Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.18.75 2015-01-30T01:40:46Z 2015-01-30T01:40:46Z Kees Cook keescook@chromium.org 2014-11-25T00:32:38Z urn:sha1:acc5ccb9fe1c1d3840d49e181ae30b924cfc28b5 commit 4943ba16bbc2db05115707b3ff7b4874e9e3c560 upstream. This adds the module loading prefix "crypto-" to the template lookup as well. For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly includes the "crypto-" prefix at every level, correctly rejecting "vfat": net-pf-38 algif-hash crypto-vfat(blowfish) crypto-vfat(blowfish)-all crypto-vfat Reported-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-11-28T14:16:23Z Tom Lendacky thomas.lendacky@amd.com 2013-11-12T17:46:04Z urn:sha1:fc019c7122dfcd69c50142b57a735539aec5da95 When performing an asynchronous ablkcipher operation the authenc completion callback routine is invoked, but it does not locate and use the proper IV. The callback routine, crypto_authenc_encrypt_done, is updated to use the same method of calculating the address of the IV as is done in crypto_authenc_encrypt function which sets up the callback. Cc: stable@vger.kernel.org Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2013-10-16T12:56:25Z Mathias Krause mathias.krause@secunet.com 2013-10-15T11:49:30Z urn:sha1:bc6e2bdb71056607141ada309a185f0a50b1aeaf AEAD key parsing is duplicated to multiple places in the kernel. Add a common helper function to consolidate that functionality. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Mathias Krause <mathias.krause@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2013-10-07T06:17:06Z James Yonan james@openvpn.net 2013-09-26T08:20:39Z urn:sha1:6bf37e5aa90f18baf5acf4874bca505dd667c37f When comparing MAC hashes, AEAD authentication tags, or other hash values in the context of authentication or integrity checking, it is important not to leak timing information to a potential attacker, i.e. when communication happens over a network. Bytewise memory comparisons (such as memcmp) are usually optimized so that they return a nonzero value as soon as a mismatch is found. E.g, on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch and up to ~850 cyc for a full match (cold). This early-return behavior can leak timing information as a side channel, allowing an attacker to iteratively guess the correct result. This patch adds a new method crypto_memneq ("memory not equal to each other") to the crypto API that compares memory areas of the same length in roughly "constant time" (cache misses could change the timing, but since they don't reveal information about the content of the strings being compared, they are effectively benign). Iow, best and worst case behaviour take the same amount of time to complete (in contrast to memcmp). Note that crypto_memneq (unlike memcmp) can only be used to test for equality or inequality, NOT for lexicographical order. This, however, is not an issue for its use-cases within the crypto API. We tried to locate all of the places in the crypto API where memcmp was being used for authentication or integrity checking, and convert them over to crypto_memneq. crypto_memneq is declared noinline, placed in its own source file, and compiled with optimizations that might increase code size disabled ("Os") because a smart compiler (or LTO) might notice that the return value is always compared against zero/nonzero, and might then reintroduce the same early-return optimization that we are trying to avoid. Using #pragma or __attribute__ optimization annotations of the code for disabling optimization was avoided as it seems to be considered broken or unmaintained for long time in GCC [1]. Therefore, we work around that by specifying the compile flag for memneq.o directly in the Makefile. We found that this seems to be most appropriate. As we use ("Os"), this patch also provides a loop-free "fast-path" for frequently used 16 byte digests. Similarly to kernel library string functions, leave an option for future even further optimized architecture specific assembler implementations. This was a joint work of James Yonan and Daniel Borkmann. Also thanks for feedback from Florian Weimer on this and earlier proposals [2]. [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html [2] https://lkml.org/lkml/2013/2/10/131 Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Florian Weimer <fw@deneb.enyo.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2013-02-04T13:16:53Z Julia Lawall Julia.Lawall@lip6.fr 2013-01-22T11:29:26Z urn:sha1:3e8afe35c36fa0e928e038667709966a71a9cfa5 Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression err,x; @@ - err = PTR_ERR(x); if (IS_ERR(x)) - return ERR_PTR(err); + return ERR_CAST(x); // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2012-09-11T04:05:45Z Herbert Xu herbert@gondor.apana.org.au 2012-09-11T04:05:45Z urn:sha1:9b2f4cb65f7083cde86553cd56d6c2878e04932a The authenc code doesn't deal with zero-length associated data correctly and ends up constructing a zero-length sg entry which causes a crash when it's fed into the crypto system. This patch fixes this by avoiding the code-path that triggers the SG construction if we have no associated data. This isn't the most optimal fix as it means that we'll end up using the fallback code-path even when we could still execute the digest function. However, this isn't a big deal as nobody but the test path would supply zero-length associated data. Reported-by: Romain Francoise <romain@orebokech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Romain Francoise <romain@orebokech.com> 2010-12-02T06:47:16Z Steffen Klassert steffen.klassert@secunet.com 2010-11-22T10:26:54Z urn:sha1:c920fa6051c1e7eb3733eaefd01e5bcdddb3d4c8 Use scatterwalk_crypto_chain in favor of locally defined chaining functions. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2010-05-26T00:36:51Z Julia Lawall julia@diku.dk 2010-05-26T00:36:51Z urn:sha1:8db050786aaf7a43f4c7a900a103f99ea0fb493f Use ERR_CAST(x) rather than ERR_PTR(PTR_ERR(x)). The former makes more clear what is the purpose of the operation, which otherwise looks like a no-op. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ type T; T x; identifier f; @@ T f (...) { <+... - ERR_PTR(PTR_ERR(x)) + x ...+> } @@ expression x; @@ - ERR_PTR(PTR_ERR(x)) + ERR_CAST(x) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2010-05-20T09:40:31Z Shikhar Khattar shikhark@gmail.com 2010-05-20T09:40:31Z urn:sha1:921bae54693f26d01fb8e10ee6968b5cd8184551 This patch (applied against 2.6.34) fixes the calculation of the length of the ABLKCIPHER decrypt request ("cryptlen") after an asynchronous hash request has been completed in the AUTHENC interface. Signed-off-by: Shikhar Khattar <shikhark@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2010-04-26T01:14:05Z Herbert Xu herbert@gondor.apana.org.au 2010-04-26T01:14:05Z urn:sha1:180ce7e81030e1ef763d58f97f9ab840ff57d848 When Steffen originally wrote the authenc async hash patch, he correctly had EINPROGRESS checks in place so that we did not invoke the original completion handler with it. Unfortuantely I told him to remove it before the patch was applied. As only MAY_BACKLOG request completion handlers are required to handle EINPROGRESS completions, those checks are really needed. This patch restores them. Reported-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>