1. 23 Jan, 2019 1 commit
    • Eric Biggers's avatar
      crypto: authenc - fix parsing key with misaligned rta_len · b9119fd2
      Eric Biggers authored
      commit 8f9c469348487844328e162db57112f7d347c49f upstream.
      
      Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
      'enckeylen', followed by an authentication key and an encryption key.
      crypto_authenc_extractkeys() parses the key to find the inner keys.
      
      However, it fails to consider the case where the rtattr's payload is
      longer than 4 bytes but not 4-byte aligned, and where the key ends
      before the next 4-byte aligned boundary.  In this case, 'keylen -=
      RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
      causes a buffer overread and crash during crypto_ahash_setkey().
      
      Fix it by restricting the rtattr payload to the expected size.
      
      Reproducer using AF_ALG:
      
      	#include <linux/if_alg.h>
      	#include <linux/rtnetlink.h>
      	#include <sys/socket.h>
      
      	int main()
      	{
      		int fd;
      		struct sockaddr_alg addr = {
      			.salg_type = "aead",
      			.salg_name = "authenc(hmac(sha256),cbc(aes))",
      		};
      		struct {
      			struct rtattr attr;
      			__be32 enckeylen;
      			char keys[1];
      		} __attribute__((packed)) key = {
      			.attr.rta_len = sizeof(key),
      			.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
      		};
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
      	}
      
      It caused:
      
      	BUG: unable to handle kernel paging request at ffff88007ffdc000
      	PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
      	Oops: 0000 [#1] SMP
      	CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
      	RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
      	[...]
      	Call Trace:
      	 sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
      	 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
      	 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
      	 crypto_shash_digest+0x24/0x40 crypto/shash.c:202
      	 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
      	 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
      	 shash_async_setkey+0x10/0x20 crypto/shash.c:223
      	 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
      	 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
      	 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
      	 aead_setkey+0xc/0x10 crypto/algif_aead.c:526
      	 alg_setkey crypto/af_alg.c:223 [inline]
      	 alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
      	 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
      	 __do_sys_setsockopt net/socket.c:1913 [inline]
      	 __se_sys_setsockopt net/socket.c:1910 [inline]
      	 __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
      	 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: e236d4a8 ("[CRYPTO] authenc: Move enckeylen into key itself")
      Cc: <stable@vger.kernel.org> # v2.6.25+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9119fd2
  2. 03 Aug, 2018 1 commit
  3. 01 Nov, 2016 2 commits
  4. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Use skcipher · 7217d49f
      Herbert Xu authored
      This patch converts authenc to use the new skcipher interface as
      opposed to ablkcipher.
      
      It also fixes a little bug where if a sync version of authenc
      is requested we may still end up using an async ahash.  This should
      have no effect as none of the authenc users can request for a
      sync authenc.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7217d49f
  5. 01 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Consider ahash ASYNC bit · 927ef32d
      Herbert Xu authored
      As it is, if you get an async ahash with a sync skcipher you'll
      end up with a sync authenc, which is wrong.
      
      This patch fixes it by considering the ASYNC bit from ahash as
      well.
      
      It also fixes a little bug where if a sync version of authenc
      is requested we may still end up using an async ahash.
      
      Neither of them should have any effect as none of the authenc
      users can request for a sync authenc.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      927ef32d
  6. 29 Jun, 2016 1 commit
  7. 17 Aug, 2015 1 commit
  8. 04 Aug, 2015 1 commit
  9. 13 May, 2015 2 commits
  10. 26 Nov, 2014 1 commit
  11. 28 Nov, 2013 1 commit
  12. 16 Oct, 2013 1 commit
  13. 07 Oct, 2013 1 commit
    • James Yonan's avatar
      crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks · 6bf37e5a
      James Yonan authored
      When comparing MAC hashes, AEAD authentication tags, or other hash
      values in the context of authentication or integrity checking, it
      is important not to leak timing information to a potential attacker,
      i.e. when communication happens over a network.
      
      Bytewise memory comparisons (such as memcmp) are usually optimized so
      that they return a nonzero value as soon as a mismatch is found. E.g,
      on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
      and up to ~850 cyc for a full match (cold). This early-return behavior
      can leak timing information as a side channel, allowing an attacker to
      iteratively guess the correct result.
      
      This patch adds a new method crypto_memneq ("memory not equal to each
      other") to the crypto API that compares memory areas of the same length
      in roughly "constant time" (cache misses could change the timing, but
      since they don't reveal information about the content of the strings
      being compared, they are effectively benign). Iow, best and worst case
      behaviour take the same amount of time to complete (in contrast to
      memcmp).
      
      Note that crypto_memneq (unlike memcmp) can only be used to test for
      equality or inequality, NOT for lexicographical order. This, however,
      is not an issue for its use-cases within the crypto API.
      
      We tried to locate all of the places in the crypto API where memcmp was
      being used for authentication or integrity checking, and convert them
      over to crypto_memneq.
      
      crypto_memneq is declared noinline, placed in its own source file,
      and compiled with optimizations that might increase code size disabled
      ("Os") because a smart compiler (or LTO) might notice that the return
      value is always compared against zero/nonzero, and might then
      reintroduce the same early-return optimization that we are trying to
      avoid.
      
      Using #pragma or __attribute__ optimization annotations of the code
      for disabling optimization was avoided as it seems to be considered
      broken or unmaintained for long time in GCC [1]. Therefore, we work
      around that by specifying the compile flag for memneq.o directly in
      the Makefile. We found that this seems to be most appropriate.
      
      As we use ("Os"), this patch also provides a loop-free "fast-path" for
      frequently used 16 byte digests. Similarly to kernel library string
      functions, leave an option for future even further optimized architecture
      specific assembler implementations.
      
      This was a joint work of James Yonan and Daniel Borkmann. Also thanks
      for feedback from Florian Weimer on this and earlier proposals [2].
      
        [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
        [2] https://lkml.org/lkml/2013/2/10/131Signed-off-by: default avatarJames Yonan <james@openvpn.net>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6bf37e5a
  14. 04 Feb, 2013 1 commit
  15. 11 Sep, 2012 1 commit
  16. 02 Dec, 2010 1 commit
  17. 26 May, 2010 1 commit
  18. 20 May, 2010 1 commit
  19. 26 Apr, 2010 1 commit
  20. 03 Mar, 2010 1 commit
  21. 02 Mar, 2010 1 commit
  22. 16 Feb, 2010 1 commit
  23. 05 Aug, 2009 1 commit
  24. 14 Jul, 2009 1 commit
  25. 15 Jan, 2009 1 commit
  26. 25 Dec, 2008 1 commit
  27. 22 Aug, 2008 1 commit
    • Herbert Xu's avatar
      crypto: authenc - Avoid using clobbered request pointer · a697690b
      Herbert Xu authored
      Authenc works in two stages for encryption, it first encrypts and
      then computes an ICV.  The context memory of the request is used
      by both operations.  The problem is that when an asynchronous
      encryption completes, we will compute the ICV and then reread the
      context memory of the encryption to get the original request.
      
      It just happens that we have a buffer of 16 bytes in front of the
      request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
      the bug.  However, any attempt to uses a larger ICV instantly kills
      the machine when the first asynchronous encryption is completed.
      
      This patch fixes this by saving the request pointer before we start
      the ICV computation.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a697690b
  28. 01 May, 2008 1 commit
    • Patrick McHardy's avatar
      [CRYPTO] authenc: Fix async crypto crash in crypto_authenc_genicv() · 16161329
      Patrick McHardy authored
      crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
      while it really points to a struct aead_request, causing this crash:
      
      BUG: unable to handle kernel paging request at 6b6b6b6b
      IP: [<dc87517b>] :authenc:crypto_authenc_genicv+0x23/0x109
      *pde = 00000000
      Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
      Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]
      
      Pid: 3074, comm: ping Not tainted (2.6.25 #4)
      EIP: 0060:[<dc87517b>] EFLAGS: 00010296 CPU: 0
      EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
      EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
      ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
       DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
      Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
             dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
             c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
      Call Trace:
       [<c0215a3e>] ? dev_alloc_skb+0x14/0x29
       [<c0119ca9>] ? printk+0x15/0x17
       [<dc87527b>] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
       [<dc850cca>] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
       [<dc8353c7>] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
       [<dc851a56>] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
       [<dc851ab9>] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
       [<c011d046>] ? tasklet_action+0x3f/0x66
       [<c011d230>] ? __do_softirq+0x38/0x7a
       [<c0105a5f>] ? do_softirq+0x3e/0x71
       [<c011d17c>] ? irq_exit+0x2c/0x65
       [<c010e0c0>] ? smp_apic_timer_interrupt+0x5f/0x6a
       [<c01042e4>] ? apic_timer_interrupt+0x28/0x30
       [<dc851640>] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
       ...
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      16161329
  29. 10 Jan, 2008 10 commits