diff mbox series

[v3,18/18] keyctl_pkey: Add pkey parameters saltlen and mgfhash for PSS

Message ID 20210420114124.9684-19-varad.gautam@suse.com
State New
Headers show
Series Implement RSASSA-PSS signature verification | expand

Commit Message

Varad Gautam April 20, 2021, 11:41 a.m. UTC
keyctl pkey_* operations accept enc and hash parameters at present.
RSASSA-PSS signatures also require passing in the signature salt
length and the mgf hash function.

Add parameters:
- 'saltlen' to feed in salt length of a PSS signature.
- 'mgfhash' to feed in the hash function used for MGF.

Signed-off-by: Varad Gautam <varad.gautam@suse.com>
CC: Jarkko Sakkinen <jarkko@kernel.org>
CC: Ben Boeckel <me@benboeckel.net>
---
v3: Rename slen to saltlen, update Documentation/security/keys/core.rst.

 Documentation/security/keys/core.rst     | 14 +++++++++++++-
 crypto/asymmetric_keys/asymmetric_type.c |  2 ++
 include/linux/keyctl.h                   |  2 ++
 security/keys/keyctl_pkey.c              | 13 +++++++++++++
 4 files changed, 30 insertions(+), 1 deletion(-)

Comments

Ben Boeckel April 20, 2021, 1:27 p.m. UTC | #1
On Tue, Apr 20, 2021 at 13:41:23 +0200, Varad Gautam wrote:
> keyctl pkey_* operations accept enc and hash parameters at present.
> RSASSA-PSS signatures also require passing in the signature salt
> length and the mgf hash function.
> 
> Add parameters:
> - 'saltlen' to feed in salt length of a PSS signature.
> - 'mgfhash' to feed in the hash function used for MGF.
> 
> Signed-off-by: Varad Gautam <varad.gautam@suse.com>
> CC: Jarkko Sakkinen <jarkko@kernel.org>
> CC: Ben Boeckel <me@benboeckel.net>
> ---
> v3: Rename slen to saltlen, update Documentation/security/keys/core.rst.
> 
>  Documentation/security/keys/core.rst     | 14 +++++++++++++-
>  crypto/asymmetric_keys/asymmetric_type.c |  2 ++
>  include/linux/keyctl.h                   |  2 ++
>  security/keys/keyctl_pkey.c              | 13 +++++++++++++
>  4 files changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
> index b3ed5c581034c..4bd774c56899e 100644
> --- a/Documentation/security/keys/core.rst
> +++ b/Documentation/security/keys/core.rst
> @@ -1022,6 +1022,15 @@ The keyctl syscall functions are:
>  			which hash function was used, the hash function can be
>  			specified with this, eg. "hash=sha256".
>  
> +	``mgfhash=<algo>`` In case of "RSASSA-PSS" ("enc=pss"), this specifies
> +			the hash function used with the Mask Generation Function
> +			to generate a signature, eg. "mgfhash=sha256". Supported
> +			hashes are: sha1, sha224, sha256, sha384, and sha512.
> +
> +	``saltlen=<salt_length>`` In case of "RSASSA-PSS" ("enc=pss"), this
> +			specifies the salt length as a u16, used to generate a
                                                ^

This feels like it is missing a comma at the designated location (after
`length` if the whitespace gets mangled).

> +			signature. Eg. "saltlen=32".
> +
>       The ``__spare[]`` space in the parameter block must be set to 0.  This is
>       intended, amongst other things, to allow the passing of passphrases
>       required to unlock a key.
> @@ -1700,6 +1709,8 @@ The structure has a number of fields, some of which are mandatory:
>  			__u32	in2_len;
>  		};
>  		enum kernel_pkey_operation op : 8;
> +		__u16		salt_len;
> +		const char	*mgf_hash_algo;
>  	};
>  
>       This includes the key to be used; a string indicating the encoding to use
> @@ -1707,7 +1718,8 @@ The structure has a number of fields, some of which are mandatory:
>       RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding or "raw" if no encoding);
>       the name of the hash algorithm used to generate the data for a signature
>       (if appropriate); the sizes of the input and output (or second input)
> -     buffers; and the ID of the operation to be performed.
> +     buffers; the ID of the operation to be performed; salt length to be used
> +     in case of RSASSA-PSS; and hash algorithm used with MGF for RSASSA-PSS.
>  
>       For a given operation ID, the input and output buffers are used as
>       follows::

