public_key.c source code [linux/crypto/asymmetric_keys/public_key.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ In-software asymmetric public-key crypto subtype*
3	*
4	* See Documentation/crypto/asymmetric-keys.rst
5	*
6	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
7	* Written by David Howells (dhowells@redhat.com)
8	*/
9
10	#define pr_fmt(fmt) "PKEY: "fmt
11	#include <crypto/akcipher.h>
12	#include <crypto/public_key.h>
13	#include <crypto/sig.h>
14	#include <keys/asymmetric-subtype.h>
15	#include <linux/asn1.h>
16	#include <linux/err.h>
17	#include <linux/kernel.h>
18	#include <linux/module.h>
19	#include <linux/seq_file.h>
20	#include <linux/slab.h>
21	#include <linux/string.h>
22
23	MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
24	MODULE_AUTHOR("Red Hat, Inc.");
25	MODULE_LICENSE("GPL");
26
27	/*
28	* Provide a part of a description of the key for /proc/keys.
29	*/
30	static void public_key_describe(const struct key *asymmetric_key,
31	struct seq_file *m)
32	{
33	struct public_key *key = asymmetric_key->payload.data[asym_crypto];
34
35	if (key)
36	seq_printf(m, fmt: "%s.%s", key->id_type, key->pkey_algo);
37	}
38
39	/*
40	* Destroy a public key algorithm key.
41	*/
42	void public_key_free(struct public_key *key)
43	{
44	if (key) {
45	kfree_sensitive(objp: key->key);
46	kfree(objp: key->params);
47	kfree(objp: key);
48	}
49	}
50	EXPORT_SYMBOL_GPL(public_key_free);
51
52	/*
53	* Destroy a public key algorithm key.
54	*/
55	static void public_key_destroy(void payload0, void* *payload3)
56	{
57	public_key_free(payload0);
58	public_key_signature_free(sig: payload3);
59	}
60
61	/*
62	* Given a public_key, and an encoding and hash_algo to be used for signing
63	* and/or verification with that key, determine the name of the corresponding
64	* akcipher algorithm. Also check that encoding and hash_algo are allowed.
65	*/
66	static int
67	software_key_determine_akcipher(const struct public_key *pkey,
68	const char encoding, const* char *hash_algo,
69	char alg_name[CRYPTO_MAX_ALG_NAME], bool *sig,
70	enum kernel_pkey_operation op)
71	{
72	int n;
73
74	*sig = true;
75
76	if (!encoding)
77	return -EINVAL;
78
79	if (strcmp(pkey->pkey_algo, "rsa") == `0`) {
80	/*
81	* RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2].
82	*/
83	if (strcmp(encoding, "pkcs1") == `0`) {
84	*sig = op == kernel_pkey_sign \|\|
85	op == kernel_pkey_verify;
86	if (!hash_algo) {
87	n = snprintf(buf: alg_name, CRYPTO_MAX_ALG_NAME,
88	fmt: "pkcs1pad(%s)",
89	pkey->pkey_algo);
90	} else {
91	n = snprintf(buf: alg_name, CRYPTO_MAX_ALG_NAME,
92	fmt: "pkcs1pad(%s,%s)",
93	pkey->pkey_algo, hash_algo);
94	}
95	return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : `0`;
96	}
97	if (strcmp(encoding, "raw") != `0`)
98	return -EINVAL;
99	/*
100	* Raw RSA cannot differentiate between different hash
101	* algorithms.
102	*/
103	if (hash_algo)
104	return -EINVAL;
105	*sig = false;
106	} else if (strncmp(pkey->pkey_algo, "ecdsa", `5`) == `0`) {
107	if (strcmp(encoding, "x962") != `0`)
108	return -EINVAL;
109	/*
110	* ECDSA signatures are taken over a raw hash, so they don't
111	* differentiate between different hash algorithms. That means
112	* that the verifier should hard-code a specific hash algorithm.
113	* Unfortunately, in practice ECDSA is used with multiple SHAs,
114	* so we have to allow all of them and not just one.
