linux/arch/arm64/crypto
Eric Biggers 12455e320e crypto: arm64/aes-neonbs - fix returning final keystream block
The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
skcipher tests because it sometimes produces the wrong ciphertext.  The
bug is that the final keystream block isn't returned from the assembly
code when the number of non-final blocks is zero.  This can happen if
the input data ends a few bytes after a page boundary.  In this case the
last bytes get "encrypted" by XOR'ing them with uninitialized memory.

Fix the assembly code to return the final keystream block when needed.

Fixes: 88a3f582be ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
Cc: <stable@vger.kernel.org> # v4.11+
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-02-08 15:30:08 +08:00
..
.gitignore crypto: arm64/sha2 - add generated .S files to .gitignore 2016-11-29 16:06:56 +08:00
aes-ce-ccm-core.S crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling 2019-02-01 14:42:05 +08:00
aes-ce-ccm-glue.c crypto: arm64/aes-ccm - don't use an atomic walk needlessly 2019-02-01 14:42:05 +08:00
aes-ce-core.S crypto: arm64/aes-ce-cipher - move assembler code to .S file 2017-11-29 17:33:30 +11:00
aes-ce-glue.c crypto: arm64/aes-ce-cipher - move assembler code to .S file 2017-11-29 17:33:30 +11:00
aes-ce-setkey.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
aes-ce.S crypto: arm64/aes-blk - improve XTS mask handling 2018-09-21 13:24:50 +08:00
aes-cipher-core.S crypto: arm64/aes-cipher - move S-box to .rodata section 2018-01-18 23:00:30 +11:00
aes-cipher-glue.c crypto: arm64/aes - add scalar implementation 2017-01-13 00:26:49 +08:00
aes-ctr-fallback.h crypto: arm64/aes-blk - add a non-SIMD fallback for synchronous CTR 2017-08-04 09:27:21 +08:00
aes-glue.c crypto: arm64/aes - fix handling sub-block CTS-CBC inputs 2018-10-08 13:47:02 +08:00
aes-modes.S crypto: arm64/aes-blk - ensure XTS mask is always loaded 2018-10-12 14:20:45 +08:00
aes-neon.S crypto: arm64/aes-blk - improve XTS mask handling 2018-09-21 13:24:50 +08:00
aes-neonbs-core.S crypto: arm64/aes-neonbs - fix returning final keystream block 2019-02-08 15:30:08 +08:00
aes-neonbs-glue.c crypto: arm64/aes-bs - move kernel mode neon en/disable into loop 2018-03-16 23:35:55 +08:00
chacha-neon-core.S crypto: arm64/chacha - use combined SIMD/ALU routine for more speed 2018-12-13 18:24:55 +08:00
chacha-neon-glue.c crypto: arm64/chacha - use combined SIMD/ALU routine for more speed 2018-12-13 18:24:55 +08:00
crct10dif-ce-core.S crypto: arm64/crct10dif-ce - cleanup and optimizations 2019-02-08 15:29:48 +08:00
crct10dif-ce-glue.c crypto: arm64/crct10dif-ce - cleanup and optimizations 2019-02-08 15:29:48 +08:00
ghash-ce-core.S crypto: arm64/ghash-ce - implement 4-way aggregation 2018-08-07 17:51:40 +08:00
ghash-ce-glue.c crypto: arm64/ghash - register PMULL variants as separate algos 2019-02-01 14:44:38 +08:00
Kconfig crypto: arm64/chacha - add XChaCha12 support 2018-12-13 18:24:37 +08:00
Makefile Kbuild updates for v4.21 2018-12-29 12:03:17 -08:00
nh-neon-core.S crypto: arm64/nhpoly1305 - add NEON-accelerated NHPoly1305 2018-12-13 18:24:35 +08:00
nhpoly1305-neon-glue.c crypto: arm64/nhpoly1305 - add NEON-accelerated NHPoly1305 2018-12-13 18:24:35 +08:00
sha1-ce-core.S crypto: arm64/sha1-ce - yield NEON after every block of input 2018-05-12 00:13:05 +08:00
sha1-ce-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha2-ce-core.S crypto: arm64/sha2-ce - yield NEON after every block of input 2018-05-12 00:13:06 +08:00
sha2-ce-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha3-ce-core.S crypto: arm64/sha3-ce - yield NEON after every block of input 2018-05-12 00:13:11 +08:00
sha3-ce-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha256-core.S_shipped crypto: clarify licensing of OpenSSL asm code 2018-05-31 00:13:44 +08:00
sha256-glue.c crypto: arm64/sha256 - increase cra_priority of scalar implementations 2018-07-27 19:16:38 +08:00
sha512-armv8.pl crypto: clarify licensing of OpenSSL asm code 2018-05-31 00:13:44 +08:00
sha512-ce-core.S crypto: arm64/sha512-ce - yield NEON after every block of input 2018-05-12 00:13:12 +08:00
sha512-ce-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sha512-core.S_shipped crypto: clarify licensing of OpenSSL asm code 2018-05-31 00:13:44 +08:00
sha512-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sm3-ce-core.S crypto: arm64/sm3 - new v8.2 Crypto Extensions implementation 2018-01-26 01:10:35 +11:00
sm3-ce-glue.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
sm4-ce-core.S crypto: arm64 - add support for SM4 encryption using special instructions 2018-05-05 14:52:53 +08:00
sm4-ce-glue.c crypto: arm64/sm4-ce - check for the right CPU feature bit 2018-08-25 19:50:41 +08:00