aes-s390x.pl: Initialize reserved and unused memory

The reserved bytes in the parameter block (bytes 0-11) for the KMA
instruction should be set to zero to be compatible in case of future
architecture changes.

While at it, also the following unused parts of the parameter block
(bytes 48-63) are also cleared to avoid false positives with various
memory checkers like valgrind.

As it makes - performance wise - no difference to process 12, 48 or 64
bytes with one XC call, but two XC calls are slower than one call, the
first 64 bytes of the parameter block will be cleared with a single XC
call. This will also initialize the counter in the parameter block
(bytes 12-15), although it is not strictly necessary.

Co-developed-by: Juergen Christ <jchrist@linux.ibm.com>
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28315)

(cherry picked from commit 899623b29caa02f25e069acbcef581d19fe0a64e)

diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 5d1283f5769029364811a507d976ad14de27e36f..8cc21638e7693d59159a3ae89a2598ccf47defa0 100644 (file)
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -1431,6 +1431,9 @@ $code.=<<___ if (!$softonly);
        st${g}  $s3,0($sp)                      # backchain
        la      %r1,$stdframe($sp)
 
+       xc      $stdframe+0(64,$sp),$stdframe+0($sp)    # clear reserved/unused
+                                                       # in parameter block
+
        lmg     $s2,$s3,0($key)                 # copy key
        stg     $s2,$stdframe+80($sp)
        stg     $s3,$stdframe+88($sp)