1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Nokia Corporation 4 * Copyright (C) 2011 Intel Corporation 5 * 6 * Author: 7 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com> 8 * <dmitry.kasatkin@intel.com> 9 * 10 * File: sign.c 11 * implements signature (RSA) verification 12 * pkcs decoding is based on LibTomCrypt code 13 */ 14 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 17 #include <linux/err.h> 18 #include <linux/module.h> 19 #include <linux/slab.h> 20 #include <linux/key.h> 21 #include <crypto/sha1.h> 22 #include <keys/user-type.h> 23 #include <linux/mpi.h> 24 #include <linux/digsig.h> 25 26 static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, 27 unsigned long msglen, 28 unsigned long modulus_bitlen, 29 unsigned long *outlen) 30 { 31 unsigned long modulus_len, ps_len, i; 32 33 modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); 34 35 /* test message size */ 36 if ((msglen > modulus_len) || (modulus_len < 11)) 37 return NULL; 38 39 /* separate encoded message */ 40 if (msg[0] != 0x00 || msg[1] != 0x01) 41 return NULL; 42 43 for (i = 2; i < modulus_len - 1; i++) 44 if (msg[i] != 0xFF) 45 break; 46 47 /* separator check */ 48 if (msg[i] != 0) 49 /* There was no octet with hexadecimal value 0x00 50 to separate ps from m. */ 51 return NULL; 52 53 ps_len = i - 2; 54 55 *outlen = (msglen - (2 + ps_len + 1)); 56 57 return msg + 2 + ps_len + 1; 58 } 59 60 /* 61 * RSA Signature verification with public key 62 */ 63 static int digsig_verify_rsa(struct key *key, 64 const char *sig, int siglen, 65 const char *h, int hlen) 66 { 67 int err = -EINVAL; 68 unsigned long len; 69 unsigned long mlen, mblen; 70 unsigned nret, l; 71 int head, i; 72 unsigned char *out1 = NULL; 73 const char *m; 74 MPI in = NULL, res = NULL, pkey[2]; 75 uint8_t *p, *datap; 76 const uint8_t *endp; 77 const struct user_key_payload *ukp; 78 struct pubkey_hdr *pkh; 79 80 down_read(&key->sem); 81 ukp = user_key_payload_locked(key); 82 83 if (!ukp) { 84 /* key was revoked before we acquired its semaphore */ 85 err = -EKEYREVOKED; 86 goto err1; 87 } 88 89 if (ukp->datalen < sizeof(*pkh)) 90 goto err1; 91 92 pkh = (struct pubkey_hdr *)ukp->data; 93 94 if (pkh->version != 1) 95 goto err1; 96 97 if (pkh->algo != PUBKEY_ALGO_RSA) 98 goto err1; 99 100 if (pkh->nmpi != 2) 101 goto err1; 102 103 datap = pkh->mpi; 104 endp = ukp->data + ukp->datalen; 105 106 for (i = 0; i < pkh->nmpi; i++) { 107 unsigned int remaining = endp - datap; 108 pkey[i] = mpi_read_from_buffer(datap, &remaining); 109 if (IS_ERR(pkey[i])) { 110 err = PTR_ERR(pkey[i]); 111 goto err; 112 } 113 datap += remaining; 114 } 115 116 mblen = mpi_get_nbits(pkey[0]); 117 mlen = DIV_ROUND_UP(mblen, 8); 118 119 if (mlen == 0) { 120 err = -EINVAL; 121 goto err; 122 } 123 124 err = -ENOMEM; 125 126 out1 = kzalloc(mlen, GFP_KERNEL); 127 if (!out1) 128 goto err; 129 130 nret = siglen; 131 in = mpi_read_from_buffer(sig, &nret); 132 if (IS_ERR(in)) { 133 err = PTR_ERR(in); 134 goto err; 135 } 136 137 res = mpi_alloc(mpi_get_nlimbs(in) * 2); 138 if (!res) 139 goto err; 140 141 err = mpi_powm(res, in, pkey[1], pkey[0]); 142 if (err) 143 goto err; 144 145 if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) { 146 err = -EINVAL; 147 goto err; 148 } 149 150 p = mpi_get_buffer(res, &l, NULL); 151 if (!p) { 152 err = -EINVAL; 153 goto err; 154 } 155 156 len = mlen; 157 head = len - l; 158 memcpy(out1 + head, p, l); 159 160 kfree(p); 161 162 m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len); 163 164 if (!m || len != hlen || memcmp(m, h, hlen)) 165 err = -EINVAL; 166 167 err: 168 mpi_free(in); 169 mpi_free(res); 170 kfree(out1); 171 while (--i >= 0) 172 mpi_free(pkey[i]); 173 err1: 174 up_read(&key->sem); 175 176 return err; 177 } 178 179 /** 180 * digsig_verify() - digital signature verification with public key 181 * @keyring: keyring to search key in 182 * @sig: digital signature 183 * @siglen: length of the signature 184 * @data: data 185 * @datalen: length of the data 186 * 187 * Returns 0 on success, -EINVAL otherwise 188 * 189 * Verifies data integrity against digital signature. 190 * Currently only RSA is supported. 191 * Normally hash of the content is used as a data for this function. 192 * 193 */ 194 int digsig_verify(struct key *keyring, const char *sig, int siglen, 195 const char *data, int datalen) 196 { 197 struct signature_hdr *sh = (struct signature_hdr *)sig; 198 struct sha1_ctx ctx; 199 unsigned char hash[SHA1_DIGEST_SIZE]; 200 struct key *key; 201 char name[20]; 202 int err; 203 204 if (siglen < sizeof(*sh) + 2) 205 return -EINVAL; 206 207 if (sh->algo != PUBKEY_ALGO_RSA) 208 return -ENOTSUPP; 209 210 sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid)); 211 212 if (keyring) { 213 /* search in specific keyring */ 214 key_ref_t kref; 215 kref = keyring_search(make_key_ref(keyring, 1UL), 216 &key_type_user, name, true); 217 if (IS_ERR(kref)) 218 key = ERR_CAST(kref); 219 else 220 key = key_ref_to_ptr(kref); 221 } else { 222 key = request_key(&key_type_user, name, NULL); 223 } 224 if (IS_ERR(key)) { 225 pr_err("key not found, id: %s\n", name); 226 return PTR_ERR(key); 227 } 228 229 sha1_init(&ctx); 230 sha1_update(&ctx, data, datalen); 231 sha1_update(&ctx, sig, sizeof(*sh)); 232 sha1_final(&ctx, hash); 233 234 /* pass signature mpis address */ 235 err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh), 236 hash, sizeof(hash)); 237 238 key_put(key); 239 240 return err ? -EINVAL : 0; 241 } 242 EXPORT_SYMBOL_GPL(digsig_verify); 243 244 MODULE_LICENSE("GPL"); 245