1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* In-software asymmetric public-key crypto subtype |
3 | * |
4 | * See Documentation/crypto/asymmetric-keys.rst |
5 | * |
6 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
7 | * Written by David Howells (dhowells@redhat.com) |
8 | */ |
9 | |
10 | #define pr_fmt(fmt) "PKEY: "fmt |
11 | #include <crypto/akcipher.h> |
12 | #include <crypto/public_key.h> |
13 | #include <crypto/sig.h> |
14 | #include <keys/asymmetric-subtype.h> |
15 | #include <linux/asn1.h> |
16 | #include <linux/err.h> |
17 | #include <linux/kernel.h> |
18 | #include <linux/module.h> |
19 | #include <linux/seq_file.h> |
20 | #include <linux/slab.h> |
21 | #include <linux/string.h> |
22 | |
23 | MODULE_DESCRIPTION("In-software asymmetric public-key subtype" ); |
24 | MODULE_AUTHOR("Red Hat, Inc." ); |
25 | MODULE_LICENSE("GPL" ); |
26 | |
27 | /* |
28 | * Provide a part of a description of the key for /proc/keys. |
29 | */ |
30 | static void public_key_describe(const struct key *asymmetric_key, |
31 | struct seq_file *m) |
32 | { |
33 | struct public_key *key = asymmetric_key->payload.data[asym_crypto]; |
34 | |
35 | if (key) |
36 | seq_printf(m, fmt: "%s.%s" , key->id_type, key->pkey_algo); |
37 | } |
38 | |
39 | /* |
40 | * Destroy a public key algorithm key. |
41 | */ |
42 | void public_key_free(struct public_key *key) |
43 | { |
44 | if (key) { |
45 | kfree_sensitive(objp: key->key); |
46 | kfree(objp: key->params); |
47 | kfree(objp: key); |
48 | } |
49 | } |
50 | EXPORT_SYMBOL_GPL(public_key_free); |
51 | |
52 | /* |
53 | * Destroy a public key algorithm key. |
54 | */ |
55 | static void public_key_destroy(void *payload0, void *payload3) |
56 | { |
57 | public_key_free(payload0); |
58 | public_key_signature_free(sig: payload3); |
59 | } |
60 | |
61 | /* |
62 | * Given a public_key, and an encoding and hash_algo to be used for signing |
63 | * and/or verification with that key, determine the name of the corresponding |
64 | * akcipher algorithm. Also check that encoding and hash_algo are allowed. |
65 | */ |
66 | static int |
67 | software_key_determine_akcipher(const struct public_key *pkey, |
68 | const char *encoding, const char *hash_algo, |
69 | char alg_name[CRYPTO_MAX_ALG_NAME], bool *sig, |
70 | enum kernel_pkey_operation op) |
71 | { |
72 | int n; |
73 | |
74 | *sig = true; |
75 | |
76 | if (!encoding) |
77 | return -EINVAL; |
78 | |
79 | if (strcmp(pkey->pkey_algo, "rsa" ) == 0) { |
80 | /* |
81 | * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. |
82 | */ |
83 | if (strcmp(encoding, "pkcs1" ) == 0) { |
84 | *sig = op == kernel_pkey_sign || |
85 | op == kernel_pkey_verify; |
86 | if (!hash_algo) { |
87 | n = snprintf(buf: alg_name, CRYPTO_MAX_ALG_NAME, |
88 | fmt: "pkcs1pad(%s)" , |
89 | pkey->pkey_algo); |
90 | } else { |
91 | n = snprintf(buf: alg_name, CRYPTO_MAX_ALG_NAME, |
92 | fmt: "pkcs1pad(%s,%s)" , |
93 | pkey->pkey_algo, hash_algo); |
94 | } |
95 | return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; |
96 | } |
97 | if (strcmp(encoding, "raw" ) != 0) |
98 | return -EINVAL; |
99 | /* |
