]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/keys/dh.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KEYS: DH: ensure the KDF counter is properly aligned
[mirror_ubuntu-artful-kernel.git] / security / keys / dh.c
1 /* Crypto operations using stored keys
2 *
3 * Copyright (c) 2016, Intel Corporation
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
9 */
10
11 #include <linux/mpi.h>
12 #include <linux/slab.h>
13 #include <linux/uaccess.h>
14 #include <linux/crypto.h>
15 #include <crypto/hash.h>
16 #include <keys/user-type.h>
17 #include "internal.h"
18
19 /*
20 * Public key or shared secret generation function [RFC2631 sec 2.1.1]
21 *
22 * ya = g^xa mod p;
23 * or
24 * ZZ = yb^xa mod p;
25 *
26 * where xa is the local private key, ya is the local public key, g is
27 * the generator, p is the prime, yb is the remote public key, and ZZ
28 * is the shared secret.
29 *
30 * Both are the same calculation, so g or yb are the "base" and ya or
31 * ZZ are the "result".
32 */
33 static int do_dh(MPI result, MPI base, MPI xa, MPI p)
34 {
35 return mpi_powm(result, base, xa, p);
36 }
37
38 static ssize_t mpi_from_key(key_serial_t keyid, size_t maxlen, MPI *mpi)
39 {
40 struct key *key;
41 key_ref_t key_ref;
42 long status;
43 ssize_t ret;
44
45 key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
46 if (IS_ERR(key_ref)) {
47 ret = -ENOKEY;
48 goto error;
49 }
50
51 key = key_ref_to_ptr(key_ref);
52
53 ret = -EOPNOTSUPP;
54 if (key->type == &key_type_user) {
55 down_read(&key->sem);
56 status = key_validate(key);
57 if (status == 0) {
58 const struct user_key_payload *payload;
59
60 payload = user_key_payload_locked(key);
61
62 if (maxlen == 0) {
63 *mpi = NULL;
64 ret = payload->datalen;
65 } else if (payload->datalen <= maxlen) {
66 *mpi = mpi_read_raw_data(payload->data,
67 payload->datalen);
68 if (*mpi)
69 ret = payload->datalen;
70 } else {
71 ret = -EINVAL;
72 }
73 }
74 up_read(&key->sem);
75 }
76
77 key_put(key);
78 error:
79 return ret;
80 }
81
82 struct kdf_sdesc {
83 struct shash_desc shash;
84 char ctx[];
85 };
86
87 static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
88 {
89 struct crypto_shash *tfm;
90 struct kdf_sdesc *sdesc;
91 int size;
92 int err;
93
94 /* allocate synchronous hash */
95 tfm = crypto_alloc_shash(hashname, 0, 0);
96 if (IS_ERR(tfm)) {
97 pr_info("could not allocate digest TFM handle %s\n", hashname);
98 return PTR_ERR(tfm);
99 }
100
101 err = -EINVAL;
102 if (crypto_shash_digestsize(tfm) == 0)
103 goto out_free_tfm;
104
105 err = -ENOMEM;
106 size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
107 sdesc = kmalloc(size, GFP_KERNEL);
108 if (!sdesc)
109 goto out_free_tfm;
110 sdesc->shash.tfm = tfm;
111 sdesc->shash.flags = 0x0;
112
113 *sdesc_ret = sdesc;
114
115 return 0;
116
117 out_free_tfm:
118 crypto_free_shash(tfm);
119 return err;
120 }
121
122 static void kdf_dealloc(struct kdf_sdesc *sdesc)
123 {
124 if (!sdesc)
125 return;
126
127 if (sdesc->shash.tfm)
128 crypto_free_shash(sdesc->shash.tfm);
129
130 kzfree(sdesc);
131 }
132
133 /*
134 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
135 * as well as SP800-56A section 5.8.1 (Single-step KDF).
136 *
137 * SP800-56A:
138 * The src pointer is defined as Z || other info where Z is the shared secret
139 * from DH and other info is an arbitrary string (see SP800-56A section
140 * 5.8.1.2).
141 */
142 static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
143 u8 *dst, unsigned int dlen)
144 {
145 struct shash_desc *desc = &sdesc->shash;
146 unsigned int h = crypto_shash_digestsize(desc->tfm);
147 int err = 0;
148 u8 *dst_orig = dst;
149 __be32 counter = cpu_to_be32(1);
150
151 while (dlen) {
152 err = crypto_shash_init(desc);
153 if (err)
154 goto err;
155
156 err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
157 if (err)
158 goto err;
159
160 if (src && slen) {
161 err = crypto_shash_update(desc, src, slen);
162 if (err)
163 goto err;
164 }
165
166 if (dlen < h) {
167 u8 tmpbuffer[h];
168
169 err = crypto_shash_final(desc, tmpbuffer);
170 if (err)
171 goto err;
172 memcpy(dst, tmpbuffer, dlen);
173 memzero_explicit(tmpbuffer, h);
174 return 0;
175 } else {
176 err = crypto_shash_final(desc, dst);
177 if (err)
178 goto err;
179
180 dlen -= h;
181 dst += h;
182 counter = cpu_to_be32(be32_to_cpu(counter) + 1);
183 }
184 }
185
186 return 0;
187
188 err:
189 memzero_explicit(dst_orig, dlen);
190 return err;
191 }
192
193 static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
194 char __user *buffer, size_t buflen,
195 uint8_t *kbuf, size_t kbuflen)
196 {
197 uint8_t *outbuf = NULL;
198 int ret;
199
200 outbuf = kmalloc(buflen, GFP_KERNEL);
201 if (!outbuf) {
202 ret = -ENOMEM;
203 goto err;
204 }
205
206 ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen);
207 if (ret)
208 goto err;
209
210 ret = buflen;
211 if (copy_to_user(buffer, outbuf, buflen) != 0)
212 ret = -EFAULT;
213
214 err:
215 kzfree(outbuf);
216 return ret;
217 }
218
219 long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
220 char __user *buffer, size_t buflen,
221 struct keyctl_kdf_params *kdfcopy)
222 {
223 long ret;
224 MPI base, private, prime, result;
225 unsigned nbytes;
226 struct keyctl_dh_params pcopy;
227 uint8_t *kbuf;
228 ssize_t keylen;
229 size_t resultlen;
230 struct kdf_sdesc *sdesc = NULL;
231
232 if (!params || (!buffer && buflen)) {
233 ret = -EINVAL;
234 goto out;
235 }
236 if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
237 ret = -EFAULT;
238 goto out;
239 }
240
241 if (kdfcopy) {
242 char *hashname;
243
244 if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
245 kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
246 ret = -EMSGSIZE;
247 goto out;
248 }
249
250 /* get KDF name string */
251 hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
252 if (IS_ERR(hashname)) {
253 ret = PTR_ERR(hashname);
254 goto out;
255 }
256
257 /* allocate KDF from the kernel crypto API */
258 ret = kdf_alloc(&sdesc, hashname);
259 kfree(hashname);
260 if (ret)
261 goto out;
262 }
263
264 /*
265 * If the caller requests postprocessing with a KDF, allow an
266 * arbitrary output buffer size since the KDF ensures proper truncation.
267 */
268 keylen = mpi_from_key(pcopy.prime, kdfcopy ? SIZE_MAX : buflen, &prime);
269 if (keylen < 0 || !prime) {
270 /* buflen == 0 may be used to query the required buffer size,
271 * which is the prime key length.
272 */
273 ret = keylen;
274 goto out;
275 }
276
277 /* The result is never longer than the prime */
278 resultlen = keylen;
279
280 keylen = mpi_from_key(pcopy.base, SIZE_MAX, &base);
281 if (keylen < 0 || !base) {
282 ret = keylen;
283 goto error1;
284 }
285
286 keylen = mpi_from_key(pcopy.private, SIZE_MAX, &private);
287 if (keylen < 0 || !private) {
288 ret = keylen;
289 goto error2;
290 }
291
292 result = mpi_alloc(0);
293 if (!result) {
294 ret = -ENOMEM;
295 goto error3;
296 }
297
298 /* allocate space for DH shared secret and SP800-56A otherinfo */
299 kbuf = kmalloc(kdfcopy ? (resultlen + kdfcopy->otherinfolen) : resultlen,
300 GFP_KERNEL);
301 if (!kbuf) {
302 ret = -ENOMEM;
303 goto error4;
304 }
305
306 /*
307 * Concatenate SP800-56A otherinfo past DH shared secret -- the
308 * input to the KDF is (DH shared secret || otherinfo)
309 */
310 if (kdfcopy &&
311 copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
312 kdfcopy->otherinfolen) != 0) {
313 ret = -EFAULT;
314 goto error5;
315 }
316
317 ret = do_dh(result, base, private, prime);
318 if (ret)
319 goto error5;
320
321 ret = mpi_read_buffer(result, kbuf, resultlen, &nbytes, NULL);
322 if (ret != 0)
323 goto error5;
324
325 if (kdfcopy) {
326 ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
327 resultlen + kdfcopy->otherinfolen);
328 } else {
329 ret = nbytes;
330 if (copy_to_user(buffer, kbuf, nbytes) != 0)
331 ret = -EFAULT;
332 }
333
334 error5:
335 kzfree(kbuf);
336 error4:
337 mpi_free(result);
338 error3:
339 mpi_free(private);
340 error2:
341 mpi_free(base);
342 error1:
343 mpi_free(prime);
344 out:
345 kdf_dealloc(sdesc);
346 return ret;
347 }
348
349 long keyctl_dh_compute(struct keyctl_dh_params __user *params,
350 char __user *buffer, size_t buflen,
351 struct keyctl_kdf_params __user *kdf)
352 {
353 struct keyctl_kdf_params kdfcopy;
354
355 if (!kdf)
356 return __keyctl_dh_compute(params, buffer, buflen, NULL);
357
358 if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
359 return -EFAULT;
360
361 return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
362 }
Ubuntu Artful kernel mirror