Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3123419rwb;
        Mon, 15 Aug 2022 18:42:23 -0700 (PDT)
X-Google-Smtp-Source: AA6agR6m/MmAxX4QsSFcYc9adzndwd4Ipg3AgOAP35EhvPG4Z0heuECTEQKUEx1D1MuahWxQMELx
X-Received: by 2002:a17:90b:1b49:b0:1f5:4203:2e4e with SMTP id nv9-20020a17090b1b4900b001f542032e4emr30401771pjb.143.1660614142988;
        Mon, 15 Aug 2022 18:42:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1660614142; cv=none;
        d=google.com; s=arc-20160816;
        b=tdtwo3N4lsYuKh/U3VYTO8eIeAj2QuNCSlxfaK5y0D8jhRIcmSlQxJ6llCR8v01RYv
         DYNpoLqPiYOVC70d3Ekr+P9heCKJUfDtKcBxTb2Q7Qz1qMw173pvTasO01L7R9emh4Rl
         sbO3vp7bhrEwYL4n8zoY38H+G+/2Wv1FVqhvl4kapzLTvN9zlVWZhC2avbDVLWpzwOyf
         ZeEEltE+RLtWK7GBgQnl7hcU9LdBILdS90aH7Tqc4PphDcuX9CSfZFKJN0ZJwZ3u2QrD
         4a54U2DjsOMa5O/tl8h27TDPJxPkusPlj2b3WVDMJAdIXVBwOhp1XY9YhhTAEmZ23Q4O
         KYGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=eG0tq9aJ7MAttmERqjxGzsF7AWjEkNq96z4XuNem62g=;
        b=ZWtLHckeq2sHJdtLWPhiklXQE26eBbSBgeei5kbZEPYEDfiircPVVmOfA68TXRrkDX
         NYLaN2euy5NEfalnzN3XHGQfDoQv2ppHyB6+//eZLO55gV0rRiEKjAiNBQepL+aaR0S6
         CVhXtu4zSJ+fMUEBM1CpRdop9dh5n+L5jZOP3QEYM1ZNfmVAKIvmTU6z6DgAFiy8/3qO
         cikOPSc34KUDjKbrfCK7Fs8MQO/DhD9Ru/fk738Zqn2Y6yl2q+fS1BHUojCsmPGkGpTb
         0+3S5RRXbjGcPs162at0xy2h6nPjNHZu4b+HZmh5vQsoM5UxODEGuh+rdoTUv4nZA0vK
         YiKw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lQg5rsoW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w10-20020a63160a000000b0041a2b18788dsi12274616pgl.364.2022.08.15.18.42.11;
        Mon, 15 Aug 2022 18:42:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lQg5rsoW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1348568AbiHPBFl (ORCPT <rfc822;andrey.bzh.r@gmail.com>
        + 99 others); Mon, 15 Aug 2022 21:05:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55656 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242952AbiHPA73 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Aug 2022 20:59:29 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B897D1A2EAB;
        Mon, 15 Aug 2022 13:49:57 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 94285B8113E;
        Mon, 15 Aug 2022 20:49:55 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id DFAAEC433D6;
        Mon, 15 Aug 2022 20:49:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1660596594;
        bh=kxzoYOEPOH9+Y+3lO+DaaJftUEo51nXgjw+Ns0g0fJM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=lQg5rsoWfPUizxIUwDhT+NC4uMv0TQn4/lyLEVhEYLxpaCoZZ6BEOjeOjvuqLTqeB
         OJzSTdWqFBb4WxQmeyRv2Zton7ouXjkZhHvVY8zXnFHNax3eW62vFGl6nZ3gvq9azw
         jfwWGTx/cJXTGTq8b5KKLWZNEkZQYoEx6YL1yieU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
        Tianjia Zhang <tianjia.zhang@linux.alibaba.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 1130/1157] KEYS: asymmetric: enforce SM2 signature use pkey algo
Date:   Mon, 15 Aug 2022 20:08:06 +0200
Message-Id: <20220815180525.589278405@linuxfoundation.org>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220815180439.416659447@linuxfoundation.org>
References: <20220815180439.416659447@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

[ Upstream commit 0815291a8fd66cdcf7db1445d4d99b0d16065829 ]

The signature verification of SM2 needs to add the Za value and
recalculate sig->digest, which requires the detection of the pkey_algo
in public_key_verify_signature(). As Eric Biggers said, the pkey_algo
field in sig is attacker-controlled and should be use pkey->pkey_algo
instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it
will also cause signature verification failure.

The software_key_determine_akcipher() already forces the algorithms
are matched, so the SM3 algorithm is enforced in the SM2 signature,
although this has been checked, we still avoid using any algorithm
information in the signature as input.

Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
Reported-by: Eric Biggers <ebiggers@google.com>
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/asymmetric_keys/public_key.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 7c9e6be35c30..2f8352e88860 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -304,6 +304,10 @@ static int cert_sig_digest_update(const struct public_key_signature *sig,
 
 	BUG_ON(!sig->data);
 
+	/* SM2 signatures always use the SM3 hash algorithm */
+	if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0)
+		return -EINVAL;
+
 	ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID,
 					SM2_DEFAULT_USERID_LEN, dgst);
 	if (ret)
@@ -414,8 +418,7 @@ int public_key_verify_signature(const struct public_key *pkey,
 	if (ret)
 		goto error_free_key;
 
-	if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 &&
-	    sig->data_size) {
+	if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) {
 		ret = cert_sig_digest_update(sig, tfm);
 		if (ret)
 			goto error_free_key;
-- 
2.35.1