[linux-2.6-block.git] / security / keys / dh.c

// SPDX-License-Identifier: GPL-2.0-or-later
/* Crypto operations using stored keys
 *
 * Copyright (c) 2016, Intel Corporation
 */

#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/scatterlist.h>
#include <linux/crypto.h>
#include <crypto/hash.h>
#include <crypto/kpp.h>
#include <crypto/dh.h>
#include <keys/user-type.h>
#include "internal.h"

static ssize_t dh_data_from_key(key_serial_t keyid, void **data)
{
	struct key *key;
	key_ref_t key_ref;
	long status;
	ssize_t ret;

	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	if (IS_ERR(key_ref)) {
		ret = -ENOKEY;
		goto error;
	}

	key = key_ref_to_ptr(key_ref);

	ret = -EOPNOTSUPP;
	if (key->type == &key_type_user) {
		down_read(&key->sem);
		status = key_validate(key);
		if (status == 0) {
			const struct user_key_payload *payload;
			uint8_t *duplicate;

			payload = user_key_payload_locked(key);

			duplicate = kmemdup(payload->data, payload->datalen,
					    GFP_KERNEL);
			if (duplicate) {
				*data = duplicate;
				ret = payload->datalen;
			} else {
				ret = -ENOMEM;
			}
		}
		up_read(&key->sem);
	}

	key_put(key);
error:
	return ret;
}

static void dh_free_data(struct dh *dh)
{
	kfree_sensitive(dh->key);
	kfree_sensitive(dh->p);
	kfree_sensitive(dh->g);
}

struct dh_completion {
	struct completion completion;
	int err;
};

static void dh_crypto_done(struct crypto_async_request *req, int err)
{
	struct dh_completion *compl = req->data;

	if (err == -EINPROGRESS)
		return;

	compl->err = err;
	complete(&compl->completion);
}

struct kdf_sdesc {
	struct shash_desc shash;
	char ctx[];
};

static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
{
	struct crypto_shash *tfm;
	struct kdf_sdesc *sdesc;
	int size;
	int err;

	/* allocate synchronous hash */
	tfm = crypto_alloc_shash(hashname, 0, 0);
	if (IS_ERR(tfm)) {
		pr_info("could not allocate digest TFM handle %s\n", hashname);
		return PTR_ERR(tfm);
	}

	err = -EINVAL;
	if (crypto_shash_digestsize(tfm) == 0)
		goto out_free_tfm;

	err = -ENOMEM;
	size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
	sdesc = kmalloc(size, GFP_KERNEL);
	if (!sdesc)
		goto out_free_tfm;
	sdesc->shash.tfm = tfm;

	*sdesc_ret = sdesc;

	return 0;

out_free_tfm:
	crypto_free_shash(tfm);
	return err;
}

static void kdf_dealloc(struct kdf_sdesc *sdesc)
{
	if (!sdesc)
		return;

	if (sdesc->shash.tfm)
		crypto_free_shash(sdesc->shash.tfm);

	kfree_sensitive(sdesc);
}

/*
 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
 * as well as SP800-56A section 5.8.1 (Single-step KDF).
 *
 * SP800-56A:
 * The src pointer is defined as Z || other info where Z is the shared secret
 * from DH and other info is an arbitrary string (see SP800-56A section
 * 5.8.1.2).
 *
 * 'dlen' must be a multiple of the digest size.
 */
static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
		   u8 *dst, unsigned int dlen)
{
	struct shash_desc *desc = &sdesc->shash;
	unsigned int h = crypto_shash_digestsize(desc->tfm);
	int err = 0;
	u8 *dst_orig = dst;
	__be32 counter = cpu_to_be32(1);

	while (dlen) {
		err = crypto_shash_init(desc);
		if (err)
			goto err;

		err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
		if (err)
			goto err;

		if (src && slen) {
			err = crypto_shash_update(desc, src, slen);
			if (err)
				goto err;
		}

		err = crypto_shash_final(desc, dst);
		if (err)
			goto err;

		dlen -= h;
		dst += h;
		counter = cpu_to_be32(be32_to_cpu(counter) + 1);
	}

	return 0;

err:
	memzero_explicit(dst_orig, dlen);
	return err;
}

static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
				 char __user *buffer, size_t buflen,
				 uint8_t *kbuf, size_t kbuflen)
{
	uint8_t *outbuf = NULL;
	int ret;
	size_t outbuf_len = roundup(buflen,
				    crypto_shash_digestsize(sdesc->shash.tfm));

