From: Tianjia Zhang
To: Jarkko Sakkinen, David Howells, Herbert Xu, "David S. Miller", Gilad Ben-Yossef, Eric Biggers, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Tianjia Zhang
Subject: [PATCH v3] KEYS: asymmetric: enforce SM2 signature use pkey algo
Date: Tue, 28 Jun 2022 11:37:20 +0800
Message-Id: <20220628033720.43847-1-tianjia.zhang@linux.alibaba.com>
X-Mailing-List: linux-crypto@vger.kernel.org

The signature verification of SM2 needs to add the Za value and recalculate sig->digest, which requires the detection of the pkey_algo in public_key_verify_signature(). As Eric Biggers said, the pkey_algo field in sig is attacker-controlled, and pkey->pkey_algo should be used instead of sig->pkey_algo; secondly, if sig->pkey_algo is NULL, it will also cause signature verification failure.

The software_key_determine_akcipher() already forces the algorithms to match, so the SM3 algorithm is enforced in the SM2 signature. Although this has been checked, we still avoid using any algorithm information in the signature as input.

Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
Reported-by: Eric Biggers
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Tianjia Zhang
--- crypto/asymmetric_keys/public_key.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 7c9e6be35c30..2f8352e88860 100644 --- a/crypto/asymmetric_keys/public_key.c 
+++ b/crypto/asymmetric_keys/public_key.c @@ -304,6 +304,10 @@ static int cert_sig_digest_update(const struct public_key_signature *sig, BUG_ON(!sig->data); + /* SM2 signatures always use the SM3 hash algorithm */ + if (!sig->hash_algo || strcmp(sig->hash_algo, "sm3") != 0) + return -EINVAL; + ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, SM2_DEFAULT_USERID_LEN, dgst); if (ret) @@ -414,8 +418,7 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_key; - if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && - sig->data_size) { + if (strcmp(pkey->pkey_algo, "sm2") == 0 && sig->data_size) { ret = cert_sig_digest_update(sig, tfm); if (ret) goto error_free_key; -- 2.24.3 (Apple Git-128)
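Review bot: In the cert_sig_digest_update() hunk (@@ -304,6 +304,10), the new check reads sig->hash_algo, which is itself a field of the signature, while the commit message says algorithm information from the signature should not be used as input. As written the field is only used to reject (return -EINVAL unless it equals "sm3") and never to select an algorithm, which is consistent with that goal, but the comment "SM2 signatures always use the SM3 hash algorithm" does not say so. Suggest rewording the comment to state that this is a reject-only sanity check on the signature's declared hash, so a later change does not start treating sig->hash_algo as a selector.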
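Review bot: In the public_key_verify_signature() hunk (@@ -414,8 +418,7), the rewritten condition passes pkey->pkey_algo straight to strcmp() with no NULL guard, whereas the removed line tested sig->pkey_algo for NULL before comparing. If pkey->pkey_algo is guaranteed non-NULL by this point (the commit message points to software_key_determine_akcipher() having already matched the algorithms), say so in a short comment above the `if`; otherwise keep a guard, e.g. `pkey->pkey_algo && strcmp(pkey->pkey_algo, "sm2") == 0`. A one-line comment that the key's algorithm, not the signature's, is deliberately used here would also keep a later cleanup from reverting to sig->pkey_algo.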