1. 23 Dec, 2018 1 commit
    • Eric Biggers's avatar
      crypto: skcipher - remove remnants of internal IV generators · c79b411e
      Eric Biggers authored
      Remove dead code related to internal IV generators, which are no longer
      used since they've been replaced with the "seqiv" and "echainiv"
      templates.  The removed code includes:
      
      - The "givcipher" (GIVCIPHER) algorithm type.  No algorithms are
        registered with this type anymore, so it's unneeded.
      
      - The "const char *geniv" member of aead_alg, ablkcipher_alg, and
        blkcipher_alg.  A few algorithms still set this, but it isn't used
        anymore except to show via /proc/crypto and CRYPTO_MSG_GETALG.
        Just hardcode "<default>" or "<none>" in those cases.
      
      - The 'skcipher_givcrypt_request' structure, which is never used.
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      c79b411e
  2. 09 Nov, 2018 1 commit
    • Eric Biggers's avatar
      crypto: user - clean up report structure copying · 37db69e0
      Eric Biggers authored
      There have been a pretty ridiculous number of issues with initializing
      the report structures that are copied to userspace by NETLINK_CRYPTO.
      Commit 4473710d ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME
      expansion") replaced some strncpy()s with strlcpy()s, thereby
      introducing information leaks.  Later two other people tried to replace
      other strncpy()s with strlcpy() too, which would have introduced even
      more information leaks:
      
          - https://lore.kernel.org/patchwork/patch/954991/
          - https://patchwork.kernel.org/patch/10434351/
      
      Commit cac5818c ("crypto: user - Implement a generic crypto
      statistics") also uses the buggy strlcpy() approach and therefore leaks
      uninitialized memory to userspace.  A fix was proposed, but it was
      originally incomplete.
      
      Seeing as how apparently no one can get this right with the current
      approach, change all the reporting functions to:
      
      - Start by memsetting the report structure to 0.  This guarantees it's
        always initialized, regardless of what happens later.
      - Initialize all strings using strscpy().  This is safe after the
        memset, ensures null termination of long strings, avoids unnecessary
        work, and avoids the -Wstringop-truncation warnings from gcc.
      - Use sizeof(var) instead of sizeof(type).  This is more robust against
        copy+paste errors.
      
      For simplicity, also reuse the -EMSGSIZE return value from nla_put().
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      37db69e0
  3. 03 Aug, 2018 1 commit
    • Eric Biggers's avatar
      crypto: blkcipher - fix crash flushing dcache in error path · 0868def3
      Eric Biggers authored
      Like the skcipher_walk case:
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      blkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing blkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      
      This bug was found by syzkaller fuzzing.
      
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "ecb(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: 's avatarLiu Chao <liuchao741@huawei.com>
      Fixes: 5cde0af2 ("[CRYPTO] cipher: Added block cipher type")
      Cc: <stable@vger.kernel.org> # v2.6.19+
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      0868def3
  4. 08 Jul, 2018 1 commit
    • Stafford Horne's avatar
      crypto: skcipher - Fix -Wstringop-truncation warnings · cefd769f
      Stafford Horne authored
      As of GCC 9.0.0 the build is reporting warnings like:
      
          crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
          crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
            strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             sizeof(rblkcipher.geniv));
             ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      This means the strnycpy might create a non null terminated string.  Fix this by
      explicitly performing '\0' termination.
      
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Max Filippov <jcmvbkbc@gmail.com>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
      Signed-off-by: 's avatarStafford Horne <shorne@gmail.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      cefd769f
  5. 29 Nov, 2017 1 commit
  6. 12 Jan, 2017 1 commit
    • Gideon Israel Dsouza's avatar
      crypto: Replaced gcc specific attributes with macros from compiler.h · d8c34b94
      Gideon Israel Dsouza authored
      Continuing from this commit: 52f5684c
      ("kernel: use macros from compiler.h instead of __attribute__((...))")
      
      I submitted 4 total patches. They are part of task I've taken up to
      increase compiler portability in the kernel. I've cleaned up the
      subsystems under /kernel /mm /block and /security, this patch targets
      /crypto.
      
      There is <linux/compiler.h> which provides macros for various gcc specific
      constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
      instances of gcc specific attributes with the right macros for the crypto
      subsystem.
      
