From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: keyrings@vger.kernel.org, Vitaly Chikunov <vt@altlinux.org>,
Denis Kenzior <denkenz@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH v2 2/5] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
Date: Tue, 18 Jan 2022 16:13:03 -0800 [thread overview]
Message-ID: <20220119001306.85355-3-ebiggers@kernel.org> (raw)
In-Reply-To: <20220119001306.85355-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before. To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.
Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size. This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.
(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)
It is unclear whether the resulting scheme has any useful security
properties.
Fix this by correctly extracting the hash from the scatterlist.
Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
crypto/rsa-pkcs1pad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index 1b35457814258..7b223adebabf6 100644
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
sg_nents_for_len(req->src,
req->src_len + req->dst_len),
req_ctx->out_buf + ctx->key_size,
- req->dst_len, ctx->key_size);
+ req->dst_len, req->src_len);
/* Do the actual verification step. */
if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
req->dst_len) != 0)
--
2.34.1
next prev parent reply other threads:[~2022-01-19 0:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-19 0:13 [PATCH v2 0/5] crypto: rsa-pkcs1pad fixes Eric Biggers
2022-01-19 0:13 ` [PATCH v2 1/5] crypto: rsa-pkcs1pad - only allow with rsa Eric Biggers
2022-01-19 0:13 ` Eric Biggers [this message]
2022-01-19 0:13 ` [PATCH v2 3/5] crypto: rsa-pkcs1pad - restore signature length check Eric Biggers
2022-01-19 0:13 ` [PATCH v2 4/5] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() Eric Biggers
2022-01-19 0:13 ` [PATCH v2 5/5] crypto: rsa-pkcs1pad - use clearer variable names Eric Biggers
2022-01-28 6:26 ` [PATCH v2 0/5] crypto: rsa-pkcs1pad fixes Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220119001306.85355-3-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=denkenz@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.