Set vZZ.16b register to zero before use in armv8 gcm implementation
Needs ReviewPublic

Authored by larma on Jan 16 2020, 9:27 PM.

Details

Reviewers
jukivili
Summary

The register vZZ.16b is expected to be always 0 throughout the macros in cipher/cipher-gcm-armv8-aarch64-ce.S. The PMUL_128x128 and REDUCTION macros are used in gcry_ghash_setup_armv8_ce_pmull function, however that function does not set vZZ.16b to zero. If previous use left `vZZ.16b non-zero before gcry_ghash_setup_armv8_ce_pmull is called, this will cause invalid GCM auth tag results.

The patch resets vZZ.16b to 0 at the beginning of gcry_ghash_setup_armv8_ce_pmull.

Test Plan

This fixes a bug when using the OMEMO encryption in Dino (XMPP client) on arm64 Debian bullseye (with dino-im package from Debian repository or when compiling current master from source). The first OMEMO encrypted message always worked fine, but every later message with more than 96 bytes had an invalid auth tag.

Diff Detail

Repository
rC libgcrypt
Lint
Lint Skipped
Unit
Unit Tests Skipped
larma created this revision.Jan 16 2020, 9:27 PM
larma created this object with visibility "larma (Marvin W.)".
larma retitled this revision from Correctly 0 out vZZ.16b register before usage in aarchv8 gcm implementation to Set vZZ.16b register to zero before use in armv8 gcm implementation.Jan 16 2020, 9:36 PM
larma edited the summary of this revision. (Show Details)
larma changed the visibility from "larma (Marvin W.)" to "Public (No Login Required)".
larma changed the edit policy from "All Users" to "larma (Marvin W.)".

It looks good.

Please add @jukivili as a reviewer.

Thanks for bug fix. I've prepared patch and send it to mailing list https://lists.gnupg.org/pipermail/gcrypt-devel/2020-January/004885.html. Let me know if Reported-by is ok/enough. I would have liked to put you as author of commit, but this Differential interface of quite horrible and does not give all the needed information (mainly "name <email>" format for git).

I've also prepared patch to tests/basic for better detecting this sort of bugs in future, https://lists.gnupg.org/pipermail/gcrypt-devel/2020-January/004884.html

larma added a comment.Jan 21 2020, 9:27 PM

@jukivili thanks for looking into this. If you want, you can go with "Marvin W. <git at larma.de>" or just keep as is.