author | Adam Langley <alangley@gmail.com> | 2017-01-12 16:15:20 -0800 |
---|---|---|
committer | Adam Langley <alangley@gmail.com> | 2017-01-16 16:53:32 +0000 |
commit | abb32cc00dd4086f7b2213a5d3ecd223be937831 (patch) | |
tree | a6a984713613a8b6bef36377c268d7d9c4934007 | |
parent | 67ccf59161156071cd16be2fb3dff5911b95b869 (diff) | |
Restore H (the key) in the GHASH context.
This was removed in a00cafc50ca599cc91f240f5347f0a01cca7bf7d because
none of the assembly actually appeared to need it. However, we found the
assembly that uses it: the MOVBE-based x86-64 code.
Needing H seems silly since Htable is there, but rather than mess with
the assembly, it's easier to put H back in the structure—now with a
better comment.
Change-Id: Ie038cc4482387264d5e0821664fb41f575826d6f
Reviewed-on: https://boringssl-review.googlesource.com/13122
Reviewed-by: Adam Langley <alangley@gmail.com>
-rw-r--r-- | crypto/modes/gcm.c | 7 | ||||
-rw-r--r-- | crypto/modes/internal.h | 9 | ||||
-rw-r--r-- | crypto/modes/polyval.c | 2 |
3 files changed, 14 insertions, 4 deletions
diff --git a/crypto/modes/gcm.c b/crypto/modes/gcm.c
index 21bfa31..1330ad6 100644
--- a/crypto/modes/gcm.c
+++ b/crypto/modes/gcm.c
@@ -351,7 +351,8 @@ void gcm_ghash_p8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
 #endif
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
- u128 out_table[16], const uint8_t *gcm_key) {
+ u128 *out_key, u128 out_table[16],
+ const uint8_t *gcm_key) {
 union {
 uint64_t u[2];
 uint8_t c[16];
@@ -363,6 +364,8 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
 H.u[0] = CRYPTO_bswap8(H.u[0]);
 H.u[1] = CRYPTO_bswap8(H.u[1]);
+ OPENSSL_memcpy(out_key, H.c, 16);
+
 #if defined(GHASH_ASM_X86_64)
 if (crypto_gcm_clmul_enabled()) {
 if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
@@ -425,7 +428,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *aes_key,
 OPENSSL_memset(gcm_key, 0, sizeof(gcm_key));
 (*block)(gcm_key, gcm_key, aes_key);
- CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, gcm_key);
+ CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, gcm_key);
 }
 void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
diff --git a/crypto/modes/internal.h b/crypto/modes/internal.h
index 9b579fa..94072ec 100644
--- a/crypto/modes/internal.h
+++ b/crypto/modes/internal.h
@@ -150,6 +150,9 @@ struct gcm128_context {
 size_t t[16 / sizeof(size_t)];
 } Yi, EKi, EK0, len, Xi;
+ /* Note that the order of |Xi|, |H| and |Htable| is fixed by the MOVBE-based,
+ * x86-64, GHASH assembly. */
+ u128 H;
 u128 Htable[16];
 gmult_func gmult;
 ghash_func ghash;
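Review bot: The new `OPENSSL_memcpy(out_key, H.c, 16);` in the second hunk carries no comment saying why a second copy of the key is kept when |out_table| is derived from the same value, so the line reads as redundant and invites exactly the removal the commit message says happened in a00cafc50ca599cc91f240f5347f0a01cca7bf7d. I would add directly above it: `/* Some assembly implementations (currently the AVX+MOVBE x86-64 GHASH code) read |H| directly as well as |Htable|, so keep a copy of the key next to the table. */`. The hunk also shows the copy is taken after the two CRYPTO_bswap8 calls, so the comment should state that |*out_key| holds the swapped representation rather than the raw |gcm_key| bytes, since that is what the assembly presumably expects. CRYPTO_ghash_init's body continues outside the hunk.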
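Review bot: The added comment in the internal.h hunk says the order of |Xi|, |H| and |Htable| is fixed by the MOVBE x86-64 assembly, but nothing in struct gcm128_context enforces it, so a later reordering, an inserted field or padding would compile cleanly and silently hand the assembly the wrong key material. Since the layout is now an ABI shared with assembly, I would back the comment with compile-time checks next to the struct, e.g. `OPENSSL_COMPILE_ASSERT(offsetof(struct gcm128_context, H) == offsetof(struct gcm128_context, Xi) + 16, h_must_follow_xi);` and a matching one for |Htable| following |H|, using whichever static-assert macro the tree provides and the offsets the assembly actually assumes, which are not visible here. A check that `sizeof(u128) == 16` would pin the stride the comment implicitly relies on. struct gcm128_context starts before the hunk and continues after it.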
@@ -211,7 +214,8 @@ typedef struct gcm128_context GCM128_CONTEXT;
 * |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
 * accelerated) functions for performing operations in the GHASH field. */
 void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
- u128 out_table[16], const uint8_t *gcm_key);
+ u128 *out_key, u128 out_table[16],
+ const uint8_t *gcm_key);
 /* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
 * the given key. */
@@ -348,7 +352,10 @@ typedef union {
 } polyval_block;
 struct polyval_ctx {
+ /* Note that the order of |S|, |H| and |Htable| is fixed by the MOVBE-based,
+ * x86-64, GHASH assembly. */
 polyval_block S;
+ u128 H;
 u128 Htable[16];
 gmult_func gmult;
 ghash_func ghash;
diff --git a/crypto/modes/polyval.c b/crypto/modes/polyval.c
index 125b256..33d37eb 100644
--- a/crypto/modes/polyval.c
+++ b/crypto/modes/polyval.c
@@ -57,7 +57,7 @@ void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
 OPENSSL_memcpy(H.c, key, 16);
 reverse_and_mulX_ghash(&H);
- CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, H.c);
+ CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, H.c);
 OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));
 }
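Review bot: The CRYPTO_ghash_init prototype gains `u128 *out_key`, but the part of its doc comment visible in the first hunk still describes only |out_table|, |*out_mult| and |*out_hash|, so the new output parameter is undocumented at the declaration callers read. I would extend the comment with: `It also writes the (byte-swapped) GHASH key H to |*out_key|; some assembly implementations read it alongside |out_table|, so callers should keep the two adjacent as the context structs do.` The comment begins before the hunk, so if |out_key| is already covered there this can be dropped.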