From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: x86@kernel.org, linux-arm-kernel@lists.infradead.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH 2/8] crypto: arm64/gcm-aes-ce - fix no-NEON fallback code
Date: Tue, 12 Mar 2019 22:12:46 -0700 [thread overview]
Message-ID: <20190313051252.2917-3-ebiggers@kernel.org> (raw)
In-Reply-To: <20190313051252.2917-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
The arm64 gcm-aes-ce algorithm is failing the extra crypto self-tests
following my patches to test the !may_use_simd() code paths, which
previously were untested. The problem is that in the !may_use_simd()
case, an odd number of AES blocks can be processed within each step of
the skcipher_walk. However, the skcipher_walk is being done with a
"stride" of 2 blocks and is advanced by an even number of blocks after
each step. This causes the encryption to produce the wrong ciphertext
and authentication tag, and causes the decryption to incorrectly fail.
Fix it by only processing an even number of blocks per step.
Fixes: c2b24c36e0a3 ("crypto: arm64/aes-gcm-ce - fix scatterwalk API violation")
Fixes: 71e52c278c54 ("crypto: arm64/aes-ce-gcm - operate on two input blocks at a time")
Cc: <stable@vger.kernel.org> # v4.19+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
arch/arm64/crypto/ghash-ce-glue.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
index 791ad422c427..089b09286da7 100644
--- a/arch/arm64/crypto/ghash-ce-glue.c
+++ b/arch/arm64/crypto/ghash-ce-glue.c
@@ -473,9 +473,11 @@ static int gcm_encrypt(struct aead_request *req)
put_unaligned_be32(2, iv + GCM_IV_SIZE);
while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
- int blocks = walk.nbytes / AES_BLOCK_SIZE;
+ const int blocks =
+ walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
u8 *dst = walk.dst.virt.addr;
u8 *src = walk.src.virt.addr;
+ int remaining = blocks;
do {
__aes_arm64_encrypt(ctx->aes_key.key_enc,
@@ -485,9 +487,9 @@ static int gcm_encrypt(struct aead_request *req)
dst += AES_BLOCK_SIZE;
src += AES_BLOCK_SIZE;
- } while (--blocks > 0);
+ } while (--remaining > 0);
- ghash_do_update(walk.nbytes / AES_BLOCK_SIZE, dg,
+ ghash_do_update(blocks, dg,
walk.dst.virt.addr, &ctx->ghash_key,
NULL, pmull_ghash_update_p64);
@@ -609,7 +611,7 @@ static int gcm_decrypt(struct aead_request *req)
put_unaligned_be32(2, iv + GCM_IV_SIZE);
while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
- int blocks = walk.nbytes / AES_BLOCK_SIZE;
+ int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
u8 *dst = walk.dst.virt.addr;
u8 *src = walk.src.virt.addr;
--
2.21.0
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-03-13 10:36 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 5:12 [PATCH 0/8] crypto: test the !may_use_simd() fallback code Eric Biggers
2019-03-13 5:12 ` [PATCH 1/8] crypto: chacha-generic - fix use as arm64 no-NEON fallback Eric Biggers
2019-03-13 7:50 ` Ard Biesheuvel
2019-03-13 5:12 ` Eric Biggers [this message]
2019-03-13 10:29 ` [PATCH 2/8] crypto: arm64/gcm-aes-ce - fix no-NEON fallback code Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 3/8] crypto: simd,testmgr - introduce crypto_simd_usable() Eric Biggers
2019-03-13 10:31 ` [PATCH 3/8] crypto: simd, testmgr " Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 4/8] crypto: x86 - convert to use crypto_simd_usable() Eric Biggers
2019-03-13 10:32 ` Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 5/8] crypto: arm " Eric Biggers
2019-03-13 10:33 ` Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 6/8] crypto: arm64 " Eric Biggers
2019-03-13 10:33 ` Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 7/8] crypto: simd " Eric Biggers
2019-03-13 10:34 ` Ard Biesheuvel
2019-03-13 5:12 ` [PATCH 8/8] crypto: testmgr - test the !may_use_simd() fallback code Eric Biggers
2019-03-13 10:35 ` Ard Biesheuvel
2019-03-13 10:50 ` [PATCH 0/8] crypto: " Ard Biesheuvel
2019-03-22 13:03 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190313051252.2917-3-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=ard.biesheuvel@linaro.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).