[PATCH 0/4] crypto: vmac - various fixes

From: Eric Biggers <ebiggers@xxxxxxxxxx>

Hi, this series fixes various bugs in the VMAC template (crypto/vmac.c).
First, the per-request context was being stored in the transform
context, which made VMAC not thread-safe, and the kernel could be
crashed by using the same VMAC transform in multiple threads using
AF_ALG (found by syzkaller).  Also the keys were incorrectly being wiped
after each message.  Patch 2 fixes these bugs, Cc'ed to stable.

But there are also bugs that require breaking changes: the nonce is
hardcoded to 0, and the endianness of the final digest is wrong.  So
patch 3 introduces a fixed version of the VMAC template that takes the
nonce as the first 16 bytes of data, and fixes the digest endianness.

Patch 4 then removes the current version of the VMAC template.  I'm not
100% sure whether we can really do that or not as it may have users
(there are no explicit users in the kernel, though), but given that the
old version was insecure unless a unique key was set for each message, I
think we should try and see if anyone complains.

Eric Biggers (4):
  crypto: vmac - require a block cipher with 128-bit block size
  crypto: vmac - separate tfm and request context
  crypto: vmac - add nonced version with big endian digest
  crypto: vmac - remove insecure version with hardcoded nonce

 crypto/tcrypt.c       |   2 +-
 crypto/testmgr.c      |   4 +-
 crypto/testmgr.h      | 217 +++++++++++++--------
 crypto/vmac.c         | 444 ++++++++++++++++++++----------------------
 include/crypto/vmac.h |  63 ------
 5 files changed, 351 insertions(+), 379 deletions(-)
 delete mode 100644 include/crypto/vmac.h

-- 
2.18.0.rc1.244.gcf134e6275-goog
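To make the "insecure unless a unique key was set for each message" remark concrete, here is an added example that is not part of this patch series and not the kernel's VMAC code. It models the Wegman-Carter construction VMAC belongs to (tag = universal hash of the message, masked by a block-cipher output derived from the nonce) with a one-key polynomial hash over the field GF(2^61 - 1) and a non-cryptographic mixer standing in for the block cipher; the real VMAC hash (NH plus a polynomial layer) and the cipher key are assumptions simplified away, but the attack shape is the same. With the nonce fixed at 0, two single-block messages tagged under the same key share the pad, so their tag difference is (m1 - m2) * k; the attacker inverts that to recover the hash key and then tags arbitrary messages without ever learning the cipher key. Under distinct nonces the same arithmetic yields a useless key and the forgery fails.

```c
/*
 * Added example, not crypto/vmac.c: a toy Wegman-Carter MAC over p = 2^61 - 1
 * and the key-recovery plus forgery attack that a fixed nonce hands to an
 * attacker. Keys, messages and the "cipher" are constructed stand-ins.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P ((1ULL << 61) - 1)	/* Mersenne prime 2^61 - 1, the hash field */

static uint64_t mulmod(uint64_t a, uint64_t b)
{
	/* a, b < 2^61 so the product is < 2^122; 2^61 == 1 (mod P) folds it */
	unsigned __int128 z = (unsigned __int128)a * b;
	uint64_t r = (uint64_t)(z & P) + (uint64_t)(z >> 61);
	return r >= P ? r - P : r;
}

static uint64_t addmod(uint64_t a, uint64_t b)
{
	uint64_t r = a + b;
	return r >= P ? r - P : r;
}

static uint64_t submod(uint64_t a, uint64_t b)
{
	return a >= b ? a - b : a + P - b;
}

static uint64_t powmod(uint64_t base, uint64_t e)
{
	uint64_t r = 1;
	for (; e; e >>= 1, base = mulmod(base, base))
		if (e & 1)
			r = mulmod(r, base);
	return r;
}

/* Inverse by Fermat's little theorem: a^(p-2) mod p, for a != 0 */
static uint64_t invmod(uint64_t a)
{
	return powmod(a, P - 2);
}

/* Polynomial universal hash in Horner form: H_k(m) = sum m[i] * k^(n-i) mod p */
static uint64_t uhash(uint64_t k, const uint64_t *m, size_t n)
{
	uint64_t h = 0;
	for (size_t i = 0; i < n; i++)
		h = mulmod(addmod(h, m[i] % P), k);
	return h;
}

/* Stand-in for E_K(nonce): a splitmix64-style mixer, NOT a cipher (assumption
 * so the example needs no crypto library); only its one-time-pad role matters. */
static uint64_t toy_prf(uint64_t key, uint64_t nonce)
{
	uint64_t x = (key ^ nonce) + 0x9E3779B97F4A7C15ULL;
	x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
	x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
	return (x ^ (x >> 31)) % P;
}

/* Wegman-Carter tag: hash of the message masked by the per-nonce pad */
static uint64_t wc_mac(uint64_t hk, uint64_t ck, uint64_t nonce, const uint64_t *m, size_t n)
{
	return addmod(uhash(hk, m, n), toy_prf(ck, nonce));
}

/* Attack step 1: same nonce => same pad, so t1 - t2 = (m1 - m2) * k */
static uint64_t recover_hash_key(uint64_t m1, uint64_t t1, uint64_t m2, uint64_t t2)
{
	return mulmod(submod(t1, t2), invmod(submod(m1 % P, m2 % P)));
}

/* Attack step 2: with k known, pad = t1 - H_k(m1) and any message can be tagged */
static uint64_t forge_tag(uint64_t k, uint64_t m1, uint64_t t1, const uint64_t *m, size_t n)
{
	return addmod(uhash(k, m, n), submod(t1, uhash(k, &m1, 1)));
}

/* Constructed secret keys and attacker-visible messages */
static const uint64_t HASH_KEY = 0x0123456789ABCDEFULL;	/* < P, nonzero */
static const uint64_t CIPHER_KEY = 0xFEDCBA9876543210ULL;
static const uint64_t M1 = 0x41414141ULL, M2 = 0x42424242ULL;
static const uint64_t FORGED[3] = { 0x7065726d69747465ULL, 0x64ULL, 0 }; /* "permitted" */

/* reuse_nonce=1 models the old template's hardcoded nonce 0; 0 models distinct nonces */
int key_recovery_succeeds(int reuse_nonce)
{
	uint64_t t1 = wc_mac(HASH_KEY, CIPHER_KEY, 0, &M1, 1);
	uint64_t t2 = wc_mac(HASH_KEY, CIPHER_KEY, reuse_nonce ? 0 : 1, &M2, 1);
	return recover_hash_key(M1, t1, M2, t2) == HASH_KEY;
}

/* Returns 1 if a tag forged without CIPHER_KEY verifies under nonce 0 */
int forgery_succeeds(int reuse_nonce)
{
	uint64_t t1 = wc_mac(HASH_KEY, CIPHER_KEY, 0, &M1, 1);
	uint64_t t2 = wc_mac(HASH_KEY, CIPHER_KEY, reuse_nonce ? 0 : 1, &M2, 1);
	uint64_t k = recover_hash_key(M1, t1, M2, t2);
	uint64_t ft = forge_tag(k, M1, t1, FORGED, 3);
	return wc_mac(HASH_KEY, CIPHER_KEY, 0, FORGED, 3) == ft;
}

int main(void)
{
	printf("fixed nonce:   key recovered=%d forgery verifies=%d\n",
	       key_recovery_succeeds(1), forgery_succeeds(1));
	printf("unique nonces: key recovered=%d forgery verifies=%d\n",
	       key_recovery_succeeds(0), forgery_succeeds(0));
	return 0;
}
```

The second message is only needed once: after the hash key is out, every further tag under the fixed nonce reveals its pad, and since the pad depends only on the nonce, one recovered pad is enough to forge indefinitely. That is why a unique nonce per message (the 16 bytes the nonced template takes as a prefix) or a fresh key per message is a hard requirement rather than a hardening option.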
