On Mon, Jun 18, 2018 at 10:22:36AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Hi, this series fixes various bugs in the VMAC template (crypto/vmac.c).
> First, the per-request context was being stored in the transform
> context, which made VMAC not thread-safe, and the kernel could be
> crashed by using the same VMAC transform in multiple threads using
> AF_ALG (found by syzkaller). Also the keys were incorrectly being wiped
> after each message. Patch 2 fixes these bugs, Cc'ed to stable.
>
> But there are also bugs that require breaking changes: the nonce is
> hardcoded to 0, and the endianness of the final digest is wrong. So
> patch 3 introduces a fixed version of the VMAC template that takes the
> nonce as the first 16 bytes of data, and fixes the digest endianness.
>
> Patch 4 then removes the current version of the VMAC template. I'm not
> 100% sure whether we can really do that or not as it may have users
> (there are no explicit users in the kernel, though), but given that the
> old version was insecure unless a unique key was set for each message, I
> think we should try and see if anyone complains.
>
> Eric Biggers (4):
>   crypto: vmac - require a block cipher with 128-bit block size
>   crypto: vmac - separate tfm and request context
>   crypto: vmac - add nonced version with big endian digest
>   crypto: vmac - remove insecure version with hardcoded nonce
>
>  crypto/tcrypt.c       |   2 +-
>  crypto/testmgr.c      |   4 +-
>  crypto/testmgr.h      | 217 +++++++++++++--------
>  crypto/vmac.c         | 444 ++++++++++++++++++++----------------------
>  include/crypto/vmac.h |  63 ------
>  5 files changed, 351 insertions(+), 379 deletions(-)
>  delete mode 100644 include/crypto/vmac.h

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
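The two bugs patch 2 addresses (per-request state kept in the shared transform context, and the key wiped on every final()) can be modelled without any VMAC internals. The program below is an added illustration, not code from the series or from crypto/vmac.c: the keyed accumulator is a made-up stand-in for the real hash, and the key, constants and message bytes are constructed. It lays out a "good" design (tfm context holds only the key, running state lives in a per-request struct) beside a "bad" one (state in the tfm, key wiped with it), then drives both with two requests whose update() calls are interleaved the way two AF_ALG threads would interleave them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy keyed accumulator, NOT VMAC: only the context layout matters here.
 * Key, IV, multiplier and messages are all constructed values. */
#define TOY_KEY 0x0123456789abcdefULL
#define TOY_IV  0x9e3779b97f4a7c15ULL
#define TOY_MUL 0x100000001b3ULL
static const uint8_t MSG_A[] = "message A";    /* constructed */
static const uint8_t MSG_B[] = "other msg B";  /* constructed */
#define LEN_A (sizeof(MSG_A) - 1)
#define LEN_B (sizeof(MSG_B) - 1)

/* Fixed layout: tfm context = key only; running state is per request. */
struct good_tfm { uint64_t key; };
struct good_req { uint64_t acc; };

static void good_init(const struct good_tfm *tfm, struct good_req *req)
{ req->acc = tfm->key ^ TOY_IV; }

static void good_update(const struct good_tfm *tfm, struct good_req *req,
                        const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        req->acc = (req->acc ^ p[i] ^ tfm->key) * TOY_MUL;
}

static uint64_t good_final(const struct good_tfm *tfm, struct good_req *req)
{
    uint64_t tag = req->acc ^ tfm->key;
    memset(req, 0, sizeof(*req));   /* wipe request state only; key survives */
    return tag;
}

/* Buggy layout (pre-fix): accumulator in the shared tfm context, and
 * final() wipes the whole context, key included. Same arithmetic. */
struct bad_tfm { uint64_t key; uint64_t acc; };

static void bad_init(struct bad_tfm *tfm) { tfm->acc = tfm->key ^ TOY_IV; }

static void bad_update(struct bad_tfm *tfm, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        tfm->acc = (tfm->acc ^ p[i] ^ tfm->key) * TOY_MUL;
}

static uint64_t bad_final(struct bad_tfm *tfm)
{
    uint64_t tag = tfm->acc ^ tfm->key;
    memset(tfm, 0, sizeof(*tfm));   /* bug: key is wiped with the state */
    return tag;
}

/* Reference tag: one message, one request, fixed layout. */
uint64_t good_tag(uint64_t key, const uint8_t *m, size_t n)
{
    struct good_tfm tfm = { key };
    struct good_req req;
    good_init(&tfm, &req);
    good_update(&tfm, &req, m, n);
    return good_final(&tfm, &req);
}

/* Two requests on one tfm, updates interleaved as two threads would do.
 * With per-request state both tags still match the sequential reference. */
int good_interleaved_matches(void)
{
    struct good_tfm tfm = { TOY_KEY };
    struct good_req ra, rb;
    good_init(&tfm, &ra);
    good_init(&tfm, &rb);
    good_update(&tfm, &ra, MSG_A, 4);
    good_update(&tfm, &rb, MSG_B, 5);
    good_update(&tfm, &ra, MSG_A + 4, LEN_A - 4);
    good_update(&tfm, &rb, MSG_B + 5, LEN_B - 5);
    uint64_t ta = good_final(&tfm, &ra), tb = good_final(&tfm, &rb);
    return ta == good_tag(TOY_KEY, MSG_A, LEN_A) &&
           tb == good_tag(TOY_KEY, MSG_B, LEN_B);
}

/* Same interleaving on the buggy layout: request B's init() clobbers
 * request A's accumulator, so the one tag produced matches neither message. */
int bad_interleaved_matches(void)
{
    struct bad_tfm tfm = { TOY_KEY, 0 };
    bad_init(&tfm);                     /* request A starts */
    bad_update(&tfm, MSG_A, 4);
    bad_init(&tfm);                     /* request B starts: shared state reset */
    bad_update(&tfm, MSG_B, 5);
    bad_update(&tfm, MSG_A + 4, LEN_A - 4);
    bad_update(&tfm, MSG_B + 5, LEN_B - 5);
    uint64_t t = bad_final(&tfm);
    return t == good_tag(TOY_KEY, MSG_A, LEN_A) ||
           t == good_tag(TOY_KEY, MSG_B, LEN_B);
}

/* Key wiping: the first message tags correctly, the second is silently
 * computed under the all-zero key that final() left behind. */
int bad_second_message_uses_wiped_key(void)
{
    struct bad_tfm tfm = { TOY_KEY, 0 };
    bad_init(&tfm);
    bad_update(&tfm, MSG_A, LEN_A);
    uint64_t first = bad_final(&tfm);
    bad_init(&tfm);
    bad_update(&tfm, MSG_B, LEN_B);
    uint64_t second = bad_final(&tfm);
    return first == good_tag(TOY_KEY, MSG_A, LEN_A) &&
           second != good_tag(TOY_KEY, MSG_B, LEN_B) &&
           second == good_tag(0, MSG_B, LEN_B);
}
```

The interleaving here is sequential rather than threaded, which is deliberate: the point of "separate tfm and request context" is that correctness must not depend on scheduling at all, and a deterministic interleaving shows the corruption without a race. In the kernel the request state for a shash is the `desc` context; the toy's `good_req` plays that role.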