1 /* Crypto operations using stored keys
3 * Copyright (c) 2016, Intel Corporation
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
11 #include <linux/slab.h>
12 #include <linux/uaccess.h>
13 #include <linux/scatterlist.h>
14 #include <linux/crypto.h>
15 #include <crypto/hash.h>
16 #include <crypto/kpp.h>
17 #include <crypto/dh.h>
18 #include <keys/user-type.h>
21 static ssize_t
dh_data_from_key(key_serial_t keyid
, void **data
)
28 key_ref
= lookup_user_key(keyid
, 0, KEY_NEED_READ
);
29 if (IS_ERR(key_ref
)) {
34 key
= key_ref_to_ptr(key_ref
);
37 if (key
->type
== &key_type_user
) {
39 status
= key_validate(key
);
41 const struct user_key_payload
*payload
;
44 payload
= user_key_payload_locked(key
);
46 duplicate
= kmemdup(payload
->data
, payload
->datalen
,
50 ret
= payload
->datalen
;
63 static void dh_free_data(struct dh
*dh
)
70 struct dh_completion
{
71 struct completion completion
;
75 static void dh_crypto_done(struct crypto_async_request
*req
, int err
)
77 struct dh_completion
*compl = req
->data
;
79 if (err
== -EINPROGRESS
)
83 complete(&compl->completion
);
87 struct shash_desc shash
;
91 static int kdf_alloc(struct kdf_sdesc
**sdesc_ret
, char *hashname
)
93 struct crypto_shash
*tfm
;
94 struct kdf_sdesc
*sdesc
;
98 /* allocate synchronous hash */
99 tfm
= crypto_alloc_shash(hashname
, 0, 0);
101 pr_info("could not allocate digest TFM handle %s\n", hashname
);
106 if (crypto_shash_digestsize(tfm
) == 0)
110 size
= sizeof(struct shash_desc
) + crypto_shash_descsize(tfm
);
111 sdesc
= kmalloc(size
, GFP_KERNEL
);
114 sdesc
->shash
.tfm
= tfm
;
115 sdesc
->shash
.flags
= 0x0;
122 crypto_free_shash(tfm
);
126 static void kdf_dealloc(struct kdf_sdesc
*sdesc
)
131 if (sdesc
->shash
.tfm
)
132 crypto_free_shash(sdesc
->shash
.tfm
);
138 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
139 * as well as SP800-56A section 5.8.1 (Single-step KDF).
142 * The src pointer is defined as Z || other info where Z is the shared secret
143 * from DH and other info is an arbitrary string (see SP800-56A section
146 * 'dlen' must be a multiple of the digest size.
148 static int kdf_ctr(struct kdf_sdesc
*sdesc
, const u8
*src
, unsigned int slen
,
149 u8
*dst
, unsigned int dlen
, unsigned int zlen
)
151 struct shash_desc
*desc
= &sdesc
->shash
;
152 unsigned int h
= crypto_shash_digestsize(desc
->tfm
);
155 __be32 counter
= cpu_to_be32(1);
158 err
= crypto_shash_init(desc
);
162 err
= crypto_shash_update(desc
, (u8
*)&counter
, sizeof(__be32
));
168 size_t chunk
= min_t(size_t, zlen
, sizeof(tmpbuffer
));
169 memset(tmpbuffer
, 0, chunk
);
172 err
= crypto_shash_update(desc
, tmpbuffer
,
178 chunk
= min_t(size_t, zlen
, sizeof(tmpbuffer
));
183 err
= crypto_shash_update(desc
, src
, slen
);
188 err
= crypto_shash_final(desc
, dst
);
194 counter
= cpu_to_be32(be32_to_cpu(counter
) + 1);
200 memzero_explicit(dst_orig
, dlen
);
204 static int keyctl_dh_compute_kdf(struct kdf_sdesc
*sdesc
,
205 char __user
*buffer
, size_t buflen
,
206 uint8_t *kbuf
, size_t kbuflen
, size_t lzero
)
208 uint8_t *outbuf
= NULL
;
210 size_t outbuf_len
= roundup(buflen
,
211 crypto_shash_digestsize(sdesc
->shash
.tfm
));
213 outbuf
= kmalloc(outbuf_len
, GFP_KERNEL
);
219 ret
= kdf_ctr(sdesc
, kbuf
, kbuflen
, outbuf
, outbuf_len
