From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: Herbert Xu, "David S . Miller", Eric Biggers
Subject: [RFC PATCH 9/9] crypto: aead - prevent using AEADs without setting key
Date: Wed, 3 Jan 2018 11:16:30 -0800
Message-Id: <20180103191630.79917-10-ebiggers3@gmail.com>
In-Reply-To: <20180103191630.79917-1-ebiggers3@gmail.com>
References: <20180103191630.79917-1-ebiggers3@gmail.com>
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10142881
X-Patchwork-Delegate: herbert@gondor.apana.org.au

From: Eric Biggers Similar to what was done for the hash API, update the AEAD API to track whether each transform has been keyed, and reject encryption/decryption if a key is needed but one hasn't been set. This isn't quite as important as the equivalent fix for the hash API because AEADs always require a key, so are unlikely to be used without one. Still, tracking the key will prevent accidental unkeyed use. algif_aead also had to track the key anyway, so the new flag replaces that and slightly simplifies the algif_aead implementation. Signed-off-by: Eric Biggers --- crypto/aead.c | 13 +++++++++++-- crypto/algif_aead.c | 11 +++-------- include/crypto/aead.h | 10 +++++++++- 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/crypto/aead.c b/crypto/aead.c index fe00cbd7243d..60b3bbe973e7 100644 --- a/crypto/aead.c +++ b/crypto/aead.c @@ -54,11 +54,18 @@ int crypto_aead_setkey(struct crypto_aead *tfm, const u8 *key, unsigned int keylen) { unsigned long alignmask = crypto_aead_alignmask(tfm); + int err; if ((unsigned long)key & alignmask) - return setkey_unaligned(tfm, key, keylen); + err = setkey_unaligned(tfm, key, keylen); + else + err = crypto_aead_alg(tfm)->setkey(tfm, key, keylen); + + if (err) + return err; - return crypto_aead_alg(tfm)->setkey(tfm, key, keylen); + crypto_aead_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); + return 0; } EXPORT_SYMBOL_GPL(crypto_aead_setkey); @@ -93,6 +100,8 @@ static int crypto_aead_init_tfm(struct crypto_tfm *tfm) struct crypto_aead *aead = __crypto_aead_cast(tfm); struct aead_alg *alg = crypto_aead_alg(aead); + crypto_aead_set_flags(aead, CRYPTO_TFM_NEED_KEY); + aead->authsize = alg->maxauthsize; if (alg->exit) diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index d963c8cf8a55..4b07edd5a9ff 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -42,7 +42,6 @@ struct aead_tfm { struct crypto_aead *aead; - bool has_key; struct crypto_skcipher *null_tfm; }; 
@@ -398,7 +397,7 @@ static int aead_check_key(struct socket *sock) err = -ENOKEY; lock_sock_nested(psk, SINGLE_DEPTH_NESTING); - if (!tfm->has_key) + if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) goto unlock; if (!pask->refcnt++) @@ -523,12 +522,8 @@ static int aead_setauthsize(void *private, unsigned int authsize) static int aead_setkey(void *private, const u8 *key, unsigned int keylen) { struct aead_tfm *tfm = private; - int err; - - err = crypto_aead_setkey(tfm->aead, key, keylen); - tfm->has_key = !err; - return err; + return crypto_aead_setkey(tfm->aead, key, keylen); } static void aead_sock_destruct(struct sock *sk) @@ -589,7 +584,7 @@ static int aead_accept_parent(void *private, struct sock *sk) { struct aead_tfm *tfm = private; - if (!tfm->has_key) + if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) return -ENOKEY; return aead_accept_parent_nokey(private, sk); diff --git a/include/crypto/aead.h b/include/crypto/aead.h index 03b97629442c..1e26f790b03f 100644 --- a/include/crypto/aead.h +++ b/include/crypto/aead.h @@ -327,7 +327,12 @@ static inline struct crypto_aead *crypto_aead_reqtfm(struct aead_request *req) */ static inline int crypto_aead_encrypt(struct aead_request *req) { - return crypto_aead_alg(crypto_aead_reqtfm(req))->encrypt(req); + struct crypto_aead *aead = crypto_aead_reqtfm(req); + + if (crypto_aead_get_flags(aead) & CRYPTO_TFM_NEED_KEY) + return -ENOKEY; + + return crypto_aead_alg(aead)->encrypt(req); } /** @@ -356,6 +361,9 @@ static inline int crypto_aead_decrypt(struct aead_request *req) { struct crypto_aead *aead = crypto_aead_reqtfm(req); + if (crypto_aead_get_flags(aead) & CRYPTO_TFM_NEED_KEY) + return -ENOKEY; + if (req->cryptlen < crypto_aead_authsize(aead)) return -EINVAL;
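Review bot: In crypto_aead_setkey() in crypto/aead.c, the `if (err) return err;` path leaves CRYPTO_TFM_NEED_KEY as it was, so a tfm that was keyed once and then sees a failed setkey still passes the new checks in crypto_aead_encrypt() and crypto_aead_decrypt(). The algif_aead code this replaces did `tfm->has_key = !err;`, which dropped back to the unkeyed state on failure, so this is also a behaviour change for aead_check_key() and aead_accept_parent(). If any ->setkey() can fail after it has already modified the tfm context, the transform could keep running in a state that matches neither the old key nor the new one; consider calling crypto_aead_set_flags(tfm, CRYPTO_TFM_NEED_KEY) on the error path, or state in the commit message why keeping the previous state is intended.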
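Review bot: The `crypto_aead_set_flags(aead, CRYPTO_TFM_NEED_KEY);` line added to crypto_aead_init_tfm() in crypto/aead.c is unconditional and carries no comment. The commit message gives the reason (AEADs always require a key), but that is not visible at the call site, and a reader who has seen the hash API change, where the check applies only "if a key is needed", may look for a condition here. A one-line comment saying that every AEAD must be keyed before use, so the flag is always set at init, would settle it.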
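Review bot: The -ENOKEY return added to crypto_aead_encrypt() and crypto_aead_decrypt() in include/crypto/aead.h is not documented: both hunks begin after the closing `*/` of the preceding comment and leave its text untouched. Please list -ENOKEY among the documented return values so callers know that a request on an unkeyed transform now fails at submission. In crypto_aead_decrypt() the key check sits before the `req->cryptlen < crypto_aead_authsize(aead)` test, so an unkeyed tfm given a short input reports -ENOKEY rather than -EINVAL; that ordering looks right, but it is worth a sentence in the comment or the commit message.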