| Revision | af30313f5d14531bff3df468e2c59cff15b2d5a0 (tree) |
|---|---|
| Zeit | 2006-08-27 20:51:31 |
| Autor | Solar Designer <solar@open...> |
| Commiter | Willy Tarreau |
[PATCH] crypto : prevent cryptoloop from oopsing on stupid ciphers
With the cryptoloop patch applied, it's possible to request
ECB mode encryption, which will result in a Oops because of
uninitialized function pointers. Initializing them to the
nocrypt_iv() function does not completely solve the problem
because cryptoloop does not check the return code, and kernel
memory will leak uninitialized through cryptoloop.
Proposed solution :
Response from Herbert Xu :
Final solution :
crypto/cipher.c (diff)| @@ -147,6 +147,15 @@ static int ecb_encrypt(struct crypto_tfm *tfm, | ||
| 147 | 147 | ecb_process, 1, NULL); |
| 148 | 148 | } |
| 149 | 149 | |
| 150 | +static int ecb_encrypt_iv(struct crypto_tfm *tfm, | |
| 151 | + struct scatterlist *dst, | |
| 152 | + struct scatterlist *src, | |
| 153 | + unsigned int nbytes, u8 *iv) | |
| 154 | +{ | |
| 155 | + ecb_encrypt(tfm, dst, src, nbytes); | |
| 156 | + return -ENOSYS; | |
| 157 | +} | |
| 158 | + | |
| 150 | 159 | static int ecb_decrypt(struct crypto_tfm *tfm, |
| 151 | 160 | struct scatterlist *dst, |
| 152 | 161 | struct scatterlist *src, |
| @@ -157,6 +166,15 @@ static int ecb_decrypt(struct crypto_tfm *tfm, | ||
| 157 | 166 | ecb_process, 1, NULL); |
| 158 | 167 | } |
| 159 | 168 | |
| 169 | +static int ecb_decrypt_iv(struct crypto_tfm *tfm, | |
| 170 | + struct scatterlist *dst, | |
| 171 | + struct scatterlist *src, | |
| 172 | + unsigned int nbytes, u8 *iv) | |
| 173 | +{ | |
| 174 | + ecb_decrypt(tfm, dst, src, nbytes); | |
| 175 | + return -ENOSYS; | |
| 176 | +} | |
| 177 | + | |
| 160 | 178 | static int cbc_encrypt(struct crypto_tfm *tfm, |
| 161 | 179 | struct scatterlist *dst, |
| 162 | 180 | struct scatterlist *src, |
| @@ -197,11 +215,20 @@ static int cbc_decrypt_iv(struct crypto_tfm *tfm, | ||
| 197 | 215 | cbc_process, 0, iv); |
| 198 | 216 | } |
| 199 | 217 | |
| 218 | +/* | |
| 219 | + * nocrypt*() zeroize the destination buffer to make sure we don't leak | |
| 220 | + * uninitialized memory contents if the caller ignores the return value. | |
| 221 | + * This is bad since the data in the source buffer is unused and may be | |
| 222 | + * lost, but an infoleak would be even worse. The performance cost of | |
| 223 | + * memset() is irrelevant since a well-behaved caller would not bump into | |
| 224 | + * the error repeatedly. | |
| 225 | + */ | |
| 200 | 226 | static int nocrypt(struct crypto_tfm *tfm, |
| 201 | 227 | struct scatterlist *dst, |
| 202 | 228 | struct scatterlist *src, |
| 203 | 229 | unsigned int nbytes) |
| 204 | 230 | { |
| 231 | + memset(dst, 0, nbytes); | |
| 205 | 232 | return -ENOSYS; |
| 206 | 233 | } |
| 207 | 234 |
| @@ -210,6 +237,7 @@ static int nocrypt_iv(struct crypto_tfm *tfm, | ||
| 210 | 237 | struct scatterlist *src, |
| 211 | 238 | unsigned int nbytes, u8 *iv) |
| 212 | 239 | { |
| 240 | + memset(dst, 0, nbytes); | |
| 213 | 241 | return -ENOSYS; |
| 214 | 242 | } |
| 215 | 243 |
| @@ -235,6 +263,11 @@ int crypto_init_cipher_ops(struct crypto_tfm *tfm) | ||
| 235 | 263 | case CRYPTO_TFM_MODE_ECB: |
| 236 | 264 | ops->cit_encrypt = ecb_encrypt; |
| 237 | 265 | ops->cit_decrypt = ecb_decrypt; |
| 266 | +/* These should have been nocrypt_iv, but patch-cryptoloop-jari-2.4.22.0 | |
| 267 | + * (and its other revisions) directly calls the *_iv() functions even in | |
| 268 | + * ECB mode and ignores their return value. */ | |
| 269 | + ops->cit_encrypt_iv = ecb_encrypt_iv; | |
| 270 | + ops->cit_decrypt_iv = ecb_decrypt_iv; | |
| 238 | 271 | break; |
| 239 | 272 | |
| 240 | 273 | case CRYPTO_TFM_MODE_CBC: |
Linux Kernel Documents
Fork