1. 10 Nov, 2017 2 commits
    • Eric Biggers's avatar
      crypto: dh - Remove pointless checks for NULL 'p' and 'g' · ced6a586
      Eric Biggers authored
      Neither 'p' nor 'g' can be NULL, as they were unpacked using
      crypto_dh_decode_key().  And it makes no sense for them to be optional.
      So remove the NULL checks that were copy-and-pasted into both modules.
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: 's avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      ced6a586
    • Eric Biggers's avatar
      crypto: dh - Fix double free of ctx->p · 12d41a02
      Eric Biggers authored
      When setting the secret with the software Diffie-Hellman implementation,
      if allocating 'g' failed (e.g. if it was longer than
      MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
      once later when the crypto_kpp tfm was destroyed.
      
      Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
      paths, as that correctly sets the pointers to NULL.
      
      KASAN report:
      
          MPI: mpi too large (32760 bits)
          ==================================================================
          BUG: KASAN: use-after-free in mpi_free+0x131/0x170
          Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
      
          CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          Call Trace:
           dump_stack+0xb3/0x10b
           ? mpi_free+0x131/0x170
           print_address_description+0x79/0x2a0
           ? mpi_free+0x131/0x170
           kasan_report+0x236/0x340
           ? akcipher_register_instance+0x90/0x90
           __asan_report_load4_noabort+0x14/0x20
           mpi_free+0x131/0x170
           ? akcipher_register_instance+0x90/0x90
           dh_exit_tfm+0x3d/0x140
           crypto_kpp_exit_tfm+0x52/0x70
           crypto_destroy_tfm+0xb3/0x250
           __keyctl_dh_compute+0x640/0xe90
           ? kasan_slab_free+0x12f/0x180
           ? dh_data_from_key+0x240/0x240
           ? key_create_or_update+0x1ee/0xb20
           ? key_instantiate_and_link+0x440/0x440
           ? lock_contended+0xee0/0xee0
           ? kfree+0xcf/0x210
           ? SyS_add_key+0x268/0x340
           keyctl_dh_compute+0xb3/0xf1
           ? __keyctl_dh_compute+0xe90/0xe90
           ? SyS_add_key+0x26d/0x340
           ? entry_SYSCALL_64_fastpath+0x5/0xbe
           ? trace_hardirqs_on_caller+0x3f4/0x560
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x43ccf9
          RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
          RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
          RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
          RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
          R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
          R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
      
          Allocated by task 367:
           save_stack_trace+0x16/0x20
           kasan_kmalloc+0xeb/0x180
           kmem_cache_alloc_trace+0x114/0x300
           mpi_alloc+0x4b/0x230
           mpi_read_raw_data+0xbe/0x360
           dh_set_secret+0x1dc/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
          Freed by task 367:
           save_stack_trace+0x16/0x20
           kasan_slab_free+0xab/0x180
           kfree+0xb5/0x210
           mpi_free+0xcb/0x170
           dh_set_secret+0x2d7/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      Fixes: 802c7f1c ("crypto: dh - Add DH software implementation")
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: 's avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      12d41a02
  2. 10 Jun, 2017 3 commits
  3. 09 Mar, 2017 1 commit
  4. 13 Nov, 2016 1 commit
  5. 01 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: rsa - Generate fixed-length output · 9b45b7bb
      Herbert Xu authored
      Every implementation of RSA that we have naturally generates
      output with leading zeroes.  The one and only user of RSA,
      pkcs1pad wants to have those leading zeroes in place, in fact
      because they are currently absent it has to write those zeroes
      itself.
      
      So we shouldn't be stripping leading zeroes in the first place.
      In fact this patch makes rsa-generic produce output with fixed
      length so that pkcs1pad does not need to do any extra work.
      
      This patch also changes DH to use the new interface.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      9b45b7bb
  6. 23 Jun, 2016 1 commit