linux-stable.git/include/crypto/hash.h, branch linux-4.9.y Linux kernel stable tree crypto: hash - prevent using keyed hashes without setting key 2018-02-25T10:05:44+00:00 Eric Biggers ebiggers@google.com 2018-01-03T19:16:27+00:00 adf26e87f4b73d1f820352b0bfa085f6aaf3f51a commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream. Currently, almost none of the keyed hash algorithms check whether a key has been set before proceeding. Some algorithms are okay with this and will effectively just use a key of all 0's or some other bogus default. However, others will severely break, as demonstrated using "hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash via a (potentially exploitable) stack buffer overflow. A while ago, this problem was solved for AF_ALG by pairing each hash transform with a 'has_key' bool. However, there are still other places in the kernel where userspace can specify an arbitrary hash algorithm by name, and the kernel uses it as unkeyed hash without checking whether it is really unkeyed. Examples of this include: - KEYCTL_DH_COMPUTE, via the KDF extension - dm-verity - dm-crypt, via the ESSIV support - dm-integrity, via the "internal hash" mode with no key given - drbd (Distributed Replicated Block Device) This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no privileges to call. Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the ->crt_flags of each hash transform that indicates whether the transform still needs to be keyed or not. Then, make the hash init, import, and digest functions return -ENOKEY if the key is still needed. The new flag also replaces the 'has_key' bool which algif_hash was previously using, thereby simplifying the algif_hash implementation. Reported-by: syzbot <syzkaller@googlegroups.com> Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream.

Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding.  Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.

A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool.  However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed.  Examples of this include:

    - KEYCTL_DH_COMPUTE, via the KDF extension
    - dm-verity
    - dm-crypt, via the ESSIV support
    - dm-integrity, via the "internal hash" mode with no key given
    - drbd (Distributed Replicated Block Device)

This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.

Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not.  Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.

The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.

Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
crypto: doc - document correct return value for request allocation 2016-04-15T14:35:44+00:00 Eric Biggers ebiggers3@gmail.com 2016-04-02T15:54:56+00:00 6eae29e7e7144d01a6d6af111d232b36cdd30f51 Signed-off-by: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: hash - Add helpers to return alg and driver names 2016-02-06T07:33:13+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-02-01T13:36:52+00:00 d12481bc58fba89427565f8592e88446ec084a24 This patch adds helpers to retrieve the alg name and driver name of crypto_shash and crypto_ahash objects. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch adds helpers to retrieve the alg name and driver name
of crypto_shash and crypto_ahash objects.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: hash - Add crypto_has_ahash helper 2016-01-25T14:42:13+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-01-23T05:52:40+00:00 8d18e34c1fe22418ae0b5475ab0d1956d69ad195 This patch adds the helper crypto_has_ahash which should replace crypto_has_hash. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch adds the helper crypto_has_ahash which should replace
crypto_has_hash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: hash - Add helpers to zero stack request/descriptor 2016-01-25T14:42:11+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-01-22T15:17:58+00:00 e67ffe0af4d450e95e5f9bb7d081500e30777857 As the size of an ahash_request or shash_desc is variable, it's awkward to zero them explicitly. This patch adds helpers to do that which should be used when they are created on the stack. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
As the size of an ahash_request or shash_desc is variable, it's
awkward to zero them explicitly.  This patch adds helpers to do
that which should be used when they are created on the stack.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: hash - Add crypto_ahash_has_setkey 2016-01-18T10:16:11+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-01-08T13:28:26+00:00 a5596d6332787fd383b3b5427b41f94254430827 This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch adds a way for ahash users to determine whether a key
is required by a crypto_ahash transform.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: ahash - Add crypto_ahash_blocksize 2015-10-20T14:10:48+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-10-19T01:37:41+00:00 524e56c31a6fe21e6f6f543360359e7a97dfabfb This patch adds the missing helper crypto_ahash_blocksize which returns the block size of an ahash algorithm. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch adds the missing helper crypto_ahash_blocksize which
returns the block size of an ahash algorithm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: hash - Add AHASH_REQUEST_ON_STACK 2015-08-21T14:21:20+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-08-20T09:02:40+00:00 d4421c54c45f643731c92daa8e268ce74dcdf5a2 This patch adds the helper AHASH_REQUEST_ON_STACK for those users of ahash that are synchronous only. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch adds the helper AHASH_REQUEST_ON_STACK for those users
of ahash that are synchronous only.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: doc - Fix typo in crypto-API.xml 2015-06-04T07:05:08+00:00 Masanari Iida standby24x7@gmail.com 2015-06-03T15:01:21+00:00 12f7c14aa602f15ad60e5a9da459271f63b92917 This patch fix some typos found in crypto-API.xml. It is because the file is generated from comments in sources, so I had to fix typo in sources. Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch fix some typos found in crypto-API.xml.
It is because the file is generated from comments in sources,
so I had to fix typo in sources.

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: doc - document uncovered member variables 2014-11-17T14:53:48+00:00 Stephan Mueller smueller@chronox.de 2014-11-14T04:26:21+00:00 52744af3af977ccbbf768be34650d7c75cfc1ad6 Fix documentation typo for shash_alg->descsize. Add documentation for initially uncovered member variables. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Fix documentation typo for shash_alg->descsize.

Add documentation for initially uncovered member variables.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>