1. 20 Apr, 2018 1 commit
  2. 22 Dec, 2017 1 commit
  3. 01 Nov, 2016 2 commits
  4. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Use skcipher · 7217d49f
      Herbert Xu authored
      This patch converts authenc to use the new skcipher interface as
      opposed to ablkcipher.
      It also fixes a little bug where if a sync version of authenc
      is requested we may still end up using an async ahash.  This should
      have no effect as none of the authenc users can request for a
      sync authenc.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
  5. 01 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Consider ahash ASYNC bit · 927ef32d
      Herbert Xu authored
      As it is, if you get an async ahash with a sync skcipher you'll
      end up with a sync authenc, which is wrong.
      This patch fixes it by considering the ASYNC bit from ahash as
      It also fixes a little bug where if a sync version of authenc
      is requested we may still end up using an async ahash.
      Neither of them should have any effect as none of the authenc
      users can request for a sync authenc.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
  6. 29 Jun, 2016 1 commit
  7. 17 Aug, 2015 1 commit
  8. 04 Aug, 2015 1 commit
  9. 13 May, 2015 2 commits
  10. 26 Nov, 2014 1 commit
  11. 28 Nov, 2013 1 commit
  12. 16 Oct, 2013 1 commit
  13. 07 Oct, 2013 1 commit
    • James Yonan's avatar
      crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks · 6bf37e5a
      James Yonan authored
      When comparing MAC hashes, AEAD authentication tags, or other hash
      values in the context of authentication or integrity checking, it
      is important not to leak timing information to a potential attacker,
      i.e. when communication happens over a network.
      Bytewise memory comparisons (such as memcmp) are usually optimized so
      that they return a nonzero value as soon as a mismatch is found. E.g,
      on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
      and up to ~850 cyc for a full match (cold). This early-return behavior
      can leak timing information as a side channel, allowing an attacker to
      iteratively guess the correct result.
      This patch adds a new method crypto_memneq ("memory not equal to each
      other") to the crypto API that compares memory areas of the same length
      in roughly "constant time" (cache misses could change the timing, but
      since they don't reveal information about the content of the strings
      being compared, they are effectively benign). Iow, best and worst case
      behaviour take the same amount of time to complete (in contrast to
      Note that crypto_memneq (unlike memcmp) can only be used to test for
      equality or inequality, NOT for lexicographical order. This, however,
      is not an issue for its use-cases within the crypto API.
      We tried to locate all of the places in the crypto API where memcmp was
      being used for authentication or integrity checking, and convert them
      over to crypto_memneq.
      crypto_memneq is declared noinline, placed in its own source file,
      and compiled with optimizations that might increase code size disabled
      ("Os") because a smart compiler (or LTO) might notice that the return
      value is always compared against zero/nonzero, and might then
      reintroduce the same early-return optimization that we are trying to
      Using #pragma or __attribute__ optimization annotations of the code
      for disabling optimization was avoided as it seems to be considered
      broken or unmaintained for long time in GCC [1]. Therefore, we work
      around that by specifying the compile flag for memneq.o directly in
      the Makefile. We found that this seems to be most appropriate.
      As we use ("Os"), this patch also provides a loop-free "fast-path" for
      frequently used 16 byte digests. Similarly to kernel library string
      functions, leave an option for future even further optimized architecture
      specific assembler implementations.
      This was a joint work of James Yonan and Daniel Borkmann. Also thanks
      for feedback from Florian Weimer on this and earlier proposals [2].
        [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
        [2] https://lkml.org/lkml/2013/2/10/131Signed-off-by: 's avatarJames Yonan <james@openvpn.net>
      Signed-off-by: 's avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
  14. 04 Feb, 2013 1 commit
  15. 11 Sep, 2012 1 commit
  16. 02 Dec, 2010 1 commit
  17. 26 May, 2010 1 commit
  18. 20 May, 2010 1 commit
  19. 26 Apr, 2010 1 commit
  20. 03 Mar, 2010 1 commit
  21. 02 Mar, 2010 1 commit
  22. 16 Feb, 2010 1 commit
  23. 05 Aug, 2009 1 commit
  24. 14 Jul, 2009 1 commit
  25. 15 Jan, 2009 1 commit
  26. 25 Dec, 2008 1 commit
  27. 22 Aug, 2008 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Avoid using clobbered request pointer · a697690b
      Herbert Xu authored
      Authenc works in two stages for encryption, it first encrypts and
      then computes an ICV.  The context memory of the request is used
      by both operations.  The problem is that when an asynchronous
      encryption completes, we will compute the ICV and then reread the
      context memory of the encryption to get the original request.
      It just happens that we have a buffer of 16 bytes in front of the
      request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
      the bug.  However, any attempt to uses a larger ICV instantly kills
      the machine when the first asynchronous encryption is completed.
      This patch fixes this by saving the request pointer before we start
      the ICV computation.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
  28. 01 May, 2008 1 commit
    • Patrick McHardy's avatar
      [CRYPTO] authenc: Fix async crypto crash in crypto_authenc_genicv() · 16161329
      Patrick McHardy authored
      crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
      while it really points to a struct aead_request, causing this crash:
      BUG: unable to handle kernel paging request at 6b6b6b6b
      IP: [<dc87517b>] :authenc:crypto_authenc_genicv+0x23/0x109
      *pde = 00000000
      Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
      Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]
      Pid: 3074, comm: ping Not tainted (2.6.25 #4)
      EIP: 0060:[<dc87517b>] EFLAGS: 00010296 CPU: 0
      EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
      EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
      ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
       DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
      Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
             dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
             c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
      Call Trace:
       [<c0215a3e>] ? dev_alloc_skb+0x14/0x29
       [<c0119ca9>] ? printk+0x15/0x17
       [<dc87527b>] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
       [<dc850cca>] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
       [<dc8353c7>] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
       [<dc851a56>] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
       [<dc851ab9>] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
       [<c011d046>] ? tasklet_action+0x3f/0x66
       [<c011d230>] ? __do_softirq+0x38/0x7a
       [<c0105a5f>] ? do_softirq+0x3e/0x71
       [<c011d17c>] ? irq_exit+0x2c/0x65
       [<c010e0c0>] ? smp_apic_timer_interrupt+0x5f/0x6a
       [<c01042e4>] ? apic_timer_interrupt+0x28/0x30
       [<dc851640>] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
      Signed-off-by: 's avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
  29. 10 Jan, 2008 10 commits