Commit | Line | Data |
---|---|---|
2874c5fd | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
ddbb4114 MM |
2 | /* Crypto operations using stored keys |
3 | * | |
4 | * Copyright (c) 2016, Intel Corporation | |
ddbb4114 MM |
5 | */ |
6 | ||
ddbb4114 MM |
7 | #include <linux/slab.h> |
8 | #include <linux/uaccess.h> | |
7cbe0932 | 9 | #include <linux/scatterlist.h> |
f1c316a3 SM |
10 | #include <linux/crypto.h> |
11 | #include <crypto/hash.h> | |
7cbe0932 MM |
12 | #include <crypto/kpp.h> |
13 | #include <crypto/dh.h> | |
ddbb4114 MM |
14 | #include <keys/user-type.h> |
15 | #include "internal.h" | |
16 | ||
7cbe0932 | 17 | static ssize_t dh_data_from_key(key_serial_t keyid, void **data) |
ddbb4114 MM |
18 | { |
19 | struct key *key; | |
20 | key_ref_t key_ref; | |
21 | long status; | |
22 | ssize_t ret; | |
23 | ||
24 | key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ); | |
25 | if (IS_ERR(key_ref)) { | |
26 | ret = -ENOKEY; | |
27 | goto error; | |
28 | } | |
29 | ||
30 | key = key_ref_to_ptr(key_ref); | |
31 | ||
32 | ret = -EOPNOTSUPP; | |
33 | if (key->type == &key_type_user) { | |
34 | down_read(&key->sem); | |
35 | status = key_validate(key); | |
36 | if (status == 0) { | |
37 | const struct user_key_payload *payload; | |
7cbe0932 | 38 | uint8_t *duplicate; |
ddbb4114 | 39 | |
0837e49a | 40 | payload = user_key_payload_locked(key); |
ddbb4114 | 41 | |
7cbe0932 MM |
42 | duplicate = kmemdup(payload->data, payload->datalen, |
43 | GFP_KERNEL); | |
44 | if (duplicate) { | |
45 | *data = duplicate; | |
ddbb4114 | 46 | ret = payload->datalen; |
ddbb4114 | 47 | } else { |
7cbe0932 | 48 | ret = -ENOMEM; |
ddbb4114 MM |
49 | } |
50 | } | |
51 | up_read(&key->sem); | |
52 | } | |
53 | ||
54 | key_put(key); | |
55 | error: | |
56 | return ret; | |
57 | } | |
58 | ||
7cbe0932 MM |
59 | static void dh_free_data(struct dh *dh) |
60 | { | |
453431a5 WL |
61 | kfree_sensitive(dh->key); |
62 | kfree_sensitive(dh->p); | |
63 | kfree_sensitive(dh->g); | |
7cbe0932 MM |
64 | } |
65 | ||
66 | struct dh_completion { | |
67 | struct completion completion; | |
68 | int err; | |
69 | }; | |
70 | ||
71 | static void dh_crypto_done(struct crypto_async_request *req, int err) | |
72 | { | |
73 | struct dh_completion *compl = req->data; | |
74 | ||
75 | if (err == -EINPROGRESS) | |
76 | return; | |
77 | ||
78 | compl->err = err; | |
79 | complete(&compl->completion); | |
80 | } | |
81 | ||
f1c316a3 SM |
82 | struct kdf_sdesc { |
83 | struct shash_desc shash; | |
84 | char ctx[]; | |
85 | }; | |
86 | ||
87 | static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname) | |
88 | { | |
89 | struct crypto_shash *tfm; | |
90 | struct kdf_sdesc *sdesc; | |
91 | int size; | |
bbe24045 | 92 | int err; |
f1c316a3 SM |
93 | |
94 | /* allocate synchronous hash */ | |
95 | tfm = crypto_alloc_shash(hashname, 0, 0); | |
96 | if (IS_ERR(tfm)) { | |
97 | pr_info("could not allocate digest TFM handle %s\n", hashname); | |
98 | return PTR_ERR(tfm); | |
99 | } | |
100 | ||
bbe24045 EB |
101 | err = -EINVAL; |
102 | if (crypto_shash_digestsize(tfm) == 0) | |
103 | goto out_free_tfm; | |
104 | ||
105 | err = -ENOMEM; | |
f1c316a3 SM |
106 | size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm); |