115	*/
116	if (!hash_algo)
117	return -EINVAL;
118	if (strcmp(hash_algo, "sha1") != `0` &&
119	strcmp(hash_algo, "sha224") != `0` &&
120	strcmp(hash_algo, "sha256") != `0` &&
121	strcmp(hash_algo, "sha384") != `0` &&
122	strcmp(hash_algo, "sha512") != `0` &&
123	strcmp(hash_algo, "sha3-256") != `0` &&
124	strcmp(hash_algo, "sha3-384") != `0` &&
125	strcmp(hash_algo, "sha3-512") != `0`)
126	return -EINVAL;
127	} else if (strcmp(pkey->pkey_algo, "sm2") == `0`) {
128	if (strcmp(encoding, "raw") != `0`)
129	return -EINVAL;
130	if (!hash_algo)
131	return -EINVAL;
132	if (strcmp(hash_algo, "sm3") != `0`)
133	return -EINVAL;
134	} else if (strcmp(pkey->pkey_algo, "ecrdsa") == `0`) {
135	if (strcmp(encoding, "raw") != `0`)
136	return -EINVAL;
137	if (!hash_algo)
138	return -EINVAL;
139	if (strcmp(hash_algo, "streebog256") != `0` &&
140	strcmp(hash_algo, "streebog512") != `0`)
141	return -EINVAL;
142	} else {
143	/ Unknown public key algorithm /
144	return -ENOPKG;
145	}
146	if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < `0`)
147	return -EINVAL;
148	return `0`;
149	}
150
151	static u8 pkey_pack_u32(u8 dst, u32 val)
152	{
153	memcpy(dst, &val, sizeof(val));
154	return dst + sizeof(val);
155	}
156
157	/*
158	* Query information about a key.
159	*/
160	static int software_key_query(const struct kernel_pkey_params *params,
161	struct kernel_pkey_query *info)
162	{
163	struct crypto_akcipher *tfm;
164	struct public_key *pkey = params->key->payload.data[asym_crypto];
165	char alg_name[CRYPTO_MAX_ALG_NAME];
166	struct crypto_sig *sig;
167	u8 key, ptr;
168	int ret, len;
169	bool issig;
170
171	ret = software_key_determine_akcipher(pkey, encoding: params->encoding,
172	hash_algo: params->hash_algo, alg_name,
173	sig: &issig, op: kernel_pkey_sign);
174	if (ret < `0`)
175	return ret;
176
177	key = kmalloc(size: pkey->keylen + sizeof(u32) * `2` + pkey->paramlen,
178	GFP_KERNEL);
179	if (!key)
180	return -ENOMEM;
181
182	memcpy(key, pkey->key, pkey->keylen);
183	ptr = key + pkey->keylen;
184	ptr = pkey_pack_u32(dst: ptr, val: pkey->algo);
185	ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen);
186	memcpy(ptr, pkey->params, pkey->paramlen);
187
188	if (issig) {
189	sig = crypto_alloc_sig(alg_name, type: `0`, mask: `0`);
190	if (IS_ERR(ptr: sig)) {
191	ret = PTR_ERR(ptr: sig);
192	goto error_free_key;
193	}
194
195	if (pkey->key_is_private)
196	ret = crypto_sig_set_privkey(tfm: sig, key, keylen: pkey->keylen);
197	else
198	ret = crypto_sig_set_pubkey(tfm: sig, key, keylen: pkey->keylen);
199	if (ret < `0`)
200	goto error_free_tfm;
201
202	len = crypto_sig_maxsize(tfm: sig);
203
204	info->supported_ops = KEYCTL_SUPPORTS_VERIFY;
205	if (pkey->key_is_private)
206	info->supported_ops \|= KEYCTL_SUPPORTS_SIGN;
207
208	if (strcmp(params->encoding, "pkcs1") == `0`) {
209	info->supported_ops \|= KEYCTL_SUPPORTS_ENCRYPT;
210	if (pkey->key_is_private)
211	info->supported_ops \|= KEYCTL_SUPPORTS_DECRYPT;
212	}
213	} else {
214	tfm = crypto_alloc_akcipher(alg_name, type: `0`, mask: `0`);
215	if (IS_ERR(ptr: tfm)) {
216	ret = PTR_ERR(ptr: tfm);
217	goto error_free_key;
218	}
219
220	if (pkey->key_is_private)
221	ret = crypto_akcipher_set_priv_key(tfm, key, keylen: pkey->keylen);
222	else
223	ret = crypto_akcipher_set_pub_key(tfm, key, keylen: pkey->keylen);
224	if (ret < `0`)
225	goto error_free_tfm;
226
227	len = crypto_akcipher_maxsize(tfm);
228
229	info->supported_ops = KEYCTL_SUPPORTS_ENCRYPT;
230	if (pkey->key_is_private)
231	info->supported_ops \|= KEYCTL_SUPPORTS_DECRYPT;
232	}
233
234	info->key_size = len * `8`;
235
236	if (strncmp(pkey->pkey_algo, "ecdsa", `5`) == `0`) {
237	/*
238	* ECDSA key sizes are much smaller than RSA, and thus could
239	* operate on (hashed) inputs that are larger than key size.
240	* For example SHA384-hashed input used with secp256r1
241	* based keys. Set max_data_size to be at least as large as
242	* the largest supported hash size (SHA512)
243	*/
244	info->max_data_size = `64`;
245
246	/*
247	* Verify takes ECDSA-Sig (described in RFC 5480) as input,
248	* which is actually 2 'key_size'-bit integers encoded in
249	* ASN.1. Account for the ASN.1 encoding overhead here.
250	*/
251	info->max_sig_size = `2` * (len + `3`) + `2`;
252	} else {
253	info->max_data_size = len;
254	info->max_sig_size = len;
255	}
256
257	info->max_enc_size = len;
258	info->max_dec_size = len;
259
260	ret = `0`;
261
262	error_free_tfm:
263	if (issig)
264	crypto_free_sig(tfm: sig);
265	else
266	crypto_free_akcipher(tfm);
267	error_free_key:
268	kfree_sensitive(objp: key);
269	pr_devel("<==%s() = %d\n", __func__, ret);
270	return ret;
271	}
272
273	/*
274	* Do encryption, decryption and signing ops.
275	*/
276	static int software_key_eds_op(struct kernel_pkey_params *params,
277	const void in, void* *out)
278	{
279	const struct public_key *pkey = params->key->payload.data[asym_crypto];
280	char alg_name[CRYPTO_MAX_ALG_NAME];
281	struct crypto_akcipher *tfm;
282	struct crypto_sig *sig;
283	char key, ptr;
284	bool issig;
285	int ksz;
286	int ret;
287
288	pr_devel("==>%s()\n", __func__);
289
290	ret = software_key_determine_akcipher(pkey, encoding: params->encoding,
291	hash_algo: params->hash_algo, alg_name,
292	sig: &issig, op: params->op);
293	if (ret < `0`)
294	return ret;
295
296	key = kmalloc(size: pkey->keylen + sizeof(u32) * `2` + pkey->paramlen,
297	GFP_KERNEL);
298	if (!key)
299	return -ENOMEM;
300
301	memcpy(key, pkey->key, pkey->keylen);
302	ptr = key + pkey->keylen;
303	ptr = pkey_pack_u32(dst: ptr, val: pkey->algo);
304	ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen);
305	memcpy(ptr, pkey->params, pkey->paramlen);
306
307	if (issig) {
308	sig = crypto_alloc_sig(alg_name, type: `0`, mask: `0`);
309	if (IS_ERR(ptr: sig)) {
310	ret = PTR_ERR(ptr: sig);
311	goto error_free_key;
312	}
313
314	if (pkey->key_is_private)
315	ret = crypto_sig_set_privkey(tfm: sig, key, keylen: pkey->keylen);
316	else
317	ret = crypto_sig_set_pubkey(tfm: sig, key, keylen: pkey->keylen);
318	if (ret)
319	goto error_free_tfm;
320
321	ksz = crypto_sig_maxsize(tfm: sig);
322	} else {
323	tfm = crypto_alloc_akcipher(alg_name, type: `0`, mask: `0`);
324	if (IS_ERR(ptr: tfm)) {
325	ret = PTR_ERR(ptr: tfm);
326	goto error_free_key;
327	}
328
329	if (pkey->key_is_private)
330	ret = crypto_akcipher_set_priv_key(tfm, key, keylen: pkey->keylen);
331	else
332	ret = crypto_akcipher_set_pub_key(tfm, key, keylen: pkey->keylen);
333	if (ret)
334	goto error_free_tfm;
335
336	ksz = crypto_akcipher_maxsize(tfm);
337	}
338
339	ret = -EINVAL;
340
341	/ Perform the encryption calculation. /
342	switch (params->op) {
343	case kernel_pkey_encrypt:
344	if (issig)
345	break;
346	ret = crypto_akcipher_sync_encrypt(tfm, src: in, slen: params->in_len,
347	dst: out, dlen: params->out_len);
348	break;
349	case kernel_pkey_decrypt:
350	if (issig)
351	break;
352	ret = crypto_akcipher_sync_decrypt(tfm, src: in, slen: params->in_len,
353	dst: out, dlen: params->out_len);
354	break;
355	case kernel_pkey_sign:
356	if (!issig)
357	break;
358	ret = crypto_sig_sign(tfm: sig, src: in, slen: params->in_len,
359	dst: out, dlen: params->out_len);
360	break;
361	default:
362	BUG();
363	}
364
365	if (ret == `0`)
366	ret = ksz;
367
368	error_free_tfm:
369	if (issig)
370	crypto_free_sig(tfm: sig);
371	else
372	crypto_free_akcipher(tfm);
373	error_free_key:
374	kfree_sensitive(objp: key);
375	pr_devel("<==%s() = %d\n", __func__, ret);
376	return ret;
377	}
378
379	/*
380	* Verify a signature using a public key.
