1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* In-software asymmetric public-key crypto subtype 3 * 4 * See Documentation/crypto/asymmetric-keys.rst 5 * 6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 7 * Written by David Howells (dhowells@redhat.com) 8 */ 9 10 #define pr_fmt(fmt) "PKEY: "fmt 11 #include <linux/module.h> 12 #include <linux/export.h> 13 #include <linux/kernel.h> 14 #include <linux/slab.h> 15 #include <linux/seq_file.h> 16 #include <linux/scatterlist.h> 17 #include <linux/asn1.h> 18 #include <keys/asymmetric-subtype.h> 19 #include <crypto/public_key.h> 20 #include <crypto/akcipher.h> 21 #include <crypto/sm2.h> 22 #include <crypto/sm3_base.h> 23 24 MODULE_DESCRIPTION("In-software asymmetric public-key subtype"); 25 MODULE_AUTHOR("Red Hat, Inc."); 26 MODULE_LICENSE("GPL"); 27 28 /* 29 * Provide a part of a description of the key for /proc/keys. 30 */ 31 static void public_key_describe(const struct key *asymmetric_key, 32 struct seq_file *m) 33 { 34 struct public_key *key = asymmetric_key->payload.data[asym_crypto]; 35 36 if (key) 37 seq_printf(m, "%s.%s", key->id_type, key->pkey_algo); 38 } 39 40 /* 41 * Destroy a public key algorithm key. 42 */ 43 void public_key_free(struct public_key *key) 44 { 45 if (key) { 46 kfree(key->key); 47 kfree(key->params); 48 kfree(key); 49 } 50 } 51 EXPORT_SYMBOL_GPL(public_key_free); 52 53 /* 54 * Destroy a public key algorithm key. 55 */ 56 static void public_key_destroy(void *payload0, void *payload3) 57 { 58 public_key_free(payload0); 59 public_key_signature_free(payload3); 60 } 61 62 /* 63 * Given a public_key, and an encoding and hash_algo to be used for signing 64 * and/or verification with that key, determine the name of the corresponding 65 * akcipher algorithm. Also check that encoding and hash_algo are allowed. 66 */ 67 static int 68 software_key_determine_akcipher(const struct public_key *pkey, 69 const char *encoding, const char *hash_algo, 70 char alg_name[CRYPTO_MAX_ALG_NAME]) 71 { 72 int n; 73 74 if (!encoding) 75 return -EINVAL; 76 77 if (strcmp(pkey->pkey_algo, "rsa") == 0) { 78 /* 79 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. 80 */ 81 if (strcmp(encoding, "pkcs1") == 0) { 82 if (!hash_algo) 83 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 84 "pkcs1pad(%s)", 85 pkey->pkey_algo); 86 else 87 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 88 "pkcs1pad(%s,%s)", 89 pkey->pkey_algo, hash_algo); 90 return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; 91 } 92 if (strcmp(encoding, "raw") != 0) 93 return -EINVAL; 94 /* 95 * Raw RSA cannot differentiate between different hash 96 * algorithms. 97 */ 98 if (hash_algo) 99 return -EINVAL; 100 } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 101 if (strcmp(encoding, "x962") != 0) 102 return -EINVAL; 103 /* 104 * ECDSA signatures are taken over a raw hash, so they don't 105 * differentiate between different hash algorithms. That means 106 * that the verifier should hard-code a specific hash algorithm. 