From patchwork Sun Sep 30 08:58:58 2018
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 10621335
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com, omosnace@redhat.com, Ard Biesheuvel
Subject: [PATCH 1/2] crypto: morus/generic - fix for big endian systems
Date: Sun, 30 Sep 2018 10:58:58 +0200
Message-Id: <20180930085859.15038-2-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180930085859.15038-1-ard.biesheuvel@linaro.org>
References: <20180930085859.15038-1-ard.biesheuvel@linaro.org>

Omit the endian swabbing when folding the lengths of the assoc and crypt
input buffers into the state to finalize the tag. This is not necessary
given that the memory representation of the state is in machine native
endianness already.

This fixes an error reported by tcrypt running on a big endian system:

alg: aead: Test 2 failed on encryption for morus640-generic
00000000: a8 30 ef fb e6 26 eb 23 b0 87 dd 98 57 f3 e1 4b
00000010: 21
alg: aead: Test 2 failed on encryption for morus1280-generic
00000000: 88 19 1b fb 1c 29 49 0e ee 82 2f cb 97 a6 a5 ee
00000010: 5f

Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
Cc: # v4.18+
Signed-off-by: Ard Biesheuvel
Reviewed-by: Ondrej Mosnacek
---
 crypto/morus1280.c |  7 ++-----
 crypto/morus640.c  | 16 ++++------------
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/crypto/morus1280.c b/crypto/morus1280.c
index d057cf5ac4a8..3889c188f266 100644
--- a/crypto/morus1280.c
+++ b/crypto/morus1280.c
@@ -385,14 +385,11 @@ static void crypto_morus1280_final(struct morus1280_state *state, struct morus1280_block *tag_xor, u64 assoclen, u64 cryptlen) { - u64 assocbits = assoclen * 8; - u64 cryptbits = cryptlen * 8; - struct morus1280_block tmp; unsigned int i; - tmp.words[0] = cpu_to_le64(assocbits); - tmp.words[1] = cpu_to_le64(cryptbits); + tmp.words[0] = assoclen * 8; + tmp.words[1] = cryptlen * 8; tmp.words[2] = 0; tmp.words[3] = 0; diff --git a/crypto/morus640.c b/crypto/morus640.c index 1ca76e54281b..da06ec2f6a80 100644 --- a/crypto/morus640.c +++ b/crypto/morus640.c 
@@ -384,21 +384,13 @@ static void crypto_morus640_final(struct morus640_state *state, struct morus640_block *tag_xor, u64 assoclen, u64 cryptlen) { - u64 assocbits = assoclen * 8; - u64 cryptbits = cryptlen * 8; - - u32 assocbits_lo = (u32)assocbits; - u32 assocbits_hi = (u32)(assocbits >> 32); - u32 cryptbits_lo = (u32)cryptbits; - u32 cryptbits_hi = (u32)(cryptbits >> 32); - struct morus640_block tmp; unsigned int i; - tmp.words[0] = cpu_to_le32(assocbits_lo); - tmp.words[1] = cpu_to_le32(assocbits_hi); - tmp.words[2] = cpu_to_le32(cryptbits_lo); - tmp.words[3] = cpu_to_le32(cryptbits_hi); + tmp.words[0] = lower_32_bits(assoclen * 8); + tmp.words[1] = upper_32_bits(assoclen * 8); + tmp.words[2] = lower_32_bits(cryptlen * 8); + tmp.words[3] = upper_32_bits(cryptlen * 8); for (i = 0; i < MORUS_BLOCK_WORDS; i++) state->s[4].words[i] ^= state->s[0].words[i]; From patchwork Sun Sep 30 08:58:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 10621337 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 93DE11895 for ; Sun, 30 Sep 2018 08:59:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 84FD02962D for ; Sun, 30 Sep 2018 08:59:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 76A2329633; Sun, 30 Sep 2018 08:59:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org 
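Review bot: in the crypto/morus1280.c hunk, `tmp.words[0] = assoclen * 8;` silently relies on the state words being held in CPU endianness (the commit message says so, the code does not), so a one-line comment above the two assignments stating that no cpu_to_le64() belongs here would stop the swab from being reintroduced by a later "fix". Note also that cpu_to_le64() is a no-op on little-endian builds, so this hunk is behaviour-neutral there and only the big-endian path changes; the tcrypt run quoted in the commit message is the only coverage of that path, so it is worth stating that the LE tcrypt result is unchanged.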
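Review bot: in the crypto/morus640.c hunk, `assoclen * 8` and `cryptlen * 8` are each written out twice inside the `lower_32_bits()`/`upper_32_bits()` pairs; the compiler will fold them, but keeping the `u64 assocbits`/`cryptbits` locals that the hunk deletes and dropping only the `cpu_to_le32()` calls would have made the diff smaller and the 64-bit split easier to read. The word order the hunk keeps (words[0] = low half, words[1] = high half) is what encodes the bit length little-endian once the words themselves are native, consistent with the morus1280 hunk storing the whole u64 unswabbed.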
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com, omosnace@redhat.com, Ard Biesheuvel
Subject: [PATCH 2/2] crypto: aegis/generic - fix for big endian systems
Date: Sun, 30 Sep 2018 10:58:59 +0200
Message-Id: <20180930085859.15038-3-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180930085859.15038-1-ard.biesheuvel@linaro.org>
References: <20180930085859.15038-1-ard.biesheuvel@linaro.org>

Use the correct __le32 annotation and accessors to perform the single
round of AES encryption performed inside the AEGIS transform. Otherwise,
tcrypt reports:

alg: aead: Test 1 failed on encryption for aegis128-generic
00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e
alg: aead: Test 1 failed on encryption for aegis128l-generic
00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28
alg: aead: Test 1 failed on encryption for aegis256-generic
00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c

While at it, let's refer to the first precomputed table only, and derive
the other ones by rotation. This reduces the D-cache footprint by 75%,
and shouldn't be too costly or free on load/store architectures (and
X86 has its own AES-NI based implementation)

Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations")
Cc: # v4.18+
Signed-off-by: Ard Biesheuvel
---
 crypto/aegis.h | 23 +++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/crypto/aegis.h b/crypto/aegis.h
index f1c6900ddb80..84d3e07a3c33 100644
--- a/crypto/aegis.h
+++ b/crypto/aegis.h
@@ -21,7 +21,7 @@ union aegis_block { __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; - u32 words32[AEGIS_BLOCK_SIZE / sizeof(u32)]; + __le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)]; u8 bytes[AEGIS_BLOCK_SIZE]; }; @@ -59,22 +59,19 @@ static void crypto_aegis_aesenc(union aegis_block *dst, { u32 *d = dst->words32; const u8 *s = src->bytes; - const u32 *k = key->words32; + const __le32 *k = key->words32; const u32 *t0 = crypto_ft_tab[0]; - const u32 *t1 = crypto_ft_tab[1]; - const u32 *t2 = crypto_ft_tab[2]; - const u32 *t3 = crypto_ft_tab[3]; u32 d0, d1, d2, d3; - d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]] ^ k[0]; - d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]] ^ k[1]; - d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]] ^ k[2]; - d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]] ^ k[3]; + d0 = t0[s[ 0]] ^ rol32(t0[s[ 5]], 8) ^ rol32(t0[s[10]], 16) ^ rol32(t0[s[15]], 24); + d1 = t0[s[ 4]] ^ rol32(t0[s[ 9]], 8) ^ rol32(t0[s[14]], 16) ^ rol32(t0[s[ 3]], 24); + d2 = t0[s[ 8]] ^ rol32(t0[s[13]], 8) ^ rol32(t0[s[ 2]], 16) ^ rol32(t0[s[ 7]], 24); + d3 = t0[s[12]] ^ rol32(t0[s[ 1]], 8) ^ rol32(t0[s[ 6]], 16) ^ rol32(t0[s[11]], 24); - d[0] = d0; - d[1] = d1; - d[2] = d2; - d[3] = d3; + d[0] = cpu_to_le32(d0 ^ le32_to_cpu(k[0])); + d[1] = cpu_to_le32(d1 ^ le32_to_cpu(k[1])); + d[2] = cpu_to_le32(d2 ^ le32_to_cpu(k[2])); + d[3] = cpu_to_le32(d3 ^ le32_to_cpu(k[3])); } #endif /* _CRYPTO_AEGIS_H */
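Review bot: in the `union aegis_block` hunk, `words32` becomes `__le32` while `words64` was already `__le64`, so the two views now agree; but the diffstat shows only crypto/aegis.h changing, and any other user of `words32` in the aegis implementations that still reads or writes it as plain `u32` will now produce sparse (`make C=1`) "incorrect type" warnings, so those sites need the same annotation either in this patch or in a follow-up named here.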
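Review bot: in the `crypto_aegis_aesenc()` hunk, `u32 *d = dst->words32;` in the unchanged context is still a `u32 *` although `words32` is now `__le32[]`, and the four new stores push `cpu_to_le32(...)` results through it, so sparse will warn on the initializer and on every store; either make it `__le32 *d` or drop `d` and write `dst->words32[0..3]` directly. The key XOR can also lose a conversion: `cpu_to_le32(d0 ^ le32_to_cpu(k[0]))` equals `cpu_to_le32(d0) ^ k[0]` because XOR commutes with the byte swap, which reads more naturally now that `k` is `__le32`.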
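As an added illustration of the second patch (this is example code, not the patch's or the kernel's), the C program below builds the AES S-box and an equivalent of crypto_ft_tab[0] at run time, checks the commit message's claim that the other three forward tables are byte rotations of it, and performs one AES round the way the patched crypto_aegis_aesenc() does, with explicit little-endian accessors on the key and output so the result bytes do not depend on host endianness. The function names (ft_direct, init_tables, aegis_aesenc, tables_are_rotations) and the table-generation code are this example's own.

```c
#include <stdint.h>
static uint8_t sbox[256]; static uint32_t t0[256];  /* built at run time; the kernel hard-codes crypto_ft_tab[] */
static uint8_t xtime(uint8_t b) { return (b << 1) ^ ((b & 0x80) ? 0x1b : 0); }
static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
/* T_i[x] straight from the definition: MixColumns column (2s, s, s, 3s) rotated down i bytes, LE-packed. */
static uint32_t ft_direct(unsigned i, uint8_t x) {
    uint8_t s = sbox[x], col[4] = { xtime(s), s, s, (uint8_t)(xtime(s) ^ s) };
    uint32_t w = 0;
    for (int j = 0; j < 4; j++) w |= (uint32_t)col[(j + 4 - i) % 4] << (8 * j);
    return w;
}
static void init_tables(void) {
    uint8_t p = 1, q = 1;
    if (t0[0]) return;                  /* already built */
    do {                                /* p walks GF(2^8)* as powers of 3, q tracks 1/p */
        p = p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0);
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q ^= (q & 0x80) ? 0x09 : 0;
        sbox[p] = (q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4)) ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;
    for (int x = 0; x < 256; x++) t0[x] = ft_direct(0, x);
}
static uint32_t get_le32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t w) { for (int i = 0; i < 4; i++) p[i] = w >> (8 * i); }
/* One AES round as in the patched crypto_aegis_aesenc(): the s[] index pattern is ShiftRows, the lookups
 * are SubBytes+MixColumns, the XOR is AddRoundKey. Explicit LE accessors keep the bytes host-independent. */
static void aegis_aesenc(uint8_t dst[16], const uint8_t s[16], const uint8_t key[16]) {
    uint32_t d[4];
    init_tables();
    d[0] = t0[s[ 0]] ^ rol32(t0[s[ 5]], 8) ^ rol32(t0[s[10]], 16) ^ rol32(t0[s[15]], 24);
    d[1] = t0[s[ 4]] ^ rol32(t0[s[ 9]], 8) ^ rol32(t0[s[14]], 16) ^ rol32(t0[s[ 3]], 24);
    d[2] = t0[s[ 8]] ^ rol32(t0[s[13]], 8) ^ rol32(t0[s[ 2]], 16) ^ rol32(t0[s[ 7]], 24);
    d[3] = t0[s[12]] ^ rol32(t0[s[ 1]], 8) ^ rol32(t0[s[ 6]], 16) ^ rol32(t0[s[11]], 24);
    for (int i = 0; i < 4; i++) put_le32(dst + 4 * i, d[i] ^ get_le32(key + 4 * i));
}
/* The patch's claim: crypto_ft_tab[1..3] are byte rotations of crypto_ft_tab[0], so one table suffices. */
static int tables_are_rotations(void) {
    init_tables();
    for (unsigned i = 1; i < 4; i++) for (int x = 0; x < 256; x++)
        if (ft_direct(i, x) != rol32(t0[x], 8 * i)) return 0;
    return 1;
}
static uint32_t ft0_entry(uint8_t x) { init_tables(); return t0[x]; }
/* Known answer: zero block, zero key -> every byte 0x63 (MixColumns of a constant column is the identity). */
static int zero_round_is_63(void) {
    uint8_t zero[16] = {0}, out[16]; aegis_aesenc(out, zero, zero);
    for (int i = 0; i < 16; i++) if (out[i] != 0x63) return 0;
    return 1;
}
```

Running tables_are_rotations() over all 256 entries is the run-time form of the "derive the other ones by rotation" argument; zero_round_is_63() is a small known-answer check of the round itself.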