381	*/
382	int public_key_verify_signature(const struct public_key *pkey,
383	const struct public_key_signature *sig)
384	{
385	char alg_name[CRYPTO_MAX_ALG_NAME];
386	struct crypto_sig *tfm;
387	char key, ptr;
388	bool issig;
389	int ret;
390
391	pr_devel("==>%s()\n", __func__);
392
393	BUG_ON(!pkey);
394	BUG_ON(!sig);
395	BUG_ON(!sig->s);
396
397	/*
398	* If the signature specifies a public key algorithm, it must match
399	* the key's actual public key algorithm.
400	*
401	* Small exception: ECDSA signatures don't specify the curve, but ECDSA
402	* keys do. So the strings can mismatch slightly in that case:
403	* "ecdsa-nist-*" for the key, but "ecdsa" for the signature.
404	*/
405	if (sig->pkey_algo) {
406	if (strcmp(pkey->pkey_algo, sig->pkey_algo) != `0` &&
407	(strncmp(pkey->pkey_algo, "ecdsa-", `6`) != `0` \|\|
408	strcmp(sig->pkey_algo, "ecdsa") != `0`))
409	return -EKEYREJECTED;
410	}
411
412	ret = software_key_determine_akcipher(pkey, encoding: sig->encoding,
413	hash_algo: sig->hash_algo, alg_name,
414	sig: &issig, op: kernel_pkey_verify);
415	if (ret < `0`)
416	return ret;
417
418	tfm = crypto_alloc_sig(alg_name, type: `0`, mask: `0`);
419	if (IS_ERR(ptr: tfm))
420	return PTR_ERR(ptr: tfm);
421
422	key = kmalloc(size: pkey->keylen + sizeof(u32) * `2` + pkey->paramlen,
423	GFP_KERNEL);
424	if (!key) {
425	ret = -ENOMEM;
426	goto error_free_tfm;
427	}
428
429	memcpy(key, pkey->key, pkey->keylen);
430	ptr = key + pkey->keylen;
431	ptr = pkey_pack_u32(dst: ptr, val: pkey->algo);
432	ptr = pkey_pack_u32(dst: ptr, val: pkey->paramlen);
433	memcpy(ptr, pkey->params, pkey->paramlen);
434
435	if (pkey->key_is_private)
436	ret = crypto_sig_set_privkey(tfm, key, keylen: pkey->keylen);
437	else
438	ret = crypto_sig_set_pubkey(tfm, key, keylen: pkey->keylen);
439	if (ret)
440	goto error_free_key;
441
442	ret = crypto_sig_verify(tfm, src: sig->s, slen: sig->s_size,
443	digest: sig->digest, dlen: sig->digest_size);
444
445	error_free_key:
446	kfree_sensitive(objp: key);
447	error_free_tfm:
448	crypto_free_sig(tfm);
449	pr_devel("<==%s() = %d\n", __func__, ret);
450	if (WARN_ON_ONCE(ret > `0`))
451	ret = -EINVAL;
452	return ret;
453	}
454	EXPORT_SYMBOL_GPL(public_key_verify_signature);
455
456	static int public_key_verify_signature_2(const struct key *key,
457	const struct public_key_signature *sig)
458	{
459	const struct public_key *pk = key->payload.data[asym_crypto];
460	return public_key_verify_signature(pk, sig);
461	}
462
463	/*
464	* Public key algorithm asymmetric key subtype
465	*/
466	struct asymmetric_key_subtype public_key_subtype = {
467	.owner = THIS_MODULE,
468	.name = "public_key",
469	.name_len = sizeof("public_key") - `1`,
470	.describe = public_key_describe,
471	.destroy = public_key_destroy,
472	.query = software_key_query,
473	.eds_op = software_key_eds_op,
474	.verify_signature = public_key_verify_signature_2,
475	};
476	EXPORT_SYMBOL_GPL(public_key_subtype);
477

source code of linux/crypto/asymmetric_keys/public_key.c