Reenable AES-NI in libcrypto

The OPENSSL_cpu_caps() change after the last bump missed a crucial bit:
there is more MD mess in the MI code than anticipated, with the result
that AES is now used without AES-NI on amd64 and i386, hurting machines
that previously greatly benefitted from it.

Temporarily add an internal crypto_cpu_caps_ia32() API that returns the
OPENSSL_ia32cap_P or 0 like OPENSSL_cpu_caps() previously did. This can
be improved after the release.

Regression reported and fix tested by Mark Patruck.
No impact on public ABI or API.

with/ok jsing

PS: Next time my pkg_add feels very slow, I should perhaps not mechanically
blame IEEE 802.11...

4 files changed, 29 insertions, 10 deletions

diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index d929b0daaa..59e6456bbb 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptlib.c,v 1.53 2024/08/31 12:43:58 jsing Exp $ */
+/* $OpenBSD: cryptlib.c,v 1.54 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -334,6 +334,12 @@ CRYPTO_THREADID_hash(const CRYPTO_THREADID *id)
 
 uint64_t OPENSSL_ia32cap_P;
 
+uint64_t
+crypto_cpu_caps_ia32(void)
+{
+        return OPENSSL_ia32cap_P;
+}
+
 #if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM)
 #define OPENSSL_CPUID_SETUP
 void
@@ -352,6 +358,12 @@ OPENSSL_cpuid_setup(void)
 }
 #endif
 
+#else
+uint64_t
+crypto_cpu_caps_ia32(void)
+{
+        return 0;
+}
 #endif
 
 #if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
diff --git a/src/lib/libcrypto/crypto_internal.h b/src/lib/libcrypto/crypto_internal.h
index 7676076f67..fc617472ad 100644
--- a/src/lib/libcrypto/crypto_internal.h
+++ b/src/lib/libcrypto/crypto_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_internal.h,v 1.11 2024/08/11 13:02:39 jsing Exp $ */
+/*      $OpenBSD: crypto_internal.h,v 1.12 2024/09/06 09:57:32 tb Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -220,4 +220,6 @@ crypto_ror_u64(uint64_t v, size_t shift)
 }
 #endif
 
+uint64_t crypto_cpu_caps_ia32(void);
+
 #endif
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 6135c7d84a..7753c18c15 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.58 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -55,6 +55,8 @@
 
 #include <openssl/opensslconf.h>
 
+#include "crypto_internal.h"
+
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
 #include <openssl/err.h>
@@ -154,7 +156,7 @@ void AES_xts_decrypt(const char *inp, char *out, size_t len,
 #include "x86_arch.h"
 
 #ifdef VPAES_ASM
-#define VPAES_CAPABLE   (OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3)
+#define VPAES_CAPABLE   (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3)
 #endif
 #ifdef BSAES_ASM
 #define BSAES_CAPABLE   VPAES_CAPABLE
@@ -162,7 +164,7 @@ void AES_xts_decrypt(const char *inp, char *out, size_t len,
 /*
  * AES-NI section
  */
-#define AESNI_CAPABLE   (OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI)
+#define AESNI_CAPABLE   (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
 
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
     AES_KEY *key);
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index cbda8ad097..6c89bd44b7 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.26 2023/08/10 07:18:43 jsing Exp $ */
+/* $OpenBSD: gcm128.c,v 1.27 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -50,9 +50,12 @@
 
 #define OPENSSL_FIPSAPI
 
+#include <string.h>
+
 #include <openssl/crypto.h>
+
+#include "crypto_internal.h"
 #include "modes_local.h"
-#include <string.h>
 
 #ifndef MODES_DEBUG
 # ifndef NDEBUG
@@ -660,7 +663,7 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
 # if    defined(GHASH_ASM_X86_OR_64)
 #  if   !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
         /* check FXSR and PCLMULQDQ bits */
-        if ((OPENSSL_cpu_caps() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
+        if ((crypto_cpu_caps_ia32() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
             (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) {
                 gcm_init_clmul(ctx->Htable, ctx->H.u);
                 ctx->gmult = gcm_gmult_clmul;
@@ -671,9 +674,9 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
         gcm_init_4bit(ctx->Htable, ctx->H.u);
 #  if   defined(GHASH_ASM_X86)                  /* x86 only */
 #   if  defined(OPENSSL_IA32_SSE2)
-        if (OPENSSL_cpu_caps() & CPUCAP_MASK_SSE) {     /* check SSE bit */
+        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSE) { /* check SSE bit */
 #   else
-        if (OPENSSL_cpu_caps() & CPUCAP_MASK_MMX) {     /* check MMX bit */
+        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_MMX) { /* check MMX bit */
 #   endif
                 ctx->gmult = gcm_gmult_4bit_mmx;
                 ctx->ghash = gcm_ghash_4bit_mmx;