Hi, I've compiled a recent SNAP of OpenSSL 1.0.1 (from 18/12). I am pretty sure that the assembly-language code generated for the ghash function (in ghash-x86.s) is incorrect.
The gcm_init_4bit() function generates a 16-entry table of 128-bit values, to be used as a multiplication table. The first value is always zero, while the others usually aren't. The supposedly equivalent gcm_init_clmul() function does not touch indexes 2-16 of the table, and pushes two usually non-zero entries into the first two entries of the table. Notice how %edx holds a pointer to the Htable, while %eax holds a pointer to H. The final two lines of the function put a value in the first ((%edx)) and second (16(%edx)) positions of the table. Clearly, this is wrong.

#-----------------------------------------------------------------------
# gcm_init_clmul -- 32-bit x86, AT&T syntax, both arguments on the stack.
# In:    4(%esp) = destination table pointer (Htable, per the post)
#        8(%esp) = pointer to the 16-byte hash key H
# Out:   32 bytes written at the destination:
#          (%edx)   = H after the half swap, 1-bit left shift and
#                     conditional xor with the constant at .Lbswap+16
#          16(%edx) = that value multiplied by itself (carry-less) and
#                     reduced back to 128 bits
# Clobb: %ecx, %edx, %xmm0-%xmm5, flags untouched by the SSE code
#
# NOTE(review): only the first two 16-byte slots are written here, so
# this output is not interchangeable with the 16-entry table described
# for gcm_init_4bit(). Whether that is a defect depends on which
# multiply routine reads the table afterwards: a PCLMULQDQ-based
# consumer (presumably gcm_gmult_clmul / gcm_ghash_clmul -- not shown
# here, confirm in ghash-x86.pl) would need only these two values, while
# a 4-bit table consumer would read slots this routine never
# initialises and produce wrong tags. The check worth making is that
# init and gmult/ghash are always selected as a matched set.
#-----------------------------------------------------------------------
.globl gcm_init_clmul
.type gcm_init_clmul,@function
.align 16
gcm_init_clmul:
.L_gcm_init_clmul_begin:
        movl 4(%esp),%edx                       # %edx = first argument (table to fill)
        movl 8(%esp),%eax                       # %eax = second argument (H, read-only here)
        call .L010pic                           # call/pop pair: obtain our own address for PIC
.L010pic:
        popl %ecx                               # %ecx = run-time address of .L010pic
        leal .Lbswap-.L010pic(%ecx),%ecx        # %ecx = run-time address of .Lbswap
        movdqu (%eax),%xmm2                     # unaligned 16-byte load of H
        pshufd $78,%xmm2,%xmm2                  # 78 = 0b01001110: swap the two 64-bit halves
        pshufd $255,%xmm2,%xmm4                 # broadcast the top dword to all four lanes
        movdqa %xmm2,%xmm3
        psllq $1,%xmm2                          # shift each 64-bit lane left by one
        pxor %xmm5,%xmm5                        # %xmm5 = 0
        psrlq $63,%xmm3                         # isolate the bit shifted out of each lane
        pcmpgtd %xmm4,%xmm5                     # %xmm5 = all-ones iff the top dword's MSB was set
        pslldq $8,%xmm3                         # carry of the low lane moves into the high lane
        por %xmm3,%xmm2                         # completes a 128-bit left shift by one
        pand 16(%ecx),%xmm5                     # mask the constant at .Lbswap+16 (presumably the
                                                # reduction polynomial -- not shown in this listing)
        pxor %xmm5,%xmm2                        # conditional xor: %xmm2 is the value stored in slot 0
        movdqa %xmm2,%xmm0
        movdqa %xmm0,%xmm1
        pshufd $78,%xmm0,%xmm3
        pshufd $78,%xmm2,%xmm4
        pxor %xmm0,%xmm3                        # %xmm3 = lo ^ hi of the first operand
        pxor %xmm2,%xmm4                        # %xmm4 = lo ^ hi of the second operand
        # The three .byte sequences are hand-encoded PCLMULQDQ (66 0F 3A 44 /r ib),
        # emitted as raw bytes so that assemblers without the mnemonic still build.
        # Together they form a Karatsuba multiply of %xmm2 by itself.
        .byte 102,15,58,68,194,0                # pclmulqdq $0x00,%xmm2,%xmm0  (lo * lo)
        .byte 102,15,58,68,202,17               # pclmulqdq $0x11,%xmm2,%xmm1  (hi * hi)
        .byte 102,15,58,68,220,0                # pclmulqdq $0x00,%xmm4,%xmm3  ((lo^hi) * (lo^hi))
        xorps %xmm0,%xmm3
        xorps %xmm1,%xmm3                       # %xmm3 = middle term of the product
        movdqa %xmm3,%xmm4
        psrldq $8,%xmm3
        pslldq $8,%xmm4
        pxor %xmm3,%xmm1                        # fold the middle term into the high half ...
        pxor %xmm4,%xmm0                        # ... and the low half: product is %xmm1:%xmm0
        # Shift-and-xor reduction of the 256-bit product back to 128 bits.
        # NOTE(review): looks like the usual two-phase GHASH reduction -- confirm
        # against the perlasm source before relying on this description.
        movdqa %xmm0,%xmm3
        psllq $1,%xmm0
        pxor %xmm3,%xmm0
        psllq $5,%xmm0
        pxor %xmm3,%xmm0
        psllq $57,%xmm0
        movdqa %xmm0,%xmm4
        pslldq $8,%xmm0
        psrldq $8,%xmm4
        pxor %xmm3,%xmm0
        pxor %xmm4,%xmm1
        movdqa %xmm0,%xmm4
        psrlq $5,%xmm0
        pxor %xmm4,%xmm0
        psrlq $1,%xmm0
        pxor %xmm4,%xmm0
        pxor %xmm1,%xmm4
        psrlq $1,%xmm0
        pxor %xmm4,%xmm0                        # %xmm0 = reduced square
        movdqu %xmm2,(%edx)                     # slot 0 of the table = processed H
        movdqu %xmm0,16(%edx)                   # slot 1 of the table = its square; nothing else is written
        ret
.size gcm_init_clmul,.-.L_gcm_init_clmul_begin

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org