mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
cd854f225b
s390x GHASH assembler implementation assumed it was called from a gcm128_context structure where the Xi paramter to the ghash function was embedded in that structure. Since the structure layout resembles the paramter block required for kimd-GHASH, the assembler code simply assumed the 128 bytes after Xi are the hash subkey. This assumption was broken with the introduction of AES-GCM-SIV which uses the GHASH implementation without a gcm128_context structure. Furthermore, the bytes following the Xi input parameter to the GHASH function do not contain the hash subkey. To fix this, we remove the assumption about the calling context and build the parameter block on the stack. This requires some copying of data to and from the stack. While this introduces a performance degradation, new systems anyway use kma for GHASH/AES-GCM. Finally fixes #18693 for s390x. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18939) |
||
---|---|---|
.. | ||
aes-gcm-armv8_64.pl | ||
aes-gcm-armv8-unroll8_64.pl | ||
aes-gcm-avx512.pl | ||
aes-gcm-ppc.pl | ||
aesni-gcm-x86_64.pl | ||
ghash-alpha.pl | ||
ghash-armv4.pl | ||
ghash-c64xplus.pl | ||
ghash-ia64.pl | ||
ghash-parisc.pl | ||
ghash-riscv64.pl | ||
ghash-s390x.pl | ||
ghash-sparcv9.pl | ||
ghash-x86_64.pl | ||
ghash-x86.pl | ||
ghashp8-ppc.pl | ||
ghashv8-armx.pl |