On Thu, Sep 6, 2018 at 7:49 AM, Ard Biesheuvel
[off-list ref] wrote:

On 6 September 2018 at 15:11, Herbert Xu [off-list ref] wrote:

quoted

On Thu, Sep 06, 2018 at 11:29:41AM +0200, Ard Biesheuvel wrote:

quoted

Perhaps not, but it is not enforced atm.

In any case, limiting the reqsize is going to break things, so that
needs to occur based on the sync/async nature of the algo. That also
means we'll corrupt the stack if we ever end up using
SKCIPHER_REQUEST_ON_STACK() with an async algo whose reqsize is
greater than the sync reqsize limit, so I do think some additional
sanity check is appropriate.

I'd prefer compile-time based checks.  Perhaps we can introduce
a wrapper around crypto_skcipher, say crypto_skcipher_sync which
could then be used by SKCIPHER_REQUEST_ON_STACK to ensure that
only sync algorithms can use this construct.

That would require lots of changes in the callers, including ones that
already take care to use sync algos only.

How about we do something like the below instead?

Oh, I like this, thanks!

-Kees

-- 
Kees Cook
Pixel Security