1 files changed, 12 insertions, 20 deletions

diff --git a/crypto/modes/asm/ghash-s390x.pl b/crypto/modes/asm/ghash-s390x.pl
index ba9c5b4a4f..0ae6adbf61 100644
--- a/crypto/modes/asm/ghash-s390x.pl
+++ b/crypto/modes/asm/ghash-s390x.pl
@@ -90,25 +90,6 @@ $code.=<<___;
 .align	32
 gcm_gmult_4bit:
 ___
-$code.=<<___ if(!$softonly && 0);	# hardware is slow for single block...
-	larl	%r1,OPENSSL_s390xcap_P
-	lghi	%r0,0
-	lg	%r1,S390X_KIMD+8(%r1)	# load second word of kimd capabilities
-					#  vector
-	tmhh	%r1,0x4000	# check for function 65
-	jz	.Lsoft_gmult
-	stg	%r0,16($sp)	# arrange 16 bytes of zero input
-	stg	%r0,24($sp)
-	lghi	%r0,S390X_GHASH	# function 65
-	la	%r1,0($Xi)	# H lies right after Xi in gcm128_context
-	la	$inp,16($sp)
-	lghi	$len,16
-	.long	0xb93e0004	# kimd %r0,$inp
-	brc	1,.-4		# pay attention to "partial completion"
-	br	%r14
-.align	32
-.Lsoft_gmult:
-___
 $code.=<<___;
 	stm${g}	%r6,%r14,6*$SIZE_T($sp)
 
@@ -132,10 +113,21 @@ $code.=<<___ if(!$softonly);
 					#  vector
 	tmhh	%r0,0x4000	# check for function 65
 	jz	.Lsoft_ghash
+	# Do not assume this function is called from a gcm128_context.
+	# This is not true, e.g., for AES-GCM-SIV.
+	# Parameter Block:
+	# Chaining Value (XI) 128byte
+	# Key (Htable[8]) 128byte
+	lmg	%r0,%r1,0($Xi)
+	stmg	%r0,%r1,8($sp)
+	lmg	%r0,%r1,8*16($Htbl)
+	stmg	%r0,%r1,24($sp)
+	la	%r1,8($sp)
 	lghi	%r0,S390X_GHASH	# function 65
-	la	%r1,0($Xi)	# H lies right after Xi in gcm128_context
 	.long	0xb93e0004	# kimd %r0,$inp
 	brc	1,.-4		# pay attention to "partial completion"
+	lmg	%r0,%r1,8($sp)
+	stmg	%r0,%r1,0($Xi)
 	br	%r14
 .align	32
 .Lsoft_ghash: