kernel/include/crypto/hash.h, branch linux-4.15.y

crypto: hash - prevent using keyed hashes without setting key

2018-02-16T19:06:48Z

commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream. Currently, almost none of the keyed hash algorithms check whether a key has been set before proceeding. Some algorithms are okay with this and will effectively just use a key of all 0's or some other bogus default. However, others will severely break, as demonstrated using "hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash via a (potentially exploitable) stack buffer overflow. A while ago, this problem was solved for AF_ALG by pairing each hash transform with a 'has_key' bool. However, there are still other places in the kernel where userspace can specify an arbitrary hash algorithm by name, and the kernel uses it as unkeyed hash without checking whether it is really unkeyed. Examples of this include: - KEYCTL_DH_COMPUTE, via the KDF extension - dm-verity - dm-crypt, via the ESSIV support - dm-integrity, via the "internal hash" mode with no key given - drbd (Distributed Replicated Block Device) This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no privileges to call. Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the ->crt_flags of each hash transform that indicates whether the transform still needs to be keyed or not. Then, make the hash init, import, and digest functions return -ENOKEY if the key is still needed. The new flag also replaces the 'has_key' bool which algif_hash was previously using, thereby simplifying the algif_hash implementation. Reported-by: syzbot Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman

crypto: doc - clarify return values for async hash methods

2017-09-22T09:43:03Z

* fix documentation of return values for crypto_ahash_init(), crypto_ahash_finup(), crypto_ahash_final(), crypto_ahash_digest() and crypto_ahash_update() Also while at it: * add notes for device driver developers in struct ahash_alg description * fix description of @final method in struct ahash_alg * fix typo in crypto_ahash_finup() description Signed-off-by: Kamil Konieczny Signed-off-by: Herbert Xu

crypto: doc - Fix hash export state information

2017-02-03T10:16:11Z

The documentation states that crypto_ahash_reqsize() provides the size of the state structure used by crypto_ahash_export(). But it's actually crypto_ahash_statesize() which provides this size. Signed-off-by: Rabin Vincent Signed-off-by: Herbert Xu

crypto: doc - fix source comments for Sphinx

2016-12-13T23:38:05Z

Update comments to avoid any complaints from Sphinx during compilation. Signed-off-by: Stephan Mueller Signed-off-by: Jonathan Corbet

crypto: doc - document correct return value for request allocation

2016-04-15T14:35:44Z

Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu

crypto: hash - Add helpers to return alg and driver names

2016-02-06T07:33:13Z

This patch adds helpers to retrieve the alg name and driver name of crypto_shash and crypto_ahash objects. Signed-off-by: Herbert Xu

crypto: hash - Add crypto_has_ahash helper

2016-01-25T14:42:13Z

This patch adds the helper crypto_has_ahash which should replace crypto_has_hash. Signed-off-by: Herbert Xu

crypto: hash - Add helpers to zero stack request/descriptor

2016-01-25T14:42:11Z

As the size of an ahash_request or shash_desc is variable, it's awkward to zero them explicitly. This patch adds helpers to do that which should be used when they are created on the stack. Signed-off-by: Herbert Xu

crypto: hash - Add crypto_ahash_has_setkey

2016-01-18T10:16:11Z

This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu

crypto: ahash - Add crypto_ahash_blocksize

2015-10-20T14:10:48Z

This patch adds the missing helper crypto_ahash_blocksize which returns the block size of an ahash algorithm. Signed-off-by: Herbert Xu