lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 18 Mar 2020 17:30:38 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
        gregkh@...uxfoundation.org, herbert@...dor.apana.org.au,
        Emil Renner Berthing <kernel@...il.dk>,
        Ard Biesheuvel <ardb@...nel.org>, stable@...r.kernel.org
Subject: Re: [PATCH URGENT crypto] crypto: arm64/chacha - correctly walk
 through blocks

On Wed, Mar 18, 2020 at 05:24:01PM -0700, Eric Biggers wrote:
> Hi Jason,
> 
> On Wed, Mar 18, 2020 at 05:45:18PM -0600, Jason A. Donenfeld wrote:
> > Prior, passing in chunks of 2, 3, or 4, followed by any additional
> > chunks would result in the chacha state counter getting out of sync,
> > resulting in incorrect encryption/decryption, which is a pretty nasty
> > crypto vuln, dating back to 2018. WireGuard users never experienced this
> > prior, because we have always, out of tree, used a different crypto
> > library, until the recent Frankenzinc addition. This commit fixes the
> > issue by advancing the pointers and state counter by the actual size
> > processed.
> > 
> > Fixes: f2ca1cbd0fb5 ("crypto: arm64/chacha - optimize for arbitrary length inputs")
> > Reported-and-tested-by: Emil Renner Berthing <kernel@...il.dk>
> > Signed-off-by: Jason A. Donenfeld <Jason@...c4.com>
> > Cc: Ard Biesheuvel <ardb@...nel.org>
> > Cc: stable@...r.kernel.org
> 
> Thanks for fixing this!  We definitely should get this fix to Linus for 5.6.
> But I don't think your description of this bug dating back to 2018 is accurate,
> because this bug only affects the new library interface to ChaCha20 which was
> added in v5.5.  In the "regular" crypto API case, the "walksize" is set to
> '5 * CHACHA_BLOCK_SIZE', and chacha_doneon() is guaranteed to be called with a
> multiple of '5 * CHACHA_BLOCK_SIZE' except at the end.  Thus the code worked
> fine with the regular crypto API.

So I think it's actually:

Fixes: b3aad5bad26a ("crypto: arm64/chacha - expose arm64 ChaCha routine as library function")
Cc: <stable@...r.kernel.org> # v5.5+

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