1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2013 Intel Corporation
4 *
5 * Author:
6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
7 */
8
9#include <linux/err.h>
10#include <linux/ratelimit.h>
11#include <linux/key-type.h>
12#include <crypto/public_key.h>
13#include <crypto/hash_info.h>
14#include <keys/asymmetric-type.h>
15#include <keys/system_keyring.h>
16
17#include "integrity.h"
18
19/*
20 * Request an asymmetric key.
21 */
22static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
23{
24	struct key *key;
25	char name[12];
26
27	sprintf(name, "id:%08x", keyid);
28
29	pr_debug("key search: \"%s\"\n", name);
30
31	key = get_ima_blacklist_keyring();
32	if (key) {
33		key_ref_t kref;
34
35		kref = keyring_search(make_key_ref(key, 1),
36				      &key_type_asymmetric, name, true);
37		if (!IS_ERR(kref)) {
38			pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
39			return ERR_PTR(-EKEYREJECTED);
40		}
41	}
42
43	if (keyring) {
44		/* search in specific keyring */
45		key_ref_t kref;
46
47		kref = keyring_search(make_key_ref(keyring, 1),
48				      &key_type_asymmetric, name, true);
49		if (IS_ERR(kref))
50			key = ERR_CAST(kref);
51		else
52			key = key_ref_to_ptr(kref);
53	} else {
54		key = request_key(&key_type_asymmetric, name, NULL);
55	}
56
57	if (IS_ERR(key)) {
58		if (keyring)
59			pr_err_ratelimited("Request for unknown key '%s' in '%s' keyring. err %ld\n",
60					   name, keyring->description,
61					   PTR_ERR(key));
62		else
63			pr_err_ratelimited("Request for unknown key '%s' err %ld\n",
64					   name, PTR_ERR(key));
65
66		switch (PTR_ERR(key)) {
67			/* Hide some search errors */
68		case -EACCES:
69		case -ENOTDIR:
70		case -EAGAIN:
71			return ERR_PTR(-ENOKEY);
72		default:
73			return key;
74		}
75	}
76
77	pr_debug("%s() = 0 [%x]\n", __func__, key_serial(key));
78
79	return key;
80}
81
82int asymmetric_verify(struct key *keyring, const char *sig,
83		      int siglen, const char *data, int datalen)
84{
85	struct public_key_signature pks;
86	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
87	const struct public_key *pk;
88	struct key *key;
89	int ret;
90
91	if (siglen <= sizeof(*hdr))
92		return -EBADMSG;
93
94	siglen -= sizeof(*hdr);
95
96	if (siglen != be16_to_cpu(hdr->sig_size))
97		return -EBADMSG;
98
99	if (hdr->hash_algo >= HASH_ALGO__LAST)
100		return -ENOPKG;
101
102	key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
103	if (IS_ERR(key))
104		return PTR_ERR(key);
105
106	memset(&pks, 0, sizeof(pks));
107
108	pks.hash_algo = hash_algo_name[hdr->hash_algo];
109
110	pk = asymmetric_key_public_key(key);
111	pks.pkey_algo = pk->pkey_algo;
112	if (!strcmp(pk->pkey_algo, "rsa")) {
113		pks.encoding = "pkcs1";
114	} else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
115		/* edcsa-nist-p192 etc. */
116		pks.encoding = "x962";
117	} else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
118		   !strcmp(pk->pkey_algo, "sm2")) {
119		pks.encoding = "raw";
120	} else {
121		ret = -ENOPKG;
122		goto out;
123	}
124
125	pks.digest = (u8 *)data;
126	pks.digest_size = datalen;
127	pks.s = hdr->sig;
128	pks.s_size = siglen;
129	ret = verify_signature(key, &pks);
130out:
131	key_put(key);
132	pr_debug("%s() = %d\n", __func__, ret);
133	return ret;
134}
135