1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* In-software asymmetric public-key crypto subtype 3 * 4 * See Documentation/crypto/asymmetric-keys.rst 5 * 6 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 7 * Written by David Howells (dhowells@redhat.com) 8 */ 9 10 #define pr_fmt(fmt) "PKEY: "fmt 11 #include <crypto/akcipher.h> 12 #include <crypto/public_key.h> 13 #include <crypto/sig.h> 14 #include <keys/asymmetric-subtype.h> 15 #include <linux/asn1.h> 16 #include <linux/err.h> 17 #include <linux/kernel.h> 18 #include <linux/module.h> 19 #include <linux/seq_file.h> 20 #include <linux/slab.h> 21 #include <linux/string.h> 22 23 MODULE_DESCRIPTION("In-software asymmetric public-key subtype"); 24 MODULE_AUTHOR("Red Hat, Inc."); 25 MODULE_LICENSE("GPL"); 26 27 /* 28 * Provide a part of a description of the key for /proc/keys. 29 */ 30 static void public_key_describe(const struct key *asymmetric_key, 31 struct seq_file *m) 32 { 33 struct public_key *key = asymmetric_key->payload.data[asym_crypto]; 34 35 if (key) 36 seq_printf(m, "%s.%s", key->id_type, key->pkey_algo); 37 } 38 39 /* 40 * Destroy a public key algorithm key. 41 */ 42 void public_key_free(struct public_key *key) 43 { 44 if (key) { 45 kfree_sensitive(key->key); 46 kfree(key->params); 47 kfree(key); 48 } 49 } 50 EXPORT_SYMBOL_GPL(public_key_free); 51 52 /* 53 * Destroy a public key algorithm key. 54 */ 55 static void public_key_destroy(void *payload0, void *payload3) 56 { 57 public_key_free(payload0); 58 public_key_signature_free(payload3); 59 } 60 61 /* 62 * Given a public_key, and an encoding and hash_algo to be used for signing 63 * and/or verification with that key, determine the name of the corresponding 64 * akcipher algorithm. Also check that encoding and hash_algo are allowed. 65 */ 66 static int 67 software_key_determine_akcipher(const struct public_key *pkey, 68 const char *encoding, const char *hash_algo, 69 char alg_name[CRYPTO_MAX_ALG_NAME], bool *sig, 70 enum kernel_pkey_operation op) 71 { 72 int n; 73 74 *sig = true; 75 76 if (!encoding) 77 return -EINVAL; 78 79 if (strcmp(pkey->pkey_algo, "rsa") == 0) { 80 /* 81 * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. 82 */ 83 if (strcmp(encoding, "pkcs1") == 0) { 84 *sig = op == kernel_pkey_sign || 85 op == kernel_pkey_verify; 86 if (!hash_algo) { 87 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 88 "pkcs1pad(%s)", 89 pkey->pkey_algo); 90 } else { 91 n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, 92 "pkcs1pad(%s,%s)", 93 pkey->pkey_algo, hash_algo); 94 } 95 return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; 96 } 97 if (strcmp(encoding, "raw") != 0) 98 return -EINVAL; 99 /* 100 * Raw RSA cannot differentiate between different hash 101 * algorithms. 102 */ 103 if (hash_algo) 104 return -EINVAL; 105 *sig = false; 106 } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 107 if (strcmp(encoding, "x962") != 0) 108 return -EINVAL; 109 /* 110 * ECDSA signatures are taken over a raw hash, so they don't 111 * differentiate between different hash algorithms. That means 112 * that the verifier should hard-code a specific hash algorithm. 