1// SPDX-License-Identifier: GPL-2.0-or-later
  2/* In-software asymmetric public-key crypto subtype
  3 *
  4 * See Documentation/crypto/asymmetric-keys.rst
  5 *
  6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
  7 * Written by David Howells (dhowells@redhat.com)
  8 */
  9
 10#define pr_fmt(fmt) "PKEY: "fmt
 11#include <linux/module.h>
 12#include <linux/export.h>
 13#include <linux/kernel.h>
 14#include <linux/slab.h>
 15#include <linux/seq_file.h>
 16#include <linux/scatterlist.h>
 17#include <linux/asn1.h>
 18#include <keys/asymmetric-subtype.h>
 19#include <crypto/public_key.h>
 20#include <crypto/akcipher.h>
 21#include <crypto/sm2.h>
 22#include <crypto/sm3_base.h>
 23
 24MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
 25MODULE_AUTHOR("Red Hat, Inc.");
 26MODULE_LICENSE("GPL");
 27
 28/*
 29 * Provide a part of a description of the key for /proc/keys.
 30 */
 31static void public_key_describe(const struct key *asymmetric_key,
 32				struct seq_file *m)
 33{
 34	struct public_key *key = asymmetric_key->payload.data[asym_crypto];
 35
 36	if (key)
 37		seq_printf(m, "%s.%s", key->id_type, key->pkey_algo);
 38}
 39
 40/*
 41 * Destroy a public key algorithm key.
 42 */
 43void public_key_free(struct public_key *key)
 44{
 45	if (key) {
 46		kfree(key->key);
 47		kfree(key->params);
 48		kfree(key);
 49	}
 50}
 51EXPORT_SYMBOL_GPL(public_key_free);
 52
 53/*
 54 * Destroy a public key algorithm key.
 55 */
 56static void public_key_destroy(void *payload0, void *payload3)
 57{
 58	public_key_free(payload0);
 59	public_key_signature_free(payload3);
 60}
 61
 62/*
 63 * Given a public_key, and an encoding and hash_algo to be used for signing
 64 * and/or verification with that key, determine the name of the corresponding
 65 * akcipher algorithm.  Also check that encoding and hash_algo are allowed.
 66 */
 67static int
 68software_key_determine_akcipher(const struct public_key *pkey,
 69				const char *encoding, const char *hash_algo,
 70				char alg_name[CRYPTO_MAX_ALG_NAME])
 71{
 72	int n;
 73
 74	if (!encoding)
 75		return -EINVAL;
 76
 77	if (strcmp(pkey->pkey_algo, "rsa") == 0) {
 78		/*
 79		 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2].
 80		 */
 81		if (strcmp(encoding, "pkcs1") == 0) {
 82			if (!hash_algo)
 83				n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
 84					     "pkcs1pad(%s)",
 85					     pkey->pkey_algo);
 86			else
 87				n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
 88					     "pkcs1pad(%s,%s)",
 89					     pkey->pkey_algo, hash_algo);
 90			return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
 91		}
 92		if (strcmp(encoding, "raw") != 0)
 93			return -EINVAL;
 94		/*
 95		 * Raw RSA cannot differentiate between different hash
 96		 * algorithms.
 97		 */
 98		if (hash_algo)
 99			return -EINVAL;
100	} else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) {
101		if (strcmp(encoding, "x962") != 0)
102			return -EINVAL;
103		/*
104		 * ECDSA signatures are taken over a raw hash, so they don't
105		 * differentiate between different hash algorithms.  That means
106		 * that the verifier should hard-code a specific hash algorithm.
107		 * Unfortunately, in practice ECDSA is used with multiple SHAs,
108		 * so we have to allow all of them and not just one.
109		 */
110		if (!hash_algo)
111			return -EINVAL;
112		if (strcmp(hash_algo, "sha1") != 0 &&
113		    strcmp(hash_algo, "sha224") != 0 &&
114		    strcmp(hash_algo, "sha256") != 0 &&
115		    strcmp(hash_algo, "sha384") != 0 &&
116		    strcmp(hash_algo, "sha512") != 0)
117			return -EINVAL;
118	} else if (strcmp(pkey->pkey_algo, "sm2") == 0) {
119		if (strcmp(encoding, "raw") != 0)
120			return -EINVAL;
121		if (!hash_algo)
122			return -EINVAL;
123		if (strcmp(hash_algo, "sm3") != 0)
124			return -EINVAL;
125	} else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) {
126		if (strcmp(encoding, "raw") != 0)
127			return -EINVAL;
128		if (!hash_algo)
129			return -EINVAL;
130		if (strcmp(hash_algo, "streebog256") != 0 &&
131		    strcmp(hash_algo, "streebog512") != 0)
132			return -EINVAL;
133	} else {
134		/* Unknown public key algorithm */
135		return -ENOPKG;
136	}
137	if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0)
138		return -EINVAL;
139	return 0;
140}
141
142static u8 *pkey_pack_u32(u8 *dst, u32 val)
143{
144	memcpy(dst, &val, sizeof(val));
145	return dst + sizeof(val);
146}
147
148/*
149 * Query information about a key.
