1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-only
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * Copyright (C) 2011 Nokia Corporation
4*4882a593Smuzhiyun * Copyright (C) 2011 Intel Corporation
5*4882a593Smuzhiyun *
6*4882a593Smuzhiyun * Author:
7*4882a593Smuzhiyun * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
8*4882a593Smuzhiyun * <dmitry.kasatkin@intel.com>
9*4882a593Smuzhiyun *
10*4882a593Smuzhiyun * File: sign.c
11*4882a593Smuzhiyun * implements signature (RSA) verification
12*4882a593Smuzhiyun * pkcs decoding is based on LibTomCrypt code
13*4882a593Smuzhiyun */
14*4882a593Smuzhiyun
15*4882a593Smuzhiyun #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16*4882a593Smuzhiyun
17*4882a593Smuzhiyun #include <linux/err.h>
18*4882a593Smuzhiyun #include <linux/module.h>
19*4882a593Smuzhiyun #include <linux/slab.h>
20*4882a593Smuzhiyun #include <linux/key.h>
21*4882a593Smuzhiyun #include <linux/crypto.h>
22*4882a593Smuzhiyun #include <crypto/hash.h>
23*4882a593Smuzhiyun #include <crypto/sha.h>
24*4882a593Smuzhiyun #include <keys/user-type.h>
25*4882a593Smuzhiyun #include <linux/mpi.h>
26*4882a593Smuzhiyun #include <linux/digsig.h>
27*4882a593Smuzhiyun
28*4882a593Smuzhiyun static struct crypto_shash *shash;
29*4882a593Smuzhiyun
pkcs_1_v1_5_decode_emsa(const unsigned char * msg,unsigned long msglen,unsigned long modulus_bitlen,unsigned long * outlen)30*4882a593Smuzhiyun static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg,
31*4882a593Smuzhiyun unsigned long msglen,
32*4882a593Smuzhiyun unsigned long modulus_bitlen,
33*4882a593Smuzhiyun unsigned long *outlen)
34*4882a593Smuzhiyun {
35*4882a593Smuzhiyun unsigned long modulus_len, ps_len, i;
36*4882a593Smuzhiyun
37*4882a593Smuzhiyun modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0);
38*4882a593Smuzhiyun
39*4882a593Smuzhiyun /* test message size */
40*4882a593Smuzhiyun if ((msglen > modulus_len) || (modulus_len < 11))
41*4882a593Smuzhiyun return NULL;
42*4882a593Smuzhiyun
43*4882a593Smuzhiyun /* separate encoded message */
44*4882a593Smuzhiyun if (msg[0] != 0x00 || msg[1] != 0x01)
45*4882a593Smuzhiyun return NULL;
46*4882a593Smuzhiyun
47*4882a593Smuzhiyun for (i = 2; i < modulus_len - 1; i++)
48*4882a593Smuzhiyun if (msg[i] != 0xFF)
49*4882a593Smuzhiyun break;
50*4882a593Smuzhiyun
51*4882a593Smuzhiyun /* separator check */
52*4882a593Smuzhiyun if (msg[i] != 0)
53*4882a593Smuzhiyun /* There was no octet with hexadecimal value 0x00
54*4882a593Smuzhiyun to separate ps from m. */
55*4882a593Smuzhiyun return NULL;
56*4882a593Smuzhiyun
57*4882a593Smuzhiyun ps_len = i - 2;
58*4882a593Smuzhiyun
59*4882a593Smuzhiyun *outlen = (msglen - (2 + ps_len + 1));
60*4882a593Smuzhiyun
