From: David Howells <dhowells@redhat.com>
To: herbert@gondor.hengli.com.au, rusty@rustcorp.com.au
Cc: linux-crypto@vger.kernel.org, zohar@us.ibm.com,
dmitry.kasatkin@intel.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 10/16] RSA: Fix signature verification for shorter signatures
Date: Fri, 14 Sep 2012 00:49:31 +0100 [thread overview]
Message-ID: <20120913234931.3575.10461.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20120913234802.3575.77103.stgit@warthog.procyon.org.uk>
gpg can produce a signature file where length of signature is less than the
modulus size because the amount of space an MPI takes up is kept as low as
possible by discarding leading zeros. This regularly happens for several
modules during the build.
Fix it by relaxing check in RSA verification code.
Thanks to Tomas Mraz and Miloslav Trmac for help.
Signed-off-by: Milan Broz <mbroz@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/rsa.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 9b31ee2..4a6a069 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -224,15 +224,23 @@ static int RSA_verify_signature(const struct public_key *key,
return -ENOTSUPP;
/* (1) Check the signature size against the public key modulus size */
- k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
+ k = mpi_get_nbits(key->rsa.n);
+ tsize = mpi_get_nbits(sig->rsa.s);
- tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
+ /* According to RFC 4880 sec 3.2, length of MPI is computed starting
+ * from most significant bit. So the RFC 3447 sec 8.2.2 size check
+ * must be relaxed to conform with shorter signatures - so we fail here
+ * only if signature length is longer than modulus size.
+ */
pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
- if (tsize != k) {
+ if (k < tsize) {
ret = -EBADMSG;
goto error;
}
+ /* Round up and convert to octets */
+ k = (k + 7) / 8;
+
/* (2b) Apply the RSAVP1 verification primitive to the public key */
ret = RSAVP1(key, sig->rsa.s, &m);
if (ret < 0)
next prev parent reply other threads:[~2012-09-13 23:50 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-13 23:48 [RFC][PATCH 00/16] Asymmetric / Public-key cryptography key type David Howells
2012-09-13 23:48 ` [PATCH 01/16] KEYS: Add payload preparsing opportunity prior to key instantiate or update David Howells
2012-09-13 23:48 ` [PATCH 02/16] MPILIB: Provide count_leading/trailing_zeros() based on arch functions David Howells
2012-09-13 23:48 ` [PATCH 03/16] KEYS: Document asymmetric key type David Howells
2012-09-13 23:48 ` [PATCH 04/16] KEYS: Implement " David Howells
2012-09-13 23:48 ` [PATCH 05/16] KEYS: Asymmetric key pluggable data parsers David Howells
2012-09-13 23:48 ` [PATCH 06/16] KEYS: Asymmetric public-key algorithm crypto key subtype David Howells
2012-09-13 23:49 ` [PATCH 07/16] KEYS: Provide signature verification with an asymmetric key David Howells
2012-09-13 23:49 ` [PATCH 08/16] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA signature verification David Howells
2012-09-13 23:49 ` [PATCH 09/16] RSA: Implement signature verification algorithm [PKCS#1 / RFC3447] David Howells
2012-09-13 23:49 ` David Howells [this message]
2012-09-13 23:49 ` [PATCH 11/16] X.509: Implement simple static OID registry David Howells
2012-09-13 23:49 ` [PATCH 12/16] X.509: Add utility functions to render OIDs as strings David Howells
2012-09-13 23:49 ` [PATCH 13/16] X.509: Add simple ASN.1 grammar compiler David Howells
2012-09-13 23:50 ` [PATCH 14/16] X.509: Add an ASN.1 decoder David Howells
2012-09-14 9:39 ` Alan Cox
2012-09-18 17:34 ` David Howells
2012-09-18 18:51 ` Alan Cox
2012-09-18 22:19 ` Peter Jones
2012-09-19 4:17 ` James Morris
2012-09-20 9:45 ` David Howells
2012-09-18 22:03 ` David Howells
2012-09-18 22:26 ` David Howells
2012-09-19 13:05 ` David Howells
2012-09-13 23:50 ` [PATCH 15/16] MPILIB: Provide a function to read raw data into an MPI David Howells
2012-09-13 23:50 ` [PATCH 16/16] X.509: Add a crypto key parser for binary (DER) X.509 certificates David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120913234931.3575.10461.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).