	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto err;
	}

	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len);
	if (ret)
		goto err;

	ret = buflen;
	if (copy_to_user(buffer, outbuf, buflen) != 0)
		ret = -EFAULT;

err:
	kfree_sensitive(outbuf);
	return ret;
}

long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
			 char __user *buffer, size_t buflen,
			 struct keyctl_kdf_params *kdfcopy)
{
	long ret;
	ssize_t dlen;
	int secretlen;
	int outlen;
	struct keyctl_dh_params pcopy;
	struct dh dh_inputs;
	struct scatterlist outsg;
	struct dh_completion compl;
	struct crypto_kpp *tfm;
	struct kpp_request *req;
	uint8_t *secret;
	uint8_t *outbuf;
	struct kdf_sdesc *sdesc = NULL;

	if (!params || (!buffer && buflen)) {
		ret = -EINVAL;
		goto out1;
	}
	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
		ret = -EFAULT;
		goto out1;
	}

	if (kdfcopy) {
		char *hashname;

		if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
			ret = -EINVAL;
			goto out1;
		}

		if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
		    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
			ret = -EMSGSIZE;
			goto out1;
		}

		/* get KDF name string */
		hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
		if (IS_ERR(hashname)) {
			ret = PTR_ERR(hashname);
			goto out1;
		}

		/* allocate KDF from the kernel crypto API */
		ret = kdf_alloc(&sdesc, hashname);
		kfree(hashname);
		if (ret)
			goto out1;
	}

	memset(&dh_inputs, 0, sizeof(dh_inputs));

	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	if (dlen < 0) {
		ret = dlen;
		goto out1;
	}
	dh_inputs.p_size = dlen;

	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.g_size = dlen;

	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.key_size = dlen;

	secretlen = crypto_dh_key_len(&dh_inputs);
	secret = kmalloc(secretlen, GFP_KERNEL);
	if (!secret) {
		ret = -ENOMEM;
		goto out2;
	}
	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	if (ret)
		goto out3;

	tfm = crypto_alloc_kpp("dh", 0, 0);
	if (IS_ERR(tfm)) {
		ret = PTR_ERR(tfm);
		goto out3;
	}

	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	if (ret)
		goto out4;

	outlen = crypto_kpp_maxsize(tfm);

	if (!kdfcopy) {
		/*
		 * When not using a KDF, buflen 0 is used to read the
		 * required buffer length
		 */
		if (buflen == 0) {
			ret = outlen;
			goto out4;
		} else if (outlen > buflen) {
			ret = -EOVERFLOW;
			goto out4;
		}
	}

	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
			 GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto out4;
	}

	sg_init_one(&outsg, outbuf, outlen);

	req = kpp_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		ret = -ENOMEM;
		goto out5;
	}

	kpp_request_set_input(req, NULL, 0);
	kpp_request_set_output(req, &outsg, outlen);
	init_completion(&compl.completion);
	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
				 CRYPTO_TFM_REQ_MAY_SLEEP,
				 dh_crypto_done, &compl);

	/*
	 * For DH, generate_public_key and generate_shared_secret are
	 * the same calculation
	 */
	ret = crypto_kpp_generate_public_key(req);
	if (ret == -EINPROGRESS) {
		wait_for_completion(&compl.completion);
		ret = compl.err;
		if (ret)
			goto out6;
	}

	if (kdfcopy) {
		/*
		 * Concatenate SP800-56A otherinfo past DH shared secret -- the
		 * input to the KDF is (DH shared secret || otherinfo)
		 */
		if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
				   kdfcopy->otherinfolen) != 0) {
			ret = -EFAULT;
			goto out6;
		}

		ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf,
					    req->dst_len + kdfcopy->otherinfolen);
	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
		ret = req->dst_len;
	} else {
		ret = -EFAULT;
	}

out6:
	kpp_request_free(req);
out5:
	kfree_sensitive(outbuf);
out4:
	crypto_free_kpp(tfm);
out3:
	kfree_sensitive(secret);
out2:
	dh_free_data(&dh_inputs);
out1:
	kdf_dealloc(sdesc);
	return ret;
}

long keyctl_dh_compute(struct keyctl_dh_params __user *params,
		       char __user *buffer, size_t buflen,
		       struct keyctl_kdf_params __user *kdf)
{
	struct keyctl_kdf_params kdfcopy;

	if (!kdf)
		return __keyctl_dh_compute(params, buffer, buflen, NULL);

	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
		return -EFAULT;

	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
}
Commit	Line	Data
2874c5fd	1	// SPDX-License-Identifier: GPL-2.0-or-later
ddbb4114 MM	2	/* Crypto operations using stored keys
	3	*
	4	* Copyright (c) 2016, Intel Corporation
ddbb4114 MM	5	*/
ddbb4114 MM	6
ddbb4114 MM	7	#include <linux/slab.h>
ddbb4114 MM	8	#include <linux/uaccess.h>
7cbe0932	9	#include <linux/scatterlist.h>
f1c316a3 SM	10	#include <linux/crypto.h>
f1c316a3 SM	11	#include <crypto/hash.h>
7cbe0932 MM	12	#include <crypto/kpp.h>
7cbe0932 MM	13	#include <crypto/dh.h>
ddbb4114 MM	14	#include <keys/user-type.h>
	15	#include "internal.h"
	16
7cbe0932	17	static ssize_t dh_data_from_key(key_serial_t keyid, void **data)
ddbb4114 MM	18	{
	19	struct key *key;
	20	key_ref_t key_ref;
	21	long status;
	22	ssize_t ret;
	23
	24	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	25	if (IS_ERR(key_ref)) {
	26	ret = -ENOKEY;
	27	goto error;
	28	}
	29
	30	key = key_ref_to_ptr(key_ref);
	31
	32	ret = -EOPNOTSUPP;
	33	if (key->type == &key_type_user) {
	34	down_read(&key->sem);
	35	status = key_validate(key);
	36	if (status == 0) {
	37	const struct user_key_payload *payload;
7cbe0932	38	uint8_t *duplicate;
ddbb4114	39
0837e49a	40	payload = user_key_payload_locked(key);
ddbb4114	41
7cbe0932 MM	42	duplicate = kmemdup(payload->data, payload->datalen,
	43	GFP_KERNEL);
	44	if (duplicate) {
	45	*data = duplicate;
ddbb4114	46	ret = payload->datalen;
ddbb4114	47	} else {
7cbe0932	48	ret = -ENOMEM;
ddbb4114 MM	49	}
	50	}
	51	up_read(&key->sem);
	52	}
	53
	54	key_put(key);
	55	error:
	56	return ret;
	57	}
	58
7cbe0932 MM	59	static void dh_free_data(struct dh *dh)
7cbe0932 MM	60	{
453431a5 WL	61	kfree_sensitive(dh->key);
	62	kfree_sensitive(dh->p);
	63	kfree_sensitive(dh->g);
7cbe0932 MM	64	}
	65
	66	struct dh_completion {
	67	struct completion completion;
	68	int err;
	69	};
	70
	71	static void dh_crypto_done(struct crypto_async_request *req, int err)
	72	{
	73	struct dh_completion *compl = req->data;
	74
	75	if (err == -EINPROGRESS)
	76	return;
	77
	78	compl->err = err;
	79	complete(&compl->completion);
	80	}
	81
f1c316a3 SM	82	struct kdf_sdesc {
	83	struct shash_desc shash;
	84	char ctx[];
	85	};
	86
