authorJason A. Donenfeld <Jason@zx2c4.com>2018-09-25 18:48:54 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2018-09-25 20:05:17 +0200
commitf606b291e30fc6a9eab31902666047ea8e70d0fd (patch)
tree8e89abab707baaec0ae7cce68185672fe31b57d4 /src/crypto/zinc
parentcurve25519-arm: disable on big-endian (diff)
poly1305-arm: swap endianness in base 2^26 conversion
These are actually 32-bit limbs, so we have to swap them back after the 64-bit arithmetic. Also, change type of boolean for 64-bit. Suggested-by: Andy Polyakov <appro@openssl.org>
Diffstat (limited to 'src/crypto/zinc')
-rw-r--r--src/crypto/zinc/poly1305/poly1305-arm-glue.h6
1 files changed, 5 insertions, 1 deletions
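diff --git a/src/crypto/zinc/poly1305/poly1305-arm-glue.h b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
index ddeb58a..9d34d21 100644
--- a/src/crypto/zinc/poly1305/poly1305-arm-glue.h
+++ b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
@@ -35,7 +35,7 @@ struct poly1305_arch_internal {
 u64 h0, h1, h2;
 };
 };
-u32 is_base2_26;
+u64 is_base2_26;
 u64 r[2];
 };
 #elif defined(CONFIG_ARM)
@@ -68,6 +68,10 @@ static void convert_to_base2_64(void *ctx)
 state->h0 = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
 state->h1 = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
 state->h2 = state->h[4] >> 24;
+#if defined(CONFIG_ARM) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+state->h0 = rol64(state->h0, 32);
+state->h1 = rol64(state->h1, 32);
+#endif
 #define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
 cy = (state->h2 >> 2) + (state->h2 & ~3ULL);
 state->h2 &= 3;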
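Review bot: The added `#if defined(CONFIG_ARM) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__` guard depends on two compiler-predefined macros; in a `#if`, an identifier that is not defined evaluates to 0, so on a toolchain that predefines neither the comparison becomes `0 == 0` and the two rotations would run on a little-endian build, producing wrong h0/h1 and therefore wrong tags. Kernel code normally keys this on the Kconfig symbol instead, `#if defined(CONFIG_ARM) && defined(CONFIG_CPU_BIG_ENDIAN)`, which cannot misfire in that way. The two `rol64(..., 32)` lines also deserve a why-comment, since a rotate by 32 reads as arbitrary without the commit message: `/* h[] are 32-bit limbs as laid out by the asm; on big-endian the 64-bit view has its halves swapped, so swap them back */`. Whether the inverse conversion back to base 2^26 needs the mirror-image swap cannot be judged from this hunk; convert_to_base2_64 both begins before and continues past the lines shown.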