Merge tag 'linux-kselftest-kunit-fixes-5.11-rc3' of git://git.kernel.org/pub/scm...
[linux/fpc-iii.git] / security / keys / keyctl_pkey.c
blob931d8dfb4a7f42172a934236d046d19de4130c86
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Public-key operation keyctls
4 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
8 #include <linux/slab.h>
9 #include <linux/err.h>
10 #include <linux/key.h>
11 #include <linux/keyctl.h>
12 #include <linux/parser.h>
13 #include <linux/uaccess.h>
14 #include <keys/user-type.h>
15 #include "internal.h"
17 static void keyctl_pkey_params_free(struct kernel_pkey_params *params)
19 kfree(params->info);
20 key_put(params->key);
23 enum {
24 Opt_err,
25 Opt_enc, /* "enc=<encoding>" eg. "enc=oaep" */
26 Opt_hash, /* "hash=<digest-name>" eg. "hash=sha1" */
29 static const match_table_t param_keys = {
30 { Opt_enc, "enc=%s" },
31 { Opt_hash, "hash=%s" },
32 { Opt_err, NULL }
36 * Parse the information string which consists of key=val pairs.
38 static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
40 unsigned long token_mask = 0;
41 substring_t args[MAX_OPT_ARGS];
42 char *c = params->info, *p, *q;
43 int token;
45 while ((p = strsep(&c, " \t"))) {
46 if (*p == '\0' || *p == ' ' || *p == '\t')
47 continue;
48 token = match_token(p, param_keys, args);
49 if (token == Opt_err)
50 return -EINVAL;
51 if (__test_and_set_bit(token, &token_mask))
52 return -EINVAL;
53 q = args[0].from;
54 if (!q[0])
55 return -EINVAL;
57 switch (token) {
58 case Opt_enc:
59 params->encoding = q;
60 break;
62 case Opt_hash:
63 params->hash_algo = q;
64 break;
66 default:
67 return -EINVAL;
71 return 0;
75 * Interpret parameters. Callers must always call the free function
76 * on params, even if an error is returned.
78 static int keyctl_pkey_params_get(key_serial_t id,
79 const char __user *_info,
80 struct kernel_pkey_params *params)
82 key_ref_t key_ref;
83 void *p;
84 int ret;
86 memset(params, 0, sizeof(*params));
87 params->encoding = "raw";
89 p = strndup_user(_info, PAGE_SIZE);
90 if (IS_ERR(p))
91 return PTR_ERR(p);
92 params->info = p;
94 ret = keyctl_pkey_params_parse(params);
95 if (ret < 0)
96 return ret;
98 key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
99 if (IS_ERR(key_ref))
100 return PTR_ERR(key_ref);
101 params->key = key_ref_to_ptr(key_ref);
103 if (!params->key->type->asym_query)
104 return -EOPNOTSUPP;
106 return 0;
110 * Get parameters from userspace. Callers must always call the free function
111 * on params, even if an error is returned.
113 static int keyctl_pkey_params_get_2(const struct keyctl_pkey_params __user *_params,
114 const char __user *_info,
115 int op,
116 struct kernel_pkey_params *params)
118 struct keyctl_pkey_params uparams;
119 struct kernel_pkey_query info;
120 int ret;
122 memset(params, 0, sizeof(*params));
123 params->encoding = "raw";
125 if (copy_from_user(&uparams, _params, sizeof(uparams)) != 0)
126 return -EFAULT;
128 ret = keyctl_pkey_params_get(uparams.key_id, _info, params);
129 if (ret < 0)
130 return ret;
132 ret = params->key->type->asym_query(params, &info);
133 if (ret < 0)
134 return ret;
136 switch (op) {
137 case KEYCTL_PKEY_ENCRYPT:
138 case KEYCTL_PKEY_DECRYPT:
139 if (uparams.in_len > info.max_enc_size ||
140 uparams.out_len > info.max_dec_size)
141 return -EINVAL;
142 break;
143 case KEYCTL_PKEY_SIGN:
144 case KEYCTL_PKEY_VERIFY:
145 if (uparams.in_len > info.max_sig_size ||
146 uparams.out_len > info.max_data_size)
147 return -EINVAL;
148 break;
149 default:
150 BUG();
153 params->in_len = uparams.in_len;
154 params->out_len = uparams.out_len;
155 return 0;
159 * Query information about an asymmetric key.
