From 876a053bb3938fd7b35beec1081d1db2f62a4113 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 6 Jan 2019 18:47:42 -0800 Subject: crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails Some algorithms have a ->setkey() method that is not atomic, in the sense that setting a key can fail after changes were already made to the tfm context. In this case, if a key was already set the tfm can end up in a state that corresponds to neither the old key nor the new key. It's not feasible to make all ->setkey() methods atomic, especially ones that have to key multiple sub-tfms. Therefore, make the crypto API set CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a key, to prevent the tfm from being used until a new key is set. Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so ->setkey() for those must nevertheless be atomic. That's fine for now since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's not intended that OPTIONAL_KEY be used much. [Cc stable mainly because when introducing the NEED_KEY flag I changed AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG previously didn't have this problem. So these "incompletely keyed" states became theoretically accessible via AF_ALG -- though, the opportunities for causing real mischief seem pretty limited.] Fixes: 40c60e1610b6 ("crypto: hash - prevent using keyed hashes without setting key") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu --- crypto/shash.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'crypto/shash.c') diff --git a/crypto/shash.c b/crypto/shash.c index 44d297b8..40311cca 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -53,6 +53,13 @@ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key, return err; } +static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg) +{ + if (crypto_shash_alg_has_setkey(alg) && + !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) + crypto_shash_set_flags(tfm, CRYPTO_TFM_NEED_KEY); +} + int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) { @@ -65,8 +72,10 @@ int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key, else err = shash->setkey(tfm, key, keylen); - if (err) + if (unlikely(err)) { + shash_set_needkey(tfm, shash); return err; + } crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); return 0; @@ -373,7 +382,8 @@ int crypto_init_shash_ops_async(struct crypto_tfm *tfm) crt->final = shash_async_final; crt->finup = shash_async_finup; crt->digest = shash_async_digest; - crt->setkey = shash_async_setkey; + if (crypto_shash_alg_has_setkey(alg)) + crt->setkey = shash_async_setkey; crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) & CRYPTO_TFM_NEED_KEY); @@ -395,9 +405,7 @@ static int crypto_shash_init_tfm(struct crypto_tfm *tfm) hash->descsize = alg->descsize; - if (crypto_shash_alg_has_setkey(alg) && - !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) - crypto_shash_set_flags(hash, CRYPTO_TFM_NEED_KEY); + shash_set_needkey(hash, alg); return 0; } -- cgit v1.2.3 From 2ab40e63dd048c38f750e3fe1848543a81694042 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 6 Jan 2019 19:07:20 -0800 Subject: crypto: shash - require neither or both ->export() and ->import() Prevent registering shash algorithms that implement ->export() but not ->import(), or ->import() but not ->export(). Such cases don't make sense and could confuse the check that shash_prepare_alg() does for just ->export(). I don't believe this affects any existing algorithms; this is just preventing future mistakes. Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu --- crypto/shash.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'crypto/shash.c') diff --git a/crypto/shash.c b/crypto/shash.c index 40311cca..2bffdecf 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -472,6 +472,9 @@ static int shash_prepare_alg(struct shash_alg *alg) alg->statesize > HASH_MAX_STATESIZE) return -EINVAL; + if ((alg->export && !alg->import) || (alg->import && !alg->export)) + return -EINVAL; + base->cra_type = &crypto_shash_type; base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK; base->cra_flags |= CRYPTO_ALG_TYPE_SHASH; -- cgit v1.2.3 From 120faf3caa61be210fb1ff50ffa7f9e274760188 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 6 Jan 2019 19:08:01 -0800 Subject: crypto: shash - remove pointless checks of shash_alg::{export,import} crypto_init_shash_ops_async() only gives the ahash tfm non-NULL ->export() and ->import() if the underlying shash alg has these non-NULL. This doesn't make sense because when an shash algorithm is registered, shash_prepare_alg() sets a default ->export() and ->import() if the implementor didn't provide them. And elsewhere it's assumed that all shash algs and ahash tfms have non-NULL ->export() and ->import(). Therefore, remove these unnecessary, always-true conditions. Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu --- crypto/shash.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'crypto/shash.c') diff --git a/crypto/shash.c b/crypto/shash.c index 2bffdecf..15b369c4 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -388,10 +388,8 @@ int crypto_init_shash_ops_async(struct crypto_tfm *tfm) crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) & CRYPTO_TFM_NEED_KEY); - if (alg->export) - crt->export = shash_async_export; - if (alg->import) - crt->import = shash_async_import; + crt->export = shash_async_export; + crt->import = shash_async_import; crt->reqsize = sizeof(struct shash_desc) + crypto_shash_descsize(shash); -- cgit v1.2.3