From: Eric Biggers
To: linux-crypto@vger.kernel.org, Herbert Xu
Cc: linux-kernel@vger.kernel.org, "Jason A . Donenfeld", stable@vger.kernel.org, Ard Biesheuvel
Subject: [RFC/RFT PATCH 07/15] crypto: arm64/aes-neonbs - fix returning final keystream block
Date: Wed, 23 Jan 2019 14:49:18 -0800
Message-Id: <20190123224926.250525-8-ebiggers@kernel.org>
X-Mailer: git-send-email 2.20.1.321.g9e740568ce-goog
In-Reply-To: <20190123224926.250525-1-ebiggers@kernel.org>
References: <20190123224926.250525-1-ebiggers@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers

The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
skcipher tests because it sometimes produces the wrong ciphertext. The
bug is that the final keystream block isn't returned from the assembly
code when the number of non-final blocks is zero. This can happen if the
input data ends a few bytes after a page boundary. In this case the last
bytes get "encrypted" by XOR'ing them with uninitialized memory.

Fix the assembly code to return the final keystream block when needed.

Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
Cc: # v4.11+
Cc: Ard Biesheuvel
Signed-off-by: Eric Biggers
---
 arch/arm64/crypto/aes-neonbs-core.S | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/crypto/aes-neonbs-core.S b/arch/arm64/crypto/aes-neonbs-core.S
index e613a87f8b53..8432c8d0dea6 100644
--- a/arch/arm64/crypto/aes-neonbs-core.S
+++ b/arch/arm64/crypto/aes-neonbs-core.S
@@ -971,18 +971,22 @@ CPU_LE( rev x8, x8 ) 8: next_ctr v0 st1 {v0.16b}, [x24] - cbz x23, 0f + cbz x23, .Lctr_done cond_yield_neon 98b b 99b -0: frame_pop +.Lctr_done: + frame_pop ret /* * If we are handling the tail of the input (x6 != NULL), return the * final keystream block back to the caller. */ +0: cbz x25, 8b + st1 {v0.16b}, [x25] + b 8b 1: cbz x25, 8b st1 {v1.16b}, [x25] b 8b -- 2.20.1.321.g9e740568ce-goog
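Review bot: retargeting `cbz x23, 0f` to `.Lctr_done` is the only reference to the old exit label this hunk updates, and because GNU as numeric labels bind to the nearest `0:` in the branch direction, any other `0f` or `0b` in this routine outside the hunk now lands on the new keystream-return block (`0: cbz x25, 8b`, `st1 {v0.16b}, [x25]`, `b 8b`) instead of on `frame_pop`; please confirm every remaining `0f` in the function is a tail-handling caller that wants v0 stored to x25, or switch those sites to the named `.Lctr_done` as well. Minor: the comment above the new block still describes the tail check as `x6 != NULL` while both the new `0:` block and the existing `1:` block test `x25`; if x6 is copied into x25 at function entry, saying so in the comment would keep it accurate for the next reader.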