] . . . . . . D=================eER. . . . adoxq %r12, %r11 +[0,92] . . . . . . D-------------------R. . . . xorl %r12d, %r12d +[0,93] . . . . . . D===========eE------R. . . . adoxq %r14, %r10 +[0,94] . . . . . . D=============eE----R. . . . adcxq %r13, %r9 +[0,95] . . . . . . D====eeeeeeeeeE----R. . . . mulxq 8(%rsi), %r14, %r13 +[0,96] . . . . . . D=============eE---R. . . . adoxq %r14, %r9 +[0,97] . . . . . . D==============eE--R. . . . adcxq %r13, %rcx +[0,98] . . . . . . .D====eeeeeeeeeE---R. . . . mulxq 16(%rsi), %r14, %r13 +[0,99] . . . . . . .D==============eE-R. . . . adoxq %r14, %rcx +[0,100] . . . . . . 
.D===============eER. . . . adcxq %r13, %rax +[0,101] . . . . . . . D====eeeeeeeeeE--R. . . . mulxq 24(%rsi), %r14, %r13 +[0,102] . . . . . . . D===============eER . . . adoxq %r14, %rax +[0,103] . . . . . . . D================eER . . . adcxq %r13, %r8 +[0,104] . . . . . . . D====eeeeeeeeeE---R . . . mulxq 32(%rsi), %r14, %r13 +[0,105] . . . . . . . D================eER . . . adoxq %r14, %r8 +[0,106] . . . . . . . D=================eER . . . adcxq %r13, %r11 +[0,107] . . . . . . . D====eeeeeeeeeE----R . . . mulxq 40(%rsi), %rdx, %r13 +[0,108] . . . . . . . D=================eER. . . adoxq %rdx, %r11 +[0,109] . . . . . . . D==================eER . . adcxq %r12, %r13 +[0,110] . . . . . . . DeeeeeE-------------R . . movq 40(%rbx), %rdx +[0,111] . . . . . . . D==================eER . . adoxq %r12, %r13 +[0,112] . . . . . . . D=====eeeeeeeeeE-----R . . mulxq (%rsi), %r14, %rbx +[0,113] . . . . . . . .D-------------------R . . xorl %r12d, %r12d +[0,114] . . . . . . . .D===========eE------R . . adoxq %r14, %r9 +[0,115] . . . . . . . .D=============eE----R . . adcxq %rbx, %rcx +[0,116] . . . . . . . . D====eeeeeeeeeE----R . . mulxq 8(%rsi), %r14, %rbx +[0,117] . . . . . . . . D=============eE---R . . adoxq %r14, %rcx +[0,118] . . . . . . . . D==============eE--R . . adcxq %rbx, %rax +[0,119] . . . . . . . . D====eeeeeeeeeE---R . . mulxq 16(%rsi), %r14, %rbx +[0,120] . . . . . . . . D==============eE-R . . adoxq %r14, %rax +[0,121] . . . . . . . . D===============eER . . adcxq %rbx, %r8 +[0,122] . . . . . . . . D====eeeeeeeeeE--R . . mulxq 24(%rsi), %r14, %rbx +[0,123] . . . . . . . . D===============eER . . adoxq %r14, %r8 +[0,124] . . . . . . . . D================eER . . adcxq %rbx, %r11 +[0,125] . . . . . . . . D====eeeeeeeeeE---R . . mulxq 32(%rsi), %r14, %rbx +[0,126] . . . . . . . . .D====eeeeeeeeeE--R . . mulxq 40(%rsi), %rsi, %rdx +[0,127] . . . . . . . . .D===============eER. . adoxq %r14, %r11 +[0,128] . . . . . . . . .D================eER . 
adcxq %rbx, %r13 +[0,129] . . . . . . . . . D================eER . adoxq %rsi, %r13 +[0,130] . . . . . . . . . D=================eER . adcxq %r12, %rdx +[0,131] . . . . . . . . . D==================eER. adoxq %r12, %rdx +[0,132] . . . . . . . . . DeeeeeE--------------R. movq -48(%rbp), %rsi +[0,133] . . . . . . . . . D=eeeeeE-------------R. movq -56(%rbp), %rbx +[0,134] . . . . . . . . . D==eeeeeE------------R. movq -64(%rbp), %r14 +[0,135] . . . . . . . . . D====eE-------------R. movq %rsi, (%rdi) +[0,136] . . . . . . . . . D=====eE------------R. movq %rbx, 8(%rdi) +[0,137] . . . . . . . . . D======eE-----------R. movq %r14, 16(%rdi) +[0,138] . . . . . . . . . D=======eE----------R. movq %r15, 24(%rdi) +[0,139] . . . . . . . . . D========eE---------R. movq %r10, 32(%rdi) +[0,140] . . . . . . . . . D=========eE--------R. movq %r9, 40(%rdi) +[0,141] . . . . . . . . . D=========eE-------R. movq %rcx, 48(%rdi) +[0,142] . . . . . . . . . D==========eE------R. movq %rax, 56(%rdi) +[0,143] . . . . . . . . . D===========eE-----R. movq %r8, 64(%rdi) +[0,144] . . . . . . . . . D=============eE---R. movq %r11, 72(%rdi) +[0,145] . . . . . . . . . D===============eE-R. movq %r13, 80(%rdi) +[0,146] . . . . . . . . . D=================eER movq %rdx, 88(%rdi) +[0,147] . . . . . . . . . DeeeeeE------------R movq -8(%rbp), %r15 +[0,148] . . . . . . . . . D=eeeeeE-----------R movq -16(%rbp), %r14 +[0,149] . . . . . . . . . D=eeeeeE-----------R movq -24(%rbp), %r13 +[0,150] . . . . . . . . . D==eeeeeE----------R movq -32(%rbp), %r12 +[0,151] . . . . . . . . . D==eeeeeE----------R movq -40(%rbp), %rbx diff --git a/libc/str/timingsafe_memcmp.c b/libc/str/timingsafe_memcmp.c index 12427f012..b203272ef 100644 --- a/libc/str/timingsafe_memcmp.c +++ b/libc/str/timingsafe_memcmp.c 
@@ -28,8 +28,8 @@ asm(".include \"libc/disclaimer.inc\""); * * Running time is independent of the byte sequences compared, making * this safe to use for comparing secret values such as cryptographic - * MACs. In contrast, memcmp() may short-circuit afterw finding the - * first differing byte. + * MACs. In contrast, memcmp() may short-circuit after finding the first + * differing byte. * * @note each byte is interpreted as unsigned char */ diff --git a/third_party/mbedtls/check.h b/third_party/mbedtls/check.h index 16cfa303d..aebf48665 100644 --- a/third_party/mbedtls/check.h +++ b/third_party/mbedtls/check.h @@ -538,22 +538,6 @@ #endif #endif /* MBEDTLS_SSL_PROTO_SSL3 */ -#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) -#if defined(MBEDTLS_DEPRECATED_REMOVED) -#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS" -#elif defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS" -#endif -#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ - -#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) -#if defined(MBEDTLS_DEPRECATED_REMOVED) -#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS" -#elif defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS" -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ - #if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) ) #error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites" #endif diff --git a/third_party/mbedtls/config.h b/third_party/mbedtls/config.h index a6aa5cb66..76a21a29c 100644 --- a/third_party/mbedtls/config.h +++ b/third_party/mbedtls/config.h 
@@ -16,7 +16,6 @@ /*#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ /*#define MBEDTLS_SSL_PROTO_DTLS*/ /*#define MBEDTLS_SSL_PROTO_SSL3*/ -/*#define MBEDTLS_ZLIB_SUPPORT*/ #endif /* hash functions */ @@ -74,8 +73,8 @@ #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -/*#define MBEDTLS_DHM_C*/ -/*#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED*/ +#define MBEDTLS_DHM_C +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED /*#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED*/ /*#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED*/ /*#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED*/ 
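Review bot: Enabling `MBEDTLS_DHM_C` and `MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED` in the second hunk switches on finite-field DHE suites without any accompanying change to the DH parameter policy. On the client side upstream mbedtls 2.x accepts server DH moduli as small as 1024 bits by default (the dhm_min_bitlen setting), which is below current guidance, so wherever the config defaults are applied consider `mbedtls_ssl_conf_dhm_min_bitlen( conf, 2048 );`. The server-side default group is not visible in this diff, so whether a 2048-bit or larger modulus is used there should be confirmed. A one-line comment beside the two new defines stating why DHE_RSA is wanted (presumably clients that lack ECDHE) would help the next reader.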
@@ -110,14 +109,44 @@ #define MBEDTLS_ENTROPY_MAX_SOURCES 4 #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 -/* boosts performance from 230k qps to 330k */ #ifndef TINY -#ifndef __FSANITIZE_ADDRESS__ +/* + * Boosts performance from 230k qps to 330k + * Hardens against against sbox side channels + */ +#define MBEDTLS_AESNI_C #define MBEDTLS_HAVE_ASM #define MBEDTLS_HAVE_X86_64 #define MBEDTLS_HAVE_SSE2 -#define MBEDTLS_AESNI_C #endif + +#ifndef TINY +/* + * TODO(jart): RHEL5 sends SSLv2 hello even though it supports TLS. Is + * DROWN really a problem if we turn this on? Since Google + * supports it on their website. SSLLabs says we're OK. + */ +#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO +#endif + +#ifndef TINY +/* + * The CIA says "messages should be compressed prior to encryption" + * because "compression reduces the amount of information to be + * encrypted, thereby decreasing the amount of material available for + * cryptanalysis. Additionally, compression is designed to eliminate + * redundancies in the message, further complicating cryptanalysis." + * + * Google says that if you (1) have the ability to record encrypted + * communications made by a machine and (2) have the ability to run code + * on that machine which injects plaintext repeatedly into the encrypted + * messages, then you can extract other small parts of the mesasge which + * the code execution sandbox doesn't allow you to see, and that the + * only solution to stop using compression. + * + * Since we pay $0.12/gb for GCP bandwidth we choose to believe the CIA. + */ +#define MBEDTLS_ZLIB_SUPPORT #endif #if IsModeDbg() diff --git a/third_party/mbedtls/mbedtls.mk b/third_party/mbedtls/mbedtls.mk index 8bbea0621..9b87fa7b6 100644 --- a/third_party/mbedtls/mbedtls.mk +++ b/third_party/mbedtls/mbedtls.mk 
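Review bot: With `MBEDTLS_ZLIB_SUPPORT` defined in the last `#ifndef TINY` block, TLS compression is on by default: the only opt-out is the new `disable_compression` field in mbedtls_ssl_config, which presumably starts at zero from mbedtls_ssl_config_init, so every config that does not set it explicitly will offer and accept DEFLATE (ssl_cli.c's offer_compress/accept_comp and the ssl_srv.c loop all read that same flag). The comment block itself spells out the CRIME-style condition under which compressed TLS leaks secrets, and that condition holds for any server that places user-controlled data next to a secret in the same record, so the safer default is compression off with explicit opt-in — e.g. invert the field to `bool enable_compression;` or set `conf->disable_compression = true;` in mbedtls_ssl_config_defaults. Re-enabling `MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO` here is paired with deleting its deprecation check in check.h, so nothing will warn when that path is removed upstream; the TODO should at least name the compatibility target so the knob can be retired later. Dropping the `#ifndef __FSANITIZE_ADDRESS__` guard means the asm paths now build under ASan as well; if the guard existed because those paths are not instrumented, a comment saying that was deliberate would help. Comment typos: `against against`, `mesasge`, and `the only solution to stop using compression` → `the only solution is to stop using compression`.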
@@ -34,7 +34,8 @@ THIRD_PARTY_MBEDTLS_A_DIRECTDEPS = \ LIBC_UNICODE \ NET_HTTP \ THIRD_PARTY_COMPILER_RT \ - THIRD_PARTY_GDTOA + THIRD_PARTY_GDTOA \ + THIRD_PARTY_ZLIB THIRD_PARTY_MBEDTLS_A_DEPS := \ $(call uniq,$(foreach x,$(THIRD_PARTY_MBEDTLS_A_DIRECTDEPS),$($(x)))) diff --git a/third_party/mbedtls/ssl.h b/third_party/mbedtls/ssl.h index 1c0ac6e34..5b1a52895 100644 --- a/third_party/mbedtls/ssl.h +++ b/third_party/mbedtls/ssl.h @@ -1075,6 +1075,7 @@ struct mbedtls_ssl_config unsigned int dtls_srtp_mki_support : 1; /* support having mki_value in the use_srtp extension */ #endif + bool disable_compression; }; struct mbedtls_ssl_context @@ -1113,7 +1114,8 @@ struct mbedtls_ssl_context mbedtls_ssl_session *session; /*!< negotiated session data */ mbedtls_ssl_session *session_negotiate; /*!< session data in negotiation */ mbedtls_ssl_handshake_params *handshake; /*!< params required only during - the handshake process */ + the handshake process */ + const mbedtls_ecp_curve_info *curve; /* * Record layer transformations */ @@ -1442,7 +1444,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *, const unsigned c int mbedtls_ssl_set_hostname( mbedtls_ssl_context *, const char * ); int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *, const unsigned char *, size_t ); int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *, mbedtls_x509_crt *, mbedtls_pk_context * ); -int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *, const unsigned char *, size_t ); +int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *, const void *, size_t ); int mbedtls_ssl_set_session( mbedtls_ssl_context *, const mbedtls_ssl_session * ); int mbedtls_ssl_setup( mbedtls_ssl_context *, const mbedtls_ssl_config * ); int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types , const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t ); 
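Review bot: The two new struct members in ssl.h lack the `/*!< ... */` doc comments that every neighbouring field carries, and `disable_compression` has no `mbedtls_ssl_conf_*` setter anywhere in this diff, so callers would have to write into mbedtls_ssl_config directly. Suggested comments: `bool disable_compression; /*!< if set, DEFLATE is neither offered nor accepted even when MBEDTLS_ZLIB_SUPPORT is compiled in */` and `const mbedtls_ecp_curve_info *curve; /*!< ECDHE curve chosen during the handshake; NULL until ssl_srv.c selects one (only the server path sets it in this change) */`. A `void mbedtls_ssl_conf_disable_compression( mbedtls_ssl_config *, bool );` declaration beside the other conf setters would keep the struct opaque and give the flag a documented home. The `const void *` widening of mbedtls_ssl_set_hs_psk is backward compatible for existing callers passing `const unsigned char *`.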
diff --git a/third_party/mbedtls/ssl_ciphersuites.c b/third_party/mbedtls/ssl_ciphersuites.c index 7a949bdaf..32d78b7c4 100644 --- a/third_party/mbedtls/ssl_ciphersuites.c +++ b/third_party/mbedtls/ssl_ciphersuites.c @@ -42,17 +42,26 @@ asm(".include \"libc/disclaimer.inc\""); */ #if defined(MBEDTLS_SSL_TLS_C) -static const uint16_t ciphersuite_preference[] = +const uint16_t ciphersuite_preference[] = { #if defined(MBEDTLS_SSL_CIPHERSUITES) MBEDTLS_SSL_CIPHERSUITES, #else #ifdef MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED - /* strong perfect forward secrecy */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, +#endif + +#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, + MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, +#endif + +#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 
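Review bot: Dropping `static` from `ciphersuite_preference` gives the table external linkage, but no `extern const uint16_t ciphersuite_preference[];` declaration appears in this diff, so the symbol is exported without a header prototype and any consumer will have to declare it ad hoc (and `-Wmissing-variable-declarations` will flag the definition). Either add the extern declaration to the ssl_ciphersuites header or keep the array static and expose an accessor. The reordering also moves the ECDHE-PSK suites above ECDHE-RSA and deletes the `/* strong perfect forward secrecy */` label; a short comment stating the intended ranking (PSK-with-ECDHE before certificate suites, presumably because both still give forward secrecy) would replace the lost explanation.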
@@ -61,21 +70,14 @@ static const uint16_t ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, #endif #ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED - MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, - MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, - MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, - MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, @@ -83,6 +85,18 @@ static const uint16_t ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, +#endif + +#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, +#endif + +#ifdef MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 
@@ -111,8 +125,8 @@ static const uint16_t ciphersuite_preference[] = MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, - MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, @@ -128,7 +142,7 @@ static const uint16_t ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, + MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, // e.g. IE 8 XP MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, diff --git a/third_party/mbedtls/ssl_cli.c b/third_party/mbedtls/ssl_cli.c index 906d45911..2dd9ef2f8 100644 --- a/third_party/mbedtls/ssl_cli.c +++ b/third_party/mbedtls/ssl_cli.c @@ -1170,7 +1170,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) *q++ = (unsigned char)( n << 1 ); #if defined(MBEDTLS_ZLIB_SUPPORT) - offer_compress = 1; + offer_compress = !ssl->conf->disable_compression; #else offer_compress = 0; #endif @@ -2134,7 +2134,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) accept_comp = 0; else #endif - accept_comp = 1; + accept_comp = !ssl->conf->disable_compression; if( comp != MBEDTLS_SSL_COMPRESS_NULL && ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) diff --git a/third_party/mbedtls/ssl_srv.c b/third_party/mbedtls/ssl_srv.c index f732f95ed..d98613a72 100644 --- a/third_party/mbedtls/ssl_srv.c +++ b/third_party/mbedtls/ssl_srv.c 
@@ -1861,12 +1861,15 @@ read_record_header:
 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
 
 #if defined(MBEDTLS_ZLIB_SUPPORT)
- for( i = 0; i < comp_len; ++i )
+ if( !ssl->conf->disable_compression )
 {
- if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
+ for( i = 0; i < comp_len; ++i )
 {
- ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
- break;
+ if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
+ {
+ ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
+ break;
+ }
 }
 }
 #endif
@@ -3364,6 +3367,7 @@ curve_matching_done:
 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
 }
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
+ ssl->curve = *curve;
 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
 (*curve)->grp_id ) ) != 0 )
 {
diff --git a/third_party/mbedtls/ssl_tls.c b/third_party/mbedtls/ssl_tls.c
index 3208b9e8a..853490d4e 100644
--- a/third_party/mbedtls/ssl_tls.c
+++ b/third_party/mbedtls/ssl_tls.c
@@ -3166,6 +3166,7 @@ void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 {
 /* Clear old handshake information if present */
+ ssl->curve = 0;
 if( ssl->transform_negotiate )
 mbedtls_ssl_transform_free( ssl->transform_negotiate );
 if( ssl->session_negotiate )
@@ -4468,7 +4469,7 @@ static void ssl_remove_psk( mbedtls_ssl_context *ssl )
 * \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
 */
 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
- const unsigned char *psk, size_t psk_len )
+ const void *psk, size_t psk_len )
 {
 if( psk == NULL || ssl->handshake == NULL )
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
diff --git a/third_party/quickjs/call.c b/third_party/quickjs/call.c
index fbd860f9d..fdf2c30eb 100644
--- a/third_party/quickjs/call.c
+++ b/third_party/quickjs/call.c
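Review bot: `ssl->curve` is cleared in `ssl_handshake_init` but, within this diff, assigned only on the server's ECDHE path at 3367; the ssl_cli.c hunks above never set it, so on the client side and for non-ECDHE suites it stays NULL after a successful handshake. That asymmetry belongs on the field's declaration (outside this view), e.g. `/* curve picked for ECDHE by the server; NULL on the client side and for non-ECDHE suites */`, because the redbean log line in this commit dereferences it only after a NULL check and a future caller may not. The `mbedtls_ssl_set_hs_psk` parameter change to `const void *` at 4469 widens a public API; the header prototype and the doc comment above it (which still talks of a byte buffer) are outside the hunk and presumably updated elsewhere, but worth a glance.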
@@ -41,10 +41,10 @@ static const uint16_t func_kind_to_class_id[] = {
 [JS_FUNC_ASYNC_GENERATOR] = JS_CLASS_ASYNC_GENERATOR_FUNCTION,
 };
 
-static JSValue JS_CallConstructorInternal(JSContext *ctx,
- JSValueConst func_obj,
- JSValueConst new_target,
- int argc, JSValue *argv, int flags);
+static JSValue JS_CallConstructorInternal(JSContext *,
+ JSValueConst,
+ JSValueConst,
+ int, JSValue *, int);
 
 JSValue js_closure2(JSContext *ctx, JSValue func_obj,
 JSFunctionBytecode *b,
diff --git a/tool/decode/base64.c b/tool/decode/base64.c
new file mode 100644
index 000000000..71c543a11
--- /dev/null
+++ b/tool/decode/base64.c
@@ -0,0 +1,99 @@ +/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│ +│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│ +╞══════════════════════════════════════════════════════════════════════════════╡ +│ Copyright 2021 Justine Alexandra Roberts Tunney │ +│ │ +│ Permission to use, copy, modify, and/or distribute this software for │ +│ any purpose with or without fee is hereby granted, provided that the │ +│ above copyright notice and this permission notice appear in all copies. │ +│ │ +│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │ +│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │ +│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │ +│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │ +│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │ +│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │ +│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │ +│ PERFORMANCE OF THIS SOFTWARE. │ +╚─────────────────────────────────────────────────────────────────────────────*/ +#include "libc/stdio/stdio.h" +#include "libc/str/str.h" + +/** + * @fileoverview base64 stream coder + * + * Does `openssl base64 [-d]` as a 20kb αcτµαlly pδrταblε εxεcµταblε. 
+ */
+
+#define CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
+
+const signed char kBase64[256] = {
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0x00
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0x10
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, 62, -1, 63, // 0x20
+ 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, // 0x30
+ -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, // 0x40
+ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, // 0x50
+ -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, // 0x60
+ 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, // 0x70
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0x80
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0x90
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xa0
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xb0
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xc0
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xd0
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xe0
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 0xf0
+};
+
+void Encode(void) {
+ int a, b, c, w;
+ while ((a = getchar()) != -1) {
+ b = getchar();
+ c = getchar();
+ w = a << 020;
+ if (b != -1) w |= b << 010;
+ if (c != -1) w |= c;
+ putchar(CHARS[(w >> 18) & 077]);
+ putchar(CHARS[(w >> 12) & 077]);
+ putchar(b != -1 ? CHARS[(w >> 6) & 077] : '=');
+ putchar(c != -1 ? CHARS[w & 077] : '=');
+ }
+ putchar('\n');
+}
+
+int Get(void) {
+ int c;
+ while ((c = getchar()) != -1) {
+ if ((c = kBase64[c]) != -1) break;
+ }
+ return c;
+}
+
+void Decode(void) {
+ int a, b, c, d, w;
+ while ((a = Get()) != -1 && (b = Get()) != -1) {
+ c = Get();
+ d = Get();
+ w = a << 18 | b << 12;
+ if (c != -1) w |= c << 6;
+ if (d != -1) w |= d;
+ putchar((w & 0xFF0000) >> 020);
+ if (c != -1) putchar((w & 0x00FF00) >> 010);
+ if (d != -1) putchar((w & 0x0000FF) >> 000);
+ }
+}
+
+int main(int argc, char *argv[]) {
+ if (argc == 1) {
+ Encode();
+ } else if (argc == 2 && !strcmp(argv[1], "-d")) {
+ Decode();
+ } else {
+ fputs("usage: ", stderr);
+ fputs(argv[0], stderr);
+ fputs(" [-d]\n", stderr);
+ return 1;
+ }
+ return ferror(stdin) || ferror(stdout) ? 1 : 0;
+}
diff --git a/tool/net/help.txt b/tool/net/help.txt
index 1206e5000..2b07e699d 100644
--- a/tool/net/help.txt
+++ b/tool/net/help.txt
@@ -471,7 +471,7 @@ FUNCTIONS
 DecodeBase64(ascii:str) → binary:str
 Turns ASCII into binary, in a permissive way that ignores
 characters outside the base64 alphabet, such as whitespace. See
- decodebase64.c.
+ decodebase64.c.
 
 DecodeLatin1(iso-8859-1:str) → utf-8:str
 Turns ISO-8859-1 string into UTF-8.
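Review bot: `Get` maps `'='` (0x3d, a -1 entry in `kBase64`) to "not in the alphabet" and skips it like whitespace, so padding never closes a quantum: a stream holding more than one padded group (two base64 lines concatenated, each ending in `==`) pulls the next group's symbols into the current one and emits wrong bytes, and a stray `'='` anywhere is silently absorbed. Returning a distinct sentinel for padding and ending the group on it keeps the permissive handling of other junk that the help text promises while decoding padded input correctly; the rewrite below does that with `-2`. Separately, `kBase64`, `Encode`, `Get` and `Decode` all have external linkage in a single-file tool, so `static` would be the conventional choice, and `EOF` reads better than the literal `-1`.
```c
int Get(void) {
  int c;
  while ((c = getchar()) != -1) {
    if (c == '=') return -2; /* padding closes the current quantum */
    if ((c = kBase64[c]) != -1) break;
  }
  return c;
}

void Decode(void) {
  int a, b, c, d, w;
  /* Get() yields -1 at end of input and -2 on padding; either ends the group */
  while ((a = Get()) >= 0 && (b = Get()) >= 0) {
    c = Get();
    d = Get();
    /* … unchanged: w = a << 18 | b << 12; … */
    if (c >= 0) w |= c << 6;
    if (d >= 0) w |= d;
    /* … unchanged: putchar of the first decoded byte … */
    if (c >= 0) putchar((w & 0x00FF00) >> 010);
    if (d >= 0) putchar((w & 0x0000FF) >> 000);
  }
}
```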
@@ -850,6 +850,86 @@ FUNCTIONS If this option is programmed then redbean will not transmit a Server Name Indicator (SNI) when performing Fetch() requests. + ProgramSslCompression(bool) + This option may be used to enable SSL DEFLATE support. This + can harden against cryptanalysis but we leave it off by + default since (1) we already have compression at the HTTP + layer and (2) there doesn't appear to be any browsers or + open source software that support it. + + ProgramSslPresharedKey(key:str, identity:str) + This function can be used to enable the PSK ciphersuites + which simplify SSL and enhance its performance in controlled + environments. `key` may contain 1..32 bytes of random binary + data and identity is usually a short plaintext string. The + first time this function is called, the preshared key will + be added to both the client and the server SSL configs. If + it's called multiple times, then the remaining keys will be + added to the server, which is useful if you want to assign + separate keys to each client, each of which needs a separate + identity too. If this function is called multiple times with + the same identity string, then the latter call will overwrite + the prior. If a preshared key is supplied and no certificates + or key-signing-keys are programmed, then redbean won't bother + auto-generating any serving certificates and will instead use + only PSK ciphersuites. + + ProgramSslCiphersuite(name:str) + This function may be called multiple times to specify which + ciphersuites should be used in the server and client. 
The + default list, ordered by preference, is as follows: + + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 + ECDHE-PSK-AES256-GCM-SHA384 + ECDHE-PSK-AES128-GCM-SHA256 + ECDHE-PSK-CHACHA20-POLY1305-SHA256 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-RSA-AES128-GCM-SHA256 + ECDHE-RSA-CHACHA20-POLY1305-SHA256 + DHE-RSA-AES256-GCM-SHA384 + DHE-RSA-AES128-GCM-SHA256 + DHE-RSA-CHACHA20-POLY1305-SHA256 + ECDHE-ECDSA-AES128-CBC-SHA256 + ECDHE-RSA-AES256-CBC-SHA384 + ECDHE-RSA-AES128-CBC-SHA256 + DHE-RSA-AES256-CBC-SHA256 + DHE-RSA-AES128-CBC-SHA256 + ECDHE-PSK-AES256-CBC-SHA384 + ECDHE-PSK-AES128-CBC-SHA256 + ECDHE-ECDSA-AES256-CBC-SHA + ECDHE-ECDSA-AES128-CBC-SHA + ECDHE-RSA-AES256-CBC-SHA + ECDHE-RSA-AES128-CBC-SHA + DHE-RSA-AES256-CBC-SHA + DHE-RSA-AES128-CBC-SHA + ECDHE-PSK-AES256-CBC-SHA + ECDHE-PSK-AES128-CBC-SHA + RSA-AES256-GCM-SHA384 + RSA-AES128-GCM-SHA256 + RSA-AES256-CBC-SHA256 + RSA-AES128-CBC-SHA256 + RSA-AES256-CBC-SHA + RSA-AES128-CBC-SHA + PSK-AES256-GCM-SHA384 + PSK-AES128-GCM-SHA256 + PSK-CHACHA20-POLY1305-SHA256 + PSK-AES256-CBC-SHA384 + PSK-AES128-CBC-SHA256 + PSK-AES256-CBC-SHA + PSK-AES128-CBC-SHA + ECDHE-RSA-3DES-EDE-CBC-SHA + DHE-RSA-3DES-EDE-CBC-SHA + ECDHE-PSK-3DES-EDE-CBC-SHA + RSA-3DES-EDE-CBC-SHA + PSK-3DES-EDE-CBC-SHA + + The names above are canonical to redbean and were simplified + programmatically from the official IANA names. This function + will accept the IANA names too. In most cases it will accept + the OpenSSL and GnuTLS naming convention as well. + IsDaemon() → bool Returns true if -d flag was passed to redbean. diff --git a/tool/net/net.mk b/tool/net/net.mk index 63e4bf183..d52b82928 100644 --- a/tool/net/net.mk +++ b/tool/net/net.mk @@ -52,6 +52,7 @@ TOOL_NET_DIRECTDEPS = \ LIBC_ZIPOS \ NET_HTTP \ NET_HTTPS \ + TOOL_BUILD_LIB \ THIRD_PARTY_GDTOA \ THIRD_PARTY_GETOPT \ THIRD_PARTY_LUA \ diff --git a/tool/net/redbean.c b/tool/net/redbean.c index cffac5538..81fb2002c 100644 
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@@ -52,6 +52,7 @@
 #include "libc/runtime/runtime.h"
 #include "libc/sock/sock.h"
 #include "libc/stdio/append.internal.h"
+#include "libc/stdio/hex.internal.h"
 #include "libc/stdio/stdio.h"
 #include "libc/str/str.h"
 #include "libc/str/undeflate.h"
@@ -119,6 +120,7 @@
 #include "third_party/regex/regex.h"
 #include "third_party/zlib/zlib.h"
 #include "tool/build/lib/case.h"
+#include "tool/build/lib/psk.h"
 
 /**
 * @fileoverview redbean - single-file distributable web server
@@ -248,6 +250,22 @@ static struct Unmaplist {
 } * p;
 } unmaplist;
 
+static struct Psks {
+ size_t n;
+ struct Psk {
+ char *key;
+ size_t key_len;
+ char *identity;
+ size_t identity_len;
+ char *s;
+ } * p;
+} psks;
+
+static struct Suites {
+ size_t n;
+ uint16_t *p;
+} suites;
+
 static struct Certs {
 size_t n;
 struct Cert {
@@ -1467,10 +1485,14 @@ static void WipeKeySigningKeys(void) {
 }
 
 static void WipeServingKeys(void) {
+ size_t i;
 if (uniprocess) return;
 /* TODO(jart): We need to figure out MbedTLS ownership semantics here. */
 /* mbedtls_ssl_ticket_free(&ssltick); */
 /* mbedtls_ssl_key_cert_free(conf.key_cert); */
+ for (i = 0; i < psks.n; ++i) {
+ mbedtls_platform_zeroize(psks.p[i].key, psks.p[i].key_len);
+ }
 }
 
 static bool CertHasCommonName(const mbedtls_x509_crt *cert,
@@ -1570,6 +1592,21 @@ static int TlsRoute(void *ctx, mbedtls_ssl_context *ssl,
 return ok1 || ok2 ? 0 : -1;
 }
 
+static int TlsRoutePsk(void *ctx, mbedtls_ssl_context *ssl,
+ const unsigned char *identity, size_t identity_len) {
+ size_t i;
+ for (i = 0; i < psks.n; ++i) {
+ if (SlicesEqual((void *)identity, identity_len, psks.p[i].identity,
+ psks.p[i].identity_len)) {
+ DEBUGF("TlsRoutePsk(%`'.*s)", identity_len, identity);
+ mbedtls_ssl_set_hs_psk(ssl, psks.p[i].key, psks.p[i].key_len);
+ return 0;
+ }
+ }
+ VERBOSEF("TlsRoutePsk(%`'.*s) not found", identity_len, identity);
+ return -1;
+}
+
 static bool TlsSetup(void) {
 int r;
 oldin.p = inbuf.p;
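Review bot: The new loop in `WipeServingKeys` zeroizes every PSK in place after the handshake but leaves `psks.n` and the entries themselves, so a later `TlsRoutePsk` lookup in the same process (a renegotiation, or a second handshake if a worker ever serves more than one connection) would find the identity and hand mbedtls an all-zero key. If that is intended, say so where the loop is: `/* keys are not needed once the handshake finished; later lookups must fail */`. Whether the per-handshake copy made by `mbedtls_ssl_set_hs_psk` survives this wipe depends on mbedtls copying rather than aliasing the key, which this diff does not show; the TODO above about ownership semantics applies here too.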
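Review bot: `TlsRoutePsk` discards the return value of `mbedtls_ssl_set_hs_psk`; the function can fail (its prologue, visible in the ssl_tls.c hunk of this commit, returns `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` for a NULL key or missing handshake, and the rest of its body is outside this view), and on failure the callback still reports success, so the handshake proceeds without a key instead of being rejected at the callback. Propagate it: `if (mbedtls_ssl_set_hs_psk(ssl, psks.p[i].key, psks.p[i].key_len)) return -1;`. The identity is attacker-supplied ClientHello data; it is only compared and logged here, which is fine, and a short comment saying it must never be used for anything else would keep it that way.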
@@ -1590,9 +1627,10 @@ static bool TlsSetup(void) {
 reader = SslRead;
 writer = SslWrite;
 WipeServingKeys();
- VERBOSEF("SHAKEN %s %s %s", DescribeClient(),
- mbedtls_ssl_get_ciphersuite(&ssl),
- mbedtls_ssl_get_version(&ssl));
+ VERBOSEF("SHAKEN %s %s %s%s %s", DescribeClient(),
+ mbedtls_ssl_get_ciphersuite(&ssl), mbedtls_ssl_get_version(&ssl),
+ ssl.session->compression ? " COMPRESSED" : "",
+ ssl.curve ? ssl.curve->name : "");
 return true;
 } else if (r == MBEDTLS_ERR_SSL_WANT_READ) {
 LockInc(&shared->c.handshakeinterrupts);
@@ -1878,7 +1916,7 @@ static void LoadCertificates(void) {
 }
 }
 }
- if (!havecert) {
+ if (!havecert && (!psks.n || ksk.key)) {
 if ((ksk = GetKeySigningKey()).key) {
 DEBUGF("generating ssl certificates using %`'s",
 gc(FormatX509Name(&ksk.cert->subject)));
@@ -2431,14 +2469,20 @@ static ssize_t Send(struct iovec *iov, int iovlen) {
 return rc;
 }
 
+static bool IsSslCompressed(void) {
+ return usessl && ssl.session->compression;
+}
+
 static char *CommitOutput(char *p) {
 uint32_t crc;
 size_t outbuflen;
 if (!contentlength) {
 outbuflen = appendz(outbuf).i;
 if (istext && outbuflen >= 100) {
- p = stpcpy(p, "Vary: Accept-Encoding\r\n");
- if (!IsTiny() && ClientAcceptsGzip()) {
+ if (!IsTiny() && !IsSslCompressed()) {
+ p = stpcpy(p, "Vary: Accept-Encoding\r\n");
+ }
+ if (!IsTiny() && !IsSslCompressed() && ClientAcceptsGzip()) {
 gzipped = true;
 crc = crc32_z(0, outbuf, outbuflen);
 WRITE32LE(gzip_footer + 0, crc);
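Review bot: In `LoadCertificates` the new condition reads `ksk.key` one line before `ksk` is assigned by `GetKeySigningKey()`; the declaration of `ksk` is outside the hunk, and if it is the function-local `struct Cert` this is a read of an uninitialized object (undefined behaviour), while if it is file-scope it tests a stale value from an earlier call. Fetch the key first and test the result: `ksk = GetKeySigningKey();` then `if (!havecert && (!psks.n || ksk.key)) {` and `if (ksk.key) {` in place of the assignment-in-condition. The intent, skipping certificate generation when only PSKs are configured, deserves a one-line comment since the help text is the only place it is stated.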
@@ -4824,6 +4868,49 @@ static int LuaProgramPidPath(lua_State *L) {
 return LuaProgramString(L, ProgramPidPath);
 }
 
+static int LuaProgramSslPresharedKey(lua_State *L) {
+#ifndef UNSECURE
+ struct Psk psk;
+ size_t n1, n2, i;
+ const char *p1, *p2;
+ p1 = luaL_checklstring(L, 1, &n1);
+ p2 = luaL_checklstring(L, 2, &n2);
+ if (!n1 || n1 > MBEDTLS_PSK_MAX_LEN || !n2) {
+ luaL_argerror(L, 1, "bad preshared key length");
+ unreachable;
+ }
+ psk.key = memcpy(malloc(n1), p1, n1);
+ psk.key_len = n1;
+ psk.identity = memcpy(malloc(n2), p2, n2);
+ psk.identity_len = n2;
+ for (i = 0; i < psks.n; ++i) {
+ if (SlicesEqual(psk.identity, psk.identity_len, psks.p[i].identity,
+ psks.p[i].identity_len)) {
+ mbedtls_platform_zeroize(psks.p[i].key, psks.p[i].key_len);
+ free(psks.p[i].key);
+ free(psks.p[i].identity);
+ psks.p[i] = psk;
+ return 0;
+ }
+ }
+ psks.p = realloc(psks.p, ++psks.n * sizeof(*psks.p));
+ psks.p[psks.n - 1] = psk;
+#endif
+ return 0;
+}
+
+static int LuaProgramSslCiphersuite(lua_State *L) {
+ mbedtls_ssl_ciphersuite_t *suite;
+ if (!(suite = GetCipherSuite(luaL_checkstring(L, 1)))) {
+ luaL_argerror(L, 1, "unsupported or unknown ciphersuite");
+ unreachable;
+ }
+ suites.p = realloc(suites.p, (++suites.n + 1) * sizeof(*suites.p));
+ suites.p[suites.n - 1] = suite->id;
+ suites.p[suites.n - 0] = 0;
+ return 0;
+}
+
 static int LuaProgramPrivateKey(lua_State *L) {
 #ifndef UNSECURE
 size_t n;
@@ -4885,6 +4972,13 @@ static int LuaEvadeDragnetSurveillance(lua_State *L) {
 return LuaProgramBool(L, &evadedragnetsurveillance);
 }
 
+static int LuaProgramSslCompression(lua_State *L) {
+#ifndef UNSECURE
+ conf.disable_compression = confcli.disable_compression = !lua_toboolean(L, 1);
+#endif
+ return 0;
+}
+
 static int LuaGetLogLevel(lua_State *L) {
 lua_pushinteger(L, __log_level);
 return 1;
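Review bot: `luaL_argerror(L, 1, "bad preshared key length")` is raised for all three rejections in `LuaProgramSslPresharedKey`, including `!n2`, which is an empty identity in argument 2; split the check so the error points at the right argument, e.g. `if (!n2) { luaL_argerror(L, 2, "empty identity"); unreachable; }`. Both `malloc` results go straight into `memcpy` and `psks.p = realloc(psks.p, ...)` overwrites the only pointer, so an allocation failure dereferences NULL or loses the old array; `LuaProgramSslCiphersuite` uses the same `realloc` pattern. The key bytes also remain in the immutable Lua string returned by `luaL_checklstring` for as long as the interpreter keeps it, so the zeroization added in `WipeServingKeys` and `TlsDestroy` covers only the C copy, a limitation worth a comment beside the `memcpy`.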
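Review bot: `LuaProgramSslCompression` writes `conf.disable_compression` and `confcli.disable_compression` directly, but the `TlsInit` hunk later in this commit sets both to `true` unconditionally after `mbedtls_ssl_config_defaults`; `TlsInit` already consumes `psks` and `suites`, which only the Lua program fills, so it apparently runs after the init script, in which case the user's choice is overwritten and the option has no effect. Keep the choice in a file-scope flag like the other `LuaProgramBool` options (`static bool sslcompression;`) and apply it once in `TlsInit`: `conf.disable_compression = confcli.disable_compression = !sslcompression;`. The help.txt entry for this option also says DEFLATE "can harden against cryptanalysis"; TLS-level compression is the classic length-leak vector, so that sentence should be dropped rather than encourage users to turn it on for a benefit that does not exist.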
@@ -5321,8 +5415,11 @@ static const luaL_Reg kLuaFuncs[] = {
 {"ProgramPort", LuaProgramPort}, //
 {"ProgramPrivateKey", LuaProgramPrivateKey}, //
 {"ProgramRedirect", LuaProgramRedirect}, //
+ {"ProgramSslCiphersuite", LuaProgramSslCiphersuite}, //
 {"ProgramSslClientVerify", LuaProgramSslClientVerify}, //
+ {"ProgramSslCompression", LuaProgramSslCompression}, //
 {"ProgramSslFetchVerify", LuaProgramSslFetchVerify}, //
+ {"ProgramSslPresharedKey", LuaProgramSslPresharedKey}, //
 {"ProgramSslTicketLifetime", LuaProgramSslTicketLifetime}, //
 {"ProgramTimeout", LuaProgramTimeout}, //
 {"ProgramUid", LuaProgramUid}, //
@@ -6015,7 +6112,8 @@ static char *ServeAsset(struct Asset *a, const char *path, size_t pathlen) {
 } else {
 return ServeError(500, "Internal Server Error");
 }
- } else if (!IsTiny() && msg.method != kHttpHead && ClientAcceptsGzip() &&
+ } else if (!IsTiny() && msg.method != kHttpHead && !IsSslCompressed() &&
+ ClientAcceptsGzip() &&
 ((contentlength >= 100 && StartsWithIgnoreCase(ct, "text/")) ||
 (contentlength >= 1000 && MeasureEntropy(content, 1000) < 6))) {
 p = ServeAssetCompressed(a);
@@ -6165,8 +6263,9 @@ static bool HandleMessage(void) {
 } else {
 LockInc(&shared->c.badmessages);
 connectionclose = true;
- LOGF("%s sent garbage %`'s", DescribeClient(),
- VisualizeControlCodes(inbuf.p, MIN(128, amtread), 0));
+ if ((p = DumpHexc(inbuf.p, MIN(amtread, 256), 0))) {
+ LOGF("%s sent garbage %s", DescribeClient(), p);
+ }
 return true;
 }
 if (!msgsize) {
@@ -6219,6 +6318,14 @@ static void InitRequest(void) {
 InitHttpMessage(&msg, kHttpRequest);
 }
 
+static bool IsSsl(unsigned char c) {
+ if (c == 22) return true;
+ if (!(c & 128)) return false;
+ /* RHEL5 sends SSLv2 hello but supports TLS */
+ DEBUGF("%s SSLv2 hello D:", DescribeClient());
+ return true;
+}
+
 static void HandleMessages(void) {
 bool once;
 ssize_t rc;
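Review bot: `IsSsl` treats every first byte with the high bit set as an SSLv2-style ClientHello, so any non-TLS client whose first byte is 0x80 or above (binary junk, a UTF-8 request line) is now routed into `TlsSetup` rather than the "sent garbage" path in `HandleMessage`; that is a reasonable trade-off for old clients, but the comment should say so and name the magic number: `/* 22 = TLS handshake record type; a set high bit is the SSLv2 record header some old clients still send first */`. The `DEBUGF` inside a predicate is a side effect a reader does not expect from an `Is*` function; logging at the call site in `HandleMessages` would keep it pure. In the `HandleMessage` hunk `p` receives whatever `DumpHexc` returns and nothing in the hunk releases it, so confirm it is gc-managed or free it after the `LOGF`.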
@@ -6239,7 +6346,7 @@ static void HandleMessages(void) {
 #ifndef UNSECURE
 if (!once) {
 once = true;
- if (inbuf.p[0] == 22) {
+ if (IsSsl(inbuf.p[0])) {
 if (TlsSetup()) {
 continue;
 } else {
@@ -6605,6 +6712,16 @@ static void TlsInit(void) {
 MBEDTLS_SSL_TRANSPORT_STREAM, suite);
 mbedtls_ssl_config_defaults(&confcli, MBEDTLS_SSL_IS_CLIENT,
 MBEDTLS_SSL_TRANSPORT_STREAM, suite);
+ if (suites.n) {
+ mbedtls_ssl_conf_ciphersuites(&conf, suites.p);
+ mbedtls_ssl_conf_ciphersuites(&confcli, suites.p);
+ }
+ if (psks.n) {
+ mbedtls_ssl_conf_psk_cb(&conf, TlsRoutePsk, 0);
+ DCHECK_EQ(0,
+ mbedtls_ssl_conf_psk(&confcli, psks.p[0].key, psks.p[0].key_len,
+ psks.p[0].identity, psks.p[0].identity_len));
+ }
 if (sslticketlifetime > 0) {
 mbedtls_ssl_ticket_setup(&ssltick, mbedtls_ctr_drbg_random, &rng,
 MBEDTLS_CIPHER_AES_256_GCM, sslticketlifetime);
@@ -6628,6 +6745,7 @@ static void TlsInit(void) {
 mbedtls_ssl_conf_authmode(&confcli, MBEDTLS_SSL_VERIFY_NONE);
 }
 mbedtls_ssl_set_bio(&ssl, &g_bio, TlsSend, 0, TlsRecv);
+ conf.disable_compression = confcli.disable_compression = true;
 DCHECK_EQ(0, mbedtls_ssl_conf_alpn_protocols(&conf, kAlpn));
 DCHECK_EQ(0, mbedtls_ssl_conf_alpn_protocols(&confcli, kAlpn));
 DCHECK_EQ(0, mbedtls_ssl_setup(&ssl, &conf));
@@ -6638,6 +6756,11 @@ static void TlsInit(void) {
 static void TlsDestroy(void) {
 #ifndef UNSECURE
 size_t i;
+ for (i = 0; i < psks.n; ++i) {
+ mbedtls_platform_zeroize(psks.p[i].key, psks.p[i].key_len);
+ free(psks.p[i].key);
+ free(psks.p[i].identity);
+ }
 mbedtls_ssl_free(&ssl);
 mbedtls_ssl_free(&sslcli);
 mbedtls_ctr_drbg_free(&rng);
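Review bot: The client-side `mbedtls_ssl_conf_psk` call is wrapped in `DCHECK_EQ`, consistent with how the file already treats `mbedtls_ssl_conf_alpn_protocols`, but it is a call with an essential side effect: if `DCHECK_EQ` compiles its arguments out in release builds the client config would silently get no PSK, so confirm once that it always evaluates and record that at the first such use. Only `psks.p[0]` is installed on the client config while the server learns every key through `TlsRoutePsk`; the help text states this, but a comment here, `/* client: first key only; server: all keys via TlsRoutePsk */`, keeps the two paths from drifting. The `TlsDestroy` loop zeroizes before freeing, which is the right order.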
@@ -6651,9 +6774,11 @@ static void TlsDestroy(void) { /* mbedtls_x509_crt_free(certs.p[i].cert); */ /* mbedtls_pk_free(certs.p[i].key); */ /* } */ - free(certs.p), certs.p = 0, certs.n = 0; - free(ports.p), ports.p = 0, ports.n = 0; - free(ips.p), ips.p = 0, ips.n = 0; + Free(&suites.p), suites.n = 0; + Free(&certs.p), certs.n = 0; + Free(&ports.p), ports.n = 0; + Free(&psks.p), psks.n = 0; + Free(&ips.p), ips.n = 0; #endif }