[PATCH 3/6] crypto: crc32-generic - remove __crc32_le()

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

The __crc32_le() wrapper function is pointless.  Just call crc32_le()
directly instead.

Signed-off-by: Eric Biggers 
---
 crypto/crc32_generic.c | 10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/crypto/crc32_generic.c b/crypto/crc32_generic.c
index 20b879881a2d..00facd27bcc2 100644
--- a/crypto/crc32_generic.c
+++ b/crypto/crc32_generic.c
@@ -40,11 +40,6 @@
 #define CHKSUM_BLOCK_SIZE  1
 #define CHKSUM_DIGEST_SIZE 4
 
-static u32 __crc32_le(u32 crc, unsigned char const *p, size_t len)
-{
-   return crc32_le(crc, p, len);
-}
-
 /** No default init with ~0 */
 static int crc32_cra_init(struct crypto_tfm *tfm)
 {
@@ -55,7 +50,6 @@ static int crc32_cra_init(struct crypto_tfm *tfm)
return 0;
 }
 
-
 /*
  * Setting the seed allows arbitrary accumulators and flexible XOR policy
  * If your algorithm starts with ~0, then XOR with ~0 before you set
@@ -89,7 +83,7 @@ static int crc32_update(struct shash_desc *desc, const u8 
*data,
 {
u32 *crcp = shash_desc_ctx(desc);
 
-   *crcp = __crc32_le(*crcp, data, len);
+   *crcp = crc32_le(*crcp, data, len);
return 0;
 }
 
@@ -97,7 +91,7 @@ static int crc32_update(struct shash_desc *desc, const u8 
*data,
 static int __crc32_finup(u32 *crcp, const u8 *data, unsigned int len,
 u8 *out)
 {
-   put_unaligned_le32(__crc32_le(*crcp, data, len), out);
+   put_unaligned_le32(crc32_le(*crcp, data, len), out);
return 0;
 }
 
-- 
2.17.0

[PATCH 2/6] crypto: crc32c-generic - remove cra_alignmask

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

crc32c-generic sets an alignmask, but actually its ->update() works with
any alignment; only its ->setkey() and outputting the final digest
assume an alignment.  To prevent the buffer from having to be aligned by
the crypto API for just these cases, switch these cases over to the
unaligned access macros and remove the cra_alignmask.  Note that this
also makes crc32c-generic more consistent with crc32-generic.

Signed-off-by: Eric Biggers 
---
 crypto/crc32c_generic.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/crc32c_generic.c b/crypto/crc32c_generic.c
index 372320399622..7283066ecc98 100644
--- a/crypto/crc32c_generic.c
+++ b/crypto/crc32c_generic.c
@@ -35,6 +35,7 @@
  *
  */
 
+#include 
 #include 
 #include 
 #include 
@@ -82,7 +83,7 @@ static int chksum_setkey(struct crypto_shash *tfm, const u8 
*key,
crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
return -EINVAL;
}
-   mctx->key = le32_to_cpu(*(__le32 *)key);
+   mctx->key = get_unaligned_le32(key);
return 0;
 }
 
@@ -99,13 +100,13 @@ static int chksum_final(struct shash_desc *desc, u8 *out)
 {
struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);
 
-   *(__le32 *)out = ~cpu_to_le32p(>crc);
+   put_unaligned_le32(~ctx->crc, out);
return 0;
 }
 
 static int __chksum_finup(u32 *crcp, const u8 *data, unsigned int len, u8 *out)
 {
-   *(__le32 *)out = ~cpu_to_le32(__crc32c_le(*crcp, data, len));
+   put_unaligned_le32(~__crc32c_le(*crcp, data, len), out);
return 0;
 }
 
