Commit 02685906 authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Herbert Xu

crypto: aegis128 - wipe plaintext and tag if decryption fails

The AEGIS spec mentions explicitly that the security guarantees hold
only if the resulting plaintext and tag of a failed decryption are
withheld. So ensure that we abide by this.

While at it, drop the unused struct aead_request *req parameter from
crypto_aegis128_process_crypt().
Reviewed-by: default avatarOndrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 732b7640
...@@ -154,6 +154,12 @@ static void crypto_aegis128_ad(struct aegis_state *state, ...@@ -154,6 +154,12 @@ static void crypto_aegis128_ad(struct aegis_state *state,
} }
} }
static void crypto_aegis128_wipe_chunk(struct aegis_state *state, u8 *dst,
const u8 *src, unsigned int size)
{
memzero_explicit(dst, size);
}
static void crypto_aegis128_encrypt_chunk(struct aegis_state *state, u8 *dst, static void crypto_aegis128_encrypt_chunk(struct aegis_state *state, u8 *dst,
const u8 *src, unsigned int size) const u8 *src, unsigned int size)
{ {
...@@ -324,7 +330,6 @@ static void crypto_aegis128_process_ad(struct aegis_state *state, ...@@ -324,7 +330,6 @@ static void crypto_aegis128_process_ad(struct aegis_state *state,
static __always_inline static __always_inline
int crypto_aegis128_process_crypt(struct aegis_state *state, int crypto_aegis128_process_crypt(struct aegis_state *state,
struct aead_request *req,
struct skcipher_walk *walk, struct skcipher_walk *walk,
void (*crypt)(struct aegis_state *state, void (*crypt)(struct aegis_state *state,
u8 *dst, const u8 *src, u8 *dst, const u8 *src,
...@@ -403,14 +408,14 @@ static int crypto_aegis128_encrypt(struct aead_request *req) ...@@ -403,14 +408,14 @@ static int crypto_aegis128_encrypt(struct aead_request *req)
if (aegis128_do_simd()) { if (aegis128_do_simd()) {
crypto_aegis128_init_simd(&state, &ctx->key, req->iv); crypto_aegis128_init_simd(&state, &ctx->key, req->iv);
crypto_aegis128_process_ad(&state, req->src, req->assoclen); crypto_aegis128_process_ad(&state, req->src, req->assoclen);
crypto_aegis128_process_crypt(&state, req, &walk, crypto_aegis128_process_crypt(&state, &walk,
crypto_aegis128_encrypt_chunk_simd); crypto_aegis128_encrypt_chunk_simd);
crypto_aegis128_final_simd(&state, &tag, req->assoclen, crypto_aegis128_final_simd(&state, &tag, req->assoclen,
cryptlen); cryptlen);
} else { } else {
crypto_aegis128_init(&state, &ctx->key, req->iv); crypto_aegis128_init(&state, &ctx->key, req->iv);
crypto_aegis128_process_ad(&state, req->src, req->assoclen); crypto_aegis128_process_ad(&state, req->src, req->assoclen);
crypto_aegis128_process_crypt(&state, req, &walk, crypto_aegis128_process_crypt(&state, &walk,
crypto_aegis128_encrypt_chunk); crypto_aegis128_encrypt_chunk);
crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen); crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen);
} }
...@@ -438,19 +443,34 @@ static int crypto_aegis128_decrypt(struct aead_request *req) ...@@ -438,19 +443,34 @@ static int crypto_aegis128_decrypt(struct aead_request *req)
if (aegis128_do_simd()) { if (aegis128_do_simd()) {
crypto_aegis128_init_simd(&state, &ctx->key, req->iv); crypto_aegis128_init_simd(&state, &ctx->key, req->iv);
crypto_aegis128_process_ad(&state, req->src, req->assoclen); crypto_aegis128_process_ad(&state, req->src, req->assoclen);
crypto_aegis128_process_crypt(&state, req, &walk, crypto_aegis128_process_crypt(&state, &walk,
crypto_aegis128_decrypt_chunk_simd); crypto_aegis128_decrypt_chunk_simd);
crypto_aegis128_final_simd(&state, &tag, req->assoclen, crypto_aegis128_final_simd(&state, &tag, req->assoclen,
cryptlen); cryptlen);
} else { } else {
crypto_aegis128_init(&state, &ctx->key, req->iv); crypto_aegis128_init(&state, &ctx->key, req->iv);
crypto_aegis128_process_ad(&state, req->src, req->assoclen); crypto_aegis128_process_ad(&state, req->src, req->assoclen);
crypto_aegis128_process_crypt(&state, req, &walk, crypto_aegis128_process_crypt(&state, &walk,
crypto_aegis128_decrypt_chunk); crypto_aegis128_decrypt_chunk);
crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen); crypto_aegis128_final(&state, &tag, req->assoclen, cryptlen);
} }
return crypto_memneq(tag.bytes, zeros, authsize) ? -EBADMSG : 0; if (unlikely(crypto_memneq(tag.bytes, zeros, authsize))) {
/*
* From Chapter 4. 'Security Analysis' of the AEGIS spec [0]
*
* "3. If verification fails, the decrypted plaintext and the
* wrong authentication tag should not be given as output."
*
* [0] https://competitions.cr.yp.to/round3/aegisv11.pdf
*/
skcipher_walk_aead_decrypt(&walk, req, false);
crypto_aegis128_process_crypt(NULL, &walk,
crypto_aegis128_wipe_chunk);
memzero_explicit(&tag, sizeof(tag));
return -EBADMSG;
}
return 0;
} }
static struct aead_alg crypto_aegis128_alg = { static struct aead_alg crypto_aegis128_alg = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment