Commit | Line | Data |
---|---|---|
2874c5fd | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
ddbb4114 MM |
2 | /* Crypto operations using stored keys |
3 | * | |
4 | * Copyright (c) 2016, Intel Corporation | |
ddbb4114 MM |
5 | */ |
6 | ||
ddbb4114 MM |
7 | #include <linux/slab.h> |
8 | #include <linux/uaccess.h> | |
7cbe0932 | 9 | #include <linux/scatterlist.h> |
f1c316a3 SM |
10 | #include <linux/crypto.h> |
11 | #include <crypto/hash.h> | |
7cbe0932 MM |
12 | #include <crypto/kpp.h> |
13 | #include <crypto/dh.h> | |
d3b04a43 | 14 | #include <crypto/kdf_sp800108.h> |
ddbb4114 MM |
15 | #include <keys/user-type.h> |
16 | #include "internal.h" | |
17 | ||
215bebc8 | 18 | static ssize_t dh_data_from_key(key_serial_t keyid, const void **data) |
ddbb4114 MM |
19 | { |
20 | struct key *key; | |
21 | key_ref_t key_ref; | |
22 | long status; | |
23 | ssize_t ret; | |
24 | ||
25 | key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ); | |
26 | if (IS_ERR(key_ref)) { | |
27 | ret = -ENOKEY; | |
28 | goto error; | |
29 | } | |
30 | ||
31 | key = key_ref_to_ptr(key_ref); | |
32 | ||
33 | ret = -EOPNOTSUPP; | |
34 | if (key->type == &key_type_user) { | |
35 | down_read(&key->sem); | |
36 | status = key_validate(key); | |
37 | if (status == 0) { | |
38 | const struct user_key_payload *payload; | |
7cbe0932 | 39 | uint8_t *duplicate; |
ddbb4114 | 40 | |
0837e49a | 41 | payload = user_key_payload_locked(key); |
ddbb4114 | 42 | |
7cbe0932 MM |
43 | duplicate = kmemdup(payload->data, payload->datalen, |
44 | GFP_KERNEL); | |
45 | if (duplicate) { | |
46 | *data = duplicate; | |
ddbb4114 | 47 | ret = payload->datalen; |
ddbb4114 | 48 | } else { |
7cbe0932 | 49 | ret = -ENOMEM; |
ddbb4114 MM |
50 | } |
51 | } | |
52 | up_read(&key->sem); | |
53 | } | |
54 | ||
55 | key_put(key); | |
56 | error: | |
57 | return ret; | |
58 | } | |
59 | ||
7cbe0932 MM |
60 | static void dh_free_data(struct dh *dh) |
61 | { | |
453431a5 WL |
62 | kfree_sensitive(dh->key); |
63 | kfree_sensitive(dh->p); | |
64 | kfree_sensitive(dh->g); | |
7cbe0932 MM |
65 | } |
66 | ||
67 | struct dh_completion { | |
68 | struct completion completion; | |
69 | int err; | |
70 | }; | |
71 | ||
72 | static void dh_crypto_done(struct crypto_async_request *req, int err) | |
73 | { | |
74 | struct dh_completion *compl = req->data; | |
75 | ||
76 | if (err == -EINPROGRESS) | |
77 | return; | |
78 | ||
79 | compl->err = err; | |
80 | complete(&compl->completion); | |
81 | } | |
82 | ||
d3b04a43 | 83 | static int kdf_alloc(struct crypto_shash **hash, char *hashname) |
f1c316a3 SM |
84 | { |
85 | struct crypto_shash *tfm; | |
f1c316a3 SM |
86 | |
87 | /* allocate synchronous hash */ | |
88 | tfm = crypto_alloc_shash(hashname, 0, 0); | |
89 | if (IS_ERR(tfm)) { | |
90 | pr_info("could not allocate digest TFM handle %s\n", hashname); | |
91 | return PTR_ERR(tfm); | |
92 | } | |
93 | ||
d3b04a43 SM |
94 | if (crypto_shash_digestsize(tfm) == 0) { |
95 | crypto_free_shash(tfm); | |
96 | return -EINVAL; | |
97 | } | |
f1c316a3 | 98 | |
d3b04a43 | 99 | *hash = tfm; |
f1c316a3 SM |
100 | |
101 | return 0; | |
102 | } | |
103 | ||
d3b04a43 | 104 | static void kdf_dealloc(struct crypto_shash *hash) |
f1c316a3 | 105 | { |
d3b04a43 SM |
106 | if (hash) |
107 | crypto_free_shash(hash); | |
f1c316a3 SM |
108 | } |
109 | ||
d3b04a43 | 110 | static int keyctl_dh_compute_kdf(struct crypto_shash *hash, |
f1c316a3 | 111 | char __user *buffer, size_t buflen, |
d7921344 | 112 | uint8_t *kbuf, size_t kbuflen) |
f1c316a3 | 113 | { |
d3b04a43 | 114 | struct kvec kbuf_iov = { .iov_base = kbuf, .iov_len = kbuflen }; |
f1c316a3 SM |
115 | uint8_t *outbuf = NULL; |
116 | int ret; | |
d3b04a43 | 117 | size_t outbuf_len = roundup(buflen, crypto_shash_digestsize(hash)); |
f1c316a3 | 118 | |
383203ef | 119 | outbuf = kmalloc(outbuf_len, GFP_KERNEL); |
f1c316a3 SM |
120 | if (!outbuf) { |
121 | ret = -ENOMEM; | |
122 | goto err; | |
123 | } | |
124 | ||
d3b04a43 | 125 | ret = crypto_kdf108_ctr_generate(hash, &kbuf_iov, 1, outbuf, outbuf_len); |
f1c316a3 SM |
126 | if (ret) |
127 | goto err; | |
128 | ||
129 | ret = buflen; | |
130 | if (copy_to_user(buffer, outbuf, buflen) != 0) | |
131 | ret = -EFAULT; | |
132 | ||
133 | err: | |
453431a5 | 134 | kfree_sensitive(outbuf); |
f1c316a3 SM |
135 | return ret; |
136 | } | |
137 | ||
138 | long __keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
139 | char __user *buffer, size_t buflen, | |
140 | struct keyctl_kdf_params *kdfcopy) | |
ddbb4114 MM |
141 | { |
142 | long ret; | |
7cbe0932 MM |
143 | ssize_t dlen; |
144 | int secretlen; | |
145 | int outlen; | |
ddbb4114 | 146 | struct keyctl_dh_params pcopy; |
7cbe0932 MM |
147 | struct dh dh_inputs; |
148 | struct scatterlist outsg; | |
149 | struct dh_completion compl; | |
150 | struct crypto_kpp *tfm; | |
151 | struct kpp_request *req; | |
152 | uint8_t *secret; | |
153 | uint8_t *outbuf; | |
d3b04a43 | 154 | struct crypto_shash *hash = NULL; |
ddbb4114 MM |
155 | |
156 | if (!params || (!buffer && buflen)) { | |
157 | ret = -EINVAL; | |
7cbe0932 | 158 | goto out1; |
ddbb4114 MM |
159 | } |
160 | if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) { | |
161 | ret = -EFAULT; | |
7cbe0932 | 162 | goto out1; |
ddbb4114 MM |
163 | } |
164 | ||
f1c316a3 SM |
165 | if (kdfcopy) { |
166 | char *hashname; | |
167 | ||
4f9dabfa EB |
168 | if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) { |
169 | ret = -EINVAL; | |
170 | goto out1; | |
171 | } | |
172 | ||
f1c316a3 SM |
173 | if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || |
174 | kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { | |
175 | ret = -EMSGSIZE; | |
7cbe0932 | 176 | goto out1; |
f1c316a3 SM |
177 | } |
178 | ||
179 | /* get KDF name string */ | |
180 | hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME); | |
181 | if (IS_ERR(hashname)) { | |
182 | ret = PTR_ERR(hashname); | |
7cbe0932 | 183 | goto out1; |
f1c316a3 SM |
184 | } |
185 | ||
186 | /* allocate KDF from the kernel crypto API */ | |
d3b04a43 | 187 | ret = kdf_alloc(&hash, hashname); |
f1c316a3 SM |
188 | kfree(hashname); |
189 | if (ret) | |
7cbe0932 | 190 | goto out1; |
4693fc73 SM |
191 | } |
192 | ||
7cbe0932 MM |
193 | memset(&dh_inputs, 0, sizeof(dh_inputs)); |
194 | ||
195 | dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p); | |
196 | if (dlen < 0) { | |
197 | ret = dlen; | |
198 | goto out1; | |
ddbb4114 | 199 | } |
7cbe0932 | 200 | dh_inputs.p_size = dlen; |
ddbb4114 | 201 | |
7cbe0932 MM |
202 | dlen = dh_data_from_key(pcopy.base, &dh_inputs.g); |
203 | if (dlen < 0) { | |
204 | ret = dlen; | |
205 | goto out2; | |
206 | } | |
207 | dh_inputs.g_size = dlen; | |
ddbb4114 | 208 | |
8c0f9f5b | 209 | dlen = dh_data_from_key(pcopy.private, &dh_inputs.key); |
7cbe0932 MM |
210 | if (dlen < 0) { |
211 | ret = dlen; | |
212 | goto out2; | |
ddbb4114 | 213 | } |
7cbe0932 | 214 | dh_inputs.key_size = dlen; |
ddbb4114 | 215 | |
7cbe0932 MM |
216 | secretlen = crypto_dh_key_len(&dh_inputs); |
217 | secret = kmalloc(secretlen, GFP_KERNEL); | |
218 | if (!secret) { | |
219 | ret = -ENOMEM; | |
220 | goto out2; | |
221 | } | |
222 | ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs); | |