113 * Unfortunately, in practice ECDSA is used with multiple SHAs, 114 * so we have to allow all of them and not just one. 115 */ 116 if (!hash_algo) 117 return -EINVAL; 118 if (strcmp(hash_algo, "sha1") != 0 && 119 strcmp(hash_algo, "sha224") != 0 && 120 strcmp(hash_algo, "sha256") != 0 && 121 strcmp(hash_algo, "sha384") != 0 && 122 strcmp(hash_algo, "sha512") != 0 && 123 strcmp(hash_algo, "sha3-256") != 0 && 124 strcmp(hash_algo, "sha3-384") != 0 && 125 strcmp(hash_algo, "sha3-512") != 0) 126 return -EINVAL; 127 } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { 128 if (strcmp(encoding, "raw") != 0) 129 return -EINVAL; 130 if (!hash_algo) 131 return -EINVAL; 132 if (strcmp(hash_algo, "streebog256") != 0 && 133 strcmp(hash_algo, "streebog512") != 0) 134 return -EINVAL; 135 } else { 136 /* Unknown public key algorithm */ 137 return -ENOPKG; 138 } 139 if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) 140 return -EINVAL; 141 return 0; 142 } 143 144 static u8 *pkey_pack_u32(u8 *dst, u32 val) 145 { 146 memcpy(dst, &val, sizeof(val)); 147 return dst + sizeof(val); 148 } 149 150 /* 151 * Query information about a key. 152 */ 153 static int software_key_query(const struct kernel_pkey_params *params, 154 struct kernel_pkey_query *info) 155 { 156 struct crypto_akcipher *tfm; 157 struct public_key *pkey = params->key->payload.data[asym_crypto]; 158 char alg_name[CRYPTO_MAX_ALG_NAME]; 159 struct crypto_sig *sig; 160 u8 *key, *ptr; 161 int ret, len; 162 bool issig; 163 164 ret = software_key_determine_akcipher(pkey, params->encoding, 165 params->hash_algo, alg_name, 166 &issig, kernel_pkey_sign); 167 if (ret < 0) 168 return ret; 169 170 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 171 GFP_KERNEL); 172 if (!key) 173 return -ENOMEM; 174 175 memcpy(key, pkey->key, pkey->keylen); 176 ptr = key + pkey->keylen; 177 ptr = pkey_pack_u32(ptr, pkey->algo); 178 ptr = pkey_pack_u32(ptr, pkey->paramlen); 179 memcpy(ptr, pkey->params, pkey->paramlen); 180 181 if (issig) { 182 sig = crypto_alloc_sig(alg_name, 0, 0); 183 if (IS_ERR(sig)) { 184 ret = PTR_ERR(sig); 185 goto error_free_key; 186 } 187 188 if (pkey->key_is_private) 189 ret = crypto_sig_set_privkey(sig, key, pkey->keylen); 190 else 191 ret = crypto_sig_set_pubkey(sig, key, pkey->keylen); 192 if (ret < 0) 193 goto error_free_tfm; 194 195 len = crypto_sig_maxsize(sig); 196 197 info->supported_ops = KEYCTL_SUPPORTS_VERIFY; 198 if (pkey->key_is_private) 199 info->supported_ops |= KEYCTL_SUPPORTS_SIGN; 200 201 if (strcmp(params->encoding, "pkcs1") == 0) { 202 info->supported_ops |= KEYCTL_SUPPORTS_ENCRYPT; 203 if (pkey->key_is_private) 204 info->supported_ops |= KEYCTL_SUPPORTS_DECRYPT; 205 } 206 } else { 207 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 208 if (IS_ERR(tfm)) { 209 ret = PTR_ERR(tfm); 210 goto error_free_key; 211 } 212 213 if (pkey->key_is_private) 214 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 215 else 216 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 217 if (ret < 0) 218 goto error_free_tfm; 219 220 len = crypto_akcipher_maxsize(tfm); 221 222 info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT; 223 if (pkey->key_is_private) 224 info->supported_ops |= KEYCTL_SUPPORTS_DECRYPT; 225 } 226 227 info->key_size = len * 8; 228 229 if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { 230 int slen = len; 231 /* 232 * ECDSA key sizes are much smaller than RSA, and thus could 233 * operate on (hashed) inputs that are larger than key size. 234 * For example SHA384-hashed input used with secp256r1 235 * based keys. Set max_data_size to be at least as large as 236 * the largest supported hash size (SHA512) 237 */ 238 info->max_data_size = 64; 239 240 /* 241 * Verify takes ECDSA-Sig (described in RFC 5480) as input, 242 * which is actually 2 'key_size'-bit integers encoded in 243 * ASN.1. Account for the ASN.1 encoding overhead here. 244 * 245 * NIST P192/256/384 may prepend a '0' to a coordinate to 246 * indicate a positive integer. NIST P521 never needs it. 247 */ 248 if (strcmp(pkey->pkey_algo, "ecdsa-nist-p521") != 0) 249 slen += 1; 250 /* Length of encoding the x & y coordinates */ 251 slen = 2 * (slen + 2); 252 /* 253 * If coordinate encoding takes at least 128 bytes then an 254 * additional byte for length encoding is needed. 255 */ 256 info->max_sig_size = 1 + (slen >= 128) + 1 + slen; 257 } else { 258 info->max_data_size = len; 259 info->max_sig_size = len; 260 } 261 262 info->max_enc_size = len; 263 info->max_dec_size = len; 264 265 ret = 0; 266 267 error_free_tfm: 268 if (issig) 269 crypto_free_sig(sig); 270 else 271 crypto_free_akcipher(tfm); 272 error_free_key: 273 kfree_sensitive(key); 274 pr_devel("<==%s() = %d\n", __func__, ret); 275 return ret; 276 } 277 278 /* 279 * Do encryption, decryption and signing ops. 280 */ 281 static int software_key_eds_op(struct kernel_pkey_params *params, 282 const void *in, void *out) 283 { 284 const struct public_key *pkey = params->key->payload.data[asym_crypto]; 285 char alg_name[CRYPTO_MAX_ALG_NAME]; 286 struct crypto_akcipher *tfm; 287 struct crypto_sig *sig; 288 char *key, *ptr; 289 bool issig; 290 int ksz; 291 int ret; 292 293 pr_devel("==>%s()\n", __func__); 294 295 ret = software_key_determine_akcipher(pkey, params->encoding, 296 params->hash_algo, alg_name, 297 &issig, params->op); 298 if (ret < 0) 299 return ret; 300 301 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 302 GFP_KERNEL); 303 if (!key) 304 return -ENOMEM; 305 306 memcpy(key, pkey->key, pkey->keylen); 307 ptr = key + pkey->keylen; 308 ptr = pkey_pack_u32(ptr, pkey->algo); 309 ptr = pkey_pack_u32(ptr, pkey->paramlen); 310 memcpy(ptr, pkey->params, pkey->paramlen); 311 312 if (issig) { 313 sig = crypto_alloc_sig(alg_name, 0, 0); 314 if (IS_ERR(sig)) { 315 ret = PTR_ERR(sig); 316 goto error_free_key; 317 } 318 319 if (pkey->key_is_private) 320 ret = crypto_sig_set_privkey(sig, key, pkey->keylen); 321 else 322 ret = crypto_sig_set_pubkey(sig, key, pkey->keylen); 323 if (ret) 324 goto error_free_tfm; 325 326 ksz = crypto_sig_maxsize(sig); 327 } else { 328 tfm = crypto_alloc_akcipher(alg_name, 0, 0); 329 if (IS_ERR(tfm)) { 330 ret = PTR_ERR(tfm); 331 goto error_free_key; 332 } 333 334 if (pkey->key_is_private) 335 ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen); 336 else 337 ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen); 338 if (ret) 339 goto error_free_tfm; 340 341 ksz = crypto_akcipher_maxsize(tfm); 342 } 343 344 ret = -EINVAL; 345 346 /* Perform the encryption calculation. */ 347 switch (params->op) { 348 case kernel_pkey_encrypt: 349 if (issig) 350 break; 351 ret = crypto_akcipher_sync_encrypt(tfm, in, params->in_len, 352 out, params->out_len); 353 break; 354 case kernel_pkey_decrypt: 355 if (issig) 356 break; 357 ret = crypto_akcipher_sync_decrypt(tfm, in, params->in_len, 