1. 08 Jul, 2018 27 commits
  2. 01 Jul, 2018 7 commits
    • Denis Efremov's avatar
      crypto: skcipher - remove the exporting of skcipher_walk_next · e4e47306
      Denis Efremov authored
      The function skcipher_walk_next declared as static and marked as
      EXPORT_SYMBOL_GPL. It's a bit confusing for internal function to be
      exported. The area of visibility for such function is its .c file
      and all other modules. Other *.c files of the same module can't use it,
      despite all other modules can. Relying on the fact that this is the
      internal function and it's not a crucial part of the API, the patch
      just removes the EXPORT_SYMBOL_GPL marking of skcipher_walk_next.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarDenis Efremov <efremov@linux.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e4e47306
    • Farhan Ali's avatar
      crypto: virtio - Register an algo only if it's supported · d0d859bb
      Farhan Ali authored
      Register a crypto algo with the Linux crypto layer only if
      the algorithm is supported by the backend virtio-crypto
      device.
      
      Also route crypto requests to a virtio-crypto
      device, only if it can support the requested service and
      algorithm.
      Signed-off-by: default avatarFarhan Ali <alifm@linux.ibm.com>
      Acked-by: default avatarGonglei <arei.gonglei@huawei.com>
      Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d0d859bb
    • Farhan Ali's avatar
      crypto: virtio - Read crypto services and algorithm masks · b551bac1
      Farhan Ali authored
      Read the crypto services and algorithm masks which provides
      information about the services and algorithms supported by
      virtio-crypto backend.
      Signed-off-by: default avatarFarhan Ali <alifm@linux.ibm.com>
      Acked-by: default avatarGonglei <arei.gonglei@huawei.com>
      Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      b551bac1
    • Eric Biggers's avatar
      crypto: vmac - remove insecure version with hardcoded nonce · 0917b873
      Eric Biggers authored
      Remove the original version of the VMAC template that had the nonce
      hardcoded to 0 and produced a digest with the wrong endianness.  I'm
      unsure whether this had users or not (there are no explicit in-kernel
      references to it), but given that the hardcoded nonce made it wildly
      insecure unless a unique key was used for each message, let's try
      removing it and see if anyone complains.
      
      Leave the new "vmac64" template that requires the nonce to be explicitly
      specified as the first 16 bytes of data and uses the correct endianness
      for the digest.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0917b873
    • Eric Biggers's avatar
      crypto: vmac - add nonced version with big endian digest · ed331ada
      Eric Biggers authored
      Currently the VMAC template uses a "nonce" hardcoded to 0, which makes
      it insecure unless a unique key is set for every message.  Also, the
      endianness of the final digest is wrong: the implementation uses little
      endian, but the VMAC specification has it as big endian, as do other
      VMAC implementations such as the one in Crypto++.
      
      Add a new VMAC template where the nonce is passed as the first 16 bytes
      of data (similar to what is done for Poly1305's nonce), and the digest
      is big endian.  Call it "vmac64", since the old name of simply "vmac"
      didn't clarify whether the implementation is of VMAC-64 or of VMAC-128
      (which produce 64-bit and 128-bit digests respectively); so we fix the
      naming ambiguity too.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ed331ada
    • Eric Biggers's avatar
      crypto: vmac - separate tfm and request context · bb296481
      Eric Biggers authored
      syzbot reported a crash in vmac_final() when multiple threads
      concurrently use the same "vmac(aes)" transform through AF_ALG.  The bug
      is pretty fundamental: the VMAC template doesn't separate per-request
      state from per-tfm (per-key) state like the other hash algorithms do,
      but rather stores it all in the tfm context.  That's wrong.
      
      Also, vmac_final() incorrectly zeroes most of the state including the
      derived keys and cached pseudorandom pad.  Therefore, only the first
      VMAC invocation with a given key calculates the correct digest.
      
      Fix these bugs by splitting the per-tfm state from the per-request state
      and using the proper init/update/final sequencing for requests.
      
      Reproducer for the crash:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int fd;
                  struct sockaddr_alg addr = {
                          .salg_type = "hash",
                          .salg_name = "vmac(aes)",
                  };
                  char buf[256] = { 0 };
      
                  fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(fd, (void *)&addr, sizeof(addr));
                  setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
                  fork();
                  fd = accept(fd, NULL, NULL);
                  for (;;)
                          write(fd, buf, 256);
          }
      
      The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
      VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
      
      Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
      Fixes: f1939f7c ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      bb296481
    • Eric Biggers's avatar
      crypto: vmac - require a block cipher with 128-bit block size · 73bf20ef
      Eric Biggers authored
      The VMAC template assumes the block cipher has a 128-bit block size, but
      it failed to check for that.  Thus it was possible to instantiate it
      using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
      uninitialized memory to be used.
      
      Add the needed check when instantiating the template.
      
      Fixes: f1939f7c ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      73bf20ef
  3. 22 Jun, 2018 6 commits