[PATCH] crypto: arm64/aes - fix handling sub-block CTS-CBC inputs
From: Eric Biggers In the new arm64 CTS-CBC implementation, return an error code rather than crashing on inputs shorter than AES_BLOCK_SIZE bytes. Also set cra_blocksize to AES_BLOCK_SIZE (like is done in the cts template) to indicate the minimum input size. Fixes: dd597fb33ff0 ("crypto: arm64/aes-blk - add support for CTS-CBC mode") Signed-off-by: Eric Biggers --- arch/arm64/crypto/aes-glue.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c index 26d2b0263ba63..1e676625ef33f 100644 --- a/arch/arm64/crypto/aes-glue.c +++ b/arch/arm64/crypto/aes-glue.c @@ -243,8 +243,11 @@ static int cts_cbc_encrypt(struct skcipher_request *req) skcipher_request_set_tfm(>subreq, tfm); - if (req->cryptlen == AES_BLOCK_SIZE) + if (req->cryptlen <= AES_BLOCK_SIZE) { + if (req->cryptlen < AES_BLOCK_SIZE) + return -EINVAL; cbc_blocks = 1; + } if (cbc_blocks > 0) { unsigned int blocks; @@ -305,8 +308,11 @@ static int cts_cbc_decrypt(struct skcipher_request *req) skcipher_request_set_tfm(>subreq, tfm); - if (req->cryptlen == AES_BLOCK_SIZE) + if (req->cryptlen <= AES_BLOCK_SIZE) { + if (req->cryptlen < AES_BLOCK_SIZE) + return -EINVAL; cbc_blocks = 1; + } if (cbc_blocks > 0) { unsigned int blocks; @@ -486,14 +492,13 @@ static struct skcipher_alg aes_algs[] = { { .cra_driver_name= "__cts-cbc-aes-" MODE, .cra_priority = PRIO, .cra_flags = CRYPTO_ALG_INTERNAL, - .cra_blocksize = 1, + .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize= sizeof(struct crypto_aes_ctx), .cra_module = THIS_MODULE, }, .min_keysize= AES_MIN_KEY_SIZE, .max_keysize= AES_MAX_KEY_SIZE, .ivsize = AES_BLOCK_SIZE, - .chunksize = AES_BLOCK_SIZE, .walksize = 2 * AES_BLOCK_SIZE, .setkey = skcipher_aes_setkey, .encrypt= cts_cbc_encrypt, -- 2.19.0
Re: [PATCH v2 2/2] crypto: aegis/generic - fix for big endian systems
On Mon, Oct 1, 2018 at 10:36 AM Ard Biesheuvel wrote: > Use the correct __le32 annotation and accessors to perform the > single round of AES encryption performed inside the AEGIS transform. > Otherwise, tcrypt reports: > > alg: aead: Test 1 failed on encryption for aegis128-generic > : 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e > alg: aead: Test 1 failed on encryption for aegis128l-generic > : cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28 > alg: aead: Test 1 failed on encryption for aegis256-generic > : aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c > > Fixes: f606a88e5823 ("crypto: aegis - Add generic AEGIS AEAD implementations") > Cc: # v4.18+ > Signed-off-by: Ard Biesheuvel LGTM now, thanks! Reviewed-by: Ondrej Mosnacek > --- > crypto/aegis.h | 20 +--- > 1 file changed, 9 insertions(+), 11 deletions(-) > > diff --git a/crypto/aegis.h b/crypto/aegis.h > index f1c6900ddb80..405e025fc906 100644 > --- a/crypto/aegis.h > +++ b/crypto/aegis.h > @@ -21,7 +21,7 @@ > > union aegis_block { > __le64 words64[AEGIS_BLOCK_SIZE / sizeof(__le64)]; > - u32 words32[AEGIS_BLOCK_SIZE / sizeof(u32)]; > + __le32 words32[AEGIS_BLOCK_SIZE / sizeof(__le32)]; > u8 bytes[AEGIS_BLOCK_SIZE]; > }; > > @@ -57,24 +57,22 @@ static void crypto_aegis_aesenc(union aegis_block *dst, > const union aegis_block *src, > const union aegis_block *key) > { > - u32 *d = dst->words32; > const u8 *s = src->bytes; > - const u32 *k = key->words32; > const u32 *t0 = crypto_ft_tab[0]; > const u32 *t1 = crypto_ft_tab[1]; > const u32 *t2 = crypto_ft_tab[2]; > const u32 *t3 = crypto_ft_tab[3]; > u32 d0, d1, d2, d3; > > - d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]] ^ k[0]; > - d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]] ^ k[1]; > - d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]] ^ k[2]; > - d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]] ^ k[3]; > + d0 = t0[s[ 0]] ^ t1[s[ 5]] ^ t2[s[10]] ^ t3[s[15]]; > + d1 = t0[s[ 4]] ^ t1[s[ 9]] ^ t2[s[14]] ^ t3[s[ 3]]; > + d2 = t0[s[ 8]] ^ t1[s[13]] ^ t2[s[ 2]] ^ t3[s[ 7]]; > + d3 = t0[s[12]] ^ t1[s[ 1]] ^ t2[s[ 6]] ^ t3[s[11]]; > > - d[0] = d0; > - d[1] = d1; > - d[2] = d2; > - d[3] = d3; > + dst->words32[0] = cpu_to_le32(d0) ^ key->words32[0]; > + dst->words32[1] = cpu_to_le32(d1) ^ key->words32[1]; > + dst->words32[2] = cpu_to_le32(d2) ^ key->words32[2]; > + dst->words32[3] = cpu_to_le32(d3) ^ key->words32[3]; > } > > #endif /* _CRYPTO_AEGIS_H */ > -- > 2.17.1 > -- Ondrej Mosnacek Associate Software Engineer, Security Technologies Red Hat, Inc.