From 2f1112b22a826dc8854b41b60a422c987f8ddafb Mon Sep 17 00:00:00 2001
From: Rohan McLure
Date: Thu, 30 Jun 2022 16:21:06 +1000
Subject: Fix unrolled montgomery multiplication for POWER9

In the reference C implementation in bn_asm.c, tp[num + 1] contains the carry bit for accumulations into tp[num]. tp[num + 1] is only ever assigned, never itself incremented.

Reviewed-by: Hugo Landau
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18883)
---
 crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'crypto/bn/asm')

diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
index 0fb397bc5f..e27d0ad93d 100755
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
@@ -63,6 +63,7 @@ my $SIZE_T= 8;
 # Registers are global so the code is remotely readable
 
 # Parameters for Montgomery multiplication
+my $ze = "r0";
 my $sp = "r1";
 my $toc = "r2";
 my $rp = "r3";
@@ -192,6 +193,7 @@ ___
 $self->save_registers();
 
 $self->add_code(<<___);
+ li $ze,0
 ld $n0,0($n0)
 ld $bp0,0($bp)
 
@@ -242,7 +244,7 @@ ___
 
 $self->add_code(<<___);
 addc $tp[$n],$tp[$n],$c0
- addze $tp[$n+1],$tp[$n+1]
+ addze $tp[$n+1],$ze
 ___
 
 $self->add_code(<<___);
@@ -272,7 +274,7 @@ ___
 and. $tp[$n],$tp[$n],$tp[$n]
 bne $label->{"sub"}
 
- cmpld $tp[$n-1],$npj
+ cmpld $tp[$n-1],$npj
 blt $label->{"copy"}
 
 $label->{"sub"}:
-- 
cgit v1.2.3
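Review bot: The new `$ze` definition carries an invariant that none of the neighbouring register names do — it must hold zero whenever the `addze` two hunks later executes — and nothing at the definition says so. Suggest `my $ze = "r0";      # constant zero; loaded once by "li $ze,0" after save_registers()`. It is also worth noting next to it that r0 is a volatile scratch register in the PowerPC ELF ABI and reads as literal 0 when used in the RA slot of D-form loads/stores and addi, so it must never be reused as a base or accumulator; that restriction is what makes it a safe choice here, but only if it stays documented.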
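Review bot: The `li $ze,0` is emitted after `$self->save_registers()` and the code relies on that order, yet the hunk gives no hint why; if save_registers() uses r0 as a scratch register (typical for saving LR, but its body is outside this hunk) then moving the `li` above it would silently break every carry in the unrolled body. A one-line comment in the heredoc, `# r0 is scratch in the prologue; zero it only after save_registers()`, would pin the ordering for the next editor. The enclosing method starts and ends outside the hunk.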
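Review bot: The corrected `addze $tp[$n+1],$ze` is right only as long as r0 is still zero at this point, and the unrolled body between the prologue load and this line is not visible here, so any instruction or perlasm helper that touches r0 in between would corrupt tp[n+1] without any assembler-level error. The intent stated in the commit message (tp[num+1] is assigned the carry, never accumulated) should be recorded at the site of the fix, e.g. `addze $tp[$n+1],$ze      # tp[n+1] = CA only, as in bn_asm.c; $ze must still be 0`. Consider also a sanity check in the generator that the register string `"r0"` is not handed out to any other `$tp`/temporary name, since the breakage would otherwise surface only as wrong big-number results. The enclosing method starts and ends outside the hunk.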