1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* In-software asymmetric public-key crypto subtype 3 * 4 * See Documentation/crypto/asymmetric-keys.rst 5 * 6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 7 * Written by David Howells (dhowells@redhat.com) 8 */ 9 10 #define pr_fmt(fmt) "PKEY: "fmt 11 #include <linux/module.h> 12 #include <linux/export.h> 13 #include <linux/kernel.h> 14 #include <linux/slab.h> 15 #include <linux/seq_file.h> 16 #include <linux/scatterlist.h> 17 #include <linux/asn1.h> 18 #include <keys/asymmetric-subtype.h> 19 #include <crypto/public_key.h> 20 #include <crypto/akcipher.h> 21 #include <crypto/sm2.h> 22 #include <crypto/sm3_base.h> 23 24 MODULE_DESCRIPTION("In-software asymmetric public-key subtype"); 25 MODULE_AUTHOR("Red Hat, Inc."); 26 MODULE_LICENSE("GPL"); 27 28 /* 29 * Provide a part of a description of the key for /proc/keys. 30 */ 31 static void public_key_describe(const struct key *asymmetric_key, 32 struct seq_file *m) 33 { 34 struct public_key *key = asymmetric_key->payload.data[asym_crypto]; 35 36 if (key) 37 seq_printf(m, "%s.%s", key->id_type, key->pkey_algo); 38 } 39 40 /* 41 * Destroy a public key algorithm key. 42 */ 43 void public_key_free(struct public_key *key) 44 { 45 if (key) { 46 kfree(key->key); 47 kfree(key->params); 48 kfree(key); 49 } 50 } 51 EXPORT_SYMBOL_GPL(public_key_free); 52 53 /* 54 * Destroy a public key algorithm key. 55 */ 56 static void public_key_destroy(void *payload0, void *payload3) 57 { 58 public_key_free(payload0); 59 public_key_signature_free(payload3); 60 } 61 62 /* 63 * Given a public_key, and an encoding and hash_algo to be used for signing 64 * and/or verification with that key, determine the name of the corresponding 65 * akcipher algorithm. Also check that encoding and hash_algo are allowed. 66 */ 67 static int 68 software_key_determine_akcipher(const struct public_key *pkey, 69 const char *encoding, const char *hash_algo, 70 char alg_name[CRYPTO_MAX_ALG_NAME]) 71 { 72 int n; 73 74 if (!encoding) 75 return -EINVAL; 76 77 if (strcmp(pkey->pkey_algo, "rsa") == 0) { 78 /* 79 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. 80 */ 81 if (strcmp(encoding, "pkcs1") == 0) { 82 if (!hash_algo) 83 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 84 "pkcs1pad(%s)", 85 pkey->pkey_algo); 86 else 87 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 88 "pkcs1pad(%s,%s)", 89 pkey->pkey_algo, hash_algo); 90 return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; 91 } 92 if (strcmp(encoding, "raw") != 0) 93 return -EINVAL; 94 /* 95 * Raw RSA cannot differentiate between different hash 96 * algorithms. 97 */ 98 if (hash_algo) 99 return -EINVAL; 100 } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 101 if (strcmp(encoding, "x962") != 0) 102 return -EINVAL; 103 /* 104 * ECDSA signatures are taken over a raw hash, so they don't 105 * differentiate between different hash algorithms. That means 106 * that the verifier should hard-code a specific hash algorithm. 107 * Unfortunately, in practice ECDSA is used with multiple SHAs, 108 * so we have to allow all of them and not just one. 109 */ 110 if (!hash_algo) 111 return -EINVAL; 112 if (strcmp(hash_algo, "sha1") != 0 && 113 strcmp(hash_algo, "sha224") != 0 && 114 strcmp(hash_algo, "sha256") != 0 && 115 strcmp(hash_algo, "sha384") != 0 && 116 strcmp(hash_algo, "sha512") != 0) 117 return -EINVAL; 118 } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { 119 if (strcmp(encoding, "raw") != 0) 120 return -EINVAL; 121 if (!hash_algo) 122 return -EINVAL; 123 if (strcmp(hash_algo, "sm3") != 0) 124 return -EINVAL; 125 } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { 126 if (strcmp(encoding, "raw") != 0) 127 return -EINVAL; 128 if (!hash_algo) 129 return -EINVAL; 130 if (strcmp(hash_algo, "streebog256") != 0 && 131 strcmp(hash_algo, "streebog512") != 0) 132 return -EINVAL; 133 } else { 134 /* Unknown public key algorithm */ 135 return -ENOPKG; 136 } 137 if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) 138 return -EINVAL; 139 return 0; 140 } 141 142 static u8 *pkey_pack_u32(u8 *dst, u32 val) 143 { 144 memcpy(dst, &val, sizeof(val)); 145 return dst + sizeof(val); 146 } 147 148 /* 149 * Query information about a key. 150 */ 151 static int software_key_query(const struct kernel_pkey_params *params, 152 struct kernel_pkey_query *info) 153 { 154 struct crypto_akcipher *tfm; 155 struct public_key *pkey = params->key->payload.data[asym_crypto]; 156 char alg_name[CRYPTO_MAX_ALG_NAME]; 157 u8 *key, *ptr; 158 int ret, len; 159 160 ret = software_key_determine_akcipher(pkey, params->encoding, 161 params->hash_algo, alg_name); 162 if (ret < 0) 163 return ret; 164 165 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 166 if (IS_ERR(tfm)) 167 return PTR_ERR(tfm); 168 169 ret = -ENOMEM; 170 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 171 GFP_KERNEL); 172 if (!key) 173 goto error_free_tfm; 174 memcpy(key, pkey->key, pkey->keylen); 175 ptr = key + pkey->keylen; 176 ptr = pkey_pack_u32(ptr, pkey->algo); 177 ptr = pkey_pack_u32(ptr, pkey->paramlen); 178 memcpy(ptr, pkey->params, pkey->paramlen); 179 180 if (pkey->key_is_private) 181 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 182 else 183 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 184 if (ret < 0) 185 goto error_free_key; 186 187 len = crypto_akcipher_maxsize(tfm); 188 info->key_size = len * 8; 189 info->max_data_size = len; 190 info->max_sig_size = len; 191 info->max_enc_size = len; 192 info->max_dec_size = len; 193 info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT | 194 KEYCTL_SUPPORTS_VERIFY); 195 if (pkey->key_is_private) 196 info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT | 197 KEYCTL_SUPPORTS_SIGN); 198 ret = 0; 199 200 error_free_key: 201 kfree(key); 202 error_free_tfm: 203 crypto_free_akcipher(tfm); 204 pr_devel("<==%s() = %d\n", __func__, ret); 205 return ret; 206 } 207 208 /* 209 * Do encryption, decryption and signing ops. 210 */ 211 static int software_key_eds_op(struct kernel_pkey_params *params, 212 const void *in, void *out) 213 { 214 const struct public_key *pkey = params->key->payload.data[asym_crypto]; 215 struct akcipher_request *req; 216 struct crypto_akcipher *tfm; 217 struct crypto_wait cwait; 218 struct scatterlist in_sg, out_sg; 219 char alg_name[CRYPTO_MAX_ALG_NAME]; 220 char *key, *ptr; 221 int ret; 222 223 pr_devel("==>%s()\n", __func__); 224 225 ret = software_key_determine_akcipher(pkey, params->encoding, 226 params->hash_algo, alg_name); 227 if (ret < 0) 228 return ret; 229 230 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 231 if (IS_ERR(tfm)) 232 return PTR_ERR(tfm); 233 234 ret = -ENOMEM; 235 req = akcipher_request_alloc(tfm, GFP_KERNEL); 236 if (!req) 237 goto error_free_tfm; 238 239 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 240 GFP_KERNEL); 241 if (!key) 242 goto error_free_req; 243 244 memcpy(key, pkey->key, pkey->keylen); 245 ptr = key + pkey->keylen; 246 ptr = pkey_pack_u32(ptr, pkey->algo); 247 ptr = pkey_pack_u32(ptr, pkey->paramlen); 248 memcpy(ptr, pkey->params, pkey->paramlen); 249 250 if (pkey->key_is_private) 251 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 252 else 253 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 254 if (ret) 255 goto error_free_key; 256 257 sg_init_one(&in_sg, in, params->in_len); 258 sg_init_one(&out_sg, out, params->out_len); 259 akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, 260 params->out_len); 261 crypto_init_wait(&cwait); 262 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 263 CRYPTO_TFM_REQ_MAY_SLEEP, 264 crypto_req_done, &cwait); 265 266 /* Perform the encryption calculation. */ 267 switch (params->op) { 268 case kernel_pkey_encrypt: 269 ret = crypto_akcipher_encrypt(req); 270 break; 271 case kernel_pkey_decrypt: 272 ret = crypto_akcipher_decrypt(req); 273 break; 274 case kernel_pkey_sign: 275 ret = crypto_akcipher_sign(req); 276 break; 277 default: 278 BUG(); 279 } 280 281 ret = crypto_wait_req(ret, &cwait); 282 if (ret == 0) 283 ret = req->dst_len; 284 285 error_free_key: 286 kfree(key); 287 error_free_req: 288 akcipher_request_free(req); 289 error_free_tfm: 290 crypto_free_akcipher(tfm); 291 pr_devel("<==%s() = %d\n", __func__, ret); 292 return ret; 293 } 294 295 #if IS_REACHABLE(CONFIG_CRYPTO_SM2) 296 static int cert_sig_digest_update(const struct public_key_signature *sig, 297 struct crypto_akcipher *tfm_pkey) 298 { 299 struct crypto_shash *tfm; 300 struct shash_desc *desc; 301 size_t desc_size; 302 unsigned char dgst[SM3_DIGEST_SIZE]; 303 int ret; 304 305 BUG_ON(!sig->data); 306 307 /* SM2 signatures always use the SM3 hash algorithm */ 308 if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0) 309 return -EINVAL; 310 311 ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, 312 SM2_DEFAULT_USERID_LEN, dgst); 313 if (ret) 314 return ret; 315 316 tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); 317 if (IS_ERR(tfm)) 318 return PTR_ERR(tfm); 319 320 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); 321 desc = kzalloc(desc_size, GFP_KERNEL); 322 if (!desc) { 323 ret = -ENOMEM; 324 goto error_free_tfm; 325 } 326 327 desc->tfm = tfm; 328 329 ret = crypto_shash_init(desc); 330 if (ret < 0) 331 goto error_free_desc; 332 333 ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE); 334 if (ret < 0) 335 goto error_free_desc; 336 337 ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); 338 339 error_free_desc: 340 kfree(desc); 341 error_free_tfm: 342 crypto_free_shash(tfm); 343 return ret; 344 } 345 #else 346 static inline int cert_sig_digest_update( 347 const struct public_key_signature *sig, 348 struct crypto_akcipher *tfm_pkey) 349 { 350 return -ENOTSUPP; 351 } 352 #endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */ 353 354 /* 355 * Verify a signature using a public key. 356 */ 357 int public_key_verify_signature(const struct public_key *pkey, 358 const struct public_key_signature *sig) 359 { 360 struct crypto_wait cwait; 361 struct crypto_akcipher *tfm; 362 struct akcipher_request *req; 363 struct scatterlist src_sg[2]; 364 char alg_name[CRYPTO_MAX_ALG_NAME]; 365 char *key, *ptr; 366 int ret; 367 368 pr_devel("==>%s()\n", __func__); 369 370 BUG_ON(!pkey); 371 BUG_ON(!sig); 372 BUG_ON(!sig->s); 373 374 /* 375 * If the signature specifies a public key algorithm, it *must* match 376 * the key's actual public key algorithm. 377 * 378 * Small exception: ECDSA signatures don't specify the curve, but ECDSA 379 * keys do. So the strings can mismatch slightly in that case: 380 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. 381 */ 382 if (sig->pkey_algo) { 383 if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && 384 (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || 385 strcmp(sig->pkey_algo, "ecdsa") != 0)) 386 return -EKEYREJECTED; 387 } 388 389 ret = software_key_determine_akcipher(pkey, sig->encoding, 390 sig->hash_algo, alg_name); 391 if (ret < 0) 392 return ret; 393 394 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 395 if (IS_ERR(tfm)) 396 return PTR_ERR(tfm); 397 398 ret = -ENOMEM; 399 req = akcipher_request_alloc(tfm, GFP_KERNEL); 400 if (!req) 401 goto error_free_tfm; 402 403 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 404 GFP_KERNEL); 405 if (!key) 406 goto error_free_req; 407 408 memcpy(key, pkey->key, pkey->keylen); 409 ptr = key + pkey->keylen; 410 ptr = pkey_pack_u32(ptr, pkey->algo); 411 ptr = pkey_pack_u32(ptr, pkey->paramlen); 412 memcpy(ptr, pkey->params, pkey->paramlen); 413 414 if (pkey->key_is_private) 415 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 416 else 417 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 418 if (ret) 419 goto error_free_key; 420 421 if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { 422 ret = cert_sig_digest_update(sig, tfm); 423 if (ret) 424 goto error_free_key; 425 } 426 427 sg_init_table(src_sg, 2); 428 sg_set_buf(&src_sg[0], sig->s, sig->s_size); 429 sg_set_buf(&src_sg[1], sig->digest, sig->digest_size); 430 akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size, 431 sig->digest_size); 432 crypto_init_wait(&cwait); 433 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 434 CRYPTO_TFM_REQ_MAY_SLEEP, 435 crypto_req_done, &cwait); 436 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); 437 438 error_free_key: 439 kfree(key); 440 error_free_req: 441 akcipher_request_free(req); 442 error_free_tfm: 443 crypto_free_akcipher(tfm); 444 pr_devel("<==%s() = %d\n", __func__, ret); 445 if (WARN_ON_ONCE(ret > 0)) 446 ret = -EINVAL; 447 return ret; 448 } 449 EXPORT_SYMBOL_GPL(public_key_verify_signature); 450 451 static int public_key_verify_signature_2(const struct key *key, 452 const struct public_key_signature *sig) 453 { 454 const struct public_key *pk = key->payload.data[asym_crypto]; 455 return public_key_verify_signature(pk, sig); 456 } 457 458 /* 459 * Public key algorithm asymmetric key subtype 460 */ 461 struct asymmetric_key_subtype public_key_subtype = { 462 .owner = THIS_MODULE, 463 .name = "public_key", 464 .name_len = sizeof("public_key") - 1, 465 .describe = public_key_describe, 466 .destroy = public_key_destroy, 467 .query = software_key_query, 468 .eds_op = software_key_eds_op, 469 .verify_signature = public_key_verify_signature_2, 470 }; 471 EXPORT_SYMBOL_GPL(public_key_subtype); 472