1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* In-software asymmetric public-key crypto subtype 3 * 4 * See Documentation/crypto/asymmetric-keys.rst 5 * 6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 7 * Written by David Howells (dhowells@redhat.com) 8 */ 9 10 #define pr_fmt(fmt) "PKEY: "fmt 11 #include <linux/module.h> 12 #include <linux/export.h> 13 #include <linux/kernel.h> 14 #include <linux/slab.h> 15 #include <linux/seq_file.h> 16 #include <linux/scatterlist.h> 17 #include <linux/asn1.h> 18 #include <keys/asymmetric-subtype.h> 19 #include <crypto/public_key.h> 20 #include <crypto/akcipher.h> 21 #include <crypto/sm2.h> 22 #include <crypto/sm3_base.h> 23 24 MODULE_DESCRIPTION("In-software asymmetric public-key subtype"); 25 MODULE_AUTHOR("Red Hat, Inc."); 26 MODULE_LICENSE("GPL"); 27 28 /* 29 * Provide a part of a description of the key for /proc/keys. 30 */ 31 static void public_key_describe(const struct key *asymmetric_key, 32 struct seq_file *m) 33 { 34 struct public_key *key = asymmetric_key->payload.data[asym_crypto]; 35 36 if (key) 37 seq_printf(m, "%s.%s", key->id_type, key->pkey_algo); 38 } 39 40 /* 41 * Destroy a public key algorithm key. 42 */ 43 void public_key_free(struct public_key *key) 44 { 45 if (key) { 46 kfree(key->key); 47 kfree(key->params); 48 kfree(key); 49 } 50 } 51 EXPORT_SYMBOL_GPL(public_key_free); 52 53 /* 54 * Destroy a public key algorithm key. 55 */ 56 static void public_key_destroy(void *payload0, void *payload3) 57 { 58 public_key_free(payload0); 59 public_key_signature_free(payload3); 60 } 61 62 /* 63 * Given a public_key, and an encoding and hash_algo to be used for signing 64 * and/or verification with that key, determine the name of the corresponding 65 * akcipher algorithm. Also check that encoding and hash_algo are allowed. 66 */ 67 static int 68 software_key_determine_akcipher(const struct public_key *pkey, 69 const char *encoding, const char *hash_algo, 70 char alg_name[CRYPTO_MAX_ALG_NAME]) 71 { 72 int n; 73 74 if (!encoding) 75 return -EINVAL; 76 77 if (strcmp(pkey->pkey_algo, "rsa") == 0) { 78 /* 79 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. 80 */ 81 if (strcmp(encoding, "pkcs1") == 0) { 82 if (!hash_algo) 83 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 84 "pkcs1pad(%s)", 85 pkey->pkey_algo); 86 else 87 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 88 "pkcs1pad(%s,%s)", 89 pkey->pkey_algo, hash_algo); 90 return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; 91 } 92 if (strcmp(encoding, "raw") != 0) 93 return -EINVAL; 94 /* 95 * Raw RSA cannot differentiate between different hash 96 * algorithms. 97 */ 98 if (hash_algo) 99 return -EINVAL; 100 } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 101 if (strcmp(encoding, "x962") != 0) 102 return -EINVAL; 103 /* 104 * ECDSA signatures are taken over a raw hash, so they don't 105 * differentiate between different hash algorithms. That means 106 * that the verifier should hard-code a specific hash algorithm. 107 * Unfortunately, in practice ECDSA is used with multiple SHAs, 108 * so we have to allow all of them and not just one. 109 */ 110 if (!hash_algo) 111 return -EINVAL; 112 if (strcmp(hash_algo, "sha1") != 0 && 113 strcmp(hash_algo, "sha224") != 0 && 114 strcmp(hash_algo, "sha256") != 0 && 115 strcmp(hash_algo, "sha384") != 0 && 116 strcmp(hash_algo, "sha512") != 0) 117 return -EINVAL; 118 } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { 119 if (strcmp(encoding, "raw") != 0) 120 return -EINVAL; 121 if (!hash_algo) 122 return -EINVAL; 123 if (strcmp(hash_algo, "sm3") != 0) 124 return -EINVAL; 125 } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { 126 if (strcmp(encoding, "raw") != 0) 127 return -EINVAL; 128 if (!hash_algo) 129 return -EINVAL; 130 if (strcmp(hash_algo, "streebog256") != 0 && 131 strcmp(hash_algo, "streebog512") != 0) 132 return -EINVAL; 133 } else { 134 /* Unknown public key algorithm */ 135 return -ENOPKG; 136 } 137 if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) 138 return -EINVAL; 139 return 0; 140 } 141 142 static u8 *pkey_pack_u32(u8 *dst, u32 val) 143 { 144 memcpy(dst, &val, sizeof(val)); 145 return dst + sizeof(val); 146 } 147 148 /* 149 * Query information about a key. 150 */ 151 static int software_key_query(const struct kernel_pkey_params *params, 152 struct kernel_pkey_query *info) 153 { 154 struct crypto_akcipher *tfm; 155 