1// SPDX-License-Identifier: GPL-2.0-or-later 2/* In-software asymmetric public-key crypto subtype 3 * 4 * See Documentation/crypto/asymmetric-keys.rst 5 * 6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 7 * Written by David Howells (dhowells@redhat.com) 8 */ 9 10#define pr_fmt(fmt) "PKEY: "fmt 11#include <linux/module.h> 12#include <linux/export.h> 13#include <linux/kernel.h> 14#include <linux/slab.h> 15#include <linux/seq_file.h> 16#include <linux/scatterlist.h> 17#include <linux/asn1.h> 18#include <keys/asymmetric-subtype.h> 19#include <crypto/public_key.h> 20#include <crypto/akcipher.h> 21#include <crypto/sm2.h> 22#include <crypto/sm3_base.h> 23 24MODULE_DESCRIPTION("In-software asymmetric public-key subtype"); 25MODULE_AUTHOR("Red Hat, Inc."); 26MODULE_LICENSE("GPL"); 27 28/* 29 * Provide a part of a description of the key for /proc/keys. 30 */ 31static void public_key_describe(const struct key *asymmetric_key, 32 struct seq_file *m) 33{ 34 struct public_key *key = asymmetric_key->payload.data[asym_crypto]; 35 36 if (key) 37 seq_printf(m, "%s.%s", key->id_type, key->pkey_algo); 38} 39 40/* 41 * Destroy a public key algorithm key. 42 */ 43void public_key_free(struct public_key *key) 44{ 45 if (key) { 46 kfree(key->key); 47 kfree(key->params); 48 kfree(key); 49 } 50} 51EXPORT_SYMBOL_GPL(public_key_free); 52 53/* 54 * Destroy a public key algorithm key. 55 */ 56static void public_key_destroy(void *payload0, void *payload3) 57{ 58 public_key_free(payload0); 59 public_key_signature_free(payload3); 60} 61 62/* 63 * Given a public_key, and an encoding and hash_algo to be used for signing 64 * and/or verification with that key, determine the name of the corresponding 65 * akcipher algorithm. Also check that encoding and hash_algo are allowed. 66 */ 67static int 68software_key_determine_akcipher(const struct public_key *pkey, 69 const char *encoding, const char *hash_algo, 70 char alg_name[CRYPTO_MAX_ALG_NAME]) 71{ 72 int n; 73 74 if (!encoding) 75 return -EINVAL; 76 77 if (strcmp(pkey->pkey_algo, "rsa") == 0) { 78 /* 79 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. 80 */ 81 if (strcmp(encoding, "pkcs1") == 0) { 82 if (!hash_algo) 83 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 84 "pkcs1pad(%s)", 85 pkey->pkey_algo); 86 else 87 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 88 "pkcs1pad(%s,%s)", 89 pkey->pkey_algo, hash_algo); 90 return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; 91 } 92 if (strcmp(encoding, "raw") != 0) 93 return -EINVAL; 94 /* 95 * Raw RSA cannot differentiate between different hash 96 * algorithms. 97 */ 98 if (hash_algo) 99 return -EINVAL; 100 } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 101 if (strcmp(encoding, "x962") != 0) 102 return -EINVAL; 103 /* 104 * ECDSA signatures are taken over a raw hash, so they don't 105 * differentiate between different hash algorithms. That means 106 * that the verifier should hard-code a specific hash algorithm. 107 * Unfortunately, in practice ECDSA is used with multiple SHAs, 108 * so we have to allow all of them and not just one. 109 */ 110 if (!hash_algo) 111 return -EINVAL; 112 if (strcmp(hash_algo, "sha1") != 0 && 113 strcmp(hash_algo, "sha224") != 0 && 114 strcmp(hash_algo, "sha256") != 0 && 115 strcmp(hash_algo, "sha384") != 0 && 116 strcmp(hash_algo, "sha512") != 0) 117 return -EINVAL; 118 } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { 119 if (strcmp(encoding, "raw") != 0) 120 return -EINVAL; 121 if (!hash_algo) 122 return -EINVAL; 123 if (strcmp(hash_algo, "sm3") != 0) 124 return -EINVAL; 125 } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { 126 if (strcmp(encoding, "raw") != 0) 127 return -EINVAL; 128 if (!hash_algo) 129 return -EINVAL; 130 if (strcmp(hash_algo, "streebog256") != 0 && 131 strcmp(hash_algo, "streebog512") != 0) 132 return -EINVAL; 133 } else { 134 /* Unknown public key algorithm */ 135 return -ENOPKG; 136 } 137 if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) 138 return -EINVAL; 139 return 0; 140} 141 142static u8 *pkey_pack_u32(u8 *dst, u32 val) 143{ 144 memcpy(dst, &val, sizeof(val)); 145 return dst + sizeof(val); 146} 147 148/* 149 * Query information about a key. 150 */ 151static int software_key_query(const struct kernel_pkey_params *params, 152 struct kernel_pkey_query *info) 153{ 154 struct crypto_akcipher *tfm; 155 struct public_key *pkey = params->key->payload.data[asym_crypto]; 156 char alg_name[CRYPTO_MAX_ALG_NAME]; 157 