[linux-block.git] / security / keys / dh.c

// SPDX-License-Identifier: GPL-2.0-or-later
/* Crypto operations using stored keys
 *
 * Copyright (c) 2016, Intel Corporation
 */

#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/scatterlist.h>
#include <linux/crypto.h>
#include <crypto/hash.h>
#include <crypto/kpp.h>
#include <crypto/dh.h>
#include <crypto/kdf_sp800108.h>
#include <keys/user-type.h>
#include "internal.h"

static ssize_t dh_data_from_key(key_serial_t keyid, const void **data)
{
	struct key *key;
	key_ref_t key_ref;
	long status;
	ssize_t ret;

	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	if (IS_ERR(key_ref)) {
		ret = -ENOKEY;
		goto error;
	}

	key = key_ref_to_ptr(key_ref);

	ret = -EOPNOTSUPP;
	if (key->type == &key_type_user) {
		down_read(&key->sem);
		status = key_validate(key);
		if (status == 0) {
			const struct user_key_payload *payload;
			uint8_t *duplicate;

			payload = user_key_payload_locked(key);

			duplicate = kmemdup(payload->data, payload->datalen,
					    GFP_KERNEL);
			if (duplicate) {
				*data = duplicate;
				ret = payload->datalen;
			} else {
				ret = -ENOMEM;
			}
		}
		up_read(&key->sem);
	}

	key_put(key);
error:
	return ret;
}

static void dh_free_data(struct dh *dh)
{
	kfree_sensitive(dh->key);
	kfree_sensitive(dh->p);
	kfree_sensitive(dh->g);
}

struct dh_completion {
	struct completion completion;
	int err;
};

static void dh_crypto_done(struct crypto_async_request *req, int err)
{
	struct dh_completion *compl = req->data;

	if (err == -EINPROGRESS)
		return;

	compl->err = err;
	complete(&compl->completion);
}

static int kdf_alloc(struct crypto_shash **hash, char *hashname)
{
	struct crypto_shash *tfm;

	/* allocate synchronous hash */
	tfm = crypto_alloc_shash(hashname, 0, 0);
	if (IS_ERR(tfm)) {
		pr_info("could not allocate digest TFM handle %s\n", hashname);
		return PTR_ERR(tfm);
	}

	if (crypto_shash_digestsize(tfm) == 0) {
		crypto_free_shash(tfm);
		return -EINVAL;
	}

	*hash = tfm;

	return 0;
}

static void kdf_dealloc(struct crypto_shash *hash)
{
	if (hash)
		crypto_free_shash(hash);
}

static int keyctl_dh_compute_kdf(struct crypto_shash *hash,
				 char __user *buffer, size_t buflen,
				 uint8_t *kbuf, size_t kbuflen)
{
	struct kvec kbuf_iov = { .iov_base = kbuf, .iov_len = kbuflen };
	uint8_t *outbuf = NULL;
	int ret;
	size_t outbuf_len = roundup(buflen, crypto_shash_digestsize(hash));

	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto err;
	}

	ret = crypto_kdf108_ctr_generate(hash, &kbuf_iov, 1, outbuf, outbuf_len);
	if (ret)
		goto err;

	ret = buflen;
	if (copy_to_user(buffer, outbuf, buflen) != 0)
		ret = -EFAULT;

err:
	kfree_sensitive(outbuf);
	return ret;
}

long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
			 char __user *buffer, size_t buflen,
			 struct keyctl_kdf_params *kdfcopy)
{
	long ret;
	ssize_t dlen;
	int secretlen;
	int outlen;
	struct keyctl_dh_params pcopy;
	struct dh dh_inputs;
	struct scatterlist outsg;
	struct dh_completion compl;
	struct crypto_kpp *tfm;
	struct kpp_request *req;
	uint8_t *secret;
	uint8_t *outbuf;
	struct crypto_shash *hash = NULL;

	if (!params || (!buffer && buflen)) {
		ret = -EINVAL;
		goto out1;
	}
	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
		ret = -EFAULT;
		goto out1;
	}

	if (kdfcopy) {
		char *hashname;

		if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
			ret = -EINVAL;
			goto out1;
		}

		if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
		    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
			ret = -EMSGSIZE;
			goto out1;
		}