107 | sdesc = kmalloc(size, GFP_KERNEL); | |
108 | if (!sdesc) | |
bbe24045 | 109 | goto out_free_tfm; |
f1c316a3 | 110 | sdesc->shash.tfm = tfm; |
f1c316a3 SM |
111 | |
112 | *sdesc_ret = sdesc; | |
113 | ||
114 | return 0; | |
bbe24045 EB |
115 | |
116 | out_free_tfm: | |
117 | crypto_free_shash(tfm); | |
118 | return err; | |
f1c316a3 SM |
119 | } |
120 | ||
121 | static void kdf_dealloc(struct kdf_sdesc *sdesc) | |
122 | { | |
123 | if (!sdesc) | |
124 | return; | |
125 | ||
126 | if (sdesc->shash.tfm) | |
127 | crypto_free_shash(sdesc->shash.tfm); | |
128 | ||
453431a5 | 129 | kfree_sensitive(sdesc); |
f1c316a3 SM |
130 | } |
131 | ||
f1c316a3 SM |
132 | /* |
133 | * Implementation of the KDF in counter mode according to SP800-108 section 5.1 | |
134 | * as well as SP800-56A section 5.8.1 (Single-step KDF). | |
135 | * | |
136 | * SP800-56A: | |
137 | * The src pointer is defined as Z || other info where Z is the shared secret | |
138 | * from DH and other info is an arbitrary string (see SP800-56A section | |
139 | * 5.8.1.2). | |
3619dec5 EB |
140 | * |
141 | * 'dlen' must be a multiple of the digest size. | |
f1c316a3 SM |
142 | */ |
143 | static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, | |
d7921344 | 144 | u8 *dst, unsigned int dlen) |
f1c316a3 SM |
145 | { |
146 | struct shash_desc *desc = &sdesc->shash; | |
147 | unsigned int h = crypto_shash_digestsize(desc->tfm); | |
148 | int err = 0; | |
149 | u8 *dst_orig = dst; | |
0ddd9f1a | 150 | __be32 counter = cpu_to_be32(1); |
f1c316a3 SM |
151 | |
152 | while (dlen) { | |
153 | err = crypto_shash_init(desc); | |
154 | if (err) | |
155 | goto err; | |
156 | ||
0ddd9f1a | 157 | err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32)); |
f1c316a3 SM |
158 | if (err) |
159 | goto err; | |
160 | ||
161 | if (src && slen) { | |
162 | err = crypto_shash_update(desc, src, slen); | |
163 | if (err) | |
164 | goto err; | |
165 | } | |
166 | ||
383203ef TA |
167 | err = crypto_shash_final(desc, dst); |
168 | if (err) | |
169 | goto err; | |
f1c316a3 | 170 | |
383203ef TA |
171 | dlen -= h; |
172 | dst += h; | |
173 | counter = cpu_to_be32(be32_to_cpu(counter) + 1); | |
f1c316a3 SM |
174 | } |
175 | ||
176 | return 0; | |
177 | ||
178 | err: | |
179 | memzero_explicit(dst_orig, dlen); | |
180 | return err; | |
181 | } | |
182 | ||
183 | static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, | |
184 | char __user *buffer, size_t buflen, | |
d7921344 | 185 | uint8_t *kbuf, size_t kbuflen) |
f1c316a3 SM |
186 | { |
187 | uint8_t *outbuf = NULL; | |
188 | int ret; | |
3619dec5 EB |
189 | size_t outbuf_len = roundup(buflen, |
190 | crypto_shash_digestsize(sdesc->shash.tfm)); | |
f1c316a3 | 191 | |
383203ef | 192 | outbuf = kmalloc(outbuf_len, GFP_KERNEL); |
f1c316a3 SM |
193 | if (!outbuf) { |
194 | ret = -ENOMEM; | |
195 | goto err; | |
196 | } | |
197 | ||
d7921344 | 198 | ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len); |
f1c316a3 SM |
199 | if (ret) |
200 | goto err; | |
201 | ||
202 | ret = buflen; | |
203 | if (copy_to_user(buffer, outbuf, buflen) != 0) | |
204 | ret = -EFAULT; | |
205 | ||
206 | err: | |
453431a5 | 207 | kfree_sensitive(outbuf); |
f1c316a3 SM |
208 | return ret; |
