Re: [PATCH 1/2] blkcipher: Copy iv from desc even for 0-len walks

2015-12-09 Thread Herbert Xu 
On Sun, Dec 06, 2015 at 02:51:37AM +0100, Jason A. Donenfeld wrote:
> Some ciphers actually support encrypting zero length plaintexts. For
> example, many AEAD modes support this. The resulting ciphertext for
> those winds up being only the authentication tag, which is a result of
> the key, the iv, the additional data, and the fact that the plaintext
> had zero length. The blkcipher constructors won't copy the IV to the
> right place, however, when using a zero length input, resulting in
> some significant problems when ciphers call their initialization
> routines, only to find that the ->iv parameter is uninitialized. One
> such example of this would be using chacha20poly1305 with a zero length
> input, which then calls chacha20, which calls the key setup routine,
> which eventually OOPSes due to the uninitialized ->iv member.
> 
> Signed-off-by: Jason A. Donenfeld 
> Cc: 

Applied to crypto.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 1/2] blkcipher: Copy iv from desc even for 0-len walks

2015-12-05 Thread Jason A. Donenfeld 
Some ciphers actually support encrypting zero length plaintexts. For
example, many AEAD modes support this. The resulting ciphertext for
those winds up being only the authentication tag, which is a result of
the key, the iv, the additional data, and the fact that the plaintext
had zero length. The blkcipher constructors won't copy the IV to the
right place, however, when using a zero length input, resulting in
some significant problems when ciphers call their initialization
routines, only to find that the ->iv parameter is uninitialized. One
such example of this would be using chacha20poly1305 with a zero length
input, which then calls chacha20, which calls the key setup routine,
which eventually OOPSes due to the uninitialized ->iv member.

Signed-off-by: Jason A. Donenfeld 
Cc: 
---
 crypto/ablkcipher.c | 2 +-
 crypto/blkcipher.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
index b4ffc5b..e5b5721 100644
--- a/crypto/ablkcipher.c
+++ b/crypto/ablkcipher.c
@@ -277,12 +277,12 @@ static int ablkcipher_walk_first(struct 
ablkcipher_request *req,
if (WARN_ON_ONCE(in_irq()))
return -EDEADLK;
 
+   walk->iv = req->info;
walk->nbytes = walk->total;
if (unlikely(!walk->total))
return 0;
 
walk->iv_buffer = NULL;
-   walk->iv = req->info;
if (unlikely(((unsigned long)walk->iv & alignmask))) {
int err = ablkcipher_copy_iv(walk, tfm, alignmask);
 
diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
index 11b9814..8cc1622 100644
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -326,12 +326,12 @@ static int blkcipher_walk_first(struct blkcipher_desc 
*desc,
if (WARN_ON_ONCE(in_irq()))
return -EDEADLK;
 
+   walk->iv = desc->info;
walk->nbytes = walk->total;
if (unlikely(!walk->total))
return 0;
 
walk->buffer = NULL;
-   walk->iv = desc->info;
if (unlikely(((unsigned long)walk->iv & walk->alignmask))) {
int err = blkcipher_copy_iv(walk);
if (err)
-- 
2.6.3

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html