[mirror_ubuntu-hirsute-kernel.git] / security / keys / dh.c

/* Crypto operations using stored keys
 *
 * Copyright (c) 2016, Intel Corporation
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/scatterlist.h>
#include <linux/crypto.h>
#include <crypto/hash.h>
#include <crypto/kpp.h>
#include <crypto/dh.h>
#include <keys/user-type.h>
#include "internal.h"

static ssize_t dh_data_from_key(key_serial_t keyid, void **data)
{
	struct key *key;
	key_ref_t key_ref;
	long status;
	ssize_t ret;

	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	if (IS_ERR(key_ref)) {
		ret = -ENOKEY;
		goto error;
	}

	key = key_ref_to_ptr(key_ref);

	ret = -EOPNOTSUPP;
	if (key->type == &key_type_user) {
		down_read(&key->sem);
		status = key_validate(key);
		if (status == 0) {
			const struct user_key_payload *payload;
			uint8_t *duplicate;

			payload = user_key_payload_locked(key);

			duplicate = kmemdup(payload->data, payload->datalen,
					    GFP_KERNEL);
			if (duplicate) {
				*data = duplicate;
				ret = payload->datalen;
			} else {
				ret = -ENOMEM;
			}
		}
		up_read(&key->sem);
	}

	key_put(key);
error:
	return ret;
}

static void dh_free_data(struct dh *dh)
{
	kzfree(dh->key);
	kzfree(dh->p);
	kzfree(dh->g);
}

struct dh_completion {
	struct completion completion;
	int err;
};

static void dh_crypto_done(struct crypto_async_request *req, int err)
{
	struct dh_completion *compl = req->data;

	if (err == -EINPROGRESS)
		return;

	compl->err = err;
	complete(&compl->completion);
}

struct kdf_sdesc {
	struct shash_desc shash;
	char ctx[];
};

static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
{
	struct crypto_shash *tfm;
	struct kdf_sdesc *sdesc;
	int size;
	int err;

	/* allocate synchronous hash */
	tfm = crypto_alloc_shash(hashname, 0, 0);
	if (IS_ERR(tfm)) {
		pr_info("could not allocate digest TFM handle %s\n", hashname);
		return PTR_ERR(tfm);
	}

	err = -EINVAL;
	if (crypto_shash_digestsize(tfm) == 0)
		goto out_free_tfm;

	err = -ENOMEM;
	size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
	sdesc = kmalloc(size, GFP_KERNEL);
	if (!sdesc)
		goto out_free_tfm;
	sdesc->shash.tfm = tfm;
	sdesc->shash.flags = 0x0;

	*sdesc_ret = sdesc;

	return 0;

out_free_tfm:
	crypto_free_shash(tfm);
	return err;
}

static void kdf_dealloc(struct kdf_sdesc *sdesc)
{
	if (!sdesc)
		return;

	if (sdesc->shash.tfm)
		crypto_free_shash(sdesc->shash.tfm);

	kzfree(sdesc);
}

/*
 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
 * as well as SP800-56A section 5.8.1 (Single-step KDF).
 *
 * SP800-56A:
 * The src pointer is defined as Z || other info where Z is the shared secret
 * from DH and other info is an arbitrary string (see SP800-56A section
 * 5.8.1.2).
 */
static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
		   u8 *dst, unsigned int dlen, unsigned int zlen)
{
	struct shash_desc *desc = &sdesc->shash;
	unsigned int h = crypto_shash_digestsize(desc->tfm);
	int err = 0;
	u8 *dst_orig = dst;
	__be32 counter = cpu_to_be32(1);

	while (dlen) {
		err = crypto_shash_init(desc);
		if (err)
			goto err;

		err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
		if (err)
			goto err;

		if (zlen && h) {
			u8 tmpbuffer[h];
			size_t chunk = min_t(size_t, zlen, h);
			memset(tmpbuffer, 0, chunk);

			do {
				err = crypto_shash_update(desc, tmpbuffer,
							  chunk);
				if (err)
					goto err;

