crypto/asymmetric_keys/public_key.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* In-software asymmetric public-key crypto subtype
0003  *
0004  * See Documentation/crypto/asymmetric-keys.rst
0005  *
0006  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
0007  * Written by David Howells (dhowells@redhat.com)
0008  */
0009
0010 #define pr_fmt(fmt) "PKEY: "fmt
0011 #include <linux/module.h>
0012 #include <linux/export.h>
0013 #include <linux/kernel.h>
0014 #include <linux/slab.h>
0015 #include <linux/seq_file.h>
0016 #include <linux/scatterlist.h>
0017 #include <linux/asn1.h>
0018 #include <keys/asymmetric-subtype.h>
0019 #include <crypto/public_key.h>
0020 #include <crypto/akcipher.h>
0021 #include <crypto/sm2.h>
0022 #include <crypto/sm3_base.h>
0023
0024 MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
0025 MODULE_AUTHOR("Red Hat, Inc.");
0026 MODULE_LICENSE("GPL");
0027
0028 /*
0029  * Provide a part of a description of the key for /proc/keys.
0030  */
0031 static void public_key_describe(const struct key *asymmetric_key,
0032                 struct seq_file *m)
0033 {
0034     struct public_key *key = asymmetric_key->payload.data[asym_crypto];
0035
0036     if (key)
0037         seq_printf(m, "%s.%s", key->id_type, key->pkey_algo);
0038 }
0039
0040 /*
0041  * Destroy a public key algorithm key.
0042  */
0043 void public_key_free(struct public_key *key)
0044 {
0045     if (key) {
0046         kfree(key->key);
0047         kfree(key->params);
0048         kfree(key);
0049     }
0050 }
0051 EXPORT_SYMBOL_GPL(public_key_free);
0052
0053 /*
0054  * Destroy a public key algorithm key.
0055  */
0056 static void public_key_destroy(void *payload0, void *payload3)
0057 {
0058     public_key_free(payload0);
0059     public_key_signature_free(payload3);
0060 }
0061
0062 /*
0063  * Given a public_key, and an encoding and hash_algo to be used for signing
0064  * and/or verification with that key, determine the name of the corresponding
0065  * akcipher algorithm.  Also check that encoding and hash_algo are allowed.
0066  */
0067 static int
0068 software_key_determine_akcipher(const struct public_key *pkey,
0069                 const char *encoding, const char *hash_algo,
0070                 char alg_name[CRYPTO_MAX_ALG_NAME])
0071 {
0072     int n;
0073
0074     if (!encoding)
0075         return -EINVAL;
0076
0077     if (strcmp(pkey->pkey_algo, "rsa") == 0) {
0078         /*
0079          * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2].
0080          */
0081         if (strcmp(encoding, "pkcs1") == 0) {
0082             if (!hash_algo)
0083                 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
0084                          "pkcs1pad(%s)",
0085                          pkey->pkey_algo);
0086             else
0087                 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
0088                          "pkcs1pad(%s,%s)",
0089                          pkey->pkey_algo, hash_algo);
0090             return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
0091         }
0092         if (strcmp(encoding, "raw") != 0)
0093             return -EINVAL;
0094         /*
0095          * Raw RSA cannot differentiate between different hash
0096          * algorithms.
0097          */
0098         if (hash_algo)
0099             return -EINVAL;
0100     } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) {
0101         if (strcmp(encoding, "x962") != 0)
0102             return -EINVAL;
0103         /*
0104          * ECDSA signatures are taken over a raw hash, so they don't
0105          * differentiate between different hash algorithms.  That means
0106          * that the verifier should hard-code a specific hash algorithm.
0107          * Unfortunately, in practice ECDSA is used with multiple SHAs,
0108          * so we have to allow all of them and not just one.
