From 4115440aa7c833490c2c2646d2bf0dabbd9ceb7b Mon Sep 17 00:00:00 2001
From: Solar Designer
Date: Sat, 30 Nov 2024 04:42:47 +0100
Subject: [PATCH 1/3] Specify register clobbers in mbedtls_aesni_crypt_ecb()
Signed-off-by: Solar Designer
---
 library/aesni.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/aesni.c b/library/aesni.c
index 74bae91f5e..3bfc8d0578 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -460,7 +460,7 @@ int mbedtls_aesni_crypt_ecb(mbedtls_aes_context *ctx,
 "movdqu %%xmm0, (%4) \n\t" // export output
 :
 : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
- : "memory", "cc", "xmm0", "xmm1");
+ : "memory", "cc", "xmm0", "xmm1", "0", "1");
 return 0;
From 4ad27aa47ef1db7815980bece810489dc029c6c9 Mon Sep 17 00:00:00 2001
From: Solar Designer
Date: Sun, 8 Dec 2024 18:55:53 +0100
Subject: [PATCH 2/3] Specify previously missed XMM register clobbers in AES-NI asm blocks
Noticed by Gilles Peskine
Co-authored-by: Gilles Peskine
Signed-off-by: Solar Designer
---
 library/aesni.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/aesni.c b/library/aesni.c
index 3bfc8d0578..7491f8d980 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -648,7 +648,7 @@ static void aesni_setkey_enc_128(unsigned char *rk,
 AESKEYGENA(xmm0_xmm1, "0x36")
 "call 1b \n\t"
 :
 : "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "0");
 }
 /*
@@ -705,7 +705,7 @@ static void aesni_setkey_enc_192(unsigned char *rk,
 :
 : "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
 }
 /*
@@ -771,7 +771,7 @@ static void aesni_setkey_enc_256(unsigned char *rk,
 AESKEYGENA(xmm1_xmm2, "0x40")
 "call 1b \n\t"
 :
 : "r" (rk), "r" (key)
- : "memory", "cc", "0");
+ : "memory", "cc", "xmm0", "xmm1", "xmm2", "0");
 }
 #endif /* MBEDTLS_AESNI_HAVE_CODE */
From 1cd6fb57f9355ffa9ca4fad61c52f3a5e74c2b17 Mon Sep 17 00:00:00 2001
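Review bot: The clobbers `"0"` and `"1"` added on the last operand line of the mbedtls_aesni_crypt_ecb() hunk do not refer to operands %0 and %1; as far as I can tell GCC accepts a bare decimal clobber string as a hardware register number (on x86 that is %rax and %rdx), so if the asm body advances %0 (ctx->nr) and %1 (ctx->rk) — the body starts outside the hunk, so this is inferred from the clobber's evident intent — the compiler still assumes those input registers are unchanged and may reuse them after the statement. The pre-existing `"0"` clobber in the aesni_setkey_enc_128/192/256 hunks at -648, -705 and -771 has the same meaning, and those hunks only add the XMM clobbers. The robust form is to copy the modified values into locals of the fields' declared types before the asm and declare them as read-write, early-clobber outputs, `: "+&r" (nr), "+&r" (rk)`, keeping `mode`, `input` and `output` as inputs and dropping the numeric clobbers; %0–%4 keep their numbers because outputs are numbered first. Once the statement has outputs it is no longer implicitly volatile, so `asm volatile` on the opening line (also outside the hunk) keeps the store through %4 from being discarded.
```c
    asm volatile (
    // … unchanged: asm body through "movdqu %%xmm0, (%4)"; nr and rk are locals copied from ctx …
         : "+&r" (nr), "+&r" (rk)                  // %0 and %1 are advanced by the asm body
         : "r" (mode), "r" (input), "r" (output)
         : "memory", "cc", "xmm0", "xmm1");
```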
From: Solar Designer
Date: Wed, 11 Dec 2024 02:47:20 +0100
Subject: [PATCH 3/3] Add change log entry on AES-NI asm block fixes
Co-authored-by: Gilles Peskine
Signed-off-by: Solar Designer
---
 ChangeLog.d/fix-aesni-asm-clobbers.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/fix-aesni-asm-clobbers.txt
diff --git a/ChangeLog.d/fix-aesni-asm-clobbers.txt b/ChangeLog.d/fix-aesni-asm-clobbers.txt
new file mode 100644
index 0000000000..538f0c5115
--- /dev/null
+++ b/ChangeLog.d/fix-aesni-asm-clobbers.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix missing constraints on the AES-NI inline assembly which is used on
+ GCC-like compilers when building AES for generic x86_64 targets. This
+ may have resulted in incorrect code with some compilers, depending on
+ optimizations. Fixes #9819.