150 */
151static int software_key_query(const struct kernel_pkey_params *params,
152			      struct kernel_pkey_query *info)
153{
154	struct crypto_akcipher *tfm;
155	struct public_key *pkey = params->key->payload.data[asym_crypto];
156	char alg_name[CRYPTO_MAX_ALG_NAME];
157	u8 *key, *ptr;
158	int ret, len;
159
160	ret = software_key_determine_akcipher(pkey, params->encoding,
161					      params->hash_algo, alg_name);
162	if (ret < 0)
163		return ret;
164
165	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
166	if (IS_ERR(tfm))
167		return PTR_ERR(tfm);
168
169	ret = -ENOMEM;
170	key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
171		      GFP_KERNEL);
172	if (!key)
173		goto error_free_tfm;
174	memcpy(key, pkey->key, pkey->keylen);
175	ptr = key + pkey->keylen;
176	ptr = pkey_pack_u32(ptr, pkey->algo);
177	ptr = pkey_pack_u32(ptr, pkey->paramlen);
178	memcpy(ptr, pkey->params, pkey->paramlen);
179
180	if (pkey->key_is_private)
181		ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
182	else
183		ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
184	if (ret < 0)
185		goto error_free_key;
186
187	len = crypto_akcipher_maxsize(tfm);
188	info->key_size = len * 8;
189	info->max_data_size = len;
190	info->max_sig_size = len;
191	info->max_enc_size = len;
192	info->max_dec_size = len;
193	info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |
194			       KEYCTL_SUPPORTS_VERIFY);
195	if (pkey->key_is_private)
196		info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT |
197					KEYCTL_SUPPORTS_SIGN);
198	ret = 0;
199
200error_free_key:
201	kfree(key);
202error_free_tfm:
203	crypto_free_akcipher(tfm);
204	pr_devel("<==%s() = %d\n", __func__, ret);
205	return ret;
206}
207
208/*
209 * Do encryption, decryption and signing ops.
210 */
211static int software_key_eds_op(struct kernel_pkey_params *params,
212			       const void *in, void *out)
213{
214	const struct public_key *pkey = params->key->payload.data[asym_crypto];
215	struct akcipher_request *req;
216	struct crypto_akcipher *tfm;
217	struct crypto_wait cwait;
218	struct scatterlist in_sg, out_sg;
219	char alg_name[CRYPTO_MAX_ALG_NAME];
220	char *key, *ptr;
221	int ret;
222
223	pr_devel("==>%s()\n", __func__);
224
225	ret = software_key_determine_akcipher(pkey, params->encoding,
226					      params->hash_algo, alg_name);
227	if (ret < 0)
228		return ret;
229
230	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
231	if (IS_ERR(tfm))
232		return PTR_ERR(tfm);
233
234	ret = -ENOMEM;
235	req = akcipher_request_alloc(tfm, GFP_KERNEL);
236	if (!req)
237		goto error_free_tfm;
238
239	key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
240		      GFP_KERNEL);
241	if (!key)
242		goto error_free_req;
243
244	memcpy(key, pkey->key, pkey->keylen);
245	ptr = key + pkey->keylen;
246	ptr = pkey_pack_u32(ptr, pkey->algo);
247	ptr = pkey_pack_u32(ptr, pkey->paramlen);
248	memcpy(ptr, pkey->params, pkey->paramlen);
249
250	if (pkey->key_is_private)
251		ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
252	else
253		ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
254	if (ret)
255		goto error_free_key;
256
257	sg_init_one(&in_sg, in, params->in_len);
258	sg_init_one(&out_sg, out, params->out_len);
259	akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
260				   params->out_len);
261	crypto_init_wait(&cwait);
262	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
263				      CRYPTO_TFM_REQ_MAY_SLEEP,
264				      crypto_req_done, &cwait);
265
266	/* Perform the encryption calculation. */
267	switch (params->op) {
268	case kernel_pkey_encrypt:
269		ret = crypto_akcipher_encrypt(req);
270		break;
271	case kernel_pkey_decrypt:
272		ret = crypto_akcipher_decrypt(req);
273		break;
274	case kernel_pkey_sign:
275		ret = crypto_akcipher_sign(req);
276		break;
277	default:
278		BUG();
279	}
280
281	ret = crypto_wait_req(ret, &cwait);
282	if (ret == 0)
283		ret = req->dst_len;
284
285error_free_key:
286	kfree(key);
287error_free_req:
288	akcipher_request_free(req);
289error_free_tfm:
290	crypto_free_akcipher(tfm);
291	pr_devel("<==%s() = %d\n", __func__, ret);
292	return ret;
293}
294
295#if IS_REACHABLE(CONFIG_CRYPTO_SM2)
296static int cert_sig_digest_update(const struct public_key_signature *sig,
297				  struct crypto_akcipher *tfm_pkey)
298{
299	struct crypto_shash *tfm;
300	struct shash_desc *desc;
301	size_t desc_size;
302	unsigned char dgst[SM3_DIGEST_SIZE];
303	int ret;
304
305	BUG_ON(!sig->data);
306
307	/* SM2 signatures always use the SM3 hash algorithm */
308	if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0)
309		return -EINVAL;
310
311	ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID,
312					SM2_DEFAULT_USERID_LEN, dgst);
313	if (ret)
314		return ret;
315
316	tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
317	if (IS_ERR(tfm))
318		return PTR_ERR(tfm);
319
320	desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
321	desc = kzalloc(desc_size, GFP_KERNEL);
322	if (!desc) {
323		ret = -ENOMEM;
324		goto error_free_tfm;
325	}
326
327	desc->tfm = tfm;
328
329	ret = crypto_shash_init(desc);
330	if (ret < 0)
331		goto error_free_desc;
332
333	ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE);
334	if (ret < 0)
335		goto error_free_desc;
336
337	ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest);
338
339error_free_desc:
340	kfree(desc);
341error_free_tfm:
342	crypto_free_shash(tfm);
343	return ret;
344}
345#else
346static inline int cert_sig_digest_update(
347	const struct public_key_signature *sig,
348	struct crypto_akcipher *tfm_pkey)
349{
350	return -ENOTSUPP;
351}
352#endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */
353
354/*
355 * Verify a signature using a public key.
