1. 28 Sep, 2018 1 commit
  2. 18 Jul, 2018 1 commit
  3. 23 Mar, 2018 1 commit
  4. 12 Jan, 2018 2 commits
      crypto: hash - prevent using keyed hashes without setting key · 9fa68f62
      Eric Biggers authored
      Currently, almost none of the keyed hash algorithms check whether a key
      has been set before proceeding.  Some algorithms are okay with this and
      will effectively just use a key of all 0's or some other bogus default.
      However, others will severely break, as demonstrated using
      "hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
      via a (potentially exploitable) stack buffer overflow.
      
      A while ago, this problem was solved for AF_ALG by pairing each hash
      transform with a 'has_key' bool.  However, there are still other places
      in the kernel where userspace can specify an arbitrary hash algorithm by
      name, and the kernel uses it as unkeyed hash without checking whether it
      is really unkeyed.  Examples of this include:
      
          - KEYCTL_DH_COMPUTE, via the KDF extension
          - dm-verity
          - dm-crypt, via the ESSIV support
          - dm-integrity, via the "internal hash" mode with no key given
          - drbd (Distributed Replicated Block Device)
      
      This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
      privileges to call.
      
      Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
      ->crt_flags of each hash transform that indicates whether the transform
      still needs to be keyed or not.  Then, make the hash init, import, and
      digest functions return -ENOKEY if the key is still needed.
      
      The new flag also replaces the 'has_key' bool which algif_hash was
      previously using, thereby simplifying the algif_hash implementation.
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      crypto: hash - annotate algorithms taking optional key · a208fa8f
      Eric Biggers authored
      We need to consistently enforce that keyed hashes cannot be used without
      setting the key.  To do this we need a reliable way to determine whether
      a given hash algorithm is keyed or not.  AF_ALG currently does this by
      checking for the presence of a ->setkey() method.  However, this is
      actually slightly broken because the CRC-32 algorithms implement
      ->setkey() but can also be used without a key.  (The CRC-32 "key" is not
      actually a cryptographic key but rather represents the initial state.
      If not overridden, then a default initial state is used.)
      
      Prepare to fix this by introducing a flag CRYPTO_ALG_OPTIONAL_KEY which
      indicates that the algorithm has a ->setkey() method, but it is not
      required to be called.  Then set it on all the CRC-32 algorithms.
      
      The same also applies to the Adler-32 implementation in Lustre.
      
      Also, the cryptd and mcryptd templates have to pass through the flag
      from their underlying algorithm.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
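An added userspace model of the gating that the two commits above (9fa68f62 and a208fa8f) describe. This is example code written for this page, not kernel code: it keeps the names CRYPTO_TFM_NEED_KEY and CRYPTO_ALG_OPTIONAL_KEY from the commit messages, but the flag values, struct layouts and error handling are illustrative. To stay short, both algorithms share one CRC-32 engine: "crc32" treats its 4-byte key as an optional initial state, as the real CRC-32 algorithms do, while "keyed-crc32" stands in for a mandatory-key hash such as hmac(...). The point is the generic layer: a transform whose algorithm has ->setkey() and lacks CRYPTO_ALG_OPTIONAL_KEY starts with CRYPTO_TFM_NEED_KEY set, and init()/digest() return -ENOKEY until setkey() succeeds.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#ifndef ENOKEY
#define ENOKEY 126                      /* Linux value; not every libc defines it */
#endif
#define CRYPTO_ALG_OPTIONAL_KEY 0x4000u /* alg: ->setkey() exists but may be skipped (value illustrative) */
#define CRYPTO_TFM_NEED_KEY     0x0001u /* tfm: no successful setkey() yet (value illustrative) */

struct hash_tfm;
struct hash_alg {
	uint32_t flags;
	int (*setkey)(struct hash_tfm *, const uint8_t *, size_t); /* NULL = unkeyed alg */
	int (*init)(struct hash_tfm *);
	int (*update)(struct hash_tfm *, const uint8_t *, size_t);
	int (*final)(struct hash_tfm *, uint8_t *);
};
struct hash_tfm {
	const struct hash_alg *alg;
	uint32_t crt_flags;
	uint32_t key, state; /* CRC initial state (~0 = unkeyed default) and running CRC */
};

/* One CRC-32 (IEEE, reflected 0xEDB88320) engine shared by both example algorithms. */
static int crc_setkey(struct hash_tfm *tfm, const uint8_t *k, size_t keylen)
{
	if (keylen != 4) return -EINVAL;
	tfm->key = (uint32_t)k[0] | (uint32_t)k[1] << 8 | (uint32_t)k[2] << 16 | (uint32_t)k[3] << 24;
	return 0;
}
static int crc_init(struct hash_tfm *tfm) { tfm->state = tfm->key; return 0; }
static int crc_update(struct hash_tfm *tfm, const uint8_t *data, size_t len)
{
	uint32_t crc = tfm->state;
	for (size_t i = 0; i < len; i++) {
		crc ^= data[i];
		for (int b = 0; b < 8; b++)
			crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
	}
	tfm->state = crc;
	return 0;
}
static int crc_final(struct hash_tfm *tfm, uint8_t *out)
{
	uint32_t v = ~tfm->state;
	for (int i = 0; i < 4; i++)
		out[i] = (uint8_t)(v >> (8 * i));
	return 0;
}
/* "crc32": key is an optional initial state.  "keyed-crc32": stand-in for a real
 * keyed hash such as hmac(...); same engine here, but keying is mandatory. */
static const struct hash_alg crc32_alg = { CRYPTO_ALG_OPTIONAL_KEY, crc_setkey, crc_init, crc_update, crc_final };
static const struct hash_alg keyed_alg = { 0, crc_setkey, crc_init, crc_update, crc_final };

/* Generic layer: the logic the two commits add. */
static void hash_set_needkey(struct hash_tfm *tfm)
{
	if (tfm->alg->setkey && !(tfm->alg->flags & CRYPTO_ALG_OPTIONAL_KEY))
		tfm->crt_flags |= CRYPTO_TFM_NEED_KEY;
}
static void hash_alloc(struct hash_tfm *tfm, const struct hash_alg *alg)
{
	memset(tfm, 0, sizeof(*tfm));
	tfm->alg = alg; tfm->key = ~0u;
	hash_set_needkey(tfm);          /* keyed and not optional: unusable until setkey() */
}
static int hash_setkey(struct hash_tfm *tfm, const uint8_t *key, size_t keylen)
{
	int err = tfm->alg->setkey ? tfm->alg->setkey(tfm, key, keylen) : -ENOSYS;
	if (err)
		hash_set_needkey(tfm);  /* a failed setkey leaves the tfm unusable, not half-keyed */
	else
		tfm->crt_flags &= ~CRYPTO_TFM_NEED_KEY;
	return err;
}
static int hash_init(struct hash_tfm *tfm)
{
	if (tfm->crt_flags & CRYPTO_TFM_NEED_KEY) return -ENOKEY; /* the fix: refuse, do not hash with a junk key */
	return tfm->alg->init(tfm);
}
static int hash_digest(struct hash_tfm *tfm, const uint8_t *d, size_t len, uint8_t *out)
{
	int err = hash_init(tfm);   /* inherits the -ENOKEY gate */
	if (!err) err = tfm->alg->update(tfm, d, len);
	if (!err) err = tfm->alg->final(tfm, out);
	return err;
}

/* Allocate, key if a key is given, digest msg.  Returns the 32-bit digest or a
 * negative errno, e.g. -ENOKEY when a keyed transform was never keyed. */
static int64_t digest_or_err(const struct hash_alg *alg, const uint8_t *key, size_t keylen, const char *msg)
{
	struct hash_tfm tfm;
	uint8_t o[4] = { 0 };
	int err;
	hash_alloc(&tfm, alg);
	err = key ? hash_setkey(&tfm, key, keylen) : 0;
	if (!err)
		err = hash_digest(&tfm, (const uint8_t *)msg, strlen(msg), o);
	return err ? err : (int64_t)((uint32_t)o[0] | (uint32_t)o[1] << 8 | (uint32_t)o[2] << 16 | (uint32_t)o[3] << 24);
}
```

With this, digest_or_err(&crc32_alg, NULL, 0, "123456789") returns the usual CRC-32 check value 0xCBF43926 without any key, digest_or_err(&keyed_alg, NULL, 0, "123456789") returns -ENOKEY instead of hashing with whatever happened to be in the key slot, and a setkey() with the wrong length returns -EINVAL and leaves the transform unusable. The model only gates init() and digest(); the commit also gates import(), which follows the same pattern.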
  5. 05 Jan, 2018 1 commit
  6. 03 Nov, 2017 1 commit
  7. 10 Apr, 2017 1 commit
  8. 13 Dec, 2016 1 commit
  9. 01 Dec, 2016 1 commit
  10. 25 Oct, 2016 2 commits
  11. 18 Jul, 2016 2 commits
      crypto: skcipher - Remove top-level givcipher interface · 3a01d0ee
      Herbert Xu authored
      This patch removes the old crypto_grab_skcipher helper and replaces
      it with crypto_grab_skcipher2.
      
      As this is the final entry point into givcipher this patch also
      removes all traces of the top-level givcipher interface, including
      all implicit IV generators such as chainiv.
      
      The bottom-level givcipher interface remains until the drivers
      using it are converted.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      crypto: skcipher - Add low-level skcipher interface · 4e6c3df4
      Herbert Xu authored
      This patch allows skcipher algorithms and instances to be created
      and registered with the crypto API.  They are accessible through
      the top-level skcipher interface, along with ablkcipher/blkcipher
      algorithms and instances.
      
      This patch also introduces a new parameter called chunk size
      which is meant for ciphers such as CTR and CTS which ostensibly
      can handle arbitrary lengths, but still behave like block ciphers
      in that you can only process a partial block at the very end.
      
      For these ciphers the block size will continue to be set to 1
      as it is now while the chunk size will be set to the underlying
      block size.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  12. 23 Jun, 2016 1 commit
      crypto: kpp - Key-agreement Protocol Primitives API (KPP) · 4e5f2c40
      Salvatore Benedetto authored
      Add key-agreement protocol primitives (kpp) API which allows one to
      implement primitives required by protocols such as DH and ECDH.
      The API is composed mainly of the following functions
       * set_secret() - It allows the user to set his secret, also
         referred to as his private key, along with the parameters
         known to both parties involved in the key-agreement session.
       * generate_public_key() - It generates the public key to be sent to
         the other counterpart involved in the key-agreement session. The
         function has to be called after set_params() and set_secret()
       * generate_secret() - It generates the shared secret for the session
      
      Other functions such as init() and exit() are provided to allow
      cryptographic hardware to be initialized properly before use
      Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
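A toy walk-through of the call sequence the commit describes, as an added example for this page (not the kernel's kpp implementation): set_secret() with the private key and the shared parameters, generate_public_key(), then generate_secret() with the peer's public value, with init()/exit() around them. It uses the 31-bit Mersenne prime 2^31-1 with generator 7 so the arithmetic fits in uint64_t; that size is for illustration only and offers no security. The error values, the range checks and the rejection of peer public values 0, 1 and p-1 are this example's choices, not something the commit specifies.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define TOY_P 2147483647ULL /* 2^31 - 1, prime; tiny so products fit in uint64_t */
#define TOY_G 7ULL          /* generator of the multiplicative group mod TOY_P */

struct kpp_tfm {
	uint64_t p, g;     /* parameters known to both parties */
	uint64_t priv;     /* this party's secret; never leaves the struct */
	int have_secret;
};

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
	uint64_t r = 1;
	base %= mod;
	for (; exp; exp >>= 1) {
		if (exp & 1)
			r = r * base % mod;        /* operands < 2^31, so no overflow */
		base = base * base % mod;
	}
	return r;
}

/* init()/exit(): the commit reserves these for hardware setup; here they only
 * clear the context, exit() so that the private key does not linger in memory. */
static void kpp_init(struct kpp_tfm *tfm) { memset(tfm, 0, sizeof(*tfm)); }
static void kpp_exit(struct kpp_tfm *tfm) { memset(tfm, 0, sizeof(*tfm)); }

/* set_secret(): private key plus the parameters both parties agreed on.
 * -EINVAL for out-of-range input is this example's choice. */
static int kpp_set_secret(struct kpp_tfm *tfm, uint64_t p, uint64_t g, uint64_t priv)
{
	if (p < 5 || g < 2 || g > p - 2 || priv < 1 || priv > p - 2)
		return -EINVAL;
	tfm->p = p;
	tfm->g = g;
	tfm->priv = priv;
	tfm->have_secret = 1;
	return 0;
}

/* generate_public_key(): g^priv mod p; only valid after set_secret(). */
static int kpp_generate_public_key(const struct kpp_tfm *tfm, uint64_t *pub)
{
	if (!tfm->have_secret)
		return -EINVAL;
	*pub = modpow(tfm->g, tfm->priv, tfm->p);
	return 0;
}

/* generate_secret(): shared secret peer_pub^priv mod p.  Reject 0, 1 and p-1,
 * which a malicious peer could send to force the result into a tiny subgroup. */
static int kpp_generate_secret(const struct kpp_tfm *tfm, uint64_t peer_pub, uint64_t *shared)
{
	if (!tfm->have_secret)
		return -EINVAL;
	if (peer_pub < 2 || peer_pub > tfm->p - 2)
		return -EINVAL;
	*shared = modpow(peer_pub, tfm->priv, tfm->p);
	return 0;
}

/* Public value for one private key, or 0 on error (0 is never a valid public value). */
static uint64_t toy_public_key(uint64_t priv)
{
	struct kpp_tfm t;
	uint64_t pub = 0;
	kpp_init(&t);
	if (kpp_set_secret(&t, TOY_P, TOY_G, priv) || kpp_generate_public_key(&t, &pub))
		pub = 0;
	kpp_exit(&t);
	return pub;
}

/* Whole exchange between two parties.  Returns 0 when both derive the same
 * secret, a negative errno if a step is rejected, -EBADMSG if they disagree. */
static int toy_exchange(uint64_t a_priv, uint64_t b_priv)
{
	struct kpp_tfm a, b;
	uint64_t a_pub = 0, b_pub = 0, a_shared = 0, b_shared = 0;
	int err;
	kpp_init(&a);
	kpp_init(&b);
	if ((err = kpp_set_secret(&a, TOY_P, TOY_G, a_priv)) ||
	    (err = kpp_set_secret(&b, TOY_P, TOY_G, b_priv)) ||
	    (err = kpp_generate_public_key(&a, &a_pub)) ||
	    (err = kpp_generate_public_key(&b, &b_pub)) ||
	    /* a_pub and b_pub are what crosses the wire; the secrets never do */
	    (err = kpp_generate_secret(&a, b_pub, &a_shared)) ||
	    (err = kpp_generate_secret(&b, a_pub, &b_shared)))
		goto out;
	err = (a_shared == b_shared) ? 0 : -EBADMSG;
out:
	kpp_exit(&a);
	kpp_exit(&b);
	return err;
}
```

toy_exchange(123456789, 987654321) returns 0 because both sides compute g^(ab) mod p; toy_public_key(1) is 7 (g itself), and a private key of 0 or p-1 is rejected at set_secret() so the later steps never run on it, which is the ordering constraint the commit message states for generate_public_key().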
  13. 07 Jun, 2016 1 commit
  14. 15 Apr, 2016 1 commit
  15. 06 Feb, 2016 1 commit
  16. 27 Jan, 2016 1 commit
  17. 17 Aug, 2015 2 commits
  18. 22 Jun, 2015 1 commit
  19. 19 Jun, 2015 1 commit
      crypto: api - Add CRYPTO_MINALIGN_ATTR to struct crypto_alg · edf18b91
      Herbert Xu authored
      The struct crypto_alg is embedded into various type-specific structs
      such as aead_alg.  This is then used as part of instances such as
      struct aead_instance.  It is also embedded into the generic struct
      crypto_instance.  In order to ensure that struct aead_instance can
      be converted to struct crypto_instance when necessary, we need to
      ensure that crypto_alg is aligned properly.
      
      This patch adds an alignment attribute to struct crypto_alg to
      ensure this.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  20. 17 Jun, 2015 1 commit
  21. 04 Jun, 2015 1 commit
  22. 22 May, 2015 1 commit
  23. 13 May, 2015 1 commit
      crypto: aead - Convert top level interface to new style · 5d1d65f8
      Herbert Xu authored
      This patch converts the top-level aead interface to the new style.
      All user-level AEAD interface code has been moved into crypto/aead.h.
      
      The allocation/free functions have switched over to the new way of
      allocating tfms.
      
      This patch also removes the double indirection on setkey so the
      indirection now exists only at the alg level.
      
      Apart from these there are no user-visible changes.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  24. 22 Apr, 2015 2 commits
  25. 21 Apr, 2015 1 commit
  26. 31 Mar, 2015 1 commit
      crypto: api - prevent helper ciphers from being used · 06ca7f68
      Stephan Mueller authored
      Several hardware-related cipher implementations are implemented as
      follows: a "helper" cipher implementation is registered with the
      kernel crypto API.
      
      Such helper ciphers are never intended to be called by normal users. In
      some cases, calling them via the normal crypto API may even cause
      failures including kernel crashes. In a normal case, the "wrapping"
      ciphers that use the helpers ensure that these helpers are invoked
      such that they cannot cause any calamity.
      
      Considering the AF_ALG user space interface, unprivileged users can
      call all ciphers registered with the crypto API, including these
      helper ciphers that are not intended to be called directly. That
      means, with AF_ALG user space may invoke these helper ciphers
      and may cause undefined states or side effects.
      
      To avoid any potential side effects with such helpers, the patch
      prevents the helpers from being called directly. A new cipher type
      flag is added: CRYPTO_ALG_INTERNAL. This flag shall be used
      to mark helper ciphers. These ciphers can only be used if the
      caller invokes the cipher with CRYPTO_ALG_INTERNAL in the type and
      mask field.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
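An added model of the type/mask rule the commit describes, written for this page and not the kernel's own crypto_alg_lookup(). The registry, the algorithm names and the "__" naming are constructed for the example and the flag values are illustrative; the match test ((cra_flags ^ type) & mask) == 0 is the crypto API's usual one. The rule being modelled: when a caller mentions CRYPTO_ALG_INTERNAL in neither type nor mask, the bit is added to the mask, so an AF_ALG-style request (type = mask = 0) can never resolve to a helper, while a wrapping driver that sets CRYPTO_ALG_INTERNAL in both type and mask gets the helper, and one that sets it in type only accepts either kind.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRYPTO_ALG_TYPE_CIPHER 0x00000001u
#define CRYPTO_ALG_INTERNAL    0x00002000u /* the flag the commit introduces; value illustrative */

struct crypto_alg {
	const char *cra_name;
	const char *cra_driver_name;
	uint32_t cra_flags;
};

/* Constructed registry: one ordinary cipher and one helper that only a wrapping
 * driver is meant to call.  Names are made up for the example. */
static const struct crypto_alg registry[] = {
	{ "toycipher",   "toycipher-generic", CRYPTO_ALG_TYPE_CIPHER },
	{ "__toycipher", "__toycipher-asm",   CRYPTO_ALG_TYPE_CIPHER | CRYPTO_ALG_INTERNAL },
};

/* The crypto API's type/mask test: every bit selected by mask must agree. */
static int alg_matches(const struct crypto_alg *alg, uint32_t type, uint32_t mask)
{
	return ((alg->cra_flags ^ type) & mask) == 0;
}

/* Lookup with the commit's rule applied first: a caller that says nothing about
 * CRYPTO_ALG_INTERNAL gets it added to the mask, so helpers never match unless
 * asked for.  type|INTERNAL with the bit clear in mask accepts both kinds;
 * type|INTERNAL and mask|INTERNAL accepts helpers only. */
static const struct crypto_alg *alg_lookup(const char *name, uint32_t type, uint32_t mask)
{
	if (!((type | mask) & CRYPTO_ALG_INTERNAL))
		mask |= CRYPTO_ALG_INTERNAL;
	for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
		const struct crypto_alg *alg = &registry[i];
		if ((!strcmp(alg->cra_name, name) || !strcmp(alg->cra_driver_name, name)) &&
		    alg_matches(alg, type, mask))
			return alg;
	}
	return NULL;
}

/* 1 if a caller with this type/mask can obtain the named algorithm, else 0.
 * An AF_ALG user reaches the lookup with type = mask = 0. */
static int can_use(const char *name, uint32_t type, uint32_t mask)
{
	return alg_lookup(name, type, mask) != NULL;
}

int main(void)
{
	printf("AF_ALG-style lookup of __toycipher : %d\n", can_use("__toycipher", 0, 0));  /* 0 */
	printf("wrapper asking for INTERNAL helper : %d\n",
	       can_use("__toycipher", CRYPTO_ALG_INTERNAL, CRYPTO_ALG_INTERNAL));            /* 1 */
	printf("ordinary cipher via AF_ALG         : %d\n", can_use("toycipher", 0, 0));     /* 1 */
	return 0;
}
```

Note that the protection rests on the lookup layer adding the bit to the mask, not on the helper's name: a helper that forgets to set CRYPTO_ALG_INTERNAL in cra_flags is reachable from AF_ALG exactly as before the commit.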
  27. 20 Jan, 2015 1 commit
  28. 08 Jan, 2015 1 commit
  29. 24 Nov, 2014 1 commit
  30. 13 Nov, 2014 6 commits