0109          */
0110         if (!hash_algo)
0111             return -EINVAL;
0112         if (strcmp(hash_algo, "sha1") != 0 &&
0113             strcmp(hash_algo, "sha224") != 0 &&
0114             strcmp(hash_algo, "sha256") != 0 &&
0115             strcmp(hash_algo, "sha384") != 0 &&
0116             strcmp(hash_algo, "sha512") != 0)
0117             return -EINVAL;
0118     } else if (strcmp(pkey->pkey_algo, "sm2") == 0) {
0119         if (strcmp(encoding, "raw") != 0)
0120             return -EINVAL;
0121         if (!hash_algo)
0122             return -EINVAL;
0123         if (strcmp(hash_algo, "sm3") != 0)
0124             return -EINVAL;
0125     } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) {
0126         if (strcmp(encoding, "raw") != 0)
0127             return -EINVAL;
0128         if (!hash_algo)
0129             return -EINVAL;
0130         if (strcmp(hash_algo, "streebog256") != 0 &&
0131             strcmp(hash_algo, "streebog512") != 0)
0132             return -EINVAL;
0133     } else {
0134         /* Unknown public key algorithm */
0135         return -ENOPKG;
0136     }
0137     if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0)
0138         return -EINVAL;
0139     return 0;
0140 }
0141
0142 static u8 *pkey_pack_u32(u8 *dst, u32 val)
0143 {
0144     memcpy(dst, &val, sizeof(val));
0145     return dst + sizeof(val);
0146 }
0147
0148 /*
0149  * Query information about a key.
0150  */
0151 static int software_key_query(const struct kernel_pkey_params *params,
0152                   struct kernel_pkey_query *info)
0153 {
0154     struct crypto_akcipher *tfm;
0155     struct public_key *pkey = params->key->payload.data[asym_crypto];
0156     char alg_name[CRYPTO_MAX_ALG_NAME];
0157     u8 *key, *ptr;
0158     int ret, len;
0159
0160     ret = software_key_determine_akcipher(pkey, params->encoding,
0161                           params->hash_algo, alg_name);
0162     if (ret < 0)
0163         return ret;
0164
0165     tfm = crypto_alloc_akcipher(alg_name, 0, 0);
0166     if (IS_ERR(tfm))
0167         return PTR_ERR(tfm);
0168
0169     ret = -ENOMEM;
0170     key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
0171               GFP_KERNEL);
0172     if (!key)
0173         goto error_free_tfm;
0174     memcpy(key, pkey->key, pkey->keylen);
0175     ptr = key + pkey->keylen;
0176     ptr = pkey_pack_u32(ptr, pkey->algo);
0177     ptr = pkey_pack_u32(ptr, pkey->paramlen);
0178     memcpy(ptr, pkey->params, pkey->paramlen);
0179
0180     if (pkey->key_is_private)
0181         ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
0182     else
0183         ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
0184     if (ret < 0)
0185         goto error_free_key;
0186
0187     len = crypto_akcipher_maxsize(tfm);
0188     info->key_size = len * 8;
0189     info->max_data_size = len;
0190     info->max_sig_size = len;
0191     info->max_enc_size = len;
0192     info->max_dec_size = len;
0193     info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |
0194                    KEYCTL_SUPPORTS_VERIFY);
0195     if (pkey->key_is_private)
0196         info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT |
0197                     KEYCTL_SUPPORTS_SIGN);
0198     ret = 0;
0199
0200 error_free_key:
0201     kfree(key);
0202 error_free_tfm:
0203     crypto_free_akcipher(tfm);
0204     pr_devel("<==%s() = %d\n", __func__, ret);
0205     return ret;
0206 }
0207
0208 /*
0209  * Do encryption, decryption and signing ops.