		/* get KDF name string */
		hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
		if (IS_ERR(hashname)) {
			ret = PTR_ERR(hashname);
			goto out1;
		}

		/* allocate KDF from the kernel crypto API */
		ret = kdf_alloc(&hash, hashname);
		kfree(hashname);
		if (ret)
			goto out1;
	}

	memset(&dh_inputs, 0, sizeof(dh_inputs));

	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	if (dlen < 0) {
		ret = dlen;
		goto out1;
	}
	dh_inputs.p_size = dlen;

	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.g_size = dlen;

	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.key_size = dlen;

	secretlen = crypto_dh_key_len(&dh_inputs);
	secret = kmalloc(secretlen, GFP_KERNEL);
	if (!secret) {
		ret = -ENOMEM;
		goto out2;
	}
	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	if (ret)
		goto out3;

	tfm = crypto_alloc_kpp("dh", 0, 0);
	if (IS_ERR(tfm)) {
		ret = PTR_ERR(tfm);
		goto out3;
	}

	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	if (ret)
		goto out4;

	outlen = crypto_kpp_maxsize(tfm);

	if (!kdfcopy) {
		/*
		 * When not using a KDF, buflen 0 is used to read the
		 * required buffer length
		 */
		if (buflen == 0) {
			ret = outlen;
			goto out4;
		} else if (outlen > buflen) {
			ret = -EOVERFLOW;
			goto out4;
		}
	}

	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
			 GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto out4;
	}

	sg_init_one(&outsg, outbuf, outlen);

	req = kpp_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		ret = -ENOMEM;
		goto out5;
	}

	kpp_request_set_input(req, NULL, 0);
	kpp_request_set_output(req, &outsg, outlen);
	init_completion(&compl.completion);
	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
				 CRYPTO_TFM_REQ_MAY_SLEEP,
				 dh_crypto_done, &compl);

	/*
	 * For DH, generate_public_key and generate_shared_secret are
	 * the same calculation
	 */
	ret = crypto_kpp_generate_public_key(req);
	if (ret == -EINPROGRESS) {
		wait_for_completion(&compl.completion);
		ret = compl.err;
		if (ret)
			goto out6;
	}

	if (kdfcopy) {
		/*
		 * Concatenate SP800-56A otherinfo past DH shared secret -- the
		 * input to the KDF is (DH shared secret || otherinfo)
		 */
		if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
				   kdfcopy->otherinfolen) != 0) {
			ret = -EFAULT;
			goto out6;
		}

		ret = keyctl_dh_compute_kdf(hash, buffer, buflen, outbuf,
					    req->dst_len + kdfcopy->otherinfolen);
	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
		ret = req->dst_len;
	} else {
		ret = -EFAULT;
	}

out6:
	kpp_request_free(req);
out5:
	kfree_sensitive(outbuf);
out4:
	crypto_free_kpp(tfm);
out3:
	kfree_sensitive(secret);
out2:
	dh_free_data(&dh_inputs);
out1:
	kdf_dealloc(hash);
	return ret;
}

long keyctl_dh_compute(struct keyctl_dh_params __user *params,
		       char __user *buffer, size_t buflen,
		       struct keyctl_kdf_params __user *kdf)
{
	struct keyctl_kdf_params kdfcopy;

	if (!kdf)
		return __keyctl_dh_compute(params, buffer, buflen, NULL);

	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
		return -EFAULT;

