Commit d3b04a43 authored by Stephan Müller's avatar Stephan Müller Committed by Herbert Xu

security: DH - use KDF implementation from crypto API

The kernel crypto API provides the SP800-108 counter KDF implementation.
Thus, the separate implementation provided as part of the keys subsystem
can be replaced with calls to the KDF offered by the kernel crypto API.

The keys subsystem uses the counter KDF with a hash primitive. Thus,
it only uses the call to crypto_kdf108_ctr_generate.
Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Acked-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent d7921344
...@@ -109,7 +109,7 @@ config KEY_DH_OPERATIONS ...@@ -109,7 +109,7 @@ config KEY_DH_OPERATIONS
bool "Diffie-Hellman operations on retained keys" bool "Diffie-Hellman operations on retained keys"
depends on KEYS depends on KEYS
select CRYPTO select CRYPTO
select CRYPTO_HASH select CRYPTO_KDF800108_CTR
select CRYPTO_DH select CRYPTO_DH
help help
This option provides support for calculating Diffie-Hellman This option provides support for calculating Diffie-Hellman
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
#include <crypto/hash.h> #include <crypto/hash.h>
#include <crypto/kpp.h> #include <crypto/kpp.h>
#include <crypto/dh.h> #include <crypto/dh.h>
#include <crypto/kdf_sp800108.h>
#include <keys/user-type.h> #include <keys/user-type.h>
#include "internal.h" #include "internal.h"
...@@ -79,17 +80,9 @@ static void dh_crypto_done(struct crypto_async_request *req, int err) ...@@ -79,17 +80,9 @@ static void dh_crypto_done(struct crypto_async_request *req, int err)
complete(&compl->completion); complete(&compl->completion);
} }
struct kdf_sdesc { static int kdf_alloc(struct crypto_shash **hash, char *hashname)
struct shash_desc shash;
char ctx[];
};
static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
{ {
struct crypto_shash *tfm; struct crypto_shash *tfm;
struct kdf_sdesc *sdesc;
int size;
int err;
/* allocate synchronous hash */ /* allocate synchronous hash */
tfm = crypto_alloc_shash(hashname, 0, 0); tfm = crypto_alloc_shash(hashname, 0, 0);
...@@ -98,96 +91,30 @@ static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname) ...@@ -98,96 +91,30 @@ static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
return PTR_ERR(tfm); return PTR_ERR(tfm);
} }
err = -EINVAL; if (crypto_shash_digestsize(tfm) == 0) {
if (crypto_shash_digestsize(tfm) == 0)
goto out_free_tfm;
err = -ENOMEM;
size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
sdesc = kmalloc(size, GFP_KERNEL);
if (!sdesc)
goto out_free_tfm;
sdesc->shash.tfm = tfm;
*sdesc_ret = sdesc;
return 0;
out_free_tfm:
crypto_free_shash(tfm); crypto_free_shash(tfm);
return err; return -EINVAL;
}
static void kdf_dealloc(struct kdf_sdesc *sdesc)
{
if (!sdesc)
return;
if (sdesc->shash.tfm)
crypto_free_shash(sdesc->shash.tfm);
kfree_sensitive(sdesc);
}
/*
* Implementation of the KDF in counter mode according to SP800-108 section 5.1
* as well as SP800-56A section 5.8.1 (Single-step KDF).
*
* SP800-56A:
* The src pointer is defined as Z || other info where Z is the shared secret
* from DH and other info is an arbitrary string (see SP800-56A section
* 5.8.1.2).
*
* 'dlen' must be a multiple of the digest size.
*/
static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
u8 *dst, unsigned int dlen)
{
struct shash_desc *desc = &sdesc->shash;
unsigned int h = crypto_shash_digestsize(desc->tfm);
int err = 0;
u8 *dst_orig = dst;
__be32 counter = cpu_to_be32(1);
while (dlen) {
err = crypto_shash_init(desc);
if (err)
goto err;
err = crypto_shash_update(desc, (u8 *)&counter, sizeof(__be32));
if (err)
goto err;
if (src && slen) {
err = crypto_shash_update(desc, src, slen);
if (err)
goto err;
} }
err = crypto_shash_final(desc, dst); *hash = tfm;
if (err)
goto err;
dlen -= h;
dst += h;
counter = cpu_to_be32(be32_to_cpu(counter) + 1);
}
return 0; return 0;
}
err: static void kdf_dealloc(struct crypto_shash *hash)
memzero_explicit(dst_orig, dlen); {
return err; if (hash)
crypto_free_shash(hash);
} }
static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, static int keyctl_dh_compute_kdf(struct crypto_shash *hash,
char __user *buffer, size_t buflen, char __user *buffer, size_t buflen,
uint8_t *kbuf, size_t kbuflen) uint8_t *kbuf, size_t kbuflen)
{ {
struct kvec kbuf_iov = { .iov_base = kbuf, .iov_len = kbuflen };
uint8_t *outbuf = NULL; uint8_t *outbuf = NULL;
int ret; int ret;
size_t outbuf_len = roundup(buflen, size_t outbuf_len = roundup(buflen, crypto_shash_digestsize(hash));
crypto_shash_digestsize(sdesc->shash.tfm));
outbuf = kmalloc(outbuf_len, GFP_KERNEL); outbuf = kmalloc(outbuf_len, GFP_KERNEL);
if (!outbuf) { if (!outbuf) {
...@@ -195,7 +122,7 @@ static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, ...@@ -195,7 +122,7 @@ static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
goto err; goto err;
} }
ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, outbuf_len); ret = crypto_kdf108_ctr_generate(hash, &kbuf_iov, 1, outbuf, outbuf_len);
if (ret) if (ret)
goto err; goto err;
...@@ -224,7 +151,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params, ...@@ -224,7 +151,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
struct kpp_request *req; struct kpp_request *req;
uint8_t *secret; uint8_t *secret;
uint8_t *outbuf; uint8_t *outbuf;
struct kdf_sdesc *sdesc = NULL; struct crypto_shash *hash = NULL;
if (!params || (!buffer && buflen)) { if (!params || (!buffer && buflen)) {
ret = -EINVAL; ret = -EINVAL;
...@@ -257,7 +184,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params, ...@@ -257,7 +184,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
} }
/* allocate KDF from the kernel crypto API */ /* allocate KDF from the kernel crypto API */
ret = kdf_alloc(&sdesc, hashname); ret = kdf_alloc(&hash, hashname);
kfree(hashname); kfree(hashname);
if (ret) if (ret)
goto out1; goto out1;
...@@ -367,7 +294,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params, ...@@ -367,7 +294,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
goto out6; goto out6;
} }
ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, outbuf, ret = keyctl_dh_compute_kdf(hash, buffer, buflen, outbuf,
req->dst_len + kdfcopy->otherinfolen); req->dst_len + kdfcopy->otherinfolen);
} else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) { } else if (copy_to_user(buffer, outbuf, req->dst_len) == 0) {
ret = req->dst_len; ret = req->dst_len;
...@@ -386,7 +313,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params, ...@@ -386,7 +313,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
out2: out2:
dh_free_data(&dh_inputs); dh_free_data(&dh_inputs);
out1: out1:
kdf_dealloc(sdesc); kdf_dealloc(hash);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment