Re: [PATCH] crypto: arm/speck - fix building in Thumb2 mode

On 19 June 2018 at 00:33, Eric Biggers wrote: > Building the kernel with CONFIG_THUMB2_KERNEL=y and > CONFIG_CRYPTO_SPECK_NEON set fails with the following errors: > > arch/arm/crypto/speck-neon-core.S: Assembler messages: > > arch/arm/crypto/speck-neon-core.S:419: Error: r13 not allowed h

[PATCH] crypto: arm/speck - fix building in Thumb2 mode

Building the kernel with CONFIG_THUMB2_KERNEL=y and CONFIG_CRYPTO_SPECK_NEON set fails with the following errors: arch/arm/crypto/speck-neon-core.S: Assembler messages: arch/arm/crypto/speck-neon-core.S:419: Error: r13 not allowed here -- `bic sp,#0xf' arch/arm/crypto/speck-neon-core

Re: [PATCH v3 3/5] crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS

On 18 June 2018 at 23:56, Eric Biggers wrote: > On Sun, Jun 17, 2018 at 01:10:41PM +0200, Ard Biesheuvel wrote: >> > + >> > + // One-time XTS preparation >> > + >> > + /* >> > + * Allocate stack space to store 128 bytes worth of tweaks. For >> > + * perfo

Re: [PATCH v3 3/5] crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS

On Sun, Jun 17, 2018 at 01:10:41PM +0200, Ard Biesheuvel wrote: > > + > > + // One-time XTS preparation > > + > > + /* > > + * Allocate stack space to store 128 bytes worth of tweaks. For > > + * performance, this space is aligned to a 16-byte boundary so

[PATCH 4/4] crypto: vmac - remove insecure version with hardcoded nonce

From: Eric Biggers Remove the original version of the VMAC template that had the nonce hardcoded to 0 and produced a digest with the wrong endianness. I'm unsure whether this had users or not (there are no explicit in-kernel references to it), but given that the hardcoded nonce made it wildly in

[PATCH 0/4] crypto: vmac - various fixes

From: Eric Biggers Hi, this series fixes various bugs in the VMAC template (crypto/vmac.c). First, the per-request context was being stored in the transform context, which made VMAC not thread-safe, and the kernel could be crashed by using the same VMAC transform in multiple threads using AF_ALG

[PATCH 1/4] crypto: vmac - require a block cipher with 128-bit block size

From: Eric Biggers The VMAC template assumes the block cipher has a 128-bit block size, but it failed to check for that. Thus it was possible to instantiate it using a 64-bit block size cipher, e.g. "vmac(cast5)", causing uninitialized memory to be used. Add the needed check when instantiating

[PATCH 3/4] crypto: vmac - add nonced version with big endian digest

From: Eric Biggers Currently the VMAC template uses a "nonce" hardcoded to 0, which makes it insecure unless a unique key is set for every message. Also, the endianness of the final digest is wrong: the implementation uses little endian, but the VMAC specification has it as big endian, as do oth

[PATCH 2/4] crypto: vmac - separate tfm and request context

From: Eric Biggers syzbot reported a crash in vmac_final() when multiple threads concurrently use the same "vmac(aes)" transform through AF_ALG. The bug is pretty fundamental: the VMAC template doesn't separate per-request state from per-tfm (per-key) state like the other hash algorithms do, but