]>
Commit | Line | Data |
---|---|---|
ddbb4114 MM |
1 | /* Crypto operations using stored keys |
2 | * | |
3 | * Copyright (c) 2016, Intel Corporation | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or | |
6 | * modify it under the terms of the GNU General Public License | |
7 | * as published by the Free Software Foundation; either version | |
8 | * 2 of the License, or (at your option) any later version. | |
9 | */ | |
10 | ||
ddbb4114 MM |
11 | #include <linux/slab.h> |
12 | #include <linux/uaccess.h> | |
7cbe0932 | 13 | #include <linux/scatterlist.h> |
f1c316a3 SM |
14 | #include <linux/crypto.h> |
15 | #include <crypto/hash.h> | |
7cbe0932 MM |
16 | #include <crypto/kpp.h> |
17 | #include <crypto/dh.h> | |
ddbb4114 MM |
18 | #include <keys/user-type.h> |
19 | #include "internal.h" | |
20 | ||
7cbe0932 | 21 | static ssize_t dh_data_from_key(key_serial_t keyid, void **data) |
ddbb4114 MM |
22 | { |
23 | struct key *key; | |
24 | key_ref_t key_ref; | |
25 | long status; | |
26 | ssize_t ret; | |
27 | ||
28 | key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ); | |
29 | if (IS_ERR(key_ref)) { | |
30 | ret = -ENOKEY; | |
31 | goto error; | |
32 | } | |
33 | ||
34 | key = key_ref_to_ptr(key_ref); | |
35 | ||
36 | ret = -EOPNOTSUPP; | |
37 | if (key->type == &key_type_user) { | |
38 | down_read(&key->sem); | |
39 | status = key_validate(key); | |
40 | if (status == 0) { | |
41 | const struct user_key_payload *payload; | |
7cbe0932 | 42 | uint8_t *duplicate; |
ddbb4114 | 43 | |
0837e49a | 44 | payload = user_key_payload_locked(key); |
ddbb4114 | 45 | |
7cbe0932 MM |
46 | duplicate = kmemdup(payload->data, payload->datalen, |
47 | GFP_KERNEL); | |
48 | if (duplicate) { | |
49 | *data = duplicate; | |
ddbb4114 | 50 | ret = payload->datalen; |
ddbb4114 | 51 | } else { |
7cbe0932 | 52 | ret = -ENOMEM; |
ddbb4114 MM |
53 | } |
54 | } | |
55 | up_read(&key->sem); | |
56 | } | |
57 | ||
58 | key_put(key); | |
59 | error: | |
60 | return ret; | |
61 | } | |
62 | ||
7cbe0932 MM |
63 | static void dh_free_data(struct dh *dh) |
64 | { | |
65 | kzfree(dh->key); | |
66 | kzfree(dh->p); | |
67 | kzfree(dh->g); | |
68 | } | |
69 | ||
70 | struct dh_completion { | |
71 | struct completion completion; | |
72 | int err; | |
73 | }; | |
74 | ||
75 | static void dh_crypto_done(struct crypto_async_request *req, int err) | |
76 | { | |
77 | struct dh_completion *compl = req->data; | |
78 | ||
79 | if (err == -EINPROGRESS) | |
80 | return; | |
81 | ||
82 | compl->err = err; | |
83 | complete(&compl->completion); | |
84 | } | |
85 | ||
f1c316a3 SM |
86 | struct kdf_sdesc { |
87 | struct shash_desc shash; | |
88 | char ctx[]; | |
89 | }; | |
90 | ||
91 | static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname) | |
92 | { | |
93 | struct crypto_shash *tfm; | |
94 | struct kdf_sdesc *sdesc; | |
95 | int size; | |
bbe24045 | 96 | int err; |
f1c316a3 SM |
97 | |
98 | /* allocate synchronous hash */ | |
99 | tfm = crypto_alloc_shash(hashname, 0, 0); | |
100 | if (IS_ERR(tfm)) { | |
101 | pr_info("could not allocate digest TFM handle %s\n", hashname); | |
102 | return PTR_ERR(tfm); | |
103 | } | |
104 | ||
bbe24045 EB |
105 | err = -EINVAL; |
106 | if (crypto_shash_digestsize(tfm) == 0) | |
107 | goto out_free_tfm; | |
108 | ||
109 | err = -ENOMEM; | |
f1c316a3 SM |
110 | size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm); |
111 | sdesc = kmalloc(size, GFP_KERNEL); | |
112 | if (!sdesc) | |
bbe24045 | 113 | goto out_free_tfm; |
f1c316a3 SM |
114 | sdesc->shash.tfm = tfm; |
115 | sdesc->shash.flags = 0x0; | |
116 | ||
117 | *sdesc_ret = sdesc; | |
118 | ||
119 | return 0; | |
bbe24045 EB |
120 | |
121 | out_free_tfm: | |
122 | crypto_free_shash(tfm); | |
123 | return err; | |
f1c316a3 SM |
124 | } |
125 | ||
126 | static void kdf_dealloc(struct kdf_sdesc *sdesc) | |
127 | { | |
128 | if (!sdesc) | |
129 | return; | |
130 | ||
131 | if (sdesc->shash.tfm) | |
132 | crypto_free_shash(sdesc->shash.tfm); | |
133 | ||
134 | kzfree(sdesc); | |
135 | } | |
136 | ||
f1c316a3 SM |
137 | /* |
138 | * Implementation of the KDF in counter mode according to SP800-108 section 5.1 | |
139 | * as well as SP800-56A section 5.8.1 (Single-step KDF). | |
140 | * | |
141 | * SP800-56A: | |
142 | * The src pointer is defined as Z || other info where Z is the shared secret | |
143 | * from DH and other info is an arbitrary string (see SP800-56A section | |
144 | * 5.8.1.2). | |
3619dec5 EB |
145 | * |
146 | * 'dlen' must be a multiple of the digest size. | |
f1c316a3 SM |
147 | */ |
148 | static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, | |
7cbe0932 | 149 | u8 *dst, unsigned int dlen, unsigned int zlen) |
f1c316a3 SM |
150 | { |
151 | struct shash_desc *desc = &sdesc->shash; | |
152 | unsigned int h = crypto_shash_digestsize(desc->tfm); | |
153 | int err = 0; | |
154 | u8 *dst_orig = dst; | |
0ddd9f1a | 155 | __be32 counter = cpu_to_be32(1); |
f1c316a3 SM |
156 | |
157 | while (dlen) { | |
158 | err = crypto_shash_init(desc); | |
159 | if (err) | |
160 | goto err; | |
161 | ||
0ddd9f1a | 162 | err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32)); |
f1c316a3 SM |
163 | if (err) |
164 | goto err; | |
165 | ||
7cbe0932 | 166 | if (zlen && h) { |
890e2abe TA |
167 | u8 tmpbuffer[32]; |
168 | size_t chunk = min_t(size_t, zlen, sizeof(tmpbuffer)); | |
7cbe0932 MM |
169 | memset(tmpbuffer, 0, chunk); |
170 | ||
171 | do { | |
172 | err = crypto_shash_update(desc, tmpbuffer, | |
173 | chunk); | |
174 | if (err) | |
175 | goto err; | |
176 | ||
177 | zlen -= chunk; | |
890e2abe | 178 | chunk = min_t(size_t, zlen, sizeof(tmpbuffer)); |
7cbe0932 MM |
179 | } while (zlen); |
180 | } | |
181 | ||
f1c316a3 SM |
182 | if (src && slen) { |
183 | err = crypto_shash_update(desc, src, slen); | |
184 | if (err) | |
185 | goto err; | |
186 | } | |
187 | ||
383203ef TA |
188 | err = crypto_shash_final(desc, dst); |
189 | if (err) | |
190 | goto err; | |
f1c316a3 | 191 | |
383203ef TA |
192 | dlen -= h; |
193 | dst += h; | |
194 | counter = cpu_to_be32(be32_to_cpu(counter) + 1); | |
f1c316a3 SM |
195 | } |
196 | ||
197 | return 0; | |
198 | ||
199 | err: | |
200 | memzero_explicit(dst_orig, dlen); | |
201 | return err; | |
202 | } | |
203 | ||
204 | static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, | |
205 | char __user *buffer, size_t buflen, | |
7cbe0932 | 206 | uint8_t *kbuf, size_t kbuflen, size_t lzero) |
f1c316a3 SM |
207 | { |
208 | uint8_t *outbuf = NULL; | |
209 | int ret; | |
3619dec5 EB |
210 | size_t outbuf_len = roundup(buflen, |
211 | crypto_shash_digestsize(sdesc->shash.tfm)); | |
f1c316a3 | 212 | |
383203ef | 213 | outbuf = kmalloc(outbuf_len, GFP_KERNEL); |
f1c316a3 SM |
214 | if (!outbuf) { |
215 | ret = -ENOMEM; | |
