Re: [PATCH 0/4] crypto: vmac - various fixes

2018-07-01 Thread Herbert Xu
On Mon, Jun 18, 2018 at 10:22:36AM -0700, Eric Biggers wrote:
> From: Eric Biggers 
> 
> Hi, this series fixes various bugs in the VMAC template (crypto/vmac.c).
> First, the per-request context was being stored in the transform
> context, which made VMAC not thread-safe, and the kernel could be
> crashed by using the same VMAC transform in multiple threads using
> AF_ALG (found by syzkaller).  Also the keys were incorrectly being wiped
> after each message.  Patch 2 fixes these bugs, Cc'ed to stable.
> 
> But there are also bugs that require breaking changes: the nonce is
> hardcoded to 0, and the endianness of the final digest is wrong.  So
> patch 3 introduces a fixed version of the VMAC template that takes the
> nonce as the first 16 bytes of data, and fixes the digest endianness.
> 
> Patch 4 then removes the current version of the VMAC template.  I'm not
> 100% sure whether we can really do that or not as it may have users
> (there are no explicit users in the kernel, though), but given that the
> old version was insecure unless a unique key was set for each message, I
> think we should try and see if anyone complains.
> 
> Eric Biggers (4):
>   crypto: vmac - require a block cipher with 128-bit block size
>   crypto: vmac - separate tfm and request context
>   crypto: vmac - add nonced version with big endian digest
>   crypto: vmac - remove insecure version with hardcoded nonce
> 
>  crypto/tcrypt.c   |   2 +-
>  crypto/testmgr.c  |   4 +-
>  crypto/testmgr.h  | 217 +
>  crypto/vmac.c | 444 --
>  include/crypto/vmac.h |  63 --
>  5 files changed, 351 insertions(+), 379 deletions(-)
>  delete mode 100644 include/crypto/vmac.h

All applied.  Thanks.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


[PATCH 0/4] crypto: vmac - various fixes

2018-06-18 Thread Eric Biggers
From: Eric Biggers 

Hi, this series fixes various bugs in the VMAC template (crypto/vmac.c).
First, the per-request context was being stored in the transform
context, which made VMAC not thread-safe, and the kernel could be
crashed by using the same VMAC transform in multiple threads using
AF_ALG (found by syzkaller).  Also the keys were incorrectly being wiped
after each message.  Patch 2 fixes these bugs, Cc'ed to stable.

But there are also bugs that require breaking changes: the nonce is
hardcoded to 0, and the endianness of the final digest is wrong.  So
patch 3 introduces a fixed version of the VMAC template that takes the
nonce as the first 16 bytes of data, and fixes the digest endianness.

Patch 4 then removes the current version of the VMAC template.  I'm not
100% sure whether we can really do that or not as it may have users
(there are no explicit users in the kernel, though), but given that the
old version was insecure unless a unique key was set for each message, I
think we should try and see if anyone complains.

Eric Biggers (4):
  crypto: vmac - require a block cipher with 128-bit block size
  crypto: vmac - separate tfm and request context
  crypto: vmac - add nonced version with big endian digest
  crypto: vmac - remove insecure version with hardcoded nonce

 crypto/tcrypt.c   |   2 +-
 crypto/testmgr.c  |   4 +-
 crypto/testmgr.h  | 217 +
 crypto/vmac.c | 444 --
 include/crypto/vmac.h |  63 --
 5 files changed, 351 insertions(+), 379 deletions(-)
 delete mode 100644 include/crypto/vmac.h

-- 
2.18.0.rc1.244.gcf134e6275-goog
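The two Patch 2 defects the cover letter names (per-request state living in the shared transform context, and the key being wiped after each message) are easiest to see in a small stand-alone model. The following C program is an added example, not code from the series or from crypto/vmac.c: it uses a toy keyed checksum in place of VMAC and plain structs in place of the kernel crypto API, so that only the context layout and lifetimes are being demonstrated. `buggy_tfm`, `fixed_tfm`, `fixed_req`, the key and message bytes, and the mixing constant are all constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy keyed checksum standing in for VMAC (constructed, not secure).
 * MIX is odd, so multiplying by it is a bijection on 64-bit values. */
#define BLOCK 16
static const uint64_t MIX = 0x9E3779B97F4A7C15ULL;

struct toy_key { uint64_t k[2]; };

/* Fold one 16-byte block into the running hash. */
static uint64_t absorb(uint64_t h, const struct toy_key *key, const uint8_t blk[BLOCK])
{
	uint64_t w0, w1;
	memcpy(&w0, blk, 8);
	memcpy(&w1, blk + 8, 8);
	h = (h ^ w0 ^ key->k[0]) * MIX;
	h = (h ^ w1 ^ key->k[1]) * MIX;
	return h;
}

/* Per-message state: partial block buffer, byte count, running hash. */
struct req_state {
	uint8_t partial[BLOCK];
	unsigned int partial_len;
	uint64_t total_len;
	uint64_t hash;
};

static void req_init(struct req_state *r) { memset(r, 0, sizeof(*r)); }

static void req_update(struct req_state *r, const struct toy_key *key, const uint8_t *data, size_t len)
{
	r->total_len += len;
	while (len) {
		size_t n = BLOCK - r->partial_len;
		if (n > len) n = len;
		memcpy(r->partial + r->partial_len, data, n);
		r->partial_len += n; data += n; len -= n;
		if (r->partial_len == BLOCK) {   /* full block: absorb and reset */
			r->hash = absorb(r->hash, key, r->partial);
			r->partial_len = 0;
		}
	}
}

static uint64_t req_final(struct req_state *r, const struct toy_key *key)
{
	uint8_t blk[BLOCK] = { 0 };
	if (r->partial_len) {                /* zero-pad the last partial block */
		memcpy(blk, r->partial, r->partial_len);
		r->hash = absorb(r->hash, key, blk);
		memset(blk, 0, sizeof(blk));
	}
	memcpy(blk, &r->total_len, 8);       /* final length block */
	return absorb(r->hash, key, blk);
}

/* BEFORE (the bug): request state sits inside the one transform object that
 * every user of the tfm shares, and final() wipes the key. */
struct buggy_tfm { struct toy_key key; struct req_state req; };

static void buggy_init(struct buggy_tfm *t) { req_init(&t->req); }
static void buggy_update(struct buggy_tfm *t, const uint8_t *d, size_t n) { req_update(&t->req, &t->key, d, n); }
static uint64_t buggy_final(struct buggy_tfm *t)
{
	uint64_t mac = req_final(&t->req, &t->key);
	memset(&t->key, 0, sizeof(t->key));  /* key wiped: the tfm cannot MAC a second message */
	return mac;
}

/* AFTER (the fix): the transform holds only the key; each request owns its state. */
struct fixed_tfm { struct toy_key key; };
struct fixed_req { const struct fixed_tfm *tfm; struct req_state st; };

static void fixed_init(struct fixed_req *r, const struct fixed_tfm *t) { r->tfm = t; req_init(&r->st); }
static void fixed_update(struct fixed_req *r, const uint8_t *d, size_t n) { req_update(&r->st, &r->tfm->key, d, n); }
static uint64_t fixed_final(struct fixed_req *r) { return req_final(&r->st, &r->tfm->key); }

/* Constructed key and messages. */
static const struct toy_key DEMO_KEY = { { 0x0123456789abcdefULL, 0xfedcba9876543210ULL } };
static const uint8_t MSG_A[16] = "AAAAAAAAaaaaaaaa";
static const uint8_t MSG_B[16] = "BBBBBBBBbbbbbbbb";

/* Reference: MAC of MSG_A computed by itself. */
uint64_t reference_mac_a(void)
{
	struct fixed_tfm t = { DEMO_KEY };
	struct fixed_req r;
	fixed_init(&r, &t);
	fixed_update(&r, MSG_A, 16);
	return fixed_final(&r);
}

/* Two users of one transform with interleaved updates (the AF_ALG pattern).
 * Returns the digest the shared-state layout produces for MSG_A. */
uint64_t buggy_interleaved_mac_a(void)
{
	struct buggy_tfm t = { .key = DEMO_KEY };
	buggy_init(&t);                      /* user A starts */
	buggy_update(&t, MSG_A, 8);
	buggy_init(&t);                      /* user B starts and clobbers A's state */
	buggy_update(&t, MSG_B, 8);
	buggy_update(&t, MSG_A + 8, 8);      /* A finishes over B's partial block */
	return buggy_final(&t);
}

uint64_t fixed_interleaved_mac_a(void)
{
	struct fixed_tfm t = { DEMO_KEY };
	struct fixed_req a, b;
	fixed_init(&a, &t);
	fixed_update(&a, MSG_A, 8);
	fixed_init(&b, &t);
	fixed_update(&b, MSG_B, 8);
	fixed_update(&a, MSG_A + 8, 8);
	(void)fixed_final(&b);               /* B finishing touches neither A's state nor the key */
	return fixed_final(&a);
}

/* 1 if the transform key reads as all-zero after a single final(). */
int buggy_key_wiped_after_final(void)
{
	static const struct toy_key zero;
	struct buggy_tfm t = { .key = DEMO_KEY };
	buggy_init(&t);
	buggy_update(&t, MSG_A, 16);
	(void)buggy_final(&t);
	return memcmp(&t.key, &zero, sizeof(zero)) == 0;
}

int main(void)
{
	printf("reference   %016llx\n", (unsigned long long)reference_mac_a());
	printf("buggy       %016llx (interleaved, corrupted)\n", (unsigned long long)buggy_interleaved_mac_a());
	printf("fixed       %016llx (interleaved, matches)\n", (unsigned long long)fixed_interleaved_mac_a());
	printf("buggy key wiped after final: %d\n", buggy_key_wiped_after_final());
	return 0;
}
```

In the shared-state layout the second init() throws away the first user's buffered bytes, so user A ends up authenticating a block it never supplied; in the real driver the same race is what let syzkaller crash the kernel rather than merely produce a wrong tag. Moving the state into a per-request struct, as the series does, makes the interleaving harmless, and leaving the key alone in final() is what allows one keyed transform to serve many messages.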