mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-22 06:57:57 +00:00
d540725871
Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
84 lines
2.9 KiB
Diff
84 lines
2.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Eric Biggers <ebiggers@google.com>
|
|
Date: Sun, 17 Nov 2019 23:22:16 -0800
|
|
Subject: [PATCH] crypto: lib/chacha20poly1305 - use chacha20_crypt()
|
|
|
|
commit 413808b71e6204b0cc1eeaa77960f7c3cd381d33 upstream.
|
|
|
|
Use chacha20_crypt() instead of chacha_crypt(), since it's not really
|
|
appropriate for users of the ChaCha library API to be passing the number
|
|
of rounds as an argument.
|
|
|
|
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
Acked-by: Ard Biesheuvel <ardb@kernel.org>
|
|
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
---
|
|
lib/crypto/chacha20poly1305.c | 16 ++++++++--------
|
|
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
|
|
--- a/lib/crypto/chacha20poly1305.c
|
|
+++ b/lib/crypto/chacha20poly1305.c
|
|
@@ -66,14 +66,14 @@ __chacha20poly1305_encrypt(u8 *dst, cons
|
|
__le64 lens[2];
|
|
} b;
|
|
|
|
- chacha_crypt(chacha_state, b.block0, pad0, sizeof(b.block0), 20);
|
|
+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
|
|
poly1305_init(&poly1305_state, b.block0);
|
|
|
|
poly1305_update(&poly1305_state, ad, ad_len);
|
|
if (ad_len & 0xf)
|
|
poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
|
|
|
|
- chacha_crypt(chacha_state, dst, src, src_len, 20);
|
|
+ chacha20_crypt(chacha_state, dst, src, src_len);
|
|
|
|
poly1305_update(&poly1305_state, dst, src_len);
|
|
if (src_len & 0xf)
|
|
@@ -140,7 +140,7 @@ __chacha20poly1305_decrypt(u8 *dst, cons
|
|
if (unlikely(src_len < POLY1305_DIGEST_SIZE))
|
|
return false;
|
|
|
|
- chacha_crypt(chacha_state, b.block0, pad0, sizeof(b.block0), 20);
|
|
+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
|
|
poly1305_init(&poly1305_state, b.block0);
|
|
|
|
poly1305_update(&poly1305_state, ad, ad_len);
|
|
@@ -160,7 +160,7 @@ __chacha20poly1305_decrypt(u8 *dst, cons
|
|
|
|
ret = crypto_memneq(b.mac, src + dst_len, POLY1305_DIGEST_SIZE);
|
|
if (likely(!ret))
|
|
- chacha_crypt(chacha_state, dst, src, dst_len, 20);
|
|
+ chacha20_crypt(chacha_state, dst, src, dst_len);
|
|
|
|
memzero_explicit(&b, sizeof(b));
|
|
|
|
@@ -241,7 +241,7 @@ bool chacha20poly1305_crypt_sg_inplace(s
|
|
b.iv[1] = cpu_to_le64(nonce);
|
|
|
|
chacha_init(chacha_state, b.k, (u8 *)b.iv);
|
|
- chacha_crypt(chacha_state, b.block0, pad0, sizeof(b.block0), 20);
|
|
+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
|
|
poly1305_init(&poly1305_state, b.block0);
|
|
|
|
if (unlikely(ad_len)) {
|
|
@@ -278,14 +278,14 @@ bool chacha20poly1305_crypt_sg_inplace(s
|
|
|
|
if (unlikely(length < sl))
|
|
l &= ~(CHACHA_BLOCK_SIZE - 1);
|
|
- chacha_crypt(chacha_state, addr, addr, l, 20);
|
|
+ chacha20_crypt(chacha_state, addr, addr, l);
|
|
addr += l;
|
|
length -= l;
|
|
}
|
|
|
|
if (unlikely(length > 0)) {
|
|
- chacha_crypt(chacha_state, b.chacha_stream, pad0,
|
|
- CHACHA_BLOCK_SIZE, 20);
|
|
+ chacha20_crypt(chacha_state, b.chacha_stream, pad0,
|
|
+ CHACHA_BLOCK_SIZE);
|
|
crypto_xor(addr, b.chacha_stream, length);
|
|
partial = length;
|
|
}
|