| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmME9otcAe7H4Anan8Tv1KreTZtwt4XXEPMG--x2Ljr0M+o1Q@mail.gmail.com>
Date: Wed, 18 Mar 2020 19:33:18 -0600
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: LKML <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
Emil Renner Berthing <kernel@...il.dk>,
Ard Biesheuvel <ardb@...nel.org>,
stable <stable@...r.kernel.org>
Subject: Re: [PATCH URGENT crypto] crypto: arm64/chacha - correctly walk
through blocks
Hey Eric,
On Wed, Mar 18, 2020 at 6:24 PM Eric Biggers <ebiggers@...nel.org> wrote:
> Thanks for fixing this! We definitely should get this fix to Linus for 5.6.
> But I don't think your description of this bug dating back to 2018 is accurate,
> because this bug only affects the new library interface to ChaCha20 which was
> added in v5.5. In the "regular" crypto API case, the "walksize" is set to
> '5 * CHACHA_BLOCK_SIZE', and chacha_doneon() is guaranteed to be called with a
> multiple of '5 * CHACHA_BLOCK_SIZE' except at the end. Thus the code worked
> fine with the regular crypto API.
Ahhh, that seems correct.
> > + state[12] += round_up(l, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE;
>
> Use DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE)?
Duh, oops, thanks. Will send a v2 in a few minutes.
By the way, I took a brief look at the other implementations
accessible from lib/crypto and I didn't see the same issue over there.
But I wouldn't mind an extra pair of eyes, if you want to give it a
quick look too.
Jason
Powered by blists - more mailing lists