struct public_key *pkey = params->key->payload.data[asym_crypto]; 156 char alg_name[CRYPTO_MAX_ALG_NAME]; 157 u8 *key, *ptr; 158 int ret, len; 159 160 ret = software_key_determine_akcipher(pkey, params->encoding, 161 params->hash_algo, alg_name); 162 if (ret < 0) 163 return ret; 164 165 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 166 if (IS_ERR(tfm)) 167 return PTR_ERR(tfm); 168 169 ret = -ENOMEM; 170 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 171 GFP_KERNEL); 172 if (!key) 173 goto error_free_tfm; 174 memcpy(key, pkey->key, pkey->keylen); 175 ptr = key + pkey->keylen; 176 ptr = pkey_pack_u32(ptr, pkey->algo); 177 ptr = pkey_pack_u32(ptr, pkey->paramlen); 178 memcpy(ptr, pkey->params, pkey->paramlen); 179 180 if (pkey->key_is_private) 181 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 182 else 183 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 184 if (ret < 0) 185 goto error_free_key; 186 187 len = crypto_akcipher_maxsize(tfm); 188 info->key_size = len * 8; 189 info->max_data_size = len; 190 info->max_sig_size = len; 191 info->max_enc_size = len; 192 info->max_dec_size = len; 193 info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT | 194 KEYCTL_SUPPORTS_VERIFY); 195 if (pkey->key_is_private) 196 info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT | 197 KEYCTL_SUPPORTS_SIGN); 198 ret = 0; 199 200 error_free_key: 201 kfree(key); 202 error_free_tfm: 203 crypto_free_akcipher(tfm); 204 pr_devel("<==%s() = %d\n", __func__, ret); 205 return ret; 206 } 207 208 /* 209 * Do encryption, decryption and signing ops. 210 */ 211 static int software_key_eds_op(struct kernel_pkey_params *params, 212 const void *in, void *out) 213 { 214 const struct public_key *pkey = params->key->payload.data[asym_crypto]; 215 struct akcipher_request *req; 216 struct crypto_akcipher *tfm; 217 struct crypto_wait cwait; 218 struct scatterlist in_sg, out_sg; 219 char alg_name[CRYPTO_MAX_ALG_NAME]; 220 char *key, *ptr; 221 int ret; 222 223 pr_devel("==>%s()\n", __func__); 224 225 ret = software_key_determine_akcipher(pkey, params->encoding, 226 params->hash_algo, alg_name); 227 if (ret < 0) 228 return ret; 229 230 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 231 if (IS_ERR(tfm)) 232 return PTR_ERR(tfm); 233 234 ret = -ENOMEM; 235 req = akcipher_request_alloc(tfm, GFP_KERNEL); 236 if (!req) 237 goto error_free_tfm; 238 239 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 240 GFP_KERNEL); 241 if (!key) 242 goto error_free_req; 243 244 memcpy(key, pkey->key, pkey->keylen); 245 ptr = key + pkey->keylen; 246 ptr = pkey_pack_u32(ptr, pkey->algo); 247 ptr = pkey_pack_u32(ptr, pkey->paramlen); 248 memcpy(ptr, pkey->params, pkey->paramlen); 249 250 if (pkey->key_is_private) 251 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 252 else 253 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 254 if (ret) 255 goto error_free_key; 256 257 sg_init_one(&in_sg, in, params->in_len); 258 sg_init_one(&out_sg, out, params->out_len); 259 akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, 260 params->out_len); 261 crypto_init_wait(&cwait); 262 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 263 CRYPTO_TFM_REQ_MAY_SLEEP, 264 crypto_req_done, &cwait); 265 266 /* Perform the encryption calculation. */ 267 switch (params->op) { 268 case kernel_pkey_encrypt: 269 ret = crypto_akcipher_encrypt(req); 270 break; 271 case kernel_pkey_decrypt: 272 ret = crypto_akcipher_decrypt(req); 273 break; 274 case kernel_pkey_sign: 275 ret = crypto_akcipher_sign(req); 276 break; 277 default: 278 BUG(); 279 } 280 281 ret = crypto_wait_req(ret, &cwait); 282 if (ret == 0) 283 ret = req->dst_len; 284 285 error_free_key: 286 kfree(key); 287 error_free_req: 288 akcipher_request_free(req); 289 error_free_tfm: 290 crypto_free_akcipher(tfm); 291 pr_devel("<==%s() = %d\n", __func__, ret); 292 return ret; 293 } 294 295 #if IS_REACHABLE(CONFIG_CRYPTO_SM2) 296 static int cert_sig_digest_update(const struct public_key_signature *sig, 297 struct crypto_akcipher *tfm_pkey) 298 { 299 struct crypto_shash *tfm; 300 struct shash_desc *desc; 301 size_t desc_size; 302 unsigned char dgst[SM3_DIGEST_SIZE]; 303 int ret; 304 305 BUG_ON(!sig->data); 306 307 ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, 308 SM2_DEFAULT_USERID_LEN, dgst); 309 if (ret) 310 return ret; 311 312 tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); 313 if (IS_ERR(tfm)) 314 return PTR_ERR(tfm); 315 316 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); 317 desc = kzalloc(desc_size, GFP_KERNEL); 318 if (!desc) { 319 ret = -ENOMEM; 320 goto error_free_tfm; 321 } 322 323 desc->tfm = tfm; 324 325 ret = crypto_shash_init(desc); 326 if (ret < 0) 327 goto error_free_desc; 328 329 ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE); 330 if (ret < 0) 331 goto error_free_desc; 332 333 ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); 334 335 error_free_desc: 336 kfree(desc); 337 error_free_tfm: 338 crypto_free_shash(tfm); 339 return ret; 340 } 341 #else 342 static inline int cert_sig_digest_update( 343 const struct public_key_signature *sig, 344 struct crypto_akcipher *tfm_pkey) 345 { 346 return -ENOTSUPP; 347 } 348 #endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */ 349 350 /* 351 * Verify a signature using a public key. 352 */ 353 int public_key_verify_signature(const struct public_key *pkey, 354 const struct public_key_signature *sig) 355 { 356 struct crypto_wait cwait; 357 struct crypto_akcipher *tfm; 358 struct akcipher_request *req; 359 struct scatterlist src_sg[2]; 360 char alg_name[CRYPTO_MAX_ALG_NAME]; 361 char *key, *ptr; 362 int ret; 363 364 pr_devel("==>%s()\n", __func__); 365 366 BUG_ON(!pkey); 367 BUG_ON(!sig); 368 BUG_ON(!sig->s); 369 370 /* 371 * If the signature specifies a public key algorithm, it *must* match 372 * the key's actual public key algorithm. 373 * 374 * Small exception: ECDSA signatures don't specify the curve, but ECDSA 375 * keys do. So the strings can mismatch slightly in that case: 376 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. 377 */ 378 if (sig->pkey_algo) { 379 if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && 380 (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || 381 strcmp(sig->pkey_algo, "ecdsa") != 0)) 382 return -EKEYREJECTED; 383 } 384 385 ret = software_key_determine_akcipher(pkey, sig->encoding, 386 sig->hash_algo, alg_name); 387 if (ret < 0) 388 return ret; 389 390 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 391 if (IS_ERR(tfm)) 392 return PTR_ERR(tfm); 393 394 ret = -ENOMEM; 395 req = akcipher_request_alloc(tfm, GFP_KERNEL); 396 if (!req) 397 goto error_free_tfm; 398 399 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 400 GFP_KERNEL); 401 if (!key) 402 goto error_free_req; 403 404 memcpy(key, pkey->key, pkey->keylen); 405 ptr = key + pkey->keylen; 406 ptr = pkey_pack_u32(ptr, pkey->algo); 407 ptr = pkey_pack_u32(ptr, pkey->paramlen); 408 memcpy(ptr, pkey->params, pkey->paramlen); 409 410 if (pkey->key_is_private) 411 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 412 else 413 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 414 if (ret) 415 goto error_free_key; 416 417 if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && 418 sig->data_size) { 419 ret = cert_sig_digest_update(sig, tfm); 420 if (ret) 421 goto error_free_key; 422 } 423 424 sg_init_table(src_sg, 2); 425 sg_set_buf(&src_sg[0], sig->s, sig->s_size); 426 sg_set_buf(&src_sg[1], sig->digest, sig->digest_size); 427 akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size, 428 sig->digest_size); 429 crypto_init_wait(&cwait); 430 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 431 CRYPTO_TFM_REQ_MAY_SLEEP, 432 crypto_req_done, &cwait); 433 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); 434 435 error_free_key: 436 kfree(key); 437 error_free_req: 438 akcipher_request_free(req); 439 error_free_tfm: 440 crypto_free_akcipher(tfm); 441 pr_devel("<==%s() = %d\n", __func__, ret); 442 if (WARN_ON_ONCE(ret > 0)) 443 ret = -EINVAL; 444 return ret; 445 } 446 EXPORT_SYMBOL_GPL(public_key_verify_signature); 447 448 static int public_key_verify_signature_2(const struct key *key, 449 const struct public_key_signature *sig) 450 { 451 const struct public_key *pk = key->payload.data[asym_crypto]; 452 return public_key_verify_signature(pk, sig); 453 } 454 455 /* 456 * Public key algorithm asymmetric key subtype 457 */ 458 struct asymmetric_key_subtype public_key_subtype = { 459 .owner = THIS_MODULE, 460 .name = "public_key", 461 .name_len = sizeof("public_key") - 1, 462 .describe = public_key_describe, 463 .destroy = public_key_destroy, 464 .query = software_key_query, 465 .eds_op = software_key_eds_op, 466 .verify_signature = public_key_verify_signature_2, 467 }; 468 EXPORT_SYMBOL_GPL(public_key_subtype); 469