107 * Unfortunately, in practice ECDSA is used with multiple SHAs, 108 * so we have to allow all of them and not just one. 109 */ 110 if (!hash_algo) 111 return -EINVAL; 112 if (strcmp(hash_algo, "sha1") != 0 && 113 strcmp(hash_algo, "sha224") != 0 && 114 strcmp(hash_algo, "sha256") != 0 && 115 strcmp(hash_algo, "sha384") != 0 && 116 strcmp(hash_algo, "sha512") != 0) 117 return -EINVAL; 118 } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { 119 if (strcmp(encoding, "raw") != 0) 120 return -EINVAL; 121 if (!hash_algo) 122 return -EINVAL; 123 if (strcmp(hash_algo, "sm3") != 0) 124 return -EINVAL; 125 } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { 126 if (strcmp(encoding, "raw") != 0) 127 return -EINVAL; 128 if (!hash_algo) 129 return -EINVAL; 130 if (strcmp(hash_algo, "streebog256") != 0 && 131 strcmp(hash_algo, "streebog512") != 0) 132 return -EINVAL; 133 } else { 134 /* Unknown public key algorithm */ 135 return -ENOPKG; 136 } 137 if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) 138 return -EINVAL; 139 return 0; 140 } 141 142 static u8 *pkey_pack_u32(u8 *dst, u32 val) 143 { 144 memcpy(dst, &val, sizeof(val)); 145 return dst + sizeof(val); 146 } 147 148 /* 149 * Query information about a key. 150 */ 151 static int software_key_query(const struct kernel_pkey_params *params, 152 struct kernel_pkey_query *info) 153 { 154 struct crypto_akcipher *tfm; 155 struct public_key *pkey = params->key->payload.data[asym_crypto]; 156 char alg_name[CRYPTO_MAX_ALG_NAME]; 157 u8 *key, *ptr; 158 int ret, len; 159 160 ret = software_key_determine_akcipher(pkey, params->encoding, 161 params->hash_algo, alg_name); 162 if (ret < 0) 163 return ret; 164 165 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 166 if (IS_ERR(tfm)) 167 return PTR_ERR(tfm); 168 169 ret = -ENOMEM; 170 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 171 GFP_KERNEL); 172 if (!key) 173 goto error_free_tfm; 174 memcpy(key, pkey->key, pkey->keylen); 175 ptr = key + pkey->keylen; 176 ptr = pkey_pack_u32(ptr, pkey->algo); 177 ptr = pkey_pack_u32(ptr, pkey->paramlen); 178 memcpy(ptr, pkey->params, pkey->paramlen); 179 180 if (pkey->key_is_private) 181 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 182 else 183 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 184 if (ret < 0) 185 goto error_free_key; 186 187 len = crypto_akcipher_maxsize(tfm); 188 info->key_size = len * 8; 189 190 if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 191 /* 192 * ECDSA key sizes are much smaller than RSA, and thus could 193 * operate on (hashed) inputs that are larger than key size. 194 * For example SHA384-hashed input used with secp256r1 195 * based keys. Set max_data_size to be at least as large as 196 * the largest supported hash size (SHA512) 197 */ 198 info->max_data_size = 64; 199 200 /* 201 * Verify takes ECDSA-Sig (described in RFC 5480) as input, 202 * which is actually 2 'key_size'-bit integers encoded in 203 * ASN.1. Account for the ASN.1 encoding overhead here. 204 */ 205 info->max_sig_size = 2 * (len + 3) + 2; 206 } else { 207 info->max_data_size = len; 208 info->max_sig_size = len; 209 } 210 211 info->max_enc_size = len; 212 info->max_dec_size = len; 213 info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT | 214 KEYCTL_SUPPORTS_VERIFY); 215 if (pkey->key_is_private) 216 info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT | 217 KEYCTL_SUPPORTS_SIGN); 218 ret = 0; 219 220 error_free_key: 221 kfree(key); 222 error_free_tfm: 223 crypto_free_akcipher(tfm); 224 pr_devel("<==%s() = %d\n", __func__, ret); 225 return ret; 226 } 227 228 /* 229 * Do encryption, decryption and signing ops. 230 */ 231 static int software_key_eds_op(struct kernel_pkey_params *params, 232 const void *in, void *out) 233 { 234 const struct public_key *pkey = params->key->payload.data[asym_crypto]; 235 struct akcipher_request *req; 236 struct crypto_akcipher *tfm; 237 struct crypto_wait cwait; 238 struct scatterlist in_sg, out_sg; 239 char alg_name[CRYPTO_MAX_ALG_NAME]; 240 char *key, *ptr; 241 int ret; 242 243 pr_devel("==>%s()\n", __func__); 