1. 21 May, 2019 1 commit
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - set cra_name correctly · 559c1730
      Eric Biggers authored
      commit 5e27f38f1f3f45a0c938299c3a34a2d2db77165a upstream.
      
      If the rfc7539 template is instantiated with specific implementations,
      e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
      "rfc7539(chacha20,poly1305)", then the implementation names end up
      included in the instance's cra_name.  This is incorrect because it then
      prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
      highest priority implementations of chacha20 and poly1305 were selected.
      Also, the self-tests aren't run on an instance allocated in this way.
      
      Fix it by setting the instance's cra_name from the underlying
      algorithms' actual cra_names, rather than from the requested names.
      This matches what other templates do.
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      559c1730
  2. 10 Jan, 2018 1 commit
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - validate the digest size · 9c36498f
      Eric Biggers authored
      commit e57121d0 upstream.
      
      If the rfc7539 template was instantiated with a hash algorithm with
      digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
      overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
      subsequent memory, including 'cryptlen'.  This caused a crash during
      crypto_skcipher_decrypt().
      
      Fix it by, when instantiating the template, requiring that the
      underlying hash algorithm has the digest size expected for Poly1305.
      
      Reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int algfd, reqfd;
                  struct sockaddr_alg addr = {
                          .salg_type = "aead",
                          .salg_name = "rfc7539(chacha20,sha256)",
                  };
                  unsigned char buf[32] = { 0 };
      
                  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(algfd, (void *)&addr, sizeof(addr));
                  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
                  reqfd = accept(algfd, 0, 0);
                  write(reqfd, buf, 16);
                  read(reqfd, buf, 16);
          }
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9c36498f
  3. 01 Nov, 2016 2 commits
  4. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: chacha20poly1305 - Use skcipher · 1e1f0061
      Herbert Xu authored
      This patch converts chacha20poly1305 to use the new skcipher
      interface as opposed to ablkcipher.
      
      It also fixes a buglet where we may end up with an async poly1305
      when the user asks for a async algorithm.  This shouldn't be a
      problem yet as there aren't any async implementations of poly1305
      out there.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1e1f0061
  5. 09 Dec, 2015 1 commit
  6. 17 Aug, 2015 1 commit
  7. 17 Jul, 2015 3 commits
  8. 17 Jun, 2015 1 commit
  9. 04 Jun, 2015 2 commits