^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-or-later
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* Crypto operations using stored keys
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) * Copyright (c) 2016, Intel Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #include <linux/uaccess.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include <linux/scatterlist.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/crypto.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <crypto/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <crypto/kpp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <crypto/dh.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <keys/user-type.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include "internal.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) static ssize_t dh_data_from_key(key_serial_t keyid, void **data)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) key_ref_t key_ref;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) long status;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) ssize_t ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) if (IS_ERR(key_ref)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) ret = -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) key = key_ref_to_ptr(key_ref);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) ret = -EOPNOTSUPP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) if (key->type == &key_type_user) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) down_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) status = key_validate(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) if (status == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) const struct user_key_payload *payload;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) uint8_t *duplicate;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) payload = user_key_payload_locked(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) duplicate = kmemdup(payload->data, payload->datalen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) if (duplicate) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) *data = duplicate;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) ret = payload->datalen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) static void dh_free_data(struct dh *dh)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) kfree_sensitive(dh->key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) kfree_sensitive(dh->p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) kfree_sensitive(dh->g);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) struct dh_completion {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) struct completion completion;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) static void dh_crypto_done(struct crypto_async_request *req, int err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) struct dh_completion *compl = req->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) if (err == -EINPROGRESS)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) compl->err = err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) complete(&compl->completion);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) struct kdf_sdesc {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) struct shash_desc shash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) char ctx[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) struct crypto_shash *tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) struct kdf_sdesc *sdesc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) int size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) /* allocate synchronous hash */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) tfm = crypto_alloc_shash(hashname, 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) if (IS_ERR(tfm)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) pr_info("could not allocate digest TFM handle %s\n", hashname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) return PTR_ERR(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) err = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) if (crypto_shash_digestsize(tfm) == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) goto out_free_tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) err = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) sdesc = kmalloc(size, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) if (!sdesc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) goto out_free_tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) sdesc->shash.tfm = tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) *sdesc_ret = sdesc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) out_free_tfm:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) crypto_free_shash(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) static void kdf_dealloc(struct kdf_sdesc *sdesc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) if (!sdesc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) if (sdesc->shash.tfm)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) crypto_free_shash(sdesc->shash.tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) kfree_sensitive(sdesc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) * Implementation of the KDF in counter mode according to SP800-108 section 5.1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) * as well as SP800-56A section 5.8.1 (Single-step KDF).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) * SP800-56A:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) * The src pointer is defined as Z || other info where Z is the shared secret
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) * from DH and other info is an arbitrary string (see SP800-56A section
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) * 5.8.1.2).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) * 'dlen' must be a multiple of the digest size.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) u8 *dst, unsigned int dlen, unsigned int zlen)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) struct shash_desc *desc = &sdesc->shash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) unsigned int h = crypto_shash_digestsize(desc->tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) int err = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) u8 *dst_orig = dst;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) __be32 counter = cpu_to_be32(1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) while (dlen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) err = crypto_shash_init(desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) if (zlen && h) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) u8 tmpbuffer[32];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) size_t chunk = min_t(size_t, zlen, sizeof(tmpbuffer));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) memset(tmpbuffer, 0, chunk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) do {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) err = crypto_shash_update(desc, tmpbuffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) chunk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) zlen -= chunk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) chunk = min_t(size_t, zlen, sizeof(tmpbuffer));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) } while (zlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) if (src && slen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) err = crypto_shash_update(desc, src, slen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) err = crypto_shash_final(desc, dst);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) dlen -= h;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) dst += h;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) counter = cpu_to_be32(be32_to_cpu(counter) + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) memzero_explicit(dst_orig, dlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) char __user *buffer, size_t buflen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) uint8_t *kbuf, size_t kbuflen, size_t lzero)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) uint8_t *outbuf = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) size_t outbuf_len = roundup(buflen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) crypto_shash_digestsize(sdesc->shash.tfm));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) outbuf = kmalloc(outbuf_len, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) if (!outbuf) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len, lzero);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) ret = buflen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) if (copy_to_user(buffer, outbuf, buflen) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) kfree_sensitive(outbuf);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) char __user *buffer, size_t buflen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) struct keyctl_kdf_params *kdfcopy)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) long ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) ssize_t dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) int secretlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) int outlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) struct keyctl_dh_params pcopy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) struct dh dh_inputs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) struct scatterlist outsg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) struct dh_completion compl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) struct crypto_kpp *tfm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) struct kpp_request *req;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) uint8_t *secret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) uint8_t *outbuf;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) struct kdf_sdesc *sdesc = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) if (!params || (!buffer && buflen)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) if (kdfcopy) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) char *hashname;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) if (memchr_inv(kdfcopy->__spare, 0, sizeof(kdfcopy->__spare))) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) ret = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) ret = -EMSGSIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) /* get KDF name string */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) if (IS_ERR(hashname)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) ret = PTR_ERR(hashname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) /* allocate KDF from the kernel crypto API */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) ret = kdf_alloc(&sdesc, hashname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) kfree(hashname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) memset(&dh_inputs, 0, sizeof(dh_inputs));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) dlen = dh_data_from_key(pcopy.prime, &dh_inputs.p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) if (dlen < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) ret = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) goto out1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) dh_inputs.p_size = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) dlen = dh_data_from_key(pcopy.base, &dh_inputs.g);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) if (dlen < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) ret = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) goto out2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) dh_inputs.g_size = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) if (dlen < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) ret = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) goto out2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) dh_inputs.key_size = dlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) secretlen = crypto_dh_key_len(&dh_inputs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) secret = kmalloc(secretlen, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) if (!secret) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) goto out2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) ret = crypto_dh_encode_key(secret, secretlen, &dh_inputs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) goto out3;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) tfm = crypto_alloc_kpp("dh", 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) if (IS_ERR(tfm)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) ret = PTR_ERR(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) goto out3;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) ret = crypto_kpp_set_secret(tfm, secret, secretlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) goto out4;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) outlen = crypto_kpp_maxsize(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) if (!kdfcopy) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) * When not using a KDF, buflen 0 is used to read the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) * required buffer length
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) if (buflen == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) ret = outlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) goto out4;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) } else if (outlen > buflen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) ret = -EOVERFLOW;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) goto out4;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) outbuf = kzalloc(kdfcopy ? (outlen + kdfcopy->otherinfolen) : outlen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) if (!outbuf) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) goto out4;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) sg_init_one(&outsg, outbuf, outlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) req = kpp_request_alloc(tfm, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) if (!req) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) goto out5;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) kpp_request_set_input(req, NULL, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) kpp_request_set_output(req, &outsg, outlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) init_completion(&compl.completion);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) CRYPTO_TFM_REQ_MAY_SLEEP,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) dh_crypto_done, &compl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) * For DH, generate_public_key and generate_shared_secret are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) * the same calculation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) ret = crypto_kpp_generate_public_key(req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) if (ret == -EINPROGRESS) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) wait_for_completion(&compl.completion);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) ret = compl.err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) if (ret)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) goto out6;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) if (kdfcopy) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) * Concatenate SP800-56A otherinfo past DH shared secret -- the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) * input to the KDF is (DH shared secret || otherinfo)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) if (copy_from_user(outbuf + req->dst_len, kdfcopy->otherinfo,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) kdfcopy->otherinfolen) != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) goto out6;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) req->dst_len + kdfcopy->otherinfolen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) outlen - req->dst_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) ret = req->dst_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) ret = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) out6:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) kpp_request_free(req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) out5:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) kfree_sensitive(outbuf);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) out4:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) crypto_free_kpp(tfm);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) out3:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) kfree_sensitive(secret);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) out2:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) dh_free_data(&dh_inputs);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) out1:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) kdf_dealloc(sdesc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) long keyctl_dh_compute(struct keyctl_dh_params __user *params,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) char __user *buffer, size_t buflen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) struct keyctl_kdf_params __user *kdf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) struct keyctl_kdf_params kdfcopy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) if (!kdf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) return __keyctl_dh_compute(params, buffer, buflen, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags