AES-GCM: Add function pointer trampolines to avoid delocator issue

[jakemas]

Delocate AES, GCM, and cipher wrapper functions

On AArch64, the delocator can patch up the computation of function pointers only if the pointers can be computed with a PC-relative offset in the range (-1MB, 1MB).

For the function pointer computations in crypto/fipsmodule/aes/mode_wrappers.c, crypto/fipsmodule/cipher/e_aes.c, and crypto/fipsmodule/modes/gcm.c, this bounds condition is about to be violated by further code additions to AWS-LC, as witnessed in AES-unrelated PRs.

This commit preventatively fixes the issue by adding function pointer trampolines to these files: These are stub functions immediately branching into the desired assembly routines, but close enough to the C code computing their address to ensure that their addresses will be computable using a PC-relative offset.

This fix is similar to previous delocator fixes addressing the same AArch64 PC-relative offset limitation, see #2165, #2294 for examples.

AWS-LC-Verification

As there are SAW proofs for AES GCM, these changes affect the proofs (formal-verification / fv-saw-x86_64-aes-gcm (pull_request)) and require changes in aws-lc-verification to continue proof support -- this has been added in awslabs/aws-lc-verification#180.

Testing:

Stability of the fix was tested in #2903 which added ~10,000 lines of additional AVX2 backend.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 72.22222% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.21%. Comparing base (406a018) to head (363ba1b).

Files with missing lines	Patch %	Lines
crypto/fipsmodule/cipher/e_aes.c	66.66%	3 Missing ⚠️
crypto/fipsmodule/aes/mode_wrappers.c	77.77%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2919      +/-   ##
==========================================
- Coverage   78.22%   78.21%   -0.01%     
==========================================
  Files         690      690              
  Lines      118745   118750       +5     
  Branches    16680    16679       -1     
==========================================
- Hits        92890    92885       -5     
- Misses      24968    24976       +8     
- Partials      887      889       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[nebeid]

Can we collect benchmarks on c6i, c7i, c6g, c7g and r8g for GCM init and encrypt/decrypt. Just to make sure the trampoline is not noticeable?

[jakemas]

Ok benchmarked c6i, c7i, c6g, c7g and r8g on Main vs delocate-aes-gcm-wrappers (Deloc). The delocate-aes-gcm-wrappers branch demonstrates no significant performance impact from trampoline wrappers across all tested instance types. A summary of ./tool/bssl speed -filter GCM is shown.

Operation                                   c6i Main   c6i Deloc   Diff%     c7i Main   c7i Deloc   Diff%     c6g Main   c6g Deloc   Diff%     c7g Main   c7g Deloc   Diff%     r8g Main   r8g Deloc   Diff%
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AEAD-AES-128-GCM open init                 8,170,730   8,170,804   0.00%   13,395,710  13,585,416   1.42%    7,123,343   7,244,199   1.70%   10,453,156  10,462,520   0.09%   12,575,887  12,557,374  -0.15%
AEAD-AES-128-GCM seal init                 8,166,288   8,168,338   0.03%   13,459,502  13,569,256   0.82%    7,131,615   7,207,899   1.07%   10,371,448  10,475,864   1.01%   12,596,574  12,581,987  -0.12%
AEAD-AES-256-GCM open init                 7,333,375   7,486,888   2.09%   11,988,317  12,240,780   2.11%    6,940,688   6,948,431   0.11%   10,107,828  10,053,089  -0.54%   12,269,350  12,105,237  -1.34%
AEAD-AES-256-GCM seal init                 7,332,478   7,485,334   2.08%   11,960,019  12,200,018   2.01%    6,928,806   6,940,292   0.17%   10,083,450  10,049,319  -0.34%   12,256,091  12,209,329  -0.38%
EVP-AES-128-GCM decrypt init               6,096,378   6,108,719   0.20%    7,298,546   7,250,246  -0.66%    4,741,711   4,726,429  -0.32%    6,806,648   6,800,803  -0.09%    7,612,583   7,579,651  -0.43%
EVP-AES-128-GCM encrypt init               6,092,044   6,108,585   0.27%    7,315,210   7,236,030  -1.08%    4,739,616   4,726,508  -0.28%    6,823,481   6,810,251  -0.19%    7,620,627   7,580,265  -0.53%
EVP-AES-192-GCM decrypt init               6,014,404   6,021,807   0.12%    7,442,668   7,465,660   0.31%    4,664,587   4,669,503   0.11%    6,595,230   6,631,137   0.54%    7,440,433   7,486,820   0.62%
EVP-AES-192-GCM encrypt init               6,014,283   6,031,934   0.29%    7,487,858   7,445,176  -0.57%    4,665,629   4,671,708   0.13%    6,599,618   6,640,084   0.61%    7,441,743   7,485,235   0.58%
EVP-AES-256-GCM decrypt init               5,765,264   5,772,448   0.12%    7,590,227   7,567,705  -0.30%    4,556,790   4,593,302   0.80%    6,480,760   6,493,042   0.19%    7,386,919   7,426,747   0.54%
EVP-AES-256-GCM encrypt init               5,761,816   5,781,717   0.35%    7,620,520   7,605,424  -0.20%    4,561,653   4,577,995   0.36%    6,491,072   6,495,153   0.06%    7,388,514   7,430,324   0.57%

Summary:
- c6i: 0.00% to +2.09% Improvement (avg: +0.55%)
- c7i : -1.08% to +2.11% Improvement (avg: +0.47%)
- c6g (Graviton2): -0.32% to +1.70% Improvement (avg: +0.38%)
- c7g (Graviton3): -0.54% to +1.01% Improvement (avg: +0.13%)
- r8g (Graviton4): -1.34% to +0.62% Improvement (avg: -0.06%)