From: Stefan Berger <stefanb@linux.ibm.com>
To: The development of GNU GRUB <grub-devel@gnu.org>,
Daniel Axtens <dja@axtens.net>
Cc: rashmica.g@gmail.com, alastair@d-silva.org, nayna@linux.ibm.com
Subject: Re: [PATCH v2 08/22] pgp: factor out rsa_pad
Date: Mon, 12 Jul 2021 08:52:47 -0400 [thread overview]
Message-ID: <3ee39ab1-c792-07ee-2e05-07634216e278@linux.ibm.com> (raw)
In-Reply-To: <20210630084031.2663622-9-dja@axtens.net>
On 6/30/21 4:40 AM, Daniel Axtens wrote:
> rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
> We want to use it in other RSA signature verification applications.
>
> I considered and rejected putting it in lib/crypto.c. That file doesn't
> currently require any MPI functions, but rsa_pad does. That's not so
> much of a problem for the grub kernel and modules, but crypto.c also
> gets built into all the grub utilities. So - despite the utils not
> using any asymmetric ciphers - we would need to built the entire MPI
> infrastructure in to them.
>
> A better and simpler solution is just to spin rsa_pad out into its own
> PKCS#1 v1.5 module.
>
> Signed-off-by: Daniel Axtens <dja@axtens.net>
This an almost straight move of code from one function into another one:
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> grub-core/Makefile.core.def | 8 +++++
> grub-core/commands/pgp.c | 28 ++----------------
> grub-core/lib/pkcs1_v15.c | 59 +++++++++++++++++++++++++++++++++++++
> include/grub/pkcs1_v15.h | 27 +++++++++++++++++
> 4 files changed, 96 insertions(+), 26 deletions(-)
> create mode 100644 grub-core/lib/pkcs1_v15.c
> create mode 100644 include/grub/pkcs1_v15.h
>
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 8022e1c0a794..915287d44c13 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -2469,6 +2469,14 @@ module = {
> cppflags = '$(CPPFLAGS_GCRY)';
> };
>
> +module = {
> + name = pkcs1_v15;
> + common = lib/pkcs1_v15.c;
> +
> + cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
> + cppflags = '$(CPPFLAGS_GCRY)';
> +};
> +
> module = {
> name = all_video;
> common = lib/fake_module.c;
> diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
> index 5daa1e9d00c7..2408db4994f6 100644
> --- a/grub-core/commands/pgp.c
> +++ b/grub-core/commands/pgp.c
> @@ -24,6 +24,7 @@
> #include <grub/file.h>
> #include <grub/command.h>
> #include <grub/crypto.h>
> +#include <grub/pkcs1_v15.h>
> #include <grub/i18n.h>
> #include <grub/gcrypt/gcrypt.h>
> #include <grub/pubkey.h>
> @@ -411,32 +412,7 @@ static int
> rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
> {
> - grub_size_t tlen, emlen, fflen;
> - grub_uint8_t *em, *emptr;
> - unsigned nbits = gcry_mpi_get_nbits (sk->mpis[0]);
> - int ret;
> - tlen = hash->mdlen + hash->asnlen;
> - emlen = (nbits + 7) / 8;
> - if (emlen < tlen + 11)
> - return 1;
> -
> - em = grub_malloc (emlen);
> - if (!em)
> - return 1;
> -
> - em[0] = 0x00;
> - em[1] = 0x01;
> - fflen = emlen - tlen - 3;
> - for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
> - *emptr = 0xff;
> - *emptr++ = 0x00;
> - grub_memcpy (emptr, hash->asnoid, hash->asnlen);
> - emptr += hash->asnlen;
> - grub_memcpy (emptr, hval, hash->mdlen);
> -
> - ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
> - grub_free (em);
> - return ret;
> + return grub_crypto_rsa_pad(hmpi, hval, hash, sk->mpis[0]);
> }
>
> struct grub_pubkey_context
> diff --git a/grub-core/lib/pkcs1_v15.c b/grub-core/lib/pkcs1_v15.c
> new file mode 100644
> index 000000000000..dbacd563d014
> --- /dev/null
> +++ b/grub-core/lib/pkcs1_v15.c
> @@ -0,0 +1,59 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2013 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <grub/dl.h>
> +#include <grub/gcrypt/gcrypt.h>
> +
> +GRUB_MOD_LICENSE ("GPLv3+");
> +
> +/*
> + * Given a hash value 'hval', of hash specification 'hash', perform
> + * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
> + * (see RFC 8017 s 9.2) and place the result in 'hmpi'.
