7977328f42
commit 678cce4019d746da6c680c48ba9e6d417803e127 upstream. The x86_64 implementation of Poly1305 produces the wrong result on some inputs because poly1305_4block_avx2() incorrectly assumes that when partially reducing the accumulator, the bits carried from limb 'd4' to limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic which processes only one block at a time. However, it's not true for the AVX2 implementation, which processes 4 blocks at a time and therefore can produce intermediate limbs about 4x larger. Fix it by making the relevant calculations use 64-bit arithmetic rather than 32-bit. Note that most of the carries already used 64-bit arithmetic, but the d4 -> h0 carry was different for some reason. To be safe I also made the same change to the corresponding SSE2 code, though that only operates on 1 or 2 blocks at a time. I don't think it's really needed for poly1305_block_sse2(), but it doesn't hurt because it's already x86_64 code. It *might* be needed for poly1305_2block_sse2(), but overflows aren't easy to reproduce there. This bug was originally detected by my patches that improve testmgr to fuzz algorithms against their generic implementation. But also add a test vector which reproduces it directly (in the AVX2 case). Fixes: |
||
|---|---|---|
| .. | ||
| asymmetric_keys | ||
| async_tx | ||
| .gitignore | ||
| 842.c | ||
| ablk_helper.c | ||
| ablkcipher.c | ||
| aead.c | ||
| aes_generic.c | ||
| af_alg.c | ||
| ahash.c | ||
| akcipher.c | ||
| algapi.c | ||
| algboss.c | ||
| algif_aead.c | ||
| algif_hash.c | ||
| algif_rng.c | ||
| algif_skcipher.c | ||
| ansi_cprng.c | ||
| anubis.c | ||
| api.c | ||
| arc4.c | ||
| authenc.c | ||
| authencesn.c | ||
| blkcipher.c | ||
| blowfish_common.c | ||
| blowfish_generic.c | ||
| camellia_generic.c | ||
| cast5_generic.c | ||
| cast6_generic.c | ||
| cast_common.c | ||
| cbc.c | ||
| ccm.c | ||
| chacha20_generic.c | ||
| chacha20poly1305.c | ||
| chainiv.c | ||
| cipher.c | ||
| cmac.c | ||
| compress.c | ||
| crc32.c | ||
| crc32c_generic.c | ||
| crct10dif_common.c | ||
| crct10dif_generic.c | ||
| cryptd.c | ||
| crypto_null.c | ||
| crypto_user.c | ||
| crypto_wq.c | ||
| ctr.c | ||
| cts.c | ||
| deflate.c | ||
| des_generic.c | ||
| drbg.c | ||
| ecb.c | ||
| echainiv.c | ||
| eseqiv.c | ||
| fcrypt.c | ||
| fips.c | ||
| gcm.c | ||
| gf128mul.c | ||
| ghash-generic.c | ||
| hash_info.c | ||
| hmac.c | ||
| internal.h | ||
| jitterentropy-kcapi.c | ||
| jitterentropy.c | ||
| Kconfig | ||
| keywrap.c | ||
| khazad.c | ||
| lrw.c | ||
| lz4.c | ||
| lz4hc.c | ||
| lzo.c | ||
| Makefile | ||
| mcryptd.c | ||
| md4.c | ||
| md5.c | ||
| memneq.c | ||
| michael_mic.c | ||
| pcbc.c | ||
| pcompress.c | ||
| pcrypt.c | ||
| poly1305_generic.c | ||
| proc.c | ||
| ripemd.h | ||
| rmd128.c | ||
| rmd160.c | ||
| rmd256.c | ||
| rmd320.c | ||
| rng.c | ||
| rsa.c | ||
| rsa_helper.c | ||
| rsaprivkey.asn1 | ||
| rsapubkey.asn1 | ||
| salsa20_generic.c | ||
| scatterwalk.c | ||
| seed.c | ||
| seqiv.c | ||
| serpent_generic.c | ||
| sha1_generic.c | ||
| sha256_generic.c | ||
| sha512_generic.c | ||
| shash.c | ||
| skcipher.c | ||
| tcrypt.c | ||
| tcrypt.h | ||
| tea.c | ||
| testmgr.c | ||
| testmgr.h | ||
| tgr192.c | ||
| twofish_common.c | ||
| twofish_generic.c | ||
| vmac.c | ||
| wp512.c | ||
| xcbc.c | ||
| xor.c | ||
| xts.c | ||
| zlib.c | ||