wolfcrypt/test/test.c: add test coverage for WOLFSSL_AESXTS_STREAM.

linuxkm/lkcapi_glue.c: typographic cleanups, and failsafe error return constructs when skcipher_walk_virt() returns zero walk.nbytes.

wolfcrypt/src/aes.c: additional comments and inline documentation.

.github/workflows/openvpn.yml: disable test on master branch.

Author: douzzer

.github/workflows/openvpn.yml

@@ -39,7 +39,8 @@ jobs:
       fail-fast: false
       matrix:
         # List of refs to test
-        ref: [ release/2.6, v2.6.0, master ]
+	# disabled master on 20240514 -- see https://github.com/wolfSSL/wolfssl/issues/7508
+        ref: [ release/2.6, v2.6.0 ]
     name: ${{ matrix.ref }}
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.

linuxkm/lkcapi_glue.c

@@ -925,7 +925,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req)
 
             err = skcipher_walk_virt(&walk, req, false);
             if (!walk.nbytes)
-                return err;
+                return err ? : -EINVAL;
         } else {
             tail = 0;
         }
@@ -939,6 +939,9 @@ static int km_AesXtsEncrypt(struct skcipher_request *req)
         }
 
         while ((nbytes = walk.nbytes) != 0) {
+            /* if this isn't the final call, pass block-aligned data to prevent
+             * end-of-message ciphertext stealing.
+             */
             if (nbytes < walk.total)
                 nbytes &= ~(AES_BLOCK_SIZE - 1);
 
@@ -961,7 +964,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req)
             }
         }
 
-        if (unlikely(tail > 0 && !err)) {
+        if (unlikely(tail > 0)) {
             struct scatterlist sg_src[2], sg_dst[2];
             struct scatterlist *src, *dst;
 
@@ -1048,7 +1051,7 @@ static int km_AesXtsDecrypt(struct skcipher_request *req)
 
             err = skcipher_walk_virt(&walk, req, false);
             if (!walk.nbytes)
-                return err;
+                return err ? : -EINVAL;
         } else {
             tail = 0;
         }
@@ -1062,6 +1065,9 @@ static int km_AesXtsDecrypt(struct skcipher_request *req)
         }
 
         while ((nbytes = walk.nbytes) != 0) {
+            /* if this isn't the final call, pass block-aligned data to prevent
+             * end-of-message ciphertext stealing.
+             */
             if (nbytes < walk.total)
                 nbytes &= ~(AES_BLOCK_SIZE - 1);
 
@@ -1084,32 +1090,32 @@ static int km_AesXtsDecrypt(struct skcipher_request *req)
             }
         }
 
-        if (unlikely(tail > 0 && !err)) {
-                struct scatterlist sg_src[2], sg_dst[2];
-                struct scatterlist *src, *dst;
+        if (unlikely(tail > 0)) {
+            struct scatterlist sg_src[2], sg_dst[2];
+            struct scatterlist *src, *dst;
 
-                dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
-                if (req->dst != req->src)
-                        dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
+            dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
+            if (req->dst != req->src)
+                dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
 
-                skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
-                                           req->iv);
+            skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
+                                       req->iv);
 
-                err = skcipher_walk_virt(&walk, &subreq, false);
-                if (err)
-                        return err;
+            err = skcipher_walk_virt(&walk, &subreq, false);
+            if (err)
+                return err;
 
-                err = wc_AesXtsDecryptUpdate(ctx->aesXts, walk.dst.virt.addr,
-                                             walk.src.virt.addr, walk.nbytes,
-                                             walk.iv);
+            err = wc_AesXtsDecryptUpdate(ctx->aesXts, walk.dst.virt.addr,
+                                         walk.src.virt.addr, walk.nbytes,
+                                         walk.iv);
 
-                if (unlikely(err)) {
-                    pr_err("%s: wc_AesXtsDecryptUpdate failed: %d\n",
-                           crypto_tfm_alg_driver_name(crypto_skcipher_tfm(tfm)), err);
-                    return -EINVAL;
-                }
+            if (unlikely(err)) {
+                pr_err("%s: wc_AesXtsDecryptUpdate failed: %d\n",
+                       crypto_tfm_alg_driver_name(crypto_skcipher_tfm(tfm)), err);
+                return -EINVAL;
+            }
 
-                err = skcipher_walk_done(&walk, 0);
+            err = skcipher_walk_done(&walk, 0);
         }
 
     }

wolfcrypt/src/aes.c

@@ -12840,6 +12840,15 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
 
 #ifdef WOLFSSL_AESXTS_STREAM
 
+/* Block-streaming AES-XTS.
+ *
+ * xaes  AES keys to use for block encrypt/decrypt
+ * i     readwrite value to use for tweak
+ * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
+ *       adds a sanity check on how the user calls the function.
+ *
+ * returns 0 on success
+ */
 int wc_AesXtsEncryptInit(XtsAes* xaes, byte* i, word32 iSz)
 {
     int ret;
@@ -12894,12 +12903,15 @@ int wc_AesXtsEncryptInit(XtsAes* xaes, byte* i, word32 iSz)
     return ret;
 }
 
-/* AES with XTS mode. (XTS) XEX encryption with Tweak and cipher text Stealing.
+/* Block-streaming AES-XTS
+ *
+ * Note that sz must be greater than AES_BLOCK_SIZE in each call, and must be a
+ * multiple of AES_BLOCK_SIZE in all but the final call.
  *
  * xaes  AES keys to use for block encrypt/decrypt
  * out   output buffer to hold cipher text
  * in    input plain text buffer to encrypt
- * sz    size of both out and in buffers
+ * sz    size of both out and in buffers -- must be >= AES_BLOCK_SIZE.
  * i     value to use for tweak
  * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
  *       adds a sanity check on how the user calls the function.
@@ -13211,7 +13223,6 @@ int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
  * i     readwrite value to use for tweak
  * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
  *       adds a sanity check on how the user calls the function.
- * tweak_block   buffer of size AES_BLOCK_SIZE to use for tweak state
  *
  * returns 0 on success
  */
@@ -13269,7 +13280,10 @@ int wc_AesXtsDecryptInit(XtsAes* xaes, byte* i, word32 iSz)
     return ret;
 }
 
-/* Same process as encryption but Aes key is AES_DECRYPTION type.
+/* Block-streaming AES-XTS
+ *
+ * Note that sz must be greater than AES_BLOCK_SIZE in each call, and must be a
+ * multiple of AES_BLOCK_SIZE in all but the final call.
  *
  * xaes  AES keys to use for block encrypt/decrypt
  * out   output buffer to hold plain text