25 Oct, 2014

1 commit


17 Oct, 2014

1 commit

  • Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit()
    for clearing data"), we have found that GCC may optimize some memset()
    cases away when it detects a stack variable is not being used anymore
    and going out of scope. This can happen, for example, in cases when we
    are clearing out sensitive information such as keying material or any
    e.g. intermediate results from crypto computations, etc.

    With the help of Coccinelle, we can figure out and fix such occurences
    in the crypto subsytem as well. Julia Lawall provided the following
    Coccinelle program:

    @@
    type T;
    identifier x;
    @@

    T x;
    ... when exists
    when any
    -memset
    +memzero_explicit
    (&x,
    -0,
    ...)
    ... when != x
    when strict

    @@
    type T;
    identifier x;
    @@

    T x[...];
    ... when exists
    when any
    -memset
    +memzero_explicit
    (x,
    -0,
    ...)
    ... when != x
    when strict

    Therefore, make use of the drop-in replacement memzero_explicit() for
    exactly such cases instead of using memset().

    Signed-off-by: Daniel Borkmann
    Cc: Julia Lawall
    Cc: Herbert Xu
    Cc: Theodore Ts'o
    Cc: Hannes Frederic Sowa
    Acked-by: Hannes Frederic Sowa
    Acked-by: Herbert Xu
    Signed-off-by: Theodore Ts'o

    Daniel Borkmann
     

14 Oct, 2014

2 commits

  • Replaced the use of a Variable Length Array In Struct (VLAIS) with a C99
    compliant equivalent. This patch allocates the appropriate amount of memory
    using a char array using the SHASH_DESC_ON_STACK macro.

    The new code can be compiled with both gcc and clang.

    Signed-off-by: Jan-Simon Möller
    Signed-off-by: Behan Webster
    Reviewed-by: Mark Charlebois
    Acked-by: Herbert Xu
    Cc: pageexec@freemail.hu

    Jan-Simon Möller
     
  • Replaced the use of a Variable Length Array In Struct (VLAIS) with a C99
    compliant equivalent. This patch allocates the appropriate amount of memory
    using a char array using the SHASH_DESC_ON_STACK macro.

    The new code can be compiled with both gcc and clang.

    Signed-off-by: Jan-Simon Möller
    Signed-off-by: Behan Webster
    Reviewed-by: Mark Charlebois
    Acked-by: Herbert Xu
    Cc: pageexec@freemail.hu

    Jan-Simon Möller
     

12 Oct, 2014

1 commit

  • Pull security subsystem updates from James Morris.

    Mostly ima, selinux, smack and key handling updates.

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits)
    integrity: do zero padding of the key id
    KEYS: output last portion of fingerprint in /proc/keys
    KEYS: strip 'id:' from ca_keyid
    KEYS: use swapped SKID for performing partial matching
    KEYS: Restore partial ID matching functionality for asymmetric keys
    X.509: If available, use the raw subjKeyId to form the key description
    KEYS: handle error code encoded in pointer
    selinux: normalize audit log formatting
    selinux: cleanup error reporting in selinux_nlmsg_perm()
    KEYS: Check hex2bin()'s return when generating an asymmetric key ID
    ima: detect violations for mmaped files
    ima: fix race condition on ima_rdwr_violation_check and process_measurement
    ima: added ima_policy_flag variable
    ima: return an error code from ima_add_boot_aggregate()
    ima: provide 'ima_appraise=log' kernel option
    ima: move keyring initialization to ima_init()
    PKCS#7: Handle PKCS#7 messages that contain no X.509 certs
    PKCS#7: Better handling of unsupported crypto
    KEYS: Overhaul key identification when searching for asymmetric keys
    KEYS: Implement binary asymmetric key ID handling
    ...

    Linus Torvalds
     

08 Oct, 2014

3 commits

  • Pull crypto update from Herbert Xu:
    - add multibuffer infrastructure (single_task_running scheduler helper,
    OKed by Peter on lkml.
    - add SHA1 multibuffer implementation for AVX2.
    - reenable "by8" AVX CTR optimisation after fixing counter overflow.
    - add APM X-Gene SoC RNG support.
    - SHA256/SHA512 now handles unaligned input correctly.
    - set lz4 decompressed length correctly.
    - fix algif socket buffer allocation failure for 64K page machines.
    - misc fixes

