blob: 6ba6fcd92dd10cd2c78898b35c65a0540b19bfb3
1 | /* |
2 | * Copyright (C) 2011 Nokia Corporation |
3 | * Copyright (C) 2011 Intel Corporation |
4 | * |
5 | * Author: |
6 | * Dmitry Kasatkin <dmitry.kasatkin@nokia.com> |
7 | * <dmitry.kasatkin@intel.com> |
8 | * |
9 | * This program is free software; you can redistribute it and/or modify |
10 | * it under the terms of the GNU General Public License as published by |
11 | * the Free Software Foundation, version 2 of the License. |
12 | * |
13 | * File: sign.c |
14 | * implements signature (RSA) verification |
15 | * pkcs decoding is based on LibTomCrypt code |
16 | */ |
17 | |
18 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
19 | |
20 | #include <linux/err.h> |
21 | #include <linux/module.h> |
22 | #include <linux/slab.h> |
23 | #include <linux/key.h> |
24 | #include <linux/crypto.h> |
25 | #include <crypto/hash.h> |
26 | #include <crypto/sha.h> |
27 | #include <keys/user-type.h> |
28 | #include <linux/mpi.h> |
29 | #include <linux/digsig.h> |
30 | |
31 | static struct crypto_shash *shash; |
32 | |
33 | static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, |
34 | unsigned long msglen, |
35 | unsigned long modulus_bitlen, |
36 | unsigned long *outlen) |
37 | { |
38 | unsigned long modulus_len, ps_len, i; |
39 | |
40 | modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0); |
41 | |
42 | /* test message size */ |
43 | if ((msglen > modulus_len) || (modulus_len < 11)) |
44 | return NULL; |
45 | |
46 | /* separate encoded message */ |
47 | if (msg[0] != 0x00 || msg[1] != 0x01) |
48 | return NULL; |
49 | |
50 | for (i = 2; i < modulus_len - 1; i++) |
51 | if (msg[i] != 0xFF) |
52 | break; |
53 | |
54 | /* separator check */ |
55 | if (msg[i] != 0) |
56 | /* There was no octet with hexadecimal value 0x00 |
57 | to separate ps from m. */ |
58 | return NULL; |
59 | |
60 | ps_len = i - 2; |
61 | |
62 | *outlen = (msglen - (2 + ps_len + 1)); |
63 | |
64 | return msg + 2 + ps_len + 1; |
65 | } |
66 | |
67 | /* |
68 | * RSA Signature verification with public key |
69 | */ |
70 | static int digsig_verify_rsa(struct key *key, |
71 | const char *sig, int siglen, |
72 | const char *h, int hlen) |
73 | { |
74 | int err = -EINVAL; |
75 | unsigned long len; |
76 | unsigned long mlen, mblen; |
77 | unsigned nret, l; |
78 | int head, i; |
79 | unsigned char *out1 = NULL; |
80 | const char *m; |
81 | MPI in = NULL, res = NULL, pkey[2]; |
82 | uint8_t *p, *datap; |
83 | const uint8_t *endp; |
84 | const struct user_key_payload *ukp; |
85 | struct pubkey_hdr *pkh; |
86 | |
87 | down_read(&key->sem); |
88 | ukp = user_key_payload_locked(key); |
89 | |
90 | if (!ukp) { |
91 | /* key was revoked before we acquired its semaphore */ |
92 | err = -EKEYREVOKED; |
93 | goto err1; |
94 | } |
95 | |
96 | if (ukp->datalen < sizeof(*pkh)) |
97 | goto err1; |
98 | |
99 | pkh = (struct pubkey_hdr *)ukp->data; |
100 | |
101 | if (pkh->version != 1) |
102 | goto err1; |
103 | |
104 | if (pkh->algo != PUBKEY_ALGO_RSA) |
105 | goto err1; |
106 | |
107 | if (pkh->nmpi != 2) |
108 | goto err1; |
109 | |
110 | datap = pkh->mpi; |
111 | endp = ukp->data + ukp->datalen; |
112 | |
113 | for (i = 0; i < pkh->nmpi; i++) { |
114 | unsigned int remaining = endp - datap; |
115 | pkey[i] = mpi_read_from_buffer(datap, &remaining); |
116 | if (IS_ERR(pkey[i])) { |
117 | err = PTR_ERR(pkey[i]); |
118 | goto err; |
119 | } |
120 | datap += remaining; |
121 | } |
122 | |
123 | mblen = mpi_get_nbits(pkey[0]); |
124 | mlen = DIV_ROUND_UP(mblen, 8); |
125 | |
126 | if (mlen == 0) { |
127 | err = -EINVAL; |
128 | goto err; |
129 | } |
130 | |
131 | err = -ENOMEM; |
132 | |
133 | out1 = kzalloc(mlen, GFP_KERNEL); |
134 | if (!out1) |
135 | goto err; |
136 | |
137 | nret = siglen; |
138 | in = mpi_read_from_buffer(sig, &nret); |
139 | if (IS_ERR(in)) { |
