| author | Marvin W <git@larma.de> | 2020-01-22 19:36:13 +0200 |
|---|---|---|
| committer | Jussi Kivilinna <jussi.kivilinna@iki.fi> | 2020-01-22 19:36:13 +0200 |
| commit | 79ed620ec46adbb08f5cea6a4865a95a436e4109 (patch) | |
| tree | cbca007c4a2688debdffd495fa84dd33f8ca2b1e | |
| parent | aa9c78afa1d867bb7b9b3c695cf31a832c9419e5 (diff) | |
| download | libgcrypt-79ed620ec46adbb08f5cea6a4865a95a436e4109.tar.gz | |
Set vZZ.16b register to zero before use in armv8 gcm implementation
* cipher/cipher-gcm-armv8-aarch64-ce.S
(_gcry_ghash_setup_armv8_ce_pmull): Set vZZ to zero.
--
Reported by "Marvin W." at https://dev.gnupg.org/D497:
>
> The register vZZ.16b is expected to be always 0 throughout the macros
> in cipher/cipher-gcm-armv8-aarch64-ce.S. The PMUL_128x128 and REDUCTION
> macros are used in gcry_ghash_setup_armv8_ce_pmull function, however that
> function does not set vZZ.16b to zero. If previous use left `vZZ.16b`
> non-zero before gcry_ghash_setup_armv8_ce_pmull is called, this will cause
> invalid GCM auth tag results.
>
> The patch resets vZZ.16b to 0 at the beginning of
> gcry_ghash_setup_armv8_ce_pmull.
>
[jk: from differential web-ui to commit]
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
-rw-r--r-- | cipher/cipher-gcm-armv8-aarch64-ce.S | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/cipher/cipher-gcm-armv8-aarch64-ce.S b/cipher/cipher-gcm-armv8-aarch64-ce.S index b0c2cccc..877207d3 100644 --- a/cipher/cipher-gcm-armv8-aarch64-ce.S +++ b/cipher/cipher-gcm-armv8-aarch64-ce.S @@ -385,6 +385,8 @@ _gcry_ghash_setup_armv8_ce_pmull: GET_DATA_POINTER(x2, .Lrconst) + eor vZZ.16b, vZZ.16b, vZZ.16b + /* H¹ */ ld1 {rh1.16b}, [x0] rbit rh1.16b, rh1.16b |
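Review bot: the added `eor vZZ.16b, vZZ.16b, vZZ.16b` at the top of `_gcry_ghash_setup_armv8_ce_pmull` carries no comment, although the commit message states that the PMUL_128x128 and REDUCTION macros in this file silently assume vZZ is zero. Put that invariant next to the instruction, e.g. `/* vZZ must be zero: PMUL_128x128 and REDUCTION rely on it */`, so the dependency is visible where it is established and is not dropped by a later refactor. Since the report only covers the setup function, it is also worth confirming in review that every other entry point in this file that expands those macros zeroes vZZ before first use, and that the GCM self-test exercises a setup call after a prior call has left the register non-zero, which is the condition the commit message says produces wrong auth tags.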