lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sat, 5 Jun 2021 00:29:21 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     linux-fscrypt@...r.kernel.org
Cc:     linux-ext4@...r.kernel.org, stable@...r.kernel.org,
        Daniel Rosenberg <drosen@...gle.com>,
        linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [PATCH] fscrypt: fix derivation of SipHash keys on big endian
 CPUs

On Thu, May 27, 2021 at 03:55:25PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> Typically, the cryptographic APIs that fscrypt uses take keys as byte
> arrays, which avoids endianness issues.  However, siphash_key_t is an
> exception.  It is defined as 'u64 key[2];', i.e. the 128-bit key is
> expected to be given directly as two 64-bit words in CPU endianness.
> 
> fscrypt_derive_dirhash_key() forgot to take this into account.
> Therefore, the SipHash keys used to index encrypted+casefolded
> directories differ on big endian vs. little endian platforms.
> This makes such directories non-portable between these platforms.
> 
> Fix this by always using the little endian order.  This is a breaking
> change for big endian platforms, but this should be fine in practice
> since the encrypt+casefold support isn't known to actually be used on
> any big endian platforms yet.
> 
> Fixes: aa408f835d02 ("fscrypt: derive dirhash key for casefolded directories")
> Cc: <stable@...r.kernel.org> # v5.6+
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
>  fs/crypto/keysetup.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)

I missed that fscrypt_setup_iv_ino_lblk_32_key() has the same bug too.
I'll send out a new patch which fixes both of these...

- Eric

Powered by blists - more mailing lists