216 | goto err; | |
217 | } | |
218 | ||
383203ef | 219 | ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero); |
f1c316a3 SM |
220 | if (ret) |
221 | goto err; | |
222 | ||
223 | ret = buflen; | |
224 | if (copy_to_user(buffer, outbuf, buflen) != 0) | |
225 | ret = -EFAULT; | |
226 | ||
227 | err: | |
228 | kzfree(outbuf); | |
229 | return ret; | |
230 | } | |
231 | ||
232 | long __keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
233 | char __user *buffer, size_t buflen, | |
234 | struct keyctl_kdf_params *kdfcopy) | |
ddbb4114 MM |
235 | { |
236 | long ret; | |
7cbe0932 MM |
237 | ssize_t dlen; |
238 | int secretlen; | |
239 | int outlen; | |
ddbb4114 | 240 | struct keyctl_dh_params pcopy; |
7cbe0932 MM |
241 | struct dh dh_inputs; |
242 | struct scatterlist outsg; | |
243 | struct dh_completion compl; | |
244 | struct crypto_kpp *tfm; | |
245 | struct kpp_request *req; | |
246 | uint8_t *secret; | |
247 | uint8_t *outbuf; | |
f1c316a3 | 248 | struct kdf_sdesc *sdesc = NULL; |
ddbb4114 MM |
249 | |
250 | if (!params || (!buffer && buflen)) { | |
251 | ret = -EINVAL; | |
7cbe0932 | 252 | goto out1; |
ddbb4114 MM |
253 | } |
254 | if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) { | |
255 | ret = -EFAULT; | |
7cbe0932 | 256 | goto out1; |
ddbb4114 MM |
257 | } |
258 | ||
f1c316a3 SM |
259 | if (kdfcopy) { |
260 | char *hashname; | |
261 | ||
4f9dabfa EB |
262 | if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) { |
263 | ret = -EINVAL; | |
264 | goto out1; | |
265 | } | |
266 | ||
f1c316a3 SM |
267 | if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN || |
268 | kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) { | |
269 | ret = -EMSGSIZE; | |
7cbe0932 | 270 | goto out1; |
f1c316a3 SM |
271 | } |
272 | ||
273 | /* get KDF name string */ | |
274 | hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME); | |
275 | if (IS_ERR(hashname)) { | |
276 | ret = PTR_ERR(hashname); | |
7cbe0932 | 277 | goto out1; |
f1c316a3 SM |
278 | } |
279 | ||
280 | /* allocate KDF from the kernel crypto API */ | |
281 | ret = kdf_alloc(&sdesc, hashname); | |
282 | kfree(hashname); | |
283 | if (ret) | |
7cbe0932 | 284 | goto out1; |
4693fc73 SM |
285 | } |
286 | ||
7cbe0932 MM |
287 | memset(&dh_inputs, 0, sizeof(dh_inputs)); |
288 | ||
289 | dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p); | |
290 | if (dlen < 0) { | |
291 | ret = dlen; | |
292 | goto out1; | |
ddbb4114 | 293 | } |
7cbe0932 | 294 | dh_inputs.p_size = dlen; |
ddbb4114 | 295 | |
7cbe0932 MM |
296 | dlen = dh_data_from_key(pcopy.base, &dh_inputs.g); |
297 | if (dlen < 0) { | |
298 | ret = dlen; | |
299 | goto out2; | |
300 | } | |
301 | dh_inputs.g_size = dlen; | |
ddbb4114 | 302 | |
7cbe0932 MM |
303 | dlen = dh_data_from_key(pcopy.private, &dh_inputs.key); |
304 | if (dlen < 0) { | |
305 | ret = dlen; | |
306 | goto out2; | |
ddbb4114 | 307 | } |
7cbe0932 | 308 | dh_inputs.key_size = dlen; |
ddbb4114 | 309 | |
7cbe0932 MM |
310 | secretlen = crypto_dh_key_len(&dh_inputs); |
311 | secret = kmalloc(secretlen, GFP_KERNEL); | |
312 | if (!secret) { | |
313 | ret = -ENOMEM; | |
314 | goto out2; | |
315 | } | |
316 | ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs); | |
317 | if (ret) | |
318 | goto out3; | |
319 | ||
85d7311f | 320 | tfm = crypto_alloc_kpp("dh", 0, 0); |
7cbe0932 MM |
321 | if (IS_ERR(tfm)) { |
322 | ret = PTR_ERR(tfm); | |
