From patchwork Sun Sep 30 08:58:58 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 147855
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com, omosnace@redhat.com, Ard Biesheuvel
Subject: [PATCH 1/2] crypto: morus/generic - fix for big endian systems
Date: Sun, 30 Sep 2018 10:58:58 +0200
Message-Id: <20180930085859.15038-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20180930085859.15038-1-ard.biesheuvel@linaro.org>

Omit the endian swabbing when folding the lengths of the assoc and crypt
input buffers into the state to finalize the tag. This is not necessary
given that the memory representation of the state is in machine native
endianness already.

This fixes an error reported by tcrypt running on a big endian system:

  alg: aead: Test 2 failed on encryption for morus640-generic
  00000000: a8 30 ef fb e6 26 eb 23 b0 87 dd 98 57 f3 e1 4b
  00000010: 21
  alg: aead: Test 2 failed on encryption for morus1280-generic
  00000000: 88 19 1b fb 1c 29 49 0e ee 82 2f cb 97 a6 a5 ee
  00000010: 5f

Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
Cc: # v4.18+
Signed-off-by: Ard Biesheuvel
---
 crypto/morus1280.c |  7 ++-----
 crypto/morus640.c  | 16 ++++------------
 2 files changed, 6 insertions(+), 17 deletions(-)

-- 
2.19.0

Reviewed-by: Ondrej Mosnacek

diff --git a/crypto/morus1280.c b/crypto/morus1280.c index d057cf5ac4a8..3889c188f266 100644 --- a/crypto/morus1280.c +++ b/crypto/morus1280.c @@ -385,14 +385,11 @@ static void crypto_morus1280_final(struct morus1280_state *state, struct morus1280_block *tag_xor, u64 assoclen, u64 cryptlen) { - u64 assocbits = assoclen * 8; - u64 cryptbits = cryptlen * 8; - struct morus1280_block tmp; unsigned int i; - tmp.words[0] = cpu_to_le64(assocbits); - tmp.words[1] = cpu_to_le64(cryptbits); + tmp.words[0] = assoclen * 8; + tmp.words[1] = cryptlen * 8; tmp.words[2] = 0; tmp.words[3] = 0; diff --git a/crypto/morus640.c b/crypto/morus640.c index 1ca76e54281b..da06ec2f6a80 100644 --- a/crypto/morus640.c +++ b/crypto/morus640.c
@@ -384,21 +384,13 @@ static void crypto_morus640_final(struct morus640_state *state, struct morus640_block *tag_xor, u64 assoclen, u64 cryptlen) { - u64 assocbits = assoclen * 8; - u64 cryptbits = cryptlen * 8; - - u32 assocbits_lo = (u32)assocbits; - u32 assocbits_hi = (u32)(assocbits >> 32); - u32 cryptbits_lo = (u32)cryptbits; - u32 cryptbits_hi = (u32)(cryptbits >> 32); - struct morus640_block tmp; unsigned int i; - tmp.words[0] = cpu_to_le32(assocbits_lo); - tmp.words[1] = cpu_to_le32(assocbits_hi); - tmp.words[2] = cpu_to_le32(cryptbits_lo); - tmp.words[3] = cpu_to_le32(cryptbits_hi); + tmp.words[0] = lower_32_bits(assoclen * 8); + tmp.words[1] = upper_32_bits(assoclen * 8); + tmp.words[2] = lower_32_bits(cryptlen * 8); + tmp.words[3] = upper_32_bits(cryptlen * 8); for (i = 0; i < MORUS_BLOCK_WORDS; i++) state->s[4].words[i] ^= state->s[0].words[i];

From patchwork Sun Sep 30 08:58:59 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 147856
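Review bot: the morus1280 hunk of patch 1/2 now stores `assoclen * 8` straight into tmp.words[], which is only correct because struct morus1280_block keeps its words in CPU-native order; the commit message says so, the code does not. A one-line comment above `tmp.words[0] = assoclen * 8;` stating that the state is native-endian would stop someone from reintroducing cpu_to_le64() later and would make clear that no __le64 annotation belongs on words[].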
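Review bot: the morus640 hunk of patch 1/2 evaluates `assoclen * 8` and `cryptlen * 8` twice each and relies on lower_32_bits()/upper_32_bits() from linux/kernel.h without adding an include. Keeping the removed `u64 assocbits`/`u64 cryptbits` locals (minus the cpu_to_le32() calls) and splitting those would read more clearly and keep the 64-bit width of the bit count explicit; and it is worth confirming that morus640.c already pulls in linux/kernel.h through its existing headers.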
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com, omosnace@redhat.com, Ard Biesheuvel
Subject: [PATCH 2/2] crypto: aegis/generic - fix for big endian systems
Date: Sun, 30 Sep 2018 10:58:59 +0200
Message-Id: <20180930085859.15038-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20180930085859.15038-1-ard.biesheuvel@linaro.org>

Use the correct __le32 annotation and accessors to perform the single
round of AES encryption performed inside the AEGIS transform. Otherwise,
tcrypt reports:

  alg: aead: Test 1 failed on encryption for aegis128-generic
  00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e
  alg: aead: Test 1 failed on encryption for aegis128l-generic
  00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28
  alg: aead: Test 1 failed on encryption for aegis256-generic
  00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c

While at it, let's refer to the first precomputed table only, and derive
the other ones by rotation. This reduces the D-cache footprint by 75%,
and shouldn't be too costly or free on load/store architectures (and
X86 has its own AES-NI based implementation).

Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations")
Cc: # v4.18+
Signed-off-by: Ard Biesheuvel
---
 crypto/aegis.h | 23 +++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

-- 
2.19.0

diff --git a/crypto/aegis.h b/crypto/aegis.h index f1c6900ddb80..84d3e07a3c33 100644 --- a/crypto/aegis.h +++ b/crypto/aegis.h @@ -21,7 +21,7 @@ union aegis_block { __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; - u32 words32[AEGIS_BLOCK_SIZE / sizeof(u32)]; + __le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)]; u8 bytes[AEGIS_BLOCK_SIZE]; };
@@ -59,22 +59,19 @@ static void crypto_aegis_aesenc(union aegis_block *dst, { u32 *d = dst->words32; const u8 *s = src->bytes; - const u32 *k = key->words32; + const __le32 *k = key->words32; const u32 *t0 = crypto_ft_tab[0]; - const u32 *t1 = crypto_ft_tab[1]; - const u32 *t2 = crypto_ft_tab[2]; - const u32 *t3 = crypto_ft_tab[3]; u32 d0, d1, d2, d3; - d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]] ^ k[0]; - d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]] ^ k[1]; - d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]] ^ k[2]; - d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]] ^ k[3]; + d0 = t0[s[ 0]] ^ rol32(t0[s[ 5]], 8) ^ rol32(t0[s[10]], 16) ^ rol32(t0[s[15]], 24); + d1 = t0[s[ 4]] ^ rol32(t0[s[ 9]], 8) ^ rol32(t0[s[14]], 16) ^ rol32(t0[s[ 3]], 24); + d2 = t0[s[ 8]] ^ rol32(t0[s[13]], 8) ^ rol32(t0[s[ 2]], 16) ^ rol32(t0[s[ 7]], 24); + d3 = t0[s[12]] ^ rol32(t0[s[ 1]], 8) ^ rol32(t0[s[ 6]], 16) ^ rol32(t0[s[11]], 24); - d[0] = d0; - d[1] = d1; - d[2] = d2; - d[3] = d3; + d[0] = cpu_to_le32(d0 ^ le32_to_cpu(k[0])); + d[1] = cpu_to_le32(d1 ^ le32_to_cpu(k[1])); + d[2] = cpu_to_le32(d2 ^ le32_to_cpu(k[2])); + d[3] = cpu_to_le32(d3 ^ le32_to_cpu(k[3])); } #endif /* _CRYPTO_AEGIS_H */
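Review bot: once the union hunk turns words32 into __le32, the unchanged `u32 *d = dst->words32;` context line in the crypto_aegis_aesenc hunk assigns a `__le32 *` to a `u32 *`, which sparse will flag and which defeats the purpose of the annotation; declare `d` as `__le32 *` (as the hunk already does for `k`), and audit any other users of words32 outside this header that still treat it as plain u32.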
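Review bot: in the crypto_aegis_aesenc hunk each key word is converted twice, `le32_to_cpu(k[i])` on the way in and `cpu_to_le32(d_i ^ ...)` on the way out; since XOR commutes with a byte swap, `d[0] = cpu_to_le32(d0) ^ k[0]` produces the same bytes with one conversion per word and keeps both operands __le32. Two further checks: rol32() comes from linux/bitops.h and the hunk adds no include, and a one-line comment next to the rol32() lookups saying that crypto_ft_tab[1..3] are the byte rotations of crypto_ft_tab[0] would document why dropping t1..t3 is correct.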
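As an added example (not part of the patch or of the kernel's aegis.h), the C program below regenerates the AES S-box and a stand-in for crypto_ft_tab[0], computes each AES round column the way the patched crypto_aegis_aesenc() does (T0 plus rol32(), no t1..t3) and checks it against a byte-wise SubBytes/ShiftRows/MixColumns round; it also shows why the result has to be stored with cpu_to_le32(): a byte-reversed store, which is what the old plain u32 store produced on a big-endian host, no longer matches the reference bytes. The table byte layout and the sample state are assumptions of the example.

```c
#include <stdint.h>
static uint8_t  sbox[256];
static uint32_t ft0[256];   /* stand-in for crypto_ft_tab[0]: bytes (2S, S, S, 3S), byte 0 in the low bits */
static const uint8_t idx[4][4] = {{0,5,10,15},{4,9,14,3},{8,13,2,7},{12,1,6,11}}; /* ShiftRows, as in aegis.h */

static uint8_t  xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint32_t rol32(uint32_t w, int n) { return (w << n) | (w >> (32 - n)); }

static void init_tables(void)
{
    uint8_t p = 1, q = 1;
    do {    /* p walks GF(2^8)* by x3 while q tracks 1/p; then the S-box affine map */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4); if (q & 0x80) q ^= 0x09;
        sbox[p] = (uint8_t)(q ^ (q << 1 | q >> 7) ^ (q << 2 | q >> 6) ^ (q << 3 | q >> 5) ^ (q << 4 | q >> 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
    for (int i = 0; i < 256; i++)
        ft0[i] = xtime(sbox[i]) | (uint32_t)sbox[i] << 8 | (uint32_t)sbox[i] << 16 | (uint32_t)(xtime(sbox[i]) ^ sbox[i]) << 24;
}

/* Column c as the patched crypto_aegis_aesenc() computes it: T0 only, T1..T3 replaced by rol32() of T0. */
static uint32_t column_tables(const uint8_t s[16], int c)
{
    return ft0[s[idx[c][0]]] ^ rol32(ft0[s[idx[c][1]]], 8) ^ rol32(ft0[s[idx[c][2]]], 16) ^ rol32(ft0[s[idx[c][3]]], 24);
}

/* Same column byte by byte (SubBytes, ShiftRows via idx, MixColumns), packed with byte 0 lowest. */
static uint32_t column_ref(const uint8_t s[16], int c)
{
    uint8_t a0 = sbox[s[idx[c][0]]], a1 = sbox[s[idx[c][1]]], a2 = sbox[s[idx[c][2]]], a3 = sbox[s[idx[c][3]]];
    uint8_t o0 = xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3, o1 = a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3;
    uint8_t o2 = a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3, o3 = xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3);
    return o0 | (uint32_t)o1 << 8 | (uint32_t)o2 << 16 | (uint32_t)o3 << 24;
}

/* Counts columns of a constructed sample state whose stored word equals the reference: swapped == 0 stores
 * byte 0 lowest (cpu_to_le32() on any host, the fix); swapped == 1 byte-reverses it (old u32 store on big-endian). */
int columns_matching(int swapped)
{
    uint8_t s[16]; int ok = 0;
    init_tables();
    for (int i = 0; i < 16; i++) s[i] = (uint8_t)(i * 17 + 3);   /* constructed sample state */
    for (int c = 0; c < 4; c++) {
        uint32_t d = column_tables(s, c);
        if (swapped) d = (d >> 24) | ((d >> 8) & 0xff00) | ((d << 8) & 0xff0000) | (d << 24);
        ok += (d == column_ref(s, c));
    }
    return ok;
}
```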