100 | * Raw RSA cannot differentiate between different hash |
101 | * algorithms. |
102 | */ |
103 | if (hash_algo) |
104 | return -EINVAL; |
105 | *sig = false; |
106 | } else if (strncmp(pkey->pkey_algo, "ecdsa" , 5) == 0) { |
107 | if (strcmp(encoding, "x962" ) != 0) |
108 | return -EINVAL; |
109 | /* |
110 | * ECDSA signatures are taken over a raw hash, so they don't |
111 | * differentiate between different hash algorithms. That means |
112 | * that the verifier should hard-code a specific hash algorithm. |
113 | * Unfortunately, in practice ECDSA is used with multiple SHAs, |
114 | * so we have to allow all of them and not just one. |
115 | */ |
116 | if (!hash_algo) |
117 | return -EINVAL; |
118 | if (strcmp(hash_algo, "sha224" ) != 0 && |
119 | strcmp(hash_algo, "sha256" ) != 0 && |
120 | strcmp(hash_algo, "sha384" ) != 0 && |
121 | strcmp(hash_algo, "sha512" ) != 0 && |
122 | strcmp(hash_algo, "sha3-256" ) != 0 && |
123 | strcmp(hash_algo, "sha3-384" ) != 0 && |
124 | strcmp(hash_algo, "sha3-512" ) != 0) |
125 | return -EINVAL; |
126 | } else if (strcmp(pkey->pkey_algo, "sm2" ) == 0) { |
127 | if (strcmp(encoding, "raw" ) != 0) |
128 | return -EINVAL; |
129 | if (!hash_algo) |
130 | return -EINVAL; |
131 | if (strcmp(hash_algo, "sm3" ) != 0) |
132 | return -EINVAL; |
133 | } else if (strcmp(pkey->pkey_algo, "ecrdsa" ) == 0) { |
134 | if (strcmp(encoding, "raw" ) != 0) |
135 | return -EINVAL; |
136 | if (!hash_algo) |
137 | return -EINVAL; |
138 | if (strcmp(hash_algo, "streebog256" ) != 0 && |
139 | strcmp(hash_algo, "streebog512" ) != 0) |
140 | return -EINVAL; |
141 | } else { |
142 | /* Unknown public key algorithm */ |
143 | return -ENOPKG; |
144 | } |
145 | if (strscpy(p: alg_name, q: pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) |
146 | return -EINVAL; |
147 | return 0; |
148 | } |
149 | |
150 | static u8 *pkey_pack_u32(u8 *dst, u32 val) |
151 | { |
152 | memcpy(dst, &val, sizeof(val)); |
153 | return dst + sizeof(val); |
154 | } |
155 | |
156 | /* |
157 | * Query information about a key. |
158 | */ |
159 | static int software_key_query(const struct kernel_pkey_params *params, |
160 | struct kernel_pkey_query *info) |
161 | { |
162 | struct crypto_akcipher *tfm; |
163 | struct public_key *pkey = params->key->payload.data[asym_crypto]; |
164 | char alg_name[CRYPTO_MAX_ALG_NAME]; |
165 | struct crypto_sig *sig; |
166 | u8 *key, *ptr; |
167 | int ret, len; |
168 | bool issig; |
169 | |
170 | ret = software_key_determine_akcipher(pkey, encoding: params->encoding, |
171 | hash_algo: params->hash_algo, alg_name, |
172 | sig: &issig, op: kernel_pkey_sign); |
173 | if (ret < 0) |
174 | return ret; |
175 | |
176 | key = kmalloc(size: pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, |
177 | GFP_KERNEL); |
178 | if (!key) |
179 | return -ENOMEM; |
180 | |
181 | memcpy(key, pkey->key, pkey->keylen); |
182 | ptr = key + pkey->keylen; |
183 | ptr = pkey_pack_u32(dst: ptr, val: pkey->algo); |
184 | ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen); |
185 | memcpy(ptr, pkey->params, pkey->paramlen); |
186 | |
187 | if (issig) { |
