From e1bd95bf7c25530a99ce371e0a26e4932efc021d Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Tue, 11 Nov 2014 05:37:57 +0100 Subject: crypto: algif - zeroize IV buffer Zeroize the buffer holding the IV used for the completed cipher operation before the buffer is released by the skcipher AF_ALG interface handler. Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu --- crypto/algif_skcipher.c | 1 + 1 file changed, 1 insertion(+) (limited to 'crypto/algif_skcipher.c') diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 83187f497c7c..85e3bdbe214c 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -566,6 +566,7 @@ static void skcipher_sock_destruct(struct sock *sk) struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req); skcipher_free_sgl(sk); + memzero_explicit(ctx->iv, crypto_ablkcipher_ivsize(tfm)); sock_kfree_s(sk, ctx->iv, crypto_ablkcipher_ivsize(tfm)); sock_kfree_s(sk, ctx, ctx->len); af_alg_release_parent(sk); -- cgit v1.2.3 From 79e886599e6416d0de26e8562e4464577d081c3d Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 19 Nov 2014 17:13:11 +0100 Subject: crypto: algif - add and use sock_kzfree_s() instead of memzero_explicit() Commit e1bd95bf7c25 ("crypto: algif - zeroize IV buffer") and 2a6af25befd0 ("crypto: algif - zeroize message digest buffer") added memzero_explicit() calls on buffers that are later on passed back to sock_kfree_s(). This is a discussed follow-up that, instead, extends the sock API and adds sock_kzfree_s(), which internally uses kzfree() instead of kfree() for passing the buffers back to slab. Having sock_kzfree_s() allows to keep the changes more minimal by just having a drop-in replacement instead of adding memzero_explicit() calls everywhere before sock_kfree_s(). In kzfree(), the compiler is not allowed to optimize the memset() away and thus there's no need for memzero_explicit(). Both, sock_kfree_s() and sock_kzfree_s() are wrappers for __sock_kfree_s() and call into kfree() resp. kzfree(); here, __sock_kfree_s() needs to be explicitly inlined as we want the compiler to optimize the call and condition away and thus it produces e.g. on x86_64 the _same_ assembler output for sock_kfree_s() before and after, and thus also allows for avoiding code duplication. Cc: David S. Miller Signed-off-by: Daniel Borkmann Signed-off-by: Herbert Xu --- crypto/algif_hash.c | 6 ++---- crypto/algif_skcipher.c | 3 +-- include/net/sock.h | 1 + net/core/sock.c | 24 ++++++++++++++++++++---- 4 files changed, 24 insertions(+), 10 deletions(-) (limited to 'crypto/algif_skcipher.c') diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index f75db4ce48bf..e6050396a3b3 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -258,10 +258,8 @@ static void hash_sock_destruct(struct sock *sk) struct alg_sock *ask = alg_sk(sk); struct hash_ctx *ctx = ask->private; - memzero_explicit(ctx->result, - crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req))); - sock_kfree_s(sk, ctx->result, - crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req))); + sock_kzfree_s(sk, ctx->result, + crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req))); sock_kfree_s(sk, ctx, ctx->len); af_alg_release_parent(sk); } diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 85e3bdbe214c..34389964000d 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -566,8 +566,7 @@ static void skcipher_sock_destruct(struct sock *sk) struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req); skcipher_free_sgl(sk); - memzero_explicit(ctx->iv, crypto_ablkcipher_ivsize(tfm)); - sock_kfree_s(sk, ctx->iv, crypto_ablkcipher_ivsize(tfm)); + sock_kzfree_s(sk, ctx->iv, crypto_ablkcipher_ivsize(tfm)); sock_kfree_s(sk, ctx, ctx->len); af_alg_release_parent(sk); } diff --git a/include/net/sock.h b/include/net/sock.h index 7db3db112baa..37d6cc5dcf33 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1588,6 +1588,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len, int *errcode, int max_page_order); void *sock_kmalloc(struct sock *sk, int size, gfp_t priority); void sock_kfree_s(struct sock *sk, void *mem, int size); +void sock_kzfree_s(struct sock *sk, void *mem, int size); void sk_send_sigurg(struct sock *sk); /* diff --git a/net/core/sock.c b/net/core/sock.c index 15e0c67b1069..04ce26a996bd 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1713,18 +1713,34 @@ void *sock_kmalloc(struct sock *sk, int size, gfp_t priority) } EXPORT_SYMBOL(sock_kmalloc); -/* - * Free an option memory block. +/* Free an option memory block. Note, we actually want the inline + * here as this allows gcc to detect the nullify and fold away the + * condition entirely. */ -void sock_kfree_s(struct sock *sk, void *mem, int size) +static inline void __sock_kfree_s(struct sock *sk, void *mem, int