Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.16.76 2018-06-16T21:21:52+00:00 2018-06-16T21:21:52+00:00 Eric Biggers ebiggers@google.com 2018-01-03T19:16:27+00:00 urn:sha1:2f5c85c4fa7bfc5862d1438a2d7535a304c7ba4e commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream. Currently, almost none of the keyed hash algorithms check whether a key has been set before proceeding. Some algorithms are okay with this and will effectively just use a key of all 0's or some other bogus default. However, others will severely break, as demonstrated using "hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash via a (potentially exploitable) stack buffer overflow. A while ago, this problem was solved for AF_ALG by pairing each hash transform with a 'has_key' bool. However, there are still other places in the kernel where userspace can specify an arbitrary hash algorithm by name, and the kernel uses it as unkeyed hash without checking whether it is really unkeyed. Examples of this include: - KEYCTL_DH_COMPUTE, via the KDF extension - dm-verity - dm-crypt, via the ESSIV support - dm-integrity, via the "internal hash" mode with no key given - drbd (Distributed Replicated Block Device) This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no privileges to call. Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the ->crt_flags of each hash transform that indicates whether the transform still needs to be keyed or not. Then, make the hash init, import, and digest functions return -ENOKEY if the key is still needed. The new flag also replaces the 'has_key' bool which algif_hash was previously using, thereby simplifying the algif_hash implementation. Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [bwh: Backported to 3.16: - In hash_accept_parent_nokey(), update initialisation of ds to use tfm - Adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2016-02-02T19:09:55+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-01-08T13:28:26+00:00 urn:sha1:2a8bef7ad6aea4016de6fb02d11092ed1953b550 commit a5596d6332787fd383b3b5427b41f94254430827 upstream. This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> [ luis: backported to 3.16: adjusted context ] Signed-off-by: Luis Henriques <luis.henriques@canonical.com> 2009-07-15T13:16:05+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-15T13:16:05+00:00 urn:sha1:fa64966473830219fe74952029ddb0e981a87749 When an shash algorithm is exported as ahash, ahash will access its digest size through hash_alg_common. That's why the shash layout needs to match hash_alg_common. This wasn't the case because the alignment weren't identical. This patch fixes the problem. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-15T04:40:40+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-15T04:40:40+00:00 urn:sha1:66f6ce5e52f2f209d5bf1f06167cec888f4f4c13 This patch exports the finup operation where available and adds a default finup operation for ahash. The operations final, finup and digest also will now deal with unaligned result pointers by copying it. Finally export/import operations are will now be exported too. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-14T12:29:57+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-14T12:29:57+00:00 urn:sha1:500b3e3c3dc8e4845b77ae81e5b7b085ab183ce6 Now that all ahash implementations have been converted to the new ahash type, we can remove old_ahash_alg and its associated support. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-14T07:54:07+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-14T04:28:26+00:00 urn:sha1:88056ec346ccf41f63dbc7080b24b5fd19d1358d This patch converts crypto_ahash to the new style. The old ahash algorithm type is retained until the existing ahash implementations are also converted. All ahash users will automatically get the new crypto_ahash type. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-14T04:58:00+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-14T04:50:12+00:00 urn:sha1:113adefc73c291f93f875fe515a46d8f76252fff This patch changes descsize to a run-time attribute so that implementations can change it in their init functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-12T02:46:03+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-11T14:22:14+00:00 urn:sha1:aef73cfcb913eae3d0deeb60eb385f75039db40b This patch changes the kfree call to kzfree for async requests. As the request may contain sensitive data it needs to be zeroed before it can be reallocated by others. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-07-11T10:23:32+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-07-09T12:30:57+00:00 urn:sha1:99d27e1c59e34869605de625b033c52163f5bfa7 This patch replaces the full descriptor export with an export of the partial hash state. This allows the use of a consistent export format across all implementations of a given algorithm. This is useful because a number of cases require the use of the partial hash state, e.g., PadLock can use the SHA1 hash state to get around the fact that it can only hash contiguous data chunks. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-02-18T08:48:06+00:00 Herbert Xu herbert@gondor.apana.org.au 2009-02-03T01:47:44+00:00 urn:sha1:9749598633efc2561224954217ff0d70aeed8b50 This function is needed by algorithms that don't know their own block size, e.g., in s390 where the code is common between multiple versions of SHA. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>