				zlen -= chunk;
				chunk = min_t(size_t, zlen, h);
			} while (zlen);
		}

		if (src && slen) {
			err = crypto_shash_update(desc, src, slen);
			if (err)
				goto err;
		}

		err = crypto_shash_final(desc, dst);
		if (err)
			goto err;

		dlen -= h;
		dst += h;
		counter = cpu_to_be32(be32_to_cpu(counter) + 1);
	}

	return 0;

err:
	memzero_explicit(dst_orig, dlen);
	return err;
}

static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
				 char __user *buffer, size_t buflen,
				 uint8_t *kbuf, size_t kbuflen, size_t lzero)
{
	uint8_t *outbuf = NULL;
	int ret;
	size_t outbuf_len = round_up(buflen,
			             crypto_shash_digestsize(sdesc->shash.tfm));

	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto err;
	}

	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero);
	if (ret)
		goto err;

	ret = buflen;
	if (copy_to_user(buffer, outbuf, buflen) != 0)
		ret = -EFAULT;

err:
	kzfree(outbuf);
	return ret;
}

long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
			 char __user *buffer, size_t buflen,
			 struct keyctl_kdf_params *kdfcopy)
{
	long ret;
	ssize_t dlen;
	int secretlen;
	int outlen;
	struct keyctl_dh_params pcopy;
	struct dh dh_inputs;
	struct scatterlist outsg;
	struct dh_completion compl;
	struct crypto_kpp *tfm;
	struct kpp_request *req;
	uint8_t *secret;
	uint8_t *outbuf;
	struct kdf_sdesc *sdesc = NULL;

	if (!params || (!buffer && buflen)) {
		ret = -EINVAL;
		goto out1;
	}
	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
		ret = -EFAULT;
		goto out1;
	}

	if (kdfcopy) {
		char *hashname;

		if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
			ret = -EINVAL;
			goto out1;
		}

		if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
		    kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
			ret = -EMSGSIZE;
			goto out1;
		}

		/* get KDF name string */
		hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
		if (IS_ERR(hashname)) {
			ret = PTR_ERR(hashname);
			goto out1;
		}

		/* allocate KDF from the kernel crypto API */
		ret = kdf_alloc(&sdesc, hashname);
		kfree(hashname);
		if (ret)
			goto out1;
	}

	memset(&dh_inputs, 0, sizeof(dh_inputs));

	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	if (dlen < 0) {
		ret = dlen;
		goto out1;
	}
	dh_inputs.p_size = dlen;

	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.g_size = dlen;

	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
	if (dlen < 0) {
		ret = dlen;
		goto out2;
	}
	dh_inputs.key_size = dlen;

	secretlen = crypto_dh_key_len(&dh_inputs);
	secret = kmalloc(secretlen, GFP_KERNEL);
	if (!secret) {
		ret = -ENOMEM;
		goto out2;
	}
	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	if (ret)
		goto out3;

	tfm = crypto_alloc_kpp("dh", CRYPTO_ALG_TYPE_KPP, 0);
	if (IS_ERR(tfm)) {
		ret = PTR_ERR(tfm);
		goto out3;
	}

	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	if (ret)
		goto out4;

	outlen = crypto_kpp_maxsize(tfm);

	if (!kdfcopy) {
		/*
		 * When not using a KDF, buflen 0 is used to read the
		 * required buffer length
		 */
		if (buflen == 0) {
			ret = outlen;
			goto out4;
		} else if (outlen > buflen) {
			ret = -EOVERFLOW;
			goto out4;
		}
	}

	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
			 GFP_KERNEL);
	if (!outbuf) {
		ret = -ENOMEM;
		goto out4;
	}

	sg_init_one(&outsg, outbuf, outlen);

	req = kpp_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		ret = -ENOMEM;
		goto out5;
	}

	kpp_request_set_input(req, NULL, 0);
	kpp_request_set_output(req, &outsg, outlen);
	init_completion(&compl.completion);
	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
				 CRYPTO_TFM_REQ_MAY_SLEEP,
				 dh_crypto_done, &compl);

	/*
	 * For DH, generate_public_key and generate_shared_secret are
	 * the same calculation
	 */
	ret = crypto_kpp_generate_public_key(req);
	if (ret == -EINPROGRESS) {
		wait_for_completion(&compl.completion);
		ret = compl.err;
		if (ret)
			goto out6;
	}

	if (kdfcopy) {
		/*
		 * Concatenate SP800-56A otherinfo past DH shared secret -- the
		 * input to the KDF is (DH shared secret || otherinfo)
		 */
		if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
				   kdfcopy->otherinfolen) != 0) {
			ret = -EFAULT;
			goto out6;
		}

		ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf,
					    req->dst_len + kdfcopy->otherinfolen,
					    outlen - req->dst_len);
	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
		ret = req->dst_len;
	} else {
		ret = -EFAULT;
	}

out6:
	kpp_request_free(req);
out5:
	kzfree(outbuf);
out4:
	crypto_free_kpp(tfm);
out3:
	kzfree(secret);
out2:
	dh_free_data(&dh_inputs);
out1:
	kdf_dealloc(sdesc);
	return ret;
}

long keyctl_dh_compute(struct keyctl_dh_params __user *params,
		       char __user *buffer, size_t buflen,
		       struct keyctl_kdf_params __user *kdf)
{
	struct keyctl_kdf_params kdfcopy;

	if (!kdf)
		return __keyctl_dh_compute(params, buffer, buflen, NULL);

	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
		return -EFAULT;

	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
}
Commit	Line	Data
ddbb4114 MM	1	/* Crypto operations using stored keys
	2	*
	3	* Copyright (c) 2016, Intel Corporation
	4	*
	5	* This program is free software; you can redistribute it and/or
	6	* modify it under the terms of the GNU General Public License
	7	* as published by the Free Software Foundation; either version
	8	* 2 of the License, or (at your option) any later version.
	9	*/
	10
ddbb4114 MM	11	#include <linux/slab.h>
ddbb4114 MM	12	#include <linux/uaccess.h>
7cbe0932	13	#include <linux/scatterlist.h>
f1c316a3 SM	14	#include <linux/crypto.h>
f1c316a3 SM	15	#include <crypto/hash.h>
7cbe0932 MM	16	#include <crypto/kpp.h>
7cbe0932 MM	17	#include <crypto/dh.h>
ddbb4114 MM	18	#include <keys/user-type.h>
	19	#include "internal.h"
	20
7cbe0932	21	static ssize_t dh_data_from_key(key_serial_t keyid, void **data)
ddbb4114 MM	22	{
	23	struct key *key;
	24	key_ref_t key_ref;
	25	long status;
	26	ssize_t ret;
	27
	28	key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
	29	if (IS_ERR(key_ref)) {
	30	ret = -ENOKEY;
	31	goto error;
	32	}
	33
	34	key = key_ref_to_ptr(key_ref);
	35
	36	ret = -EOPNOTSUPP;
	37	if (key->type == &key_type_user) {
	38	down_read(&key->sem);
	39	status = key_validate(key);
	40	if (status == 0) {
	41	const struct user_key_payload *payload;
7cbe0932	42	uint8_t *duplicate;
ddbb4114	43
0837e49a	44	payload = user_key_payload_locked(key);
ddbb4114	45
7cbe0932 MM	46	duplicate = kmemdup(payload->data, payload->datalen,
	47	GFP_KERNEL);
	48	if (duplicate) {
	49	*data = duplicate;
ddbb4114	50	ret = payload->datalen;
ddbb4114	51	} else {
7cbe0932	52	ret = -ENOMEM;
ddbb4114 MM	53	}
	54	}
	55	up_read(&key->sem);
	56	}
	57
	58	key_put(key);
	59	error:
	60	return ret;
	61	}
	62
7cbe0932 MM	63	static void dh_free_data(struct dh *dh)
	64	{
	65	kzfree(dh->key);
	66	kzfree(dh->p);
	67	kzfree(dh->g);
	68	}
	69
	70	struct dh_completion {
	71	struct completion completion;
	72	int err;
	73	};
	74
	75	static void dh_crypto_done(struct crypto_async_request *req, int err)
	76	{
	77	struct dh_completion *compl = req->data;
	78
	79	if (err == -EINPROGRESS)
	80	return;
	81
	82	compl->err = err;
	83	complete(&compl->completion);
	84	}
	85
f1c316a3 SM	86	struct kdf_sdesc {
	87	struct shash_desc shash;
	88	char ctx[];
	89	};
	90
	91	static int kdf_alloc(struct kdf_sdesc *sdesc_ret, char hashname)
	92	{
	93	struct crypto_shash *tfm;
	94	struct kdf_sdesc *sdesc;
	95	int size;
bbe24045	96	int err;
f1c316a3 SM	97
	98	/* allocate synchronous hash */
	99	tfm = crypto_alloc_shash(hashname, 0, 0);
	100	if (IS_ERR(tfm)) {
	101	pr_info("could not allocate digest TFM handle %s\n", hashname);
	102	return PTR_ERR(tfm);
	103	}
	104
bbe24045 EB	105	err = -EINVAL;
	106	if (crypto_shash_digestsize(tfm) == 0)
	107	goto out_free_tfm;
	108
	109	err = -ENOMEM;
f1c316a3 SM	110	size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
	111	sdesc = kmalloc(size, GFP_KERNEL);
	112	if (!sdesc)
bbe24045	113	goto out_free_tfm;
f1c316a3 SM	114	sdesc->shash.tfm = tfm;
	115	sdesc->shash.flags = 0x0;
	116
	117	*sdesc_ret = sdesc;
	118
	119	return 0;
bbe24045 EB	120
	121	out_free_tfm:
	122	crypto_free_shash(tfm);
	123	return err;
f1c316a3 SM	124	}
	125
	126	static void kdf_dealloc(struct kdf_sdesc *sdesc)
	127	{
	128	if (!sdesc)
	129	return;
	130
	131	if (sdesc->shash.tfm)
	132	crypto_free_shash(sdesc->shash.tfm);
	133
	134	kzfree(sdesc);
	135	}
	136
f1c316a3 SM	137	/*
	138	* Implementation of the KDF in counter mode according to SP800-108 section 5.1
	139	* as well as SP800-56A section 5.8.1 (Single-step KDF).
	140	*
	141	* SP800-56A:
	142	* The src pointer is defined as Z \|\| other info where Z is the shared secret
	143	* from DH and other info is an arbitrary string (see SP800-56A section
	144	* 5.8.1.2).
	145	*/
	146	static int kdf_ctr(struct kdf_sdesc sdesc, const u8 src, unsigned int slen,
7cbe0932	147	u8 *dst, unsigned int dlen, unsigned int zlen)
f1c316a3 SM	148	{
	149	struct shash_desc *desc = &sdesc->shash;
	150	unsigned int h = crypto_shash_digestsize(desc->tfm);
	151	int err = 0;
	152	u8 *dst_orig = dst;
0ddd9f1a	153	__be32 counter = cpu_to_be32(1);
f1c316a3 SM	154
	155	while (dlen) {
	156	err = crypto_shash_init(desc);
	157	if (err)
	158	goto err;
	159
0ddd9f1a	160	err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
f1c316a3 SM	161	if (err)
	162	goto err;
	163
7cbe0932 MM	164	if (zlen && h) {
	165	u8 tmpbuffer[h];
	166	size_t chunk = min_t(size_t, zlen, h);
	167	memset(tmpbuffer, 0, chunk);
	168
	169	do {
	170	err = crypto_shash_update(desc, tmpbuffer,
	171	chunk);
	172	if (err)
	173	goto err;
	174
	175	zlen -= chunk;
	176	chunk = min_t(size_t, zlen, h);
	177	} while (zlen);
	178	}
	179
f1c316a3 SM	180	if (src && slen) {
	181	err = crypto_shash_update(desc, src, slen);
	182	if (err)
	183	goto err;
	184	}
	185
383203ef TA	186	err = crypto_shash_final(desc, dst);
	187	if (err)
	188	goto err;
f1c316a3	189
383203ef TA	190	dlen -= h;
	191	dst += h;
	192	counter = cpu_to_be32(be32_to_cpu(counter) + 1);
f1c316a3 SM	193	}
	194
	195	return 0;
	196
	197	err:
	198	memzero_explicit(dst_orig, dlen);
	199	return err;
	200	}
	201
	202	static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
	203	char __user *buffer, size_t buflen,
7cbe0932	204	uint8_t *kbuf, size_t kbuflen, size_t lzero)
f1c316a3 SM	205	{
	206	uint8_t *outbuf = NULL;
	207	int ret;
383203ef TA	208	size_t outbuf_len = round_up(buflen,
383203ef TA	209	crypto_shash_digestsize(sdesc->shash.tfm));
f1c316a3	210
383203ef	211	outbuf = kmalloc(outbuf_len, GFP_KERNEL);
f1c316a3 SM	212	if (!outbuf) {
	213	ret = -ENOMEM;
	214	goto err;
	215	}
	216
383203ef	217	ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero);
f1c316a3 SM	218	if (ret)
	219	goto err;
	220
	221	ret = buflen;
	222	if (copy_to_user(buffer, outbuf, buflen) != 0)
	223	ret = -EFAULT;
	224
	225	err:
	226	kzfree(outbuf);
	227	return ret;
	228	}
	229
	230	long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
	231	char __user *buffer, size_t buflen,
	232	struct keyctl_kdf_params *kdfcopy)
ddbb4114 MM	233	{
ddbb4114 MM	234	long ret;
7cbe0932 MM	235	ssize_t dlen;
	236	int secretlen;
	237	int outlen;
ddbb4114	238	struct keyctl_dh_params pcopy;
7cbe0932 MM	239	struct dh dh_inputs;
	240	struct scatterlist outsg;
	241	struct dh_completion compl;
	242	struct crypto_kpp *tfm;
	243	struct kpp_request *req;
	244	uint8_t *secret;
	245	uint8_t *outbuf;
f1c316a3	246	struct kdf_sdesc *sdesc = NULL;
ddbb4114 MM	247
	248	if (!params \|\| (!buffer && buflen)) {
	249	ret = -EINVAL;
7cbe0932	250	goto out1;
ddbb4114 MM	251	}
	252	if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
	253	ret = -EFAULT;
7cbe0932	254	goto out1;
ddbb4114 MM	255	}
ddbb4114 MM	256
f1c316a3 SM	257	if (kdfcopy) {
	258	char *hashname;
	259
4f9dabfa EB	260	if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
	261	ret = -EINVAL;
	262	goto out1;
	263	}
	264
f1c316a3 SM	265	if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN \|\|
	266	kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
	267	ret = -EMSGSIZE;
7cbe0932	268	goto out1;
f1c316a3 SM	269	}
	270
	271	/* get KDF name string */
	272	hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
	273	if (IS_ERR(hashname)) {
	274	ret = PTR_ERR(hashname);
7cbe0932	275	goto out1;
f1c316a3 SM	276	}
	277
	278	/* allocate KDF from the kernel crypto API */
	279	ret = kdf_alloc(&sdesc, hashname);
	280	kfree(hashname);
	281	if (ret)
7cbe0932	282	goto out1;
4693fc73 SM	283	}
4693fc73 SM	284
7cbe0932 MM	285	memset(&dh_inputs, 0, sizeof(dh_inputs));
	286
	287	dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
	288	if (dlen < 0) {
	289	ret = dlen;
	290	goto out1;
ddbb4114	291	}
7cbe0932	292	dh_inputs.p_size = dlen;
ddbb4114	293
7cbe0932 MM	294	dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
	295	if (dlen < 0) {
	296	ret = dlen;
	297	goto out2;
	298	}
	299	dh_inputs.g_size = dlen;
ddbb4114	300
7cbe0932 MM	301	dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
	302	if (dlen < 0) {
	303	ret = dlen;
	304	goto out2;
ddbb4114	305	}
7cbe0932	306	dh_inputs.key_size = dlen;
ddbb4114	307
7cbe0932 MM	308	secretlen = crypto_dh_key_len(&dh_inputs);
	309	secret = kmalloc(secretlen, GFP_KERNEL);
	310	if (!secret) {
	311	ret = -ENOMEM;
	312	goto out2;
	313	}
	314	ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
	315	if (ret)
	316	goto out3;
	317
	318	tfm = crypto_alloc_kpp("dh", CRYPTO_ALG_TYPE_KPP, 0);
	319	if (IS_ERR(tfm)) {
	320	ret = PTR_ERR(tfm);
	321	goto out3;
	322	}
	323
	324	ret = crypto_kpp_set_secret(tfm, secret, secretlen);
	325	if (ret)
	326	goto out4;
	327
	328	outlen = crypto_kpp_maxsize(tfm);
	329
	330	if (!kdfcopy) {
	331	/*
	332	* When not using a KDF, buflen 0 is used to read the
	333	* required buffer length
	334	*/
	335	if (buflen == 0) {
	336	ret = outlen;
	337	goto out4;
	338	} else if (outlen > buflen) {
	339	ret = -EOVERFLOW;
	340	goto out4;
	341	}
ddbb4114 MM	342	}
ddbb4114 MM	343
7cbe0932 MM	344	outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
	345	GFP_KERNEL);
	346	if (!outbuf) {
ddbb4114	347	ret = -ENOMEM;
7cbe0932	348	goto out4;
ddbb4114 MM	349	}
ddbb4114 MM	350
7cbe0932 MM	351	sg_init_one(&outsg, outbuf, outlen);
	352
	353	req = kpp_request_alloc(tfm, GFP_KERNEL);
	354	if (!req) {
ddbb4114	355	ret = -ENOMEM;
7cbe0932	356	goto out5;
ddbb4114 MM	357	}
ddbb4114 MM	358
7cbe0932 MM	359	kpp_request_set_input(req, NULL, 0);
	360	kpp_request_set_output(req, &outsg, outlen);
	361	init_completion(&compl.completion);
	362	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG \|
	363	CRYPTO_TFM_REQ_MAY_SLEEP,
	364	dh_crypto_done, &compl);
	365
f1c316a3	366	/*
7cbe0932 MM	367	* For DH, generate_public_key and generate_shared_secret are
7cbe0932 MM	368	* the same calculation
f1c316a3	369	*/
7cbe0932 MM	370	ret = crypto_kpp_generate_public_key(req);
	371	if (ret == -EINPROGRESS) {
	372	wait_for_completion(&compl.completion);
	373	ret = compl.err;
	374	if (ret)
	375	goto out6;
f1c316a3 SM	376	}
f1c316a3 SM	377
f1c316a3	378	if (kdfcopy) {
7cbe0932 MM	379	/*
	380	* Concatenate SP800-56A otherinfo past DH shared secret -- the
	381	* input to the KDF is (DH shared secret \|\| otherinfo)
	382	*/
	383	if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
	384	kdfcopy->otherinfolen) != 0) {
f1c316a3	385	ret = -EFAULT;
7cbe0932 MM	386	goto out6;
	387	}
	388
	389	ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf,
	390	req->dst_len + kdfcopy->otherinfolen,
	391	outlen - req->dst_len);
	392	} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
	393	ret = req->dst_len;
	394	} else {
	395	ret = -EFAULT;
f1c316a3	396	}
ddbb4114	397
7cbe0932 MM	398	out6:
	399	kpp_request_free(req);
	400	out5:
	401	kzfree(outbuf);
	402	out4:
	403	crypto_free_kpp(tfm);
	404	out3:
	405	kzfree(secret);
	406	out2:
	407	dh_free_data(&dh_inputs);
	408	out1:
f1c316a3	409	kdf_dealloc(sdesc);
ddbb4114 MM	410	return ret;
ddbb4114 MM	411	}
f1c316a3 SM	412
	413	long keyctl_dh_compute(struct keyctl_dh_params __user *params,
	414	char __user *buffer, size_t buflen,
	415	struct keyctl_kdf_params __user *kdf)
	416	{
	417	struct keyctl_kdf_params kdfcopy;
	418
	419	if (!kdf)
	420	return __keyctl_dh_compute(params, buffer, buflen, NULL);
	421
	422	if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
	423	return -EFAULT;
	424
	425	return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
	426	}