Commit 10de7b54 authored by Denis Kenzior's avatar Denis Kenzior Committed by Jarkko Sakkinen
Browse files

KEYS: asymmetric: Fix ECDSA use via keyctl uapi 



When support for ECDSA keys was added, constraints for data & signature
sizes were never updated.  This makes it impossible to use such keys via
keyctl API from userspace.

Update constraint on max_data_size to 64 bytes in order to support
SHA512-based signatures. Also update the signature length constraints
per ECDSA signature encoding described in RFC 5480.

Fixes: 299f561a ("x509: Add support for parsing x509 certs with ECDSA keys")
Signed-off-by: default avatarDenis Kenzior <denkenz@gmail.com>
Reviewed-by: default avatarStefan Berger <stefanb@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent c95e8f6f

crypto/asymmetric_keys/public_key.c

+22 −2
Original line number Diff line number Diff line
@@ -186,8 +186,28 @@ static int software_key_query(const struct kernel_pkey_params *params, 


	len = crypto_akcipher_maxsize(tfm);

	info->key_size = len * 8;



	if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) {

		/*

		 * ECDSA key sizes are much smaller than RSA, and thus could

		 * operate on (hashed) inputs that are larger than key size.

		 * For example SHA384-hashed input used with secp256r1

		 * based keys.  Set max_data_size to be at least as large as

		 * the largest supported hash size (SHA512)

		 */

		info->max_data_size = 64;



		/*

		 * Verify takes ECDSA-Sig (described in RFC 5480) as input,

		 * which is actually 2 'key_size'-bit integers encoded in

		 * ASN.1.  Account for the ASN.1 encoding overhead here.

		 */

		info->max_sig_size = 2 * (len + 3) + 2;

	} else {

		info->max_data_size = len;

		info->max_sig_size = len;

	}



	info->max_enc_size = len;

	info->max_dec_size = len;

	info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |