Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.14.331 2016-09-13T10:44:57Z 2016-09-13T10:44:57Z Herbert Xu herbert@gondor.apana.org.au 2016-09-07T10:42:08Z urn:sha1:53a5d5ddccf849dbc27a8c1bba0b43c3a45fb792 The current implementation uses a global per-cpu array to store data which are used to derive the next IV. This is insecure as the attacker may change the stored data. This patch removes all traces of chaining and replaces it with multiplication of the salt and the sequence number. Fixes: a10f554fa7e0 ("crypto: echainiv - Add encrypted chain IV...") Cc: stable@vger.kernel.org Reported-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2016-07-18T09:35:42Z Herbert Xu herbert@gondor.apana.org.au 2016-07-12T05:17:43Z urn:sha1:0e8bff47f6d3e863bf1829e020000c249c59ecd2 This patch replaces use of the obsolete blkcipher with skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-08-17T08:53:46Z Herbert Xu herbert@gondor.apana.org.au 2015-08-13T09:29:01Z urn:sha1:376e0d697a8194a5ab684d7fc57b2ce5483bda53 This patch replaces the echainiv init/exit handlers with the generic geniv helpers. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-08-17T08:53:43Z Herbert Xu herbert@gondor.apana.org.au 2015-08-13T09:28:56Z urn:sha1:66008d4230f6e599275f1cf01db268fcaaadda44 Now that we no longer have any legacy AEAD implementations the compatibility code path can no longer be triggered. This patch removes it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-07-14T06:56:46Z Herbert Xu herbert@gondor.apana.org.au 2015-07-08T23:17:20Z urn:sha1:5499b1a7311f5ec301ac2baa04a3482ee89ac0ab This patch fixes a bug where we were incorrectly including the IV in the AD during encryption. The IV must remain in the plain text for it to be encrypted. During decryption there is no need to copy the IV to dst because it's now part of the AD. This patch removes an unncessary check on authsize which would be performed by the underlying decrypt call. Finally this patch makes use of the type-safe init/exit functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-06-22T07:49:29Z Herbert Xu herbert@gondor.apana.org.au 2015-06-21T11:11:50Z urn:sha1:9fcc704dfd7967ebfbdd1031603e4332a905994b This patch changes the RNG allocation so that we only hold a reference to the RNG during initialisation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-06-04T07:05:00Z Herbert Xu herbert@gondor.apana.org.au 2015-06-03T06:49:24Z urn:sha1:f261c5fbe7121fd88198f3ee4be4e34a5a268120 We currently do the IV seeding on the first givencrypt call in order to conserve entropy. However, this does not work with DRBG which cannot be called from interrupt context. In fact, with DRBG we don't need to conserve entropy anyway. So this patch moves the seeding into the init function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-05-28T03:23:18Z Herbert Xu herbert@gondor.apana.org.au 2015-05-27T06:37:34Z urn:sha1:9d03aee125d73908ddbe9c1b96338c9b69e1abc0 This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-05-28T03:23:18Z Herbert Xu herbert@gondor.apana.org.au 2015-05-27T06:37:33Z urn:sha1:d97de47ca1d160acdf29f0b4eadf2ae831bd5254 This patch makes use of the new common IV generation code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2015-05-28T03:23:18Z Herbert Xu herbert@gondor.apana.org.au 2015-05-27T06:37:31Z urn:sha1:838c9d561aaae4bc3f4b44046ea08b048ecaffe7 As the AD does not necessarily exist in the destination buffer it must be copied along with the plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>