	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
}
Commit	Line	Data
2874c5fd	1	// SPDX-License-Identifier: GPL-2.0-or-later
ddbb4114 MM	2	/* Crypto operations using stored keys
	3	*
	4	* Copyright (c) 2016, Intel Corporation
ddbb4114 MM	5	*/
ddbb4114 MM	6
ddbb4114 MM	7	#include <linux/slab.h>
ddbb4114 MM	8	#include <linux/uaccess.h>
7cbe0932	9	#include <linux/scatterlist.h>
f1c316a3 SM	10	#include <linux/crypto.h>
f1c316a3 SM	11	#include <crypto/hash.h>
7cbe0932 MM	12	#include <crypto/kpp.h>
7cbe0932 MM	13	#include <crypto/dh.h>
d3b04a43	14	#include <crypto/kdf_sp800108.h>
ddbb4114 MM	15	#include <keys/user-type.h>
	16	#include "internal.h"
	17
215bebc8	18	static ssize_t dh_data_from_key(key_serial_t keyid, const void **data)
ddbb4114 MM	19	{
	20	struct key *key;
	21	key_ref_t key_ref;
	22	long status;
	23	ssize_t ret;
	24
	25	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	26	if (IS_ERR(key_ref)) {
	27	ret = -ENOKEY;
	28	goto error;
	29	}
	30
	31	key = key_ref_to_ptr(key_ref);
	32
	33	ret = -EOPNOTSUPP;
	34	if (key->type == &key_type_user) {
	35	down_read(&key->sem);
	36	status = key_validate(key);
	37	if (status == 0) {
	38	const struct user_key_payload *payload;
7cbe0932	39	uint8_t *duplicate;
ddbb4114	40
0837e49a	41	payload = user_key_payload_locked(key);
ddbb4114	42
7cbe0932 MM	43	duplicate = kmemdup(payload->data, payload->datalen,
	44	GFP_KERNEL);
	45	if (duplicate) {
	46	*data = duplicate;
ddbb4114	47	ret = payload->datalen;
ddbb4114	48	} else {
7cbe0932	49	ret = -ENOMEM;
ddbb4114 MM	50	}
	51	}
	52	up_read(&key->sem);
	53	}
	54
	55	key_put(key);
	56	error:
	57	return ret;
	58	}
	59
7cbe0932 MM	60	static void dh_free_data(struct dh *dh)
7cbe0932 MM	61	{
453431a5 WL	62	kfree_sensitive(dh->key);
	63	kfree_sensitive(dh->p);
	64	kfree_sensitive(dh->g);
7cbe0932 MM	65	}
	66
	67	struct dh_completion {
	68	struct completion completion;
	69	int err;
	70	};
	71
	72	static void dh_crypto_done(struct crypto_async_request *req, int err)
	73	{
	74	struct dh_completion *compl = req->data;
	75
	76	if (err == -EINPROGRESS)
	77	return;
	78
	79	compl->err = err;
	80	complete(&compl->completion);
	81	}
	82
d3b04a43	83	static int kdf_alloc(struct crypto_shash *hash, char hashname)
f1c316a3 SM	84	{
f1c316a3 SM	85	struct crypto_shash *tfm;
f1c316a3 SM	86
	87	/* allocate synchronous hash */
	88	tfm = crypto_alloc_shash(hashname, 0, 0);
	89	if (IS_ERR(tfm)) {
	90	pr_info("could not allocate digest TFM handle %s\n", hashname);
	91	return PTR_ERR(tfm);
	92	}
	93
d3b04a43 SM	94	if (crypto_shash_digestsize(tfm) == 0) {
	95	crypto_free_shash(tfm);
	96	return -EINVAL;
	97	}
f1c316a3	98
d3b04a43	99	*hash = tfm;
f1c316a3 SM	100
	101	return 0;
	102	}
	103
d3b04a43	104	static void kdf_dealloc(struct crypto_shash *hash)
f1c316a3	105	{
d3b04a43 SM	106	if (hash)
d3b04a43 SM	107	crypto_free_shash(hash);
f1c316a3 SM	108	}
f1c316a3 SM	109
d3b04a43	110	static int keyctl_dh_compute_kdf(struct crypto_shash *hash,
f1c316a3	111	char __user *buffer, size_t buflen,
d7921344	112	uint8_t *kbuf, size_t kbuflen)
f1c316a3	113	{
