On Thu, Jan 01, 2015 at 10:08:18AM -0700, James Yonan wrote:
> On 30/12/2014 14:50, Mathias Krause wrote:
> >The "by8" counter mode optimization is broken for 128 bit keys with
> >input data longer than 128 bytes. It uses the wrong key material for
> >en- and decryption.
> >
> >The key registers xkey0, xkey4, xkey8 and xkey12 need to be preserved
> >in case we're handling more than 128 bytes of input data -- they won't
> >get reloaded after the initial load. They must therefore be (a) loaded
> >on the first iteration and (b) be preserved for the latter ones. The
> >implementation for 128 bit keys does not comply with (a) nor (b).
> >
> >Fix this by bringing the implementation back to its original source
> >and correctly load the key registers and preserve their values by
> >*not* re-using the registers for other purposes.
> >
> >Kudos to James for reporting the issue and providing a test case
> >showing the discrepancies.
> >
> >Reported-by: James Yonan <james@xxxxxxxxxxx>
> >Cc: Chandramouli Narayanan <mouli@xxxxxxxxxxxxxxx>
> >Cc: <stable@xxxxxxxxxxxxxxx> # v3.18
> >Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
>
> This looks great, fixes the issue on 3.18.1 for all of our use cases.
>
> Thanks to Mathias for putting this together.

Patch applied to crypto.  Thanks a lot!
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
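
Added example, not part of this thread and not kernel code: a simplified C model of why a defect in cached key registers only shows up past 128 bytes, and how a differential test against a reference path catches it. The mixer is a stand-in (not AES), and every name (ks_byte, ctr_ref, ctr_by8, diverges), the key and the plaintext are constructed for illustration; the model covers only the "registers not preserved" half of the description above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BY8_BYTES 128   /* 8 blocks x 16 bytes per loop iteration */
#define MAXLEN 1024
/* Stand-in keyed mixer, NOT AES: one 64-bit keystream word per 8 data bytes. */
static uint8_t ks_byte(const uint64_t k[4], size_t i) {
    uint64_t x = i / 8;
    for (int r = 0; r < 4; r++) {
        x = (x ^ k[r]) * 0x9E3779B97F4A7C15ULL;
        x ^= x >> 29;
    }
    return (uint8_t)(x >> (8 * (i % 8)));
}

/* Reference path: reads the key from memory for every byte. */
static void ctr_ref(const uint64_t key[4], const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ ks_byte(key, i);
}

/* Bulk path: key words are cached once before the loop, as xkey0/4/8/12 are. */
static void ctr_by8(const uint64_t key[4], const uint8_t *in, uint8_t *out, size_t len, int clobber) {
    uint64_t xkey[4];
    memcpy(xkey, key, sizeof xkey);
    for (size_t off = 0; off < len; off += BY8_BYTES) {
        size_t n = len - off < BY8_BYTES ? len - off : BY8_BYTES;
        for (size_t i = off; i < off + n; i++) out[i] = in[i] ^ ks_byte(xkey, i);
        if (clobber) xkey[0] = off;  /* modelled defect: cached key reused as scratch */
    }
}

/* 1 if the bulk path disagrees with the reference, 0 if it agrees, -1 if len > MAXLEN. */
int diverges(size_t len, int clobber) {
    static const uint64_t key[4] = {0x0123456789abcdefULL, 2, 3, 4};  /* constructed */
    uint8_t in[MAXLEN], a[MAXLEN], b[MAXLEN];
    if (len > MAXLEN) return -1;
    for (size_t i = 0; i < len; i++) in[i] = (uint8_t)i;  /* constructed plaintext */
    ctr_ref(key, in, a, len);
    ctr_by8(key, in, b, len, clobber);
    return memcmp(a, b, len) != 0;
}

int main(void) {
    const size_t lens[] = {16, 128, 136, 256, 1024};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%4zu clobbered=%d preserved=%d\n", lens[i], diverges(lens[i], 1), diverges(lens[i], 0));
    return 0;
}
```

A test suite that only uses inputs of 128 bytes or less never enters the second loop iteration, so lengths on both sides of that boundary belong in the test vectors.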