Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp3435471iog; Mon, 27 Jun 2022 16:20:53 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vFceE2a4nPbIVFwcy83DQaX0mAZOPxHkUHCi4aBZOecxfsV4wRahRCtx/0XCbByNXteh9y X-Received: by 2002:a17:906:b01a:b0:718:cc50:4c6 with SMTP id v26-20020a170906b01a00b00718cc5004c6mr14702783ejy.630.1656372053764; Mon, 27 Jun 2022 16:20:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656372053; cv=none; d=google.com; s=arc-20160816; b=cB+yVMzfnSfrGHvAElLvedlRsj6IMg8z1wkFVY4bsgP20BaaxZqBJZ+KkVsQz/etWj +QYTSaXCcXIhSHwpi6iHWQP7lR1YyumRwZQ6lVz2YlG6yOC4W1wJzZQkYcVoGEnJ5q16 ge9MJW9mcJRQyPK3Z4TmkeYSVTNLYVoU6/WJ7vLKYIb9fBFrTqRDpy1Zi0Wcx8MNY9My IS1ydv9KGfFBqHUufITIxBG9QszGuw32gT71avxzyjlcr6vGfoMH4d+l2McxaAiobEUz KJpZFh7QZdQGsz25wmRUKJbZ/EmYcqzfYybJ4TYm5VnFbc1/rbsWGvYbA8k9yaKSMu+b +hbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=WALiU2gW+VDsdwJoXlMj8XyhCp4VF0BvpbSJg+TtD3Q=; b=M2GTFxPkaOWC1Zh7lvV5au+BBafFoHM7aUD6ghEg4u6vQqG83b9ZLUdcSjJyRTpJrY XPtHnr2fXHosbwcUNy0s1b33CNkL0+4RUpDL+HBIddXi+dGXu1tvoOSQoIeg91EnwyLO HGRzIVzk/Ipkonvhse91CyfJ3TUNJaGGKHoiLjKo0rvJexi8HiF60mwFKBW2zI49Vv7t JNuPeQQEj1FC+zzblBa9BdP5CK2HY9nyLiJ692pZCl1EJEdFr8Ws+1LkW4Mt+z0rLgTD dZ5d4U6v2mMa448uZJgCmUx6ld0lANUX/eWHuabay/hcrYVA+PM2AhSyl9sykwiU37b6 M7sQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pVumDj2b; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l22-20020a170906795600b00712236ab6aasi14115962ejo.95.2022.06.27.16.20.28; Mon, 27 Jun 2022 16:20:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=pVumDj2b; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238716AbiF0XOr (ORCPT + 99 others); Mon, 27 Jun 2022 19:14:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52388 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237641AbiF0XOr (ORCPT ); Mon, 27 Jun 2022 19:14:47 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 848E623140; Mon, 27 Jun 2022 16:14:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 10C656155C; Mon, 27 Jun 2022 23:14:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1C99BC341C8; Mon, 27 Jun 2022 23:14:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1656371685; bh=h4FR0qftIvkH2uTSynr4CWcZ4lbRTfiY9kRTXC9vhC0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=pVumDj2bJvP3+KrO/DN9mUcf4t+RsXVIMpp/dDhtG24b3DoZqbMhF1Y0p4FNqIY5+ m+GZjCtQzd+mmgOhqsfrrph8ROF9fIUiJYfwHg5uPSfErIvUBv8NcFeS+w+NnrO/Db ms4S+uoY70BrYvOdLhVZ9YQLn8elgC3OG5cM/cUuz7ZZh+jDVSNBZFU6Zz9vLQo7fc o2/6CRy7mwpJTsjz3r013qEeFBsXYa3FiTRF1uuodjuoLy8qHxTT1Qn0j24uVZqyc2 y4dfsB+u8civcJn6Ur0g3rW40NiuYMyD+6ixn2LstAep8DOWmByGR9ojvRyNZqUMe9 6oFZ2w//886pw== Date: Tue, 28 Jun 2022 02:14:41 +0300 From: Jarkko Sakkinen To: Tianjia Zhang Cc: David Howells , Herbert Xu , "David S. Miller" , Gilad Ben-Yossef , Eric Biggers , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 RESEND] KEYS: asymmetric: enforce SM2 signature use pkey algo Message-ID: References: <20220627092027.20858-1-tianjia.zhang@linux.alibaba.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220627092027.20858-1-tianjia.zhang@linux.alibaba.com> X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Jun 27, 2022 at 05:20:27PM +0800, Tianjia Zhang wrote: > The signature verification of SM2 needs to add the Za value and > recalculate sig->digest, which requires the detection of the pkey_algo > in public_key_verify_signature(). As Eric Biggers said, the pkey_algo > field in sig is attacker-controlled and should be use pkey->pkey_algo > instead of sig->pkey_algo, and secondly, if sig->pkey_algo is NULL, it > will also cause signature verification failure. > > The software_key_determine_akcipher() already forces the algorithms > are matched, so the SM3 algorithm is enforced in the SM2 signature, > although this has been checked, we still avoid using any algorithm > information in the signature as input. > > Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") > Reported-by: Eric Biggers > Cc: stable@vger.kernel.org # v5.10+ > Signed-off-by: Tianjia Zhang > --- > crypto/asymmetric_keys/public_key.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > index 7c9e6be35c30..3f17ee860f89 100644 > --- a/crypto/asymmetric_keys/public_key.c > +++ b/crypto/asymmetric_keys/public_key.c > @@ -309,7 +309,8 @@ static int cert_sig_digest_update(const struct public_key_signature *sig, > if (ret) > return ret; > > - tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); > + /* SM2 signatures always use the SM3 hash algorithm */ > + tfm = crypto_alloc_shash("sm3", 0, 0); So, why this should not validate sig->hash_alog *to be* "sm3"? I.e. add instead guard before crypto_alloc_hash: if (strncmp(sig->hash_algo, "sm3") != 0) { /* error */ } /* continue */ > if (IS_ERR(tfm)) > return PTR_ERR(tfm); > > @@ -414,8 +415,7 @@ int public_key_verify_signature(const struct public_key *pkey, > if (ret) > goto error_free_key; > > - if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && > - sig->data_size) { > + if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { > ret = cert_sig_digest_update(sig, tfm); > if (ret) > goto error_free_key; > -- > 2.24.3 (Apple Git-128) > BR, Jarkko