61*4882a593Smuzhiyun return msg + 2 + ps_len + 1;
62*4882a593Smuzhiyun }
63*4882a593Smuzhiyun
64*4882a593Smuzhiyun /*
65*4882a593Smuzhiyun * RSA Signature verification with public key
66*4882a593Smuzhiyun */
digsig_verify_rsa(struct key * key,const char * sig,int siglen,const char * h,int hlen)67*4882a593Smuzhiyun static int digsig_verify_rsa(struct key *key,
68*4882a593Smuzhiyun const char *sig, int siglen,
69*4882a593Smuzhiyun const char *h, int hlen)
70*4882a593Smuzhiyun {
71*4882a593Smuzhiyun int err = -EINVAL;
72*4882a593Smuzhiyun unsigned long len;
73*4882a593Smuzhiyun unsigned long mlen, mblen;
74*4882a593Smuzhiyun unsigned nret, l;
75*4882a593Smuzhiyun int head, i;
76*4882a593Smuzhiyun unsigned char *out1 = NULL;
77*4882a593Smuzhiyun const char *m;
78*4882a593Smuzhiyun MPI in = NULL, res = NULL, pkey[2];
79*4882a593Smuzhiyun uint8_t *p, *datap;
80*4882a593Smuzhiyun const uint8_t *endp;
81*4882a593Smuzhiyun const struct user_key_payload *ukp;
82*4882a593Smuzhiyun struct pubkey_hdr *pkh;
83*4882a593Smuzhiyun
84*4882a593Smuzhiyun down_read(&key->sem);
85*4882a593Smuzhiyun ukp = user_key_payload_locked(key);
86*4882a593Smuzhiyun
87*4882a593Smuzhiyun if (!ukp) {
88*4882a593Smuzhiyun /* key was revoked before we acquired its semaphore */
89*4882a593Smuzhiyun err = -EKEYREVOKED;
90*4882a593Smuzhiyun goto err1;
91*4882a593Smuzhiyun }
92*4882a593Smuzhiyun
93*4882a593Smuzhiyun if (ukp->datalen < sizeof(*pkh))
94*4882a593Smuzhiyun goto err1;
95*4882a593Smuzhiyun
96*4882a593Smuzhiyun pkh = (struct pubkey_hdr *)ukp->data;
97*4882a593Smuzhiyun
98*4882a593Smuzhiyun if (pkh->version != 1)
99*4882a593Smuzhiyun goto err1;
100*4882a593Smuzhiyun
101*4882a593Smuzhiyun if (pkh->algo != PUBKEY_ALGO_RSA)
102*4882a593Smuzhiyun goto err1;
103*4882a593Smuzhiyun
104*4882a593Smuzhiyun if (pkh->nmpi != 2)
105*4882a593Smuzhiyun goto err1;
106*4882a593Smuzhiyun
107*4882a593Smuzhiyun datap = pkh->mpi;
108*4882a593Smuzhiyun endp = ukp->data + ukp->datalen;
109*4882a593Smuzhiyun
110*4882a593Smuzhiyun for (i = 0; i < pkh->nmpi; i++) {
111*4882a593Smuzhiyun unsigned int remaining = endp - datap;
112*4882a593Smuzhiyun pkey[i] = mpi_read_from_buffer(datap, &remaining);
113*4882a593Smuzhiyun if (IS_ERR(pkey[i])) {
114*4882a593Smuzhiyun err = PTR_ERR(pkey[i]);
115*4882a593Smuzhiyun goto err;
116*4882a593Smuzhiyun }
117*4882a593Smuzhiyun datap += remaining;
118*4882a593Smuzhiyun }
119*4882a593Smuzhiyun
120*4882a593Smuzhiyun mblen = mpi_get_nbits(pkey[0]);
121*4882a593Smuzhiyun mlen = DIV_ROUND_UP(mblen, 8);
122*4882a593Smuzhiyun
123*4882a593Smuzhiyun if (mlen == 0) {
124*4882a593Smuzhiyun err = -EINVAL;
125*4882a593Smuzhiyun goto err;
126*4882a593Smuzhiyun }
127*4882a593Smuzhiyun
128*4882a593Smuzhiyun err = -ENOMEM;
129*4882a593Smuzhiyun
130*4882a593Smuzhiyun out1 = kzalloc(mlen, GFP_KERNEL);
131*4882a593Smuzhiyun if (!out1)
132*4882a593Smuzhiyun goto err;
133*4882a593Smuzhiyun
134*4882a593Smuzhiyun nret = siglen;
135*4882a593Smuzhiyun in = mpi_read_from_buffer(sig, &nret);
136*4882a593Smuzhiyun if (IS_ERR(in)) {
137*4882a593Smuzhiyun err = PTR_ERR(in);
138*4882a593Smuzhiyun goto err;
139*4882a593Smuzhiyun }
140*4882a593Smuzhiyun
141*4882a593Smuzhiyun res = mpi_alloc(mpi_get_nlimbs(in) * 2);
142*4882a593Smuzhiyun if (!res)
143*4882a593Smuzhiyun goto err;
144*4882a593Smuzhiyun
145*4882a593Smuzhiyun err = mpi_powm(res, in, pkey[1], pkey[0]);
146*4882a593Smuzhiyun if (err)
147*4882a593Smuzhiyun goto err;
148*4882a593Smuzhiyun
149*4882a593Smuzhiyun if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) {
150*4882a593Smuzhiyun err = -EINVAL;
151*4882a593Smuzhiyun goto err;
152*4882a593Smuzhiyun }
153*4882a593Smuzhiyun
154*4882a593Smuzhiyun p = mpi_get_buffer(res, &l, NULL);
155*4882a593Smuzhiyun if (!p) {
156*4882a593Smuzhiyun err = -EINVAL;
157*4882a593Smuzhiyun goto err;
158*4882a593Smuzhiyun }
159*4882a593Smuzhiyun
160*4882a593Smuzhiyun len = mlen;
161*4882a593Smuzhiyun head = len - l;
162*4882a593Smuzhiyun memset(out1, 0, head);
163*4882a593Smuzhiyun memcpy(out1 + head, p, l);
164*4882a593Smuzhiyun
165*4882a593Smuzhiyun kfree(p);
166*4882a593Smuzhiyun
167*4882a593Smuzhiyun m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);
168*4882a593Smuzhiyun
169*4882a593Smuzhiyun if (!m || len != hlen || memcmp(m, h, hlen))
170*4882a593Smuzhiyun err = -EINVAL;
171*4882a593Smuzhiyun
172*4882a593Smuzhiyun err:
173*4882a593Smuzhiyun mpi_free(in);
174*4882a593Smuzhiyun mpi_free(res);
175*4882a593Smuzhiyun kfree(out1);
176*4882a593Smuzhiyun while (--i >= 0)
177*4882a593Smuzhiyun mpi_free(pkey[i]);
178*4882a593Smuzhiyun err1:
179*4882a593Smuzhiyun up_read(&key->sem);
180*4882a593Smuzhiyun
181*4882a593Smuzhiyun return err;
182*4882a593Smuzhiyun }
183*4882a593Smuzhiyun
184*4882a593Smuzhiyun /**
185*4882a593Smuzhiyun * digsig_verify() - digital signature verification with public key
186*4882a593Smuzhiyun * @keyring: keyring to search key in
187*4882a593Smuzhiyun * @sig: digital signature
188*4882a593Smuzhiyun * @siglen: length of the signature
189*4882a593Smuzhiyun * @data: data
190*4882a593Smuzhiyun * @datalen: length of the data
191*4882a593Smuzhiyun *
192*4882a593Smuzhiyun * Returns 0 on success, -EINVAL otherwise
193*4882a593Smuzhiyun *
194*4882a593Smuzhiyun * Verifies data integrity against digital signature.
195*4882a593Smuzhiyun * Currently only RSA is supported.
196*4882a593Smuzhiyun * Normally hash of the content is used as a data for this function.
