[openssl/openssl] cd854f: Fix GHASH-ASM implementation on s390x

openssl-machine noreply at github.com
Tue Aug 9 09:56:11 UTC 2022


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: cd854f225bbef9561fad680e2628dfd55be1b141
      https://github.com/openssl/openssl/commit/cd854f225bbef9561fad680e2628dfd55be1b141
  Author: Juergen Christ <jchrist at linux.ibm.com>
  Date:   2022-08-09 (Tue, 09 Aug 2022)

  Changed paths:
    M crypto/modes/asm/ghash-s390x.pl

  Log Message:
  -----------
  Fix GHASH-ASM implementation on s390x

s390x GHASH assembler implementation assumed it was called from a
gcm128_context structure where the Xi parameter to the ghash function was
embedded in that structure.  Since the structure layout resembles the parameter
block required for kimd-GHASH, the assembler code simply assumed the 128 bytes
after Xi are the hash subkey.

This assumption was broken with the introduction of AES-GCM-SIV which uses the
GHASH implementation without a gcm128_context structure.  Furthermore, the
bytes following the Xi input parameter to the GHASH function do not contain
the hash subkey.  To fix this, we remove the assumption about the calling
context and build the parameter block on the stack.  This requires some
copying of data to and from the stack.  While this introduces a performance
degradation, new systems anyway use kma for GHASH/AES-GCM.

Finally fixes #18693 for s390x.

Signed-off-by: Juergen Christ <jchrist at linux.ibm.com>

Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18939)
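The bug class described in the commit message, a hash routine that silently reads its subkey from whatever memory follows Xi, shown as an added portable C illustration that is not OpenSSL's code and not the s390x assembler. The GF(2^128) multiply is a plain software reference, the (Xi, H) parameter block is built on the stack as the fix describes, `check_layouts`, `ghash_blocks` and `ghash_explicit` are names chosen here, the filler bytes are constructed, and H, C and X1 are the GCM specification's test case 2 values.

```c
#include <stdint.h>
#include <string.h>
/* GF(2^128) multiply (SP 800-38D Algorithm 1): Xi <- Xi * H.  A portable
 * software reference for illustration, not the s390x kimd instruction. */
static void gf128_mul(uint8_t Xi[16], const uint8_t H[16]) {
    uint8_t Z[16] = {0}, V[16];
    memcpy(V, H, 16);
    for (int i = 0; i < 128; i++) {
        if (Xi[i / 8] & (0x80 >> (i % 8)))
            for (int j = 0; j < 16; j++) Z[j] ^= V[j];
        int lsb = V[15] & 1;
        for (int j = 15; j > 0; j--) V[j] = (uint8_t)((V[j] >> 1) | (V[j - 1] << 7));
        V[0] >>= 1;
        if (lsb) V[0] ^= 0xe1;
    }
    memcpy(Xi, Z, 16);
}
/* Xi <- GHASH of the whole 16-byte blocks in inp under subkey H. */
static void ghash_blocks(uint8_t *Xi, const uint8_t *H, const uint8_t *inp, size_t len) {
    for (size_t off = 0; off + 16 <= len; off += 16) {
        for (int j = 0; j < 16; j++) Xi[j] ^= inp[off + j];
        gf128_mul(Xi, H);
    }
}
/* Fixed shape: explicit (Xi, H) parameter block on the stack, independent of the caller's layout. */
static void ghash_explicit(uint8_t *Xi, const uint8_t *H, const uint8_t *inp, size_t len) {
    uint8_t param[32];
    memcpy(param, Xi, 16);
    memcpy(param + 16, H, 16);
    ghash_blocks(param, param + 16, inp, len);
    memcpy(Xi, param, 16);
}
/* H and C from the GCM spec, test case 2; X1 = C * H is the expected Xi. */
static const uint8_t SPEC_H[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                   0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
static const uint8_t SPEC_C[16] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,
                                   0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78};
static const uint8_t SPEC_X1[16] = {0x5e,0x2e,0xc7,0x46,0x91,0x70,0x62,0x88,
                                    0x2c,0x85,0xb0,0x68,0x53,0x53,0xde,0xb7};
/* Old shape (subkey read from the bytes after Xi) vs. the fixed shape, one block.
 * embedded=1: Xi then H as in gcm128_context; 0: unrelated bytes follow Xi, as in
 * a standalone caller.  Bit 0: both shapes agree.  Bit 1: fixed shape equals X1. */
int check_layouts(int embedded) {
    uint8_t ctx[32] = {0}, Xi[16] = {0};
    memset(ctx + 16, 0x5a, 16);               /* constructed filler bytes */
    if (embedded) memcpy(ctx + 16, SPEC_H, 16);
    ghash_blocks(ctx, ctx + 16, SPEC_C, 16);  /* old: subkey assumed at Xi + 16 */
    ghash_explicit(Xi, SPEC_H, SPEC_C, 16);
    return (memcmp(ctx, Xi, 16) == 0) | ((memcmp(Xi, SPEC_X1, 16) == 0) << 1);
}
```

With Xi embedded ahead of H both shapes produce the spec value; with a standalone buffer only the explicit parameter block does, which is the failure AES-GCM-SIV exposed.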

More information about the openssl-commits mailing list