> + */
> +gcry_err_code_t
> +grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
> + const gcry_md_spec_t * hash, gcry_mpi_t mod)
> +{
> + grub_size_t tlen, emlen, fflen;
> + grub_uint8_t *em, *emptr;
> + unsigned nbits = gcry_mpi_get_nbits (mod);
> + int ret;
> + tlen = hash->mdlen + hash->asnlen;
> + emlen = (nbits + 7) / 8;
> + if (emlen < tlen + 11)
> + return GPG_ERR_TOO_SHORT;
> +
> + em = grub_malloc (emlen);
> + if (!em)
> + return 1;
> +
> + em[0] = 0x00;
> + em[1] = 0x01;
> + fflen = emlen - tlen - 3;
> + for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
> + *emptr = 0xff;
> + *emptr++ = 0x00;
> + grub_memcpy (emptr, hash->asnoid, hash->asnlen);
> + emptr += hash->asnlen;
> + grub_memcpy (emptr, hval, hash->mdlen);
> +
> + ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
> + grub_free (em);
> + return ret;
> +}
> diff --git a/include/grub/pkcs1_v15.h b/include/grub/pkcs1_v15.h
> new file mode 100644
> index 000000000000..5c338c84a158
> --- /dev/null
> +++ b/include/grub/pkcs1_v15.h
> @@ -0,0 +1,27 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2013 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +/*
> + * Given a hash value 'hval', of hash specification 'hash', perform
> + * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
> + * (See RFC 8017 s 9.2)
> + */
> +gcry_err_code_t
> +grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
> + const gcry_md_spec_t * hash, gcry_mpi_t mod);
> +
next prev parent reply other threads:[~2021-07-12 12:53 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-30 8:40 [PATCH v2 00/22] appended signature secure boot support Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 01/22] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE Daniel Axtens
2021-07-12 12:33 ` Stefan Berger
2021-07-14 16:21 ` Daniel Kiper
2021-06-30 8:40 ` [PATCH v2 02/22] ieee1275: claim more memory Daniel Axtens
2021-07-12 12:35 ` Stefan Berger
2021-07-15 21:51 ` Daniel Kiper
2021-07-16 3:59 ` Patrick Steinhardt
2021-07-21 14:45 ` Daniel Kiper
2021-07-21 15:24 ` Stefan Berger
2021-07-22 17:11 ` Stefan Berger
2021-07-28 11:17 ` Daniel Kiper
2021-06-30 8:40 ` [PATCH v2 03/22] ieee1275: request memory with ibm, client-architecture-support Daniel Axtens
2021-07-12 12:40 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 04/22] Add suport for signing grub with an appended signature Daniel Axtens
2021-07-12 12:43 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 05/22] docs/grub: Document signing grub under UEFI Daniel Axtens
2021-07-12 12:44 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 06/22] docs/grub: Document signing grub with an appended signature Daniel Axtens
2021-07-12 12:46 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 07/22] dl: provide a fake grub_dl_set_persistent for the emu target Daniel Axtens
2021-07-12 12:48 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 08/22] pgp: factor out rsa_pad Daniel Axtens
2021-07-12 12:52 ` Stefan Berger [this message]
2021-06-30 8:40 ` [PATCH v2 09/22] crypto: move storage for grub_crypto_pk_* to crypto.c Daniel Axtens
2021-07-12 12:54 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 10/22] posix_wrap: tweaks in preparation for libtasn1 Daniel Axtens
2021-07-12 12:56 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 11/22] libtasn1: import libtasn1-4.16.0 Daniel Axtens
2021-07-20 21:46 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 12/22] libtasn1: disable code not needed in grub Daniel Axtens
2021-07-20 21:47 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 13/22] libtasn1: changes for grub compatibility Daniel Axtens
2021-07-12 13:04 ` Stefan Berger
2022-04-21 6:16 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 14/22] libtasn1: compile into asn1 module Daniel Axtens
2021-07-12 13:05 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 15/22] test_asn1: test module for libtasn1 Daniel Axtens
2021-07-12 19:35 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 16/22] grub-install: support embedding x509 certificates Daniel Axtens
2021-07-12 20:24 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 17/22] appended signatures: import GNUTLS's ASN.1 description files Daniel Axtens
2021-07-19 21:09 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 18/22] appended signatures: parse PKCS#7 signedData and X.509 certificates Daniel Axtens
2021-07-19 22:02 ` Stefan Berger
2022-04-21 6:36 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 19/22] appended signatures: support verifying appended signatures Daniel Axtens
2021-07-20 1:31 ` Stefan Berger
2022-04-21 7:10 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 20/22] appended signatures: verification tests Daniel Axtens
2021-07-20 12:49 ` Stefan Berger
2021-06-30 8:40 ` [PATCH v2 21/22] appended signatures: documentation Daniel Axtens
2021-07-19 22:24 ` Stefan Berger
2022-04-21 7:15 ` Daniel Axtens
2021-06-30 8:40 ` [PATCH v2 22/22] ieee1275: enter lockdown based on /ibm,secure-boot Daniel Axtens
2021-07-19 22:08 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3ee39ab1-c792-07ee-2e05-07634216e278@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=alastair@d-silva.org \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=nayna@linux.ibm.com \
--cc=rashmica.g@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.