On Sun, Dec 13, 2020 at 03:39:29PM +0100, Ard Biesheuvel wrote:
> Commit 86cd97ec4b943af3 ("crypto: arm/chacha-neon - optimize for non-block
> size multiples") refactored the chacha block handling in the glue code in
> a way that may result in the counter increment to be omitted when calling
> chacha_block_xor_neon() to process a full block. This violates the skcipher
> API, which requires that the output IV is suitable for handling more input
> as long as the preceding input has been presented in round multiples of the
> block size. Also, the same code is exposed via the chacha library interface
> whose callers may actually rely on this increment to occur even for final
> blocks that are smaller than the chacha block size.
>
> So increment the counter after calling chacha_block_xor_neon().
>
> Fixes: 86cd97ec4b943af3 ("crypto: arm/chacha-neon - optimize for non-block size multiples")
> Reported-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> v2: - use ++ instead of += 1
> - make note in the commit log of the fact that the library API needs the
> increment to occur in all cases, not only for final blocks whose size
> is exactly the block size
>
> arch/arm/crypto/chacha-glue.c | 1 +
> 1 file changed, 1 insertion(+)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