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (47 commits)
    crypto: sha - Handle unaligned input data in generic sha256 and sha512.
    Revert "crypto: aesni - disable "by8" AVX CTR optimization"
    crypto: aesni - remove unused defines in "by8" variant
    crypto: aesni - fix counter overflow handling in "by8" variant
    hwrng: printk replacement
    crypto: qat - Removed unneeded partial state
    crypto: qat - Fix typo in name of tasklet_struct
    crypto: caam - Dynamic allocation of addresses for various memory blocks in CAAM.
    crypto: mcryptd - Fix typos in CRYPTO_MCRYPTD description
    crypto: algif - avoid excessive use of socket buffer in skcipher
    arm64: dts: add random number generator dts node to APM X-Gene platform.
    Documentation: rng: Add X-Gene SoC RNG driver documentation
    hwrng: xgene - add support for APM X-Gene SoC RNG support
    crypto: mv_cesa - Add missing #define
    crypto: testmgr - add test for lz4 and lz4hc
    crypto: lz4,lz4hc - fix decompression
    crypto: qat - Use pci_enable_msix_exact() instead of pci_enable_msix()
    crypto: drbg - fix maximum value checks on 32 bit systems
    crypto: drbg - fix sparse warning for cpu_to_be[32|64]
    crypto: sha-mb - sha1_mb_alg_state can be static
    ...

    Linus Torvalds
     
  • Pull ARM updates from Russell King:
    "Included in these updates are:
    - Performance optimisation to avoid writing the control register at
    every exception.
    - Use static inline instead of extern inline in ftrace code.
    - Crypto ARM assembly updates for big endian
    - Alignment of initrd/.init memory to page sizes when freeing to
    ensure that we fully free the regions
    - Add gcov support
    - A couple of preparatory patches for VDSO support: use
    _install_special_mapping, and randomize the sigpage placement above
    stack.
    - Add L2 ePAPR DT cache properties so that DT can specify the cache
    geometry.
    - Preparatory patch for FIQ (NMI) kernel C code for things like
    spinlock lockup debug. Following on from this are a couple of my
    patches cleaning up show_regs() and removing an unused (probably
    since 1.x days) do_unexp_fiq() function.
    - Use pr_warn() rather than pr_warning().
    - A number of cleanups (smp, footbridge, return_address)"

    * 'for-linus' of git://ftp.arm.linux.org.uk/~rmk/linux-arm: (21 commits)
    ARM: 8167/1: extend the reserved memory for initrd to be page aligned
    ARM: 8168/1: extend __init_end to a page align address
    ARM: 8169/1: l2c: parse cache properties from ePAPR definitions
    ARM: 8160/1: drop warning about return_address not using unwind tables
    ARM: 8161/1: footbridge: select machine dir based on ARCH_FOOTBRIDGE
    ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h
    ARM: 8155/1: place sigpage at a random offset above stack
    ARM: 8154/1: use _install_special_mapping for sigpage
    ARM: 8153/1: Enable gcov support on the ARM architecture
    ARM: Avoid writing to control register on every exception
    ARM: 8152/1: Convert pr_warning to pr_warn
    ARM: remove unused do_unexp_fiq() function
    ARM: remove extraneous newline in show_regs()
    ARM: 8150/3: fiq: Replace default FIQ handler
    ARM: 8140/1: ep93xx: Enable DEBUG_LL_UART_PL01X
    ARM: 8139/1: versatile: Enable DEBUG_LL_UART_PL01X
    ARM: 8138/1: drop ISAR0 workaround for B15
    ARM: 8136/1: sa1100: add Micro ASIC platform device
    ARM: 8131/1: arm/smp: Absorb boot_secondary()
    ARM: 8126/1: crypto: enable NEON SHA-384/SHA-512 for big endian
    ...

    Linus Torvalds
     
  • Pull dmaengine updates from Dan Williams:
    "Even though this has fixes marked for -stable, given the size and the
    needed conflict resolutions this is 3.18-rc1/merge-window material.

    These patches have been languishing in my tree for a long while. The
    fact that I do not have the time to do proper/prompt maintenance of
    this tree is a primary factor in the decision to step down as
    dmaengine maintainer. That and the fact that the bulk of drivers/dma/
    activity is going through Vinod these days.

    The net_dma removal has not been in -next. It has developed simple
    conflicts against mainline and net-next (for-3.18).

    Continuing thanks to Vinod for staying on top of drivers/dma/.

    Summary:

    1/ Step down as dmaengine maintainer see commit 08223d80df38
    "dmaengine maintainer update"

    2/ Removal of net_dma, as it has been marked 'broken' since 3.13
    (commit 77873803363c "net_dma: mark broken"), without reports of
    performance regression.

