linux-stable.git/crypto/ablkcipher.c, branch v3.2.99 Linux kernel stable tree crypto: {blk,giv}cipher: Set has_setkey 2016-04-01T00:54:31+00:00 Ben Hutchings ben@decadent.org.uk 2016-03-06T19:52:46+00:00 16b059733afec75695550c0cfa3b116f79c54720 Commit a1383cd86a06 ("crypto: skcipher - Add crypto_skcipher_has_setkey") was incorrectly backported to the 3.2.y and 3.16.y stable branches. We need to set ablkcipher_tfm::has_setkey in the crypto_init_blkcipher_ops_async() and crypto_init_givcipher_ops() functions as well as crypto_init_ablkcipher_ops(). Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
Commit a1383cd86a06 ("crypto: skcipher - Add crypto_skcipher_has_setkey")
was incorrectly backported to the 3.2.y and 3.16.y stable branches.
We need to set ablkcipher_tfm::has_setkey in the
crypto_init_blkcipher_ops_async() and crypto_init_givcipher_ops()
functions as well as crypto_init_ablkcipher_ops().

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
crypto: skcipher - Add crypto_skcipher_has_setkey 2016-02-13T10:34:12+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-01-11T13:26:50+00:00 3ba1945b048afd9cd8dba6b341160fffc4e431a0 commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream. This patch adds a way for skcipher users to determine whether a key is required by a transform. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [bwh: Backported to 3.2: add to ablkcipher API instead] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream.

This patch adds a way for skcipher users to determine whether a key
is required by a transform.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2: add to ablkcipher API instead]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
crypto: skcipher - Copy iv from desc even for 0-len walks 2016-01-22T21:40:03+00:00 Jason A. Donenfeld Jason@zx2c4.com 2015-12-06T01:51:37+00:00 f659a818a42f4be9cffdc8bda4afca8b7cc5d98d commit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream. Some ciphers actually support encrypting zero length plaintexts. For example, many AEAD modes support this. The resulting ciphertext for those winds up being only the authentication tag, which is a result of the key, the iv, the additional data, and the fact that the plaintext had zero length. The blkcipher constructors won't copy the IV to the right place, however, when using a zero length input, resulting in some significant problems when ciphers call their initialization routines, only to find that the ->iv parameter is uninitialized. One such example of this would be using chacha20poly1305 with a zero length input, which then calls chacha20, which calls the key setup routine, which eventually OOPSes due to the uninitialized ->iv member. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream.

Some ciphers actually support encrypting zero length plaintexts. For
example, many AEAD modes support this. The resulting ciphertext for
those winds up being only the authentication tag, which is a result of
the key, the iv, the additional data, and the fact that the plaintext
had zero length. The blkcipher constructors won't copy the IV to the
right place, however, when using a zero length input, resulting in
some significant problems when ciphers call their initialization
routines, only to find that the ->iv parameter is uninitialized. One
such example of this would be using chacha20poly1305 with a zero length
input, which then calls chacha20, which calls the key setup routine,
which eventually OOPSes due to the uninitialized ->iv member.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
crypto: api - Only abort operations on fatal signal 2015-11-17T15:54:44+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-10-19T10:23:57+00:00 ff4b4b7e746fec864262066eadcc66f7e28575f8 commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream. Currently a number of Crypto API operations may fail when a signal occurs. This causes nasty problems as the caller of those operations are often not in a good position to restart the operation. In fact there is currently no need for those operations to be interrupted by user signals at all. All we need is for them to be killable. This patch replaces the relevant calls of signal_pending with fatal_signal_pending, and wait_for_completion_interruptible with wait_for_completion_killable, respectively. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [bwh: Backported to 3.2: drop change to crypto_user_skcipher_alg(), which we don't have] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.

Currently a number of Crypto API operations may fail when a signal
occurs.  This causes nasty problems as the caller of those operations
are often not in a good position to restart the operation.

In fact there is currently no need for those operations to be
interrupted by user signals at all.  All we need is for them to
be killable.

This patch replaces the relevant calls of signal_pending with
fatal_signal_pending, and wait_for_completion_interruptible with
wait_for_completion_killable, respectively.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2: drop change to crypto_user_skcipher_alg(), which
 we don't have]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
crypto: user - fix info leaks in report API 2013-03-20T15:03:37+00:00 Mathias Krause minipli@googlemail.com 2013-02-05T17:19:13+00:00 f56cb892159202ee6486c7fd3c5dec3f82bd5114 commit 9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6 upstream. Three errors resulting in kernel memory disclosure: 1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this. 2/ crypto_report_one() does not initialize all field of struct crypto_user_alg. Fix this to fix the heap info leak. 3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold. But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME. Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6 upstream.

Three errors resulting in kernel memory disclosure:

1/ The structures used for the netlink based crypto algorithm report API
are located on the stack. As snprintf() does not fill the remainder of
the buffer with null bytes, those stack bytes will be disclosed to users
of the API. Switch to strncpy() to fix this.

2/ crypto_report_one() does not initialize all field of struct
crypto_user_alg. Fix this to fix the heap info leak.

3/ For the module name we should copy only as many bytes as
module_name() returns -- not as much as the destination buffer could
hold. But the current code does not and therefore copies random data
from behind the end of the module name, as the module name is always
shorter than CRYPTO_MAX_ALG_NAME.

Also switch to use strncpy() to copy the algorithm's name and
driver_name. They are strings, after all.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
crypto: algapi - Fix build problem with NET disabled 2011-11-10T22:57:06+00:00 Herbert Xu herbert@gondor.apana.org.au 2011-11-03T12:46:07+00:00 3acc84739dd5d746840f881ad4d60bd2a428f1dd The report functions use NLA_PUT so we need to ensure that NET is enabled. Reported-by: Luis Henriques <henrix@camandro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
The report functions use NLA_PUT so we need to ensure that NET
is enabled.

Reported-by: Luis Henriques <henrix@camandro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: Add userspace report for givcipher type algorithms 2011-10-21T12:24:05+00:00 Steffen Klassert steffen.klassert@secunet.com 2011-09-27T05:43:24+00:00 3e29c1095a091f606a26c04a6542061c9e5f1d6b Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: Add userspace report for ablkcipher type algorithms 2011-10-21T12:24:05+00:00 Steffen Klassert steffen.klassert@secunet.com 2011-09-27T05:42:32+00:00 29ffc87640e2a5bf0ab98bfeed8d6fc78b2d848e Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - remove redundant NULL check 2011-01-29T04:09:43+00:00 Davidlohr Bueso dave@gnu.org 2011-01-29T04:09:43+00:00 33c7c0fb20dbbaca67fcf362f875758ba312f58d Signed-off-by: Davidlohr Bueso <dave@gnu.org> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Signed-off-by: Davidlohr Bueso <dave@gnu.org>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - avoid NULL dereference 2010-06-23T10:01:45+00:00 Jiri Slaby jslaby@suse.cz 2010-06-23T10:01:45+00:00 2716fbf63ee39eadc1aa9b3841b20f75b99a9bc3 Stanse found a potential NULL dereference in ablkcipher_next_slow. Even though kmalloc fails, its retval is dereferenced later. Return from that function properly earlier. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Stanse found a potential NULL dereference in ablkcipher_next_slow.
Even though kmalloc fails, its retval is dereferenced later. Return
from that function properly earlier.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>