On Sun, Dec 13, 2020 at 03:39:29PM +0100, Ard Biesheuvel wrote:
> Commit 86cd97ec4b943af3 ("crypto: arm/chacha-neon - optimize for non-block
> size multiples") refactored the chacha block handling in the glue code in
> a way that may result in the counter increment to be omitted when calling
> chacha_block_xor_neon() to process a full block. This violates the skcipher
> API, which requires that the output IV is suitable for handling more input
> as long as the preceding input has been presented in round multiples of the
> block size. Also, the same code is exposed via the chacha library interface
> whose callers may actually rely on this increment to occur even for final
> blocks that are smaller than the chacha block size.
>
> So increment the counter after calling chacha_block_xor_neon().
>
> Fixes: 86cd97ec4b943af3 ("crypto: arm/chacha-neon - optimize for non-block size multiples")
> Reported-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> v2: - use ++ instead of += 1
>     - make note in the commit log of the fact that the library API needs the
>       increment to occur in all cases, not only for final blocks whose size
>       is exactly the block size
>
>  arch/arm/crypto/chacha-glue.c | 1 +
>  1 file changed, 1 insertion(+)

Patch applied.  Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
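
Added example, not part of the original thread and not the kernel's glue code: a portable C model of the contract the commit message describes, checking that input fed in block-sized pieces encrypts the same as one call. glue_crypt(), bump_always and chunked_matches_oneshot() are hypothetical names, the key and nonce are constructed, and the bump_always=0 branch is an assumed simplification of the regression.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
	(a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
	 a += b, d ^= a, d = ROTL(d, 8), c += d, b ^= c, b = ROTL(b, 7))
/* XOR up to one 64-byte ChaCha20 block into dst; never touches the counter. */
static void block_xor(const uint32_t st[16], uint8_t *dst, const uint8_t *src, size_t n)
{
	uint32_t x[16];
	memcpy(x, st, sizeof(x));
	for (int i = 0; i < 10; i++) {	/* 10 double rounds */
		QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
		QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
		QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
		QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
	}
	for (size_t i = 0; i < n; i++)	/* little-endian keystream bytes */
		dst[i] = src[i] ^ (uint8_t)((x[i / 4] + st[i / 4]) >> (8 * (i % 4)));
}

/* Assumed model: bump_always=0 skips the st[12] increment for the last block of a call. */
static void glue_crypt(uint32_t st[16], uint8_t *dst, const uint8_t *src, size_t len, int bump_always)
{
	while (len) {
		size_t n = len < 64 ? len : 64;
		block_xor(st, dst, src, n);
		dst += n; src += n; len -= n;
		if (bump_always || len) st[12]++;
	}
}

/* Constructed key/nonce. Returns 1 when two 64-byte calls match one 128-byte call. */
static int chunked_matches_oneshot(int bump_always)
{
	uint8_t pt[128] = {0}, a[128], b[128];
	uint32_t s1[16] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}, s2[16];
	for (int i = 4; i < 16; i++) s1[i] = (i == 12) ? 0 : 0x01010101u * (uint32_t)i;
	memcpy(s2, s1, sizeof(s1));
	glue_crypt(s1, a, pt, 128, bump_always);	/* one call */
	glue_crypt(s2, b, pt, 64, bump_always);		/* same input, two calls */
	glue_crypt(s2, b + 64, pt + 64, 64, bump_always);
	return memcmp(a, b, sizeof(a)) == 0;
}

int main(void)
{
	return printf("always=%d skipped=%d\n", chunked_matches_oneshot(1), chunked_matches_oneshot(0)) < 0;
}
```

With the increment skipped, the second 64-byte call in this model starts from the same counter value, so both chunks are XORed with the same keystream block.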