1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Crypto operations using stored keys
4 * Copyright (c) 2016, Intel Corporation
7 #include <linux/slab.h>
8 #include <linux/uaccess.h>
9 #include <linux/scatterlist.h>
10 #include <linux/crypto.h>
11 #include <crypto/hash.h>
12 #include <crypto/kpp.h>
13 #include <crypto/dh.h>
14 #include <keys/user-type.h>
17 static ssize_t
dh_data_from_key(key_serial_t keyid
, void **data
)
24 key_ref
= lookup_user_key(keyid
, 0, KEY_NEED_READ
);
25 if (IS_ERR(key_ref
)) {
30 key
= key_ref_to_ptr(key_ref
);
33 if (key
->type
== &key_type_user
) {
35 status
= key_validate(key
);
37 const struct user_key_payload
*payload
;
40 payload
= user_key_payload_locked(key
);
42 duplicate
= kmemdup(payload
->data
, payload
->datalen
,
46 ret
= payload
->datalen
;
59 static void dh_free_data(struct dh
*dh
)
61 kfree_sensitive(dh
->key
);
62 kfree_sensitive(dh
->p
);
63 kfree_sensitive(dh
->g
);
66 struct dh_completion
{
67 struct completion completion
;
71 static void dh_crypto_done(struct crypto_async_request
*req
, int err
)
73 struct dh_completion
*compl = req
->data
;
75 if (err
== -EINPROGRESS
)
79 complete(&compl->completion
);
83 struct shash_desc shash
;
87 static int kdf_alloc(struct kdf_sdesc
**sdesc_ret
, char *hashname
)
89 struct crypto_shash
*tfm
;
90 struct kdf_sdesc
*sdesc
;
94 /* allocate synchronous hash */
95 tfm
= crypto_alloc_shash(hashname
, 0, 0);
97 pr_info("could not allocate digest TFM handle %s\n", hashname
);
102 if (crypto_shash_digestsize(tfm
) == 0)
106 size
= sizeof(struct shash_desc
) + crypto_shash_descsize(tfm
);
107 sdesc
= kmalloc(size
, GFP_KERNEL
);
110 sdesc
->shash
.tfm
= tfm
;
117 crypto_free_shash(tfm
);
121 static void kdf_dealloc(struct kdf_sdesc
*sdesc
)
126 if (sdesc
->shash
.tfm
)
127 crypto_free_shash(sdesc
->shash
.tfm
);
129 kfree_sensitive(sdesc
);
133 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
134 * as well as SP800-56A section 5.8.1 (Single-step KDF).
137 * The src pointer is defined as Z || other info where Z is the shared secret
138 * from DH and other info is an arbitrary string (see SP800-56A section
141 * 'dlen' must be a multiple of the digest size.
143 static int kdf_ctr(struct kdf_sdesc
*sdesc
, const u8
*src
, unsigned int slen
,
144 u8
*dst
, unsigned int dlen
, unsigned int zlen
)
146 struct shash_desc
*desc
= &sdesc
->shash
;
147 unsigned int h
= crypto_shash_digestsize(desc
->tfm
);
150 __be32 counter
= cpu_to_be32(1);
153 err
= crypto_shash_init(desc
);
157 err
= crypto_shash_update(desc
, (u8
*)&counter
, sizeof(__be32
));
163 size_t chunk
= min_t(size_t, zlen
, sizeof(tmpbuffer
));
164 memset(tmpbuffer
, 0, chunk
);
167 err
= crypto_shash_update(desc
, tmpbuffer
,
173 chunk
= min_t(size_t, zlen
, sizeof(tmpbuffer
));
178 err
= crypto_shash_update(desc
, src
, slen
);
183 err
= crypto_shash_final(desc
, dst
);
189 counter
= cpu_to_be32(be32_to_cpu(counter
) + 1);
195 memzero_explicit(dst_orig
, dlen
);
199 static int keyctl_dh_compute_kdf(struct kdf_sdesc
*sdesc
,
200 char __user
*buffer
, size_t buflen
,
201 uint8_t *kbuf
, size_t kbuflen
, size_t lzero
)
203 uint8_t *outbuf
= NULL
;
205 size_t outbuf_len
= roundup(buflen
,
206 crypto_shash_digestsize(sdesc
->shash
.tfm
));
208 outbuf
= kmalloc(outbuf_len
, GFP_KERNEL
);
214 ret
= kdf_ctr(sdesc
, kbuf
, kbuflen
, outbuf
, outbuf_len