d3b04a43	114	struct kvec kbuf_iov = { .iov_base = kbuf, .iov_len = kbuflen };
f1c316a3 SM	115	uint8_t *outbuf = NULL;
f1c316a3 SM	116	int ret;
d3b04a43	117	size_t outbuf_len = roundup(buflen, crypto_shash_digestsize(hash));
f1c316a3	118
383203ef	119	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
f1c316a3 SM	120	if (!outbuf) {
	121	ret = -ENOMEM;
	122	goto err;
	123	}
	124
d3b04a43	125	ret = crypto_kdf108_ctr_generate(hash, &kbuf_iov, 1, outbuf, outbuf_len);
f1c316a3 SM	126	if (ret)
	127	goto err;
	128
	129	ret = buflen;
	130	if (copy_to_user(buffer, outbuf, buflen) != 0)
	131	ret = -EFAULT;
	132
	133	err:
453431a5	134	kfree_sensitive(outbuf);
f1c316a3 SM	135	return ret;
	136	}
	137
	138	long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
	139	char __user *buffer, size_t buflen,
	140	struct keyctl_kdf_params *kdfcopy)
ddbb4114 MM	141	{
ddbb4114 MM	142	long ret;
7cbe0932 MM	143	ssize_t dlen;
	144	int secretlen;
	145	int outlen;
ddbb4114	146	struct keyctl_dh_params pcopy;
7cbe0932 MM	147	struct dh dh_inputs;
	148	struct scatterlist outsg;
	149	struct dh_completion compl;
	150	struct crypto_kpp *tfm;
	151	struct kpp_request *req;
	152	uint8_t *secret;
	153	uint8_t *outbuf;
d3b04a43	154	struct crypto_shash *hash = NULL;
ddbb4114 MM	155
	156	if (!params \|\| (!buffer && buflen)) {
	157	ret = -EINVAL;
7cbe0932	158	goto out1;
ddbb4114 MM	159	}
	160	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
	161	ret = -EFAULT;
7cbe0932	162	goto out1;
ddbb4114 MM	163	}
ddbb4114 MM	164
f1c316a3 SM	165	if (kdfcopy) {
	166	char *hashname;
	167
4f9dabfa EB	168	if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
	169	ret = -EINVAL;
	170	goto out1;
	171	}
	172
f1c316a3 SM	173	if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN \|\|
	174	kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
	175	ret = -EMSGSIZE;
7cbe0932	176	goto out1;
f1c316a3 SM	177	}
	178
	179	/* get KDF name string */
	180	hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
	181	if (IS_ERR(hashname)) {
	182	ret = PTR_ERR(hashname);
7cbe0932	183	goto out1;
f1c316a3 SM	184	}
	185
	186	/* allocate KDF from the kernel crypto API */
d3b04a43	187	ret = kdf_alloc(&hash, hashname);
f1c316a3 SM	188	kfree(hashname);
f1c316a3 SM	189	if (ret)
7cbe0932	190	goto out1;
4693fc73 SM	191	}
4693fc73 SM	192
7cbe0932 MM	193	memset(&dh_inputs, 0, sizeof(dh_inputs));
	194
	195	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	196	if (dlen < 0) {
	197	ret = dlen;
	198	goto out1;
ddbb4114	199	}
7cbe0932	200	dh_inputs.p_size = dlen;
ddbb4114	201
7cbe0932 MM	202	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	203	if (dlen < 0) {
	204	ret = dlen;
	205	goto out2;
	206	}
	207	dh_inputs.g_size = dlen;
ddbb4114	208
8c0f9f5b	209	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
7cbe0932 MM	210	if (dlen < 0) {
	211	ret = dlen;
	212	goto out2;
ddbb4114	213	}
7cbe0932	214	dh_inputs.key_size = dlen;
ddbb4114	215
7cbe0932 MM	216	secretlen = crypto_dh_key_len(&dh_inputs);
	217	secret = kmalloc(secretlen, GFP_KERNEL);
	218	if (!secret) {
	219	ret = -ENOMEM;
	220	goto out2;
	221	}
	222	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	223	if (ret)
