1. 26 Jan, 2019 1 commit
    • Vitaly Chikunov's avatar
      crypto: ecc - regularize scalar for scalar multiplication · 9e1a69dc
      Vitaly Chikunov authored
      [ Upstream commit 3da2c1df ]
      
      ecc_point_mult is supposed to be used with a regularized scalar,
      otherwise, it's possible to deduce the position of the top bit of the
      scalar with timing attack. This is important when the scalar is a
      private key.
      
      ecc_point_mult is already using a regular algorithm (i.e. having an
      operation flow independent of the input scalar) but regularization step
      is not implemented.
      
      Arrange scalar to always have fixed top bit by adding a multiple of the
      curve order (n).
      
      References:
      The constant time regularization step is based on micro-ecc by Kenneth
      MacKay and also referenced in the literature (Bernstein, D. J., & Lange,
      T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology
      ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.)
      Signed-off-by: default avatarVitaly Chikunov <[email protected]>
      Cc: [email protected]
      Signed-off-by: default avatarHerbert Xu <[email protected]>
      Signed-off-by: default avatarSasha Levin <[email protected]>
      9e1a69dc
  2. 22 Jan, 2019 3 commits
    • Eric Biggers's avatar
      crypto: authenc - fix parsing key with misaligned rta_len · 80733239
      Eric Biggers authored
      commit 8f9c4693 upstream.
      
      Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
      'enckeylen', followed by an authentication key and an encryption key.
      crypto_authenc_extractkeys() parses the key to find the inner keys.
      
      However, it fails to consider the case where the rtattr's payload is
      longer than 4 bytes but not 4-byte aligned, and where the key ends
      before the next 4-byte aligned boundary.  In this case, 'keylen -=
      RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
      causes a buffer overread and crash during crypto_ahash_setkey().
      
      Fix it by restricting the rtattr payload to the expected size.
      
      Reproducer using AF_ALG:
      
      	#include <linux/if_alg.h>
      	#include <linux/rtnetlink.h>
      	#include <sys/socket.h>
      
      	int main()
      	{
      		int fd;
      		struct sockaddr_alg addr = {
      			.salg_type = "aead",
      			.salg_name = "authenc(hmac(sha256),cbc(aes))",
      		};
      		struct {
      			struct rtattr attr;
      			__be32 enckeylen;
      			char keys[1];
      		} __attribute__((packed)) key = {
      			.attr.rta_len = sizeof(key),
      			.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
      		};
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
      	}
      
      It caused:
      
      	BUG: unable to handle kernel paging request at ffff88007ffdc000
      	PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
      	Oops: 0000 [#1] SMP
      	CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37 #13
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
      	RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
      	[...]
      	Call Trace:
      	 sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
      	 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
      	 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
      	 crypto_shash_digest+0x24/0x40 crypto/shash.c:202
      	 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
      	 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
      	 shash_async_setkey+0x10/0x20 crypto/shash.c:223
      	 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
      	 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
      	 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
      	 aead_setkey+0xc/0x10 crypto/algif_aead.c:526
      	 alg_setkey crypto/af_alg.c:223 [inline]
      	 alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
      	 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
      	 __do_sys_setsockopt net/socket.c:1913 [inline]
      	 __se_sys_setsockopt net/socket.c:1910 [inline]
      	 __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
      	 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: e236d4a8 ("[CRYPTO] authenc: Move enckeylen into key itself")
      Cc: <[email protected]> # v2.6.25+
      Signed-off-by: default avatarEric Biggers <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
      Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
      80733239
    • Harsh Jain's avatar
      crypto: authencesn - Avoid twice completion call in decrypt path · ac8d9ed2
      Harsh Jain authored
      commit a7773363 upstream.
      
      Authencesn template in decrypt path unconditionally calls aead_request_complete
      after ahash_verify which leads to following kernel panic in after decryption.
      