    3/ Miscellaneous fixes"

    * tag 'dmaengine-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/dmaengine:
    net: make tcp_cleanup_rbuf private
    net_dma: revert 'copied_early'
    net_dma: simple removal
    dmaengine maintainer update
    dmatest: prevent memory leakage on error path in thread
    ioat: Use time_before_jiffies()
    dmaengine: fix xor sources continuation
    dma: mv_xor: Rename __mv_xor_slot_cleanup() to mv_xor_slot_cleanup()
    dma: mv_xor: Remove all callers of mv_xor_slot_cleanup()
    dma: mv_xor: Remove unneeded mv_xor_clean_completed_slots() call
    ioat: Use pci_enable_msix_exact() instead of pci_enable_msix()
    drivers: dma: Include appropriate header file in dca.c
    drivers: dma: Mark functions as static in dma_v3.c
    dma: mv_xor: Add DMA API error checks
    ioat/dca: Use dev_is_pci() to check whether it is pci device

    Linus Torvalds
     

07 Oct, 2014

2 commits


06 Oct, 2014

2 commits


03 Oct, 2014

3 commits

  • Module signing matches keys by comparing against the key description exactly.
    However, the way the key description gets constructed got changed to be
    composed of the subject name plus the certificate serial number instead of the
    subject name and the subjectKeyId. I changed this to avoid problems with
    certificates that don't *have* a subjectKeyId.

    Instead, if available, use the raw subjectKeyId to form the key description
    and only use the serial number if the subjectKeyId doesn't exist.

    Reported-by: Dmitry Kasatkin
    Signed-off-by: David Howells

    David Howells
     
  • If hexlen is odd then function returns an error.
    Use IS_ERR to check for error, otherwise invalid pointer
    is used and kernel gives oops:

    [ 132.816522] BUG: unable to handle kernel paging request at
    ffffffffffffffea
    [ 132.819902] IP: [] asymmetric_key_id_same+0x14/0x36
    [ 132.820302] PGD 1a12067 PUD 1a14067 PMD 0
    [ 132.820302] Oops: 0000 [#1] SMP
    [ 132.820302] Modules linked in: bridge(E) stp(E) llc(E) evdev(E)
    serio_raw(E) i2c_piix4(E) button(E) fuse(E)
    [ 132.820302] CPU: 0 PID: 2993 Comm: cat Tainted: G E
    3.16.0-kds+ #2847
    [ 132.820302] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    [ 132.820302] task: ffff88004249a430 ti: ffff880056640000 task.ti:
    ffff880056640000
    [ 132.820302] RIP: 0010:[] []
    asymmetric_key_id_same+0x14/0x36
    [ 132.820302] RSP: 0018:ffff880056643930 EFLAGS: 00010246
    [ 132.820302] RAX: 0000000000000000 RBX: ffffffffffffffea RCX:
    ffff880056643ae0
    [ 132.820302] RDX: 000000000000005e RSI: ffffffffffffffea RDI:
    ffff88005bac9300
    [ 132.820302] RBP: ffff880056643948 R08: 0000000000000003 R09:
    00000007504aa01a
    [ 132.820302] R10: 0000000000000000 R11: 0000000000000000 R12:
    ffff88005d68ca40
    [ 132.820302] R13: 0000000000000101 R14: 0000000000000000 R15:
    ffff88005bac5280
    [ 132.820302] FS: 00007f67a153c740(0000) GS:ffff88005da00000(0000)
    knlGS:0000000000000000
    [ 132.820302] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [ 132.820302] CR2: ffffffffffffffea CR3: 000000002e663000 CR4:
    00000000000006f0
    [ 132.820302] Stack:
    [ 132.820302] ffffffff812bfc66 ffff880056643ae0 ffff88005bac5280
    ffff880056643958
    [ 132.820302] ffffffff812bfc9d ffff880056643980 ffffffff812971d9
    ffff88005ce930c1
    [ 132.820302] ffff88005ce930c0 0000000000000000 ffff8800566439c8
    ffffffff812fb753
    [ 132.820302] Call Trace:
    [ 132.820302] [] ? asymmetric_match_key_ids+0x24/0x42
    [ 132.820302] [] asymmetric_key_cmp+0x19/0x1b
    [ 132.820302] [] keyring_search_iterator+0x74/0xd7
    [ 132.820302] [] assoc_array_subtree_iterate+0x67/0xd2
    [ 132.820302] [] ? key_default_cmp+0x20/0x20
    [ 132.820302] [] assoc_array_iterate+0x19/0x1e
    [ 132.820302] [] search_nested_keyrings+0xf6/0x2b6
    [ 132.820302] [] ? sched_clock_cpu+0x91/0xa2
    [ 132.820302] [] ? mark_held_locks+0x58/0x6e
    [ 132.820302] [] ? current_kernel_time+0x77/0xb8
    [ 132.820302] [] keyring_search_aux+0xe1/0x14c
    [ 132.820302] [] ? keyring_search_aux+0x6c/0x14c
    [ 132.820302] [] keyring_search+0x8f/0xb6
    [ 132.820302] [] ? asymmetric_match_key_ids+0x42/0x42
    [ 132.820302] [] ? key_default_cmp+0x20/0x20
    [ 132.820302] [] asymmetric_verify+0xa4/0x214
    [ 132.820302] [] integrity_digsig_verify+0xb1/0xe2
    [ 132.820302] [] ? evm_verifyxattr+0x6a/0x7a
    [ 132.820302] [] ima_appraise_measurement+0x160/0x370
    [ 132.820302] [] ? d_absolute_path+0x5b/0x7a
    [ 132.820302] [] process_measurement+0x322/0x404