197*4882a593Smuzhiyun *
198*4882a593Smuzhiyun */
digsig_verify(struct key * keyring,const char * sig,int siglen,const char * data,int datalen)199*4882a593Smuzhiyun int digsig_verify(struct key *keyring, const char *sig, int siglen,
200*4882a593Smuzhiyun const char *data, int datalen)
201*4882a593Smuzhiyun {
202*4882a593Smuzhiyun int err = -ENOMEM;
203*4882a593Smuzhiyun struct signature_hdr *sh = (struct signature_hdr *)sig;
204*4882a593Smuzhiyun struct shash_desc *desc = NULL;
205*4882a593Smuzhiyun unsigned char hash[SHA1_DIGEST_SIZE];
206*4882a593Smuzhiyun struct key *key;
207*4882a593Smuzhiyun char name[20];
208*4882a593Smuzhiyun
209*4882a593Smuzhiyun if (siglen < sizeof(*sh) + 2)
210*4882a593Smuzhiyun return -EINVAL;
211*4882a593Smuzhiyun
212*4882a593Smuzhiyun if (sh->algo != PUBKEY_ALGO_RSA)
213*4882a593Smuzhiyun return -ENOTSUPP;
214*4882a593Smuzhiyun
215*4882a593Smuzhiyun sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid));
216*4882a593Smuzhiyun
217*4882a593Smuzhiyun if (keyring) {
218*4882a593Smuzhiyun /* search in specific keyring */
219*4882a593Smuzhiyun key_ref_t kref;
220*4882a593Smuzhiyun kref = keyring_search(make_key_ref(keyring, 1UL),
221*4882a593Smuzhiyun &key_type_user, name, true);
222*4882a593Smuzhiyun if (IS_ERR(kref))
223*4882a593Smuzhiyun key = ERR_CAST(kref);
224*4882a593Smuzhiyun else
225*4882a593Smuzhiyun key = key_ref_to_ptr(kref);
226*4882a593Smuzhiyun } else {
227*4882a593Smuzhiyun key = request_key(&key_type_user, name, NULL);
228*4882a593Smuzhiyun }
229*4882a593Smuzhiyun if (IS_ERR(key)) {
230*4882a593Smuzhiyun pr_err("key not found, id: %s\n", name);
231*4882a593Smuzhiyun return PTR_ERR(key);
232*4882a593Smuzhiyun }
233*4882a593Smuzhiyun
234*4882a593Smuzhiyun desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
235*4882a593Smuzhiyun GFP_KERNEL);
236*4882a593Smuzhiyun if (!desc)
237*4882a593Smuzhiyun goto err;
238*4882a593Smuzhiyun
239*4882a593Smuzhiyun desc->tfm = shash;
240*4882a593Smuzhiyun
241*4882a593Smuzhiyun crypto_shash_init(desc);
242*4882a593Smuzhiyun crypto_shash_update(desc, data, datalen);
243*4882a593Smuzhiyun crypto_shash_update(desc, sig, sizeof(*sh));
244*4882a593Smuzhiyun crypto_shash_final(desc, hash);
245*4882a593Smuzhiyun
246*4882a593Smuzhiyun kfree(desc);
247*4882a593Smuzhiyun
248*4882a593Smuzhiyun /* pass signature mpis address */
249*4882a593Smuzhiyun err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh),
250*4882a593Smuzhiyun hash, sizeof(hash));
251*4882a593Smuzhiyun
252*4882a593Smuzhiyun err:
253*4882a593Smuzhiyun key_put(key);
254*4882a593Smuzhiyun
255*4882a593Smuzhiyun return err ? -EINVAL : 0;
256*4882a593Smuzhiyun }
257*4882a593Smuzhiyun EXPORT_SYMBOL_GPL(digsig_verify);
258*4882a593Smuzhiyun
digsig_init(void)259*4882a593Smuzhiyun static int __init digsig_init(void)
260*4882a593Smuzhiyun {
261*4882a593Smuzhiyun shash = crypto_alloc_shash("sha1", 0, 0);
262*4882a593Smuzhiyun if (IS_ERR(shash)) {
263*4882a593Smuzhiyun pr_err("shash allocation failed\n");
264*4882a593Smuzhiyun return PTR_ERR(shash);
265*4882a593Smuzhiyun }
266*4882a593Smuzhiyun
267*4882a593Smuzhiyun return 0;
268*4882a593Smuzhiyun
269*4882a593Smuzhiyun }
270*4882a593Smuzhiyun
digsig_cleanup(void)271*4882a593Smuzhiyun static void __exit digsig_cleanup(void)
272*4882a593Smuzhiyun {
273*4882a593Smuzhiyun crypto_free_shash(shash);
274*4882a593Smuzhiyun }
275*4882a593Smuzhiyun
276*4882a593Smuzhiyun module_init(digsig_init);
277*4882a593Smuzhiyun module_exit(digsig_cleanup);
278*4882a593Smuzhiyun
279*4882a593Smuzhiyun MODULE_LICENSE("GPL");
280