@@ -148,7 +149,6 @@ static struct shash_alg alg = {
.cra_priority   =   100,
.cra_flags  =   CRYPTO_ALG_OPTIONAL_KEY,
.cra_blocksize  =   CHKSUM_BLOCK_SIZE,
-   .cra_alignmask  =   3,
.cra_ctxsize=   sizeof(struct chksum_ctx),
.cra_module =   THIS_MODULE,
.cra_init   =   crc32c_cra_init,
-- 
2.17.0

[PATCH 6/6] crypto: testmgr - add more unkeyed crc32 and crc32c test vectors

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

crc32c has an unkeyed test vector but crc32 did not.  Add the crc32c one
(which uses an empty input) to crc32 too, and also add a new one to both
that uses a nonempty input.  These test vectors verify that crc32 and
crc32c implementations use the correct default initial state.

Signed-off-by: Eric Biggers 
---
 crypto/testmgr.h | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 816e3eb197b2..9350f9846451 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -42292,6 +42292,15 @@ static const struct hash_testvec 
michael_mic_tv_template[] = {
  * CRC32 test vectors
  */
 static const struct hash_testvec crc32_tv_template[] = {
+   {
+   .psize = 0,
+   .digest = "\x00\x00\x00\x00",
+   },
+   {
+   .plaintext = "abcdefg",
+   .psize = 7,
+   .digest = "\xd8\xb5\x46\xac",
+   },
{
.key = "\x87\xa9\xcb\xed",
.ksize = 4,
@@ -42728,6 +42737,11 @@ static const struct hash_testvec crc32c_tv_template[] 
= {
.psize = 0,
.digest = "\x00\x00\x00\x00",
},
+   {
+   .plaintext = "abcdefg",
+   .psize = 7,
+   .digest = "\x41\xf4\x27\xe6",
+   },
{
.key = "\x87\xa9\xcb\xed",
.ksize = 4,
-- 
2.17.0

[PATCH 1/6] crypto: crc32-generic - use unaligned access macros when needed

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

crc32-generic doesn't have a cra_alignmask set, which is desired as its
->update() works with any alignment.  However, it incorrectly assumes
4-byte alignment in ->setkey() and when outputting the final digest.

Fix this by using the unaligned access macros in those cases.

Signed-off-by: Eric Biggers 
---
 crypto/crc32_generic.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/crc32_generic.c b/crypto/crc32_generic.c
index 718cbce8d169..20b879881a2d 100644
--- a/crypto/crc32_generic.c
+++ b/crypto/crc32_generic.c
@@ -29,6 +29,7 @@
  * This is crypto api shash wrappers to crc32_le.
  */
 
+#include 
 #include 
 #include 
 #include 
@@ -69,7 +70,7 @@ static int crc32_setkey(struct crypto_shash *hash, const u8 
*key,
crypto_shash_set_flags(hash, CRYPTO_TFM_RES_BAD_KEY_LEN);
return -EINVAL;
}
-   *mctx = le32_to_cpup((__le32 *)key);
+   *mctx = get_unaligned_le32(key);
return 0;
 }
 
@@ -96,7 +97,7 @@ static int crc32_update(struct shash_desc *desc, const u8 
*data,
 static int __crc32_finup(u32 *crcp, const u8 *data, unsigned int len,
 u8 *out)
 {
-   *(__le32 *)out = cpu_to_le32(__crc32_le(*crcp, data, len));
+   put_unaligned_le32(__crc32_le(*crcp, data, len), out);
return 0;
 }
 
@@ -110,7 +111,7 @@ static int crc32_final(struct shash_desc *desc, u8 *out)
 {
u32 *crcp = shash_desc_ctx(desc);
 
-   *(__le32 *)out = cpu_to_le32p(crcp);
+   put_unaligned_le32(*crcp, out);
return 0;
 }
 
-- 
2.17.0

[PATCH 0/6] crypto: crc32 cleanups and unkeyed tests

2018-05-19 Thread Eric Biggers 
This series fixes up alignment for crc32-generic and crc32c-generic,
removes test vectors for bfin_crc that are no longer needed, and adds
unkeyed test vectors for crc32 and an extra unkeyed test vector for
crc32c.  Adding the unkeyed test vectors also required a testmgr change
to allow a single hash algorithm to have both unkeyed and keyed tests,
without relying on having it work by accident.

