Re: [PATCH 1/2] KEYS: asymmetric: enforce that sig algo matches key algo

From: Eric Biggers <ebiggers@kernel.org>
To: Vitaly Chikunov <vt@altlinux.org>
Cc: keyrings@vger.kernel.org, Jarkko Sakkinen <jarkko@kernel.org>,
	David Howells <dhowells@redhat.com>,
	linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
	Stefan Berger <stefanb@linux.ibm.com>,
	Gilad Ben-Yossef <gilad@benyossef.com>,
	Tianjia Zhang <tianjia.zhang@linux.alibaba.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH 1/2] KEYS: asymmetric: enforce that sig algo matches key algo
Date: Tue, 1 Feb 2022 19:22:40 -0800	[thread overview]
Message-ID: <Yfn5AFaH6mMa6FB3@sol.localdomain> (raw)
In-Reply-To: <Yfn2KZgjuFRSJzSj@sol.localdomain>

On Tue, Feb 01, 2022 at 07:10:33PM -0800, Eric Biggers wrote:
> > This seem incorrect too, as sig->pkey_algo could be NULL for direct
> > signature verification calls. For example, for keyctl pkey_verify.
> 
> We can make it optional if some callers aren't providing it.  Of course, such
> callers wouldn't be able to verify ECDSA signatures.

Sorry, I got that backwards.  ECDSA signatures don't specify the curve, but the
keys do (as I noted in a comment).  So ECDSA wouldn't require sig->pkey_algo.

Since it appears that KEYCTL_PKEY_VERIFY does in fact have no way to specify a
pkey_algo, I'll allow NULL pkey_algo in v2.

Note that SM2 isn't implemented correctly when sig->pkey_algo is NULL, as the
following code incorrectly uses the signature's pkey_algo rather than the key's:

        if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 &&
            sig->data_size) {
                ret = cert_sig_digest_update(sig, tfm);
                if (ret)
                        goto error_free_key;
        }

I'm not sure whether I should even bother fixing that, given how broken the SM2
stuff is anyway.

- Eric