kernel/linux.git/crypto, branch v4.12.14 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.12.14 2017-09-07T06:37:15+00:00 crypto: algif_skcipher - only call put_page on referenced and used pages 2017-09-07T06:37:15+00:00 Stephan Mueller smueller@chronox.de 2017-08-16T09:56:24+00:00 urn:sha1:726bd348ead3883880912f686144854c8f2cf817 commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream. For asynchronous operation, SGs are allocated without a page mapped to them or with a page that is not used (ref-counted). If the SGL is freed, the code must only call put_page for an SG if there was a page assigned and ref-counted in the first place. This fixes a kernel crash when using io_submit with more than one iocb using the sendmsg and sendpage (vmsplice/splice) interface. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> crypto: chacha20 - fix handling of chunked input 2017-09-07T06:37:14+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2017-08-14T13:28:14+00:00 urn:sha1:6fb972d037512f59e4a9fffffe89ce59e815d8c4 commit 4de437265eaac18f880d827f8e105b10de9b87a3 upstream. Commit 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86 versions to skcipher") ported the existing chacha20 code to use the new skcipher API, and introduced a bug along the way. Unfortunately, the tcrypt tests did not catch the error, and it was only found recently by Tobias. Stefan kindly diagnosed the error, and proposed a fix which is similar to the one below, with the exception that 'walk.stride' is used rather than the hardcoded block size. This does not actually matter in this case, but it's a better example of how to use the skcipher walk API. Fixes: 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86 ...") Cc: Steffen Klassert <steffen.klassert@secunet.com> Reported-by: Tobias Brunner <tobias@strongswan.org> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> crypto: authencesn - Fix digest_null crash 2017-08-06T16:21:08+00:00 Herbert Xu herbert@gondor.apana.org.au 2017-07-17T07:32:30+00:00 urn:sha1:0cc185f8da6f5a2171a06251c503bfa73ad30326 commit 41cdf7a45389e01991ee31e3301ed83cb3e3f7dc upstream. When authencesn is used together with digest_null a crash will occur on the decrypt path. This is because normally we perform a special setup to preserve the ESN, but this is skipped if there is no authentication. However, on the post-authentication path it always expects the preservation to be in place, thus causing a crash when digest_null is used. This patch fixes this by also skipping the post-processing when there is no authentication. Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...") Reported-by: Jan Tluka <jtluka@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> crypto: rsa-pkcs1pad - use constant time memory comparison for MACs 2017-07-15T11:09:05+00:00 Jason A. Donenfeld Jason@zx2c4.com 2017-06-11T21:20:23+00:00 urn:sha1:f85a3c8f00bd687d26e70b0f58df0041aabde601 commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream. Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Suggested-by: Stephan Müller <smueller@chronox.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: linux-crypto@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> crypto: drbg - Fixes panic in wait_for_completion call 2017-07-12T14:55:26+00:00 Stephan Mueller smueller@chronox.de 2017-05-26T10:11:31+00:00 urn:sha1:ead4cb80dbe1e24b8372dd3faa5211adfaa832f9 commit b61929c654f2e725644935737c4c1ea9c741e2f8 upstream. Initialise ctr_completion variable before use. Cc: <stable@vger.kernel.org> Signed-off-by: Harsh Jain <harshjain.prof@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> crypto : asymmetric_keys : verify_pefile:zero memory content before freeing 2017-06-09T03:29:50+00:00 Loganaden Velvindron logan@hackers.mu 2017-06-08T13:50:04+00:00 urn:sha1:da7798a7b6714cf35ea6084ad6b1fe0497566cf2 Signed-off-by: Loganaden Velvindron <logan@hackers.mu> Signed-off-by: Yasir Auleear <yasirmx@hackers.mu> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> X.509: Fix error code in x509_cert_parse() 2017-06-09T03:29:45+00:00 Dan Carpenter dan.carpenter@oracle.com 2017-06-08T13:47:49+00:00 urn:sha1:4e880168e9ffb1cdbdb72b3b48ab0324b30c2d62 We forgot to set the error code on this path so it could result in returning NULL which leads to a NULL dereference. Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> crypto: gcm - wait for crypto op not signal safe 2017-05-23T04:45:11+00:00 Gilad Ben-Yossef gilad@benyossef.com 2017-05-18T13:29:25+00:00 urn:sha1:f3ad587070d6bd961ab942b3fd7a85d00dfc934b crypto_gcm_setkey() was using wait_for_completion_interruptible() to wait for completion of async crypto op but if a signal occurs it may return before DMA ops of HW crypto provider finish, thus corrupting the data buffer that is kfree'ed in this case. Resolve this by using wait_for_completion() instead. Reported-by: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> CC: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> crypto: drbg - wait for crypto op not signal safe 2017-05-23T04:45:11+00:00 Gilad Ben-Yossef gilad@benyossef.com 2017-05-18T13:29:24+00:00 urn:sha1:a5dfefb1c3f3db81662556393fd9283511e08430 drbg_kcapi_sym_ctr() was using wait_for_completion_interruptible() to wait for completion of async crypto op but if a signal occurs it may return before DMA ops of HW crypto provider finish, thus corrupting the output buffer. Resolve this by using wait_for_completion() instead. Reported-by: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> CC: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> crypto: asymmetric_keys - handle EBUSY due to backlog correctly 2017-05-23T04:45:10+00:00 Gilad Ben-Yossef gilad@benyossef.com 2017-05-18T13:29:23+00:00 urn:sha1:e68368aed56324e2e38d4f6b044bb8cf82077fc2 public_key_verify_signature() was passing the CRYPTO_TFM_REQ_MAY_BACKLOG flag to akcipher_request_set_callback() but was not handling correctly the case where a -EBUSY error could be returned from the call to crypto_akcipher_verify() if backlog was used, possibly casuing data corruption due to use-after-free of buffers. Resolve this by handling -EBUSY correctly. Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> CC: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>