drbd: forbid keyed hash algorithms for online verify

HMAC algorithms are only used for authenticating peers (configured in cram-hmac-alg). For the verify algorithm, it does not make sense to use a keyed hash, and it also crashes DRBD. Explicitly forbid using verify algorithms which require a key.
LINBIT · Mar 1, 2021 · 34ee32e · 34ee32e
1 parent f4d6482
commit 34ee32e
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/drbd/drbd_nl.c b/drbd/drbd_nl.c
@@ -3704,6 +3704,10 @@ alloc_crypto(struct crypto *crypto, struct net_conf *new_net_conf)
 			return ERR_INTEGRITY_ALG;
 		}
 	}
+	if (crypto->verify_tfm && (crypto_shash_get_flags(crypto->verify_tfm) & CRYPTO_TFM_NEED_KEY)) {
+		pr_err("may not use a keyed alorithm for verify (tried to use %s, but it requires a key)\n", new_net_conf->verify_alg);
+		return ERR_INTEGRITY_ALG;
+	}
 	if (new_net_conf->cram_hmac_alg[0] != 0) {
 		snprintf(hmac_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)",
 			 new_net_conf->cram_hmac_alg);