1 /* 2 * Copyright (C) 2011 Nokia Corporation 3 * Copyright (C) 2011 Intel Corporation 4 * 5 * Author: 6 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com> 7 * <dmitry.kasatkin@intel.com> 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License as published by 11 * the Free Software Foundation, version 2 of the License. 12 * 13 * File: sign.c 14 * implements signature (RSA) verification 15 * pkcs decoding is based on LibTomCrypt code 16 */ 17 18 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 19 20 #include <linux/err.h> 21 #include <linux/module.h> 22 #include <linux/slab.h> 23 #include <linux/key.h> 24 #include <linux/crypto.h> 25 #include <crypto/hash.h> 26 #include <crypto/sha.h> 27 #include <keys/user-type.h> 28 #include <linux/mpi.h> 29 #include <linux/digsig.h> 30 31 static struct crypto_shash *shash; 32 33 static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, 34 unsigned long msglen, 35 unsigned long modulus_bitlen, 36 unsigned long *outlen) 37 { 38 unsigned long modulus_len, ps_len, i; 39 40 modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); 41 42 /* test message size */ 43 if ((msglen > modulus_len) || (modulus_len < 11)) 44 return NULL; 45 46 /* separate encoded message */ 47 if (msg[0] != 0x00 || msg[1] != 0x01) 48 return NULL; 49 50 for (i = 2; i < modulus_len - 1; i++) 51 if (msg[i] != 0xFF) 52 break; 53 54 /* separator check */ 55 if (msg[i] != 0) 56 /* There was no octet with hexadecimal value 0x00 57 to separate ps from m. */ 58 return NULL; 59 60 ps_len = i - 2; 61 62 *outlen = (msglen - (2 + ps_len + 1)); 63 64 return msg + 2 + ps_len + 1; 65 } 66 67 /* 68 * RSA Signature verification with public key 69 */ 70 static int digsig_verify_rsa(struct key *key, 71 const char *sig, int siglen, 72 const char *h, int hlen) 73 { 74 int err = -EINVAL; 75 unsigned long len; 76 unsigned long mlen, mblen; 77 unsigned nret, l; 78 int head, i; 79 unsigned char *out1 = NULL; 80 const char *m; 81 MPI in = NULL, res = NULL, pkey[2]; 82 uint8_t *p, *datap; 83 const uint8_t *endp; 84 const struct user_key_payload *ukp; 85 struct pubkey_hdr *pkh; 86 87 down_read(&key->sem); 88 ukp = user_key_payload_locked(key); 89 90 if (!ukp) { 91 /* key was revoked before we acquired its semaphore */ 92 err = -EKEYREVOKED; 93 goto err1; 94 } 95 96 if (ukp->datalen < sizeof(*pkh)) 97 goto err1; 98 99 pkh = (struct pubkey_hdr *)ukp->data; 100 101 if (pkh->version != 1) 102 goto err1; 103 104 if (pkh->algo != PUBKEY_ALGO_RSA) 105 goto err1; 106 107 if (pkh->nmpi != 2) 108 goto err1; 109 110 datap = pkh->mpi; 111 endp = ukp->data + ukp->datalen; 112 113 for (i = 0; i < pkh->nmpi; i++) { 114 unsigned int remaining = endp - datap; 115 pkey[i] = mpi_read_from_buffer(datap, &remaining); 116 if (IS_ERR(pkey[i])) { 117 err = PTR_ERR(pkey[i]); 118 goto err; 119 } 120 datap += remaining; 121 } 122 123 mblen = mpi_get_nbits(pkey[0]); 124 mlen = DIV_ROUND_UP(mblen, 8); 125 126 if (mlen == 0) { 127 err = -EINVAL; 128 goto err; 129 } 130 131 err = -ENOMEM; 132 133 out1 = kzalloc(mlen, GFP_KERNEL); 134 if (!out1) 135 goto err; 136 137 nret = siglen; 138 in = mpi_read_from_buffer(sig, &nret); 139 if (IS_ERR(in)) { 140 err = PTR_ERR(in); 141 goto err; 142 } 143 