u8 *key, *ptr; 158 int ret, len; 159 160 ret = software_key_determine_akcipher(pkey, params->encoding, 161 params->hash_algo, alg_name); 162 if (ret < 0) 163 return ret; 164 165 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 166 if (IS_ERR(tfm)) 167 return PTR_ERR(tfm); 168 169 ret = -ENOMEM; 170 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 171 GFP_KERNEL); 172 if (!key) 173 goto error_free_tfm; 174 memcpy(key, pkey->key, pkey->keylen); 175 ptr = key + pkey->keylen; 176 ptr = pkey_pack_u32(ptr, pkey->algo); 177 ptr = pkey_pack_u32(ptr, pkey->paramlen); 178 memcpy(ptr, pkey->params, pkey->paramlen); 179 180 if (pkey->key_is_private) 181 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 182 else 183 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 184 if (ret < 0) 185 goto error_free_key; 186 187 len = crypto_akcipher_maxsize(tfm); 188 info->key_size = len * 8; 189 info->max_data_size = len; 190 info->max_sig_size = len; 191 info->max_enc_size = len; 192 info->max_dec_size = len; 193 info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT | 194 KEYCTL_SUPPORTS_VERIFY); 195 if (pkey->key_is_private) 196 info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT | 197 KEYCTL_SUPPORTS_SIGN); 198 ret = 0; 199 200error_free_key: 201 kfree(key); 202error_free_tfm: 203 crypto_free_akcipher(tfm); 204 pr_devel("<==%s() = %d\n", __func__, ret); 205 return ret; 206} 207 208/* 209 * Do encryption, decryption and signing ops. 210 */ 211static int software_key_eds_op(struct kernel_pkey_params *params, 212 const void *in, void *out) 213{ 214 const struct public_key *pkey = params->key->payload.data[asym_crypto]; 215 struct akcipher_request *req; 216 struct crypto_akcipher *tfm; 217 struct crypto_wait cwait; 218 struct scatterlist in_sg, out_sg; 219 char alg_name[CRYPTO_MAX_ALG_NAME]; 220 char *key, *ptr; 221 int ret; 222 223 pr_devel("==>%s()\n", __func__); 224 225 ret = software_key_determine_akcipher(pkey, params->encoding, 226 params->hash_algo, alg_name); 227 if (ret < 0) 228 return ret; 229 230 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 231 if (IS_ERR(tfm)) 232 return PTR_ERR(tfm); 233 234 ret = -ENOMEM; 235 req = akcipher_request_alloc(tfm, GFP_KERNEL); 236 if (!req) 237 goto error_free_tfm; 238 239 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 240 GFP_KERNEL); 241 if (!key) 242 goto error_free_req; 243 244 memcpy(key, pkey->key, pkey->keylen); 245 ptr = key + pkey->keylen; 246 ptr = pkey_pack_u32(ptr, pkey->algo); 247 ptr = pkey_pack_u32(ptr, pkey->paramlen); 248 memcpy(ptr, pkey->params, pkey->paramlen); 249 250 if (pkey->key_is_private) 251 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 252 else 253 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 254 if (ret) 255 goto error_free_key; 256 257 sg_init_one(&in_sg, in, params->in_len); 258 sg_init_one(&out_sg, out, params->out_len); 259 akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len, 260 params->out_len); 261 crypto_init_wait(&cwait); 262 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 263 CRYPTO_TFM_REQ_MAY_SLEEP, 264 crypto_req_done, &cwait); 265 266 /* Perform the encryption calculation. */ 267 switch (params->op) { 268 case kernel_pkey_encrypt: 269 ret = crypto_akcipher_encrypt(req); 270 break; 271 case kernel_pkey_decrypt: 272 ret = crypto_akcipher_decrypt(req); 273 break; 274 case kernel_pkey_sign: 275 ret = crypto_akcipher_sign(req); 276 break; 277 default: 278 BUG(); 279 } 280 281 ret = crypto_wait_req(ret, &cwait); 282 if (ret == 0) 283 ret = req->dst_len; 284 285error_free_key: 286 kfree(key); 287error_free_req: 288 akcipher_request_free(req); 289error_free_tfm: 290 crypto_free_akcipher(tfm); 291 pr_devel("<==%s() = %d\n", __func__, ret); 292 return ret; 293} 294 295#if IS_REACHABLE(CONFIG_CRYPTO_SM2) 296static int cert_sig_digest_update(const struct public_key_signature *sig, 297 struct crypto_akcipher *tfm_pkey) 298{ 299 struct crypto_shash *tfm; 300 struct shash_desc *desc; 301 size_t desc_size; 302 unsigned char dgst[SM3_DIGEST_SIZE]; 303 int ret; 304 305 BUG_ON(!sig->data); 306 307 /* SM2 signatures always use the SM3 hash algorithm */ 308 if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0) 309 return -EINVAL; 310 311 ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, 312 SM2_DEFAULT_USERID_LEN, dgst); 313 if (ret) 314 return ret; 315 316 tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); 317 if (IS_ERR(tfm)) 318 return PTR_ERR(tfm); 319 