diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-03-18 20:27:32 -0600 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2020-03-20 14:35:27 +1100 |
commit | c8cfcb78c65877313cda7bcbace624d3dbd1f3b3 (patch) | |
tree | a8a322ebcd9ebc7475c33426d898c649a4bb1e8d /lib/vdso | |
parent | 1579f1bc3b753d17a44de3457d5c6f4a5b14c752 (diff) | |
download | linux-riscv-c8cfcb78c65877313cda7bcbace624d3dbd1f3b3.tar.gz linux-riscv-c8cfcb78c65877313cda7bcbace624d3dbd1f3b3.tar.bz2 linux-riscv-c8cfcb78c65877313cda7bcbace624d3dbd1f3b3.zip |
crypto: arm64/chacha - correctly walk through blocks
Prior, passing in chunks of 2, 3, or 4, followed by any additional
chunks would result in the chacha state counter getting out of sync,
resulting in incorrect encryption/decryption, which is a pretty nasty
crypto vuln: "why do images look weird on webpages?" WireGuard users
never experienced this prior, because we have always, out of tree, used
a different crypto library, until the recent Frankenzinc addition. This
commit fixes the issue by advancing the pointers and state counter by
the actual size processed. It also fixes up a bug in the (optional,
costly) stride test that prevented it from running on arm64.
Fixes: b3aad5bad26a ("crypto: arm64/chacha - expose arm64 ChaCha routine as library function")
Reported-and-tested-by: Emil Renner Berthing <kernel@esmil.dk>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'lib/vdso')
0 files changed, 0 insertions, 0 deletions