209 | } | |
210 | ||
211 | long __keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
212 | char __user *buffer, size_t buflen, | |
213 | struct keyctl_kdf_params *kdfcopy) | |
ddbb4114 MM |
214 | { |
215 | long ret; | |
7cbe0932 MM |
216 | ssize_t dlen; |
217 | int secretlen; | |
218 | int outlen; | |
ddbb4114 | 219 | struct keyctl_dh_params pcopy; |
7cbe0932 MM |
220 | struct dh dh_inputs; |
221 | struct scatterlist outsg; | |
222 | struct dh_completion compl; | |
223 | struct crypto_kpp *tfm; | |
224 | struct kpp_request *req; | |
225 | uint8_t *secret; | |
226 | uint8_t *outbuf; | |
f1c316a3 | 227 | struct kdf_sdesc *sdesc = NULL; |
ddbb4114 MM |
228 | |
229 | if (!params || (!buffer && buflen)) { | |
230 | ret = -EINVAL; | |
7cbe0932 | 231 | goto out1; |
ddbb4114 MM |
232 | } |
233 | if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) { | |
234 | ret = -EFAULT; | |
7cbe0932 | 235 | goto out1; |
ddbb4114 MM |
236 | } |
237 | ||
f1c316a3 SM |
238 | if (kdfcopy) { |
239 | char *hashname; | |
240 | ||
4f9dabfa EB |
241 | if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) { |
242 | ret = -EINVAL; | |
243 | goto out1; | |
244 | } | |
245 | ||
f1c316a3 SM |
246 | if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || |
247 | kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { | |
248 | ret = -EMSGSIZE; | |
7cbe0932 | 249 | goto out1; |
f1c316a3 SM |
250 | } |
251 | ||
252 | /* get KDF name string */ | |
253 | hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME); | |
254 | if (IS_ERR(hashname)) { | |
255 | ret = PTR_ERR(hashname); | |
7cbe0932 | 256 | goto out1; |
f1c316a3 SM |
257 | } |
258 | ||
259 | /* allocate KDF from the kernel crypto API */ | |
260 | ret = kdf_alloc(&sdesc, hashname); | |
261 | kfree(hashname); | |
262 | if (ret) | |
7cbe0932 | 263 | goto out1; |
4693fc73 SM |
264 | } |
265 | ||
7cbe0932 MM |
266 | memset(&dh_inputs, 0, sizeof(dh_inputs)); |
267 | ||
268 | dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p); | |
269 | if (dlen < 0) { | |
270 | ret = dlen; | |
271 | goto out1; | |
ddbb4114 | 272 | } |
7cbe0932 | 273 | dh_inputs.p_size = dlen; |
ddbb4114 | 274 | |
7cbe0932 MM |
275 | dlen = dh_data_from_key(pcopy.base, &dh_inputs.g); |
276 | if (dlen < 0) { | |
277 | ret = dlen; | |
278 | goto out2; | |
279 | } | |
280 | dh_inputs.g_size = dlen; | |
ddbb4114 | 281 | |
8c0f9f5b | 282 | dlen = dh_data_from_key(pcopy.private, &dh_inputs.key); |
7cbe0932 MM |
283 | if (dlen < 0) { |
284 | ret = dlen; | |
285 | goto out2; | |
ddbb4114 | 286 | } |
7cbe0932 | 287 | dh_inputs.key_size = dlen; |
ddbb4114 | 288 | |
7cbe0932 MM |
289 | secretlen = crypto_dh_key_len(&dh_inputs); |
290 | secret = kmalloc(secretlen, GFP_KERNEL); | |
291 | if (!secret) { | |
292 | ret = -ENOMEM; | |
293 | goto out2; | |
294 | } | |
295 | ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs); | |
296 | if (ret) | |
297 | goto out3; | |
298 | ||
85d7311f | 299 | tfm = crypto_alloc_kpp("dh", 0, 0); |
7cbe0932 MM |
300 | if (IS_ERR(tfm)) { |
301 | ret = PTR_ERR(tfm); | |
302 | goto out3; | |
303 | } | |
304 | ||
305 | ret = crypto_kpp_set_secret(tfm, secret, secretlen); | |
306 | if (ret) | |
307 | goto out4; | |
308 | ||
309 | outlen = crypto_kpp_maxsize(tfm); | |
