Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Thanks,
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+30
-20
+30
-20
crypto/authencesn.c
+30
-20
crypto/authencesn.c
···
207
207
u8 *ohash = areq_ctx->tail;
208
208
unsigned int cryptlen = req->cryptlen - authsize;
209
209
unsigned int assoclen = req->assoclen;
210
+
struct scatterlist *src = req->src;
210
211
struct scatterlist *dst = req->dst;
211
212
u8 *ihash = ohash + crypto_ahash_digestsize(auth);
212
213
u32 tmp[2];
···
215
214
if (!authsize)
216
215
goto decrypt;
217
216
218
-
/* Move high-order bits of sequence number back. */
219
-
scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
220
-
scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
221
-
scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
217
+
if (src == dst) {
218
+
/* Move high-order bits of sequence number back. */
219
+
scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
220
+
scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
221
+
scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
222
+
} else
223
+
memcpy_sglist(dst, src, assoclen);
222
224
223
225
if (crypto_memneq(ihash, ohash, authsize))
224
226
return -EBADMSG;
225
227
226
228
decrypt:
227
229
228
-
sg_init_table(areq_ctx->dst, 2);
230
+
if (src != dst)
231
+
src = scatterwalk_ffwd(areq_ctx->src, src, assoclen);
229
232
dst = scatterwalk_ffwd(areq_ctx->dst, dst, assoclen);
230
233
231
234
skcipher_request_set_tfm(skreq, ctx->enc);
232
235
skcipher_request_set_callback(skreq, flags,
233
236
req->base.complete, req->base.data);
234
-
skcipher_request_set_crypt(skreq, dst, dst, cryptlen, req->iv);
237
+
skcipher_request_set_crypt(skreq, src, dst, cryptlen, req->iv);
235
238
236
239
return crypto_skcipher_decrypt(skreq);
237
240
}
···
260
255
unsigned int assoclen = req->assoclen;
261
256
unsigned int cryptlen = req->cryptlen;
262
257
u8 *ihash = ohash + crypto_ahash_digestsize(auth);
258
+
struct scatterlist *src = req->src;
263
259
struct scatterlist *dst = req->dst;
264
260
u32 tmp[2];
265
261
int err;
···
268
262
if (assoclen < 8)
269
263
return -EINVAL;
270
264
271
-
cryptlen -= authsize;
272
-
273
-
if (req->src != dst)
274
-
memcpy_sglist(dst, req->src, assoclen + cryptlen);
275
-
276
-
scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
277
-
authsize, 0);
278
-
279
265
if (!authsize)
280
266
goto tail;
281
267
282
-
/* Move high-order bits of sequence number to the end. */
283
-
scatterwalk_map_and_copy(tmp, dst, 0, 8, 0);
284
-
scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
285
-
scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
268
+
cryptlen -= authsize;
269
+
scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
270
+
authsize, 0);
286
271
287
-
sg_init_table(areq_ctx->dst, 2);
288
-
dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
272
+
/* Move high-order bits of sequence number to the end. */
273
+
scatterwalk_map_and_copy(tmp, src, 0, 8, 0);
274
+
if (src == dst) {
275
+
scatterwalk_map_and_copy(tmp, dst, 4, 4, 1);
276
+
scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 1);
277
+
dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
278
+
} else {
279
+
scatterwalk_map_and_copy(tmp, dst, 0, 4, 1);
280
+
scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen - 4, 4, 1);
281
+
282
+
src = scatterwalk_ffwd(areq_ctx->src, src, 8);
283
+
dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
284
+
memcpy_sglist(dst, src, assoclen + cryptlen - 8);
285
+
dst = req->dst;
286
+
}
289
287
290
288
ahash_request_set_tfm(ahreq, auth);
291
289
ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);