	224	goto out3;
	225
85d7311f	226	tfm = crypto_alloc_kpp("dh", 0, 0);
7cbe0932 MM	227	if (IS_ERR(tfm)) {
	228	ret = PTR_ERR(tfm);
	229	goto out3;
	230	}
	231
	232	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	233	if (ret)
	234	goto out4;
	235
	236	outlen = crypto_kpp_maxsize(tfm);
	237
	238	if (!kdfcopy) {
	239	/*
	240	* When not using a KDF, buflen 0 is used to read the
	241	* required buffer length
	242	*/
	243	if (buflen == 0) {
	244	ret = outlen;
	245	goto out4;
	246	} else if (outlen > buflen) {
	247	ret = -EOVERFLOW;
	248	goto out4;
	249	}
ddbb4114 MM	250	}
ddbb4114 MM	251
7cbe0932 MM	252	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
	253	GFP_KERNEL);
	254	if (!outbuf) {
ddbb4114	255	ret = -ENOMEM;
7cbe0932	256	goto out4;
ddbb4114 MM	257	}
ddbb4114 MM	258
7cbe0932 MM	259	sg_init_one(&outsg, outbuf, outlen);
	260
	261	req = kpp_request_alloc(tfm, GFP_KERNEL);
	262	if (!req) {
ddbb4114	263	ret = -ENOMEM;
7cbe0932	264	goto out5;
ddbb4114 MM	265	}
ddbb4114 MM	266
7cbe0932 MM	267	kpp_request_set_input(req, NULL, 0);
	268	kpp_request_set_output(req, &outsg, outlen);
	269	init_completion(&compl.completion);
	270	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG \|
	271	CRYPTO_TFM_REQ_MAY_SLEEP,
	272	dh_crypto_done, &compl);
	273
f1c316a3	274	/*
7cbe0932 MM	275	* For DH, generate_public_key and generate_shared_secret are
7cbe0932 MM	276	* the same calculation
f1c316a3	277	*/
7cbe0932 MM	278	ret = crypto_kpp_generate_public_key(req);
	279	if (ret == -EINPROGRESS) {
	280	wait_for_completion(&compl.completion);
	281	ret = compl.err;
	282	if (ret)
	283	goto out6;
f1c316a3 SM	284	}
f1c316a3 SM	285
f1c316a3	286	if (kdfcopy) {
7cbe0932 MM	287	/*
	288	* Concatenate SP800-56A otherinfo past DH shared secret -- the
	289	* input to the KDF is (DH shared secret \|\| otherinfo)
	290	*/
	291	if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
	292	kdfcopy->otherinfolen) != 0) {
f1c316a3	293	ret = -EFAULT;
7cbe0932 MM	294	goto out6;
	295	}
	296
d3b04a43	297	ret = keyctl_dh_compute_kdf(hash, buffer, buflen, outbuf,
d7921344	298	req->dst_len + kdfcopy->otherinfolen);
7cbe0932 MM	299	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
	300	ret = req->dst_len;
	301	} else {
	302	ret = -EFAULT;
f1c316a3	303	}
ddbb4114	304
7cbe0932 MM	305	out6:
	306	kpp_request_free(req);
	307	out5:
453431a5	308	kfree_sensitive(outbuf);
7cbe0932 MM	309	out4:
	310	crypto_free_kpp(tfm);
	311	out3:
453431a5	312	kfree_sensitive(secret);
7cbe0932 MM	313	out2:
	314	dh_free_data(&dh_inputs);
	315	out1:
d3b04a43	316	kdf_dealloc(hash);
ddbb4114 MM	317	return ret;
ddbb4114 MM	318	}
f1c316a3 SM	319
	320	long keyctl_dh_compute(struct keyctl_dh_params __user *params,
	321	char __user *buffer, size_t buflen,
	322	struct keyctl_kdf_params __user *kdf)
	323	{
	324	struct keyctl_kdf_params kdfcopy;
	325
	326	if (!kdf)
	327	return __keyctl_dh_compute(params, buffer, buflen, NULL);
	328
	329	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
	330	return -EFAULT;
	331
	332	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
	333	}