    Reported-by: Dmitry Kasatkin
    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: David Howells

    Dmitry Kasatkin
     
  • Russell King
     

02 Oct, 2014

1 commit


30 Sep, 2014

1 commit


22 Sep, 2014

1 commit

  • As it stands, the code to generate an asymmetric key ID prechecks the hex
    string it is given whilst determining the length, before it allocates the
    buffer for hex2bin() to translate into - which mean that checking the result of
    hex2bin() is redundant.

    Unfortunately, hex2bin() is marked as __must_check, which means that the
    following warning may be generated if the return value isn't checked:

    crypto/asymmetric_keys/asymmetric_type.c: In function
    asymmetric_key_hex_to_key_id:
    crypto/asymmetric_keys/asymmetric_type.c:110: warning: ignoring return
    value of hex2bin, declared with attribute warn_unused_result

    The warning can't be avoided by casting the result to void.

    Instead, use strlen() to check the length of the string and ignore the fact
    that the string might not be entirely valid hex until after the allocation has
    been done - in which case we can use the result of hex2bin() for this.

    Signed-off-by: David Howells

    David Howells
     

17 Sep, 2014

13 commits

  • The X.509 certificate list in a PKCS#7 message is optional. To save space, we
    can omit the inclusion of any X.509 certificates if we are sure that we can
    look the relevant public key up by the serial number and issuer given in a
    signed info block.

    This also supports use of a signed info block for which we can't find a
    matching X.509 cert in the certificate list, though it be populated.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Provide better handling of unsupported crypto when verifying a PKCS#7 message.
    If we can't bridge the gap between a pair of X.509 certs or between a signed
    info block and an X.509 cert because it involves some crypto we don't support,
    that's not necessarily the end of the world as there may be other ways points
    at which we can intersect with a ring of trusted keys.

    Instead, only produce ENOPKG immediately if all the signed info blocks in a
    PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
    Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
    validation.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Make use of the new match string preparsing to overhaul key identification
    when searching for asymmetric keys. The following changes are made:

    (1) Use the previously created asymmetric_key_id struct to hold the following
    key IDs derived from the X.509 certificate or PKCS#7 message:

    id: serial number + issuer
    skid: subjKeyId + subject
    authority: authKeyId + issuer

    (2) Replace the hex fingerprint attached to key->type_data[1] with an
    asymmetric_key_ids struct containing the id and the skid (if present).

    (3) Make the asymmetric_type match data preparse select one of two searches:

    (a) An iterative search for the key ID given if prefixed with "id:". The
    prefix is expected to be followed by a hex string giving the ID to
    search for. The criterion key ID is checked against all key IDs
    recorded on the key.

    (b) A direct search if the key ID is not prefixed with "id:". This will
    look for an exact match on the key description.

    (4) Make x509_request_asymmetric_key() take a key ID. This is then converted
    into "id:" and passed into keyring_search() where match preparsing
    will turn it back into a binary ID.

    (5) X.509 certificate verification then takes the authority key ID and looks
    up a key that matches it to find the public key for the certificate
    signature.

    (6) PKCS#7 certificate verification then takes the id key ID and looks up a
    key that matches it to find the public key for the signed information
    block signature.

    Additional changes:

    (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
    cert to be rejected with -EBADMSG.

    (2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP
    public key fingerprints. If PGP is supported in future, this should
    generate a key ID that carries the fingerprint.

    (3) Th ca_keyid= kernel command line option is now converted to a key ID and
    used to match the authority key ID. Possibly this should only match the
    actual authKeyId part and not the issuer as well.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Implement the first step in using binary key IDs for asymmetric keys rather
    than hex string keys.

    The previously added match data preparsing will be able to convert hex
    criterion strings into binary which can then be compared more rapidly.

    Further, we actually want more then one ID string per public key. The problem
    is that X.509 certs refer to other X.509 certs by matching Issuer + AuthKeyId
    to Subject + SubjKeyId, but PKCS#7 messages match against X.509 Issuer +
    SerialNumber.

    This patch just provides facilities for a later patch to make use of.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Make the key matching functions pointed to by key_match_data::cmp return bool
    rather than int.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • A previous patch added a ->match_preparse() method to the key type. This is
    allowed to override the function called by the iteration algorithm.
    Therefore, we can just set a default that simply checks for an exact match of
    the key description with the original criterion data and allow match_preparse
    to override it as needed.

    The key_type::match op is then redundant and can be removed, as can the
    user_match() function.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Remove key_type::def_lookup_type as it's no longer used. The information now
    defaults to KEYRING_SEARCH_LOOKUP_DIRECT but may be overridden by
    type->match_preparse().

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Preparse the match data. This provides several advantages:

    (1) The preparser can reject invalid criteria up front.

    (2) The preparser can convert the criteria to binary data if necessary (the
    asymmetric key type really wants to do binary comparison of the key IDs).

    (3) The preparser can set the type of search to be performed. This means
    that it's not then a one-off setting in the key type.

    (4) The preparser can set an appropriate comparator function.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Merge in keyrings fixes for next:

    (1) Insert some missing 'static' annotations.

    Signed-off-by: David Howells

    David Howells
     
  • Merge in keyrings fixes, at least some of which later patches depend on:

    (1) Reinstate the production of EPERM for key types beginning with '.' in
    requests from userspace.

    (2) Tidy up the cleanup of PKCS#7 message signed information blocks and fix a
    bug this made more obvious.

    Signed-off-by: David Howells

    David Howells
     
  • Fix the parser cleanup code to drain parsed out X.509 certs in the case that
    the decode fails and we jump to error_decode.

    The function is rearranged so that the same cleanup code is used in the success
    case as the error case - just that the message descriptor under construction is
    only released if it is still pointed to by the context struct at that point.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • The code to free a signed info block is repeated several times, so move the
    code to do it into a function of its own. This gives us a place to add clean
    ups for stuff that gets added to pkcs7_signed_info.

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     
  • Add a missing static (found by checker).

    Signed-off-by: David Howells
    Acked-by: Vivek Goyal

    David Howells
     

15 Sep, 2014

1 commit

  • Pull crypto fixes from Herbert Xu:
    "This fixes the newly added drbg generator so that it actually works on
    32-bit machines. Previously the code was only tested on 64-bit and on
    32-bit it overflowed and simply doesn't work"

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
    crypto: drbg - remove check for uninitialized DRBG handle
    crypto: drbg - backport "fix maximum value checks on 32 bit systems"

    Linus Torvalds
     

05 Sep, 2014

2 commits


04 Sep, 2014

2 commits


03 Sep, 2014

3 commits

  • Printing in base signature handling should have a prefix, so set pr_fmt().

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     
  • Relax the check on the length of the PKCS#7 cert as it appears that the PE
    file wrapper size gets rounded up to the nearest 8.

    The debugging output looks like this:

    PEFILE: ==> verify_pefile_signature()
    PEFILE: ==> pefile_parse_binary()
    PEFILE: checksum @ 110
    PEFILE: header size = 200
    PEFILE: cert = 968 @547be0 [68 09 00 00 00 02 02 00 30 82 09 56 ]
    PEFILE: sig wrapper = { 968, 200, 2 }
    PEFILE: Signature data not PKCS#7

    The wrapper is the first 8 bytes of the hex dump inside []. This indicates a
    length of 0x968 bytes, including the wrapper header - so 0x960 bytes of
    payload.

    The ASN.1 wrapper begins [ ... 30 82 09 56 ]. That indicates an object of size
    0x956 - a four byte discrepency, presumably just padding for alignment
    purposes.

    So we just check that the ASN.1 container is no bigger than the payload and
    reduce the recorded size appropriately.

    Whilst we're at it, allow shorter PKCS#7 objects that manage to squeeze within
    127 or 255 bytes. It's just about conceivable if no X.509 certs are included
    in the PKCS#7 message.

    Reported-by: Vivek Goyal
    Signed-off-by: David Howells
    Acked-by: Vivek Goyal
    Acked-by: Peter Jones
    Signed-off-by: James Morris

    David Howells
     
  • The length of the name of an asymmetric key subtype must be stored in struct
    asymmetric_key_subtype::name_len so that it can be matched by a search for
    ":". Fix the public_key subtype to have
    name_len set.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     

29 Aug, 2014

1 commit