188 | sig = crypto_alloc_sig(alg_name, type: 0, mask: 0); |
189 | if (IS_ERR(ptr: sig)) { |
190 | ret = PTR_ERR(ptr: sig); |
191 | goto error_free_key; |
192 | } |
193 | |
194 | if (pkey->key_is_private) |
195 | ret = crypto_sig_set_privkey(tfm: sig, key, keylen: pkey->keylen); |
196 | else |
197 | ret = crypto_sig_set_pubkey(tfm: sig, key, keylen: pkey->keylen); |
198 | if (ret < 0) |
199 | goto error_free_tfm; |
200 | |
201 | len = crypto_sig_maxsize(tfm: sig); |
202 | |
203 | info->supported_ops = KEYCTL_SUPPORTS_VERIFY; |
204 | if (pkey->key_is_private) |
205 | info->supported_ops |= KEYCTL_SUPPORTS_SIGN; |
206 | |
207 | if (strcmp(params->encoding, "pkcs1" ) == 0) { |
208 | info->supported_ops |= KEYCTL_SUPPORTS_ENCRYPT; |
209 | if (pkey->key_is_private) |
210 | info->supported_ops |= KEYCTL_SUPPORTS_DECRYPT; |
211 | } |
212 | } else { |
213 | tfm = crypto_alloc_akcipher(alg_name, type: 0, mask: 0); |
214 | if (IS_ERR(ptr: tfm)) { |
215 | ret = PTR_ERR(ptr: tfm); |
216 | goto error_free_key; |
217 | } |
218 | |
219 | if (pkey->key_is_private) |
220 | ret = crypto_akcipher_set_priv_key(tfm, key, keylen: pkey->keylen); |
221 | else |
222 | ret = crypto_akcipher_set_pub_key(tfm, key, keylen: pkey->keylen); |
223 | if (ret < 0) |
224 | goto error_free_tfm; |
225 | |
226 | len = crypto_akcipher_maxsize(tfm); |
227 | |
228 | info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT; |
229 | if (pkey->key_is_private) |
230 | info->supported_ops |= KEYCTL_SUPPORTS_DECRYPT; |
231 | } |
232 | |
233 | info->key_size = len * 8; |
234 | |
235 | if (strncmp(pkey->pkey_algo, "ecdsa" , 5) == 0) { |
236 | /* |
237 | * ECDSA key sizes are much smaller than RSA, and thus could |
238 | * operate on (hashed) inputs that are larger than key size. |
239 | * For example SHA384-hashed input used with secp256r1 |
240 | * based keys. Set max_data_size to be at least as large as |
241 | * the largest supported hash size (SHA512) |
242 | */ |
243 | info->max_data_size = 64; |
244 | |
245 | /* |
246 | * Verify takes ECDSA-Sig (described in RFC 5480) as input, |
247 | * which is actually 2 'key_size'-bit integers encoded in |
248 | * ASN.1. Account for the ASN.1 encoding overhead here. |
249 | */ |
250 | info->max_sig_size = 2 * (len + 3) + 2; |
251 | } else { |
252 | info->max_data_size = len; |
253 | info->max_sig_size = len; |
254 | } |
255 | |
256 | info->max_enc_size = len; |
257 | info->max_dec_size = len; |
258 | |
259 | ret = 0; |
260 | |
261 | error_free_tfm: |
262 | if (issig) |
263 | crypto_free_sig(tfm: sig); |
264 | else |
265 | crypto_free_akcipher(tfm); |
266 | error_free_key: |
267 | kfree_sensitive(objp: key); |
268 | pr_devel("<==%s() = %d\n" , __func__, ret); |
269 | return ret; |
270 | } |
271 | |
272 | /* |
273 | * Do encryption, decryption and signing ops. |
274 | */ |
275 | static int software_key_eds_op(struct kernel_pkey_params *params, |
276 | const void *in, void *out) |
277 | { |
278 | const struct public_key *pkey = params->key->payload.data[asym_crypto]; |
279 | char alg_name[CRYPTO_MAX_ALG_NAME]; |
280 | struct crypto_akcipher *tfm; |
281 | struct crypto_sig *sig; |
