Commit 580e295
crypto: arm64/gcm-aes-ce - fix no-NEON fallback code
The arm64 gcm-aes-ce algorithm is failing the extra crypto self-tests
following my patches to test the !may_use_simd() code paths, which
previously were untested. The problem is that in the !may_use_simd()
case, an odd number of AES blocks can be processed within each step of
the skcipher_walk. However, the skcipher_walk is being done with a
"stride" of 2 blocks and is advanced by an even number of blocks after
each step. This causes the encryption to produce the wrong ciphertext
and authentication tag, and causes the decryption to incorrectly fail.
Fix it by only processing an even number of blocks per step.
Fixes: c2b24c3 ("crypto: arm64/aes-gcm-ce - fix scatterwalk API violation")
Fixes: 71e52c2 ("crypto: arm64/aes-ce-gcm - operate on two input blocks at a time")
Cc: <[email protected]> # v4.19+
Signed-off-by: Eric Biggers <[email protected]>
Reviewed-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>1 parent 7aceaae commit 580e295
1 file changed
+6
-4
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
473 | 473 | | |
474 | 474 | | |
475 | 475 | | |
476 | | - | |
| 476 | + | |
| 477 | + | |
477 | 478 | | |
478 | 479 | | |
| 480 | + | |
479 | 481 | | |
480 | 482 | | |
481 | 483 | | |
| |||
485 | 487 | | |
486 | 488 | | |
487 | 489 | | |
488 | | - | |
| 490 | + | |
489 | 491 | | |
490 | | - | |
| 492 | + | |
491 | 493 | | |
492 | 494 | | |
493 | 495 | | |
| |||
609 | 611 | | |
610 | 612 | | |
611 | 613 | | |
612 | | - | |
| 614 | + | |
613 | 615 | | |
614 | 616 | | |
615 | 617 | | |
| |||
0 commit comments