From: Eric Biggers <ebiggers@xxxxxxxxxx>

This series updates the crypto API to consistently prevent using keyed algorithms without setting the key. Currently this is prevented for AF_ALG but not for other crypto API users, which is very problematic for other places in the kernel where userspace can specify a hash algorithm by name, e.g. KEYCTL_DH_COMPUTE as demonstrated by syzbot (https://marc.info/?l=linux-crypto-vger&m=151395810921850).

This series fixes the bug for all users by adding a flag CRYPTO_ALG_NEED_KEY to crypto_tfm.crt_flags. This flag is set if needed when the tfm is created, is cleared when the key is set, and is checked when doing an operation that would require the key.

Patches 1-6 update the hash API, which is the primary fix. I've marked all those patches for stable, which is kind of a pain, but it seems the alternative would be very messy -- we'd have to patch at least 5 different crypto API users (probably missing some), then revert those patches upstream once we have the proper fix at the API level.

The last two patches also extend the fix to the skcipher and AEAD APIs, primarily as a sanity check since users should be less likely to try to use skciphers or AEADs without setting a key.

Eric Biggers (9):
  crypto: hash - introduce crypto_hash_alg_has_setkey()
  crypto: cryptd - pass through absence of ->setkey()
  crypto: mcryptd - pass through absence of ->setkey()
  crypto: poly1305 - remove ->setkey() method
  crypto: hash - annotate algorithms taking optional key
  crypto: hash - prevent using keyed hashes without setting key
  crypto: ghash - remove checks for key being set
  crypto: skcipher - prevent using skciphers without setting key
  crypto: aead - prevent using AEADs without setting key

 arch/arm/crypto/crc32-ce-glue.c                    |  2 +
 arch/arm64/crypto/crc32-ce-glue.c                  |  2 +
 arch/powerpc/crypto/crc32c-vpmsum_glue.c           |  1 +
 arch/s390/crypto/crc32-vx.c                        |  3 ++
 arch/sparc/crypto/crc32c_glue.c                    |  1 +
 arch/x86/crypto/crc32-pclmul_glue.c                |  1 +
 arch/x86/crypto/crc32c-intel_glue.c                |  1 +
 arch/x86/crypto/poly1305_glue.c                    |  1 -
 crypto/aead.c                                      | 13 ++++-
 crypto/ahash.c                                     | 33 ++++++++++--
 crypto/algif_aead.c                                | 11 ++--
 crypto/algif_hash.c                                | 52 ++++---------------
 crypto/algif_skcipher.c                            | 59 +++++-----------------
 crypto/crc32_generic.c                             |  1 +
 crypto/crc32c_generic.c                            |  1 +
 crypto/cryptd.c                                    | 10 ++--
 crypto/ghash-generic.c                             |  6 ---
 crypto/mcryptd.c                                   | 10 ++--
 crypto/poly1305_generic.c                          | 17 ++-----
 crypto/shash.c                                     | 25 +++++++--
 crypto/skcipher.c                                  | 30 +++++++++--
 drivers/crypto/bfin_crc.c                          |  3 +-
 drivers/crypto/stm32/stm32_crc32.c                 |  2 +
 .../lustre/lnet/libcfs/linux/linux-crypto-adler.c  |  1 +
 include/crypto/aead.h                              | 10 +++-
 include/crypto/hash.h                              | 34 +++++++++----
 include/crypto/internal/hash.h                     |  2 +
 include/crypto/poly1305.h                          |  2 -
 include/crypto/skcipher.h                          | 11 ++--
 include/linux/crypto.h                             |  8 +++
 30 files changed, 195 insertions(+), 158 deletions(-)

-- 
2.15.1.620.gb9897f4670-goog
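
A user-space model of the flag lifecycle the cover letter describes (set at creation if needed, cleared by setkey, checked before any keyed operation), added here as an illustration and not taken from the patch series. Only the names CRYPTO_ALG_NEED_KEY and crt_flags come from the message; the struct and function names, the bit value, the error codes and the rule for when a key is required are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Flag name is from the cover letter; the bit value is constructed for this model. */
#define CRYPTO_ALG_NEED_KEY 0x1u
#ifndef ENOKEY
#define ENOKEY 126 /* fallback for hosts whose errno.h lacks it */
#endif

/* Hypothetical stand-ins for an algorithm descriptor and a tfm. */
struct model_alg { int has_setkey; int optional_key; };
struct model_tfm { const struct model_alg *alg; unsigned int crt_flags; };

/* Creation: set the flag only when the algorithm cannot run unkeyed (assumed rule). */
static void model_tfm_init(struct model_tfm *tfm, const struct model_alg *alg)
{
    tfm->alg = alg;
    tfm->crt_flags = 0;
    if (alg->has_setkey && !alg->optional_key)
        tfm->crt_flags |= CRYPTO_ALG_NEED_KEY;
}

/* Setting a key clears the flag; a rejected key leaves it set. */
static int model_setkey(struct model_tfm *tfm, const unsigned char *key, size_t len)
{
    if (!tfm->alg->has_setkey)
        return -ENOSYS;
    if (key == NULL || len == 0)
        return -EINVAL;
    tfm->crt_flags &= ~CRYPTO_ALG_NEED_KEY;
    return 0;
}

/* Every operation that would consume the key checks the flag first. */
static int model_digest(const struct model_tfm *tfm)
{
    if (tfm->crt_flags & CRYPTO_ALG_NEED_KEY)
        return -ENOKEY; /* error code chosen for the model */
    return 0; /* the hash computation itself is out of scope here */
}

int main(void)
{
    static const struct model_alg keyed = { 1, 0 };
    struct model_tfm tfm;
    model_tfm_init(&tfm, &keyed);
    printf("before setkey: %d\n", model_digest(&tfm));
    model_setkey(&tfm, (const unsigned char *)"k", 1);
    printf("after setkey: %d\n", model_digest(&tfm));
    return 0;
}
```

Because the check lives in the operation itself, a caller that reaches the algorithm by name gets the same refusal as one going through AF_ALG.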