From 1f35065a9e2573427ce3fd6c4a40b355c2ddfb92 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 13 Dec 2010 16:53:12 -0500 Subject: encrypted-keys: verify datablob size before converting to binary Verify the hex ascii datablob length is correct before converting the IV, encrypted data, and HMAC to binary. Reported-by: David Howells Signed-off-by: Mimi Zohar Acked-by: David Howells Signed-off-by: James Morris --- security/keys/encrypted_defined.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'security') diff --git a/security/keys/encrypted_defined.c b/security/keys/encrypted_defined.c index 3f4085703e6c..d653e991c694 100644 --- a/security/keys/encrypted_defined.c +++ b/security/keys/encrypted_defined.c @@ -129,8 +129,7 @@ out: * On success returns 0, otherwise -EINVAL. */ static int datablob_parse(char *datablob, char **master_desc, - char **decrypted_datalen, char **hex_encoded_iv, - char **hex_encoded_data) + char **decrypted_datalen, char **hex_encoded_iv) { substring_t args[MAX_OPT_ARGS]; int ret = -EINVAL; @@ -167,7 +166,6 @@ static int datablob_parse(char *datablob, char **master_desc, *hex_encoded_iv = strsep(&datablob, " \t"); if (!*hex_encoded_iv) break; - *hex_encoded_data = *hex_encoded_iv + (2 * ivsize) + 2; ret = 0; break; case Opt_update: @@ -558,18 +556,24 @@ static struct encrypted_key_payload *encrypted_key_alloc(struct key *key, } static int encrypted_key_decrypt(struct encrypted_key_payload *epayload, - const char *hex_encoded_iv, - const char *hex_encoded_data) + const char *hex_encoded_iv) { struct key *mkey; u8 derived_key[HASH_SIZE]; u8 *master_key; u8 *hmac; + const char *hex_encoded_data; unsigned int master_keylen; unsigned int encrypted_datalen; + size_t asciilen; int ret; encrypted_datalen = roundup(epayload->decrypted_datalen, blksize); + asciilen = (ivsize + 1 + encrypted_datalen + HASH_SIZE) * 2; + if (strlen(hex_encoded_iv) != asciilen) + return -EINVAL; + + hex_encoded_data = hex_encoded_iv + (2 * ivsize) + 2; hex2bin(epayload->iv, hex_encoded_iv, ivsize); hex2bin(epayload->encrypted_data, hex_encoded_data, encrypted_datalen); @@ -620,20 +624,18 @@ static void __ekey_init(struct encrypted_key_payload *epayload, */ static int encrypted_init(struct encrypted_key_payload *epayload, const char *master_desc, const char *datalen, - const char *hex_encoded_iv, - const char *hex_encoded_data) + const char *hex_encoded_iv) { int ret = 0; __ekey_init(epayload, master_desc, datalen); - if (!hex_encoded_data) { + if (!hex_encoded_iv) { get_random_bytes(epayload->iv, ivsize); get_random_bytes(epayload->decrypted_data, epayload->decrypted_datalen); } else - ret = encrypted_key_decrypt(epayload, hex_encoded_iv, - hex_encoded_data); + ret = encrypted_key_decrypt(epayload, hex_encoded_iv); return ret; } @@ -653,7 +655,6 @@ static int encrypted_instantiate(struct key *key, const void *data, char *master_desc = NULL; char *decrypted_datalen = NULL; char *hex_encoded_iv = NULL; - char *hex_encoded_data = NULL; int ret; if (datalen <= 0 || datalen > 32767 || !data) @@ -665,7 +666,7 @@ static int encrypted_instantiate(struct key *key, const void *data, datablob[datalen] = 0; memcpy(datablob, data, datalen); ret = datablob_parse(datablob, &master_desc, &decrypted_datalen, - &hex_encoded_iv, &hex_encoded_data); + &hex_encoded_iv); if (ret < 0) goto out; @@ -675,7 +676,7 @@ static int encrypted_instantiate(struct key *key, const void *data, goto out; } ret = encrypted_init(epayload, master_desc, decrypted_datalen, - hex_encoded_iv, hex_encoded_data); + hex_encoded_iv); if (ret < 0) { kfree(epayload); goto out; @@ -722,7 +723,7 @@ static int encrypted_update(struct key *key, const void *data, size_t datalen) buf[datalen] = 0; memcpy(buf, data, datalen); - ret = datablob_parse(buf, &new_master_desc, NULL, NULL, NULL); + ret = datablob_parse(buf, &new_master_desc, NULL, NULL); if (ret < 0) goto out; -- cgit v1.2.3-70-g09d2