	87	static int kdf_alloc(struct kdf_sdesc *sdesc_ret, char hashname)
	88	{
	89	struct crypto_shash *tfm;
	90	struct kdf_sdesc *sdesc;
	91	int size;
bbe24045	92	int err;
f1c316a3 SM	93
	94	/* allocate synchronous hash */
	95	tfm = crypto_alloc_shash(hashname, 0, 0);
	96	if (IS_ERR(tfm)) {
	97	pr_info("could not allocate digest TFM handle %s\n", hashname);
	98	return PTR_ERR(tfm);
	99	}
	100
bbe24045 EB	101	err = -EINVAL;
	102	if (crypto_shash_digestsize(tfm) == 0)
	103	goto out_free_tfm;
	104
	105	err = -ENOMEM;
f1c316a3 SM	106	size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
	107	sdesc = kmalloc(size, GFP_KERNEL);
	108	if (!sdesc)
bbe24045	109	goto out_free_tfm;
f1c316a3	110	sdesc->shash.tfm = tfm;
f1c316a3 SM	111
	112	*sdesc_ret = sdesc;
	113
	114	return 0;
bbe24045 EB	115
	116	out_free_tfm:
	117	crypto_free_shash(tfm);
	118	return err;
f1c316a3 SM	119	}
	120
	121	static void kdf_dealloc(struct kdf_sdesc *sdesc)
	122	{
	123	if (!sdesc)
	124	return;
	125
	126	if (sdesc->shash.tfm)
	127	crypto_free_shash(sdesc->shash.tfm);
	128
453431a5	129	kfree_sensitive(sdesc);
f1c316a3 SM	130	}
f1c316a3 SM	131
f1c316a3 SM	132	/*
	133	* Implementation of the KDF in counter mode according to SP800-108 section 5.1
	134	* as well as SP800-56A section 5.8.1 (Single-step KDF).
	135	*
	136	* SP800-56A:
	137	* The src pointer is defined as Z \|\| other info where Z is the shared secret
	138	* from DH and other info is an arbitrary string (see SP800-56A section
	139	* 5.8.1.2).
3619dec5 EB	140	*
3619dec5 EB	141	* 'dlen' must be a multiple of the digest size.
f1c316a3 SM	142	*/
f1c316a3 SM	143	static int kdf_ctr(struct kdf_sdesc sdesc, const u8 src, unsigned int slen,
d7921344	144	u8 *dst, unsigned int dlen)
f1c316a3 SM	145	{
	146	struct shash_desc *desc = &sdesc->shash;
	147	unsigned int h = crypto_shash_digestsize(desc->tfm);
	148	int err = 0;
	149	u8 *dst_orig = dst;
0ddd9f1a	150	__be32 counter = cpu_to_be32(1);
f1c316a3 SM	151
	152	while (dlen) {
	153	err = crypto_shash_init(desc);
	154	if (err)
	155	goto err;
	156
0ddd9f1a	157	err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
f1c316a3 SM	158	if (err)
	159	goto err;
	160
	161	if (src && slen) {
	162	err = crypto_shash_update(desc, src, slen);
	163	if (err)
	164	goto err;
	165	}
	166
383203ef TA	167	err = crypto_shash_final(desc, dst);
	168	if (err)
	169	goto err;
f1c316a3	170
383203ef TA	171	dlen -= h;
	172	dst += h;
	173	counter = cpu_to_be32(be32_to_cpu(counter) + 1);
f1c316a3 SM	174	}
	175
	176	return 0;
	177
	178	err:
	179	memzero_explicit(dst_orig, dlen);
	180	return err;
	181	}
	182
	183	static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
	184	char __user *buffer, size_t buflen,
d7921344	185	uint8_t *kbuf, size_t kbuflen)
f1c316a3 SM	186	{
	187	uint8_t *outbuf = NULL;
	188	int ret;
3619dec5 EB	189	size_t outbuf_len = roundup(buflen,
3619dec5 EB	190	crypto_shash_digestsize(sdesc->shash.tfm));
f1c316a3	191
383203ef	192	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
f1c316a3 SM	193	if (!outbuf) {
	194	ret = -ENOMEM;
	195	goto err;
	196	}
	197
d7921344	198	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len);
f1c316a3 SM	199	if (ret)
	200	goto err;
	201
	202	ret = buflen;
	203	if (copy_to_user(buffer, outbuf, buflen) != 0)
	204	ret = -EFAULT;
	205
	206	err:
453431a5	207	kfree_sensitive(outbuf);
f1c316a3 SM	208	return ret;
	209	}
	210
	211	long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
	212	char __user *buffer, size_t buflen,
	213	struct keyctl_kdf_params *kdfcopy)
ddbb4114 MM	214	{
ddbb4114 MM	215	long ret;
7cbe0932 MM	216	ssize_t dlen;
	217	int secretlen;
	218	int outlen;
ddbb4114	219	struct keyctl_dh_params pcopy;
7cbe0932 MM	220	struct dh dh_inputs;
	221	struct scatterlist outsg;
	222	struct dh_completion compl;
	223	struct crypto_kpp *tfm;
	224	struct kpp_request *req;
	225	uint8_t *secret;
	226	uint8_t *outbuf;
f1c316a3	227	struct kdf_sdesc *sdesc = NULL;
ddbb4114 MM	228
	229	if (!params \|\| (!buffer && buflen)) {
	230	ret = -EINVAL;
7cbe0932	231	goto out1;
ddbb4114 MM	232	}
	233	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
	234	ret = -EFAULT;
7cbe0932	235	goto out1;
ddbb4114 MM	236	}
ddbb4114 MM	237
f1c316a3 SM	238	if (kdfcopy) {
	239	char *hashname;
	240
4f9dabfa EB	241	if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
	242	ret = -EINVAL;
	243	goto out1;
	244	}
	245
f1c316a3 SM	246	if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN \|\|
	247	kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
	248	ret = -EMSGSIZE;
7cbe0932	249	goto out1;
f1c316a3 SM	250	}
	251
	252	/* get KDF name string */
	253	hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
	254	if (IS_ERR(hashname)) {
	255	ret = PTR_ERR(hashname);
7cbe0932	256	goto out1;
f1c316a3 SM	257	}
	258
	259	/* allocate KDF from the kernel crypto API */
	260	ret = kdf_alloc(&sdesc, hashname);
	261	kfree(hashname);
	262	if (ret)
7cbe0932	263	goto out1;
4693fc73 SM	264	}
4693fc73 SM	265
7cbe0932 MM	266	memset(&dh_inputs, 0, sizeof(dh_inputs));
	267
	268	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	269	if (dlen < 0) {
	270	ret = dlen;
	271	goto out1;
ddbb4114	272	}
7cbe0932	273	dh_inputs.p_size = dlen;
ddbb4114	274
7cbe0932 MM	275	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	276	if (dlen < 0) {
	277	ret = dlen;
	278	goto out2;
	279	}
	280	dh_inputs.g_size = dlen;
ddbb4114	281
8c0f9f5b	282	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
7cbe0932 MM	283	if (dlen < 0) {
	284	ret = dlen;
	285	goto out2;
ddbb4114	286	}
7cbe0932	287	dh_inputs.key_size = dlen;
ddbb4114	288
7cbe0932 MM	289	secretlen = crypto_dh_key_len(&dh_inputs);
	290	secret = kmalloc(secretlen, GFP_KERNEL);
	291	if (!secret) {
	292	ret = -ENOMEM;
	293	goto out2;
	294	}
	295	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	296	if (ret)
	297	goto out3;
	298
85d7311f	299	tfm = crypto_alloc_kpp("dh", 0, 0);
7cbe0932 MM	300	if (IS_ERR(tfm)) {