The new test vectors pass with the generic and x86 CRC implementations.
I haven't tested others yet; if any happen to be broken, they'll need to
be fixed.

Eric Biggers (6):
  crypto: crc32-generic - use unaligned access macros when needed
  crypto: crc32c-generic - remove cra_alignmask
  crypto: crc32-generic - remove __crc32_le()
  crypto: testmgr - remove bfin_crc "hmac(crc32)" test vectors
  crypto: testmgr - fix testing OPTIONAL_KEY hash algorithms
  crypto: testmgr - add more unkeyed crc32 and crc32c test vectors

 crypto/crc32_generic.c  |  15 ++
 crypto/crc32c_generic.c |   8 ++--
 crypto/tcrypt.c |   4 --
 crypto/testmgr.c|  56 +-
 crypto/testmgr.h| 102 ++--
 5 files changed, 66 insertions(+), 119 deletions(-)

-- 
2.17.0

[PATCH 4/6] crypto: testmgr - remove bfin_crc "hmac(crc32)" test vectors

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

The Blackfin CRC driver was removed by commit 9678a8dc53c1 ("crypto:
bfin_crc - remove blackfin CRC driver"), but it was forgotten to remove
the corresponding "hmac(crc32)" test vectors.  I see no point in keeping
them since nothing else appears to implement or use "hmac(crc32)", which
isn't an algorithm that makes sense anyway because HMAC is meant to be
used with a cryptographically secure hash function, which CRC's are not.

Thus, remove the unneeded test vectors.

Signed-off-by: Eric Biggers 
---
 crypto/tcrypt.c  |  4 ---
 crypto/testmgr.c |  6 
 crypto/testmgr.h | 88 
 3 files changed, 98 deletions(-)

diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index e721faab6fc8..d5bcdd905007 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -1942,10 +1942,6 @@ static int do_test(const char *alg, u32 type, u32 mask, 
int m, u32 num_mb)
ret += tcrypt_test("vmac(aes)");
break;
 
-   case 110:
-   ret += tcrypt_test("hmac(crc32)");
-   break;
-
case 111:
ret += tcrypt_test("hmac(sha3-224)");
break;
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 41a5f42d4104..7e57530ecd52 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -3168,12 +3168,6 @@ static const struct alg_test_desc alg_test_descs[] = {
.suite = {
.hash = __VECS(ghash_tv_template)
}
-   }, {
-   .alg = "hmac(crc32)",
-   .test = alg_test_hash,
-   .suite = {
-   .hash = __VECS(bfin_crc_tv_template)
-   }
}, {
.alg = "hmac(md5)",
.test = alg_test_hash,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 552d8f00d85b..816e3eb197b2 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -43156,94 +43156,6 @@ static const struct hash_testvec crc32c_tv_template[] 
= {
}
 };
 
-/*
- * Blakcifn CRC test vectors
- */
-static const struct hash_testvec bfin_crc_tv_template[] = {
-   {
-   .psize = 0,
-   .digest = "\x00\x00\x00\x00",
-   },
-   {
-   .key = "\x87\xa9\xcb\xed",
-   .ksize = 4,
-   .psize = 0,
-   .digest = "\x87\xa9\xcb\xed",
-   },
-   {
-   .key = "\xff\xff\xff\xff",
-   .ksize = 4,
-   .plaintext = "\x01\x02\x03\x04\x05\x06\x07\x08"
-"\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
-"\x11\x12\x13\x14\x15\x16\x17\x18"
-"\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
-"\x21\x22\x23\x24\x25\x26\x27\x28",
-   .psize = 40,
-   .digest = "\x84\x0c\x8d\xa2",
-   },
-   {
-   .key = "\xff\xff\xff\xff",
-   .ksize = 4,
-   .plaintext = "\x01\x02\x03\x04\x05\x06\x07\x08"
-"\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
-"\x11\x12\x13\x14\x15\x16\x17\x18"
-"\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
-"\x21\x22\x23\x24\x25\x26",
-   .psize = 38,
-   .digest = "\x8c\x58\xec\xb7",
-   },
-   {
-   .key = "\xff\xff\xff\xff",
-   .ksize = 4,
-   .plaintext = "\x01\x02\x03\x04\x05\x06\x07\x08"
-"\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
-"\x11\x12\x13\x14\x15\x16\x17\x18"
-"\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
-"\x21\x22\x23\x24\x25\x26\x27",
-   .psize = 39,
-   .digest = "\xdc\x50\x28\x7b",
-   },
-   {
-   .key = "\xff\xff\xff\xff",
-   .ksize = 4,
-   .plaintext = "\x01\x02\x03\x04\x05\x06\x07\x08"
-"\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
-"\x11\x12\x13\x14\x15\x16\x17\x18"
-"\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
-"\x21\x22\x23\x24\x25\x26\x27\x28"
-"\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
-"\x31\x32\x33\x34\x35\x36\x37\x38"
-"\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
-"\x41\x42\x43\x44\x45\x46\x47\x48"
-"\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
-"\x51\x52\x53\x54\x55\x56\x57\x58"
-"\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
-"\x61\x62\x63\x64\x65\x66\x67\x68"
-"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
-"\x71\x72\x73\x74\x75\x76\x77\x78"
-"\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
-

[PATCH 5/6] crypto: testmgr - fix testing OPTIONAL_KEY hash algorithms

2018-05-19 Thread Eric Biggers 
From: Eric Biggers 

Since testmgr uses a single tfm for all tests of each hash algorithm,
once a key is set the tfm won't be unkeyed anymore.  But with crc32 and
crc32c, the key is really the "default initial state" and is optional;
those algorithms should have both keyed and unkeyed test vectors, to
verify that implementations use the correct default key.

Simply listing the unkeyed test vectors first isn't guaranteed to work
yet because testmgr makes multiple passes through the test vectors.
crc32c does have an unkeyed test vector listed first currently, but it
only works by chance because the last crc32c test vector happens to use
a key that is the same as the default key.

Therefore, teach testmgr to split hash test vectors into unkeyed and
keyed sections, and do all the unkeyed ones before the keyed ones.

Signed-off-by: Eric Biggers 
---
 crypto/testmgr.c | 50 +---
 1 file changed, 43 insertions(+), 7 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 7e57530ecd52..d3335d347e10 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1798,8 +1798,9 @@ static int alg_test_comp(const struct alg_test_desc 
*desc, const char *driver,
return err;
 }
 
-static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
-u32 type, u32 mask)
+static int __alg_test_hash(const struct hash_testvec *template,
+  unsigned int tcount, const char *driver,
+  u32 type, u32 mask)
 {
struct crypto_ahash *tfm;
int err;
@@ -1811,16 +1812,51 @@ static int alg_test_hash(const struct alg_test_desc 
*desc, const char *driver,
return PTR_ERR(tfm);
}
 
-   err = test_hash(tfm, desc->suite.hash.vecs,
-   desc->suite.hash.count, true);
+   err = test_hash(tfm, template, tcount, true);
if (!err)
-   err = test_hash(tfm, desc->suite.hash.vecs,
-   desc->suite.hash.count, false);
-
+   err = test_hash(tfm, template, tcount, false);
crypto_free_ahash(tfm);
return err;
 }
 
+static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
+u32 type, u32 mask)
+{
+   const struct hash_testvec *template = desc->suite.hash.vecs;
+   unsigned int tcount = desc->suite.hash.count;
+   unsigned int nr_unkeyed, nr_keyed;
+   int err;
+
+   /*
+* For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
+* first, before setting a key on the tfm.  To make this easier, we
+* require that the unkeyed test vectors (if any) are listed first.
+*/
+
+   for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
+   if (template[nr_unkeyed].ksize)
+   break;
+   }
+   for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
+   if (!template[nr_unkeyed + nr_keyed].ksize) {
+   pr_err("alg: hash: test vectors for %s out of order, "
+  "unkeyed ones must come first\n", desc->alg);
+   return -EINVAL;
+   }
+   }
+
+   err = 0;
+   if (nr_unkeyed) {
+   err = __alg_test_hash(template, nr_unkeyed, driver, type, mask);
+   template += nr_unkeyed;
+   }
+
+   if (!err && nr_keyed)
+   err = __alg_test_hash(template, nr_keyed, driver, type, mask);
+
+   return err;
+}
+
 static int alg_test_crc32c(const struct alg_test_desc *desc,
   const char *driver, u32 type, u32 mask)
 {
-- 
2.17.0

Re: [PATCH 3/3] crypto: x86 - Add optimized AEGIS implementations

2018-05-19 Thread Eric Biggers 
Hi Ondrej,

On Fri, May 11, 2018 at 02:12:51PM +0200, Ondrej Mosnáček wrote:
> From: Ondrej Mosnacek 
> 
> This patch adds optimized implementations of AEGIS-128, AEGIS-128L,
> and AEGIS-256, utilizing the AES-NI and SSE2 x86 extensions.
> 
> Signed-off-by: Ondrej Mosnacek 
[...]
> +static int crypto_aegis256_aesni_setkey(struct crypto_aead *aead, const u8 
> *key,
> + unsigned int keylen)
> +{
> + struct aegis_ctx *ctx = crypto_aegis256_aesni_ctx(aead);
> +
> + if (keylen != AEGIS256_KEY_SIZE) {
> + crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
> + return -EINVAL;
> + }
> +
> + memcpy(ctx->key.bytes, key, AEGIS256_KEY_SIZE);
> +
> + return 0;
> +}

This code is copying 32 bytes into a 16-byte buffer.

