]>
Commit | Line | Data |
---|---|---|
ddbb4114 MM |
1 | /* Crypto operations using stored keys |
2 | * | |
3 | * Copyright (c) 2016, Intel Corporation | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or | |
6 | * modify it under the terms of the GNU General Public License | |
7 | * as published by the Free Software Foundation; either version | |
8 | * 2 of the License, or (at your option) any later version. | |
9 | */ | |
10 | ||
ddbb4114 MM |
11 | #include <linux/slab.h> |
12 | #include <linux/uaccess.h> | |
7cbe0932 | 13 | #include <linux/scatterlist.h> |
f1c316a3 SM |
14 | #include <linux/crypto.h> |
15 | #include <crypto/hash.h> | |
7cbe0932 MM |
16 | #include <crypto/kpp.h> |
17 | #include <crypto/dh.h> | |
ddbb4114 MM |
18 | #include <keys/user-type.h> |
19 | #include "internal.h" | |
20 | ||
7cbe0932 | 21 | static ssize_t dh_data_from_key(key_serial_t keyid, void **data) |
ddbb4114 MM |
22 | { |
23 | struct key *key; | |
24 | key_ref_t key_ref; | |
25 | long status; | |
26 | ssize_t ret; | |
27 | ||
28 | key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ); | |
29 | if (IS_ERR(key_ref)) { | |
30 | ret = -ENOKEY; | |
31 | goto error; | |
32 | } | |
33 | ||
34 | key = key_ref_to_ptr(key_ref); | |
35 | ||
36 | ret = -EOPNOTSUPP; | |
37 | if (key->type == &key_type_user) { | |
38 | down_read(&key->sem); | |
39 | status = key_validate(key); | |
40 | if (status == 0) { | |
41 | const struct user_key_payload *payload; | |
7cbe0932 | 42 | uint8_t *duplicate; |
ddbb4114 | 43 | |
0837e49a | 44 | payload = user_key_payload_locked(key); |
ddbb4114 | 45 | |
7cbe0932 MM |
46 | duplicate = kmemdup(payload->data, payload->datalen, |
47 | GFP_KERNEL); | |
48 | if (duplicate) { | |
49 | *data = duplicate; | |
ddbb4114 | 50 | ret = payload->datalen; |
ddbb4114 | 51 | } else { |
7cbe0932 | 52 | ret = -ENOMEM; |
ddbb4114 MM |
53 | } |
54 | } | |
55 | up_read(&key->sem); | |
56 | } | |
57 | ||
58 | key_put(key); | |
59 | error: | |
60 | return ret; | |
61 | } | |
62 | ||
7cbe0932 MM |
63 | static void dh_free_data(struct dh *dh) |
64 | { | |
65 | kzfree(dh->key); | |
66 | kzfree(dh->p); | |
67 | kzfree(dh->g); | |
68 | } | |
69 | ||
70 | struct dh_completion { | |
71 | struct completion completion; | |
72 | int err; | |
73 | }; | |
74 | ||
75 | static void dh_crypto_done(struct crypto_async_request *req, int err) | |
76 | { | |
77 | struct dh_completion *compl = req->data; | |
78 | ||
79 | if (err == -EINPROGRESS) | |
80 | return; | |
81 | ||
82 | compl->err = err; | |
83 | complete(&compl->completion); | |
84 | } | |
85 | ||
f1c316a3 SM |
86 | struct kdf_sdesc { |
87 | struct shash_desc shash; | |
88 | char ctx[]; | |
89 | }; | |
90 | ||
91 | static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname) | |
92 | { | |
93 | struct crypto_shash *tfm; | |
94 | struct kdf_sdesc *sdesc; | |
95 | int size; | |
bbe24045 | 96 | int err; |
f1c316a3 SM |
97 | |
98 | /* allocate synchronous hash */ | |
99 | tfm = crypto_alloc_shash(hashname, 0, 0); | |
100 | if (IS_ERR(tfm)) { | |
101 | pr_info("could not allocate digest TFM handle %s\n", hashname); | |
102 | return PTR_ERR(tfm); | |
103 | } | |
104 | ||
bbe24045 EB |
105 | err = -EINVAL; |
106 | if (crypto_shash_digestsize(tfm) == 0) | |
107 | goto out_free_tfm; | |
108 | ||
109 | err = -ENOMEM; | |
f1c316a3 SM |
110 | size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm); |
111 | sdesc = kmalloc(size, GFP_KERNEL); | |
112 | if (!sdesc) | |
bbe24045 | 113 | goto out_free_tfm; |
f1c316a3 SM |
114 | sdesc->shash.tfm = tfm; |
115 | sdesc->shash.flags = 0x0; | |
116 | ||
117 | *sdesc_ret = sdesc; | |
118 | ||
119 | return 0; | |
bbe24045 EB |
120 | |
121 | out_free_tfm: | |
122 | crypto_free_shash(tfm); | |
123 | return err; | |
f1c316a3 SM |
124 | } |
125 | ||
126 | static void kdf_dealloc(struct kdf_sdesc *sdesc) | |
127 | { | |
128 | if (!sdesc) | |
129 | return; | |
130 | ||
131 | if (sdesc->shash.tfm) | |
132 | crypto_free_shash(sdesc->shash.tfm); | |
133 | ||
134 | kzfree(sdesc); | |
135 | } | |
136 | ||
f1c316a3 SM |
137 | /* |
138 | * Implementation of the KDF in counter mode according to SP800-108 section 5.1 | |
139 | * as well as SP800-56A section 5.8.1 (Single-step KDF). | |
140 | * | |
141 | * SP800-56A: | |
142 | * The src pointer is defined as Z || other info where Z is the shared secret | |
143 | * from DH and other info is an arbitrary string (see SP800-56A section | |
144 | * 5.8.1.2). | |
145 | */ | |
146 | static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, | |
7cbe0932 | 147 | u8 *dst, unsigned int dlen, unsigned int zlen) |
f1c316a3 SM |
148 | { |
149 | struct shash_desc *desc = &sdesc->shash; | |
150 | unsigned int h = crypto_shash_digestsize(desc->tfm); | |
151 | int err = 0; | |
152 | u8 *dst_orig = dst; | |
0ddd9f1a | 153 | __be32 counter = cpu_to_be32(1); |
f1c316a3 SM |
154 | |
155 | while (dlen) { | |
156 | err = crypto_shash_init(desc); | |
157 | if (err) | |
158 | goto err; | |
159 | ||
0ddd9f1a | 160 | err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32)); |
f1c316a3 SM |
161 | if (err) |
162 | goto err; | |
163 | ||
7cbe0932 MM |
164 | if (zlen && h) { |
165 | u8 tmpbuffer[h]; | |
166 | size_t chunk = min_t(size_t, zlen, h); | |
167 | memset(tmpbuffer, 0, chunk); | |
168 | ||
169 | do { | |
170 | err = crypto_shash_update(desc, tmpbuffer, | |
171 | chunk); | |
172 | if (err) | |
173 | goto err; | |
174 | ||
175 | zlen -= chunk; | |
176 | chunk = min_t(size_t, zlen, h); | |
177 | } while (zlen); | |
178 | } | |
179 | ||
f1c316a3 SM |
180 | if (src && slen) { |
181 | err = crypto_shash_update(desc, src, slen); | |
182 | if (err) | |
183 | goto err; | |
184 | } | |
185 | ||
383203ef TA |
186 | err = crypto_shash_final(desc, dst); |
187 | if (err) | |
188 | goto err; | |
f1c316a3 | 189 | |
383203ef TA |
190 | dlen -= h; |
191 | dst += h; | |
192 | counter = cpu_to_be32(be32_to_cpu(counter) + 1); | |
f1c316a3 SM |
193 | } |
194 | ||
195 | return 0; | |
196 | ||
197 | err: | |
198 | memzero_explicit(dst_orig, dlen); | |
199 | return err; | |
200 | } | |
201 | ||
202 | static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, | |
203 | char __user *buffer, size_t buflen, | |
7cbe0932 | 204 | uint8_t *kbuf, size_t kbuflen, size_t lzero) |
f1c316a3 SM |
205 | { |
206 | uint8_t *outbuf = NULL; | |
207 | int ret; | |
383203ef TA |
208 | size_t outbuf_len = round_up(buflen, |
209 | crypto_shash_digestsize(sdesc->shash.tfm)); | |
f1c316a3 | 210 | |
383203ef | 211 | outbuf = kmalloc(outbuf_len, GFP_KERNEL); |
f1c316a3 SM |
212 | if (!outbuf) { |
213 | ret = -ENOMEM; | |
214 | goto err; | |
215 | } | |
216 | ||
383203ef | 217 | ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero); |
f1c316a3 SM |
218 | if (ret) |
219 | goto err; | |
220 | ||
221 | ret = buflen; | |
222 | if (copy_to_user(buffer, outbuf, buflen) != 0) | |
223 | ret = -EFAULT; | |
224 | ||
225 | err: | |
226 | kzfree(outbuf); | |
227 | return ret; | |
228 | } | |
229 | ||
230 | long __keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
231 | char __user *buffer, size_t buflen, | |
232 | struct keyctl_kdf_params *kdfcopy) | |
ddbb4114 MM |
233 | { |
234 | long ret; | |
7cbe0932 MM |
235 | ssize_t dlen; |
236 | int secretlen; | |
237 | int outlen; | |
ddbb4114 | 238 | struct keyctl_dh_params pcopy; |
7cbe0932 MM |
239 | struct dh dh_inputs; |
240 | struct scatterlist outsg; | |
241 | struct dh_completion compl; | |
242 | struct crypto_kpp *tfm; | |
243 | struct kpp_request *req; | |
244 | uint8_t *secret; | |
245 | uint8_t *outbuf; | |
f1c316a3 | 246 | struct kdf_sdesc *sdesc = NULL; |
ddbb4114 MM |
247 | |
248 | if (!params || (!buffer && buflen)) { | |
249 | ret = -EINVAL; | |
7cbe0932 | 250 | goto out1; |
ddbb4114 MM |
251 | } |
252 | if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) { | |
253 | ret = -EFAULT; | |
7cbe0932 | 254 | goto out1; |
ddbb4114 MM |
255 | } |
256 | ||
f1c316a3 SM |
257 | if (kdfcopy) { |
258 | char *hashname; | |
259 | ||
4f9dabfa EB |
260 | if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) { |
261 | ret = -EINVAL; | |
262 | goto out1; | |
263 | } | |
264 | ||
f1c316a3 SM |
265 | if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || |
266 | kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { | |
267 | ret = -EMSGSIZE; | |
7cbe0932 | 268 | goto out1; |
f1c316a3 SM |
269 | } |
270 | ||
271 | /* get KDF name string */ | |
272 | hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME); | |
273 | if (IS_ERR(hashname)) { | |
274 | ret = PTR_ERR(hashname); | |
7cbe0932 | 275 | goto out1; |
f1c316a3 SM |
276 | } |
277 | ||
278 | /* allocate KDF from the kernel crypto API */ | |
279 | ret = kdf_alloc(&sdesc, hashname); | |
280 | kfree(hashname); | |
281 | if (ret) | |
7cbe0932 | 282 | goto out1; |
4693fc73 SM |
283 | } |
284 | ||
7cbe0932 MM |
285 | memset(&dh_inputs, 0, sizeof(dh_inputs)); |
286 | ||
287 | dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p); | |
288 | if (dlen < 0) { | |
289 | ret = dlen; | |
290 | goto out1; | |
ddbb4114 | 291 | } |
7cbe0932 | 292 | dh_inputs.p_size = dlen; |
ddbb4114 | 293 | |
7cbe0932 MM |
294 | dlen = dh_data_from_key(pcopy.base, &dh_inputs.g); |
295 | if (dlen < 0) { | |
296 | ret = dlen; | |
297 | goto out2; | |
298 | } | |
299 | dh_inputs.g_size = dlen; | |
ddbb4114 | 300 | |
7cbe0932 MM |
301 | dlen = dh_data_from_key(pcopy.private, &dh_inputs.key); |
302 | if (dlen < 0) { | |
303 | ret = dlen; | |
304 | goto out2; | |
ddbb4114 | 305 | } |
7cbe0932 | 306 | dh_inputs.key_size = dlen; |
ddbb4114 | 307 | |
7cbe0932 MM |
308 | secretlen = crypto_dh_key_len(&dh_inputs); |
309 | secret = kmalloc(secretlen, GFP_KERNEL); | |
310 | if (!secret) { | |
311 | ret = -ENOMEM; | |
312 | goto out2; | |
313 | } | |
314 | ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs); | |
315 | if (ret) | |
316 | goto out3; | |
317 | ||
318 | tfm = crypto_alloc_kpp("dh", CRYPTO_ALG_TYPE_KPP, 0); | |
319 | if (IS_ERR(tfm)) { | |
320 | ret = PTR_ERR(tfm); | |
321 | goto out3; | |
322 | } | |
323 | ||
324 | ret = crypto_kpp_set_secret(tfm, secret, secretlen); | |
325 | if (ret) | |
326 | goto out4; | |
327 | ||
328 | outlen = crypto_kpp_maxsize(tfm); | |
329 | ||
330 | if (!kdfcopy) { | |
331 | /* | |
332 | * When not using a KDF, buflen 0 is used to read the | |
333 | * required buffer length | |
334 | */ | |
335 | if (buflen == 0) { | |
336 | ret = outlen; | |
337 | goto out4; | |
338 | } else if (outlen > buflen) { | |
339 | ret = -EOVERFLOW; | |
340 | goto out4; | |
341 | } | |
ddbb4114 MM |
342 | } |
343 | ||
7cbe0932 MM |
344 | outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen, |
345 | GFP_KERNEL); | |
346 | if (!outbuf) { | |
ddbb4114 | 347 | ret = -ENOMEM; |
7cbe0932 | 348 | goto out4; |
ddbb4114 MM |
349 | } |
350 | ||
7cbe0932 MM |
351 | sg_init_one(&outsg, outbuf, outlen); |
352 | ||
353 | req = kpp_request_alloc(tfm, GFP_KERNEL); | |
354 | if (!req) { | |
ddbb4114 | 355 | ret = -ENOMEM; |
7cbe0932 | 356 | goto out5; |
ddbb4114 MM |
357 | } |
358 | ||
7cbe0932 MM |
359 | kpp_request_set_input(req, NULL, 0); |
360 | kpp_request_set_output(req, &outsg, outlen); | |
361 | init_completion(&compl.completion); | |
362 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
363 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
364 | dh_crypto_done, &compl); | |
365 | ||
f1c316a3 | 366 | /* |
7cbe0932 MM |
367 | * For DH, generate_public_key and generate_shared_secret are |
368 | * the same calculation | |
f1c316a3 | 369 | */ |
7cbe0932 MM |
370 | ret = crypto_kpp_generate_public_key(req); |
371 | if (ret == -EINPROGRESS) { | |
372 | wait_for_completion(&compl.completion); | |
373 | ret = compl.err; | |
374 | if (ret) | |
375 | goto out6; | |
f1c316a3 SM |
376 | } |
377 | ||
f1c316a3 | 378 | if (kdfcopy) { |
7cbe0932 MM |
379 | /* |
380 | * Concatenate SP800-56A otherinfo past DH shared secret -- the | |
381 | * input to the KDF is (DH shared secret || otherinfo) | |
382 | */ | |
383 | if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo, | |
384 | kdfcopy->otherinfolen) != 0) { | |
f1c316a3 | 385 | ret = -EFAULT; |
7cbe0932 MM |
386 | goto out6; |
387 | } | |
388 | ||
389 | ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf, | |
390 | req->dst_len + kdfcopy->otherinfolen, | |
391 | outlen - req->dst_len); | |
392 | } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) { | |
393 | ret = req->dst_len; | |
394 | } else { | |
395 | ret = -EFAULT; | |
f1c316a3 | 396 | } |
ddbb4114 | 397 | |
7cbe0932 MM |
398 | out6: |
399 | kpp_request_free(req); | |
400 | out5: | |
401 | kzfree(outbuf); | |
402 | out4: | |
403 | crypto_free_kpp(tfm); | |
404 | out3: | |
405 | kzfree(secret); | |
406 | out2: | |
407 | dh_free_data(&dh_inputs); | |
408 | out1: | |
f1c316a3 | 409 | kdf_dealloc(sdesc); |
ddbb4114 MM |
410 | return ret; |
411 | } | |
f1c316a3 SM |
412 | |
413 | long keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
414 | char __user *buffer, size_t buflen, | |
415 | struct keyctl_kdf_params __user *kdf) | |
416 | { | |
417 | struct keyctl_kdf_params kdfcopy; | |
418 | ||
419 | if (!kdf) | |
420 | return __keyctl_dh_compute(params, buffer, buflen, NULL); | |
421 | ||
422 | if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0) | |
423 | return -EFAULT; | |
424 | ||
425 | return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); | |
426 | } |