140 | err = PTR_ERR(in); |
141 | goto err; |
142 | } |
143 | |
144 | res = mpi_alloc(mpi_get_nlimbs(in) * 2); |
145 | if (!res) |
146 | goto err; |
147 | |
148 | err = mpi_powm(res, in, pkey[1], pkey[0]); |
149 | if (err) |
150 | goto err; |
151 | |
152 | if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) { |
153 | err = -EINVAL; |
154 | goto err; |
155 | } |
156 | |
157 | p = mpi_get_buffer(res, &l, NULL); |
158 | if (!p) { |
159 | err = -EINVAL; |
160 | goto err; |
161 | } |
162 | |
163 | len = mlen; |
164 | head = len - l; |
165 | memset(out1, 0, head); |
166 | memcpy(out1 + head, p, l); |
167 | |
168 | kfree(p); |
169 | |
170 | m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len); |
171 | |
172 | if (!m || len != hlen || memcmp(m, h, hlen)) |
173 | err = -EINVAL; |
174 | |
175 | err: |
176 | mpi_free(in); |
177 | mpi_free(res); |
178 | kfree(out1); |
179 | while (--i >= 0) |
180 | mpi_free(pkey[i]); |
181 | err1: |
182 | up_read(&key->sem); |
183 | |
184 | return err; |
185 | } |
186 | |
187 | /** |
188 | * digsig_verify() - digital signature verification with public key |
189 | * @keyring: keyring to search key in |
190 | * @sig: digital signature |
191 | * @siglen: length of the signature |
192 | * @data: data |
193 | * @datalen: length of the data |
194 | * |
195 | * Returns 0 on success, -EINVAL otherwise |
196 | * |
197 | * Verifies data integrity against digital signature. |
198 | * Currently only RSA is supported. |
199 | * Normally hash of the content is used as a data for this function. |
200 | * |
201 | */ |
202 | int digsig_verify(struct key *keyring, const char *sig, int siglen, |
203 | const char *data, int datalen) |
204 | { |
205 | int err = -ENOMEM; |
206 | struct signature_hdr *sh = (struct signature_hdr *)sig; |
207 | struct shash_desc *desc = NULL; |
208 | unsigned char hash[SHA1_DIGEST_SIZE]; |
209 | struct key *key; |
210 | char name[20]; |
211 | |
212 | if (siglen < sizeof(*sh) + 2) |
213 | return -EINVAL; |
214 | |
215 | if (sh->algo != PUBKEY_ALGO_RSA) |
216 | return -ENOTSUPP; |
217 | |
218 | sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid)); |
219 | |
220 | if (keyring) { |
221 | /* search in specific keyring */ |
222 | key_ref_t kref; |
223 | kref = keyring_search(make_key_ref(keyring, 1UL), |
224 | &key_type_user, name); |
225 | if (IS_ERR(kref)) |
226 | key = ERR_CAST(kref); |
227 | else |
228 | key = key_ref_to_ptr(kref); |
229 | } else { |
230 | key = request_key(&key_type_user, name, NULL); |
231 | } |
232 | if (IS_ERR(key)) { |
233 | pr_err("key not found, id: %s\n", name); |
234 | return PTR_ERR(key); |
235 | } |
236 | |
237 | desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), |
238 | GFP_KERNEL); |
239 | if (!desc) |
240 | goto err; |
241 | |
242 | desc->tfm = shash; |
243 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
244 | |
245 | crypto_shash_init(desc); |
246 | crypto_shash_update(desc, data, datalen); |
247 | crypto_shash_update(desc, sig, sizeof(*sh)); |
248 | crypto_shash_final(desc, hash); |
249 | |
250 | kfree(desc); |
251 | |
252 | /* pass signature mpis address */ |
253 | err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh), |
254 | hash, sizeof(hash)); |
255 | |
256 | err: |
257 | key_put(key); |
258 | |
259 | return err ? -EINVAL : 0; |
260 | } |
261 | EXPORT_SYMBOL_GPL(digsig_verify); |
262 | |
263 | static int __init digsig_init(void) |
264 | { |
265 | shash = crypto_alloc_shash("sha1", 0, 0); |
266 | if (IS_ERR(shash)) { |
267 | pr_err("shash allocation failed\n"); |
268 | return PTR_ERR(shash); |
269 | } |
270 | |
271 | return 0; |
272 | |
273 | } |
274 | |
275 | static void __exit digsig_cleanup(void) |
276 | { |
277 | crypto_free_shash(shash); |
278 | } |
279 | |
280 | module_init(digsig_init); |
281 | module_exit(digsig_cleanup); |
282 | |
283 | MODULE_LICENSE("GPL"); |
284 |