Re: [PATCH 4.14] crypto: arm64/aes-neonbs - fix returning final keystream block

On Wed, Mar 20, 2019 at 05:27:25PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> commit 12455e320e19e9cc7ad97f4ab89c280fe297387c upstream.
> 
> The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
> skcipher tests because it sometimes produces the wrong ciphertext.  The
> bug is that the final keystream block isn't returned from the assembly
> code when the number of non-final blocks is zero.  This can happen if
> the input data ends a few bytes after a page boundary.  In this case the
> last bytes get "encrypted" by XOR'ing them with uninitialized memory.
> 
> Fix the assembly code to return the final keystream block when needed.
> 
> Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.11+
> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> ---
> 
> Please apply to 4.14-stable.  This resolves conflicts due to
> "crypto: arm64/aes-bs - yield NEON after every block of input"
> not being present in 4.14, but that has other dependencies.
> 
> Tested using the crypto self-tests from v5.1-rc1 backported to 4.14.
> "rfc3686(ctr-aes-neonbs)" now passes the tests.
> 
>  arch/arm64/crypto/aes-neonbs-core.S | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Now queued up, thanks.

greg k-h
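The failure mode the quoted commit message describes, as an added example that is not the patch's code and uses no real AES: a C model of a CTR core with the same contract (encrypt the full blocks, hand back one extra keystream block for the caller's partial tail), driven chunk by chunk the way a page-by-page walk would, plus a chunked-versus-reference comparison of the kind the improved skcipher self-tests perform. `keystream_block`, `ctr_core`, `ctr_crypt` and `ctr_selftest` are hypothetical names, and the `buggy` flag only models the early return; it is not the assembly.

```c
#include <stdint.h>
#include <string.h>
#define BLK 16
/* Stand-in keystream generator (NOT AES), enough to exercise the block/tail logic. */
static void keystream_block(uint32_t ctr, uint8_t out[BLK])
{
	for (int i = 0; i < BLK; i++)
		out[i] = (uint8_t)((ctr * 0x9E3779B1u) >> (i * 2)) ^ (uint8_t)(0xA5 + i);
}

/* Loosely modelled on the assembly core: XOR `blocks` full blocks in place and, if
 * `final` is non-NULL, leave the next keystream block there for the partial tail. */
static void ctr_core(uint8_t *buf, size_t blocks, uint32_t *ctr, uint8_t *final, int buggy)
{
	uint8_t ks[BLK];
	if (buggy && blocks == 0)
		return;			/* pre-fix behaviour: `final` is never written */
	for (; blocks; blocks--, buf += BLK) {
		keystream_block((*ctr)++, ks);
		for (int i = 0; i < BLK; i++)
			buf[i] ^= ks[i];
	}
	if (final)
		keystream_block((*ctr)++, final);
}

/* Feed the core `chunk` bytes at a time (chunk is a multiple of BLK), as a
 * page-by-page scatterlist walk would; only the last call may carry a tail. */
static void ctr_crypt(uint8_t *data, size_t len, size_t chunk, int buggy)
{
	uint32_t ctr = 1;
	uint8_t final[BLK] = { 0 };	/* zeroed here; stack garbage in the real bug */
	for (size_t n; len; data += n, len -= n) {
		n = len < chunk ? len : chunk;
		ctr_core(data, n / BLK, &ctr, n % BLK ? final : NULL, buggy);
		for (size_t i = 0; i < n % BLK; i++)	/* XOR the partial tail */
			data[n - n % BLK + i] ^= final[i];
	}
}

/* As the skcipher self-tests do: chunked path vs. a trusted one-shot result; 1 = agree. */
static int ctr_selftest(size_t len, size_t chunk, int buggy)
{
	uint8_t ref[64], out[64];	/* constructed plaintext 0,1,2,... */
	for (size_t i = 0; i < len && i < sizeof ref; i++)
		ref[i] = out[i] = (uint8_t)i;
	ctr_crypt(ref, len, sizeof ref, 0);	/* fixed core, whole buffer at once */
	ctr_crypt(out, len, chunk, buggy);
	return memcmp(ref, out, len) == 0;
}
```

With `buggy=1`, a 53-byte message split as 48 + 5 (a page boundary plus a few bytes) leaves the last 5 bytes equal to the plaintext, which the comparison catches; lengths that are a multiple of 16 never reach the bug.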