161 long keyctl_pkey_query(key_serial_t id,
162 const char __user *_info,
163 struct keyctl_pkey_query __user *_res)
165 struct kernel_pkey_params params;
166 struct kernel_pkey_query res;
167 long ret;
169 memset(&params, 0, sizeof(params));
171 ret = keyctl_pkey_params_get(id, _info, &params);
172 if (ret < 0)
173 goto error;
175 ret = params.key->type->asym_query(&params, &res);
176 if (ret < 0)
177 goto error;
179 ret = -EFAULT;
180 if (copy_to_user(_res, &res, sizeof(res)) == 0 &&
181 clear_user(_res->__spare, sizeof(_res->__spare)) == 0)
182 ret = 0;
184 error:
185 keyctl_pkey_params_free(&params);
186 return ret;
190 * Encrypt/decrypt/sign
192 * Encrypt data, decrypt data or sign data using a public key.
194 * _info is a string of supplementary information in key=val format. For
195 * instance, it might contain:
197 * "enc=pkcs1 hash=sha256"
199 * where enc= specifies the encoding and hash= selects the OID to go in that
200 * particular encoding if required. If enc= isn't supplied, it's assumed that
201 * the caller is supplying raw values.
203 * If successful, the amount of data written into the output buffer is
204 * returned.
206 long keyctl_pkey_e_d_s(int op,
207 const struct keyctl_pkey_params __user *_params,
208 const char __user *_info,
209 const void __user *_in,
210 void __user *_out)
212 struct kernel_pkey_params params;
213 void *in, *out;
214 long ret;
216 ret = keyctl_pkey_params_get_2(_params, _info, op, &params);
217 if (ret < 0)
218 goto error_params;
220 ret = -EOPNOTSUPP;
221 if (!params.key->type->asym_eds_op)
222 goto error_params;
224 switch (op) {
225 case KEYCTL_PKEY_ENCRYPT:
226 params.op = kernel_pkey_encrypt;
227 break;
228 case KEYCTL_PKEY_DECRYPT:
229 params.op = kernel_pkey_decrypt;
230 break;
231 case KEYCTL_PKEY_SIGN:
232 params.op = kernel_pkey_sign;
233 break;
234 default:
235 BUG();
238 in = memdup_user(_in, params.in_len);
239 if (IS_ERR(in)) {
240 ret = PTR_ERR(in);
241 goto error_params;
244 ret = -ENOMEM;
245 out = kmalloc(params.out_len, GFP_KERNEL);
246 if (!out)
247 goto error_in;
249 ret = params.key->type->asym_eds_op(&params, in, out);
250 if (ret < 0)
251 goto error_out;
253 if (copy_to_user(_out, out, ret) != 0)
254 ret = -EFAULT;
256 error_out:
257 kfree(out);
258 error_in:
259 kfree(in);
260 error_params:
261 keyctl_pkey_params_free(&params);
262 return ret;
266 * Verify a signature.
268 * Verify a public key signature using the given key, or if not given, search
269 * for a matching key.
271 * _info is a string of supplementary information in key=val format. For
272 * instance, it might contain:
274 * "enc=pkcs1 hash=sha256"
276 * where enc= specifies the signature blob encoding and hash= selects the OID
277 * to go in that particular encoding. If enc= isn't supplied, it's assumed
278 * that the caller is supplying raw values.
280 * If successful, 0 is returned.
282 long keyctl_pkey_verify(const struct keyctl_pkey_params __user *_params,
283 const char __user *_info,
284 const void __user *_in,
285 const void __user *_in2)
287 struct kernel_pkey_params params;
288 void *in, *in2;
289 long ret;
291 ret = keyctl_pkey_params_get_2(_params, _info, KEYCTL_PKEY_VERIFY,
292 &params);
293 if (ret < 0)
294 goto error_params;
296 ret = -EOPNOTSUPP;
297 if (!params.key->type->asym_verify_signature)
298 goto error_params;
300 in = memdup_user(_in, params.in_len);
301 if (IS_ERR(in)) {
302 ret = PTR_ERR(in);
303 goto error_params;
306 in2 = memdup_user(_in2, params.in2_len);
307 if (IS_ERR(in2)) {
308 ret = PTR_ERR(in2);
309 goto error_in;
312 params.op = kernel_pkey_verify;
313 ret = params.key->type->asym_verify_signature(&params, in, in2);
315 kfree(in2);
316 error_in:
317 kfree(in);
318 error_params:
319 keyctl_pkey_params_free(&params);
320 return ret;