Searched hist:fcabe15c7783f14d6997a89154a8754790c648ea (Results 1 – 2 of 2) sorted by relevance
| /optee_os/core/arch/arm/crypto/ |
| H A D | ghash-ce-core_a64.S | fcabe15c7783f14d6997a89154a8754790c648ea Wed Jan 31 09:51:46 UTC 2024 Jens Wiklander <jens.wiklander@linaro.org> core: crypto: fix internal AES-GCM counter implementation
We have several AES-GCM implementations in crypto libraries and internal. The internal implementation comes in two flavours, with Arm crypto extensions (CFG_CRYPTO_WITH_CE=y) and a pure software implementation.
Each block to be encrypted is XORed with an encrypted counter block of equal size (16 bytes). For each block the counter is increased.
Prior to this patch the entire counter block was increased as a 128-bit integer, but that's not how AES-GCM is defined. In AES-GCM only the least significant 32 bits of the counter block are increased, leaving the rest untouched. The difference is only noticeable when the 32 bits have reached 0xffffffff and wrap to 0x00000000 on the next increment. With a 128-bit integer this would propagate into other parts of the block.
Fix this by only incrementing the last 32-bit word in the counter block, both in the pure software implementation and when using Arm crypto extensions.
Link: https://github.com/OP-TEE/optee_os/issues/6659
Fixes: 1fca7e269b13 ("core: crypto: add new AES-GCM implementation")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| /optee_os/core/crypto/ |
| H A D | aes-gcm.c | fcabe15c7783f14d6997a89154a8754790c648ea Wed Jan 31 09:51:46 UTC 2024 Jens Wiklander <jens.wiklander@linaro.org> core: crypto: fix internal AES-GCM counter implementation
|
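The two increment rules contrasted in the commit message, as an added example in plain C (not OP-TEE's code): `ctr_inc32` is the SP 800-38D behaviour the fix adopts, `ctr_inc128` is the pre-fix 128-bit increment, and the sample 12-byte prefix is a constructed stand-in for the nonce-derived part of the counter block. `ctr_rules_agree` shows that the two only diverge once the low word wraps at 0xffffffff.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample counter block: a fixed 12-byte prefix standing in for
 * the nonce-derived part of J0, then the 32-bit big-endian counter word. */
static void ctr_make(uint8_t blk[16], uint32_t low)
{
	for (int i = 0; i < 12; i++)
		blk[i] = (uint8_t)(0xa0 + i);
	blk[12] = low >> 24; blk[13] = low >> 16; blk[14] = low >> 8; blk[15] = low;
}

/* Correct GCM rule (SP 800-38D inc32): a byte-wise carry that stops at
 * byte 12, so 0xffffffff wraps to 0 and bytes 0..11 are never touched. */
void ctr_inc32(uint8_t blk[16])
{
	for (int i = 15; i >= 12 && ++blk[i] == 0; i--)
		;
}

/* Pre-fix rule from the commit message: the same carry, but run over the
 * whole block as one 128-bit integer, so a wrap spills into byte 11. */
void ctr_inc128(uint8_t blk[16])
{
	for (int i = 15; i >= 0 && ++blk[i] == 0; i--)
		;
}

/* True if both rules yield identical blocks after n increments from a
 * block whose counter word starts at start_low. */
bool ctr_rules_agree(uint32_t start_low, unsigned n)
{
	uint8_t a[16], b[16];
	ctr_make(a, start_low);
	ctr_make(b, start_low);
	for (unsigned i = 0; i < n; i++) { ctr_inc32(a); ctr_inc128(b); }
	return memcmp(a, b, 16) == 0;
}

/* True if one inc32 step keeps the prefix and adds exactly one mod 2^32. */
bool ctr_inc32_keeps_prefix(uint32_t start_low)
{
	uint8_t blk[16], want[16];
	ctr_make(blk, start_low);
	ctr_make(want, start_low + 1); /* uint32_t wrap yields the expected 0 */
	ctr_inc32(blk);
	return memcmp(blk, want, 16) == 0;
}
```

Starting the counter word at 0xfffffffe, one increment agrees under both rules and the second does not, which is exactly the boundary the commit message describes.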