  1. 11 Jan, 2019 1 commit
  2. 23 Dec, 2018 2 commits
  3. 09 Nov, 2018 1 commit
    • crypto: user - clean up report structure copying · 37db69e0
      Eric Biggers authored
      There have been a pretty ridiculous number of issues with initializing
      the report structures that are copied to userspace by NETLINK_CRYPTO.
      Commit 4473710d ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME
      expansion") replaced some strncpy()s with strlcpy()s, thereby
      introducing information leaks.  Later two other people tried to replace
      other strncpy()s with strlcpy() too, which would have introduced even
      more information leaks:
          - https://lore.kernel.org/patchwork/patch/954991/
          - https://patchwork.kernel.org/patch/10434351/
      Commit cac5818c ("crypto: user - Implement a generic crypto
      statistics") also uses the buggy strlcpy() approach and therefore leaks
      uninitialized memory to userspace.  A fix was proposed, but it was
      originally incomplete.
      Seeing as how apparently no one can get this right with the current
      approach, change all the reporting functions to:
      - Start by memsetting the report structure to 0.  This guarantees it's
        always initialized, regardless of what happens later.
      - Initialize all strings using strscpy().  This is safe after the
        memset, ensures null termination of long strings, avoids unnecessary
        work, and avoids the -Wstringop-truncation warnings from gcc.
      - Use sizeof(var) instead of sizeof(type).  This is more robust against
        copy+paste errors.
      For simplicity, also reuse the -EMSGSIZE return value from nla_put().
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
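An added example (not code from the kernel or from this commit) that simulates in userspace the leak described in 37db69e0 and the memset-first fix. The `demo_report` layout, the `demo_copy_nopad()` stand-in for the kernel string helpers, and the 0xAA poison fill are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* stands in for stale kernel stack contents */
/* Constructed layout, modelled on a report struct copied to userspace. */
struct demo_report {
	char type[64];
	unsigned int blocksize;
};

enum how { USE_STRNCPY, USE_STRLCPY, MEMSET_THEN_STRSCPY };

/* Userspace stand-in for strlcpy()/strscpy(): both NUL-terminate but leave
 * the bytes after the terminator untouched (they differ in return value). */
static size_t demo_copy_nopad(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src), n;
	if (!size)
		return len;
	n = len >= size ? size - 1 : len;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return len;
}

static void fill_report(struct demo_report *r, enum how how)
{
	if (how == MEMSET_THEN_STRSCPY)
		memset(r, 0, sizeof(*r)); /* the fix: zero everything first */
	if (how == USE_STRNCPY)
		strncpy(r->type, "cipher", sizeof(r->type)); /* NUL-pads the tail */
	else
		demo_copy_nopad(r->type, "cipher", sizeof(r->type));
	r->blocksize = 16;
}

/* Count bytes of the "copied to userspace" struct that were never written. */
static size_t leaked_bytes(enum how how)
{
	struct demo_report r;
	const unsigned char *p = (const unsigned char *)&r;
	size_t i, n = 0;
	memset(&r, POISON, sizeof(r)); /* simulate an uninitialized stack slot */
	fill_report(&r, how);
	for (i = 0; i < sizeof(r); i++)
		n += (p[i] == POISON);
	return n;
}

int main(void)
{
	printf("strncpy: %zu, strlcpy: %zu, memset+strscpy: %zu\n",
	       leaked_bytes(USE_STRNCPY), leaked_bytes(USE_STRLCPY),
	       leaked_bytes(MEMSET_THEN_STRSCPY));
	return 0;
}
```

The strlcpy-style fill leaves every byte of `type` after the terminator unwritten, which is why swapping it in for strncpy() introduced the leaks the commit message describes.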
  4. 28 Sep, 2018 1 commit
    • crypto: skcipher - Introduce crypto_sync_skcipher · b350bee5
      Kees Cook authored
      In preparation for removal of VLAs due to skcipher requests on the stack
      via SKCIPHER_REQUEST_ON_STACK() usage, this introduces the infrastructure
      for the "sync skcipher" tfm, which is for handling the on-stack cases of
      skcipher, which are always non-ASYNC and have a known limited request
      The crypto API additions:
      	struct crypto_sync_skcipher (wrapper for struct crypto_skcipher)
      	SYNC_SKCIPHER_REQUEST_ON_STACK() (with tfm type check)
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  5. 03 Aug, 2018 3 commits
    • crypto: skcipher - fix crash flushing dcache in error path · 8088d3dd
      Eric Biggers authored
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      skcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      Fix it by reorganizing skcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      This bug was found by syzkaller fuzzing.
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "cbc(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: Liu Chao <liuchao741@huawei.com>
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: skcipher - remove unnecessary setting of walk->nbytes · 2a57c0be
      Eric Biggers authored
      Setting 'walk->nbytes = walk->total' in skcipher_walk_first() doesn't
      make sense because actually walk->nbytes needs to be set to the length
      of the first step in the walk, which may be less than walk->total.  This
      is done by skcipher_walk_next() which is called immediately afterwards.
      Also walk->nbytes was already set to 0 in skcipher_walk_skcipher(),
      which is a better default value in case it's forgotten to be set later.
      Therefore, remove the unnecessary assignment to walk->nbytes.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: skcipher - fix aligning block size in skcipher_copy_iv() · 0567fc9e
      Eric Biggers authored
      The ALIGN() macro needs to be passed the alignment, not the alignmask
      (which is the alignment minus 1).
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  6. 01 Jul, 2018 1 commit
    • crypto: skcipher - remove the exporting of skcipher_walk_next · e4e47306
      Denis Efremov authored
      The function skcipher_walk_next is declared as static and marked as
      EXPORT_SYMBOL_GPL. It's a bit confusing for an internal function to be
      exported. The area of visibility for such a function is its .c file
      and all other modules. Other *.c files of the same module can't use it,
      even though all other modules can. Relying on the fact that this is an
      internal function and it's not a crucial part of the API, the patch
      just removes the EXPORT_SYMBOL_GPL marking of skcipher_walk_next.
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Denis Efremov <efremov@linux.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  7. 12 Jan, 2018 1 commit
    • crypto: skcipher - prevent using skciphers without setting key · f8d33fac
      Eric Biggers authored
      Similar to what was done for the hash API, update the skcipher API to
      track whether each transform has been keyed, and reject
      encryption/decryption if a key is needed but one hasn't been set.
      This isn't as important as the equivalent fix for the hash API because
      symmetric ciphers almost always require a key (the "null cipher" is the
      only exception), so are unlikely to be used without one.  Still,
      tracking the key will prevent accidental unkeyed use.  algif_skcipher
      also had to track the key anyway, so the new flag replaces that and
      simplifies the algif_skcipher implementation.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  8. 11 Dec, 2017 1 commit
    • crypto: skcipher - set walk.iv for zero-length inputs · 2b4f27c3
      Eric Biggers authored
      All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
      algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
      before checking whether any bytes need to be processed (walk.nbytes).
      But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
      and the algorithms crash trying to use the uninitialized IV pointer.
      Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
      for the AEAD walk functions.
      This isn't a perfect solution because we can't actually align the IV to
      ->cra_alignmask unless there are bytes to process, for one because the
      temporary buffer for the aligned IV is freed by skcipher_walk_done(),
      which is only called when there are bytes to process.  Thus, algorithms
      that require aligned IVs will still need to avoid accessing the IV when
      walk.nbytes == 0.  Still, many algorithms/architectures are fine with
      IVs having any alignment, and even for those that aren't, a misaligned
      pointer bug is much less severe than an uninitialized pointer bug.
      This change also matches the behavior of the older blkcipher_walk API.
      Fixes: 0cabf2af ("crypto: skcipher - Fix crash on zero-length input")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  9. 25 Nov, 2017 1 commit
    • crypto: skcipher - Fix skcipher_walk_aead_common · c14ca838
      Ondrej Mosnáček authored
      The skcipher_walk_aead_common function calls scatterwalk_copychunks on
      the input and output walks to skip the associated data. If the AD ends
      at an SG list entry boundary, then after these calls the walks will
      still be pointing to the end of the skipped region.
      These offsets are later checked for alignment in skcipher_walk_next,
      so the skcipher_walk may detect the alignment incorrectly.
      This patch fixes it by calling scatterwalk_done after the copychunks
      calls to ensure that the offsets refer to the right SG list entry.
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  10. 07 Oct, 2017 1 commit
  11. 18 May, 2017 1 commit
  12. 12 Jan, 2017 1 commit
    • crypto: Replaced gcc specific attributes with macros from compiler.h · d8c34b94
      Gideon Israel Dsouza authored
      Continuing from this commit: 52f5684c
      ("kernel: use macros from compiler.h instead of __attribute__((...))")
      I submitted 4 total patches. They are part of a task I've taken up to
      increase compiler portability in the kernel. I've cleaned up the
      subsystems under /kernel /mm /block and /security, this patch targets
      There is <linux/compiler.h> which provides macros for various gcc specific
      constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
      instances of gcc specific attributes with the right macros for the crypto
      I had to make one additional change into compiler-gcc.h for the case when
      one wants to use this: __attribute__((aligned)) and not specify an alignment
      factor. From the gcc docs, this will result in the largest alignment for
      that data type on the target machine so I've named the macro
      __aligned_largest. Please advise if another name is more appropriate.
      Signed-off-by: Gideon Israel Dsouza <gidisrael@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  13. 30 Dec, 2016 1 commit
    • crypto: skcipher - introduce walksize attribute for SIMD algos · c821f6ab
      Ard Biesheuvel authored
      In some cases, SIMD algorithms can only perform optimally when
      allowed to operate on multiple input blocks in parallel. This is
      especially true for bit slicing algorithms, which typically take
      the same amount of time processing a single block or 8 blocks in
      parallel. However, other SIMD algorithms may benefit as well from
      bigger strides.
      So add a walksize attribute to the skcipher algorithm definition, and
      wire it up to the skcipher walk API. To avoid confusion between the
      skcipher and AEAD attributes, rename the skcipher_walk chunksize
      attribute to 'stride', and set it from the walksize (in the skcipher
      case) or from the chunksize (in the AEAD case).
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  14. 14 Dec, 2016 1 commit
    • crypto: skcipher - fix crash in virtual walk · 18e615ad
      Ard Biesheuvel authored
      The new skcipher walk API may crash in the following way. (Interestingly,
      the tcrypt boot time tests seem unaffected, while an explicit test using
      the module triggers it)
        Unable to handle kernel NULL pointer dereference at virtual address 00000000
        [<ffff000008431d84>] __memcpy+0x84/0x180
        [<ffff0000083ec0d0>] skcipher_walk_done+0x328/0x340
        [<ffff0000080c5c04>] ctr_encrypt+0x84/0x100
        [<ffff000008406d60>] simd_skcipher_encrypt+0x88/0x98
        [<ffff0000083fa05c>] crypto_rfc3686_crypt+0x8c/0x98
        [<ffff0000009b0900>] test_skcipher_speed+0x518/0x820 [tcrypt]
        [<ffff0000009b31c0>] do_test+0x1408/0x3b70 [tcrypt]
        [<ffff0000009bd050>] tcrypt_mod_init+0x50/0x1000 [tcrypt]
        [<ffff0000080838f4>] do_one_initcall+0x44/0x138
        [<ffff0000081aee60>] do_init_module+0x68/0x1e0
        [<ffff0000081524d0>] load_module+0x1fd0/0x2458
        [<ffff000008152c38>] SyS_finit_module+0xe0/0xf0
        [<ffff0000080836f0>] el0_svc_naked+0x24/0x28
      This is due to the fact that skcipher_done_slow() may be entered with
      walk->buffer unset. Since skcipher_walk_done() already deals with the
      case where walk->buffer == walk->page, it appears to be the intention
      that walk->buffer point to walk->page after skcipher_next_slow(), so
      ensure that is the case.
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  15. 01 Dec, 2016 1 commit
  16. 30 Nov, 2016 1 commit
    • crypto: skcipher - fix crash in skcipher_walk_aead() · 3cbf61fb
      Ard Biesheuvel authored
      The new skcipher_walk_aead() may crash in the following way due to
      the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
      Unable to handle kernel NULL pointer dereference at virtual address 00000001
      Internal error: Oops: 96000044 [#1] PREEMPT SMP
      PC is at skcipher_walk_next+0x208/0x450
      LR is at skcipher_walk_next+0x1e4/0x450
      pc : [<ffff2b93b7104e20>] lr : [<ffff2b93b7104dfc>] pstate: 40000045
      sp : ffffb925fa517940
      [<ffff2b93b7104e20>] skcipher_walk_next+0x208/0x450
      [<ffff2b93b710535c>] skcipher_walk_first+0x54/0x148
      [<ffff2b93b7105664>] skcipher_walk_aead+0xd4/0x108
      [<ffff2b93b6e77928>] ccm_encrypt+0x68/0x158
      So clear the flag at the appropriate time.
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  17. 28 Nov, 2016 1 commit
  18. 18 Jul, 2016 2 commits
    • crypto: skcipher - Remove top-level givcipher interface · 3a01d0ee
      Herbert Xu authored
      This patch removes the old crypto_grab_skcipher helper and replaces
      it with crypto_grab_skcipher2.
      As this is the final entry point into givcipher this patch also
      removes all traces of the top-level givcipher interface, including
      all implicit IV generators such as chainiv.
      The bottom-level givcipher interface remains until the drivers
      using it are converted.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: skcipher - Add low-level skcipher interface · 4e6c3df4
      Herbert Xu authored
      This patch allows skcipher algorithms and instances to be created
      and registered with the crypto API.  They are accessible through
      the top-level skcipher interface, along with ablkcipher/blkcipher
      algorithms and instances.
      This patch also introduces a new parameter called chunk size
      which is meant for ciphers such as CTR and CTS which ostensibly
      can handle arbitrary lengths, but still behave like block ciphers
      in that you can only process a partial block at the very end.
      For these ciphers the block size will continue to be set to 1
      as it is now while the chunk size will be set to the underlying
      block size.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  19. 25 Jan, 2016 1 commit
    • crypto: skcipher - Add default key size helper · 973fb3fb
      Herbert Xu authored
      While converting ecryptfs over to skcipher I found that it needs
      to pick a default key size if one isn't given.  Rather than having
      it poke into the guts of the algorithm to get max_keysize, let's
      provide a helper that is meant to give a sane default (just in
      case we ever get an algorithm that has no maximum key size).
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  20. 18 Jan, 2016 1 commit
  21. 01 Oct, 2015 1 commit
  22. 21 Aug, 2015 1 commit
    • crypto: skcipher - Add top-level skcipher interface · 7a7ffe65
      Herbert Xu authored
      This patch introduces the crypto skcipher interface which aims
      to replace both blkcipher and ablkcipher.
      It's very similar to the existing ablkcipher interface.  The
      main difference is the removal of the givcrypt interface.  In
      order to make the transition easier for blkcipher users, there
      is a helper SKCIPHER_REQUEST_ON_STACK which can be used to place
      a request on the stack for synchronous transforms.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>