Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp3577853pxb;
        Mon, 21 Feb 2022 00:52:16 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy64GHTdtvGfSi7JwIB039Sbe2BEZqIS6UJfmL7Ha1oY+p4b5WI50rvzu0/QYrhhnLR+evh
X-Received: by 2002:a17:906:8051:b0:6ce:a85d:ed74 with SMTP id x17-20020a170906805100b006cea85ded74mr14970084ejw.58.1645433536341;
        Mon, 21 Feb 2022 00:52:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1645433536; cv=none;
        d=google.com; s=arc-20160816;
        b=qliraYUgIjz4OZWVLANRAYbAnbZMR17t0yhf4ifXue1LidJDZfomszzZTlvmT/93cA
         J9Zv378KAjt2plpMeQR0O+k/C2DrW4TfFN0Ji2VGGF6ZI1gm5Ms5ekDIKlsj7yGFXZPe
         Kahme6oEXJ7vTm+F9fvkOT7mNczk7PNnr2aGq0xzAyc39kiTy2+p3M1KMcGEDiS8WwC5
         m5erzEh8946crjoXP6CJe8pNAraUMBIfmcJtHq7MoUeebs2chLIIYkJIwmI2XJcQh5qF
         S/k6qCDcNPfxdpZrLItNoAzto7o2Jr/iytIqqZuT70lOswCw/RaSOmglGvS80+CnG3a0
         nzOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=qyjKmNEB7bI32oKPSYcZzRyfLurflQZj655a2uBWbjg=;
        b=JLPVvCkzX/jM2JwuXbjqus8mKeBOr6LKc9IXL7A7MEHfjpuYaPpYA8hLIh2tjYaM6l
         VGQdfPh9TzH31CcEadzJJAiLzSv7ScnPP0L0c/IcnyfG9YXFVnns8S/YRKk+flRAGCRL
         9QHWmACKmFLYIsZAHCr9pML+7uC50jTWA/5SohkgTQOjnk1EVFLB+R5JhBuTXK1BgygI
         irYB15GeHfiWhAoBAbmr7Q+gte5M9g6dNpO1IBUgRlM5R+6+c/crTB239hTqa97OO2jO
         LQbs463tYvWrw0C/N7mPt48pqU9mA4s1K/Rm6hVzvVgKsdDRfPPVfpOSk5HtDBMdlqxV
         Xphw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=i8bOsZ7z;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lx5si3012492ejb.422.2022.02.21.00.51.51;
        Mon, 21 Feb 2022 00:52:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=i8bOsZ7z;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S245496AbiBUBt1 (ORCPT <rfc822;benevolent.opressor@gmail.com>
        + 99 others); Sun, 20 Feb 2022 20:49:27 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:57222 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S245495AbiBUBt0 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Sun, 20 Feb 2022 20:49:26 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CC4D0517D0;
        Sun, 20 Feb 2022 17:49:04 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 7CFABB80E3A;
        Mon, 21 Feb 2022 01:49:03 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B3B1AC340E8;
        Mon, 21 Feb 2022 01:49:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1645408142;
        bh=HI8NVCMsfUlolaSoMOjtjL/nBpAaZNebOImBZ6Z/x+M=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=i8bOsZ7z2/9hNP2dixd0AchqiaV/IHsV0ZEvA0lcp4lStTEKDeSp++UCFu5Ra8oFV
         R8sZnFes4j0ripdQcghiaXGUhzLJjKffOr+AGNAU1XTkd8O+dohR3ScXfcfIn+pELg
         PxYJkzRykkHCObD8N6odV/nJOMpcue0g5ctk/wFjLtFoI/rudwpJ9paZiye/4EliYQ
         KoafkiKLP5+FLZP0bLMDsUgbZIqbxyiwtMQE+s9GyJXfbKLC+zBPehU/qMii9MaBiv
         IVNkbX0rwu9HfLmDdPRSFqh6zr1FzlGRjXHdmHp/4r3bLKNAS5mvoC730NRNwQyCig
         ox/iRUxYjoygg==
Date:   Mon, 21 Feb 2022 02:49:41 +0100
From:   Jarkko Sakkinen <jarkko@kernel.org>
To:     Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Cc:     Eric Biggers <ebiggers@google.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        Vitaly Chikunov <vt@altlinux.org>,
        Stefan Berger <stefanb@linux.ibm.com>,
        Gilad Ben-Yossef <gilad@benyossef.com>,
        David Howells <dhowells@redhat.com>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH] KEYS: asymmetric: enforce SM2 signature use pkey algo
Message-ID: <YhLvtVT89tAjGnqw@kernel.org>
References: <20220201003414.55380-1-ebiggers@kernel.org>
 <20220207114327.7929-1-tianjia.zhang@linux.alibaba.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220207114327.7929-1-tianjia.zhang@linux.alibaba.com>
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Feb 07, 2022 at 07:43:27PM +0800, Tianjia Zhang wrote:
> The signature verification of SM2 needs to add the Za value and
> recalculate sig->digest, which requires the detection of the pkey_algo
> in public_key_verify_signature(). As Eric Biggers said, the pkey_algo
> field in sig is attacker-controlled and should be use pkey->pkey_algo
> instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it
> will also cause signature verification failure.
> 
> The software_key_determine_akcipher() already forces the algorithms
> are matched, so the SM3 algorithm is enforced in the SM2 signature,
> although this has been checked, we still avoid using any algorithm
> information in the signature as input.
> 
> Reported-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> ---
>  crypto/asymmetric_keys/public_key.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
> index a603ee8afdb8..ea9a5501f87e 100644
> --- a/crypto/asymmetric_keys/public_key.c
> +++ b/crypto/asymmetric_keys/public_key.c
> @@ -309,7 +309,8 @@ static int cert_sig_digest_update(const struct public_key_signature *sig,
>  	if (ret)
>  		return ret;
>  
> -	tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
> +	/* SM2 signatures always use the SM3 hash algorithm */
> +	tfm = crypto_alloc_shash("sm3", 0, 0);

Why not simply fail when sig->hash_algo != "sm3"?

BR, Jarkko