author | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-11-03 21:28:30 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-11-03 21:28:30 +0100 |
commit | 1eded2e80094d3419bea64bc10e92df471e4ead7 | |
tree | 5337199d87780ccab3cac441b54a45a6013ca9d4 | |
parent | efa85755aa424491d9ee771f548448d3a1b0f4f5 | |

chacha20poly1305: src is different from dst on last piece

This took hours of debugging. In some cases, the src and dst are
different for the last piece, so the incorrect code here resulted in
computing the poly1305 over the wrong data. This led to packets being
unnecessarily dropped.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

-rw-r--r-- | src/crypto/chacha20poly1305.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/crypto/chacha20poly1305.c b/src/crypto/chacha20poly1305.c index c291ba9..944710c 100644 --- a/src/crypto/chacha20poly1305.c +++ b/src/crypto/chacha20poly1305.c @@ -741,7 +741,7 @@ bool chacha20poly1305_decrypt_sg(struct scatterlist *dst, struct scatterlist *sr blkcipher_walk_done(&chacha20_desc, &walk, walk.nbytes % CHACHA20_BLOCK_SIZE); } if (walk.nbytes) { - poly1305_update(&poly1305_state, walk.dst.virt.addr, walk.nbytes, have_simd); + poly1305_update(&poly1305_state, walk.src.virt.addr, walk.nbytes, have_simd); chacha20_crypt(&chacha20_state, walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes, have_simd); blkcipher_walk_done(&chacha20_desc, &walk, 0); } |
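
Review bot: In the `if (walk.nbytes)` tail branch, the corrected `poly1305_update(&poly1305_state, walk.src.virt.addr, walk.nbytes, have_simd);` is only right because it runs before `chacha20_crypt(...)`: when src and dst are the same buffer, decryption overwrites the ciphertext that the tag must cover. A short comment on that line saying the decrypt path authenticates the ciphertext in `walk.src` and must do so before the crypt call would guard against someone reordering the two calls or switching back to `walk.dst`. Since the commit message says the failure shows up only when src and dst differ on the last piece, a self-test that decrypts into a destination scatterlist distinct from the source, with a length that reaches this tail branch, would catch a regression directly instead of through dropped packets. The loop body above the `blkcipher_walk_done(..., walk.nbytes % CHACHA20_BLOCK_SIZE)` context line is not visible in this hunk; it is worth confirming that its `poly1305_update` call also reads from `walk.src.virt.addr`.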