diff options
| author | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2018-10-01 04:36:38 -0400 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-10-08 01:44:53 -0400 |
| commit | 4a34e3c2f2f48f47213702a84a123af0fe21ad60 (patch) | |
| tree | 7aa30c05b6323f47a335c2852b29ef3d647f34ac /crypto/aegis.h | |
| parent | 5a8dedfa3276e88c5865f265195d63d72aec3e72 (diff) | |
crypto: aegis/generic - fix for big endian systems
Use the correct __le32 annotation and accessors to perform the
single round of AES encryption performed inside the AEGIS transform.
Otherwise, tcrypt reports:
alg: aead: Test 1 failed on encryption for aegis128-generic
00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e
alg: aead: Test 1 failed on encryption for aegis128l-generic
00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28
alg: aead: Test 1 failed on encryption for aegis256-generic
00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c
Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations")
Cc: <stable@vger.kernel.org> # v4.18+
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/aegis.h')
| -rw-r--r-- | crypto/aegis.h | 20 |
1 files changed, 9 insertions, 11 deletions
diff --git a/crypto/aegis.h b/crypto/aegis.h index f1c6900ddb80..405e025fc906 100644 --- a/crypto/aegis.h +++ b/crypto/aegis.h | |||
| @@ -21,7 +21,7 @@ | |||
| 21 | 21 | ||
| 22 | union aegis_block { | 22 | union aegis_block { |
| 23 | __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; | 23 | __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; |
| 24 | u32 words32[AEGIS_BLOCK_SIZE / sizeof(u32)]; | 24 | __le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)]; |
| 25 | u8 bytes[AEGIS_BLOCK_SIZE]; | 25 | u8 bytes[AEGIS_BLOCK_SIZE]; |
| 26 | }; | 26 | }; |
| 27 | 27 | ||
| @@ -57,24 +57,22 @@ static void crypto_aegis_aesenc(union aegis_block *dst, | |||
| 57 | const union aegis_block *src, | 57 | const union aegis_block *src, |
| 58 | const union aegis_block *key) | 58 | const union aegis_block *key) |
| 59 | { | 59 | { |
| 60 | u32 *d = dst->words32; | ||
| 61 | const u8 *s = src->bytes; | 60 | const u8 *s = src->bytes; |
| 62 | const u32 *k = key->words32; | ||
| 63 | const u32 *t0 = crypto_ft_tab[0]; | 61 | const u32 *t0 = crypto_ft_tab[0]; |
| 64 | const u32 *t1 = crypto_ft_tab[1]; | 62 | const u32 *t1 = crypto_ft_tab[1]; |
| 65 | const u32 *t2 = crypto_ft_tab[2]; | 63 | const u32 *t2 = crypto_ft_tab[2]; |
| 66 | const u32 *t3 = crypto_ft_tab[3]; | 64 | const u32 *t3 = crypto_ft_tab[3]; |
| 67 | u32 d0, d1, d2, d3; | 65 | u32 d0, d1, d2, d3; |
| 68 | 66 | ||
| 69 | d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]] ^ k[0]; | 67 | d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]]; |
| 70 | d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]] ^ k[1]; | 68 | d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]]; |
| 71 | d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]] ^ k[2]; | 69 | d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]]; |
| 72 | d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]] ^ k[3]; | 70 | d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]]; |
| 73 | 71 | ||
| 74 | d[0] = d0; | 72 | dst->words32[0] = cpu_to_le32(d0) ^ key->words32[0]; |
| 75 | d[1] = d1; | 73 | dst->words32[1] = cpu_to_le32(d1) ^ key->words32[1]; |
| 76 | d[2] = d2; | 74 | dst->words32[2] = cpu_to_le32(d2) ^ key->words32[2]; |
| 77 | d[3] = d3; | 75 | dst->words32[3] = cpu_to_le32(d3) ^ key->words32[3]; |
| 78 | } | 76 | } |
| 79 | 77 | ||
| 80 | #endif /* _CRYPTO_AEGIS_H */ | 78 | #endif /* _CRYPTO_AEGIS_H */ |