244 245 ret = software_key_determine_akcipher(pkey, params->encoding, 246 params->hash_algo, alg_name); 247 if (ret < 0) 248 return ret; 249 250 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 251 if (IS_ERR(tfm)) 252 return PTR_ERR(tfm); 253 254 ret = -ENOMEM; 255 req = akcipher_request_alloc(tfm, GFP_KERNEL); 256 if (!req) 257 goto error_free_tfm; 258 259 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 260 GFP_KERNEL); 261 if (!key) 262 goto error_free_req; 263 264 memcpy(key, pkey->key, pkey->keylen); 265 ptr = key + pkey->keylen; 266 ptr = pkey_pack_u32(ptr, pkey->algo); 267 ptr = pkey_pack_u32(ptr, pkey->paramlen); 268 memcpy(ptr, pkey->params, pkey->paramlen); 269 270 if (pkey->key_is_private) 271 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 272 else 273 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 274 if (ret) 275 goto error_free_key; 276 277 sg_init_one(&in_sg, in, params->in_len); 278 sg_init_one(&out_sg, out, params->out_len); 279 akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, 280 params->out_len); 281 crypto_init_wait(&cwait); 282 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 283 CRYPTO_TFM_REQ_MAY_SLEEP, 284 crypto_req_done, &cwait); 285 286 /* Perform the encryption calculation. */ 287 switch (params->op) { 288 case kernel_pkey_encrypt: 289 ret = crypto_akcipher_encrypt(req); 290 break; 291 case kernel_pkey_decrypt: 292 ret = crypto_akcipher_decrypt(req); 293 break; 294 case kernel_pkey_sign: 295 ret = crypto_akcipher_sign(req); 296 break; 297 default: 298 BUG(); 299 } 300 301 ret = crypto_wait_req(ret, &cwait); 302 if (ret == 0) 303 ret = req->dst_len; 304 305 error_free_key: 306 kfree(key); 307 error_free_req: 308 akcipher_request_free(req); 309 error_free_tfm: 310 crypto_free_akcipher(tfm); 311 pr_devel("<==%s() = %d\n", __func__, ret); 312 return ret; 313 } 314 315 #if IS_REACHABLE(CONFIG_CRYPTO_SM2) 316 static int cert_sig_digest_update(const struct public_key_signature *sig, 317 struct crypto_akcipher *tfm_pkey) 318 { 319 struct crypto_shash *tfm; 320 struct shash_desc *desc; 321 size_t desc_size; 322 unsigned char dgst[SM3_DIGEST_SIZE]; 323 int ret; 324 325 BUG_ON(!sig->data); 326 327 /* SM2 signatures always use the SM3 hash algorithm */ 328 if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0) 329 return -EINVAL; 330 331 ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, 332 SM2_DEFAULT_USERID_LEN, dgst); 333 if (ret) 334 return ret; 335 336 tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); 337 if (IS_ERR(tfm)) 338 return PTR_ERR(tfm); 339 340 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); 341 desc = kzalloc(desc_size, GFP_KERNEL); 342 if (!desc) { 343 ret = -ENOMEM; 344 goto error_free_tfm; 345 } 346 347 desc->tfm = tfm; 348 349 ret = crypto_shash_init(desc); 350 if (ret < 0) 351 goto error_free_desc; 352 353 ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE); 354 if (ret < 0) 355 goto error_free_desc; 356 357 ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); 358 359 error_free_desc: 360 kfree(desc); 361 error_free_tfm: 362 crypto_free_shash(tfm); 363 return ret; 364 } 365 #else 366 static inline int cert_sig_digest_update( 367 const struct public_key_signature *sig, 368 struct crypto_akcipher *tfm_pkey) 369 { 370 return -ENOTSUPP; 371 } 372 #endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */ 373 374 /* 375 * Verify a signature using a public key. 376 */ 377 int public_key_verify_signature(const struct public_key *pkey, 378 const struct public_key_signature *sig) 379 { 380 struct crypto_wait cwait; 381 struct crypto_akcipher *tfm; 382 struct akcipher_request *req; 383 struct scatterlist src_sg; 384 char alg_name[CRYPTO_MAX_ALG_NAME]; 385 char *buf, *ptr; 386 size_t buf_len; 387 int ret; 388 389 pr_devel("==>%s()\n", __func__); 390 391 BUG_ON(!pkey); 392 BUG_ON(!sig); 393 BUG_ON(!sig->s); 394 395 /* 396 * If the signature specifies a public key algorithm, it *must* match 397 * the key's actual public key algorithm. 