kernel/linux.git/crypto/authencesn.c, branch v6.12.91Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.912026-05-07T04:09:47+00:00crypto: authencesn - reject short ahash digests during instance creation2026-05-07T04:09:47+00:00Yucheng Lukanolyc@gmail.com2026-04-22T13:45:04+00:00urn:sha1:67f1f0933cc3d78dde222842bcad2778ec7a0b88
commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0 upstream.
authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.
While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it. The AEAD core then initialized the tfm's default
authsize from that value.
As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value. AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.
Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.
Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
crypto: authencesn - Fix src offset when decrypting in-place2026-04-30T09:14:46+00:00Herbert Xuherbert@gondor.apana.org.au2026-04-30T06:07:01+00:00urn:sha1:129f129344010572dc7407ade1dd89925519eb33
commit 1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa upstream.
The src SG list offset wasn't set properly when decrypting in-place,
fix it.
Reported-by: Wolfgang Walter <linux@stwm.de>
Fixes: e02494114ebf ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption2026-04-30T09:14:46+00:00Herbert Xuherbert@gondor.apana.org.au2026-04-30T06:07:00+00:00urn:sha1:89fe118b6470119b20c04afc36e45b81a69ea11f
commit e02494114ebf7c8b42777c6cd6982f113bfdbec7 upstream.
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
crypto: authenc - use memcpy_sglist() instead of null skcipher2026-04-30T09:14:46+00:00Eric Biggersebiggers@google.com2026-04-30T06:06:59+00:00urn:sha1:7bc058a9b82b066fa68d4bc8b8d2b61834609410
commit dbc4b1458e931e47198c3165ff5853bc1ad6bd7a upstream.
For copying data between two scatterlists, just use memcpy_sglist()
instead of the so-called "null skcipher". This is much simpler.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec2026-01-30T09:28:39+00:00Taeyang Lee0wn@theori.io2026-01-16T07:03:58+00:00urn:sha1:161bdc90fce25bd9890adc67fa1c8563a7acbf40
[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
Add a minimum AAD length check to fail fast on invalid inputs.
Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Reported-By: Taeyang Lee <0wn@theori.io>
Signed-off-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
crypto: authencesn - stop using alignmask of ahash2023-10-27T10:04:29+00:00Eric Biggersebiggers@google.com2023-10-22T08:10:46+00:00urn:sha1:03be4e45074e2a9cb5e06bf527141716262574e6
Now that the alignmask for ahash and shash algorithms is always 0,
simplify the code in authenc accordingly.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: authencesn - Only access common skcipher fields on spawn2023-10-13T10:27:26+00:00Herbert Xuherbert@gondor.apana.org.au2023-10-03T03:43:24+00:00urn:sha1:24a285cea82961824d9709025dea69dbc84e01a0
As skcipher spawns may be of the type lskcipher, only the common
fields may be accessed. This was already the case but use the
correct helpers to make this more obvious.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: api - Use data directly in completion function2023-02-13T10:35:14+00:00Herbert Xuherbert@gondor.apana.org.au2023-02-08T05:58:44+00:00urn:sha1:255e48eb17684157336bd6dd98d22c1b2d9e3f43
This patch does the final flag day conversion of all completion
functions which are now all contained in the Crypto API.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: algapi - use common mechanism for inheriting flags2020-07-16T11:49:08+00:00Eric Biggersebiggers@google.com2020-07-10T06:20:38+00:00urn:sha1:7bcb2c99f8ed032cfb3f5596b4dccac6b1f501df
The flag CRYPTO_ALG_ASYNC is "inherited" in the sense that when a
template is instantiated, the template will have CRYPTO_ALG_ASYNC set if
any of the algorithms it uses has CRYPTO_ALG_ASYNC set.
We'd like to add a second flag (CRYPTO_ALG_ALLOCATES_MEMORY) that gets
"inherited" in the same way. This is difficult because the handling of
CRYPTO_ALG_ASYNC is hardcoded everywhere. Address this by:
- Add CRYPTO_ALG_INHERITED_FLAGS, which contains the set of flags that
have these inheritance semantics.
- Add crypto_algt_inherited_mask(), for use by template ->create()
methods. It returns any of these flags that the user asked to be
unset and thus must be passed in the 'mask' to crypto_grab_*().
- Also modify crypto_check_attr_type() to handle computing the 'mask'
so that most templates can just use this.
- Make crypto_grab_*() propagate these flags to the template instance
being created so that templates don't have to do this themselves.
Make crypto/simd.c propagate these flags too, since it "wraps" another
algorithm, similar to a template.
Based on a patch by Mikulas Patocka <mpatocka@redhat.com>
(https://lore.kernel.org/r/alpine.LRH.2.02.2006301414580.30526@file01.intranet.prod.int.rdu2.redhat.com).
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: authencesn - fix weird comma-terminated line2020-03-06T01:28:22+00:00Eric Biggersebiggers@google.com2020-02-26T04:59:13+00:00urn:sha1:d1dc4df1fe21df4f83b8aa7997310480df72eddc
Fix a weird case where a line was terminated by a comma rather than a
semicolon, causing the statement to be continued on the next line.
Fortunately the code still behaved as intended, though.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>