From 7b46a0ed5938e28d974757db44cc9d299ad5cb4e Mon Sep 17 00:00:00 2001
From: Patrick Steuer
Date: Thu, 23 Feb 2017 14:03:39 +0100
Subject: [PATCH 02/44] crypto/modes/asm/ghash-s390x.pl: fix gcm_gmult_4bit KIMD code path.

gcm_gmult_4bit KIMD code path assumed that that Xi is processed. However, with iv lengths not equal to 12, the function is also used to process Yi, resulting in wrong ghash computation.

Signed-off-by: Patrick Steuer
---
 crypto/modes/asm/ghash-s390x.pl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/crypto/modes/asm/ghash-s390x.pl b/crypto/modes/asm/ghash-s390x.pl
index f8b038c708..6dbb8232d6 100644
--- a/crypto/modes/asm/ghash-s390x.pl
+++ b/crypto/modes/asm/ghash-s390x.pl
@@ -95,14 +95,23 @@ $code.=<<___ if(!$softonly && 0); # hardware is slow for single block...
 lg %r1,24(%r1) # load second word of kimd capabilities vector
 tmhh %r1,0x4000 # check for function 65
 jz .Lsoft_gmult
+ lghi %r1,-16
 stg %r0,16($sp) # arrange 16 bytes of zero input
 stg %r0,24($sp)
+ la $Htbl,0(%r1,$Htbl) # H lies right before Htable
+
 lghi %r0,65 # function 65
- la %r1,0($Xi) # H lies right after Xi in gcm128_context
+ la %r1,32($sp)
+ mvc 32(16,$sp),0($Xi) # copy Xi/Yi
+ mvc 48(16,$sp),0($Htbl) # copy H
 la $inp,16($sp)
 lghi $len,16
 .long 0xb93e0004 # kimd %r0,$inp
 brc 1,.-4 # pay attention to "partial completion"
+
+ mvc 0(16,$Xi),32($sp) xc 32(32,$sp),32($sp) # wipe stack
+
 br %r14
 .align 32
 .Lsoft_gmult:
-- 
2.13.6
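Review bot: The corrected KIMD path is still behind `$code.=<<___ if(!$softonly && 0);` in the hunk header, so this heredoc is never emitted and the fix cannot be exercised by the build or by GCM test vectors with non-96-bit IVs that motivated it; either enable it under the existing capability check or state on that line, e.g. `# KIMD single-block path intentionally compiled out (slower than soft path)`, that it is dead by design. The copy/wipe sequence itself reads consistently: the 32-byte parameter block at 32($sp) holds Xi/Yi followed by H, the result is copied back to `$Xi`, and the added `xc` clears both halves of the block afterwards. The `lghi %r1,-16` / `la $Htbl,0(%r1,$Htbl)` pair depends on H being the 16 bytes immediately preceding Htable in gcm128_context, which the comment asserts but nothing in the assembly checks; a comment on the `la` line such as `# relies on gcm128_context layout: H immediately precedes Htable -- keep in sync with modes_local.h` would make that coupling explicit for whoever next changes the struct. The prologue of gcm_gmult_4bit lies outside the hunk.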