      [  338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      [  338.548372] PGD 0 P4D 0
      [  338.551157] Oops: 0000 [#1] SMP PTI
      [  338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G        W I       4.19.7+ #13
      [  338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0        07/29/10
      [  338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
      [  338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
      [  338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
      [  338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
      [  338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
      [  338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
      [  338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
      [  338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
      [  338.643234] FS:  0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
      [  338.652047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
      [  338.666382] Call Trace:
      [  338.669051]  <IRQ>
      [  338.671254]  esp_input_done+0x12/0x20 [esp4]
      [  338.675922]  chcr_handle_resp+0x3b5/0x790 [chcr]
      [  338.680949]  cpl_fw6_pld_handler+0x37/0x60 [chcr]
      [  338.686080]  chcr_uld_rx_handler+0x22/0x50 [chcr]
      [  338.691233]  uldrx_handler+0x8c/0xc0 [cxgb4]
      [  338.695923]  process_responses+0x2f0/0x5d0 [cxgb4]
      [  338.701177]  ? bitmap_find_next_zero_area_off+0x3a/0x90
      [  338.706882]  ? matrix_alloc_area.constprop.7+0x60/0x90
      [  338.712517]  ? apic_update_irq_cfg+0x82/0xf0
      [  338.717177]  napi_rx_handler+0x14/0xe0 [cxgb4]
      [  338.722015]  net_rx_action+0x2aa/0x3e0
      [  338.726136]  __do_softirq+0xcb/0x280
      [  338.730054]  irq_exit+0xde/0xf0
      [  338.733504]  do_IRQ+0x54/0xd0
      [  338.736745]  common_interrupt+0xf/0xf
      
      Fixes: 104880a6 ("crypto: authencesn - Convert to new AEAD...")
      Signed-off-by: default avatarHarsh Jain <[email protected]>
      Cc: [email protected]
      Signed-off-by: default avatarHerbert Xu <[email protected]>
      Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
      ac8d9ed2
    • Eric Biggers's avatar
      crypto: sm3 - fix undefined shift by >= width of value · 2661032c
      Eric Biggers authored
      commit d45a90cb upstream.
      
      sm3_compress() calls rol32() with shift >= 32, which causes undefined
      behavior.  This is easily detected by enabling CONFIG_UBSAN.
      
      Explicitly AND with 31 to make the behavior well defined.
      
      Fixes: 4f0fc160 ("crypto: sm3 - add OSCCA SM3 secure hash")
      Cc: <[email protected]> # v4.15+
      Cc: Gilad Ben-Yossef <[email protected]>
      Signed-off-by: default avatarEric Biggers <[email protected]>
      Signed-off-by: default avatarHerbert Xu <[email protected]>
      Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
      2661032c
  3. 09 Jan, 2019 2 commits
  4. 07 Dec, 2018 1 commit
  5. 29 Nov, 2018 1 commit
  6. 09 Nov, 2018 3 commits
  7. 26 Oct, 2018 19 commits
  8. 23 Oct, 2018 1 commit
    • Karsten Graul's avatar
      Revert "net: simplify sock_poll_wait" · 89ab066d
      Karsten Graul authored
      This reverts commit dd979b4d.
      
      This broke tcp_poll for SMC fallback: An AF_SMC socket establishes an
      internal TCP socket for the initial handshake with the remote peer.
      Whenever the SMC connection can not be established this TCP socket is
      used as a fallback. All socket operations on the SMC socket are then
      forwarded to the TCP socket. In case of poll, the file->private_data
      pointer references the SMC socket because the TCP socket has no file
      assigned. This causes tcp_poll to wait on the wrong socket.
      Signed-off-by: default avatarKarsten Graul <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      89ab066d
  9. 12 Oct, 2018 1 commit
  10. 08 Oct, 2018 2 commits
  11. 05 Oct, 2018 2 commits
  12. 28 Sep, 2018 4 commits