	301	ret = PTR_ERR(tfm);
	302	goto out3;
	303	}
	304
	305	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	306	if (ret)
	307	goto out4;
	308
	309	outlen = crypto_kpp_maxsize(tfm);
	310
	311	if (!kdfcopy) {
	312	/*
	313	* When not using a KDF, buflen 0 is used to read the
	314	* required buffer length
	315	*/
	316	if (buflen == 0) {
	317	ret = outlen;
	318	goto out4;
	319	} else if (outlen > buflen) {
	320	ret = -EOVERFLOW;
	321	goto out4;
	322	}
ddbb4114 MM	323	}
ddbb4114 MM	324
7cbe0932 MM	325	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
	326	GFP_KERNEL);
	327	if (!outbuf) {
ddbb4114	328	ret = -ENOMEM;
7cbe0932	329	goto out4;
ddbb4114 MM	330	}
ddbb4114 MM	331
7cbe0932 MM	332	sg_init_one(&outsg, outbuf, outlen);
	333
	334	req = kpp_request_alloc(tfm, GFP_KERNEL);
	335	if (!req) {
ddbb4114	336	ret = -ENOMEM;
7cbe0932	337	goto out5;
ddbb4114 MM	338	}
ddbb4114 MM	339
7cbe0932 MM	340	kpp_request_set_input(req, NULL, 0);
	341	kpp_request_set_output(req, &outsg, outlen);
	342	init_completion(&compl.completion);
	343	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG \|
	344	CRYPTO_TFM_REQ_MAY_SLEEP,
	345	dh_crypto_done, &compl);
	346
f1c316a3	347	/*
7cbe0932 MM	348	* For DH, generate_public_key and generate_shared_secret are
7cbe0932 MM	349	* the same calculation
f1c316a3	350	*/
7cbe0932 MM	351	ret = crypto_kpp_generate_public_key(req);
	352	if (ret == -EINPROGRESS) {
	353	wait_for_completion(&compl.completion);
	354	ret = compl.err;
	355	if (ret)
	356	goto out6;
f1c316a3 SM	357	}
f1c316a3 SM	358
f1c316a3	359	if (kdfcopy) {
7cbe0932 MM	360	/*
	361	* Concatenate SP800-56A otherinfo past DH shared secret -- the
	362	* input to the KDF is (DH shared secret \|\| otherinfo)
	363	*/
	364	if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
	365	kdfcopy->otherinfolen) != 0) {
f1c316a3	366	ret = -EFAULT;
7cbe0932 MM	367	goto out6;
	368	}
	369
	370	ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf,
d7921344	371	req->dst_len + kdfcopy->otherinfolen);
7cbe0932 MM	372	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
	373	ret = req->dst_len;
	374	} else {
	375	ret = -EFAULT;
f1c316a3	376	}
ddbb4114	377
7cbe0932 MM	378	out6:
	379	kpp_request_free(req);
	380	out5:
453431a5	381	kfree_sensitive(outbuf);
7cbe0932 MM	382	out4:
	383	crypto_free_kpp(tfm);
	384	out3:
453431a5	385	kfree_sensitive(secret);
7cbe0932 MM	386	out2:
	387	dh_free_data(&dh_inputs);
	388	out1:
f1c316a3	389	kdf_dealloc(sdesc);
ddbb4114 MM	390	return ret;
ddbb4114 MM	391	}
f1c316a3 SM	392
	393	long keyctl_dh_compute(struct keyctl_dh_params __user *params,
	394	char __user *buffer, size_t buflen,
	395	struct keyctl_kdf_params __user *kdf)
	396	{
	397	struct keyctl_kdf_params kdfcopy;
	398
	399	if (!kdf)
	400	return __keyctl_dh_compute(params, buffer, buflen, NULL);
	401
	402	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
	403	return -EFAULT;
	404
	405	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
	406	}