      I had to make one additional change into compiler-gcc.h for the case when
      one wants to use this: __attribute__((aligned) and not specify an alignment
      factor. From the gcc docs, this will result in the largest alignment for
      that data type on the target machine so I've named the macro
      __aligned_largest. Please advise if another name is more appropriate.
      Signed-off-by: 's avatarGideon Israel Dsouza <gidisrael@gmail.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      d8c34b94
  7. 13 Sep, 2016 1 commit
  8. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Remove top-level givcipher interface · 3a01d0ee
      Herbert Xu authored
      This patch removes the old crypto_grab_skcipher helper and replaces
      it with crypto_grab_skcipher2.
      
      As this is the final entry point into givcipher this patch also
      removes all traces of the top-level givcipher interface, including
      all implicit IV generators such as chainiv.
      
      The bottom-level givcipher interface remains until the drivers
      using it are converted.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      3a01d0ee
  9. 09 Dec, 2015 1 commit
    • Jason A. Donenfeld's avatar
      crypto: skcipher - Copy iv from desc even for 0-len walks · 70d906bc
      Jason A. Donenfeld authored
      Some ciphers actually support encrypting zero length plaintexts. For
      example, many AEAD modes support this. The resulting ciphertext for
      those winds up being only the authentication tag, which is a result of
      the key, the iv, the additional data, and the fact that the plaintext
      had zero length. The blkcipher constructors won't copy the IV to the
      right place, however, when using a zero length input, resulting in
      some significant problems when ciphers call their initialization
      routines, only to find that the ->iv parameter is uninitialized. One
      such example of this would be using chacha20poly1305 with a zero length
      input, which then calls chacha20, which calls the key setup routine,
      which eventually OOPSes due to the uninitialized ->iv member.
      Signed-off-by: 's avatarJason A. Donenfeld <Jason@zx2c4.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      70d906bc
  10. 13 May, 2015 1 commit
  11. 10 Mar, 2014 2 commits
  12. 19 Feb, 2013 1 commit
    • Mathias Krause's avatar
      crypto: user - fix info leaks in report API · 9a5467bf
      Mathias Krause authored
      Three errors resulting in kernel memory disclosure:
      
      1/ The structures used for the netlink based crypto algorithm report API
      are located on the stack. As snprintf() does not fill the remainder of
      the buffer with null bytes, those stack bytes will be disclosed to users
      of the API. Switch to strncpy() to fix this.
      
      2/ crypto_report_one() does not initialize all field of struct
      crypto_user_alg. Fix this to fix the heap info leak.
      
      3/ For the module name we should copy only as many bytes as
      module_name() returns -- not as much as the destination buffer could
      hold. But the current code does not and therefore copies random data
      from behind the end of the module name, as the module name is always
      shorter than CRYPTO_MAX_ALG_NAME.
      
      Also switch to use strncpy() to copy the algorithm's name and
      driver_name. They are strings, after all.
      Signed-off-by: 's avatarMathias Krause <minipli@googlemail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      9a5467bf
  13. 04 Feb, 2013 1 commit
  14. 02 Apr, 2012 1 commit
  15. 20 Mar, 2012 1 commit
  16. 10 Nov, 2011 1 commit
  17. 21 Oct, 2011 1 commit
  18. 26 Oct, 2010 1 commit
  19. 18 Feb, 2009 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Avoid infinite loop when cipher fails selftest · b170a137
      Herbert Xu authored
      When an skcipher constructed through crypto_givcipher_default fails
      its selftest, we'll loop forever trying to construct new skcipher
      objects but failing because it already exists.
      
      The crux of the issue is that once a givcipher fails the selftest,
      we'll ignore it on the next run through crypto_skcipher_lookup and
      attempt to construct a new givcipher.
      
      We should instead return an error to the caller if we find a
      givcipher that has failed the test.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      b170a137
  20. 27 Jan, 2009 1 commit
  21. 29 Aug, 2008 1 commit
  22. 23 Feb, 2008 1 commit
  23. 10 Jan, 2008 5 commits
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Create default givcipher instances · b9c55aa4
      Herbert Xu authored
      This patch makes crypto_alloc_ablkcipher/crypto_grab_skcipher always
      return algorithms that are capable of generating their own IVs through
      givencrypt and givdecrypt.  Each algorithm may specify its default IV
      generator through the geniv field.
      
