1 From 6a1faa4a43f5fabf9cbeaa742d916e7b5e73120f Mon Sep 17 00:00:00 2001
2 From: Eric Biggers <ebiggers@google.com>
3 Date: Thu, 18 Apr 2019 14:44:27 -0700
4 Subject: crypto: ccm - fix incompatibility between "ccm" and "ccm_base"
6 From: Eric Biggers <ebiggers@google.com>
8 commit 6a1faa4a43f5fabf9cbeaa742d916e7b5e73120f upstream.
10 CCM instances can be created by either the "ccm" template, which only
11 allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
12 which allows choosing the ctr and cbcmac implementations, e.g.
13 "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
15 However, a "ccm_base" instance prevents a "ccm" instance from being
16 registered using the same implementations. Nor will the instance be
17 found by lookups of "ccm". This can be used as a denial of service.
18 Moreover, "ccm_base" instances are never tested by the crypto
19 self-tests, even if there are compatible "ccm" tests.
21 The root cause of these problems is that instances of the two templates
22 use different cra_names. Therefore, fix these problems by making
23 "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
24 "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
26 This requires extracting the block cipher name from the name of the ctr
27 and cbcmac algorithms. It also requires starting to verify that the
28 algorithms are really ctr and cbcmac using the same block cipher, not
29 something else entirely. But it would be bizarre if anyone were
30 actually using non-ccm-compatible algorithms with ccm_base, so this
31 shouldn't break anyone in practice.
33 Fixes: 4a49b499dfa0 ("[CRYPTO] ccm: Added CCM mode")
34 Cc: stable@vger.kernel.org
35 Signed-off-by: Eric Biggers <ebiggers@google.com>
36 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
37 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
41 crypto/ccm.c | 44 ++++++++++++++++++--------------------------
42 1 file changed, 18 insertions(+), 26 deletions(-)
46 @@ -455,7 +455,6 @@ static void crypto_ccm_free(struct aead_
48 static int crypto_ccm_create_common(struct crypto_template *tmpl,
50 - const char *full_name,
54 @@ -483,7 +482,8 @@ static int crypto_ccm_create_common(stru
56 mac = __crypto_hash_alg_common(mac_alg);
58 - if (mac->digestsize != 16)
59 + if (strncmp(mac->base.cra_name, "cbcmac(", 7) != 0 ||
60 + mac->digestsize != 16)
63 inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
64 @@ -506,23 +506,27 @@ static int crypto_ccm_create_common(stru
66 ctr = crypto_spawn_skcipher_alg(&ictx->ctr);
68 - /* Not a stream cipher? */
69 + /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
71 - if (ctr->base.cra_blocksize != 1)
72 + if (strncmp(ctr->base.cra_name, "ctr(", 4) != 0 ||
73 + crypto_skcipher_alg_ivsize(ctr) != 16 ||
74 + ctr->base.cra_blocksize != 1)
77 - /* We want the real thing! */
78 - if (crypto_skcipher_alg_ivsize(ctr) != 16)
79 + /* ctr and cbcmac must use the same underlying block cipher. */
80 + if (strcmp(ctr->base.cra_name + 4, mac->base.cra_name + 7) != 0)
84 + if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
85 + "ccm(%s", ctr->base.cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
88 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
89 "ccm_base(%s,%s)", ctr->base.cra_driver_name,
90 mac->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
93 - memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
95 inst->alg.base.cra_flags = ctr->base.cra_flags & CRYPTO_ALG_ASYNC;
96 inst->alg.base.cra_priority = (mac->base.cra_priority +
97 ctr->base.cra_priority) / 2;
98 @@ -564,7 +568,6 @@ static int crypto_ccm_create(struct cryp
99 const char *cipher_name;
100 char ctr_name[CRYPTO_MAX_ALG_NAME];
101 char mac_name[CRYPTO_MAX_ALG_NAME];
102 - char full_name[CRYPTO_MAX_ALG_NAME];
104 cipher_name = crypto_attr_alg_name(tb[1]);
105 if (IS_ERR(cipher_name))
106 @@ -578,12 +581,7 @@ static int crypto_ccm_create(struct cryp
107 cipher_name) >= CRYPTO_MAX_ALG_NAME)
108 return -ENAMETOOLONG;
110 - if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm(%s)", cipher_name) >=
111 - CRYPTO_MAX_ALG_NAME)
112 - return -ENAMETOOLONG;
114 - return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
116 + return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
119 static struct crypto_template crypto_ccm_tmpl = {
120 @@ -596,23 +594,17 @@ static int crypto_ccm_base_create(struct
123 const char *ctr_name;
124 - const char *cipher_name;
125 - char full_name[CRYPTO_MAX_ALG_NAME];
126 + const char *mac_name;
128 ctr_name = crypto_attr_alg_name(tb[1]);
129 if (IS_ERR(ctr_name))
130 return PTR_ERR(ctr_name);
132 - cipher_name = crypto_attr_alg_name(tb[2]);
133 - if (IS_ERR(cipher_name))
134 - return PTR_ERR(cipher_name);
136 - if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "ccm_base(%s,%s)",
137 - ctr_name, cipher_name) >= CRYPTO_MAX_ALG_NAME)
138 - return -ENAMETOOLONG;
139 + mac_name = crypto_attr_alg_name(tb[2]);
140 + if (IS_ERR(mac_name))
141 + return PTR_ERR(mac_name);
143 - return crypto_ccm_create_common(tmpl, tb, full_name, ctr_name,
145 + return crypto_ccm_create_common(tmpl, tb, ctr_name, mac_name);
148 static struct crypto_template crypto_ccm_base_tmpl = {