Hey Eric,
On Wed, Mar 18, 2020 at 6:24 PM Eric Biggers <ebiggers@kernel.org> wrote:
> Thanks for fixing this! We definitely should get this fix to Linus for 5.6. But I don't think your description of this bug dating back to 2018 is accurate, because this bug only affects the new library interface to ChaCha20 which was added in v5.5. In the "regular" crypto API case, the "walksize" is set to '5 * CHACHA_BLOCK_SIZE', and chacha_doneon() is guaranteed to be called with a multiple of '5 * CHACHA_BLOCK_SIZE' except at the end. Thus the code worked fine with the regular crypto API.
Ahhh, that seems correct.
state[12] += round_up(l, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE;
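Review bot: the `state[12] += ...` line carries no comment on what the step represents. `round_up(l, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE` counts a partial final block as one whole block, so a one-line comment saying that the counter word is advanced by the number of blocks consumed for `l` bytes, partial block included, would make the intent clear to the next reader of this loop.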
> Use DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE)?
Duh, oops, thanks. Will send a v2 in a few minutes.
By the way, I took a brief look at the other implementations accessible from lib/crypto and I didn't see the same issue over there. But I wouldn't mind an extra pair of eyes, if you want to give it a quick look too.
Jason
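
A model of the counter accounting discussed in this thread, added here as an illustration; it is not code from the thread or from the kernel. The function names, the "before" behaviour of adding a full step of 5 on every pass, and the 8192/1280/4096-byte sizes are assumptions constructed for the example; no keystream is generated, only the block counter is tracked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHACHA_BLOCK_SIZE 64
#define WALK (5 * CHACHA_BLOCK_SIZE)            /* walksize quoted in the thread */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* One call over 'bytes' bytes, walked in steps of at most WALK bytes.
 * exact == 0: assumed "before" form, a full step of 5 blocks on every pass.
 * exact != 0: the form under review, the blocks actually consumed by the pass. */
static uint32_t advance(uint32_t ctr, size_t bytes, int exact)
{
	while (bytes > 0) {
		size_t l = bytes < WALK ? bytes : WALK;
		ctr += exact ? (uint32_t)DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE) : 5;
		bytes -= l;
	}
	return ctr;
}

/* Split 'total' bytes into calls of at most 'chunk' bytes (chunk must be a
 * multiple of the block size) and count the calls that start with a counter
 * different from their byte offset divided by the block size. */
static int misaligned_calls(size_t total, size_t chunk, int exact)
{
	uint32_t ctr = 0;
	size_t done = 0;
	int bad = 0;

	while (done < total) {
		size_t n = total - done < chunk ? total - done : chunk;
		if (ctr != done / CHACHA_BLOCK_SIZE)
			bad++;          /* this call would use the wrong keystream blocks */
		ctr = advance(ctr, n, exact);
		done += n;
	}
	return bad;
}

int main(void)
{
	/* Constructed input: 8192 bytes fed as 1280-byte or 4096-byte calls. */
	printf("fixed step, 1280-byte calls: %d\n", misaligned_calls(8192, 1280, 0));
	printf("fixed step, 4096-byte calls: %d\n", misaligned_calls(8192, 4096, 0));
	printf("exact step, 4096-byte calls: %d\n", misaligned_calls(8192, 4096, 1));
	return 0;
}
```

Calls that are a multiple of the walk size never expose the fixed step, which matches the observation above about the regular crypto API; a caller that splits at any other block multiple does.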