310 | ||
311 | if (!kdfcopy) { | |
312 | /* | |
313 | * When not using a KDF, buflen 0 is used to read the | |
314 | * required buffer length | |
315 | */ | |
316 | if (buflen == 0) { | |
317 | ret = outlen; | |
318 | goto out4; | |
319 | } else if (outlen > buflen) { | |
320 | ret = -EOVERFLOW; | |
321 | goto out4; | |
322 | } | |
ddbb4114 MM |
323 | } |
324 | ||
7cbe0932 MM |
325 | outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen, |
326 | GFP_KERNEL); | |
327 | if (!outbuf) { | |
ddbb4114 | 328 | ret = -ENOMEM; |
7cbe0932 | 329 | goto out4; |
ddbb4114 MM |
330 | } |
331 | ||
7cbe0932 MM |
332 | sg_init_one(&outsg, outbuf, outlen); |
333 | ||
334 | req = kpp_request_alloc(tfm, GFP_KERNEL); | |
335 | if (!req) { | |
ddbb4114 | 336 | ret = -ENOMEM; |
7cbe0932 | 337 | goto out5; |
ddbb4114 MM |
338 | } |
339 | ||
7cbe0932 MM |
340 | kpp_request_set_input(req, NULL, 0); |
341 | kpp_request_set_output(req, &outsg, outlen); | |
342 | init_completion(&compl.completion); | |
343 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
344 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
345 | dh_crypto_done, &compl); | |
346 | ||
f1c316a3 | 347 | /* |
7cbe0932 MM |
348 | * For DH, generate_public_key and generate_shared_secret are |
349 | * the same calculation | |
f1c316a3 | 350 | */ |
7cbe0932 MM |
351 | ret = crypto_kpp_generate_public_key(req); |
352 | if (ret == -EINPROGRESS) { | |
353 | wait_for_completion(&compl.completion); | |
354 | ret = compl.err; | |
355 | if (ret) | |
356 | goto out6; | |
f1c316a3 SM |
357 | } |
358 | ||
f1c316a3 | 359 | if (kdfcopy) { |
7cbe0932 MM |
360 | /* |
361 | * Concatenate SP800-56A otherinfo past DH shared secret -- the | |
362 | * input to the KDF is (DH shared secret || otherinfo) | |
363 | */ | |
364 | if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo, | |
365 | kdfcopy->otherinfolen) != 0) { | |
f1c316a3 | 366 | ret = -EFAULT; |
7cbe0932 MM |
367 | goto out6; |
368 | } | |
369 | ||
370 | ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf, | |
d7921344 | 371 | req->dst_len + kdfcopy->otherinfolen); |
7cbe0932 MM |
372 | } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) { |
373 | ret = req->dst_len; | |
374 | } else { | |
375 | ret = -EFAULT; | |
f1c316a3 | 376 | } |
ddbb4114 | 377 | |
7cbe0932 MM |
378 | out6: |
379 | kpp_request_free(req); | |
380 | out5: | |
453431a5 | 381 | kfree_sensitive(outbuf); |
7cbe0932 MM |
382 | out4: |
383 | crypto_free_kpp(tfm); | |
384 | out3: | |
453431a5 | 385 | kfree_sensitive(secret); |
7cbe0932 MM |
386 | out2: |
387 | dh_free_data(&dh_inputs); | |
388 | out1: | |
f1c316a3 | 389 | kdf_dealloc(sdesc); |
ddbb4114 MM |
390 | return ret; |
391 | } | |
f1c316a3 SM |
392 | |
393 | long keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
394 | char __user *buffer, size_t buflen, | |
395 | struct keyctl_kdf_params __user *kdf) | |
396 | { | |
397 | struct keyctl_kdf_params kdfcopy; | |
398 | ||
399 | if (!kdf) | |
400 | return __keyctl_dh_compute(params, buffer, buflen, NULL); | |
401 | ||
402 | if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0) | |
403 | return -EFAULT; | |
404 | ||
405 | return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); | |
406 | } |