openssl/crypto/modes/asm
Juergen Christ cd854f225b Fix GHASH-ASM implementation on s390x
s390x GHASH assembler implementation assumed it was called from a
gcm128_context structure where the Xi paramter to the ghash function was
embedded in that structure.  Since the structure layout resembles the paramter
block required for kimd-GHASH, the assembler code simply assumed the 128 bytes
after Xi are the hash subkey.

This assumption was broken with the introduction of AES-GCM-SIV which uses the
GHASH implementation without a gcm128_context structure.  Furthermore, the
bytes following the Xi input parameter to the GHASH function do not contain
the hash subkey.  To fix this, we remove the assumption about the calling
context and build the parameter block on the stack.  This requires some
copying of data to and from the stack.  While this introduces a performance
degradation, new systems anyway use kma for GHASH/AES-GCM.

Finally fixes #18693 for s390x.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18939)
2022-08-09 10:52:08 +01:00
..
aes-gcm-armv8_64.pl aarch64: support BTI and pointer authentication in assembly 2021-10-01 09:35:38 +02:00
aes-gcm-armv8-unroll8_64.pl Update copyright year 2022-05-03 13:34:51 +01:00
aes-gcm-avx512.pl Update copyright year 2022-05-03 13:34:51 +01:00
aes-gcm-ppc.pl Update copyright year 2022-05-03 13:34:51 +01:00
aesni-gcm-x86_64.pl
ghash-alpha.pl
ghash-armv4.pl
ghash-c64xplus.pl
ghash-ia64.pl
ghash-parisc.pl
ghash-riscv64.pl Add clmul-based gmult for riscv64 with Zbb, Zbc 2022-05-19 16:32:49 +10:00
ghash-s390x.pl Fix GHASH-ASM implementation on s390x 2022-08-09 10:52:08 +01:00
ghash-sparcv9.pl
ghash-x86_64.pl
ghash-x86.pl
ghashp8-ppc.pl
ghashv8-armx.pl Update copyright year 2022-05-03 13:34:51 +01:00