16 Jul, 2020

1 commit

  • The flag CRYPTO_ALG_ASYNC is "inherited" in the sense that when a
    template is instantiated, the template will have CRYPTO_ALG_ASYNC set if
    any of the algorithms it uses has CRYPTO_ALG_ASYNC set.

    We'd like to add a second flag (CRYPTO_ALG_ALLOCATES_MEMORY) that gets
    "inherited" in the same way. This is difficult because the handling of
    CRYPTO_ALG_ASYNC is hardcoded everywhere. Address this by:

    - Add CRYPTO_ALG_INHERITED_FLAGS, which contains the set of flags that
    have these inheritance semantics.

    - Add crypto_algt_inherited_mask(), for use by template ->create()
    methods. It returns any of these flags that the user asked to be
    unset and thus must be passed in the 'mask' to crypto_grab_*().

    - Also modify crypto_check_attr_type() to handle computing the 'mask'
    so that most templates can just use this.

    - Make crypto_grab_*() propagate these flags to the template instance
    being created so that templates don't have to do this themselves.

    Make crypto/simd.c propagate these flags too, since it "wraps" another
    algorithm, similar to a template.

    Based on a patch by Mikulas Patocka
    (https://lore.kernel.org/r/alpine.LRH.2.02.2006301414580.30526@file01.intranet.prod.int.rdu2.redhat.com).

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

09 Jan, 2020

4 commits

  • Make the authenc template use the new function crypto_grab_ahash() to
    initialize its ahash spawn.

    This is needed to make all spawns be initialized in a consistent way.

    Also simplify the error handling by taking advantage of crypto_drop_*()
    now accepting (as a no-op) spawns that haven't been initialized yet, and
    by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Initializing a crypto_skcipher_spawn currently requires:

    1. Set spawn->base.inst to point to the instance.
    2. Call crypto_grab_skcipher().

    But there's no reason for these steps to be separate, and in fact this
    unneeded complication has caused at least one bug, the one fixed by
    commit 6db43410179b ("crypto: adiantum - initialize crypto_spawn::inst")

    So just make crypto_grab_skcipher() take the instance as an argument.

    To keep the function calls from getting too unwieldy due to this extra
    argument, also introduce a 'mask' variable into the affected places
    which weren't already using one.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • The CRYPTO_TFM_RES_* flags were apparently meant as a way to make the
    ->setkey() functions provide more information about errors. But these
    flags weren't actually being used or tested, and in many cases they
    weren't being set correctly anyway. So they've now been removed.

    Also, if someone ever actually needs to start better distinguishing
    ->setkey() errors (which is somewhat unlikely, as this has been unneeded
    for a long time), we'd be much better off just defining different return
    values, like -EINVAL if the key is invalid for the algorithm vs.
    -EKEYREJECTED if the key was rejected by a policy like "no weak keys".
    That would be much simpler, less error-prone, and easier to test.

    So just remove CRYPTO_TFM_RES_MASK and all the unneeded logic that
    propagates these flags around.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
    make the ->setkey() functions provide more information about errors.

    However, no one actually checks for this flag, which makes it pointless.

    Also, many algorithms fail to set this flag when given a bad length key.
    Reviewing just the generic implementations, this is the case for
    aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
    rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
    many more in arch/*/crypto/ and drivers/crypto/.

    Some algorithms can even set this flag when the key is the correct
    length. For example, authenc and authencesn set it when the key payload
    is malformed in any way (not just a bad length), the atmel-sha and ccree
    drivers can set it if a memory allocation fails, and the chelsio driver
    sets it for bad auth tag lengths, not just bad key lengths.

    So even if someone actually wanted to start checking this flag (which
    seems unlikely, since it's been unused for a long time), there would be
    a lot of work needed to get it working correctly. But it would probably
    be much better to go back to the drawing board and just define different
    return values, like -EINVAL if the key is invalid for the algorithm vs.
    -EKEYREJECTED if the key was rejected by a policy like "no weak keys".
    That would be much simpler, less error-prone, and easier to test.

    So just remove this flag.

    Signed-off-by: Eric Biggers
    Reviewed-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Eric Biggers
     

31 May, 2019

1 commit

  • Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 3029 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

18 Apr, 2019

1 commit

  • Use subsys_initcall for registration of all templates and generic
    algorithm implementations, rather than module_init. Then change
    cryptomgr to use arch_initcall, to place it before the subsys_initcalls.

    This is needed so that when both a generic and optimized implementation
    of an algorithm are built into the kernel (not loadable modules), the
    generic implementation is registered before the optimized one.
    Otherwise, the self-tests for the optimized implementation are unable to
    allocate the generic implementation for the new comparison fuzz tests.

    Note that on arm, a side effect of this change is that self-tests for
    generic implementations may run before the unaligned access handler has
    been installed. So, unaligned accesses will crash the kernel. This is
    arguably a good thing as it makes it easier to detect that type of bug.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

10 Jan, 2019

1 commit

  • Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
    'enckeylen', followed by an authentication key and an encryption key.
    crypto_authenc_extractkeys() parses the key to find the inner keys.

    However, it fails to consider the case where the rtattr's payload is
    longer than 4 bytes but not 4-byte aligned, and where the key ends
    before the next 4-byte aligned boundary. In this case, 'keylen -=
    RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
    causes a buffer overread and crash during crypto_ahash_setkey().

    Fix it by restricting the rtattr payload to the expected size.

    Reproducer using AF_ALG:

    #include
    #include
    #include

    int main()
    {
    int fd;
    struct sockaddr_alg addr = {
    .salg_type = "aead",
    .salg_name = "authenc(hmac(sha256),cbc(aes))",
    };
    struct {
    struct rtattr attr;
    __be32 enckeylen;
    char keys[1];
    } __attribute__((packed)) key = {
    .attr.rta_len = sizeof(key),
    .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
    };

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    bind(fd, (void *)&addr, sizeof(addr));
    setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
    }

    It caused:

    BUG: unable to handle kernel paging request at ffff88007ffdc000
    PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
    Oops: 0000 [#1] SMP
    CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
    RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
    [...]
    Call Trace:
    sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
    crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
    shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
    crypto_shash_digest+0x24/0x40 crypto/shash.c:202
    hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
    crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
    shash_async_setkey+0x10/0x20 crypto/shash.c:223
    crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
    crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
    crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
    aead_setkey+0xc/0x10 crypto/algif_aead.c:526
    alg_setkey crypto/af_alg.c:223 [inline]
    alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
    __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
    __do_sys_setsockopt net/socket.c:1913 [inline]
    __se_sys_setsockopt net/socket.c:1910 [inline]
    __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
    do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
    entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
    Cc: # v2.6.25+
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

28 Sep, 2018

1 commit

  • In the quest to remove all stack VLA usage from the kernel[1], this
    replaces struct crypto_skcipher and SKCIPHER_REQUEST_ON_STACK() usage
    with struct crypto_sync_skcipher and SYNC_SKCIPHER_REQUEST_ON_STACK(),
    which uses a fixed stack size.

    [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

    Signed-off-by: Kees Cook
    Signed-off-by: Herbert Xu

    Kees Cook
     

21 Apr, 2018

1 commit


22 Dec, 2017

1 commit


01 Nov, 2016

2 commits


18 Jul, 2016

1 commit

  • This patch converts authenc to use the new skcipher interface as
    opposed to ablkcipher.

    It also fixes a little bug where if a sync version of authenc
    is requested we may still end up using an async ahash. This should
    have no effect as none of the authenc users can request for a
    sync authenc.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

01 Jul, 2016

1 commit

  • As it is, if you get an async ahash with a sync skcipher you'll
    end up with a sync authenc, which is wrong.

    This patch fixes it by considering the ASYNC bit from ahash as
    well.

    It also fixes a little bug where if a sync version of authenc
    is requested we may still end up using an async ahash.

    Neither of them should have any effect as none of the authenc
    users can request for a sync authenc.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

29 Jun, 2016

1 commit


17 Aug, 2015

1 commit


04 Aug, 2015

1 commit


13 May, 2015

2 commits


26 Nov, 2014

1 commit

  • This adds the module loading prefix "crypto-" to the template lookup
    as well.

    For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
    includes the "crypto-" prefix at every level, correctly rejecting "vfat":

    net-pf-38
    algif-hash
    crypto-vfat(blowfish)
    crypto-vfat(blowfish)-all
    crypto-vfat

    Reported-by: Mathias Krause
    Signed-off-by: Kees Cook
    Acked-by: Mathias Krause
    Signed-off-by: Herbert Xu

    Kees Cook
     

28 Nov, 2013

1 commit

  • When performing an asynchronous ablkcipher operation the authenc
    completion callback routine is invoked, but it does not locate and use
    the proper IV.

    The callback routine, crypto_authenc_encrypt_done, is updated to use
    the same method of calculating the address of the IV as is done in
    crypto_authenc_encrypt function which sets up the callback.

    Cc: stable@vger.kernel.org
    Signed-off-by: Tom Lendacky
    Signed-off-by: Herbert Xu

    Tom Lendacky
     

16 Oct, 2013

1 commit


07 Oct, 2013

1 commit

  • When comparing MAC hashes, AEAD authentication tags, or other hash
    values in the context of authentication or integrity checking, it
    is important not to leak timing information to a potential attacker,
    i.e. when communication happens over a network.

    Bytewise memory comparisons (such as memcmp) are usually optimized so
    that they return a nonzero value as soon as a mismatch is found. E.g,
    on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
    and up to ~850 cyc for a full match (cold). This early-return behavior
    can leak timing information as a side channel, allowing an attacker to
    iteratively guess the correct result.

    This patch adds a new method crypto_memneq ("memory not equal to each
    other") to the crypto API that compares memory areas of the same length
    in roughly "constant time" (cache misses could change the timing, but
    since they don't reveal information about the content of the strings
    being compared, they are effectively benign). Iow, best and worst case
    behaviour take the same amount of time to complete (in contrast to
    memcmp).

    Note that crypto_memneq (unlike memcmp) can only be used to test for
    equality or inequality, NOT for lexicographical order. This, however,
    is not an issue for its use-cases within the crypto API.

    We tried to locate all of the places in the crypto API where memcmp was
    being used for authentication or integrity checking, and convert them
    over to crypto_memneq.

    crypto_memneq is declared noinline, placed in its own source file,
    and compiled with optimizations that might increase code size disabled
    ("Os") because a smart compiler (or LTO) might notice that the return
    value is always compared against zero/nonzero, and might then
    reintroduce the same early-return optimization that we are trying to
    avoid.

    Using #pragma or __attribute__ optimization annotations of the code
    for disabling optimization was avoided as it seems to be considered
    broken or unmaintained for long time in GCC [1]. Therefore, we work
    around that by specifying the compile flag for memneq.o directly in
    the Makefile. We found that this seems to be most appropriate.

    As we use ("Os"), this patch also provides a loop-free "fast-path" for
    frequently used 16 byte digests. Similarly to kernel library string
    functions, leave an option for future even further optimized architecture
    specific assembler implementations.

    This was a joint work of James Yonan and Daniel Borkmann. Also thanks
    for feedback from Florian Weimer on this and earlier proposals [2].

    [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
    [2] https://lkml.org/lkml/2013/2/10/131

    Signed-off-by: James Yonan
    Signed-off-by: Daniel Borkmann
    Cc: Florian Weimer
    Signed-off-by: Herbert Xu

    James Yonan
     

04 Feb, 2013

1 commit

  • Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise.

    The semantic patch that makes this change is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    expression err,x;
    @@
    - err = PTR_ERR(x);
    if (IS_ERR(x))
    - return ERR_PTR(err);
    + return ERR_CAST(x);
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Herbert Xu

    Julia Lawall
     

11 Sep, 2012

1 commit

  • The authenc code doesn't deal with zero-length associated data
    correctly and ends up constructing a zero-length sg entry which
    causes a crash when it's fed into the crypto system.

    This patch fixes this by avoiding the code-path that triggers
    the SG construction if we have no associated data.

    This isn't the most optimal fix as it means that we'll end up
    using the fallback code-path even when we could still execute
    the digest function. However, this isn't a big deal as nobody
    but the test path would supply zero-length associated data.

    Reported-by: Romain Francoise
    Signed-off-by: Herbert Xu
    Tested-by: Romain Francoise

    Herbert Xu
     

02 Dec, 2010

1 commit


26 May, 2010

1 commit

  • Use ERR_CAST(x) rather than ERR_PTR(PTR_ERR(x)). The former makes more
    clear what is the purpose of the operation, which otherwise looks like a
    no-op.

    The semantic patch that makes this change is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    type T;
    T x;
    identifier f;
    @@

    T f (...) { }

    @@
    expression x;
    @@

    - ERR_PTR(PTR_ERR(x))
    + ERR_CAST(x)
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Herbert Xu

    Julia Lawall
     

20 May, 2010

1 commit


26 Apr, 2010

1 commit

  • When Steffen originally wrote the authenc async hash patch, he
    correctly had EINPROGRESS checks in place so that we did not invoke
    the original completion handler with it.

    Unfortuantely I told him to remove it before the patch was applied.

    As only MAY_BACKLOG request completion handlers are required to
    handle EINPROGRESS completions, those checks are really needed.

    This patch restores them.

    Reported-by: Sebastian Andrzej Siewior
    Signed-off-by: Herbert Xu

    Herbert Xu
     

03 Mar, 2010

1 commit

  • In crypto_authenc_encrypt() we save the IV behind the ablkcipher
    request. To save space on the request, we overwrite the ablkcipher
    request with a ahash request after encryption. So the IV may be
    overwritten by the ahash request. This patch fixes this by placing
    the IV in front of the ablkcipher/ahash request.

    Signed-off-by: Steffen Klassert
    Signed-off-by: Herbert Xu

    Steffen Klassert
     

02 Mar, 2010

1 commit


16 Feb, 2010

1 commit


05 Aug, 2009

1 commit


14 Jul, 2009

1 commit


15 Jan, 2009

1 commit

  • As it is if an algorithm with a zero-length IV is used (e.g.,
    NULL encryption) with authenc, authenc may generate an SG entry
    of length zero, which will trigger a BUG check in the hash layer.

    This patch fixes it by skipping the IV SG generation if the IV
    size is zero.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

25 Dec, 2008

1 commit


22 Aug, 2008

1 commit

  • Authenc works in two stages for encryption, it first encrypts and
    then computes an ICV. The context memory of the request is used
    by both operations. The problem is that when an asynchronous
    encryption completes, we will compute the ICV and then reread the
    context memory of the encryption to get the original request.

    It just happens that we have a buffer of 16 bytes in front of the
    request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
    the bug. However, any attempt to uses a larger ICV instantly kills
    the machine when the first asynchronous encryption is completed.

    This patch fixes this by saving the request pointer before we start
    the ICV computation.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

01 May, 2008

1 commit

  • crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
    while it really points to a struct aead_request, causing this crash:

    BUG: unable to handle kernel paging request at 6b6b6b6b
    IP: [] :authenc:crypto_authenc_genicv+0x23/0x109
    *pde = 00000000
    Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
    Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]

    Pid: 3074, comm: ping Not tainted (2.6.25 #4)
    EIP: 0060:[] EFLAGS: 00010296 CPU: 0
    EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
    EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
    ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
    DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
    Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
    Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
    dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
    c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
    Call Trace:
    [] ? dev_alloc_skb+0x14/0x29
    [] ? printk+0x15/0x17
    [] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
    [] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
    [] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
    [] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
    [] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
    [] ? tasklet_action+0x3f/0x66
    [] ? __do_softirq+0x38/0x7a
    [] ? do_softirq+0x3e/0x71
    [] ? irq_exit+0x2c/0x65
    [] ? smp_apic_timer_interrupt+0x5f/0x6a
    [] ? apic_timer_interrupt+0x28/0x30
    [] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
    ...

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu

    Patrick McHardy
     

11 Jan, 2008

1 commit