Restore H (the key) in the GHASH context.

This was removed in a00cafc50ca599cc91f240f5347f0a01cca7bf7d because
none of the assembly actually appeared to need it. However, we found the
assembly that uses it: the MOVBE-based, x86-64 code.

Needing H seems silly since Htable is there, but rather than mess with
the assembly, it's easier to put H back in the structure—now with a
better comment.

Change-Id: Ie038cc4482387264d5e0821664fb41f575826d6f
Reviewed-on: https://boringssl-review.googlesource.com/13122
Reviewed-by: Adam Langley <alangley@gmail.com>
diff --git a/crypto/modes/gcm.c b/crypto/modes/gcm.c
index 21bfa31..1330ad6 100644
--- a/crypto/modes/gcm.c
+++ b/crypto/modes/gcm.c
@@ -351,7 +351,8 @@
 #endif
 
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
-                       u128 out_table[16], const uint8_t *gcm_key) {
+                       u128 *out_key, u128 out_table[16],
+                       const uint8_t *gcm_key) {
   union {
     uint64_t u[2];
     uint8_t c[16];
@@ -363,6 +364,8 @@
   H.u[0] = CRYPTO_bswap8(H.u[0]);
   H.u[1] = CRYPTO_bswap8(H.u[1]);
 
+  OPENSSL_memcpy(out_key, H.c, 16);
+
 #if defined(GHASH_ASM_X86_64)
   if (crypto_gcm_clmul_enabled()) {
     if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
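Review bot: The added copy `OPENSSL_memcpy(out_key, H.c, 16);` repeats the literal 16 rather than tying the length to either operand; `OPENSSL_memcpy(out_key, H.c, sizeof(H.c));` keeps the copy bounded by the source union and cannot silently over-read if the union is ever resized. It would also help a reader to say why the value is exported, since the function already builds |out_table| from it, e.g. `/* The MOVBE-based x86-64 GHASH assembly reads H directly, not only Htable. */`. CRYPTO_ghash_init begins and ends outside this hunk.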
@@ -425,7 +428,7 @@
   OPENSSL_memset(gcm_key, 0, sizeof(gcm_key));
   (*block)(gcm_key, gcm_key, aes_key);
 
-  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, gcm_key);
+  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, gcm_key);
 }
 
 void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
diff --git a/crypto/modes/internal.h b/crypto/modes/internal.h
index 9b579fa..94072ec 100644
--- a/crypto/modes/internal.h
+++ b/crypto/modes/internal.h
@@ -150,6 +150,9 @@
     size_t t[16 / sizeof(size_t)];
   } Yi, EKi, EK0, len, Xi;
 
+  /* Note that the order of |Xi|, |H| and |Htable| is fixed by the MOVBE-based,
+   * x86-64, GHASH assembly. */
+  u128 H;
   u128 Htable[16];
   gmult_func gmult;
   ghash_func ghash;
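Review bot: The new comment records that the assembly fixes the order of |Xi|, |H| and |Htable|, but nothing enforces it, so a later reordering or an inserted field would compile cleanly and only fail in the MOVBE path at run time. If a compile-time assertion macro is available in this header, pinning the relationship next to the comment would make the constraint checkable, e.g. `OPENSSL_COMPILE_ASSERT(offsetof(GCM128_CONTEXT, Htable) == offsetof(GCM128_CONTEXT, H) + sizeof(u128), htable_must_follow_h);` (assuming GCM128_CONTEXT is this struct's typedef; the struct header is above the hunk, and any padding assumption should be confirmed against the assembly). The same applies to the |S|/|H|/|Htable| ordering added to `struct polyval_ctx` in the third hunk of this file.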
@@ -211,7 +214,8 @@
  * |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
  * accelerated) functions for performing operations in the GHASH field. */
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
-                       u128 out_table[16], const uint8_t *gcm_key);
+                       u128 *out_key, u128 out_table[16],
+                       const uint8_t *gcm_key);
 
 /* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
  * the given key. */
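Review bot: The doc comment on CRYPTO_ghash_init, which begins above this hunk, still describes only |out_table|, |*out_mult| and |*out_hash|, so the new |out_key| parameter is undocumented at the declaration. A sentence such as ` * It also writes the derived hash key |H| to |*out_key|; the MOVBE-based x86-64 assembly reads it alongside |out_table|.` would keep the header accurate, with the byte-order detail confirmed against the gcm.c implementation rather than stated here.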
@@ -348,7 +352,10 @@
 } polyval_block;
 
 struct polyval_ctx {
+  /* Note that the order of |S|, |H| and |Htable| is fixed by the MOVBE-based,
+   * x86-64, GHASH assembly. */
   polyval_block S;
+  u128 H;
   u128 Htable[16];
   gmult_func gmult;
   ghash_func ghash;
diff --git a/crypto/modes/polyval.c b/crypto/modes/polyval.c
index 125b256..33d37eb 100644
--- a/crypto/modes/polyval.c
+++ b/crypto/modes/polyval.c
@@ -57,7 +57,7 @@
   OPENSSL_memcpy(H.c, key, 16);
   reverse_and_mulX_ghash(&H);
 
-  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, H.c);
+  CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, H.c);
   OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
 }