| From 441f99c90497e15aa3ad1dbabd56187e29614348 Mon Sep 17 00:00:00 2001 |
| From: Romain Izard <romain.izard.pro@gmail.com> |
| Date: Tue, 31 Oct 2017 15:42:35 +0100 |
| Subject: crypto: ccm - preserve the IV buffer |
| |
| From: Romain Izard <romain.izard.pro@gmail.com> |
| |
| commit 441f99c90497e15aa3ad1dbabd56187e29614348 upstream. |
| |
| The IV buffer used during CCM operations is used twice, during both the |
| hashing step and the ciphering step. |
| |
| When using a hardware accelerator that updates the contents of the IV |
| buffer at the end of ciphering operations, the value will be modified. |
| In the decryption case, the subsequent setup of the hashing algorithm |
| will interpret the updated IV instead of the original value, which can |
| lead to out-of-bounds writes. |
| |
| Reuse the idata buffer, only used in the hashing step, to preserve the |
| IV's value during the ciphering step in the decryption case. |
| |
| Signed-off-by: Romain Izard <romain.izard.pro@gmail.com> |
| Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com> |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| crypto/ccm.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/crypto/ccm.c |
| +++ b/crypto/ccm.c |
| @@ -413,7 +413,7 @@ static int crypto_ccm_decrypt(struct aea |
| unsigned int cryptlen = req->cryptlen; |
| u8 *authtag = pctx->auth_tag; |
| u8 *odata = pctx->odata; |
| - u8 *iv = req->iv; |
| + u8 *iv = pctx->idata; |
| int err; |
| |
| cryptlen -= authsize; |
| @@ -429,6 +429,8 @@ static int crypto_ccm_decrypt(struct aea |
| if (req->src != req->dst) |
| dst = pctx->dst; |
| |
| + memcpy(iv, req->iv, 16); |
| + |
| skcipher_request_set_tfm(skreq, ctx->ctr); |
| skcipher_request_set_callback(skreq, pctx->flags, |
| crypto_ccm_decrypt_done, req); |