Check for PMULL in gcm_sha3_capable This file uses both SHA3 (for EOR3) and PMULL instructions, but it was only checking for the SHA3 bit. This is largely moot because we also, in the caller, check for AES instructions and the Armv8.2 spec currently groups AES and PMULL features together. But, in theory, they could split them up, so we should check this bit too. While I'm here, tidy things up: make the ABI tests match the actual code, and name the function eor3 to reference the implementation, not the CPU bit. Change-Id: I7c2788eeaa6a67611647b8218077439a035faafa Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/93468 Reviewed-by: Xiangfei Ding <xfding@google.com> Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Xiangfei Ding <xfding@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/fipsmodule/aes/gcm.cc.inc b/crypto/fipsmodule/aes/gcm.cc.inc
index 308e349..73beb8b 100644
--- a/crypto/fipsmodule/aes/gcm.cc.inc
+++ b/crypto/fipsmodule/aes/gcm.cc.inc
@@ -286,8 +286,7 @@
     gcm_key->impl = gcm_x86_aesni;
   }
 #elif defined(OPENSSL_AARCH64)
-  // SHA3 and EOR3 belong to the same ISA extension.
-  if (gcm_sha3_capable() && is_hwaes) {
+  if (gcm_eor3_capable() && is_hwaes) {
     gcm_key->impl = gcm_arm64_aes_eor3;
   } else if (gcm_pmull_capable() && is_hwaes) {
     gcm_key->impl = gcm_arm64_aes;
diff --git a/crypto/fipsmodule/aes/gcm_test.cc b/crypto/fipsmodule/aes/gcm_test.cc
index baa4b93..e8afeb4 100644
--- a/crypto/fipsmodule/aes/gcm_test.cc
+++ b/crypto/fipsmodule/aes/gcm_test.cc
@@ -171,8 +171,7 @@
                 Htable);
     }
   }
-  if (hwaes_capable() && gcm_pmull_capable() &&
-      CRYPTO_is_ARMv8_SHA3_capable()) {
+  if (hwaes_capable() && gcm_eor3_capable()) {
     static const uint8_t kKey[16] = {0};
     uint8_t iv[16] = {0};
diff --git a/crypto/fipsmodule/aes/internal.h b/crypto/fipsmodule/aes/internal.h
index 4723afd..db62703 100644
--- a/crypto/fipsmodule/aes/internal.h
+++ b/crypto/fipsmodule/aes/internal.h
@@ -482,7 +482,10 @@
 #define GCM_FUNCREF
 inline int gcm_pmull_capable() { return CRYPTO_is_ARMv8_PMULL_capable(); }
-inline int gcm_sha3_capable() { return CRYPTO_is_ARMv8_SHA3_capable(); }
+inline int gcm_eor3_capable() {
+  // SHA3 and EOR3 belong to the same ISA extension.
+  return CRYPTO_is_ARMv8_PMULL_capable() && CRYPTO_is_ARMv8_SHA3_capable();
+}
 extern "C" void gcm_init_v8(u128 Htable[16], const uint64_t H[2]);
 extern "C" void gcm_gmult_v8(uint8_t Xi[16], const u128 Htable[16]);
@@ -506,11 +509,13 @@
                                    void *out, void *Xi, uint8_t *ivec,
                                    const AES_KEY *key, const u128 Htable[16]);
 extern "C" void aes_gcm_enc_kernel_eor3(const uint8_t *in, uint64_t in_bits,
-                                   void *out, void *Xi, uint8_t *ivec,
-                                   const AES_KEY *key, const u128 Htable[16]);
+                                        void *out, void *Xi, uint8_t *ivec,
+                                        const AES_KEY *key,
+                                        const u128 Htable[16]);
 extern "C" void aes_gcm_dec_kernel_eor3(const uint8_t *in, uint64_t in_bits,
-                                   void *out, void *Xi, uint8_t *ivec,
-                                   const AES_KEY *key, const u128 Htable[16]);
+                                        void *out, void *Xi, uint8_t *ivec,
+                                        const AES_KEY *key,
+                                        const u128 Htable[16]);
 #endif
 #endif
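Review bot: The comment carried into gcm_eor3_capable() still only explains the SHA3 half of the condition, while the newly added CRYPTO_is_ARMv8_PMULL_capable() term on the return line is left unexplained in the header; the reason given in the commit message (the EOR3 GCM kernel also executes PMULL instructions, and the caller's AES check only happens to imply PMULL today) belongs next to the code so a later cleanup does not drop the PMULL term as redundant. I would replace the comment with `// The EOR3 GCM kernel uses both PMULL and EOR3. EOR3 has no feature bit of its own; it belongs to the same ISA extension as SHA3, so that bit is checked for it.` The second hunk in this file is a whitespace-only realignment of the eor3 kernel prototypes and needs no change.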