Commit 4bca5a9a authored by Eric Biggers's avatar Eric Biggers Committed by Greg Kroah-Hartman

crypto: arm64/aes-neonbs - fix returning final keystream block

commit 12455e32 upstream.

The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
skcipher tests because it sometimes produces the wrong ciphertext.  The
bug is that the final keystream block isn't returned from the assembly
code when the number of non-final blocks is zero.  This can happen if
the input data ends a few bytes after a page boundary.  In this case the
last bytes get "encrypted" by XOR'ing them with uninitialized memory.

Fix the assembly code to return the final keystream block when needed.

Fixes: 88a3f582 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
Cc: <stable@vger.kernel.org> # v4.11+
Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0beb34b8
...@@ -971,18 +971,22 @@ CPU_LE( rev x8, x8 ) ...@@ -971,18 +971,22 @@ CPU_LE( rev x8, x8 )
8: next_ctr v0 8: next_ctr v0
st1 {v0.16b}, [x24] st1 {v0.16b}, [x24]
cbz x23, 0f cbz x23, .Lctr_done
cond_yield_neon 98b cond_yield_neon 98b
b 99b b 99b
0: frame_pop .Lctr_done:
frame_pop
ret ret
/* /*
* If we are handling the tail of the input (x6 != NULL), return the * If we are handling the tail of the input (x6 != NULL), return the
* final keystream block back to the caller. * final keystream block back to the caller.
*/ */
0: cbz x25, 8b
st1 {v0.16b}, [x25]
b 8b
1: cbz x25, 8b 1: cbz x25, 8b
st1 {v1.16b}, [x25] st1 {v1.16b}, [x25]
b 8b b 8b
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment