Merge pull request #9848 from solardiz/mbedtls-3.6
[Backport 3.6] Specify previously missed register clobbers in AES-NI asm blocks
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
new file mode 100644
index 0000000..538f0c5
--- /dev/null
+++ b/ChangeLog.d/fix-aesni-asm-clobbers.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix missing constraints on the AES-NI inline assembly which is used on
+ GCC-like compilers when building AES for generic x86_64 targets. This
+ may have resulted in incorrect code with some compilers, depending on
+ optimizations. Fixes #9819.
diff --git a/library/aesni.c b/library/aesni.c
index 8e5bd55..4fc1cb9 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -489,7 +489,7 @@
"movdqu %%xmm0, (%4) \n\t" // export output
:
: "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
- : "memory", "cc", "xmm0", "xmm1");
+ : "memory", "cc", "xmm0", "xmm1", "0", "1");
return 0;
@@ -679,7 +679,7 @@
AESKEYGENA(xmm0_xmm1, "0x36") "call 1b \n\t"
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "0");
}
/*
@@ -737,7 +737,7 @@
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
@@ -805,7 +805,7 @@
AESKEYGENA(xmm1_xmm2, "0x40") "call 1b \n\t"
:
: "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */