1. 22 Dec, 2017 1 commit
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - validate the digest size · e57121d0
      Eric Biggers authored
      If the rfc7539 template was instantiated with a hash algorithm with
      digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
      overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
      subsequent memory, including 'cryptlen'.  This caused a crash during
      crypto_skcipher_decrypt().
      
      Fix it by, when instantiating the template, requiring that the
      underlying hash algorithm has the digest size expected for Poly1305.
      
      Reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int algfd, reqfd;
                  struct sockaddr_alg addr = {
                          .salg_type = "aead",
                          .salg_name = "rfc7539(chacha20,sha256)",
                  };
                  unsigned char buf[32] = { 0 };
      
                  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(algfd, (void *)&addr, sizeof(addr));
                  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
                  reqfd = accept(algfd, 0, 0);
                  write(reqfd, buf, 16);
                  read(reqfd, buf, 16);
          }
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e57121d0
  2. 01 Nov, 2016 2 commits
  3. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: chacha20poly1305 - Use skcipher · 1e1f0061
      Herbert Xu authored
      This patch converts chacha20poly1305 to use the new skcipher
      interface as opposed to ablkcipher.
      
      It also fixes a buglet where we may end up with an async poly1305
      when the user asks for a async algorithm.  This shouldn't be a
      problem yet as there aren't any async implementations of poly1305
      out there.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1e1f0061
  4. 09 Dec, 2015 1 commit
  5. 17 Aug, 2015 1 commit
  6. 17 Jul, 2015 3 commits
  7. 17 Jun, 2015 1 commit
  8. 04 Jun, 2015 2 commits