356 */
357int public_key_verify_signature(const struct public_key *pkey,
358				const struct public_key_signature *sig)
359{
360	struct crypto_wait cwait;
361	struct crypto_akcipher *tfm;
362	struct akcipher_request *req;
363	struct scatterlist src_sg[2];
364	char alg_name[CRYPTO_MAX_ALG_NAME];
365	char *key, *ptr;
366	int ret;
367
368	pr_devel("==>%s()\n", __func__);
369
370	BUG_ON(!pkey);
371	BUG_ON(!sig);
372	BUG_ON(!sig->s);
373
374	/*
375	 * If the signature specifies a public key algorithm, it *must* match
376	 * the key's actual public key algorithm.
377	 *
378	 * Small exception: ECDSA signatures don't specify the curve, but ECDSA
379	 * keys do.  So the strings can mismatch slightly in that case:
380	 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature.
381	 */
382	if (sig->pkey_algo) {
383		if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 &&
384		    (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 ||
385		     strcmp(sig->pkey_algo, "ecdsa") != 0))
386			return -EKEYREJECTED;
387	}
388
389	ret = software_key_determine_akcipher(pkey, sig->encoding,
390					      sig->hash_algo, alg_name);
391	if (ret < 0)
392		return ret;
393
394	tfm = crypto_alloc_akcipher(alg_name, 0, 0);
395	if (IS_ERR(tfm))
396		return PTR_ERR(tfm);
397
398	ret = -ENOMEM;
399	req = akcipher_request_alloc(tfm, GFP_KERNEL);
400	if (!req)
401		goto error_free_tfm;
402
403	key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
404		      GFP_KERNEL);
405	if (!key)
406		goto error_free_req;
407
408	memcpy(key, pkey->key, pkey->keylen);
409	ptr = key + pkey->keylen;
410	ptr = pkey_pack_u32(ptr, pkey->algo);
411	ptr = pkey_pack_u32(ptr, pkey->paramlen);
412	memcpy(ptr, pkey->params, pkey->paramlen);
413
414	if (pkey->key_is_private)
415		ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
416	else
417		ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
418	if (ret)
419		goto error_free_key;
420
421	if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) {
422		ret = cert_sig_digest_update(sig, tfm);
423		if (ret)
424			goto error_free_key;
425	}
426
427	sg_init_table(src_sg, 2);
428	sg_set_buf(&src_sg[0], sig->s, sig->s_size);
429	sg_set_buf(&src_sg[1], sig->digest, sig->digest_size);
430	akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size,
431				   sig->digest_size);
432	crypto_init_wait(&cwait);
433	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
434				      CRYPTO_TFM_REQ_MAY_SLEEP,
435				      crypto_req_done, &cwait);
436	ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
437
438error_free_key:
439	kfree(key);
440error_free_req:
441	akcipher_request_free(req);
442error_free_tfm:
443	crypto_free_akcipher(tfm);
444	pr_devel("<==%s() = %d\n", __func__, ret);
445	if (WARN_ON_ONCE(ret > 0))
446		ret = -EINVAL;
447	return ret;
448}
449EXPORT_SYMBOL_GPL(public_key_verify_signature);
450
451static int public_key_verify_signature_2(const struct key *key,
452					 const struct public_key_signature *sig)
453{
454	const struct public_key *pk = key->payload.data[asym_crypto];
455	return public_key_verify_signature(pk, sig);
456}
457
458/*
459 * Public key algorithm asymmetric key subtype
460 */
461struct asymmetric_key_subtype public_key_subtype = {
462	.owner			= THIS_MODULE,
463	.name			= "public_key",
464	.name_len		= sizeof("public_key") - 1,
465	.describe		= public_key_describe,
466	.destroy		= public_key_destroy,
467	.query			= software_key_query,
468	.eds_op			= software_key_eds_op,
469	.verify_signature	= public_key_verify_signature_2,
470};
471EXPORT_SYMBOL_GPL(public_key_subtype);