From patchwork Mon Oct 1 08:36:38 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 147876
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com, omosnace@redhat.com, Ard Biesheuvel
Subject: [PATCH v2 2/2] crypto: aegis/generic - fix for big endian systems
Date: Mon, 1 Oct 2018 10:36:38 +0200
Message-Id: <20181001083638.28325-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20181001083638.28325-1-ard.biesheuvel@linaro.org>
References: <20181001083638.28325-1-ard.biesheuvel@linaro.org>

Use the correct __le32 annotation and accessors to perform the
single round of AES encryption performed inside the AEGIS transform.
Otherwise, tcrypt reports:

  alg: aead: Test 1 failed on encryption for aegis128-generic
  00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e
  alg: aead: Test 1 failed on encryption for aegis128l-generic
  00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28
  alg: aead: Test 1 failed on encryption for aegis256-generic
  00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c

Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations")
Cc: # v4.18+
Signed-off-by: Ard Biesheuvel
---
 crypto/aegis.h | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

-- 
2.17.1

Reviewed-by: Ondrej Mosnacek
diff --git a/crypto/aegis.h b/crypto/aegis.h index f1c6900ddb80..405e025fc906 100644 --- a/crypto/aegis.h +++ b/crypto/aegis.h @@ -21,7 +21,7 @@ union aegis_block { __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; - u32 words32[AEGIS_BLOCK_SIZE / sizeof(u32)]; + __le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)]; u8 bytes[AEGIS_BLOCK_SIZE]; }; @@ -57,24 +57,22 @@ static void crypto_aegis_aesenc(union aegis_block *dst, const union aegis_block *src, const union aegis_block *key) { - u32 *d = dst->words32; const u8 *s = src->bytes; - const u32 *k = key->words32; const u32 *t0 = crypto_ft_tab[0]; const u32 *t1 = crypto_ft_tab[1]; const u32 *t2 = crypto_ft_tab[2]; const u32 *t3 = crypto_ft_tab[3]; u32 d0, d1, d2, d3; - d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]] ^ k[0]; - d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]] ^ k[1]; - d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]] ^ k[2]; - d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]] ^ k[3]; + d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]]; + d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]]; + d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]]; + d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]]; - d[0] = d0; - d[1] = d1; - d[2] = d2; - d[3] = d3; + dst->words32[0] = cpu_to_le32(d0) ^ key->words32[0]; + dst->words32[1] = cpu_to_le32(d1) ^ key->words32[1]; + dst->words32[2] = cpu_to_le32(d2) ^ key->words32[2]; + dst->words32[3] = cpu_to_le32(d3) ^ key->words32[3]; } #endif /* _CRYPTO_AEGIS_H */
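Review bot: in the first hunk, retyping words32 to __le32 inside union aegis_block changes the type for every file that includes crypto/aegis.h, yet crypto_aegis_aesenc is the only user converted in this patch. Please state in the commit message that no other code reads or writes words32 as a native u32; any such access would now trip sparse and would carry the same big endian problem this patch fixes.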
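Review bot: in crypto_aegis_aesenc, the new stores to dst->words32[] are only safe for dst == src because d0..d3 are all computed from src->bytes before the first store, and nothing in the function says so. A one-line comment above the stores would keep a later cleanup from folding the table lookups into the assignments. It is also worth a short note beside cpu_to_le32(d0) that the crypto_ft_tab lookups produce a CPU-order u32 while key->words32[] is already __le32, which is why only the lookup result is converted before the XOR.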