1 /* Crypto operations using stored keys
3 * Copyright (c) 2016, Intel Corporation
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
11 #include <linux/mpi.h>
12 #include <linux/slab.h>
13 #include <linux/uaccess.h>
14 #include <linux/crypto.h>
15 #include <crypto/hash.h>
16 #include <keys/user-type.h>
20 * Public key or shared secret generation function [RFC2631 sec 2.1.1]
26 * where xa is the local private key, ya is the local public key, g is
27 * the generator, p is the prime, yb is the remote public key, and ZZ
28 * is the shared secret.
30 * Both are the same calculation, so g or yb are the "base" and ya or
31 * ZZ are the "result".
33 static int do_dh(MPI result, MPI base, MPI xa, MPI p)
35 return mpi_powm(result, base, xa, p);
38 static ssize_t mpi_from_key(key_serial_t keyid, size_t maxlen, MPI *mpi)
45 key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
46 if (IS_ERR(key_ref)) {
51 key = key_ref_to_ptr(key_ref);
54 if (key->type == &key_type_user) {
56 status = key_validate(key);
58 const struct user_key_payload *payload;
60 payload = user_key_payload_locked(key);
64 ret = payload->datalen;
65 } else if (payload->datalen <= maxlen) {
66 *mpi = mpi_read_raw_data(payload->data,
69 ret = payload->datalen;
83 struct shash_desc shash;
87 static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
89 struct crypto_shash *tfm;
90 struct kdf_sdesc *sdesc;
94 /* allocate synchronous hash */
95 tfm = crypto_alloc_shash(hashname, 0, 0);
97 pr_info("could not allocate digest TFM handle %s\n", hashname);
102 if (crypto_shash_digestsize(tfm) == 0)
106 size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
107 sdesc = kmalloc(size, GFP_KERNEL);
110 sdesc->shash.tfm = tfm;
111 sdesc->shash.flags = 0x0;
118 crypto_free_shash(tfm);
122 static void kdf_dealloc(struct kdf_sdesc *sdesc)
127 if (sdesc->shash.tfm)
128 crypto_free_shash(sdesc->shash.tfm);
133 /* convert 32 bit integer into its string representation */
134 static inline void crypto_kw_cpu_to_be32(u32 val, u8 *buf)
136 __be32 *a = (__be32 *)buf;
138 *a = cpu_to_be32(val);
142 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
143 * as well as SP800-56A section 5.8.1 (Single-step KDF).
146 * The src pointer is defined as Z || other info where Z is the shared secret
147 * from DH and other info is an arbitrary string (see SP800-56A section
150 static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
151 u8 *dst, unsigned int dlen)
153 struct shash_desc *desc = &sdesc->shash;
154 unsigned int h = crypto_shash_digestsize(desc->tfm);
158 u8 iteration[sizeof(u32)];
161 err = crypto_shash_init(desc);
165 crypto_kw_cpu_to_be32(i, iteration);
166 err = crypto_shash_update(desc, iteration, sizeof(u32));
171 err = crypto_shash_update(desc, src, slen);
179 err = crypto_shash_final(desc, tmpbuffer);
182 memcpy(dst, tmpbuffer, dlen);
183 memzero_explicit(tmpbuffer, h);
186 err = crypto_shash_final(desc, dst);
199 memzero_explicit(dst_orig, dlen);
203 static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
204 char __user *buffer, size_t buflen,
205 uint8_t *kbuf, size_t kbuflen)
207 uint8_t *outbuf = NULL;
210 outbuf = kmalloc(buflen, GFP_KERNEL);
216 ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen);
221 if (copy_to_user(buffer, outbuf, buflen) != 0)
229 long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
230 char __user *buffer, size_t buflen,
231 struct keyctl_kdf_params *kdfcopy)
234 MPI base, private, prime, result;
236 struct keyctl_dh_params pcopy;
240 struct kdf_sdesc *sdesc = NULL;
242 if (!params || (!buffer && buflen)) {
246 if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
254 if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
255 kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
260 /* get KDF name string */
261 hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
262 if (IS_ERR(hashname)) {
263 ret = PTR_ERR(hashname);
267 /* allocate KDF from the kernel crypto API */
268 ret = kdf_alloc(&sdesc, hashname);
275 * If the caller requests postprocessing with a KDF, allow an
276 * arbitrary output buffer size since the KDF ensures proper truncation.
278 keylen = mpi_from_key(pcopy.prime, kdfcopy ? SIZE_MAX : buflen, &prime);
279 if (keylen < 0 || !prime) {
280 /* buflen == 0 may be used to query the required buffer size,
281 * which is the prime key length.
287 /* The result is never longer than the prime */
290 keylen = mpi_from_key(pcopy.base, SIZE_MAX, &base);
291 if (keylen < 0 || !base) {
296 keylen = mpi_from_key(pcopy.private, SIZE_MAX, &private);
297 if (keylen < 0 || !private) {
302 result = mpi_alloc(0);
308 /* allocate space for DH shared secret and SP800-56A otherinfo */
309 kbuf = kmalloc(kdfcopy ? (resultlen + kdfcopy->otherinfolen) : resultlen,
317 * Concatenate SP800-56A otherinfo past DH shared secret -- the
318 * input to the KDF is (DH shared secret || otherinfo)
320 if (kdfcopy && kdfcopy->otherinfo &&
321 copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
322 kdfcopy->otherinfolen) != 0) {
327 ret = do_dh(result, base, private, prime);
331 ret = mpi_read_buffer(result, kbuf, resultlen, &nbytes, NULL);
336 ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
337 resultlen + kdfcopy->otherinfolen);
340 if (copy_to_user(buffer, kbuf, nbytes) != 0)
359 long keyctl_dh_compute(struct keyctl_dh_params __user *params,
360 char __user *buffer, size_t buflen,
361 struct keyctl_kdf_params __user *kdf)
363 struct keyctl_kdf_params kdfcopy;
366 return __keyctl_dh_compute(params, buffer, buflen, NULL);
368 if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
371 return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);