144 res = mpi_alloc(mpi_get_nlimbs(in) * 2); 145 if (!res) 146 goto err; 147 148 err = mpi_powm(res, in, pkey[1], pkey[0]); 149 if (err) 150 goto err; 151 152 if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) { 153 err = -EINVAL; 154 goto err; 155 } 156 157 p = mpi_get_buffer(res, &l, NULL); 158 if (!p) { 159 err = -EINVAL; 160 goto err; 161 } 162 163 len = mlen; 164 head = len - l; 165 memset(out1, 0, head); 166 memcpy(out1 + head, p, l); 167 168 kfree(p); 169 170 m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len); 171 172 if (!m || len != hlen || memcmp(m, h, hlen)) 173 err = -EINVAL; 174 175 err: 176 mpi_free(in); 177 mpi_free(res); 178 kfree(out1); 179 while (--i >= 0) 180 mpi_free(pkey[i]); 181 err1: 182 up_read(&key->sem); 183 184 return err; 185 } 186 187 /** 188 * digsig_verify() - digital signature verification with public key 189 * @keyring: keyring to search key in 190 * @sig: digital signature 191 * @siglen: length of the signature 192 * @data: data 193 * @datalen: length of the data 194 * 195 * Returns 0 on success, -EINVAL otherwise 196 * 197 * Verifies data integrity against digital signature. 198 * Currently only RSA is supported. 199 * Normally hash of the content is used as a data for this function. 200 * 201 */ 202 int digsig_verify(struct key *keyring, const char *sig, int siglen, 203 const char *data, int datalen) 204 { 205 int err = -ENOMEM; 206 struct signature_hdr *sh = (struct signature_hdr *)sig; 207 struct shash_desc *desc = NULL; 208 unsigned char hash[SHA1_DIGEST_SIZE]; 209 struct key *key; 210 char name[20]; 211 212 if (siglen < sizeof(*sh) + 2) 213 return -EINVAL; 214 215 if (sh->algo != PUBKEY_ALGO_RSA) 216 return -ENOTSUPP; 217 218 sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid)); 219 220 if (keyring) { 221 /* search in specific keyring */ 222 key_ref_t kref; 223 kref = keyring_search(make_key_ref(keyring, 1UL), 224 &key_type_user, name); 225 if (IS_ERR(kref)) 226 key = ERR_CAST(kref); 227 else 228 key = key_ref_to_ptr(kref); 229 } else { 230 key = request_key(&key_type_user, name, NULL); 231 } 232 if (IS_ERR(key)) { 233 pr_err("key not found, id: %s\n", name); 234 return PTR_ERR(key); 235 } 236 237 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 238 GFP_KERNEL); 239 if (!desc) 240 goto err; 241 242 desc->tfm = shash; 243 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 244 245 crypto_shash_init(desc); 246 crypto_shash_update(desc, data, datalen); 247 crypto_shash_update(desc, sig, sizeof(*sh)); 248 crypto_shash_final(desc, hash); 249 250 kfree(desc); 251 252 /* pass signature mpis address */ 253 err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh), 254 hash, sizeof(hash)); 255 256 err: 257 key_put(key); 258 259 return err ? -EINVAL : 0; 260 } 261 EXPORT_SYMBOL_GPL(digsig_verify); 262 263 static int __init digsig_init(void) 264 { 265 shash = crypto_alloc_shash("sha1", 0, 0); 266 if (IS_ERR(shash)) { 267 pr_err("shash allocation failed\n"); 268 return PTR_ERR(shash); 269 } 270 271 return 0; 272 273 } 274 275 static void __exit digsig_cleanup(void) 276 { 277 crypto_free_shash(shash); 278 } 279 280 module_init(digsig_init); 281 module_exit(digsig_cleanup); 282 283 MODULE_LICENSE("GPL"); 284