On Wed, Mar 20, 2019 at 05:27:25PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> commit 12455e320e19e9cc7ad97f4ab89c280fe297387c upstream.
>
> The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
> skcipher tests because it sometimes produces the wrong ciphertext. The
> bug is that the final keystream block isn't returned from the assembly
> code when the number of non-final blocks is zero. This can happen if
> the input data ends a few bytes after a page boundary. In this case the
> last bytes get "encrypted" by XOR'ing them with uninitialized memory.
>
> Fix the assembly code to return the final keystream block when needed.
>
> Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.11+
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> ---
>
> Please apply to 4.14-stable. This resolves conflicts due to
> "crypto: arm64/aes-bs - yield NEON after every block of input"
> not being present in 4.14, but that has other dependencies.
>
> Tested using the crypto self-tests from v5.1-rc1 backported to 4.14.
> "rfc3686(ctr-aes-neonbs)" now passes the tests.
>
> arch/arm64/crypto/aes-neonbs-core.S | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)

Now queued up, thanks.

greg k-h
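A C model of the edge case the commit message describes, added here as an illustration and not part of the patch or of the kernel's arm64 driver: the block cipher is a constructed stand-in (not AES), `split` stands for the page boundary at which the skcipher walk splits the input, and the 0xA5 fill stands for uninitialized memory. With `buggy=1` a last chunk shorter than one block yields zero full blocks, the final keystream block is never written back, and the tail is XOR'd with the stale buffer; with `buggy=0` the result matches an unsplit encryption.

```c
#include <stdint.h>
#include <string.h>
#define BLK 16

/* Stand-in for AES-encrypting the counter block: a constructed toy, NOT AES. */
static void keystream_block(const uint8_t ctr[BLK], uint8_t out[BLK])
{
	for (int i = 0; i < BLK; i++)
		out[i] = ctr[i] ^ (uint8_t)(0x3C + 17 * i);
}

/* Model of the assembly routine: encrypt nbytes (a multiple of BLK) of one walk chunk,
 * then return the tail block's keystream if final_ks is set. buggy=1 reproduces the
 * defect: that step only runs after at least one full block was processed. */
static void ctr_chunk(uint8_t *buf, size_t nbytes, uint8_t ctr[BLK], uint8_t *final_ks, int buggy)
{
	size_t nblocks = nbytes / BLK;
	uint8_t ks[BLK];
	for (size_t b = 0; b < nblocks; b++) {
		keystream_block(ctr, ks);
		for (int i = 0; i < BLK; i++)
			buf[b * BLK + i] ^= ks[i];
		for (int i = BLK - 1; i >= 0 && ++ctr[i] == 0; i--) ; /* big-endian counter increment */
	}
	if (final_ks && (nblocks > 0 || !buggy))
		keystream_block(ctr, final_ks);
}

/* Model of the driver: the walk hands over [0, split) and [split, len); split models a page boundary. */
static void ctr_encrypt(uint8_t *buf, size_t len, size_t split, int buggy)
{
	uint8_t ctr[BLK] = { 0 }, final_ks[BLK];
	memset(final_ks, 0xA5, BLK); /* models uninitialized memory in the return buffer */
	for (size_t off = 0; off < len;) {
		size_t chunk = (split < len && off < split) ? split - off : len - off;
		size_t tail = (off + chunk == len) ? chunk % BLK : 0; /* only the last chunk has a tail */
		ctr_chunk(buf + off, chunk - tail, ctr, tail ? final_ks : NULL, buggy);
		for (size_t i = 0; i < tail; i++)
			buf[off + chunk - tail + i] ^= final_ks[i];
		off += chunk;
	}
}

/* 1 if encrypting across the split gives a different result than one unsplit chunk. */
static int split_corrupts(size_t len, size_t split, int buggy)
{
	uint8_t ref[64], out[64];
	for (size_t i = 0; i < len; i++) ref[i] = out[i] = (uint8_t)i; /* constructed plaintext */
	ctr_encrypt(ref, len, len, 0);
	ctr_encrypt(out, len, split, buggy);
	return memcmp(ref, out, len) != 0;
}
```

Only the combination of a page split landing just before the tail and zero full blocks after it triggers the mismatch; a last chunk that still contains a full block is encrypted correctly even by the buggy path, which is why the self-tests only caught it intermittently.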