poly1305-arm: swap endianness in base 2^26 conversion

These are actually 32-bit limbs, so we have to swap them back after the
64-bit arithmetic. Also, change type of boolean for 64-bit.

Suggested-by: Andy Polyakov <appro@openssl.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

1 files changed, 5 insertions, 1 deletions

diff --git a/src/crypto/zinc/poly1305/poly1305-arm-glue.h b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
index ddeb58a..9d34d21 100644
--- a/src/crypto/zinc/poly1305/poly1305-arm-glue.h
+++ b/src/crypto/zinc/poly1305/poly1305-arm-glue.h
@@ -35,7 +35,7 @@ struct poly1305_arch_internal {
 			u64 h0, h1, h2;
 		};
 	};
-	u32 is_base2_26;
+	u64 is_base2_26;
 	u64 r[2];
 };
 #elif defined(CONFIG_ARM)
@@ -68,6 +68,10 @@ static void convert_to_base2_64(void *ctx)
 	state->h0 = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
 	state->h1 = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
 	state->h2 = state->h[4] >> 24;
+#if defined(CONFIG_ARM) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+	state->h0 = rol64(state->h0, 32);
+	state->h1 = rol64(state->h1, 32);
+#endif
 #define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
 	cy = (state->h2 >> 2) + (state->h2 & ~3ULL);
 	state->h2 &= 3;