282 | char *key, *ptr; |
283 | bool issig; |
284 | int ksz; |
285 | int ret; |
286 | |
287 | pr_devel("==>%s()\n" , __func__); |
288 | |
289 | ret = software_key_determine_akcipher(pkey, encoding: params->encoding, |
290 | hash_algo: params->hash_algo, alg_name, |
291 | sig: &issig, op: params->op); |
292 | if (ret < 0) |
293 | return ret; |
294 | |
295 | key = kmalloc(size: pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, |
296 | GFP_KERNEL); |
297 | if (!key) |
298 | return -ENOMEM; |
299 | |
300 | memcpy(key, pkey->key, pkey->keylen); |
301 | ptr = key + pkey->keylen; |
302 | ptr = pkey_pack_u32(dst: ptr, val: pkey->algo); |
303 | ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen); |
304 | memcpy(ptr, pkey->params, pkey->paramlen); |
305 | |
306 | if (issig) { |
307 | sig = crypto_alloc_sig(alg_name, type: 0, mask: 0); |
308 | if (IS_ERR(ptr: sig)) { |
309 | ret = PTR_ERR(ptr: sig); |
310 | goto error_free_key; |
311 | } |
312 | |
313 | if (pkey->key_is_private) |
314 | ret = crypto_sig_set_privkey(tfm: sig, key, keylen: pkey->keylen); |
315 | else |
316 | ret = crypto_sig_set_pubkey(tfm: sig, key, keylen: pkey->keylen); |
317 | if (ret) |
318 | goto error_free_tfm; |
319 | |
320 | ksz = crypto_sig_maxsize(tfm: sig); |
321 | } else { |
322 | tfm = crypto_alloc_akcipher(alg_name, type: 0, mask: 0); |
323 | if (IS_ERR(ptr: tfm)) { |
324 | ret = PTR_ERR(ptr: tfm); |
325 | goto error_free_key; |
326 | } |
327 | |
328 | if (pkey->key_is_private) |
329 | ret = crypto_akcipher_set_priv_key(tfm, key, keylen: pkey->keylen); |
330 | else |
331 | ret = crypto_akcipher_set_pub_key(tfm, key, keylen: pkey->keylen); |
332 | if (ret) |
333 | goto error_free_tfm; |
334 | |
335 | ksz = crypto_akcipher_maxsize(tfm); |
336 | } |
337 | |
338 | ret = -EINVAL; |
339 | |
340 | /* Perform the encryption calculation. */ |
341 | switch (params->op) { |
342 | case kernel_pkey_encrypt: |
343 | if (issig) |
344 | break; |
345 | ret = crypto_akcipher_sync_encrypt(tfm, src: in, slen: params->in_len, |
346 | dst: out, dlen: params->out_len); |
347 | break; |
348 | case kernel_pkey_decrypt: |
349 | if (issig) |
350 | break; |
351 | ret = crypto_akcipher_sync_decrypt(tfm, src: in, slen: params->in_len, |
352 | dst: out, dlen: params->out_len); |
353 | break; |
354 | case kernel_pkey_sign: |
355 | if (!issig) |
356 | break; |
357 | ret = crypto_sig_sign(tfm: sig, src: in, slen: params->in_len, |
358 | dst: out, dlen: params->out_len); |
359 | break; |
360 | default: |
361 | BUG(); |
362 | } |
363 | |
364 | if (ret == 0) |
365 | ret = ksz; |
366 | |
367 | error_free_tfm: |
368 | if (issig) |
369 | crypto_free_sig(tfm: sig); |
370 | else |
371 | crypto_free_akcipher(tfm); |
372 | error_free_key: |
373 | kfree_sensitive(objp: key); |
374 | pr_devel("<==%s() = %d\n" , __func__, ret); |
375 | return ret; |
376 | } |
377 | |
378 | /* |
379 | * Verify a signature using a public key. |
380 | */ |
381 | int public_key_verify_signature(const struct public_key *pkey, |
382 | const struct public_key_signature *sig) |
383 | { |
384 | char alg_name[CRYPTO_MAX_ALG_NAME]; |
385 | struct crypto_sig *tfm; |
386 | char *key, *ptr; |
387 | bool issig; |
388 | int ret; |
389 | |
390 | pr_devel("==>%s()\n" , __func__); |
391 | |
392 | BUG_ON(!pkey); |
393 | BUG_ON(!sig); |
394 | BUG_ON(!sig->s); |
395 | |
396 | /* |
397 | * If the signature specifies a public key algorithm, it *must* match |
398 | * the key's actual public key algorithm. |
399 | * |
400 | * Small exception: ECDSA signatures don't specify the curve, but ECDSA |
401 | * keys do. So the strings can mismatch slightly in that case: |
402 | * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. |
403 | */ |
404 | if (sig->pkey_algo) { |
405 | if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && |
406 | (strncmp(pkey->pkey_algo, "ecdsa-" , 6) != 0 || |
407 | strcmp(sig->pkey_algo, "ecdsa" ) != 0)) |
408 | return -EKEYREJECTED; |
409 | } |
410 | |
411 | ret = software_key_determine_akcipher(pkey, encoding: sig->encoding, |
412 | hash_algo: sig->hash_algo, alg_name, |
413 | sig: &issig, op: kernel_pkey_verify); |
414 | if (ret < 0) |
415 | return ret; |
416 | |
417 | tfm = crypto_alloc_sig(alg_name, type: 0, mask: 0); |
418 | if (IS_ERR(ptr: tfm)) |
419 | return PTR_ERR(ptr: tfm); |
420 | |
421 | key = kmalloc(size: pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, |
422 | GFP_KERNEL); |
423 | if (!key) { |
424 | ret = -ENOMEM; |
425 | goto error_free_tfm; |
426 | } |
427 | |
428 | memcpy(key, pkey->key, pkey->keylen); |
429 | ptr = key + pkey->keylen; |
430 | ptr = pkey_pack_u32(dst: ptr, val: pkey->algo); |
431 | ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen); |
432 | memcpy(ptr, pkey->params, pkey->paramlen); |
433 | |
434 | if (pkey->key_is_private) |
435 | ret = crypto_sig_set_privkey(tfm, key, keylen: pkey->keylen); |
436 | else |
437 | ret = crypto_sig_set_pubkey(tfm, key, keylen: pkey->keylen); |
438 | if (ret) |
439 | goto error_free_key; |
440 | |
441 | ret = crypto_sig_verify(tfm, src: sig->s, slen: sig->s_size, |
442 | digest: sig->digest, dlen: sig->digest_size); |
443 | |
444 | error_free_key: |
445 | kfree_sensitive(objp: key); |
446 | error_free_tfm: |
447 | crypto_free_sig(tfm); |
448 | pr_devel("<==%s() = %d\n" , __func__, ret); |
449 | if (WARN_ON_ONCE(ret > 0)) |
450 | ret = -EINVAL; |
451 | return ret; |
452 | } |
453 | EXPORT_SYMBOL_GPL(public_key_verify_signature); |
454 | |
455 | static int public_key_verify_signature_2(const struct key *key, |
456 | const struct public_key_signature *sig) |
457 | { |
458 | const struct public_key *pk = key->payload.data[asym_crypto]; |
459 | return public_key_verify_signature(pk, sig); |
460 | } |
461 | |
462 | /* |
463 | * Public key algorithm asymmetric key subtype |
464 | */ |
465 | struct asymmetric_key_subtype public_key_subtype = { |
466 | .owner = THIS_MODULE, |
467 | .name = "public_key" , |
468 | .name_len = sizeof("public_key" ) - 1, |
469 | .describe = public_key_describe, |
470 | .destroy = public_key_destroy, |
471 | .query = software_key_query, |
472 | .eds_op = software_key_eds_op, |
473 | .verify_signature = public_key_verify_signature_2, |
474 | }; |
475 | EXPORT_SYMBOL_GPL(public_key_subtype); |
476 | |