223 | if (ret) | |
224 | goto out3; | |
225 | ||
85d7311f | 226 | tfm = crypto_alloc_kpp("dh", 0, 0); |
7cbe0932 MM |
227 | if (IS_ERR(tfm)) { |
228 | ret = PTR_ERR(tfm); | |
229 | goto out3; | |
230 | } | |
231 | ||
232 | ret = crypto_kpp_set_secret(tfm, secret, secretlen); | |
233 | if (ret) | |
234 | goto out4; | |
235 | ||
236 | outlen = crypto_kpp_maxsize(tfm); | |
237 | ||
238 | if (!kdfcopy) { | |
239 | /* | |
240 | * When not using a KDF, buflen 0 is used to read the | |
241 | * required buffer length | |
242 | */ | |
243 | if (buflen == 0) { | |
244 | ret = outlen; | |
245 | goto out4; | |
246 | } else if (outlen > buflen) { | |
247 | ret = -EOVERFLOW; | |
248 | goto out4; | |
249 | } | |
ddbb4114 MM |
250 | } |
251 | ||
7cbe0932 MM |
252 | outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen, |
253 | GFP_KERNEL); | |
254 | if (!outbuf) { | |
ddbb4114 | 255 | ret = -ENOMEM; |
7cbe0932 | 256 | goto out4; |
ddbb4114 MM |
257 | } |
258 | ||
7cbe0932 MM |
259 | sg_init_one(&outsg, outbuf, outlen); |
260 | ||
261 | req = kpp_request_alloc(tfm, GFP_KERNEL); | |
262 | if (!req) { | |
ddbb4114 | 263 | ret = -ENOMEM; |
7cbe0932 | 264 | goto out5; |
ddbb4114 MM |
265 | } |
266 | ||
7cbe0932 MM |
267 | kpp_request_set_input(req, NULL, 0); |
268 | kpp_request_set_output(req, &outsg, outlen); | |
269 | init_completion(&compl.completion); | |
270 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
271 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
272 | dh_crypto_done, &compl); | |
273 | ||
f1c316a3 | 274 | /* |
7cbe0932 MM |
275 | * For DH, generate_public_key and generate_shared_secret are |
276 | * the same calculation | |
f1c316a3 | 277 | */ |
7cbe0932 MM |
278 | ret = crypto_kpp_generate_public_key(req); |
279 | if (ret == -EINPROGRESS) { | |
280 | wait_for_completion(&compl.completion); | |
281 | ret = compl.err; | |
282 | if (ret) | |
283 | goto out6; | |
f1c316a3 SM |
284 | } |
285 | ||
f1c316a3 | 286 | if (kdfcopy) { |
7cbe0932 MM |
287 | /* |
288 | * Concatenate SP800-56A otherinfo past DH shared secret -- the | |
289 | * input to the KDF is (DH shared secret || otherinfo) | |
290 | */ | |
291 | if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo, | |
292 | kdfcopy->otherinfolen) != 0) { | |
f1c316a3 | 293 | ret = -EFAULT; |
7cbe0932 MM |
294 | goto out6; |
295 | } | |
296 | ||
d3b04a43 | 297 | ret = keyctl_dh_compute_kdf(hash, buffer, buflen, outbuf, |
d7921344 | 298 | req->dst_len + kdfcopy->otherinfolen); |
7cbe0932 MM |
299 | } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) { |
300 | ret = req->dst_len; | |
301 | } else { | |
302 | ret = -EFAULT; | |
f1c316a3 | 303 | } |
ddbb4114 | 304 | |
7cbe0932 MM |
305 | out6: |
306 | kpp_request_free(req); | |
307 | out5: | |
453431a5 | 308 | kfree_sensitive(outbuf); |
7cbe0932 MM |
309 | out4: |
310 | crypto_free_kpp(tfm); | |
311 | out3: | |
453431a5 | 312 | kfree_sensitive(secret); |
7cbe0932 MM |
313 | out2: |
314 | dh_free_data(&dh_inputs); | |
315 | out1: | |
d3b04a43 | 316 | kdf_dealloc(hash); |
ddbb4114 MM |
317 | return ret; |
318 | } | |
f1c316a3 SM |
319 | |
320 | long keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
321 | char __user *buffer, size_t buflen, | |
322 | struct keyctl_kdf_params __user *kdf) | |
323 | { | |
324 | struct keyctl_kdf_params kdfcopy; | |
325 | ||
326 | if (!kdf) | |
327 | return __keyctl_dh_compute(params, buffer, buflen, NULL); | |
328 | ||
329 | if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0) | |
330 | return -EFAULT; | |
331 | ||
332 | return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); | |
333 | } |