Re: [PATCH] crypto: talitos - fix IPsec cipher in length

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Le 16/03/2018 à 09:48, Horia Geantă a écrit :
For SEC 2.x+, cipher in length must contain only the ciphertext length.
In case of using hardware ICV checking, the ICV length is provided via
the "extent" field of the descriptor pointer.

Cc: <stable@xxxxxxxxxxxxxxx> # 4.8+
Fixes: 549bd8bc5987 ("crypto: talitos - Implement AEAD for SEC1 using HMAC_SNOOP_NO_AFEU")

It looks like the issue comes more from commit fbb22137c4d9b ("crypto: talitos - fix use of sg_link_tbl_len"), doesn't it ?


Signed-off-by: Horia Geantă <horia.geanta@xxxxxxx>
---
  drivers/crypto/talitos.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
index 447cb8b1b16a..61a30704847f 100644
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1251,6 +1251,13 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq,
  	ret = talitos_sg_map(dev, areq->src, sg_link_tbl_len, edesc,
  			     &desc->ptr[4], sg_count, areq->assoclen, tbl_off);
+ /*
+	 * In case of SEC 2.x+, cipher in len must include only the ciphertext,
+	 * while extent is used for ICV len.
+	 */
+	if (is_ipsec_esp && (desc->hdr & DESC_HDR_MODE1_MDEU_CICV))
+		desc->ptr[4].len = cpu_to_be16(cryptlen);

I don't like too much the idea of modifying ptr[4] without using the
helpers, although I don't have any other suggestion yet.

Christophe

+
  	if (ret > 1) {
  		tbl_off += ret;
  		sync_needed = true;




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux