| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFqZXNtqwiEZCd1Ua2NMHX8Lr20ptbM7yQL5m-bwXUztXGAWdA@mail.gmail.com>
Date: Tue, 5 Feb 2019 10:30:57 +0100
From: Ondrej Mosnacek <omosnace@...hat.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-crypto@...r.kernel.org,
Herbert Xu <herbert@...dor.apana.org.au>,
Linux kernel mailing list <linux-kernel@...r.kernel.org>,
stable@...r.kernel.org
Subject: Re: [PATCH v2 02/15] crypto: morus - fix handling chunked inputs
On Fri, Feb 1, 2019 at 8:52 AM Eric Biggers <ebiggers@...nel.org> wrote:
> From: Eric Biggers <ebiggers@...gle.com>
>
> The generic MORUS implementations all fail the improved AEAD tests
> because they produce the wrong result with some data layouts. The issue
> is that they assume that if the skcipher_walk API gives 'nbytes' not
> aligned to the walksize (a.k.a. walk.stride), then it is the end of the
> data. In fact, this can happen before the end. Fix them.
>
> Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
> Cc: <stable@...r.kernel.org> # v4.18+
> Cc: Ondrej Mosnacek <omosnace@...hat.com>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Reviewed-by: Ondrej Mosnacek <omosnace@...hat.com>
> ---
> crypto/morus1280.c | 13 +++++++------
> crypto/morus640.c | 13 +++++++------
> 2 files changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/crypto/morus1280.c b/crypto/morus1280.c
> index 78ba09db7328c..0747732d5b78a 100644
> --- a/crypto/morus1280.c
> +++ b/crypto/morus1280.c
> @@ -362,18 +362,19 @@ static void crypto_morus1280_process_crypt(struct morus1280_state *state,
> const struct morus1280_ops *ops)
> {
> struct skcipher_walk walk;
> - u8 *dst;
> - const u8 *src;
>
> ops->skcipher_walk_init(&walk, req, false);
>
> while (walk.nbytes) {
> - src = walk.src.virt.addr;
> - dst = walk.dst.virt.addr;
> + unsigned int nbytes = walk.nbytes;
>
> - ops->crypt_chunk(state, dst, src, walk.nbytes);
> + if (nbytes < walk.total)
> + nbytes = round_down(nbytes, walk.stride);
>
> - skcipher_walk_done(&walk, 0);
> + ops->crypt_chunk(state, walk.dst.virt.addr, walk.src.virt.addr,
> + nbytes);
> +
> + skcipher_walk_done(&walk, walk.nbytes - nbytes);
> }
> }
>
> diff --git a/crypto/morus640.c b/crypto/morus640.c
> index 5cf530139b271..1617a1eb8be13 100644
> --- a/crypto/morus640.c
> +++ b/crypto/morus640.c
> @@ -361,18 +361,19 @@ static void crypto_morus640_process_crypt(struct morus640_state *state,
> const struct morus640_ops *ops)
> {
> struct skcipher_walk walk;
> - u8 *dst;
> - const u8 *src;
>
> ops->skcipher_walk_init(&walk, req, false);
>
> while (walk.nbytes) {
> - src = walk.src.virt.addr;
> - dst = walk.dst.virt.addr;
> + unsigned int nbytes = walk.nbytes;
>
> - ops->crypt_chunk(state, dst, src, walk.nbytes);
> + if (nbytes < walk.total)
> + nbytes = round_down(nbytes, walk.stride);
>
> - skcipher_walk_done(&walk, 0);
> + ops->crypt_chunk(state, walk.dst.virt.addr, walk.src.virt.addr,
> + nbytes);
> +
> + skcipher_walk_done(&walk, walk.nbytes - nbytes);
> }
> }
>
> --
> 2.20.1
>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
Powered by blists - more mailing lists