diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2016-11-03 21:28:30 +0100 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-11-03 21:28:30 +0100 |
| commit | 981bc4e212777b49fa446e6632a148ce8bfdcd3e (patch) | |
| tree | 2ca8e90c88c7bd57a8aeb7099d9153e281f8eeb7 /src/crypto/chacha20poly1305.c | |
| parent | device: use ARPHDR_VOID instead of ARPHDR_NONE (diff) | |
| download | wireguard-monolithic-historical-981bc4e212777b49fa446e6632a148ce8bfdcd3e.tar.xz wireguard-monolithic-historical-981bc4e212777b49fa446e6632a148ce8bfdcd3e.zip | |
chacha20poly1305: src is different from dst on last pieceexperimental-0.0.20161103
This took hours of debugging. In some cases, the src and dst are
different for the last piece, so the incorrect code here resulted in
computing the poly1305 over the wrong data. This lead to packets being
unnecessarily dropped.
Diffstat (limited to 'src/crypto/chacha20poly1305.c')
| -rw-r--r-- | src/crypto/chacha20poly1305.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/crypto/chacha20poly1305.c b/src/crypto/chacha20poly1305.c index c291ba9..944710c 100644 --- a/src/crypto/chacha20poly1305.c +++ b/src/crypto/chacha20poly1305.c @@ -741,7 +741,7 @@ bool chacha20poly1305_decrypt_sg(struct scatterlist *dst, struct scatterlist *sr blkcipher_walk_done(&chacha20_desc, &walk, walk.nbytes % CHACHA20_BLOCK_SIZE); } if (walk.nbytes) { - poly1305_update(&poly1305_state, walk.dst.virt.addr, walk.nbytes, have_simd); + poly1305_update(&poly1305_state, walk.src.virt.addr, walk.nbytes, have_simd); chacha20_crypt(&chacha20_state, walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes, have_simd); blkcipher_walk_done(&chacha20_desc, &walk, 0); } |