KEYS: asymmetric: Fix ECDSA use via keyctl uapi

When support for ECDSA keys was added, constraints for data & signature
sizes were never updated.  This makes it impossible to use such keys via
keyctl API from userspace.

Update constraint on max_data_size to 64 bytes in order to support
SHA512-based signatures. Also update the signature length constraints
per ECDSA signature encoding described in RFC 5480.

Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys")
Signed-off-by: Denis Kenzior <denkenz@gmail.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 2f8352e8886022acf8e1d268299a235c2fb3b275..eca5671ad3f2288eefe2a07b31d50b1a5728a8ed 100644 (file)
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -186,8 +186,28 @@ static int software_key_query(const struct kernel_pkey_params *params,
 
        len = crypto_akcipher_maxsize(tfm);
        info->key_size = len * 8;
-       info->max_data_size = len;
-       info->max_sig_size = len;
+
+       if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) {
+               /*
+                * ECDSA key sizes are much smaller than RSA, and thus could
+                * operate on (hashed) inputs that are larger than key size.
+                * For example SHA384-hashed input used with secp256r1
+                * based keys.  Set max_data_size to be at least as large as
+                * the largest supported hash size (SHA512)
+                */
+               info->max_data_size = 64;
+
+               /*
+                * Verify takes ECDSA-Sig (described in RFC 5480) as input,
+                * which is actually 2 'key_size'-bit integers encoded in
+                * ASN.1.  Account for the ASN.1 encoding overhead here.
+                */
+               info->max_sig_size = 2 * (len + 3) + 2;
+       } else {
+               info->max_data_size = len;
+               info->max_sig_size = len;
+       }
+
        info->max_enc_size = len;
        info->max_dec_size = len;
        info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |