1 /* Crypto operations using stored keys
3 * Copyright (c) 2016, Intel Corporation
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
11 #include <linux/mpi.h>
12 #include <linux/slab.h>
13 #include <linux/uaccess.h>
14 #include <linux/crypto.h>
15 #include <crypto/hash.h>
16 #include <keys/user-type.h>
20 * Public key or shared secret generation function [RFC2631 sec 2.1.1]
26 * where xa is the local private key, ya is the local public key, g is
27 * the generator, p is the prime, yb is the remote public key, and ZZ
28 * is the shared secret.
30 * Both are the same calculation, so g or yb are the "base" and ya or
31 * ZZ are the "result".
33 static int do_dh(MPI result
, MPI base
, MPI xa
, MPI p
)
35 return mpi_powm(result
, base
, xa
, p
);
38 static ssize_t
mpi_from_key(key_serial_t keyid
, size_t maxlen
, MPI
*mpi
)
45 key_ref
= lookup_user_key(keyid
, 0, KEY_NEED_READ
);
46 if (IS_ERR(key_ref
)) {
51 key
= key_ref_to_ptr(key_ref
);
54 if (key
->type
== &key_type_user
) {
56 status
= key_validate(key
);
58 const struct user_key_payload
*payload
;
60 payload
= user_key_payload_locked(key
);
64 ret
= payload
->datalen
;
65 } else if (payload
->datalen
<= maxlen
) {
66 *mpi
= mpi_read_raw_data(payload
->data
,
69 ret
= payload
->datalen
;
83 struct shash_desc shash
;
87 static int kdf_alloc(struct kdf_sdesc
**sdesc_ret
, char *hashname
)
89 struct crypto_shash
*tfm
;
90 struct kdf_sdesc
*sdesc
;
93 /* allocate synchronous hash */
94 tfm
= crypto_alloc_shash(hashname
, 0, 0);
96 pr_info("could not allocate digest TFM handle %s\n", hashname
);
100 size
= sizeof(struct shash_desc
) + crypto_shash_descsize(tfm
);
101 sdesc
= kmalloc(size
, GFP_KERNEL
);
104 sdesc
->shash
.tfm
= tfm
;
105 sdesc
->shash
.flags
= 0x0;
112 static void kdf_dealloc(struct kdf_sdesc
*sdesc
)
117 if (sdesc
->shash
.tfm
)
118 crypto_free_shash(sdesc
->shash
.tfm
);
123 /* convert 32 bit integer into its string representation */
124 static inline void crypto_kw_cpu_to_be32(u32 val
, u8
*buf
)
126 __be32
*a
= (__be32
*)buf
;
128 *a
= cpu_to_be32(val
);
132 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
133 * as well as SP800-56A section 5.8.1 (Single-step KDF).
136 * The src pointer is defined as Z || other info where Z is the shared secret
137 * from DH and other info is an arbitrary string (see SP800-56A section
140 static int kdf_ctr(struct kdf_sdesc
*sdesc
, const u8
*src
, unsigned int slen
,
141 u8
*dst
, unsigned int dlen
)
143 struct shash_desc
*desc
= &sdesc
->shash
;
144 unsigned int h
= crypto_shash_digestsize(desc
->tfm
);
148 u8 iteration
[sizeof(u32
)];
151 err
= crypto_shash_init(desc
);
155 crypto_kw_cpu_to_be32(i
, iteration
);
156 err
= crypto_shash_update(desc
, iteration
, sizeof(u32
));
161 err
= crypto_shash_update(desc
, src
, slen
);
169 err
= crypto_shash_final(desc
, tmpbuffer
);
172 memcpy(dst
, tmpbuffer
, dlen
);
173 memzero_explicit(tmpbuffer
, h
);
176 err
= crypto_shash_final(desc
, dst
);
189 memzero_explicit(dst_orig
, dlen
);
193 static int keyctl_dh_compute_kdf(struct kdf_sdesc
*sdesc
,
194 char __user
*buffer
, size_t buflen
,
195 uint8_t *kbuf
, size_t kbuflen
)
197 uint8_t *outbuf
= NULL
;
200 outbuf
= kmalloc(buflen
, GFP_KERNEL
);
206 ret
= kdf_ctr(sdesc
, kbuf
, kbuflen
, outbuf
, buflen
);
211 if (copy_to_user(buffer
, outbuf
, buflen
) != 0)
219 long __keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
220 char __user
*buffer
, size_t buflen
,
221 struct keyctl_kdf_params
*kdfcopy
)
224 MPI base
, private, prime
, result
;
226 struct keyctl_dh_params pcopy
;
230 struct kdf_sdesc
*sdesc
= NULL
;
232 if (!params
|| (!buffer
&& buflen
)) {
236 if (copy_from_user(&pcopy
, params
, sizeof(pcopy
)) != 0) {
244 if (buflen
> KEYCTL_KDF_MAX_OUTPUT_LEN
||
245 kdfcopy
->otherinfolen
> KEYCTL_KDF_MAX_OI_LEN
) {
250 /* get KDF name string */
251 hashname
= strndup_user(kdfcopy
->hashname
, CRYPTO_MAX_ALG_NAME
);
252 if (IS_ERR(hashname
)) {
253 ret
= PTR_ERR(hashname
);
257 /* allocate KDF from the kernel crypto API */
258 ret
= kdf_alloc(&sdesc
, hashname
);
265 * If the caller requests postprocessing with a KDF, allow an
266 * arbitrary output buffer size since the KDF ensures proper truncation.
268 keylen
= mpi_from_key(pcopy
.prime
, kdfcopy
? SIZE_MAX
: buflen
, &prime
);
269 if (keylen
< 0 || !prime
) {
270 /* buflen == 0 may be used to query the required buffer size,
271 * which is the prime key length.
277 /* The result is never longer than the prime */
280 keylen
= mpi_from_key(pcopy
.base
, SIZE_MAX
, &base
);
281 if (keylen
< 0 || !base
) {
286 keylen
= mpi_from_key(pcopy
.private, SIZE_MAX
, &private);
287 if (keylen
< 0 || !private) {
292 result
= mpi_alloc(0);
298 /* allocate space for DH shared secret and SP800-56A otherinfo */
299 kbuf
= kmalloc(kdfcopy
? (resultlen
+ kdfcopy
->otherinfolen
) : resultlen
,
307 * Concatenate SP800-56A otherinfo past DH shared secret -- the
308 * input to the KDF is (DH shared secret || otherinfo)
310 if (kdfcopy
&& kdfcopy
->otherinfo
&&
311 copy_from_user(kbuf
+ resultlen
, kdfcopy
->otherinfo
,
312 kdfcopy
->otherinfolen
) != 0) {
317 ret
= do_dh(result
, base
, private, prime
);
321 ret
= mpi_read_buffer(result
, kbuf
, resultlen
, &nbytes
, NULL
);
326 ret
= keyctl_dh_compute_kdf(sdesc
, buffer
, buflen
, kbuf
,
327 resultlen
+ kdfcopy
->otherinfolen
);
330 if (copy_to_user(buffer
, kbuf
, nbytes
) != 0)
349 long keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
350 char __user
*buffer
, size_t buflen
,
351 struct keyctl_kdf_params __user
*kdf
)
353 struct keyctl_kdf_params kdfcopy
;
356 return __keyctl_dh_compute(params
, buffer
, buflen
, NULL
);
358 if (copy_from_user(&kdfcopy
, kdf
, sizeof(kdfcopy
)) != 0)
361 return __keyctl_dh_compute(params
, buffer
, buflen
, &kdfcopy
);