    crypto: skcipher - Copy iv from desc even for 0-len walks · 2b4c87db
    Jason A. Donenfeld authored
    commit 70d906bc upstream.
    
    Some ciphers actually support encrypting zero length plaintexts. For
    example, many AEAD modes support this. The resulting ciphertext for
    those winds up being only the authentication tag, which is a result of
    the key, the iv, the additional data, and the fact that the plaintext
    had zero length. The blkcipher constructors won't copy the IV to the
    right place, however, when using a zero length input, resulting in
    some significant problems when ciphers call their initialization
    routines, only to find that the ->iv parameter is uninitialized. One
    such example of this would be using chacha20poly1305 with a zero length
    input, which then calls chacha20, which calls the key setup routine,
    which eventually OOPSes due to the uninitialized ->iv member.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
blkcipher.c 19.9 KB
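
The ordering problem the commit message describes, as an added user-space C model (not the kernel's code and not the patch itself). All type and function names here (`model_desc`, `model_walk`, `walk_first_before`, `walk_first_after`, `cipher_setup`, `run`) are hypothetical, and a NULL pointer stands in for the uninitialized `->iv` so the failure is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified user-space model. These types and names are hypothetical,
 * not the kernel's blkcipher structures. */
struct model_desc { uint8_t *info; };              /* caller-supplied IV */
struct model_walk { uint8_t *iv; size_t total, nbytes; };

/* Before: zero-length walks return before the IV pointer is copied. */
static int walk_first_before(const struct model_desc *d, struct model_walk *w)
{
	w->nbytes = w->total;
	if (w->total == 0)
		return 0;                /* w->iv is never assigned */
	w->iv = d->info;
	return 0;
}

/* After: copy the IV pointer first, so even a 0-len walk exposes it. */
static int walk_first_after(const struct model_desc *d, struct model_walk *w)
{
	w->iv = d->info;
	w->nbytes = w->total;
	return 0;
}

/* Stand-in for a cipher's key/IV setup that reads walk->iv. It reports -1
 * where the real code would dereference the bad pointer. */
static int cipher_setup(const struct model_walk *w, uint8_t state[8])
{
	if (w->iv == NULL)
		return -1;
	memcpy(state, w->iv, 8);
	return 0;
}

/* Walk `len` bytes with the chosen variant; returns cipher_setup's result. */
static int run(int fixed, size_t len)
{
	uint8_t iv[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed sample IV */
	uint8_t state[8];
	struct model_desc d = { iv };
	struct model_walk w = { NULL, len, 0 };    /* NULL models "uninitialized" */

	if (fixed) walk_first_after(&d, &w); else walk_first_before(&d, &w);
	return cipher_setup(&w, state);
}

int main(void) { return (run(0, 0) == -1 && run(1, 0) == 0) ? 0 : 1; }
```

Only the zero-length case distinguishes the two variants, which is why a test suite that never encrypts an empty plaintext would not catch this class of bug.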