• Eric Biggers's avatar
    crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails · 736807d6
    Eric Biggers authored
    commit 6ebc9700 upstream.
    
    Some algorithms have a ->setkey() method that is not atomic, in the
    sense that setting a key can fail after changes were already made to the
    tfm context.  In this case, if a key was already set the tfm can end up
    in a state that corresponds to neither the old key nor the new key.
    
    For example, in gcm.c, if the kzalloc() fails due to lack of memory,
    then the CTR part of GCM will have the new key but GHASH will not.
    
    It's not feasible to make all ->setkey() methods atomic, especially ones
    that have to key multiple sub-tfms.  Therefore, make the crypto API set
    CRYPTO_TFM_NEED_KEY if ->setkey() fails, to prevent the tfm from being
    used until a new key is set.
    
    [Cc stable mainly because when introducing the NEED_KEY flag I changed
     AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
     previously didn't have this problem.  So these "incompletely keyed"
     states became theoretically accessible via AF_ALG -- though, the
     opportunities for causing real mischief seem pretty limited.]
    
    Fixes: dc26c17f ("crypto: aead - prevent using AEADs without setting key")
    Cc: <stable@vger.kernel.org> # v4.16+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    736807d6
aead.c 10.3 KB