0210  */
0211 static int software_key_eds_op(struct kernel_pkey_params *params,
0212                    const void *in, void *out)
0213 {
0214     const struct public_key *pkey = params->key->payload.data[asym_crypto];
0215     struct akcipher_request *req;
0216     struct crypto_akcipher *tfm;
0217     struct crypto_wait cwait;
0218     struct scatterlist in_sg, out_sg;
0219     char alg_name[CRYPTO_MAX_ALG_NAME];
0220     char *key, *ptr;
0221     int ret;
0222
0223     pr_devel("==>%s()\n", __func__);
0224
0225     ret = software_key_determine_akcipher(pkey, params->encoding,
0226                           params->hash_algo, alg_name);
0227     if (ret < 0)
0228         return ret;
0229
0230     tfm = crypto_alloc_akcipher(alg_name, 0, 0);
0231     if (IS_ERR(tfm))
0232         return PTR_ERR(tfm);
0233
0234     ret = -ENOMEM;
0235     req = akcipher_request_alloc(tfm, GFP_KERNEL);
0236     if (!req)
0237         goto error_free_tfm;
0238
0239     key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
0240               GFP_KERNEL);
0241     if (!key)
0242         goto error_free_req;
0243
0244     memcpy(key, pkey->key, pkey->keylen);
0245     ptr = key + pkey->keylen;
0246     ptr = pkey_pack_u32(ptr, pkey->algo);
0247     ptr = pkey_pack_u32(ptr, pkey->paramlen);
0248     memcpy(ptr, pkey->params, pkey->paramlen);
0249
0250     if (pkey->key_is_private)
0251         ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
0252     else
0253         ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
0254     if (ret)
0255         goto error_free_key;
0256
0257     sg_init_one(&in_sg, in, params->in_len);
0258     sg_init_one(&out_sg, out, params->out_len);
0259     akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
0260                    params->out_len);
0261     crypto_init_wait(&cwait);
0262     akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
0263                       CRYPTO_TFM_REQ_MAY_SLEEP,
0264                       crypto_req_done, &cwait);
0265
0266     /* Perform the encryption calculation. */
0267     switch (params->op) {
0268     case kernel_pkey_encrypt:
0269         ret = crypto_akcipher_encrypt(req);
0270         break;
0271     case kernel_pkey_decrypt:
0272         ret = crypto_akcipher_decrypt(req);
0273         break;
0274     case kernel_pkey_sign:
0275         ret = crypto_akcipher_sign(req);
0276         break;
0277     default:
0278         BUG();
0279     }
0280
0281     ret = crypto_wait_req(ret, &cwait);
0282     if (ret == 0)
0283         ret = req->dst_len;
0284
0285 error_free_key:
0286     kfree(key);
0287 error_free_req:
0288     akcipher_request_free(req);
0289 error_free_tfm:
0290     crypto_free_akcipher(tfm);
0291     pr_devel("<==%s() = %d\n", __func__, ret);
0292     return ret;
0293 }
0294
0295 #if IS_REACHABLE(CONFIG_CRYPTO_SM2)
0296 static int cert_sig_digest_update(const struct public_key_signature *sig,
0297                   struct crypto_akcipher *tfm_pkey)
0298 {
0299     struct crypto_shash *tfm;
0300     struct shash_desc *desc;
0301     size_t desc_size;
0302     unsigned char dgst[SM3_DIGEST_SIZE];
0303     int ret;
0304
0305     BUG_ON(!sig->data);
0306
0307     /* SM2 signatures always use the SM3 hash algorithm */
0308     if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0)
0309         return -EINVAL;
0310
0311     ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID,
0312                     SM2_DEFAULT_USERID_LEN, dgst);
0313     if (ret)
0314         return ret;
0315
0316     tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
0317     if (IS_ERR(tfm))
0318         return PTR_ERR(tfm);
0319
0320     desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
0321     desc = kzalloc(desc_size, GFP_KERNEL);
0322     if (!desc) {
0323         ret = -ENOMEM;
0324         goto error_free_tfm;
0325     }
0326
0327     desc->tfm = tfm;
0328
0329     ret = crypto_shash_init(desc);
0330     if (ret < 0)
0331         goto error_free_desc;
0332
0333     ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE);
0334     if (ret < 0)
0335         goto error_free_desc;
0336
0337     ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest);
0338
0339 error_free_desc:
0340     kfree(desc);
0341 error_free_tfm:
0342     crypto_free_shash(tfm);
0343     return ret;
0344 }
0345 #else
0346 static inline int cert_sig_digest_update(
0347     const struct public_key_signature *sig,
0348     struct crypto_akcipher *tfm_pkey)
0349 {
0350     return -ENOTSUPP;
0351 }
0352 #endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */
0353
0354 /*
0355  * Verify a signature using a public key.
0356  */
0357 int public_key_verify_signature(const struct public_key *pkey,
0358                 const struct public_key_signature *sig)
0359 {
0360     struct crypto_wait cwait;
0361     struct crypto_akcipher *tfm;
0362     struct akcipher_request *req;
0363     struct scatterlist src_sg[2];
0364     char alg_name[CRYPTO_MAX_ALG_NAME];
0365     char *key, *ptr;
0366     int ret;
0367
0368     pr_devel("==>%s()\n", __func__);
0369
0370     BUG_ON(!pkey);
0371     BUG_ON(!sig);
0372     BUG_ON(!sig->s);
0373
0374     /*
0375      * If the signature specifies a public key algorithm, it *must* match
0376      * the key's actual public key algorithm.
0377      *
0378      * Small exception: ECDSA signatures don't specify the curve, but ECDSA
0379      * keys do.  So the strings can mismatch slightly in that case:
0380      * "ecdsa-nist-*" for the key, but "ecdsa" for the signature.
0381      */
0382     if (sig->pkey_algo) {
0383         if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 &&
0384             (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 ||
0385              strcmp(sig->pkey_algo, "ecdsa") != 0))
0386             return -EKEYREJECTED;
0387     }
0388
0389     ret = software_key_determine_akcipher(pkey, sig->encoding,
0390                           sig->hash_algo, alg_name);
0391     if (ret < 0)
0392         return ret;
0393
0394     tfm = crypto_alloc_akcipher(alg_name, 0, 0);
0395     if (IS_ERR(tfm))
0396         return PTR_ERR(tfm);
0397
0398     ret = -ENOMEM;
0399     req = akcipher_request_alloc(tfm, GFP_KERNEL);
0400     if (!req)
0401         goto error_free_tfm;
0402
0403     key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
0404               GFP_KERNEL);
0405     if (!key)
0406         goto error_free_req;
0407
0408     memcpy(key, pkey->key, pkey->keylen);
0409     ptr = key + pkey->keylen;
0410     ptr = pkey_pack_u32(ptr, pkey->algo);
0411     ptr = pkey_pack_u32(ptr, pkey->paramlen);
0412     memcpy(ptr, pkey->params, pkey->paramlen);
0413
0414     if (pkey->key_is_private)
0415         ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
0416     else
0417         ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
0418     if (ret)
0419         goto error_free_key;
0420
0421     if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) {
0422         ret = cert_sig_digest_update(sig, tfm);
0423         if (ret)
0424             goto error_free_key;
0425     }
0426
0427     sg_init_table(src_sg, 2);
0428     sg_set_buf(&src_sg[0], sig->s, sig->s_size);
0429     sg_set_buf(&src_sg[1], sig->digest, sig->digest_size);
0430     akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size,
0431                    sig->digest_size);
0432     crypto_init_wait(&cwait);
0433     akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
0434                       CRYPTO_TFM_REQ_MAY_SLEEP,
0435                       crypto_req_done, &cwait);
0436     ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
0437
0438 error_free_key:
0439     kfree(key);
0440 error_free_req:
0441     akcipher_request_free(req);
0442 error_free_tfm:
0443     crypto_free_akcipher(tfm);
0444     pr_devel("<==%s() = %d\n", __func__, ret);
0445     if (WARN_ON_ONCE(ret > 0))
0446         ret = -EINVAL;
0447     return ret;
0448 }
0449 EXPORT_SYMBOL_GPL(public_key_verify_signature);
0450
0451 static int public_key_verify_signature_2(const struct key *key,
0452                      const struct public_key_signature *sig)
0453 {
0454     const struct public_key *pk = key->payload.data[asym_crypto];
0455     return public_key_verify_signature(pk, sig);
0456 }
0457
0458 /*
0459  * Public key algorithm asymmetric key subtype
0460  */
0461 struct asymmetric_key_subtype public_key_subtype = {
0462     .owner          = THIS_MODULE,
0463     .name           = "public_key",
0464     .name_len       = sizeof("public_key") - 1,
0465     .describe       = public_key_describe,
0466     .destroy        = public_key_destroy,
0467     .query          = software_key_query,
0468     .eds_op         = software_key_eds_op,
0469     .verify_signature   = public_key_verify_signature_2,
0470 };
0471 EXPORT_SYMBOL_GPL(public_key_subtype);