Re: [PATCH] crypto: aesni - fix "by8" variant for 128 bit keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 30/12/2014 14:50, Mathias Krause wrote:
The "by8" counter mode optimization is broken for 128 bit keys with
input data longer than 128 bytes. It uses the wrong key material for
en- and decryption.

The key registers xkey0, xkey4, xkey8 and xkey12 need to be preserved
in case we're handling more than 128 bytes of input data -- they won't
get reloaded after the initial load. They must therefore be (a) loaded
on the first iteration and (b) be preserved for the latter ones. The
implementation for 128 bit keys does not comply with (a) nor (b).

Fix this by bringing the implementation back to its original source
and correctly load the key registers and preserve their values by
*not* re-using the registers for other purposes.

Kudos to James for reporting the issue and providing a test case
showing the discrepancies.

Reported-by: James Yonan <james@xxxxxxxxxxx>
Cc: Chandramouli Narayanan <mouli@xxxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> # v3.18
Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>

This looks great, fixes the issue on 3.18.1 for all of our use cases.

Thanks to Mathias for putting this together.

James
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux