10 Jan, 2018

1 commit

• 9c36498f7   crypto: chacha20poly1305 - validate the digest size ... Browse Code »

  commit e57121d08c38dabec15cf3e1e2ad46721af30cae upstream.

  If the rfc7539 template was instantiated with a hash algorithm with
  digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
  overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
  subsequent memory, including 'cryptlen'. This caused a crash during
  crypto_skcipher_decrypt().

  Fix it by, when instantiating the template, requiring that the
  underlying hash algorithm has the digest size expected for Poly1305.

  Reproducer:

  #include
  #include
  #include

  int main()
  {
  int algfd, reqfd;
  struct sockaddr_alg addr = {
  .salg_type = "aead",
  .salg_name = "rfc7539(chacha20,sha256)",
  };
  unsigned char buf[32] = { 0 };

  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
  bind(algfd, (void *)&addr, sizeof(addr));
  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
  reqfd = accept(algfd, 0, 0);
  write(reqfd, buf, 16);
  read(reqfd, buf, 16);
  }

  Reported-by: syzbot
  Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
  Signed-off-by: Eric Biggers
  Signed-off-by: Herbert Xu
  Signed-off-by: Greg Kroah-Hartman

  Eric Biggers

  2018-01-10 16:31:18 +0800  

01 Nov, 2016

2 commits

• 60425a8ba   crypto: skcipher - Get rid of crypto_spawn_skcipher2() ... Browse Code »

  Since commit 3a01d0ee2b99 ("crypto: skcipher - Remove top-level
  givcipher interface"), crypto_spawn_skcipher2() and
  crypto_spawn_skcipher() are equivalent. So switch callers of
  crypto_spawn_skcipher2() to crypto_spawn_skcipher() and remove it.

  Signed-off-by: Eric Biggers
  Signed-off-by: Herbert Xu

  Eric Biggers

  2016-11-01 08:37:17 +0800  
• a35528eca   crypto: skcipher - Get rid of crypto_grab_skcipher2() ... Browse Code »

  Since commit 3a01d0ee2b99 ("crypto: skcipher - Remove top-level
  givcipher interface"), crypto_grab_skcipher2() and
  crypto_grab_skcipher() are equivalent. So switch callers of
  crypto_grab_skcipher2() to crypto_grab_skcipher() and remove it.

  Signed-off-by: Eric Biggers
  Signed-off-by: Herbert Xu

  Eric Biggers

  2016-11-01 08:37:16 +0800  

18 Jul, 2016

1 commit

• 1e1f00611   crypto: chacha20poly1305 - Use skcipher ... Browse Code »

  This patch converts chacha20poly1305 to use the new skcipher
  interface as opposed to ablkcipher.

  It also fixes a buglet where we may end up with an async poly1305
  when the user asks for a async algorithm. This shouldn't be a
  problem yet as there aren't any async implementations of poly1305
  out there.

  Signed-off-by: Herbert Xu

  Herbert Xu

  2016-07-18 17:35:41 +0800  

09 Dec, 2015

1 commit

• 161151d79   crypto: chacha20poly1305 - Skip encryption/decryption for 0-len ... Browse Code »

  If the length of the plaintext is zero, there's no need to waste cycles
  on encryption and decryption. Using the chacha20poly1305 construction
  for zero-length plaintexts is a common way of using a shared encryption
  key for AAD authentication.

  Signed-off-by: Jason A. Donenfeld
  Signed-off-by: Herbert Xu

  Jason A. Donenfeld

  2015-12-09 20:16:04 +0800  

17 Aug, 2015

1 commit

• 5e4b8c1fc   crypto: aead - Remove CRYPTO_ALG_AEAD_NEW flag ... Browse Code »

  This patch removes the CRYPTO_ALG_AEAD_NEW flag now that everyone
  has been converted.

  Signed-off-by: Herbert Xu

  Herbert Xu

  2015-08-17 16:53:53 +0800  

17 Jul, 2015

3 commits

• 2546f811e   crypto: poly1305 - Export common Poly1305 helpers ... Browse Code »

  As architecture specific drivers need a software fallback, export Poly1305
  init/update/final functions together with some helpers in a header file.

  Signed-off-by: Martin Willi
  Signed-off-by: Herbert Xu

  Martin Willi

  2015-07-17 21:20:26 +0800  
• 31d7247da   crypto: chacha20 - Export common ChaCha20 helpers ... Browse Code »

  As architecture specific drivers need a software fallback, export a
  ChaCha20 en-/decryption function together with some helpers in a header
  file.

  Signed-off-by: Martin Willi
  Signed-off-by: Herbert Xu

  Martin Willi

  2015-07-17 21:20:21 +0800  
• 747909223   crypto: chacha20poly1305 - Convert to new AEAD interface ... Browse Code »

  This patch converts rfc7539 and rfc7539esp to the new AEAD interface.
  The test vectors for rfc7539esp have also been updated to include
  the IV.

  Signed-off-by: Herbert Xu
  Tested-by: Martin Willi

  Herbert Xu

  2015-07-17 21:20:19 +0800  

17 Jun, 2015

1 commit

• c2b7b20ae   crypto: poly1305 - Pass key as first two message blocks to each desc_ctx ... Browse Code »

  The Poly1305 authenticator requires a unique key for each generated tag. This
  implies that we can't set the key per tfm, as multiple users set individual
  keys. Instead we pass a desc specific key as the first two blocks of the
  message to authenticate in update().

  Signed-off-by: Martin Willi
  Signed-off-by: Herbert Xu

  Martin Willi

  2015-06-17 15:35:11 +0800  

04 Jun, 2015

2 commits

• 4db4ad260   crypto: chacha20poly1305 - Add an IPsec variant for RFC7539 AEAD ... Browse Code »

  draft-ietf-ipsecme-chacha20-poly1305 defines the use of ChaCha20/Poly1305 in
  ESP. It uses additional four byte key material as a salt, which is then used
  with an 8 byte IV to form the ChaCha20 nonce as defined in the RFC7539.

  Signed-off-by: Martin Willi
  Acked-by: Steffen Klassert
  Signed-off-by: Herbert Xu

  Martin Willi

  2015-06-04 15:04:53 +0800  
• 71ebc4d1b   crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539 ... Browse Code »

  This AEAD uses a chacha20 ablkcipher and a poly1305 ahash to construct the
  ChaCha20-Poly1305 AEAD as defined in RFC7539. It supports both synchronous and
  asynchronous operations, even if we currently have no async chacha20 or poly1305
  drivers.

  Signed-off-by: Martin Willi
  Acked-by: Steffen Klassert
  Signed-off-by: Herbert Xu

  Martin Willi

  2015-06-04 15:04:52 +0800