crypto/nss_util.cc - Issue 79283002: crypto: disable NSS AES-NI support when AVX is disabled by OS.

Side by Side Diff: crypto/nss_util.cc

Issue 79283002: crypto: disable NSS AES-NI support when AVX is disabled by OS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "crypto/nss_util.h"	5 #include "crypto/nss_util.h"

6 #include "crypto/nss_util_internal.h"	6 #include "crypto/nss_util_internal.h"

7	7

8 #include <nss.h>	8 #include <nss.h>

9 #include <pk11pub.h>	9 #include <pk11pub.h>

10 #include <plarena.h>	10 #include <plarena.h>

11 #include <prerror.h>	11 #include <prerror.h>

12 #include <prinit.h>	12 #include <prinit.h>

13 #include <prtime.h>	13 #include <prtime.h>

14 #include <secmod.h>	14 #include <secmod.h>

	15 #include <stdlib.h>

15	16

16 #if defined(OS_LINUX)	17 #if defined(OS_LINUX)

17 #include <linux/nfs_fs.h>	18 #include <linux/nfs_fs.h>

18 #include <sys/vfs.h>	19 #include <sys/vfs.h>

19 #elif defined(OS_OPENBSD)	20 #elif defined(OS_OPENBSD)

20 #include <sys/mount.h>	21 #include <sys/mount.h>

21 #include <sys/param.h>	22 #include <sys/param.h>

22 #endif	23 #endif

23	24

24 #include <vector>	25 #include <vector>

25	26

	27 #include "base/cpu.h"

26 #include "base/debug/alias.h"	28 #include "base/debug/alias.h"

27 #include "base/debug/stack_trace.h"	29 #include "base/debug/stack_trace.h"

28 #include "base/environment.h"	30 #include "base/environment.h"

29 #include "base/file_util.h"	31 #include "base/file_util.h"

30 #include "base/files/file_path.h"	32 #include "base/files/file_path.h"

31 #include "base/files/scoped_temp_dir.h"	33 #include "base/files/scoped_temp_dir.h"

32 #include "base/lazy_instance.h"	34 #include "base/lazy_instance.h"

33 #include "base/logging.h"	35 #include "base/logging.h"

34 #include "base/memory/scoped_ptr.h"	36 #include "base/memory/scoped_ptr.h"

35 #include "base/metrics/histogram.h"	37 #include "base/metrics/histogram.h"

(...skipping 389 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
425 test_slot_(NULL),	427 test_slot_(NULL),

426 tpm_slot_(NULL),	428 tpm_slot_(NULL),

427 root_(NULL),	429 root_(NULL),

428 chromeos_user_logged_in_(false) {	430 chromeos_user_logged_in_(false) {

429 base::TimeTicks start_time = base::TimeTicks::Now();	431 base::TimeTicks start_time = base::TimeTicks::Now();

430	432

431 // It's safe to construct on any thread, since LazyInstance will prevent any	433 // It's safe to construct on any thread, since LazyInstance will prevent any

432 // other threads from accessing until the constructor is done.	434 // other threads from accessing until the constructor is done.

433 thread_checker_.DetachFromThread();	435 thread_checker_.DetachFromThread();

434	436

	437 DisableAESNIIfNeeded();

	438

435 EnsureNSPRInit();	439 EnsureNSPRInit();

436	440

437 // We must have NSS >= 3.14.3.	441 // We must have NSS >= 3.14.3.

438 COMPILE_ASSERT(	442 COMPILE_ASSERT(

439 (NSS_VMAJOR == 3 && NSS_VMINOR == 14 && NSS_VPATCH >= 3) \|\|	443 (NSS_VMAJOR == 3 && NSS_VMINOR == 14 && NSS_VPATCH >= 3) \|\|

440 (NSS_VMAJOR == 3 && NSS_VMINOR > 14) \|\|	444 (NSS_VMAJOR == 3 && NSS_VMINOR > 14) \|\|

441 (NSS_VMAJOR > 3),	445 (NSS_VMAJOR > 3),

442 nss_version_check_failed);	446 nss_version_check_failed);

443 // Also check the run-time NSS version.	447 // Also check the run-time NSS version.

444 // NSS_VersionCheck is a >= check, not strict equality.	448 // NSS_VersionCheck is a >= check, not strict equality.

(...skipping 172 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
617 if (PK11_NeedUserInit(db_slot))	621 if (PK11_NeedUserInit(db_slot))

618 PK11_InitPin(db_slot, NULL, NULL);	622 PK11_InitPin(db_slot, NULL, NULL);

619 }	623 }

620 else {	624 else {

621 LOG(ERROR) << "Error opening persistent database (" << modspec	625 LOG(ERROR) << "Error opening persistent database (" << modspec

622 << "): " << GetNSSErrorMessage();	626 << "): " << GetNSSErrorMessage();

623 }	627 }

624 return db_slot;	628 return db_slot;

625 }	629 }

626	630

	631 static void DisableAESNIIfNeeded() {

	632 base::CPU cpu;

	633

	634 if (cpu.has_avx_hardware() && !cpu.has_avx()) {

	635 // Some versions of NSS have a bug that causes AVX instructions to be

	636 // used without testing whether XSAVE is enabled by the operating system.

	637 // In order to work around this, we disable AES-NI in NSS when we find

	638 // that \|has_avx()\| is false (which includes the XSAVE test).
	Ryan Sleevi 2013/11/20 21:46:28 Let's include an NSS version check (or softoken ve Let's include an NSS version check (or softoken version check) here so that we're not always disabling it on Linux. The softoken version is exposed via PKCS#11 as part of the library version .major/.minor, which will handle the cases (such as RHEL) where softoken may be older than NSS. bool use_hw_aes_if_present = true; CK_TOKEN_INFO token_info; ScopedPK11Slot slot(PK11_GetInternalSlot()); if (!slot.get() \|\| PK11_GetTokenInfo(slot, &token_info) != SECSuccess) { use_hw_aes_if_present = false; } if (token_info.hardwareVersion.major < XXX \|\| (token_info.hardwareVersion.major == XXX && token_info.hardwareVersion.minor < YYY)) { use_hw_aes_if_present = cpu.has_avx_hardware() && cpu.has_avx(); } if (!use_hw_aes_if_present) { setenv(...) } wtc 2013/11/21 21:03:43 In this particular case, it is enough to check the In this particular case, it is enough to check the version of the main NSS library. We can safely assume this bug will be fixed in NSS 3.15.4. Since Softoken 3.15.3 is not FIPS 140-2 validated, there is no reason for RHEL to use a newer version of NSS with Softoken 3.15.3. We can use the test NSS_VersionCheck("3.15") && !NSS_VersionCheck("3.15.4") to detect the buggy version range (3.15 <= version < 3.15.4). Although the bug was introduced in NSS 3.14.2, there were no NSS PK11_ functions to access AES-GCM until NSS 3.15.
	639 setenv("NSS_DISABLE_HW_AES", "1", 1 /* overwrite */);

	640 }

	641 }

	642

627 // If this is set to true NSS is forced to be initialized without a DB.	643 // If this is set to true NSS is forced to be initialized without a DB.

628 static bool force_nodb_init_;	644 static bool force_nodb_init_;

629	645

630 bool tpm_token_enabled_for_nss_;	646 bool tpm_token_enabled_for_nss_;

631 std::string tpm_token_name_;	647 std::string tpm_token_name_;

632 std::string tpm_user_pin_;	648 std::string tpm_user_pin_;

633 SECMODModule* chaps_module_;	649 SECMODModule* chaps_module_;

634 PK11SlotInfo* software_slot_;	650 PK11SlotInfo* software_slot_;

635 PK11SlotInfo* test_slot_;	651 PK11SlotInfo* test_slot_;

636 PK11SlotInfo* tpm_slot_;	652 PK11SlotInfo* tpm_slot_;

(...skipping 189 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
826	842

827 PK11SlotInfo* GetPublicNSSKeySlot() {	843 PK11SlotInfo* GetPublicNSSKeySlot() {

828 return g_nss_singleton.Get().GetPublicNSSKeySlot();	844 return g_nss_singleton.Get().GetPublicNSSKeySlot();

829 }	845 }

830	846

831 PK11SlotInfo* GetPrivateNSSKeySlot() {	847 PK11SlotInfo* GetPrivateNSSKeySlot() {

832 return g_nss_singleton.Get().GetPrivateNSSKeySlot();	848 return g_nss_singleton.Get().GetPrivateNSSKeySlot();

833 }	849 }

834	850

835 } // namespace crypto	851 } // namespace crypto

OLD	NEW

« no previous file with comments | « base/cpu.cc ('k') | no next file » | no next file with comments »