      For algorithms that do not set the geniv field, the blkcipher layer will
      pick a default.  Currently it's chainiv for synchronous algorithms and
      eseqiv for asynchronous algorithms.  Note that if these wrappers do not
      work on an algorithm then that algorithm must specify its own geniv or
      it can't be used at all.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      b9c55aa4
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Add skcipher_geniv_alloc/skcipher_geniv_free · ecfc4329
      Herbert Xu authored
      This patch creates the infrastructure to help the construction of givcipher
      templates that wrap around existing blkcipher/ablkcipher algorithms by adding
      an IV generator to them.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      ecfc4329
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Added geniv field · 23508e11
      Herbert Xu authored
      This patch introduces the geniv field which indicates the default IV
      generator for each algorithm.  It should point to a string that is not
      freed as long as the algorithm is registered.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      23508e11
    • Herbert Xu's avatar
      [CRYPTO] scatterwalk: Move scatterwalk.h to linux/crypto · 42c271c6
      Herbert Xu authored
      The scatterwalk infrastructure is used by algorithms so it needs to
      move out of crypto for future users that may live in drivers/crypto
      or asm/*/crypto.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      42c271c6
    • Herbert Xu's avatar
      [CRYPTO] ablkcipher: Add distinct ABLKCIPHER type · 332f8840
      Herbert Xu authored
      Up until now we have ablkcipher algorithms have been identified as
      type BLKCIPHER with the ASYNC bit set.  This is suboptimal because
      ablkcipher refers to two things.  On the one hand it refers to the
      top-level ablkcipher interface with requests.  On the other hand it
      refers to and algorithm type underneath.
      
      As it is you cannot request a synchronous block cipher algorithm
      with the ablkcipher interface on top.  This is a problem because
      we want to be able to eventually phase out the blkcipher top-level
      interface.
      
      This patch fixes this by making ABLKCIPHER its own type, just as
      we have distinct types for HASH and DIGEST.  The type it associated
      with the algorithm implementation only.
      
      Which top-level interface is used for synchronous block ciphers is
      then determined by the mask that's used.  If it's a specific mask
      then the old blkcipher interface is given, otherwise we go with the
      new ablkcipher interface.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      332f8840
  24. 10 Oct, 2007 5 commits
  25. 10 Sep, 2007 1 commit
  26. 09 Sep, 2007 1 commit
    • Herbert Xu's avatar
      [CRYPTO] blkcipher: Fix handling of kmalloc page straddling · e4630f9f
      Herbert Xu authored
      The function blkcipher_get_spot tries to return a buffer of
      the specified length that does not straddle a page.  It has
      an off-by-one bug so it may advance a page unnecessarily.
      
      What's worse, one of its callers doesn't provide a buffer
      that's sufficiently long for this operation.
      
      This patch fixes both problems.  Thanks to Bob Gilligan for
      diagnosing this problem and providing a fix.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      e4630f9f
  27. 06 Aug, 2007 1 commit
  28. 11 Jul, 2007 1 commit
  29. 02 May, 2007 2 commits
    • Herbert Xu's avatar
      [CRYPTO] api: Add async block cipher interface · 32e3983f
      Herbert Xu authored
      This patch adds the frontend interface for asynchronous block ciphers.
      In addition to the usual block cipher parameters, there is a callback
      function pointer and a data pointer.  The callback will be invoked only
      if the encrypt/decrypt handlers return -EINPROGRESS.  In other words,
      if the return value of zero the completion handler (or the equivalent
      code) needs to be invoked by the caller.
      
      The request structure is allocated and freed by the caller.  Its size
      is determined by calling crypto_ablkcipher_reqsize().  The helpers
      ablkcipher_request_alloc/ablkcipher_request_free can be used to manage
      the memory for a request.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      32e3983f
    • Herbert Xu's avatar
      [CRYPTO] api: Proc functions should be marked as unused · 03f5d8ce
      Herbert Xu authored
      The proc functions were incorrectly marked as used rather than unused.
      They may be unused if proc is disabled.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      03f5d8ce
  30. 06 Feb, 2007 1 commit