203a6763ab
This reverts commit 16ab7cb582
because it
broke iwd. iwd uses the KEYCTL_PKEY_* UAPIs via its dependency libell,
and apparently it is relying on SHA-1 signature support. These UAPIs
are fairly obscure, and their documentation does not mention which
algorithms they support. iwd really should be using a properly
supported userspace crypto library instead. Regardless, since something
broke we have to revert the change.
It may be possible that some parts of this commit can be reinstated
without breaking iwd (e.g. probably the removal of MODULE_SIG_SHA1), but
for now this just does a full revert to get things working again.
Reported-by: Karel Balej <balejk@matfyz.cz>
Closes: https://lore.kernel.org/r/CZSHRUIJ4RKL.34T4EASV5DNJM@matfyz.cz
Cc: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Tested-by: Karel Balej <balejk@matfyz.cz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
160 lines
4.4 KiB
C
160 lines
4.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Signature verification with an asymmetric key
|
|
*
|
|
* See Documentation/crypto/asymmetric-keys.rst
|
|
*
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "SIG: "fmt
|
|
#include <keys/asymmetric-subtype.h>
|
|
#include <linux/export.h>
|
|
#include <linux/err.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/keyctl.h>
|
|
#include <crypto/public_key.h>
|
|
#include <keys/user-type.h>
|
|
#include "asymmetric_keys.h"
|
|
|
|
/*
|
|
* Destroy a public key signature.
|
|
*/
|
|
void public_key_signature_free(struct public_key_signature *sig)
|
|
{
|
|
int i;
|
|
|
|
if (sig) {
|
|
for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
|
|
kfree(sig->auth_ids[i]);
|
|
kfree(sig->s);
|
|
kfree(sig->digest);
|
|
kfree(sig);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(public_key_signature_free);
|
|
|
|
/**
|
|
* query_asymmetric_key - Get information about an asymmetric key.
|
|
* @params: Various parameters.
|
|
* @info: Where to put the information.
|
|
*/
|
|
int query_asymmetric_key(const struct kernel_pkey_params *params,
|
|
struct kernel_pkey_query *info)
|
|
{
|
|
const struct asymmetric_key_subtype *subtype;
|
|
struct key *key = params->key;
|
|
int ret;
|
|
|
|
pr_devel("==>%s()\n", __func__);
|
|
|
|
if (key->type != &key_type_asymmetric)
|
|
return -EINVAL;
|
|
subtype = asymmetric_key_subtype(key);
|
|
if (!subtype ||
|
|
!key->payload.data[0])
|
|
return -EINVAL;
|
|
if (!subtype->query)
|
|
return -ENOTSUPP;
|
|
|
|
ret = subtype->query(params, info);
|
|
|
|
pr_devel("<==%s() = %d\n", __func__, ret);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(query_asymmetric_key);
|
|
|
|
/**
|
|
* encrypt_blob - Encrypt data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @data: Data blob to be encrypted, length params->data_len
|
|
* @enc: Encrypted data buffer, length params->enc_len
|
|
*
|
|
* Encrypt the specified data blob using the private key specified by
|
|
* params->key. The encrypted data is wrapped in an encoding if
|
|
* params->encoding is specified (eg. "pkcs1").
|
|
*
|
|
* Returns the length of the data placed in the encrypted data buffer or an
|
|
* error.
|
|
*/
|
|
int encrypt_blob(struct kernel_pkey_params *params,
|
|
const void *data, void *enc)
|
|
{
|
|
params->op = kernel_pkey_encrypt;
|
|
return asymmetric_key_eds_op(params, data, enc);
|
|
}
|
|
EXPORT_SYMBOL_GPL(encrypt_blob);
|
|
|
|
/**
|
|
* decrypt_blob - Decrypt data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @enc: Encrypted data to be decrypted, length params->enc_len
|
|
* @data: Decrypted data buffer, length params->data_len
|
|
*
|
|
* Decrypt the specified data blob using the private key specified by
|
|
* params->key. The decrypted data is wrapped in an encoding if
|
|
* params->encoding is specified (eg. "pkcs1").
|
|
*
|
|
* Returns the length of the data placed in the decrypted data buffer or an
|
|
* error.
|
|
*/
|
|
int decrypt_blob(struct kernel_pkey_params *params,
|
|
const void *enc, void *data)
|
|
{
|
|
params->op = kernel_pkey_decrypt;
|
|
return asymmetric_key_eds_op(params, enc, data);
|
|
}
|
|
EXPORT_SYMBOL_GPL(decrypt_blob);
|
|
|
|
/**
|
|
* create_signature - Sign some data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @data: Data blob to be signed, length params->data_len
|
|
* @enc: Signature buffer, length params->enc_len
|
|
*
|
|
* Sign the specified data blob using the private key specified by params->key.
|
|
* The signature is wrapped in an encoding if params->encoding is specified
|
|
* (eg. "pkcs1"). If the encoding needs to know the digest type, this can be
|
|
* passed through params->hash_algo (eg. "sha1").
|
|
*
|
|
* Returns the length of the data placed in the signature buffer or an error.
|
|
*/
|
|
int create_signature(struct kernel_pkey_params *params,
|
|
const void *data, void *enc)
|
|
{
|
|
params->op = kernel_pkey_sign;
|
|
return asymmetric_key_eds_op(params, data, enc);
|
|
}
|
|
EXPORT_SYMBOL_GPL(create_signature);
|
|
|
|
/**
|
|
* verify_signature - Initiate the use of an asymmetric key to verify a signature
|
|
* @key: The asymmetric key to verify against
|
|
* @sig: The signature to check
|
|
*
|
|
* Returns 0 if successful or else an error.
|
|
*/
|
|
int verify_signature(const struct key *key,
|
|
const struct public_key_signature *sig)
|
|
{
|
|
const struct asymmetric_key_subtype *subtype;
|
|
int ret;
|
|
|
|
pr_devel("==>%s()\n", __func__);
|
|
|
|
if (key->type != &key_type_asymmetric)
|
|
return -EINVAL;
|
|
subtype = asymmetric_key_subtype(key);
|
|
if (!subtype ||
|
|
!key->payload.data[0])
|
|
return -EINVAL;
|
|
if (!subtype->verify_signature)
|
|
return -ENOTSUPP;
|
|
|
|
ret = subtype->verify_signature(key, sig);
|
|
|
|
pr_devel("<==%s() = %d\n", __func__, ret);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(verify_signature);
|