, lzero
);
219 if (copy_to_user(buffer
, outbuf
, buflen
) != 0)
223 kfree_sensitive(outbuf
);
227 long __keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
228 char __user
*buffer
, size_t buflen
,
229 struct keyctl_kdf_params
*kdfcopy
)
235 struct keyctl_dh_params pcopy
;
237 struct scatterlist outsg
;
238 struct dh_completion
compl;
239 struct crypto_kpp
*tfm
;
240 struct kpp_request
*req
;
243 struct kdf_sdesc
*sdesc
= NULL
;
245 if (!params
|| (!buffer
&& buflen
)) {
249 if (copy_from_user(&pcopy
, params
, sizeof(pcopy
)) != 0) {
257 if (memchr_inv(kdfcopy
->__spare
, 0, sizeof(kdfcopy
->__spare
))) {
262 if (buflen
> KEYCTL_KDF_MAX_OUTPUT_LEN
||
263 kdfcopy
->otherinfolen
> KEYCTL_KDF_MAX_OI_LEN
) {
268 /* get KDF name string */
269 hashname
= strndup_user(kdfcopy
->hashname
, CRYPTO_MAX_ALG_NAME
);
270 if (IS_ERR(hashname
)) {
271 ret
= PTR_ERR(hashname
);
275 /* allocate KDF from the kernel crypto API */
276 ret
= kdf_alloc(&sdesc
, hashname
);
282 memset(&dh_inputs
, 0, sizeof(dh_inputs
));
284 dlen
= dh_data_from_key(pcopy
.prime
, &dh_inputs
.p
);
289 dh_inputs
.p_size
= dlen
;
291 dlen
= dh_data_from_key(pcopy
.base
, &dh_inputs
.g
);
296 dh_inputs
.g_size
= dlen
;
298 dlen
= dh_data_from_key(pcopy
.private, &dh_inputs
.key
);
303 dh_inputs
.key_size
= dlen
;
305 secretlen
= crypto_dh_key_len(&dh_inputs
);
306 secret
= kmalloc(secretlen
, GFP_KERNEL
);
311 ret
= crypto_dh_encode_key(secret
, secretlen
, &dh_inputs
);
315 tfm
= crypto_alloc_kpp("dh", 0, 0);
321 ret
= crypto_kpp_set_secret(tfm
, secret
, secretlen
);
325 outlen
= crypto_kpp_maxsize(tfm
);
329 * When not using a KDF, buflen 0 is used to read the
330 * required buffer length
335 } else if (outlen
> buflen
) {
341 outbuf
= kzalloc(kdfcopy
? (outlen
+ kdfcopy
->otherinfolen
) : outlen
,
348 sg_init_one(&outsg
, outbuf
, outlen
);
350 req
= kpp_request_alloc(tfm
, GFP_KERNEL
);
356 kpp_request_set_input(req
, NULL
, 0);
357 kpp_request_set_output(req
, &outsg
, outlen
);
358 init_completion(&compl.completion
);
359 kpp_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_BACKLOG
|
360 CRYPTO_TFM_REQ_MAY_SLEEP
,
361 dh_crypto_done
, &compl);
364 * For DH, generate_public_key and generate_shared_secret are
365 * the same calculation
367 ret
= crypto_kpp_generate_public_key(req
);
368 if (ret
== -EINPROGRESS
) {
369 wait_for_completion(&compl.completion
);
377 * Concatenate SP800-56A otherinfo past DH shared secret -- the
378 * input to the KDF is (DH shared secret || otherinfo)
380 if (copy_from_user(outbuf
+ req
->dst_len
, kdfcopy
->otherinfo
,
381 kdfcopy
->otherinfolen
) != 0) {
386 ret
= keyctl_dh_compute_kdf(sdesc
, buffer
, buflen
, outbuf
,
387 req
->dst_len
+ kdfcopy
->otherinfolen
,
388 outlen
- req
->dst_len
);
389 } else if (copy_to_user(buffer
, outbuf
, req
->dst_len
) == 0) {
396 kpp_request_free(req
);
398 kfree_sensitive(outbuf
);
400 crypto_free_kpp(tfm
);
402 kfree_sensitive(secret
);
404 dh_free_data(&dh_inputs
);
410 long keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
411 char __user
*buffer
, size_t buflen
,
412 struct keyctl_kdf_params __user
*kdf
)
414 struct keyctl_kdf_params kdfcopy
;
417 return __keyctl_dh_compute(params
, buffer
, buflen
, NULL
);
419 if (copy_from_user(&kdfcopy
, kdf
, sizeof(kdfcopy
)) != 0)
422 return __keyctl_dh_compute(params
, buffer
, buflen
, &kdfcopy
);