[PATCH] Set vZZ.16b register to zero before use in armv8 gcm implementation

Jussi Kivilinna jussi.kivilinna at iki.fi
Sun Jan 19 09:40:54 CET 2020

* cipher/cipher-gcm-armv8-aarch64-ce.S
(_gcry_ghash_setup_armv8_ce_pmull): Set vZZ to zero.

Reported by: Marvin W.

@ https://dev.gnupg.org/D497:
> The register vZZ.16b is expected to be always 0 throughout the macros
> in cipher/cipher-gcm-armv8-aarch64-ce.S. The PMUL_128x128 and REDUCTION
> macros are used in gcry_ghash_setup_armv8_ce_pmull function, however that
> function does not set vZZ.16b to zero. If previous use left `vZZ.16b`
> non-zero before gcry_ghash_setup_armv8_ce_pmull is called, this will cause
> invalid GCM auth tag results.
> The patch resets vZZ.16b to 0 at the beginning of
> gcry_ghash_setup_armv8_ce_pmull.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>

diff --git a/cipher/cipher-gcm-armv8-aarch64-ce.S b/cipher/cipher-gcm-armv8-aarch64-ce.S
index b0c2cccc6..877207d3e 100644
--- a/cipher/cipher-gcm-armv8-aarch64-ce.S
+++ b/cipher/cipher-gcm-armv8-aarch64-ce.S
@@ -385,6 +385,8 @@ _gcry_ghash_setup_armv8_ce_pmull:
   GET_DATA_POINTER(x2, .Lrconst)
+  eor vZZ.16b, vZZ.16b, vZZ.16b
   /* H¹ */
   ld1 {rh1.16b}, [x0]
   rbit rh1.16b, rh1.16b
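Review bot: the added `eor vZZ.16b, vZZ.16b, vZZ.16b` is the right fix but carries no comment, and the invariant it restores (PMUL_128x128 and REDUCTION assume vZZ is always zero, per the commit message) is otherwise recorded nowhere near the code that relies on it. Suggest a one-line comment beside the eor, e.g. `/* vZZ must be zero for PMUL_128x128 / REDUCTION */`, so anyone adding another entry point that uses these macros knows to zero vZZ at entry as well. Separately, the hunk header `@@ -385,6 +385,8 @@` advertises two added lines but only one `+` line and five lines in total are visible here, so the archived rendering appears to have dropped a line; worth checking the applied patch against the repository rather than this mail.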

More information about the Gcrypt-devel mailing list