mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/Documentation/security
History
Nikolaus Voss 1d1a710c19 KEYS: encrypted: fix key instantiation with user-provided data 
commit 5adedd4224 upstream.

Commit cd3bc044af ("KEYS: encrypted: Instantiate key with
user-provided decrypted data") added key instantiation with user
provided decrypted data.  The user data is hex-ascii-encoded but was
just memcpy'ed to the binary buffer. Fix this to use hex2bin instead.

Old keys created from user provided decrypted data saved with "keyctl
pipe" are still valid, however if the key is recreated from decrypted
data the old key must be converted to the correct format. This can be
done with a small shell script, e.g.:

BROKENKEY=abcdefABCDEF1234567890aaaaaaaaaa
NEWKEY=$(echo -ne $BROKENKEY | xxd -p -c32)
keyctl add user masterkey "$(cat masterkey.bin)" @u
keyctl add encrypted testkey "new user:masterkey 32 $NEWKEY" @u

However, NEWKEY is still broken: If for BROKENKEY 32 bytes were
specified, a brute force attacker knowing the key properties would only
need to try at most 2^(16*8) keys, as if the key was only 16 bytes long.

The security issue is a result of the combination of limiting the input
range to hex-ascii and using memcpy() instead of hex2bin(). It could
have been fixed either by allowing binary input or using hex2bin() (and
doubling the ascii input key length). This patch implements the latter.

The corresponding test for the Linux Test Project ltp has also been
fixed (see link below).

Fixes: cd3bc044af ("KEYS: encrypted: Instantiate key with user-provided decrypted data")
Cc: stable@kernel.org
Link: https://lore.kernel.org/ltp/20221006081709.92303897@mail.steuer-voss.de/
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Nikolaus Voss <nikolaus.voss@haag-streit.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2022-12-21 17:48:11 +01:00
..
keys KEYS: encrypted: fix key instantiation with user-provided data 2022-12-21 17:48:11 +01:00
secrets Documentation: KVM: update amd-memory-encryption.rst references 2022-07-07 13:09:59 -06:00
tpm
IMA-templates.rst ima: support fs-verity file digest based version 3 signatures 2022-05-05 17:41:51 -04:00
SCTP.rst
credentials.rst
digsig.rst
index.rst docs: security: Add secrets/coco documentation 2022-04-13 19:11:20 +02:00
landlock.rst landlock: Fix documentation style 2022-09-29 18:43:04 +02:00
lsm-development.rst
lsm.rst
sak.rst
self-protection.rst
siphash.rst Documentation: siphash: Fix typo in the name of offsetofend macro 2022-07-13 14:01:22 -06:00