The skcipher API mandates that chaining modes involving IVs calculate an outgoing IV value that is suitable for encrypting additional blocks of data. This means the CCM driver cannot assume that req->iv points to the original IV value when it calls crypto_ccm_auth. So pass a copy to the skcipher instead. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> --- crypto/ccm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/ccm.c b/crypto/ccm.c index b388ac6edfb9..8976ef9bc2e7 100644 --- a/crypto/ccm.c +++ b/crypto/ccm.c @@ -362,7 +362,7 @@ static int crypto_ccm_decrypt(struct aead_request *req) unsigned int cryptlen = req->cryptlen; u8 *authtag = pctx->auth_tag; u8 *odata = pctx->odata; - u8 *iv = req->iv; + u8 iv[16]; int err; cryptlen -= authsize; @@ -378,6 +378,7 @@ static int crypto_ccm_decrypt(struct aead_request *req) if (req->src != req->dst) dst = pctx->dst; + memcpy(iv, req->iv, sizeof(iv)); skcipher_request_set_tfm(skreq, ctx->ctr); skcipher_request_set_callback(skreq, pctx->flags, crypto_ccm_decrypt_done, req); -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