size, + const bool nullify) { if (WARN_ON_ONCE(!mem)) return; - kfree(mem); + if (nullify) + kzfree(mem); + else + kfree(mem); atomic_sub(size, &sk->sk_omem_alloc); } + +void sock_kfree_s(struct sock *sk, void *mem, int size) +{ + __sock_kfree_s(sk, mem, size, false); +} EXPORT_SYMBOL(sock_kfree_s); +void sock_kzfree_s(struct sock *sk, void *mem, int size) +{ + __sock_kfree_s(sk, mem, size, true); +} +EXPORT_SYMBOL(sock_kzfree_s); + /* It is almost wait_for_tcp_memory minus release_sock/lock_sock. I think, these locks should be removed for datagram sockets. */ -- cgit v1.2.3 From 1e104f9a251b46787c3efc2bc9c8c496dead294b Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 27 Nov 2014 22:38:12 +0800 Subject: crypto: algif_skcipher - Fixed blocking recvmsg As most (all?) users of algif_skcipher are single-threaded and therefore always write before reading from an algif_skcipher socket, they never block and exercise that code-path. It turns out that code path doesn't even work because we never reload ctx->used after waking up so we never even see the new data and immediately return an error (and a loud WARN_ON). This patch fixes this by always reloading ctx->used. Reported-by: Stephan Mueller Signed-off-by: Herbert Xu Acked-by: Stephan Mueller --- crypto/algif_skcipher.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'crypto/algif_skcipher.c') diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 34389964000d..f80e652ef0d0 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -448,14 +448,13 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, while (!sg->length) sg++; - used = ctx->used; - if (!used) { + if (!ctx->used) { err = skcipher_wait_for_data(sk, flags); if (err) goto unlock; } - used = min_t(unsigned long, used, seglen); + used = min_t(unsigned long, ctx->used, seglen); used = af_alg_make_sg(&ctx->rsgl, from, used, 1); err = used; -- cgit v1.2.3 From 9ba0905f1740f4dbd26c51883511079944e9c97d Mon Sep 17 00:00:00 2001 From: "Struk, Tadeusz" Date: Fri, 28 Nov 2014 10:40:45 -0800 Subject: crypto: algif_skcipher - removed unneeded code Remover unneeded code. Signed-off-by: Tadeusz Struk Signed-off-by: Herbert Xu --- crypto/algif_skcipher.c | 4 ---- 1 file changed, 4 deletions(-) (limited to 'crypto/algif_skcipher.c') diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index f80e652ef0d0..f2a88a7a71d3 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -359,8 +359,6 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket *sock, err = 0; ctx->more = msg->msg_flags & MSG_MORE; - if (!ctx->more && !list_empty(&ctx->tsgl)) - sgl = list_entry(ctx->tsgl.prev, struct skcipher_sg_list, list); unlock: skcipher_data_wakeup(sk); @@ -408,8 +406,6 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page, done: ctx->more = flags & MSG_MORE; - if (!ctx->more && !list_empty(&ctx->tsgl)) - sgl = list_entry(ctx->tsgl.prev, struct skcipher_sg_list, list); unlock: skcipher_data_wakeup(sk); -- cgit v1.2.3 From f26b7b8052daee7ba8bc3f732aa2c20e8c69aea6 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Sun, 30 Nov 2014 10:55:26 +0100 Subject: crypto: algif_skcipher - initialize upon init request When using the algif_skcipher, the following call sequence causess a re-initialization: 1. sendmsg with ALG_SET_OP and iov == NULL, iovlen == 0 (i.e initializing the cipher, but not sending data) 2. sendmsg with msg->msg-controllen == 0 and iov != NULL (using the initalized cipher handle by sending data) In step 2, the cipher operation type (encryption or decryption) is reset to always decryption, because the local variable of enc is put into ctx->enc as ctx->user is still zero. The same applies when all send data is processed and ctx->used falls to zero followed by user space to send new data. This patch changes the behavior to only reset the cipher operation type (and the IV) if such configuration request is received. Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu --- crypto/algif_skcipher.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'crypto/algif_skcipher.c') diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index f2a88a7a71d3..3e84f4a729f0 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -251,6 +251,7 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket *sock, struct af_alg_control con = {}; long copied = 0; bool enc = 0; + bool init = 0; int err; int i; @@ -259,6 +260,7 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket *sock, if (err) return err; + init = 1; switch (con.op) { case ALG_OP_ENCRYPT: enc = 1; @@ -280,7 +282,7 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket *sock, if (!ctx->more && ctx->used) goto unlock; - if (!ctx->used) { + if (init) { ctx->enc = enc; if (con.iv) memcpy(ctx->iv, con.iv->iv, ivsize); -- cgit v1.2.3