summaryrefslogtreecommitdiffstats
path: root/crypto/drbg.c
diff options
context:
space:
mode:
authorStephan Mueller <smueller@chronox.de>2014-07-01 17:08:48 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2014-07-04 05:04:53 +0200
commit8fecaad77fb9e076daa462ac1596330a604e23ad (patch)
treef41fec9eb667b9b07941603749c79f56a8bc6833 /crypto/drbg.c
parentcrypto: ux500 - make interrupt mode plausible (diff)
downloadlinux-8fecaad77fb9e076daa462ac1596330a604e23ad.tar.xz
linux-8fecaad77fb9e076daa462ac1596330a604e23ad.zip
crypto: drbg - fix memory corruption for AES192
For the CTR DRBG, the drbg_state->scratchpad temp buffer (i.e. the memory location immediately before the drbg_state->tfm variable is the buffer that the BCC function operates on. BCC operates blockwise. Making the temp buffer drbg_statelen(drbg) in size is sufficient when the DRBG state length is a multiple of the block size. For AES192 this is not the case and the length for temp is insufficient (yes, that also means for such ciphers, the final output of all BCC rounds are truncated before used to update the state of the DRBG!!). The patch enlarges the temp buffer from drbg_statelen to drbg_statelen + drbg_blocklen to have sufficient space. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to '')
-rw-r--r--crypto/drbg.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 99fa8f89fb3e..3f0b7e0f8bac 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -446,8 +446,16 @@ static int drbg_ctr_bcc(struct drbg_state *drbg,
* length: drbg_blocklen(drbg)
* temp
* start: iv + drbg_blocklen(drbg)
- * length: (drbg_keylen(drbg) + drbg_blocklen(drbg) ==
- * drbg_statelen(drbg))
+ * length: drbg_satelen(drbg) + drbg_blocklen(drbg)
+ * note: temp is the buffer that the BCC function operates
+ * on. BCC operates blockwise. drbg_statelen(drbg)
+ * is sufficient when the DRBG state length is a multiple
+ * of the block size. For AES192 (and maybe other ciphers)
+ * this is not correct and the length for temp is
+ * insufficient (yes, that also means for such ciphers,
+ * the final output of all BCC rounds are truncated).
+ * Therefore, add drbg_blocklen(drbg) to cover all
+ * possibilities.
*/
/* Derivation Function for CTR DRBG as defined in 10.4.2 */
@@ -1205,7 +1213,7 @@ static inline int drbg_alloc_state(struct drbg_state *drbg)
drbg_statelen(drbg) + /* df_data */
drbg_blocklen(drbg) + /* pad */
drbg_blocklen(drbg) + /* iv */
- drbg_statelen(drbg); /* temp */
+ drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
else
sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);