358 out, params->out_len); 359 break; 360 case kernel_pkey_sign: 361 if (!issig) 362 break; 363 ret = crypto_sig_sign(sig, in, params->in_len, 364 out, params->out_len); 365 break; 366 default: 367 BUG(); 368 } 369 370 if (ret == 0) 371 ret = ksz; 372 373 error_free_tfm: 374 if (issig) 375 crypto_free_sig(sig); 376 else 377 crypto_free_akcipher(tfm); 378 error_free_key: 379 kfree_sensitive(key); 380 pr_devel("<==%s() = %d\n", __func__, ret); 381 return ret; 382 } 383 384 /* 385 * Verify a signature using a public key. 386 */ 387 int public_key_verify_signature(const struct public_key *pkey, 388 const struct public_key_signature *sig) 389 { 390 char alg_name[CRYPTO_MAX_ALG_NAME]; 391 struct crypto_sig *tfm; 392 char *key, *ptr; 393 bool issig; 394 int ret; 395 396 pr_devel("==>%s()\n", __func__); 397 398 BUG_ON(!pkey); 399 BUG_ON(!sig); 400 BUG_ON(!sig->s); 401 402 /* 403 * If the signature specifies a public key algorithm, it *must* match 404 * the key's actual public key algorithm. 405 * 406 * Small exception: ECDSA signatures don't specify the curve, but ECDSA 407 * keys do. So the strings can mismatch slightly in that case: 408 * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. 409 */ 410 if (sig->pkey_algo) { 411 if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && 412 (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || 413 strcmp(sig->pkey_algo, "ecdsa") != 0)) 414 return -EKEYREJECTED; 415 } 416 417 ret = software_key_determine_akcipher(pkey, sig->encoding, 418 sig->hash_algo, alg_name, 419 &issig, kernel_pkey_verify); 420 if (ret < 0) 421 return ret; 422 423 tfm = crypto_alloc_sig(alg_name, 0, 0); 424 if (IS_ERR(tfm)) 425 return PTR_ERR(tfm); 426 427 key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen, 428 GFP_KERNEL); 429 if (!key) { 430 ret = -ENOMEM; 431 goto error_free_tfm; 432 } 433 434 memcpy(key, pkey->key, pkey->keylen); 435 ptr = key + pkey->keylen; 436 ptr = pkey_pack_u32(ptr, pkey->algo); 437 ptr = pkey_pack_u32(ptr, pkey->paramlen); 438 memcpy(ptr, pkey->params, pkey->paramlen); 439 440 if (pkey->key_is_private) 441 ret = crypto_sig_set_privkey(tfm, key, pkey->keylen); 442 else 443 ret = crypto_sig_set_pubkey(tfm, key, pkey->keylen); 444 if (ret) 445 goto error_free_key; 446 447 ret = crypto_sig_verify(tfm, sig->s, sig->s_size, 448 sig->digest, sig->digest_size); 449 450 error_free_key: 451 kfree_sensitive(key); 452 error_free_tfm: 453 crypto_free_sig(tfm); 454 pr_devel("<==%s() = %d\n", __func__, ret); 455 if (WARN_ON_ONCE(ret > 0)) 456 ret = -EINVAL; 457 return ret; 458 } 459 EXPORT_SYMBOL_GPL(public_key_verify_signature); 460 461 static int public_key_verify_signature_2(const struct key *key, 462 const struct public_key_signature *sig) 463 { 464 const struct public_key *pk = key->payload.data[asym_crypto]; 465 return public_key_verify_signature(pk, sig); 466 } 467 468 /* 469 * Public key algorithm asymmetric key subtype 470 */ 471 struct asymmetric_key_subtype public_key_subtype = { 472 .owner = THIS_MODULE, 473 .name = "public_key", 474 .name_len = sizeof("public_key") - 1, 475 .describe = public_key_describe, 476 .destroy = public_key_destroy, 477 .query = software_key_query, 478 .eds_op = software_key_eds_op, 479 .verify_signature = public_key_verify_signature_2, 480 }; 481 EXPORT_SYMBOL_GPL(public_key_subtype); 482