dh.c 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* Crypto operations using stored keys
  3. *
  4. * Copyright (c) 2016, Intel Corporation
  5. */
  6. #include <linux/slab.h>
  7. #include <linux/uaccess.h>
  8. #include <linux/scatterlist.h>
  9. #include <linux/crypto.h>
  10. #include <crypto/hash.h>
  11. #include <crypto/kpp.h>
  12. #include <crypto/dh.h>
  13. #include <crypto/kdf_sp800108.h>
  14. #include <keys/user-type.h>
  15. #include "internal.h"
  16. static ssize_t dh_data_from_key(key_serial_t keyid, const void **data)
  17. {
  18. struct key *key;
  19. key_ref_t key_ref;
  20. long status;
  21. ssize_t ret;
  22. key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
  23. if (IS_ERR(key_ref)) {
  24. ret = -ENOKEY;
  25. goto error;
  26. }
  27. key = key_ref_to_ptr(key_ref);
  28. ret = -EOPNOTSUPP;
  29. if (key->type == &key_type_user) {
  30. down_read(&key->sem);
  31. status = key_validate(key);
  32. if (status == 0) {
  33. const struct user_key_payload *payload;
  34. uint8_t *duplicate;
  35. payload = user_key_payload_locked(key);
  36. duplicate = kmemdup(payload->data, payload->datalen,
  37. GFP_KERNEL);
  38. if (duplicate) {
  39. *data = duplicate;
  40. ret = payload->datalen;
  41. } else {
  42. ret = -ENOMEM;
  43. }
  44. }
  45. up_read(&key->sem);
  46. }
  47. key_put(key);
  48. error:
  49. return ret;
  50. }
  51. static void dh_free_data(struct dh *dh)
  52. {
  53. kfree_sensitive(dh->key);
  54. kfree_sensitive(dh->p);
  55. kfree_sensitive(dh->g);
  56. }
  57. static int kdf_alloc(struct crypto_shash **hash, char *hashname)
  58. {
  59. struct crypto_shash *tfm;
  60. /* allocate synchronous hash */
  61. tfm = crypto_alloc_shash(hashname, 0, 0);
  62. if (IS_ERR(tfm)) {
  63. pr_info("could not allocate digest TFM handle %s\n", hashname);
  64. return PTR_ERR(tfm);
  65. }
  66. if (crypto_shash_digestsize(tfm) == 0) {
  67. crypto_free_shash(tfm);
  68. return -EINVAL;
  69. }
  70. *hash = tfm;
  71. return 0;
  72. }
  73. static void kdf_dealloc(struct crypto_shash *hash)
  74. {
  75. if (hash)
  76. crypto_free_shash(hash);
  77. }
  78. static int keyctl_dh_compute_kdf(struct crypto_shash *hash,
  79. char __user *buffer, size_t buflen,
  80. uint8_t *kbuf, size_t kbuflen)
  81. {
  82. struct kvec kbuf_iov = { .iov_base = kbuf, .iov_len = kbuflen };
  83. uint8_t *outbuf = NULL;
  84. int ret;
  85. size_t outbuf_len = roundup(buflen, crypto_shash_digestsize(hash));
  86. outbuf = kmalloc(outbuf_len, GFP_KERNEL);
  87. if (!outbuf) {
  88. ret = -ENOMEM;
  89. goto err;
  90. }
  91. ret = crypto_kdf108_ctr_generate(hash, &kbuf_iov, 1, outbuf, outbuf_len);
  92. if (ret)
  93. goto err;
  94. ret = buflen;
  95. if (copy_to_user(buffer, outbuf, buflen) != 0)
  96. ret = -EFAULT;
  97. err:
  98. kfree_sensitive(outbuf);
  99. return ret;
  100. }
  101. long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
  102. char __user *buffer, size_t buflen,
  103. struct keyctl_kdf_params *kdfcopy)
  104. {
  105. long ret;
  106. ssize_t dlen;
  107. int secretlen;
  108. int outlen;
  109. struct keyctl_dh_params pcopy;
  110. struct dh dh_inputs;
  111. struct scatterlist outsg;
  112. DECLARE_CRYPTO_WAIT(compl);
  113. struct crypto_kpp *tfm;
  114. struct kpp_request *req;
  115. uint8_t *secret;
  116. uint8_t *outbuf;
  117. struct crypto_shash *hash = NULL;
  118. if (!params || (!buffer && buflen)) {
  119. ret = -EINVAL;
  120. goto out1;
  121. }
  122. if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
  123. ret = -EFAULT;
  124. goto out1;
  125. }
  126. if (kdfcopy) {
  127. char *hashname;
  128. if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
  129. ret = -EINVAL;
  130. goto out1;
  131. }
  132. if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
  133. kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
  134. ret = -EMSGSIZE;
  135. goto out1;
  136. }
  137. /* get KDF name string */
  138. hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
  139. if (IS_ERR(hashname)) {
  140. ret = PTR_ERR(hashname);
  141. goto out1;
  142. }
  143. /* allocate KDF from the kernel crypto API */
  144. ret = kdf_alloc(&hash, hashname);
  145. kfree(hashname);
  146. if (ret)
  147. goto out1;
  148. }
  149. memset(&dh_inputs, 0, sizeof(dh_inputs));
  150. dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
  151. if (dlen < 0) {
  152. ret = dlen;
  153. goto out1;
  154. }
  155. dh_inputs.p_size = dlen;
  156. dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
  157. if (dlen < 0) {
  158. ret = dlen;
  159. goto out2;
  160. }
  161. dh_inputs.g_size = dlen;
  162. dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
  163. if (dlen < 0) {
  164. ret = dlen;
  165. goto out2;
  166. }
  167. dh_inputs.key_size = dlen;
  168. secretlen = crypto_dh_key_len(&dh_inputs);
  169. secret = kmalloc(secretlen, GFP_KERNEL);
  170. if (!secret) {
  171. ret = -ENOMEM;
  172. goto out2;
  173. }
  174. ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
  175. if (ret)
  176. goto out3;
  177. tfm = crypto_alloc_kpp("dh", 0, 0);
  178. if (IS_ERR(tfm)) {
  179. ret = PTR_ERR(tfm);
  180. goto out3;
  181. }
  182. ret = crypto_kpp_set_secret(tfm, secret, secretlen);
  183. if (ret)
  184. goto out4;
  185. outlen = crypto_kpp_maxsize(tfm);
  186. if (!kdfcopy) {
  187. /*
  188. * When not using a KDF, buflen 0 is used to read the
  189. * required buffer length
  190. */
  191. if (buflen == 0) {
  192. ret = outlen;
  193. goto out4;
  194. } else if (outlen > buflen) {
  195. ret = -EOVERFLOW;
  196. goto out4;
  197. }
  198. }
  199. outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
  200. GFP_KERNEL);
  201. if (!outbuf) {
  202. ret = -ENOMEM;
  203. goto out4;
  204. }
  205. sg_init_one(&outsg, outbuf, outlen);
  206. req = kpp_request_alloc(tfm, GFP_KERNEL);
  207. if (!req) {
  208. ret = -ENOMEM;
  209. goto out5;
  210. }
  211. kpp_request_set_input(req, NULL, 0);
  212. kpp_request_set_output(req, &outsg, outlen);
  213. kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
  214. CRYPTO_TFM_REQ_MAY_SLEEP,
  215. crypto_req_done, &compl);
  216. /*
  217. * For DH, generate_public_key and generate_shared_secret are
  218. * the same calculation
  219. */
  220. ret = crypto_kpp_generate_public_key(req);
  221. ret = crypto_wait_req(ret, &compl);
  222. if (ret)
  223. goto out6;
  224. if (kdfcopy) {
  225. /*
  226. * Concatenate SP800-56A otherinfo past DH shared secret -- the
  227. * input to the KDF is (DH shared secret || otherinfo)
  228. */
  229. if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
  230. kdfcopy->otherinfolen) != 0) {
  231. ret = -EFAULT;
  232. goto out6;
  233. }
  234. ret = keyctl_dh_compute_kdf(hash, buffer, buflen, outbuf,
  235. req->dst_len + kdfcopy->otherinfolen);
  236. } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
  237. ret = req->dst_len;
  238. } else {
  239. ret = -EFAULT;
  240. }
  241. out6:
  242. kpp_request_free(req);
  243. out5:
  244. kfree_sensitive(outbuf);
  245. out4:
  246. crypto_free_kpp(tfm);
  247. out3:
  248. kfree_sensitive(secret);
  249. out2:
  250. dh_free_data(&dh_inputs);
  251. out1:
  252. kdf_dealloc(hash);
  253. return ret;
  254. }
  255. long keyctl_dh_compute(struct keyctl_dh_params __user *params,
  256. char __user *buffer, size_t buflen,
  257. struct keyctl_kdf_params __user *kdf)
  258. {
  259. struct keyctl_kdf_params kdfcopy;
  260. if (!kdf)
  261. return __keyctl_dh_compute(params, buffer, buflen, NULL);
  262. if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
  263. return -EFAULT;
  264. return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
  265. }