From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Biggers, Tianjia Zhang, Jarkko Sakkinen
Subject: [PATCH 5.10 513/545] KEYS: asymmetric: enforce SM2 signature use pkey algo
Date: Fri, 19 Aug 2022 17:44:43 +0200
Message-Id: <20220819153852.457218291@linuxfoundation.org>
In-Reply-To: <20220819153829.135562864@linuxfoundation.org>
References: <20220819153829.135562864@linuxfoundation.org>

From: Tianjia Zhang

commit 0815291a8fd66cdcf7db1445d4d99b0d16065829 upstream.

The signature verification of SM2 needs to add the Za value and
recalculate sig->digest, which requires the detection of the pkey_algo
in public_key_verify_signature(). As Eric Biggers said, the pkey_algo
field in sig is attacker-controlled, and pkey->pkey_algo should be used
instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it
will also cause signature verification failure.

The software_key_determine_akcipher() already forces the algorithms to
match, so the SM3 algorithm is enforced in the SM2 signature. Although
this has been checked, we still avoid using any algorithm information
in the signature as input.

Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
Reported-by: Eric Biggers
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Tianjia Zhang
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman --- crypto/asymmetric_keys/public_key.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -260,6 +260,10 @@ static int cert_sig_digest_update(const BUG_ON(!sig->data); + /* SM2 signatures always use the SM3 hash algorithm */ + if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0) + return -EINVAL; + ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, SM2_DEFAULT_USERID_LEN, dgst); if (ret) @@ -356,8 +360,7 @@ int public_key_verify_signature(const st if (ret) goto error_free_key; - if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && - sig->data_size) { + if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { ret = cert_sig_digest_update(sig, tfm); if (ret) goto error_free_key;
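Review bot: In the first hunk (cert_sig_digest_update(), at -260), the new check reads sig->hash_algo, which is a field of the signature, while the commit message says the fix avoids using any algorithm information from the signature as input. The check only rejects (returns -EINVAL unless the value is "sm3") and does not select an algorithm, but the one-line comment "SM2 signatures always use the SM3 hash algorithm" does not say that. Suggest extending the comment to state that this is a reject-only sanity check on an untrusted field, and that software_key_determine_akcipher() is what the commit message relies on to enforce the match, so a later reader does not treat sig->hash_algo as a trusted selector here.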
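Review bot: In the second hunk (public_key_verify_signature(), at -356), the rewritten condition calls strcmp() on pkey->pkey_algo with no NULL guard, whereas the removed line tested sig->pkey_algo for NULL before comparing. Nothing in the visible context shows that pkey->pkey_algo is guaranteed to be set at this point. Either say in the commit message why it cannot be NULL once execution reaches this line, or keep the guard in the new form, for example `if (pkey->pkey_algo && strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) {`.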