Thanks for the docs, they look good to me overall. Other than the comma:

    Acked-by: Ben Boeckel <mathstuf@gmail.com>

--Ben
diff mbox series

Patch

diff --git a/Documentation/security/keys/core.rst b/Documentation/security/keys/core.rst
index b3ed5c581034c..4bd774c56899e 100644
--- a/Documentation/security/keys/core.rst
+++ b/Documentation/security/keys/core.rst
@@ -1022,6 +1022,15 @@  The keyctl syscall functions are:
 			which hash function was used, the hash function can be
 			specified with this, eg. "hash=sha256".
 
+	``mgfhash=<algo>`` In case of "RSASSA-PSS" ("enc=pss"), this specifies
+			the hash function used with the Mask Generation Function
+			to generate a signature, eg. "mgfhash=sha256". Supported
+			hashes are: sha1, sha224, sha256, sha384, and sha512.
+
+	``saltlen=<salt_length>`` In case of "RSASSA-PSS" ("enc=pss"), this
+			specifies the salt length as a u16, used to generate a
+			signature. Eg. "saltlen=32".
+
      The ``__spare[]`` space in the parameter block must be set to 0.  This is
      intended, amongst other things, to allow the passing of passphrases
      required to unlock a key.
@@ -1700,6 +1709,8 @@  The structure has a number of fields, some of which are mandatory:
 			__u32	in2_len;
 		};
 		enum kernel_pkey_operation op : 8;
+		__u16		salt_len;
+		const char	*mgf_hash_algo;
 	};
 
      This includes the key to be used; a string indicating the encoding to use
@@ -1707,7 +1718,8 @@  The structure has a number of fields, some of which are mandatory:
      RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding or "raw" if no encoding);
      the name of the hash algorithm used to generate the data for a signature
      (if appropriate); the sizes of the input and output (or second input)
-     buffers; and the ID of the operation to be performed.
+     buffers; the ID of the operation to be performed; salt length to be used
+     in case of RSASSA-PSS; and hash algorithm used with MGF for RSASSA-PSS.
 
      For a given operation ID, the input and output buffers are used as
      follows::
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index ad8af3d70ac04..2d3419509ec35 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -571,6 +571,8 @@  static int asymmetric_key_verify_signature(struct kernel_pkey_params *params,
 		.hash_algo	= params->hash_algo,
 		.digest		= (void *)in,
 		.s		= (void *)in2,
+		.salt_length	= params->salt_len,
+		.mgf_hash_algo	= params->mgf_hash_algo,
 	};
 
 	return verify_signature(params->key, &sig);
diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
index 5b79847207ef2..b0122ac6e11c9 100644
--- a/include/linux/keyctl.h
+++ b/include/linux/keyctl.h
@@ -37,6 +37,8 @@  struct kernel_pkey_params {
 		__u32	in2_len;	/* 2nd input data size (verify) */
 	};
 	enum kernel_pkey_operation op : 8;
+	__u16		salt_len;
+	const char	*mgf_hash_algo;
 };
 
 #endif /* __LINUX_KEYCTL_H */
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 5de0d599a2748..019f112474dcd 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -24,11 +24,15 @@  enum {
 	Opt_err,
 	Opt_enc,		/* "enc=<encoding>" eg. "enc=oaep" */
 	Opt_hash,		/* "hash=<digest-name>" eg. "hash=sha1" */
+	Opt_saltlen,		/* "saltlen=<salt-length>" eg. "saltlen=32" */
+	Opt_mgfhash,		/* "mgfhash=<digest-name>" eg. "mgfhash=sha1" */
 };
 
 static const match_table_t param_keys = {
 	{ Opt_enc,	"enc=%s" },
 	{ Opt_hash,	"hash=%s" },
+	{ Opt_saltlen,	"saltlen=%u" },
+	{ Opt_mgfhash,	"mgfhash=%s" },
 	{ Opt_err,	NULL }
 };
 
@@ -63,6 +67,15 @@  static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
 			params->hash_algo = q;
 			break;
 
+		case Opt_saltlen:
+			if (kstrtou16(q, 0, &params->salt_len))
+				return -EINVAL;
+			break;
+
+		case Opt_mgfhash:
+			params->mgf_hash_algo = q;
+			break;
+
 		default:
 			return -EINVAL;
 		}