search

dot-asm / cryptogams

CRYPTOGAMS distribution repository
Other
56 stars 16 forks source link

Missing files and patches present in OpenSSL #7

Open ansasaki opened 4 years ago

ansasaki commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files.

The CRYPTOGAMS code present in OpenSSL states that it is double licensed under CRYPTOGAMS and OpenSSL, but the license that applies depends on where the code is obtained from.

GnuTLS uses the CRYPTOGAMS implementation and claims to use the code under BSD 3-clause license, but obtains it from the OpenSSL repository.

Trying to fix this by obtaining the code directly from this repository, I found the following missing files which are present in OpenSSL repository, but not in this repository:

GnuTLS also uses the following file which is not double licensed:

Would it be possible to add the missing code and patches to this repository?

hjl-tools commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files.

The CRYPTOGAMS code present in OpenSSL states that it is double licensed under CRYPTOGAMS and OpenSSL, but the license that applies depends on where the code is obtained from.

GnuTLS uses the CRYPTOGAMS implementation and claims to use the code under BSD 3-clause license, but obtains it from the OpenSSL repository.

Trying to fix this by obtaining the code directly from this repository, I found the following missing files which are present in OpenSSL repository, but not in this repository:

  • openssl/crypto/modes/asm/aesni-gcm-x86_64.pl
  • openssl/engines/asm/e_padlock-x86_64.pl
  • openssl/engines/asm/e_padlock-x86.pl
  • openssl/crypto/modes/asm/ghashv8-armx.pl
  • openssl/crypto/modes/asm/ghash-x86_64.pl
  • openssl/crypto/modes/asm/ghash-x86.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha256-586.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha512-586.pl

If they are missing from CRYPTOGAMS, are they used by GnuTLS?

GnuTLS also uses the following file which is not double licensed:

  • openssl/crypto/sha/asm/sha512-x86_64.pl

Would it be possible to add the missing code and patches to this repository?

What is the proper procedure to fix issues like these?

ansasaki commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files. The CRYPTOGAMS code present in OpenSSL states that it is double licensed under CRYPTOGAMS and OpenSSL, but the license that applies depends on where the code is obtained from. GnuTLS uses the CRYPTOGAMS implementation and claims to use the code under BSD 3-clause license, but obtains it from the OpenSSL repository. Trying to fix this by obtaining the code directly from this repository, I found the following missing files which are present in OpenSSL repository, but not in this repository:

  • openssl/crypto/modes/asm/aesni-gcm-x86_64.pl
  • openssl/engines/asm/e_padlock-x86_64.pl
  • openssl/engines/asm/e_padlock-x86.pl
  • openssl/crypto/modes/asm/ghashv8-armx.pl
  • openssl/crypto/modes/asm/ghash-x86_64.pl
  • openssl/crypto/modes/asm/ghash-x86.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha256-586.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha512-586.pl

If they are missing from CRYPTOGAMS, are they used by GnuTLS?

This is the list of files used by GnuTLS from OpenSSL which are not present in this repository.

GnuTLS also uses the following file which is not double licensed:

  • openssl/crypto/sha/asm/sha512-x86_64.pl

Would it be possible to add the missing code and patches to this repository?

What is the proper procedure to fix issues like these?

For me there are two ways:

  1. The missing files and patches are added to this repository and GnuTLS gets the code from here (which I'm trying to address with this issue). This way GnuTLS will have all the necessary code and the license issue would be fixed.
  2. GnuTLS continues to get the code from OpenSSL and changes the license it uses. The patches would need to be applied to OpenSSL's stable branch. I don't know if the new OpenSSL license is compatible with the GnuTLS license.
hjl-tools commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files. The CRYPTOGAMS code present in OpenSSL states that it is double licensed under CRYPTOGAMS and OpenSSL, but the license that applies depends on where the code is obtained from. GnuTLS uses the CRYPTOGAMS implementation and claims to use the code under BSD 3-clause license, but obtains it from the OpenSSL repository. Trying to fix this by obtaining the code directly from this repository, I found the following missing files which are present in OpenSSL repository, but not in this repository:

  • openssl/crypto/modes/asm/aesni-gcm-x86_64.pl
  • openssl/engines/asm/e_padlock-x86_64.pl
  • openssl/engines/asm/e_padlock-x86.pl
  • openssl/crypto/modes/asm/ghashv8-armx.pl
  • openssl/crypto/modes/asm/ghash-x86_64.pl
  • openssl/crypto/modes/asm/ghash-x86.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha256-586.pl
  • openssl/crypto/sha/asm/sha512-armv8.pl
  • openssl/crypto/sha/asm/sha512-586.pl

If they are missing from CRYPTOGAMS, are they used by GnuTLS?

This is the list of files used by GnuTLS from OpenSSL which are not present in this repository.

So GnuTLS WANTS to use CRYPTOGAMS, not actually IS USING CRYPTOGAMS due to the issues mentioned here.

GnuTLS also uses the following file which is not double licensed:

  • openssl/crypto/sha/asm/sha512-x86_64.pl

Would it be possible to add the missing code and patches to this repository?

What is the proper procedure to fix issues like these?

For me there are two ways:

  1. The missing files and patches are added to this repository and GnuTLS gets the code from here (which I'm trying to address with this issue). This way GnuTLS will have all the necessary code and the license issue would be fixed.

So CRYPTOGAMS isn't kept to update with OpenSSL.

  1. GnuTLS continues to get the code from OpenSSL and changes the license it uses. The patches would need to be applied to OpenSSL's stable branch. I don't know if the new OpenSSL license is compatible with the GnuTLS license.

I have CET backports to OpenSSL's stable branch is at

https://github.com/hjl-tools/openssl/tree/hjl/cet/OpenSSL_1_1_1-stable

But I can't help you with license.

dot-asm commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files.

OpenSSL uses inadequate approach, see https://github.com/openssl/openssl/pull/9007#issuecomment-497348785, and corresponding 6d0e025514b0097ed0e9b72585a9f524d9fd431d.

As for missing files. I've added missing armv8 and will keep reviewing and adding others. For example sha512-x86_64.pl needs an overhaul, one of code paths confuses profiler...

noloader commented 4 years ago

Good job Andy. Cryptogams is one of those hidden gems on the web.

ansasaki commented 4 years ago

I want to enable Intel CET in GnuTLS, which uses the CRYPTOGAMS implementation. Comparing the code in this repository with the code available in OpenSSL, there are missing patches (specially those from @hjl-tools enabling Intel CET) and missing files.

OpenSSL uses inadequate approach, see openssl/openssl#9007 (comment), and corresponding 6d0e025.

Thank you for pointing me to the right direction!

As for missing files. I've added missing armv8 and will keep reviewing and adding others. For example sha512-x86_64.pl needs an overhaul, one of code paths confuses profiler...

Thank you very much!

dot-asm commented 4 years ago

sha512-x86_64 is overhauled, but it takes even updated x86_64-xlate...

xnox commented 4 years ago

I'm not sure if that's of help or not, but I've create the pull reuqest to submit @hjl-tools CET OpenSSL 1.1.1 patches into the 1.1.1-Stable branch. The cla-check approved them, meaning at least 1.1.1 branch with hjl-tools patches is still licensed in a way compatible with lgpl v2.1+ suitable for usage by gnutls.

Separately, gnutls is license as lgpl v2.1+ which is compatible with apache2, if the resulting combination is then upgraded to lgpl v3.

q66 commented 4 years ago

@dot-asm there are also some missing files for ppc, particularly the stuff under bn/ like ppc-mont.pl despite those files claiming to be a part of cryptogams - is that intentional?

bluerise commented 3 years ago

Looks like aes-gcm-armv8_64.pl also hasn't yet made the jump to cryptogams. :/ Would be nice to have, since for OpenBSD we'd need to pull it from cryptogams (instead of OpenSSL) due to licensing issues.

dwmw2 commented 3 years ago

Please could I add aesni-sha1-x86_64.pl and x86_64cpuid.pl to the list. As well as an update to sha1-x86_64.pl which is very much older than the one in OpenSSL.

ryancdotorg commented 3 years ago

I'd also appreciate having sha1-x86_64.pl updated for parity with OpenSSL.