diff options
| author | Eric Biggers <ebiggers@google.com> | 2018-06-18 13:22:40 -0400 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-07-01 09:00:44 -0400 |
| commit | 0917b873127cebd4a259b92d43af5963484981ae (patch) | |
| tree | 863d6988a27042ca432b7da830fc924cf6434324 /crypto/vmac.c | |
| parent | ed331adab35bcddc595dae066522ca6336ee9210 (diff) | |
crypto: vmac - remove insecure version with hardcoded nonce
Remove the original version of the VMAC template that had the nonce
hardcoded to 0 and produced a digest with the wrong endianness. I'm
unsure whether this had users or not (there are no explicit in-kernel
references to it), but given that the hardcoded nonce made it wildly
insecure unless a unique key was used for each message, let's try
removing it and see if anyone complains.
Leave the new "vmac64" template that requires the nonce to be explicitly
specified as the first 16 bytes of data and uses the correct endianness
for the digest.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/vmac.c')
| -rw-r--r-- | crypto/vmac.c | 84 |
1 files changed, 7 insertions, 77 deletions
diff --git a/crypto/vmac.c b/crypto/vmac.c index bf1e385bc684..5f436dfdfc61 100644 --- a/crypto/vmac.c +++ b/crypto/vmac.c | |||
| @@ -490,16 +490,6 @@ static int vmac_init(struct shash_desc *desc) | |||
| 490 | return 0; | 490 | return 0; |
| 491 | } | 491 | } |
| 492 | 492 | ||
| 493 | static int vmac_init_with_hardcoded_nonce(struct shash_desc *desc) | ||
| 494 | { | ||
| 495 | struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); | ||
| 496 | |||
| 497 | vmac_init(desc); | ||
| 498 | memset(&dctx->nonce, 0, VMAC_NONCEBYTES); | ||
| 499 | dctx->nonce_size = VMAC_NONCEBYTES; | ||
| 500 | return 0; | ||
| 501 | } | ||
| 502 | |||
| 503 | static int vmac_update(struct shash_desc *desc, const u8 *p, unsigned int len) | 493 | static int vmac_update(struct shash_desc *desc, const u8 *p, unsigned int len) |
| 504 | { | 494 | { |
| 505 | const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); | 495 | const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); |
| @@ -570,7 +560,7 @@ static u64 vhash_final(const struct vmac_tfm_ctx *tctx, | |||
| 570 | return l3hash(ch, cl, tctx->l3key[0], tctx->l3key[1], partial * 8); | 560 | return l3hash(ch, cl, tctx->l3key[0], tctx->l3key[1], partial * 8); |
| 571 | } | 561 | } |
| 572 | 562 | ||
| 573 | static int __vmac_final(struct shash_desc *desc, u64 *mac) | 563 | static int vmac_final(struct shash_desc *desc, u8 *out) |
| 574 | { | 564 | { |
| 575 | const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); | 565 | const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); |
| 576 | struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); | 566 | struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); |
| @@ -601,31 +591,7 @@ static int __vmac_final(struct shash_desc *desc, u64 *mac) | |||
| 601 | pad = be64_to_cpu(dctx->nonce.pads[index]); | 591 | pad = be64_to_cpu(dctx->nonce.pads[index]); |
| 602 | 592 | ||
| 603 | /* The VMAC is the sum of VHASH and the pseudorandom pad */ | 593 | /* The VMAC is the sum of VHASH and the pseudorandom pad */ |
| 604 | *mac = hash + pad; | 594 | put_unaligned_be64(hash + pad, out); |
| 605 | return 0; | ||
| 606 | } | ||
| 607 | |||
| 608 | static int vmac_final_le(struct shash_desc *desc, u8 *out) | ||
| 609 | { | ||
| 610 | u64 mac; | ||
| 611 | int err; | ||
| 612 | |||
| 613 | err = __vmac_final(desc, &mac); | ||
| 614 | if (err) | ||
| 615 | return err; | ||
| 616 | put_unaligned_le64(mac, out); | ||
| 617 | return 0; | ||
| 618 | } | ||
| 619 | |||
| 620 | static int vmac_final_be(struct shash_desc *desc, u8 *out) | ||
| 621 | { | ||
| 622 | u64 mac; | ||
| 623 | int err; | ||
| 624 | |||
| 625 | err = __vmac_final(desc, &mac); | ||
| 626 | if (err) | ||
| 627 | return err; | ||
| 628 | put_unaligned_be64(mac, out); | ||
| 629 | return 0; | 595 | return 0; |
| 630 | } | 596 | } |
| 631 | 597 | ||
| @@ -651,8 +617,7 @@ static void vmac_exit_tfm(struct crypto_tfm *tfm) | |||
| 651 | crypto_free_cipher(tctx->cipher); | 617 | crypto_free_cipher(tctx->cipher); |
| 652 | } | 618 | } |
| 653 | 619 | ||
| 654 | static int vmac_create_common(struct crypto_template *tmpl, struct rtattr **tb, | 620 | static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) |
| 655 | bool vmac64) | ||
| 656 | { | 621 | { |
| 657 | struct shash_instance *inst; | 622 | struct shash_instance *inst; |
| 658 | struct crypto_alg *alg; | 623 | struct crypto_alg *alg; |
| @@ -692,15 +657,9 @@ static int vmac_create_common(struct crypto_template *tmpl, struct rtattr **tb, | |||
| 692 | 657 | ||
| 693 | inst->alg.descsize = sizeof(struct vmac_desc_ctx); | 658 | inst->alg.descsize = sizeof(struct vmac_desc_ctx); |
| 694 | inst->alg.digestsize = VMAC_TAG_LEN / 8; | 659 | inst->alg.digestsize = VMAC_TAG_LEN / 8; |
| 695 | if (vmac64) { | 660 | inst->alg.init = vmac_init; |
| 696 | inst->alg.init = vmac_init; | ||
| 697 | inst->alg.final = vmac_final_be; | ||
| 698 | } else { | ||
| 699 | pr_warn("vmac: using insecure hardcoded nonce\n"); | ||
| 700 | inst->alg.init = vmac_init_with_hardcoded_nonce; | ||
| 701 | inst->alg.final = vmac_final_le; | ||
| 702 | } | ||
| 703 | inst->alg.update = vmac_update; | 661 | inst->alg.update = vmac_update; |
| 662 | inst->alg.final = vmac_final; | ||
| 704 | inst->alg.setkey = vmac_setkey; | 663 | inst->alg.setkey = vmac_setkey; |
| 705 | 664 | ||
| 706 | err = shash_register_instance(tmpl, inst); | 665 | err = shash_register_instance(tmpl, inst); |
| @@ -714,48 +673,20 @@ out_put_alg: | |||
| 714 | return err; | 673 | return err; |
| 715 | } | 674 | } |
| 716 | 675 | ||
| 717 | static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) | ||
| 718 | { | ||
| 719 | return vmac_create_common(tmpl, tb, false); | ||
| 720 | } | ||
| 721 | |||
| 722 | static int vmac64_create(struct crypto_template *tmpl, struct rtattr **tb) | ||
| 723 | { | ||
| 724 | return vmac_create_common(tmpl, tb, true); | ||
| 725 | } | ||
| 726 | |||
| 727 | static struct crypto_template vmac_tmpl = { | ||
| 728 | .name = "vmac", | ||
| 729 | .create = vmac_create, | ||
| 730 | .free = shash_free_instance, | ||
| 731 | .module = THIS_MODULE, | ||
| 732 | }; | ||
| 733 | |||
| 734 | static struct crypto_template vmac64_tmpl = { | 676 | static struct crypto_template vmac64_tmpl = { |
| 735 | .name = "vmac64", | 677 | .name = "vmac64", |
| 736 | .create = vmac64_create, | 678 | .create = vmac_create, |
| 737 | .free = shash_free_instance, | 679 | .free = shash_free_instance, |
| 738 | .module = THIS_MODULE, | 680 | .module = THIS_MODULE, |
| 739 | }; | 681 | }; |
| 740 | 682 | ||
| 741 | static int __init vmac_module_init(void) | 683 | static int __init vmac_module_init(void) |
| 742 | { | 684 | { |
| 743 | int err; | 685 | return crypto_register_template(&vmac64_tmpl); |
| 744 | |||
| 745 | err = crypto_register_template(&vmac_tmpl); | ||
| 746 | if (err) | ||
| 747 | return err; | ||
| 748 | |||
| 749 | err = crypto_register_template(&vmac64_tmpl); | ||
| 750 | if (err) | ||
| 751 | crypto_unregister_template(&vmac_tmpl); | ||
| 752 | |||
| 753 | return err; | ||
| 754 | } | 686 | } |
| 755 | 687 | ||
| 756 | static void __exit vmac_module_exit(void) | 688 | static void __exit vmac_module_exit(void) |
| 757 | { | 689 | { |
| 758 | crypto_unregister_template(&vmac_tmpl); | ||
| 759 | crypto_unregister_template(&vmac64_tmpl); | 690 | crypto_unregister_template(&vmac64_tmpl); |
| 760 | } | 691 | } |
| 761 | 692 | ||
| @@ -764,5 +695,4 @@ module_exit(vmac_module_exit); | |||
| 764 | 695 | ||
| 765 | MODULE_LICENSE("GPL"); | 696 | MODULE_LICENSE("GPL"); |
| 766 | MODULE_DESCRIPTION("VMAC hash algorithm"); | 697 | MODULE_DESCRIPTION("VMAC hash algorithm"); |
| 767 | MODULE_ALIAS_CRYPTO("vmac"); | ||
| 768 | MODULE_ALIAS_CRYPTO("vmac64"); | 698 | MODULE_ALIAS_CRYPTO("vmac64"); |