323 | goto out3; | |
324 | } | |
325 | ||
326 | ret = crypto_kpp_set_secret(tfm, secret, secretlen); | |
327 | if (ret) | |
328 | goto out4; | |
329 | ||
330 | outlen = crypto_kpp_maxsize(tfm); | |
331 | ||
332 | if (!kdfcopy) { | |
333 | /* | |
334 | * When not using a KDF, buflen 0 is used to read the | |
335 | * required buffer length | |
336 | */ | |
337 | if (buflen == 0) { | |
338 | ret = outlen; | |
339 | goto out4; | |
340 | } else if (outlen > buflen) { | |
341 | ret = -EOVERFLOW; | |
342 | goto out4; | |
343 | } | |
ddbb4114 MM |
344 | } |
345 | ||
7cbe0932 MM |
346 | outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen, |
347 | GFP_KERNEL); | |
348 | if (!outbuf) { | |
ddbb4114 | 349 | ret = -ENOMEM; |
7cbe0932 | 350 | goto out4; |
ddbb4114 MM |
351 | } |
352 | ||
7cbe0932 MM |
353 | sg_init_one(&outsg, outbuf, outlen); |
354 | ||
355 | req = kpp_request_alloc(tfm, GFP_KERNEL); | |
356 | if (!req) { | |
ddbb4114 | 357 | ret = -ENOMEM; |
7cbe0932 | 358 | goto out5; |
ddbb4114 MM |
359 | } |
360 | ||
7cbe0932 MM |
361 | kpp_request_set_input(req, NULL, 0); |
362 | kpp_request_set_output(req, &outsg, outlen); | |
363 | init_completion(&compl.completion); | |
364 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | | |
365 | CRYPTO_TFM_REQ_MAY_SLEEP, | |
366 | dh_crypto_done, &compl); | |
367 | ||
f1c316a3 | 368 | /* |
7cbe0932 MM |
369 | * For DH, generate_public_key and generate_shared_secret are |
370 | * the same calculation | |
f1c316a3 | 371 | */ |
7cbe0932 MM |
372 | ret = crypto_kpp_generate_public_key(req); |
373 | if (ret == -EINPROGRESS) { | |
374 | wait_for_completion(&compl.completion); | |
375 | ret = compl.err; | |
376 | if (ret) | |
377 | goto out6; | |
f1c316a3 SM |
378 | } |
379 | ||
f1c316a3 | 380 | if (kdfcopy) { |
7cbe0932 MM |
381 | /* |
382 | * Concatenate SP800-56A otherinfo past DH shared secret -- the | |
383 | * input to the KDF is (DH shared secret || otherinfo) | |
384 | */ | |
385 | if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo, | |
386 | kdfcopy->otherinfolen) != 0) { | |
f1c316a3 | 387 | ret = -EFAULT; |
7cbe0932 MM |
388 | goto out6; |
389 | } | |
390 | ||
391 | ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf, | |
392 | req->dst_len + kdfcopy->otherinfolen, | |
393 | outlen - req->dst_len); | |
394 | } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) { | |
395 | ret = req->dst_len; | |
396 | } else { | |
397 | ret = -EFAULT; | |
f1c316a3 | 398 | } |
ddbb4114 | 399 | |
7cbe0932 MM |
400 | out6: |
401 | kpp_request_free(req); | |
402 | out5: | |
403 | kzfree(outbuf); | |
404 | out4: | |
405 | crypto_free_kpp(tfm); | |
406 | out3: | |
407 | kzfree(secret); | |
408 | out2: | |
409 | dh_free_data(&dh_inputs); | |
410 | out1: | |
f1c316a3 | 411 | kdf_dealloc(sdesc); |
ddbb4114 MM |
412 | return ret; |
413 | } | |
f1c316a3 SM |
414 | |
415 | long keyctl_dh_compute(struct keyctl_dh_params __user *params, | |
416 | char __user *buffer, size_t buflen, | |
417 | struct keyctl_kdf_params __user *kdf) | |
418 | { | |
419 | struct keyctl_kdf_params kdfcopy; | |
420 | ||
421 | if (!kdf) | |
422 | return __keyctl_dh_compute(params, buffer, buflen, NULL); | |
423 | ||
424 | if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0) | |
425 | return -EFAULT; | |
426 | ||
427 | return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy); | |
428 | } |