1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2013 Intel Corporation
4 *
5 * Author:
6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
7 */
8
9 #include <linux/err.h>
10 #include <linux/ratelimit.h>
11 #include <linux/key-type.h>
12 #include <crypto/public_key.h>
13 #include <crypto/hash_info.h>
14 #include <keys/asymmetric-type.h>
15 #include <keys/system_keyring.h>
16
17 #include "integrity.h"
18
19 /*
20 * Request an asymmetric key.
21 */
request_asymmetric_key(struct key * keyring,uint32_t keyid)22 static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
23 {
24 struct key *key;
25 char name[12];
26
27 sprintf(name, "id:%08x", keyid);
28
29 pr_debug("key search: \"%s\"\n", name);
30
31 key = get_ima_blacklist_keyring();
32 if (key) {
33 key_ref_t kref;
34
35 kref = keyring_search(make_key_ref(key, 1),
36 &key_type_asymmetric, name, true);
37 if (!IS_ERR(kref)) {
38 pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
39 return ERR_PTR(-EKEYREJECTED);
40 }
41 }
42
43 if (keyring) {
44 /* search in specific keyring */
45 key_ref_t kref;
46
47 kref = keyring_search(make_key_ref(keyring, 1),
48 &key_type_asymmetric, name, true);
49 if (IS_ERR(kref))
50 key = ERR_CAST(kref);
51 else
52 key = key_ref_to_ptr(kref);
53 } else {
54 key = request_key(&key_type_asymmetric, name, NULL);
55 }
56
57 if (IS_ERR(key)) {
58 if (keyring)
59 pr_err_ratelimited("Request for unknown key '%s' in '%s' keyring. err %ld\n",
60 name, keyring->description,
61 PTR_ERR(key));
62 else
63 pr_err_ratelimited("Request for unknown key '%s' err %ld\n",
64 name, PTR_ERR(key));
65
66 switch (PTR_ERR(key)) {
67 /* Hide some search errors */
68 case -EACCES:
69 case -ENOTDIR:
70 case -EAGAIN:
71 return ERR_PTR(-ENOKEY);
72 default:
73 return key;
74 }
75 }
76
77 pr_debug("%s() = 0 [%x]\n", __func__, key_serial(key));
78
79 return key;
80 }
81
asymmetric_verify(struct key * keyring,const char * sig,int siglen,const char * data,int datalen)82 int asymmetric_verify(struct key *keyring, const char *sig,
83 int siglen, const char *data, int datalen)
84 {
85 struct public_key_signature pks;
86 struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
87 const struct public_key *pk;
88 struct key *key;
89 int ret;
90
91 if (siglen <= sizeof(*hdr))
92 return -EBADMSG;
93
94 siglen -= sizeof(*hdr);
95
96 if (siglen != be16_to_cpu(hdr->sig_size))
97 return -EBADMSG;
98
99 if (hdr->hash_algo >= HASH_ALGO__LAST)
100 return -ENOPKG;
101
102 key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
103 if (IS_ERR(key))
104 return PTR_ERR(key);
105
106 memset(&pks, 0, sizeof(pks));
107
108 pks.hash_algo = hash_algo_name[hdr->hash_algo];
109
110 pk = asymmetric_key_public_key(key);
111 pks.pkey_algo = pk->pkey_algo;
112 if (!strcmp(pk->pkey_algo, "rsa")) {
113 pks.encoding = "pkcs1";
114 } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
115 /* edcsa-nist-p192 etc. */
116 pks.encoding = "x962";
117 } else if (!strcmp(pk->pkey_algo, "ecrdsa")) {
118 pks.encoding = "raw";
119 } else {
120 ret = -ENOPKG;
121 goto out;
122 }
123
124 pks.digest = (u8 *)data;
125 pks.digest_size = datalen;
126 pks.s = hdr->sig;
127 pks.s_size = siglen;
128 ret = verify_signature(key, &pks);
129 out:
130 key_put(key);
131 pr_debug("%s() = %d\n", __func__, ret);
132 return ret;
133 }
134