From patchwork Tue Feb 8 09:27:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "tianjia.zhang" X-Patchwork-Id: 12738388 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6AFAC4332F for ; Tue, 8 Feb 2022 09:27:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231997AbiBHJ1g (ORCPT ); Tue, 8 Feb 2022 04:27:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237653AbiBHJ1f (ORCPT ); Tue, 8 Feb 2022 04:27:35 -0500 Received: from out30-42.freemail.mail.aliyun.com (out30-42.freemail.mail.aliyun.com [115.124.30.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05A31C03FEC0; Tue, 8 Feb 2022 01:27:32 -0800 (PST) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R151e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04407;MF=tianjia.zhang@linux.alibaba.com;NM=1;PH=DS;RN=13;SR=0;TI=SMTPD_---0V3vbhCo_1644312448; Received: from localhost(mailfrom:tianjia.zhang@linux.alibaba.com fp:SMTPD_---0V3vbhCo_1644312448) by smtp.aliyun-inc.com(127.0.0.1); Tue, 08 Feb 2022 17:27:28 +0800 From: Tianjia Zhang To: Eric Biggers , Mimi Zohar , Vitaly Chikunov , Stefan Berger , Jarkko Sakkinen , "Gilad Ben-Yossef" , David Howells , Herbert Xu , "David S. Miller" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org Cc: Tianjia Zhang Subject: [PATCH v2] KEYS: asymmetric: enforce SM2 signature use pkey algo Date: Tue, 8 Feb 2022 17:27:27 +0800 Message-Id: <20220208092727.20092-1-tianjia.zhang@linux.alibaba.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220208052448.409152-1-ebiggers@kernel.org> References: <20220208052448.409152-1-ebiggers@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org The signature verification of SM2 needs to add the Za value and recalculate sig->digest, which requires the detection of the pkey_algo in public_key_verify_signature(). As Eric Biggers said, the pkey_algo field in sig is attacker-controlled and should be use pkey->pkey_algo instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it will also cause signature verification failure. The software_key_determine_akcipher() already forces the algorithms are matched, so the SM3 algorithm is enforced in the SM2 signature, although this has been checked, we still avoid using any algorithm information in the signature as input. Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") Reported-by: Eric Biggers Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Tianjia Zhang --- v2: - add Fixes tag to commit message crypto/asymmetric_keys/public_key.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index a603ee8afdb8..ea9a5501f87e 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -309,7 +309,8 @@ static int cert_sig_digest_update(const struct public_key_signature *sig, if (ret) return ret; - tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); + /* SM2 signatures always use the SM3 hash algorithm */ + tfm = crypto_alloc_shash("sm3", 0, 0); if (IS_ERR(tfm)) return PTR_ERR(tfm); @@ -414,8 +415,7 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_key; - if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && - sig->data_size) { + if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { ret = cert_sig_digest_update(sig, tfm); if (ret) goto error_free_key;