320 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); 321 desc = kzalloc(desc_size, GFP_KERNEL); 322 if (!desc) { 323 ret = -ENOMEM; 324 goto error_free_tfm; 325 } 326 327 desc->tfm = tfm; 328 329 ret = crypto_shash_init(desc); 330 if (ret < 0) 331 goto error_free_desc; 332 333 ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE); 334 if (ret < 0) 335 goto error_free_desc; 336 337 ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); 338 339error_free_desc: 340 kfree(desc); 341error_free_tfm: 342 crypto_free_shash(tfm); 343 return ret; 344} 345#else 346static inline int cert_sig_digest_update( 347 const struct public_key_signature *sig, 348 struct crypto_akcipher *tfm_pkey) 349{ 350 return -ENOTSUPP; 351} 352#endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */ 353 354/* 355 * Verify a signature using a public key. 356 */ 357int public_key_verify_signature(const struct public_key *pkey, 358 const struct public_key_signature *sig) 359{ 360 struct crypto_wait cwait; 361 struct crypto_akcipher *tfm; 362 struct akcipher_request *req; 363 struct scatterlist src_sg; 364 char alg_name[CRYPTO_MAX_ALG_NAME]; 365 char *buf, *ptr; 366 size_t buf_len; 367 int ret; 368 369 pr_devel("==>%s()\n", __func__); 370 371 BUG_ON(!pkey); 372 BUG_ON(!sig); 373 BUG_ON(!sig->s); 374 375 /* 376 * If the signature specifies a public key algorithm, it *must* match 377 * the key's actual public key algorithm. 378 * 379 * Small exception: ECDSA signatures don't specify the curve, but ECDSA 380 * keys do. So the strings can mismatch slightly in that case: 381 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. 382 */ 383 if (sig->pkey_algo) { 384 if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && 385 (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || 386 strcmp(sig->pkey_algo, "ecdsa") != 0)) 387 return -EKEYREJECTED; 388 } 389 390 ret = software_key_determine_akcipher(pkey, sig->encoding, 391 sig->hash_algo, alg_name); 392 if (ret < 0) 393 return ret; 394 395 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 396 if (IS_ERR(tfm)) 397 return PTR_ERR(tfm); 398 399 ret = -ENOMEM; 400 req = akcipher_request_alloc(tfm, GFP_KERNEL); 401 if (!req) 402 goto error_free_tfm; 403 404 buf_len = max_t(size_t, pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 405 sig->s_size + sig->digest_size); 406 407 buf = kmalloc(buf_len, GFP_KERNEL); 408 if (!buf) 409 goto error_free_req; 410 411 memcpy(buf, pkey->key, pkey->keylen); 412 ptr = buf + pkey->keylen; 413 ptr = pkey_pack_u32(ptr, pkey->algo); 414 ptr = pkey_pack_u32(ptr, pkey->paramlen); 415 memcpy(ptr, pkey->params, pkey->paramlen); 416 417 if (pkey->key_is_private) 418 ret = crypto_akcipher_set_priv_key(tfm, buf, pkey->keylen); 419 else 420 ret = crypto_akcipher_set_pub_key(tfm, buf, pkey->keylen); 421 if (ret) 422 goto error_free_buf; 423 424 if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { 425 ret = cert_sig_digest_update(sig, tfm); 426 if (ret) 427 goto error_free_buf; 428 } 429 430 memcpy(buf, sig->s, sig->s_size); 431 memcpy(buf + sig->s_size, sig->digest, sig->digest_size); 432 433 sg_init_one(&src_sg, buf, sig->s_size + sig->digest_size); 434 akcipher_request_set_crypt(req, &src_sg, NULL, sig->s_size, 435 sig->digest_size); 436 crypto_init_wait(&cwait); 437 akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 438 CRYPTO_TFM_REQ_MAY_SLEEP, 439 crypto_req_done, &cwait); 440 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); 441 442error_free_buf: 443 kfree(buf); 444error_free_req: 445 akcipher_request_free(req); 446error_free_tfm: 447 crypto_free_akcipher(tfm); 448 pr_devel("<==%s() = %d\n", __func__, ret); 449 if (WARN_ON_ONCE(ret > 0)) 450 ret = -EINVAL; 451 return ret; 452} 453EXPORT_SYMBOL_GPL(public_key_verify_signature); 454 455static int public_key_verify_signature_2(const struct key *key, 456 const struct public_key_signature *sig) 457{ 458 const struct public_key *pk = key->payload.data[asym_crypto]; 459 return public_key_verify_signature(pk, sig); 460} 461 462/* 463 * Public key algorithm asymmetric key subtype 464 */ 465struct asymmetric_key_subtype public_key_subtype = { 466 .owner = THIS_MODULE, 467 .name = "public_key", 468 .name_len = sizeof("public_key") - 1, 469 .describe = public_key_describe, 470 .destroy = public_key_destroy, 471 .query = software_key_query, 472 .eds_op = software_key_eds_op, 473 .verify_signature = public_key_verify_signature_2, 474}; 475EXPORT_SYMBOL_GPL(public_key_subtype); 476