398 * 399 * Small exception: ECDSA signatures don't specify the curve, but ECDSA 400 * keys do. So the strings can mismatch slightly in that case: 401 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. 402 */ 403 if (sig->pkey_algo) { 404 if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && 405 (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || 406 strcmp(sig->pkey_algo, "ecdsa") != 0)) 407 return -EKEYREJECTED; 408 } 409 410 ret = software_key_determine_akcipher(pkey, sig->encoding, 411 sig->hash_algo, alg_name); 412 if (ret < 0) 413 return ret; 414 415 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 416 if (IS_ERR(tfm)) 417 return PTR_ERR(tfm); 418 419 ret = -ENOMEM; 420 req = akcipher_request_alloc(tfm, GFP_KERNEL); 421 if (!req) 422 goto error_free_tfm; 423 424 buf_len = max_t(size_t, pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 425 sig->s_size + sig->digest_size); 426 427 buf = kmalloc(buf_len, GFP_KERNEL); 428 if (!buf) 429 goto error_free_req; 430 431 memcpy(buf, pkey->key, pkey->keylen); 432 ptr = buf + pkey->keylen; 433 ptr = pkey_pack_u32(ptr, pkey->algo); 434 ptr = pkey_pack_u32(ptr, pkey->paramlen); 435 memcpy(ptr, pkey->params, pkey->paramlen); 436 437 if (pkey->key_is_private) 438 ret = crypto_akcipher_set_priv_key(tfm, buf, pkey->keylen); 439 else 440 ret = crypto_akcipher_set_pub_key(tfm, buf, pkey->keylen); 441 if (ret) 442 goto error_free_buf; 443 444 if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { 445 ret = cert_sig_digest_update(sig, tfm); 446 if (ret) 447 goto error_free_buf; 448 } 449 450 memcpy(buf, sig->s, sig->s_size); 451 memcpy(buf + sig->s_size, sig->digest, sig->digest_size); 452 453 sg_init_one(&src_sg, buf, sig->s_size + sig->digest_size); 454 akcipher_request_set_crypt(req, &src_sg, NULL, sig->s_size, 455 sig->digest_size); 456 crypto_init_wait(&cwait); 457 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 458 CRYPTO_TFM_REQ_MAY_SLEEP, 459 crypto_req_done, &cwait); 460 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); 461 462 error_free_buf: 463 kfree(buf); 464 error_free_req: 465 akcipher_request_free(req); 466 error_free_tfm: 467 crypto_free_akcipher(tfm); 468 pr_devel("<==%s() = %d\n", __func__, ret); 469 if (WARN_ON_ONCE(ret > 0)) 470 ret = -EINVAL; 471 return ret; 472 } 473 EXPORT_SYMBOL_GPL(public_key_verify_signature); 474 475 static int public_key_verify_signature_2(const struct key *key, 476 const struct public_key_signature *sig) 477 { 478 const struct public_key *pk = key->payload.data[asym_crypto]; 479 return public_key_verify_signature(pk, sig); 480 } 481 482 /* 483 * Public key algorithm asymmetric key subtype 484 */ 485 struct asymmetric_key_subtype public_key_subtype = { 486 .owner = THIS_MODULE, 487 .name = "public_key", 488 .name_len = sizeof("public_key") - 1, 489 .describe = public_key_describe, 490 .destroy = public_key_destroy, 491 .query = software_key_query, 492 .eds_op = software_key_eds_op, 493 .verify_signature = public_key_verify_signature_2, 494 }; 495 EXPORT_SYMBOL_GPL(public_key_subtype); 496