==
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in crypto_aegis256_aesni_setkey+0x23/0x60 
arch/x86/crypto/aegis256-aesni-glue.c:167
Write of size 32 at addr 88006c16b650 by task cryptomgr_test/120
CPU: 2 PID: 120 Comm: cryptomgr_test Not tainted 4.17.0-rc1-00069-g6ecc9d9ff91f 
#31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.11.0-20171110_100015-anatol 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x86/0xca lib/dump_stack.c:113
 print_address_description+0x65/0x204 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.6+0x242/0x304 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:345 [inline]
 crypto_aegis256_aesni_setkey+0x23/0x60 
arch/x86/crypto/aegis256-aesni-glue.c:167
 crypto_aead_setkey+0xa4/0x1e0 crypto/aead.c:62
 cryptd_aead_setkey+0x30/0x50 crypto/cryptd.c:938
 crypto_aead_setkey+0xa4/0x1e0 crypto/aead.c:62
 cryptd_aegis256_aesni_setkey+0x30/0x50 
arch/x86/crypto/aegis256-aesni-glue.c:259
 crypto_aead_setkey+0xa4/0x1e0 crypto/aead.c:62
 __test_aead+0x8bf/0x3770 crypto/testmgr.c:675
 test_aead+0x28/0x110 crypto/testmgr.c:957
 alg_test_aead+0x8b/0x140 crypto/testmgr.c:1690
 alg_test.part.5+0x1bb/0x4d0 crypto/testmgr.c:3845
 alg_test+0x23/0x25 crypto/testmgr.c:3865
 cryptomgr_test+0x56/0x80 crypto/algboss.c:223
 kthread+0x329/0x3f0 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412
Allocated by task 120:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x5f/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x114/0x1d0 mm/slab.c:3727
 kmalloc include/linux/slab.h:517 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 crypto_create_tfm+0x80/0x2c0 crypto/api.c:464
 crypto_spawn_tfm2+0x57/0x90 crypto/algapi.c:717
 crypto_spawn_aead include/crypto/internal/aead.h:112 [inline]
 cryptd_aead_init_tfm+0x3d/0x110 crypto/cryptd.c:1033
 crypto_aead_init_tfm+0x130/0x190 crypto/aead.c:111
 crypto_create_tfm+0xda/0x2c0 crypto/api.c:471
 crypto_alloc_tfm+0xcf/0x1d0 crypto/api.c:543
 crypto_alloc_aead+0x14/0x20 crypto/aead.c:351
 cryptd_alloc_aead+0xeb/0x1c0 crypto/cryptd.c:1334
 cryptd_aegis256_aesni_init_tfm+0x24/0xf0 
arch/x86/crypto/aegis256-aesni-glue.c:308
 crypto_aead_init_tfm+0x130/0x190 crypto/aead.c:111
 crypto_create_tfm+0xda/0x2c0 crypto/api.c:471
 crypto_alloc_tfm+0xcf/0x1d0 crypto/api.c:543
 crypto_alloc_aead+0x14/0x20 crypto/aead.c:351
 alg_test_aead+0x1f/0x140 crypto/testmgr.c:1682
 alg_test.part.5+0x1bb/0x4d0 crypto/testmgr.c:3845
 alg_test+0x23/0x25 crypto/testmgr.c:3865
 cryptomgr_test+0x56/0x80 crypto/algboss.c:223
 kthread+0x329/0x3f0 kernel/kthread.c:238
 ret_from_[   16.453502] serial8250: too much work for irq4
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at 88006c16b600
The buggy address is located 80 bytes inside of
The buggy address belongs to the page:
page:ea00017a4f68 count:1 mapcount:0 mapping:88006c16b000 index:0x0
flags: 0x1000100(slab)
raw: 01000100 88006c16b000  00010015
raw: ea00017a2470 88006d401548 88006d400400
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 88006c16b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88006c16b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88006c16b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
  ^
 88006c16b680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 88006c16b700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==
Disabling lock debugging due to kernel taint

[PATCH v2][RESEND] X.509: unpack RSA signatureValue field from BIT STRING

2018-05-19 Thread Maciej S. Szmigiero 
The signatureValue field of a X.509 certificate is encoded as a BIT STRING.
For RSA signatures this BIT STRING is of so-called primitive subtype, which
contains a u8 prefix indicating a count of unused bits in the encoding.

We have to strip this prefix from signature data, just as we already do for
key data in x509_extract_key_data() function.

This wasn't noticed earlier because this prefix byte is zero for RSA key
sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
prefixes has no bearing on its value.

The signature length, however was incorrect, which is a problem for RSA
implementations that need it to be exactly correct (like AMD CCP).

Signed-off-by: Maciej S. Szmigiero 
Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 
certificates")
Cc: sta...@vger.kernel.org
---
This is a resend of a patch that was previously submitted in one series
with CCP driver changes since this particular patch should go through
the security (rather than crypto) tree.

Changes from v1: Change '!' to '== 0'.

 crypto/asymmetric_keys/x509_cert_parser.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c 
b/crypto/asymmetric_keys/x509_cert_parser.c
index 7d81e6bb461a..b6cabac4b62b 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -249,6 +249,15 @@ int x509_note_signature(void *context, size_t hdrlen,
return -EINVAL;
}
 
+   if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0) {
+   /* Discard the BIT STRING metadata */
+   if (vlen < 1 || *(const u8 *)value != 0)
+   return -EBADMSG;
+
+   value++;
+   vlen--;
+   }
+
ctx->cert->raw_sig = value;
ctx->cert->raw_sig_size = vlen;
return 0;