[PATCH 2/2] crypto: talitos - Fix timing leak in ESP ICV verification

2015-11-15 Thread David Gstir
Using non-constant-time memcmp() makes the verification of the authentication tag in the decrypt path vulnerable to timing attacks. Fix this by using crypto_memneq() instead. Signed-off-by: David Gstir <da...@sigma-star.at> --- drivers/crypto/talitos.c | 2 +- 1 file changed, 1 insertion

[PATCH 1/2] crypto: nx - Fix timing leak in GCM and CCM decryption

2015-11-15 Thread David Gstir
Using non-constant-time memcmp() makes the verification of the authentication tag in the decrypt path vulnerable to timing attacks. Fix this by using crypto_memneq() instead. Signed-off-by: David Gstir <da...@sigma-star.at> --- drivers/crypto/nx/nx-aes-ccm.c | 2 +- drivers/crypto/nx/
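Both timing-leak patches above (talitos and nx) make the same change: the ICV/tag comparison in the decrypt path must not stop at the first mismatching byte. The following stand-alone C program is an added illustration, not code from either patch or from the kernel: it instruments an early-exit comparison next to a crypto_memneq()-shaped one and counts how many tag bytes each one inspects for a forgery whose first wrong byte sits at a given position. The tag bytes, the `touched` counter, the `icv_check_*` names and the `EBADMSG_ERR` value are all assumptions made for this example; the kernel's crypto_memneq() additionally uses OPTIMIZER_HIDE_VAR() to stop the compiler from reintroducing a short-circuit, which the `volatile` accesses stand in for here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICV_LEN 16
/* Stand-in for -EBADMSG, the error an AEAD decrypt returns on a bad tag.
 * The numeric value is an assumption for this stand-alone example. */
#define EBADMSG_ERR (-74)

/* The pattern the patches replace: memcmp()-style early exit.
 * `touched` counts the bytes inspected, i.e. what a timing attacker measures. */
int icv_check_leaky(const uint8_t *expected, const uint8_t *got, size_t len,
                    size_t *touched)
{
    *touched = 0;
    for (size_t i = 0; i < len; i++) {
        (*touched)++;
        if (expected[i] != got[i])
            return EBADMSG_ERR;      /* leaks the index of the first wrong byte */
    }
    return 0;
}

/* Same shape as crypto_memneq(): OR together every byte difference and never
 * exit early. Returns 0 if and only if the two buffers are equal. */
unsigned long ct_memneq(const void *a, const void *b, size_t len, size_t *touched)
{
    const volatile uint8_t *pa = a, *pb = b;
    volatile unsigned long neq = 0;

    *touched = 0;
    for (size_t i = 0; i < len; i++) {
        neq |= (unsigned long)(pa[i] ^ pb[i]);
        (*touched)++;
    }
    return neq;
}

/* The replacement the patches introduce: reject only after all bytes were read. */
int icv_check_ct(const uint8_t *expected, const uint8_t *got, size_t len,
                 size_t *touched)
{
    return ct_memneq(expected, got, len, touched) ? EBADMSG_ERR : 0;
}

/* Constructed sample tag; any 16 bytes will do for the demonstration. */
static const uint8_t TAG[ICV_LEN] = {
    0x3c, 0xa1, 0x5e, 0x07, 0x99, 0xd2, 0x48, 0x6b,
    0x10, 0xef, 0x25, 0x7a, 0xc4, 0x91, 0x0d, 0xb8
};

/* Build a forgery that is correct up to byte `pos` and wrong from there on. */
static void make_forgery(size_t pos, uint8_t out[ICV_LEN])
{
    memcpy(out, TAG, ICV_LEN);
    out[pos] ^= 0x80;
}

/* Bytes inspected by the early-exit check for a forgery wrong at `pos`. */
size_t leaky_bytes_touched(size_t pos)
{
    uint8_t forged[ICV_LEN];
    size_t touched;
    make_forgery(pos, forged);
    icv_check_leaky(TAG, forged, ICV_LEN, &touched);
    return touched;                  /* pos + 1: position-dependent */
}

/* Bytes inspected by the constant-time check for the same forgery. */
size_t ct_bytes_touched(size_t pos)
{
    uint8_t forged[ICV_LEN];
    size_t touched;
    make_forgery(pos, forged);
    icv_check_ct(TAG, forged, ICV_LEN, &touched);
    return touched;                  /* always ICV_LEN */
}

/* Result codes, so the checker's verdict is also visible to a caller. */
int ct_verdict_genuine(void)
{
    uint8_t copy[ICV_LEN];
    size_t touched;
    memcpy(copy, TAG, ICV_LEN);
    return icv_check_ct(TAG, copy, ICV_LEN, &touched);
}

int ct_verdict_forged(size_t pos)
{
    uint8_t forged[ICV_LEN];
    size_t touched;
    make_forgery(pos, forged);
    return icv_check_ct(TAG, forged, ICV_LEN, &touched);
}

int main(void)
{
    for (size_t pos = 0; pos < ICV_LEN; pos += 5)
        printf("first wrong byte at %2zu: leaky touched %2zu bytes, "
               "constant-time touched %2zu bytes\n",
               pos, leaky_bytes_touched(pos), ct_bytes_touched(pos));
    return 0;
}
```

The early-exit version gives an attacker a byte-at-a-time oracle: guess a tag, watch the rejection time grow as more leading bytes are correct. The crypto_memneq()-style version reads every byte regardless, and only its final OR decides between 0 and the error.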

Re: Geode LX AES/RNG driver triggers warning

2017-01-06 Thread David Gstir
PrasannaKumar, > On 06.01.2017, at 10:40, PrasannaKumar Muralidharan > wrote: > >>> I narrowed it down to commit 6e9b5e76882c ("hwrng: geode - Migrate to >>> managed API") which seems to introduce this. It looks to me like some issue >>> between devres, the Geode

Geode LX AES/RNG driver triggers warning

2016-12-30 Thread David Gstir
Hi! I recently tested kernel v4.9 on my AMD Geode platform and noticed that its AES hardware driver triggers this warning on initialization: [1.265708] [ cut here ] [1.267932] WARNING: CPU: 0 PID: 1 at drivers/base/dd.c:344 driver_probe_device+0x5d/0x1ad [

[PATCH] crypto: caam - properly set IV after {en,de}crypt

2017-06-28 Thread David Gstir
r.kernel.org> # 4.8+ Signed-off-by: David Gstir <da...@sigma-star.at> --- drivers/crypto/caam/caamalg.c | 20 ++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index 398807d1b77e..c45b5bf65254

Re: [RFC PATCH 1/2] crypto: caam - properly set IV after {en,de}crypt

2017-06-25 Thread David Gstir
Herbert, > On 20 Jun 2017, at 03:28, Herbert Xu wrote: > > On Mon, Jun 19, 2017 at 10:31:27AM +, Horia Geantă wrote: >> >> IIUC, IV update is required only in case of CBC. >> Since this callback is used also for CTR, we should avoid the copy: >> if

[RFC PATCH 2/2] crypto: caam - fix k*alloc if called from own cipher callback

2017-06-02 Thread David Gstir
flags. In most cases we will still use GFP_KERNEL if the flags CRYPTO_TFM_REQ_MAY_SLEEP or CRYPTO_TFM_REQ_MAY_BACKLOG are set for the cipher request. Signed-off-by: David Gstir <da...@sigma-star.at> --- drivers/crypto/caam/caamalg.c | 29 + 1 file changed, 21 inse

[RFC PATCH 0/2] crypto: caam - fix cts(cbc(aes)) with CAAM driver

2017-06-02 Thread David Gstir
Hi! While testing fscrypt's filename encryption, I noticed that the implementation of cts(cbc(aes)) is broken when the CAAM hardware crypto driver is enabled. Some digging showed that the refactoring of crypto/cts.c in v4.8 (commit 0605c41cc53ca) exposed some problems with CAAM's aes-cbc

[RFC PATCH 1/2] crypto: caam - properly set IV after {en,de}crypt

2017-06-02 Thread David Gstir
) when the CAAM driver is enabled. This patch fixes the CAAM driver to properly set the IV after the {en,de}crypt operation of ablkcipher finishes. Signed-off-by: David Gstir <da...@sigma-star.at> --- drivers/crypto/caam/caamalg.c | 26 -- 1 file changed, 24 inse
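The cover letter and patch 1/2 above describe cts(cbc(aes)) breaking because the driver did not write the last ciphertext block back into the request IV after a CBC operation. The C program below is an added example, not code from the CAAM driver or from crypto/cts.c: it runs the CBC chaining logic over a stand-in block permutation (explicitly not a cipher, and not AES) and shows that encrypting three blocks in one request equals encrypting two blocks and then one only when the IV handed to the second request is the last ciphertext block of the first, which is exactly the update the patch adds. The key, IV and plaintext are constructed values, and the function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16

/* Stand-in for AES: rotate bytes by one and XOR a key. Invertible but NOT a
 * cipher; it exists only so the CBC chaining can run without a crypto library. */
static void toy_block_encrypt(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK])
{
    for (int i = 0; i < BLK; i++)
        out[i] = in[(i + 1) % BLK] ^ key[i];
}

static void toy_block_decrypt(const uint8_t key[BLK], const uint8_t in[BLK], uint8_t out[BLK])
{
    for (int i = 0; i < BLK; i++)
        out[(i + 1) % BLK] = in[i] ^ key[i];
}

/* CBC encrypt nblocks. On return `iv` holds the last ciphertext block, which is
 * what a caller chaining a second request (as cts does) expects to find there. */
void cbc_encrypt(const uint8_t key[BLK], uint8_t iv[BLK],
                 const uint8_t *in, uint8_t *out, size_t nblocks)
{
    uint8_t x[BLK];
    for (size_t b = 0; b < nblocks; b++) {
        for (int i = 0; i < BLK; i++)
            x[i] = in[b * BLK + i] ^ iv[i];
        toy_block_encrypt(key, x, out + b * BLK);
        memcpy(iv, out + b * BLK, BLK);          /* the IV update the patch adds */
    }
}

/* CBC decrypt. On return `iv` holds the last ciphertext block consumed. */
void cbc_decrypt(const uint8_t key[BLK], uint8_t iv[BLK],
                 const uint8_t *in, uint8_t *out, size_t nblocks)
{
    uint8_t c[BLK], x[BLK];
    for (size_t b = 0; b < nblocks; b++) {
        memcpy(c, in + b * BLK, BLK);            /* keep a copy in case in == out */
        toy_block_decrypt(key, c, x);
        for (int i = 0; i < BLK; i++)
            out[b * BLK + i] = x[i] ^ iv[i];
        memcpy(iv, c, BLK);
    }
}

/* Constructed sample key, IV and 3-block plaintext. */
static const uint8_t KEY[BLK] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const uint8_t IV0[BLK] = { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
                                  0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };

static void fill_plaintext(uint8_t pt[3 * BLK])
{
    for (size_t i = 0; i < 3 * BLK; i++)
        pt[i] = (uint8_t)(i * 7 + 3);
}

/* One-shot 3-block request versus 2 blocks + 1 block with the IV carried over. */
int chained_split_matches_oneshot(void)
{
    uint8_t pt[3 * BLK], one[3 * BLK], two[3 * BLK], iv[BLK];
    fill_plaintext(pt);

    memcpy(iv, IV0, BLK);
    cbc_encrypt(KEY, iv, pt, one, 3);

    memcpy(iv, IV0, BLK);
    cbc_encrypt(KEY, iv, pt, two, 2);            /* iv now == two[16..31] */
    cbc_encrypt(KEY, iv, pt + 2 * BLK, two + 2 * BLK, 1);
    return memcmp(one, two, 3 * BLK) == 0;       /* 1: identical */
}

/* Same split, but simulating a driver that leaves the request IV untouched. */
int stale_iv_split_matches_oneshot(void)
{
    uint8_t pt[3 * BLK], one[3 * BLK], two[3 * BLK], iv[BLK];
    fill_plaintext(pt);

    memcpy(iv, IV0, BLK);
    cbc_encrypt(KEY, iv, pt, one, 3);

    memcpy(iv, IV0, BLK);
    cbc_encrypt(KEY, iv, pt, two, 2);
    memcpy(iv, IV0, BLK);                        /* bug: second request sees the original IV */
    cbc_encrypt(KEY, iv, pt + 2 * BLK, two + 2 * BLK, 1);
    return memcmp(one, two, 3 * BLK) == 0;       /* 0: third block differs */
}

/* Decrypt side: after a 2-block decrypt the IV must be the second ciphertext block. */
int decrypt_roundtrip_and_iv_ok(void)
{
    uint8_t pt[3 * BLK], ct[3 * BLK], back[3 * BLK], iv[BLK];
    fill_plaintext(pt);

    memcpy(iv, IV0, BLK);
    cbc_encrypt(KEY, iv, pt, ct, 3);

    memcpy(iv, IV0, BLK);
    cbc_decrypt(KEY, iv, ct, back, 2);
    if (memcmp(iv, ct + BLK, BLK) != 0)
        return 0;
    cbc_decrypt(KEY, iv, ct + 2 * BLK, back + 2 * BLK, 1);
    return memcmp(pt, back, 3 * BLK) == 0;
}

int main(void)
{
    printf("chained split matches one-shot: %d\n", chained_split_matches_oneshot());
    printf("stale-IV split matches one-shot: %d\n", stale_iv_split_matches_oneshot());
    printf("decrypt round-trip with IV chaining: %d\n", decrypt_roundtrip_and_iv_ok());
    return 0;
}
```

This is the dependency cts relies on: it issues the CBC request for all but the last two blocks and then finishes the ciphertext-stealing step using whatever IV the inner cipher wrote back, so a driver that leaves the IV at its input value silently produces a wrong final block rather than an error.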

Re: [RFC PATCH 0/2] crypto: caam - fix cts(cbc(aes)) with CAAM driver

2017-06-13 Thread David Gstir
Friendly ping. Any feedback on that? Thanks, David > On 2 Jun 2017, at 14:24, David Gstir <da...@sigma-star.at> wrote: > > Hi! > > While testing fscrypt's filename encryption, I noticed that the implementation > of cts(cbc(aes)) is broken when the CAAM hardware crypto d

Re: [RFC PATCH 0/2] crypto: caam - fix cts(cbc(aes)) with CAAM driver

2017-06-17 Thread David Gstir
Horia, > On 16 Jun 2017, at 23:01, Horia Geantă wrote: > > On 6/16/2017 11:00 AM, Herbert Xu wrote: >> On Fri, Jun 16, 2017 at 07:57:00AM +, Horia Geantă wrote: >>> >>> Commit 0605c41cc53ca ("crypto: cts - Convert to skcipher") appends >>> CRYPTO_TFM_REQ_MAY_BACKLOG

Re: [RFC PATCH 1/2] crypto: caam - properly set IV after {en,de}crypt

2017-06-28 Thread David Gstir
Horia, > On 28 Jun 2017, at 10:32, Horia Geantă wrote: > >>> + sg_pcopy_to_buffer(req->dst, nents, req->info, ivsize, >>> + req->nbytes - ivsize); >> >> scatterwalk_map_and_copy() should be used instead. >> > David, IIUC this is the only change

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-11 Thread David Gstir
> On 08.12.2017, at 03:51, Jason A. Donenfeld wrote: > > Hi Eric, > > Nice to see more use of ChaCha20. However... > > Can we skip over the "sort of worse than XTS, but not having _real_ > authentication sucks anyway in either case, so whatever" and move > directly to, "linux