From patchwork Sun Dec 6 01:51:37 2015
X-Patchwork-Submitter: "Jason A. Donenfeld"
X-Patchwork-Id: 7776151
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: "Jason A. Donenfeld"
To: herbert@gondor.apana.org.au, davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Netdev, martin@strongswan.org
Cc: "Jason A. Donenfeld", stable@vger.kernel.org
Subject: [PATCH 1/2] blkcipher: Copy iv from desc even for 0-len walks
Date: Sun, 6 Dec 2015 02:51:37 +0100
Message-Id: <1449366698-2422-1-git-send-email-Jason@zx2c4.com>
X-Mailer: git-send-email 2.6.3
X-Mailing-List: linux-crypto@vger.kernel.org

Some ciphers actually support encrypting zero length plaintexts. For
example, many AEAD modes support this. The resulting ciphertext for
those winds up being only the authentication tag, which is a result of
the key, the iv, the additional data, and the fact that the plaintext
had zero length. The blkcipher constructors won't copy the IV to the
right place, however, when using a zero length input, resulting in some
significant problems when ciphers call their initialization routines,
only to find that the ->iv parameter is uninitialized. One such example
of this would be using chacha20poly1305 with a zero length input, which
then calls chacha20, which calls the key setup routine, which eventually
OOPSes due to the uninitialized ->iv member.

Signed-off-by: Jason A. Donenfeld
Cc:
---
 crypto/ablkcipher.c | 2 +-
 crypto/blkcipher.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
index b4ffc5b..e5b5721 100644
--- a/crypto/ablkcipher.c
+++ b/crypto/ablkcipher.c
@@ -277,12 +277,12 @@ static int ablkcipher_walk_first(struct ablkcipher_request *req, if (WARN_ON_ONCE(in_irq())) return -EDEADLK; + walk->iv = req->info; walk->nbytes = walk->total; if (unlikely(!walk->total)) return 0; walk->iv_buffer = NULL; - walk->iv = req->info; if (unlikely(((unsigned long)walk->iv & alignmask))) { int err = ablkcipher_copy_iv(walk, tfm, alignmask); diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c index 11b9814..8cc1622 100644 --- a/crypto/blkcipher.c +++ b/crypto/blkcipher.c @@ -326,12 +326,12 @@ static int blkcipher_walk_first(struct blkcipher_desc *desc, if (WARN_ON_ONCE(in_irq())) return -EDEADLK; + walk->iv = desc->info; walk->nbytes = walk->total; if (unlikely(!walk->total)) return 0; walk->buffer = NULL; - walk->iv = desc->info; if (unlikely(((unsigned long)walk->iv & walk->alignmask))) { int err = blkcipher_copy_iv(walk); if (err)
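Review bot: In the crypto/ablkcipher.c hunk, the early `return 0` for a zero-length walk now runs with `walk->iv` set but `walk->iv_buffer` still uninitialized, because `walk->iv_buffer = NULL;` stays below the `if (unlikely(!walk->total)) return 0;` check. Any later code that frees or inspects iv_buffer after a zero-length walk would then see a garbage pointer; consider hoisting `walk->iv_buffer = NULL;` above the early return together with the new `walk->iv = req->info;` line so that the zero-length path leaves the walk structure fully initialized rather than only partially.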
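Review bot: In the crypto/blkcipher.c hunk, moving `walk->iv = desc->info;` above the zero-length early return also means the alignment check (`(unsigned long)walk->iv & walk->alignmask`) and the `blkcipher_copy_iv(walk)` call are skipped for zero-length walks, so callers on that path get the raw, possibly unaligned desc->info pointer instead of the aligned copy they receive for non-empty input. The commit message should state whether the zero-length callers (chacha20's key and IV setup in the motivating case) tolerate an unaligned IV; if they do not, the alignment handling needs to move above the early return as well. As in ablkcipher.c, `walk->buffer = NULL;` is still below the early return, so a zero-length walk leaves `walk->buffer` uninitialized.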