summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2019-01-06 18:47:44 -0800
committerHerbert Xu <herbert@gondor.apana.org.au>2019-01-18 18:40:24 +0800
commit6ebc97006b196aafa9df0497fdfa866cf26f259b (patch)
treefcc0ccae96877a620ee626445cf63b3b8f35352a
parentb1f6b4bf416b49f00f3abc49c639371cdecaaad1 (diff)
downloadlinux-6ebc97006b196aafa9df0497fdfa866cf26f259b.tar.gz
linux-6ebc97006b196aafa9df0497fdfa866cf26f259b.tar.bz2
linux-6ebc97006b196aafa9df0497fdfa866cf26f259b.zip
crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
Some algorithms have a ->setkey() method that is not atomic, in the sense that setting a key can fail after changes were already made to the tfm context. In this case, if a key was already set the tfm can end up in a state that corresponds to neither the old key nor the new key. For example, in gcm.c, if the kzalloc() fails due to lack of memory, then the CTR part of GCM will have the new key but GHASH will not. It's not feasible to make all ->setkey() methods atomic, especially ones that have to key multiple sub-tfms. Therefore, make the crypto API set CRYPTO_TFM_NEED_KEY if ->setkey() fails, to prevent the tfm from being used until a new key is set. [Cc stable mainly because when introducing the NEED_KEY flag I changed AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG previously didn't have this problem. So these "incompletely keyed" states became theoretically accessible via AF_ALG -- though, the opportunities for causing real mischief seem pretty limited.] Fixes: dc26c17f743a ("crypto: aead - prevent using AEADs without setting key") Cc: <stable@vger.kernel.org> # v4.16+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/aead.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/aead.c b/crypto/aead.c
index 189c52d1f63a..4908b5e846f0 100644
--- a/crypto/aead.c
+++ b/crypto/aead.c
@@ -61,8 +61,10 @@ int crypto_aead_setkey(struct crypto_aead *tfm,
else
err = crypto_aead_alg(tfm)->setkey(tfm, key, keylen);
- if (err)
+ if (unlikely(err)) {
+ crypto_aead_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
return err;
+ }
crypto_aead_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
return 0;