linux/security/keys
Jason A. Donenfeld 428490e38b security/keys: rewrite all of big_key crypto
This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, so that we wouldn't use bad randomness at boot
time. But, upon looking further, it appears that there were even deeper
underlying cryptographic problems, and that this seems to have been
committed with very little crypto review. So, I rewrote the whole thing,
trying to keep to the conventions introduced by the previous author, to
fix these cryptographic flaws.

It makes no sense to seed crypto/rng at boot time and then keep
using it like this, when in fact there's already get_random_bytes_wait,
which can ensure there's enough entropy and be a much more standard way
of generating keys. Since this sensitive material is being stored
untrusted, using ECB and no authentication is simply not okay at all. I
find it surprising and a bit horrifying that this code even made it past
basic crypto review, which perhaps points to some larger issues. This
patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
generated each time, we can set the nonce to zero. There was also a race
condition in which the same key would be reused at the same time in
different threads. A mutex fixes this issue now.

So, to summarize, this commit fixes the following vulnerabilities:

  * Low entropy key generation, allowing an attacker to potentially
    guess or predict keys.
  * Unauthenticated encryption, allowing an attacker to modify the
    cipher text in particular ways in order to manipulate the plaintext,
    which is is even more frightening considering the next point.
  * Use of ECB mode, allowing an attacker to trivially swap blocks or
    compare identical plaintext blocks.
  * Key re-use.
  * Faulty memory zeroing.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Cc: stable@vger.kernel.org
2017-09-25 23:31:58 +01:00
..
encrypted-keys There has been a fair amount of activity in the docs tree this time 2017-07-03 21:13:25 -07:00
big_key.c security/keys: rewrite all of big_key crypto 2017-09-25 23:31:58 +01:00
compat_dh.c KEYS: DH: validate __spare field 2017-07-14 11:01:38 +10:00
compat.c KEYS: add SP800-56A KDF support for DH 2017-04-04 22:33:38 +01:00
dh.c KEYS: DH: validate __spare field 2017-07-14 11:01:38 +10:00
gc.c KEYS: sanitize key structs before freeing 2017-06-09 13:29:48 +10:00
internal.h KEYS: prevent creating a different user's keyrings 2017-09-25 15:19:57 +01:00
Kconfig security/keys: rewrite all of big_key crypto 2017-09-25 23:31:58 +01:00
key.c KEYS: reset parent each time before searching key_user_tree 2017-09-25 15:19:57 +01:00
keyctl.c KEYS: prevent KEYCTL_READ on negative key 2017-09-25 15:19:57 +01:00
keyring.c KEYS: prevent creating a different user's keyrings 2017-09-25 15:19:57 +01:00
Makefile KEYS: add SP800-56A KDF support for DH 2017-04-04 22:33:38 +01:00
permission.c KEYS: Move the flags representing required permission to linux/key.h 2014-03-14 17:44:49 +00:00
persistent.c sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> 2017-03-02 08:42:31 +01:00
proc.c KEYS: restrict /proc/keys by credentials at open time 2017-09-25 15:19:57 +01:00
process_keys.c KEYS: prevent creating a different user's keyrings 2017-09-25 15:19:57 +01:00
request_key_auth.c KEYS: use kmemdup() in request_key_auth_new() 2017-09-25 15:19:57 +01:00
request_key.c doc: ReSTify keys-request-key.txt 2017-05-18 10:33:51 -06:00
sysctl.c security: Convert use of typedef ctl_table to struct ctl_table 2014-04-15 13:39:58 +10:00
trusted.c There has been a fair amount of activity in the docs tree this time 2017-07-03 21:13:25 -07:00
trusted.h keys, trusted: move struct trusted_key_options to trusted-type.h 2015-10-19 01:01:21 +02:00
user_defined.c KEYS: user_defined: sanitize key payloads 2017-06-09 13:29:48 +10:00