Re: [PATCH 1/2] crypto: morus/generic - fix for big endian systems

On Sun, Sep 30, 2018 at 10:59 AM Ard Biesheuvel
<ard.biesheuvel@xxxxxxxxxx> wrote:
> Omit the endian swabbing when folding the lengths of the assoc and
> crypt input buffers into the state to finalize the tag. This is not
> necessary given that the memory representation of the state is in
> machine native endianness already.
>
> This fixes an error reported by tcrypt running on a big endian system:
>
>   alg: aead: Test 2 failed on encryption for morus640-generic
>   00000000: a8 30 ef fb e6 26 eb 23 b0 87 dd 98 57 f3 e1 4b
>   00000010: 21
>   alg: aead: Test 2 failed on encryption for morus1280-generic
>   00000000: 88 19 1b fb 1c 29 49 0e ee 82 2f cb 97 a6 a5 ee
>   00000010: 5f

Yikes, I never really got around to testing MORUS and AEGIS on a BE
machine...  My mistake, sorry :/

>
> Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.18+
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

> ---
>  crypto/morus1280.c |  7 ++-----
>  crypto/morus640.c  | 16 ++++------------
>  2 files changed, 6 insertions(+), 17 deletions(-)
>
> diff --git a/crypto/morus1280.c b/crypto/morus1280.c
> index d057cf5ac4a8..3889c188f266 100644
> --- a/crypto/morus1280.c
> +++ b/crypto/morus1280.c
> @@ -385,14 +385,11 @@ static void crypto_morus1280_final(struct morus1280_state *state,
>                                    struct morus1280_block *tag_xor,
>                                    u64 assoclen, u64 cryptlen)
>  {
> -       u64 assocbits = assoclen * 8;
> -       u64 cryptbits = cryptlen * 8;
> -
>         struct morus1280_block tmp;
>         unsigned int i;
>
> -       tmp.words[0] = cpu_to_le64(assocbits);
> -       tmp.words[1] = cpu_to_le64(cryptbits);
> +       tmp.words[0] = assoclen * 8;
> +       tmp.words[1] = cryptlen * 8;
>         tmp.words[2] = 0;
>         tmp.words[3] = 0;
>
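Review bot: the removed cpu_to_le64() calls were the actual defect in this hunk, not just noise: tmp is XORed into state words that the rest of crypto_morus1280_final() handles in host byte order, so on a big-endian host the old code folded a byte-swapped bit length into the state while the state itself was not swapped, which is exactly the kind of mismatch that produces a wrong tag only on BE (the tcrypt failure quoted above) and never on LE, where cpu_to_le64() is a no-op. Dropping the assocbits/cryptbits locals in favour of `tmp.words[0] = assoclen * 8;` is fine as well; the multiplication is done in u64 either way. One reviewer suggestion for the commit message rather than the code: it would help future readers to say explicitly that any LE conversion of the state happens at the byte-load/byte-store boundary, so none is wanted here.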
> diff --git a/crypto/morus640.c b/crypto/morus640.c
> index 1ca76e54281b..da06ec2f6a80 100644
> --- a/crypto/morus640.c
> +++ b/crypto/morus640.c
> @@ -384,21 +384,13 @@ static void crypto_morus640_final(struct morus640_state *state,
>                                   struct morus640_block *tag_xor,
>                                   u64 assoclen, u64 cryptlen)
>  {
> -       u64 assocbits = assoclen * 8;
> -       u64 cryptbits = cryptlen * 8;
> -
> -       u32 assocbits_lo = (u32)assocbits;
> -       u32 assocbits_hi = (u32)(assocbits >> 32);
> -       u32 cryptbits_lo = (u32)cryptbits;
> -       u32 cryptbits_hi = (u32)(cryptbits >> 32);
> -
>         struct morus640_block tmp;
>         unsigned int i;
>
> -       tmp.words[0] = cpu_to_le32(assocbits_lo);
> -       tmp.words[1] = cpu_to_le32(assocbits_hi);
> -       tmp.words[2] = cpu_to_le32(cryptbits_lo);
> -       tmp.words[3] = cpu_to_le32(cryptbits_hi);
> +       tmp.words[0] = lower_32_bits(assoclen * 8);
> +       tmp.words[1] = upper_32_bits(assoclen * 8);
> +       tmp.words[2] = lower_32_bits(cryptlen * 8);
> +       tmp.words[3] = upper_32_bits(cryptlen * 8);
>
>         for (i = 0; i < MORUS_BLOCK_WORDS; i++)
>                 state->s[4].words[i] ^= state->s[0].words[i];
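Review bot: the fix is correct for the same reason as in morus1280.c, and the visible context confirms it: the loop `state->s[4].words[i] ^= state->s[0].words[i];` operates on raw 32-bit words in host order, so the earlier cpu_to_le32() on the length halves put big-endian hosts out of step with the rest of the state. Switching the manual `(u32)` / `>> 32` casts to lower_32_bits()/upper_32_bits() is also the clearer idiom. The word layout (assoc low, assoc high, crypt low, crypt high in words[0..3]) is consistent with the 1280 hunk, where the two 64-bit words hold assoc then crypt. Minor style point: `assoclen * 8` and `cryptlen * 8` are each written twice; the compiler will fold them, but keeping a single `u64 assocbits = assoclen * 8;` local would avoid the repetition if a v2 is spun.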
> --
> 2.19.0
>

Thanks,

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