, lzero
);
224 if (copy_to_user(buffer
, outbuf
, buflen
) != 0)
232 long __keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
233 char __user
*buffer
, size_t buflen
,
234 struct keyctl_kdf_params
*kdfcopy
)
240 struct keyctl_dh_params pcopy
;
242 struct scatterlist outsg
;
243 struct dh_completion
compl;
244 struct crypto_kpp
*tfm
;
245 struct kpp_request
*req
;
248 struct kdf_sdesc
*sdesc
= NULL
;
250 if (!params
|| (!buffer
&& buflen
)) {
254 if (copy_from_user(&pcopy
, params
, sizeof(pcopy
)) != 0) {
262 if (memchr_inv(kdfcopy
->__spare
, 0, sizeof(kdfcopy
->__spare
))) {
267 if (buflen
> KEYCTL_KDF_MAX_OUTPUT_LEN
||
268 kdfcopy
->otherinfolen
> KEYCTL_KDF_MAX_OI_LEN
) {
273 /* get KDF name string */
274 hashname
= strndup_user(kdfcopy
->hashname
, CRYPTO_MAX_ALG_NAME
);
275 if (IS_ERR(hashname
)) {
276 ret
= PTR_ERR(hashname
);
280 /* allocate KDF from the kernel crypto API */
281 ret
= kdf_alloc(&sdesc
, hashname
);
287 memset(&dh_inputs
, 0, sizeof(dh_inputs
));
289 dlen
= dh_data_from_key(pcopy
.prime
, &dh_inputs
.p
);
294 dh_inputs
.p_size
= dlen
;
296 dlen
= dh_data_from_key(pcopy
.base
, &dh_inputs
.g
);
301 dh_inputs
.g_size
= dlen
;
303 dlen
= dh_data_from_key(pcopy
.private, &dh_inputs
.key
);
308 dh_inputs
.key_size
= dlen
;
310 secretlen
= crypto_dh_key_len(&dh_inputs
);
311 secret
= kmalloc(secretlen
, GFP_KERNEL
);
316 ret
= crypto_dh_encode_key(secret
, secretlen
, &dh_inputs
);
320 tfm
= crypto_alloc_kpp("dh", 0, 0);
326 ret
= crypto_kpp_set_secret(tfm
, secret
, secretlen
);
330 outlen
= crypto_kpp_maxsize(tfm
);
334 * When not using a KDF, buflen 0 is used to read the
335 * required buffer length
340 } else if (outlen
> buflen
) {
346 outbuf
= kzalloc(kdfcopy
? (outlen
+ kdfcopy
->otherinfolen
) : outlen
,
353 sg_init_one(&outsg
, outbuf
, outlen
);
355 req
= kpp_request_alloc(tfm
, GFP_KERNEL
);
361 kpp_request_set_input(req
, NULL
, 0);
362 kpp_request_set_output(req
, &outsg
, outlen
);
363 init_completion(&compl.completion
);
364 kpp_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_BACKLOG
|
365 CRYPTO_TFM_REQ_MAY_SLEEP
,
366 dh_crypto_done
, &compl);
369 * For DH, generate_public_key and generate_shared_secret are
370 * the same calculation
372 ret
= crypto_kpp_generate_public_key(req
);
373 if (ret
== -EINPROGRESS
) {
374 wait_for_completion(&compl.completion
);
382 * Concatenate SP800-56A otherinfo past DH shared secret -- the
383 * input to the KDF is (DH shared secret || otherinfo)
385 if (copy_from_user(outbuf
+ req
->dst_len
, kdfcopy
->otherinfo
,
386 kdfcopy
->otherinfolen
) != 0) {
391 ret
= keyctl_dh_compute_kdf(sdesc
, buffer
, buflen
, outbuf
,
392 req
->dst_len
+ kdfcopy
->otherinfolen
,
393 outlen
- req
->dst_len
);
394 } else if (copy_to_user(buffer
, outbuf
, req
->dst_len
) == 0) {
401 kpp_request_free(req
);
405 crypto_free_kpp(tfm
);
409 dh_free_data(&dh_inputs
);
415 long keyctl_dh_compute(struct keyctl_dh_params __user
*params
,
416 char __user
*buffer
, size_t buflen
,
417 struct keyctl_kdf_params __user
*kdf
)
419 struct keyctl_kdf_params kdfcopy
;
422 return __keyctl_dh_compute(params
, buffer
, buflen
, NULL
);
424 if (copy_from_user(&kdfcopy
, kdf
, sizeof(kdfcopy
)) != 0)
427 return __keyctl_dh_compute(params
, buffer
, buflen
, &kdfcopy
);