From patchwork Sun Sep 15 00:56:53 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chun-Yi Lee X-Patchwork-Id: 2894181 Return-Path: X-Original-To: patchwork-linux-pm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 8ED26BFF05 for ; Sun, 15 Sep 2013 01:00:40 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id BD717202EC for ; Sun, 15 Sep 2013 01:00:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EA1ED202C0 for ; Sun, 15 Sep 2013 01:00:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932659Ab3IOA5q (ORCPT ); Sat, 14 Sep 2013 20:57:46 -0400 Received: from mail-bk0-f49.google.com ([209.85.214.49]:52640 "EHLO mail-bk0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932507Ab3IOA5n (ORCPT ); Sat, 14 Sep 2013 20:57:43 -0400 Received: by mail-bk0-f49.google.com with SMTP id r7so978750bkg.22 for ; Sat, 14 Sep 2013 17:57:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=RD75YpmvaWYqBklgyicvtzIIHdDqHDMjPcsOgXFpZWU=; b=JwE8ZVGcUWw3TAjvpggUCz6xH+Z4FmcJZHpUdSEo9gffmGzBzs11UAZRKAWJsNPvRv 4DaYerq9plaqN9DYbvrSRHfb6oJPEXXjHxFdKsF+NQeN329InHS5bc5lgCk89e9owT5A P+ZuIITLlXOMjbcLVeMbWaj5fEBtbGRw4BgrqBg/KbPfoTJhm6iaLHYy949bnEoQIC/X 2MvoP52E2ULOm34VjX44rIjrn6jwxdXQqeg0Fl5xx8uhyC8xkfFAynsBw4w3wQW1NHj5 poxEX3rWqD3p2c8nRyye0fY3f1T9OzAbOYaWqGDrsBUj0wTXjQfMNxT73Gfj1elsYiHE 1+ZQ== X-Received: by 10.205.36.70 with SMTP id sz6mr17667756bkb.12.1379206662054; Sat, 14 Sep 2013 17:57:42 -0700 (PDT) Received: from localhost.localdomain ([124.11.22.254]) by mx.google.com with ESMTPSA id zl3sm4941613bkb.4.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sat, 14 Sep 2013 17:57:41 -0700 (PDT) From: "Lee, Chun-Yi" To: linux-kernel@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-pm@vger.kernel.org, linux-crypto@vger.kernel.org, opensuse-kernel@opensuse.org, David Howells , "Rafael J. Wysocki" , Matthew Garrett , Len Brown , Pavel Machek , Josh Boyer , Vojtech Pavlik , Matt Fleming , James Bottomley , Greg KH , JKosina@suse.com, Rusty Russell , Herbert Xu , "David S. Miller" , "H. Peter Anvin" , Michal Marek , Gary Lin , Vivek Goyal , "Lee, Chun-Yi" Subject: [PATCH V4 07/15] asymmetric keys: explicitly add the leading zero byte to encoded message Date: Sun, 15 Sep 2013 08:56:53 +0800 Message-Id: <1379206621-18639-8-git-send-email-jlee@suse.com> X-Mailer: git-send-email 1.6.0.2 In-Reply-To: <1379206621-18639-1-git-send-email-jlee@suse.com> References: <1379206621-18639-1-git-send-email-jlee@suse.com> Sender: linux-pm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pm@vger.kernel.org X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, KHOP_BIG_TO_CC, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Per PKCS1 spec, the EMSA-PKCS1-v1_5 encoded message is leading by 0x00 0x01 in its first 2 bytes. The leading zero byte is suppressed by MPI so we pass a pointer to the _preceding_ byte to RSA_verify() in original code, but it has risk for the byte is not zero because it's not in EM buffer's scope, neither RSA_verify() nor mpi_get_buffer() didn't take care the leading byte. To avoid the risk, that's better we explicitly add the leading zero byte to EM for pass to RSA_verify(). This patch allocate a _EM buffer to capture the result from RSA_I2OSP(), then set the first byte to zero in EM and copy the remaining bytes from _EM. V2: - Check the memory allocate result of EM to avoid use it when allocate fail. Cc: Pavel Machek Reviewed-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- crypto/asymmetric_keys/rsa.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c index 0ede317..9763df7 100644 --- a/crypto/asymmetric_keys/rsa.c +++ b/crypto/asymmetric_keys/rsa.c @@ -408,6 +408,7 @@ static int RSA_verify_signature(const struct public_key *key, /* Variables as per RFC3447 sec 8.2.2 */ const u8 *H = sig->digest; u8 *EM = NULL; + u8 *EM_tmp = NULL; MPI m = NULL; size_t k; @@ -442,19 +443,28 @@ static int RSA_verify_signature(const struct public_key *key, /* (2c) Convert the message representative (m) to an encoded message * (EM) of length k octets. * - * NOTE! The leading zero byte is suppressed by MPI, so we pass a - * pointer to the _preceding_ byte to RSA_verify()! + * NOTE! The leading zero byte is suppressed by MPI, so we add it + * back to EM before input to RSA_verify()! */ - ret = RSA_I2OSP(m, k, &EM); + ret = RSA_I2OSP(m, k, &EM_tmp); if (ret < 0) goto error; - ret = RSA_verify(H, EM - 1, k, sig->digest_size, + EM = kmalloc(k, GFP_KERNEL); + if (!EM) { + ret = -ENOMEM; + goto error; + } + memset(EM, 0, 1); + memcpy(EM + 1, EM_tmp, k-1); + + ret = RSA_verify(H, EM, k, sig->digest_size, RSA_ASN1_templates[sig->pkey_hash_algo].data, RSA_ASN1_templates[sig->pkey_hash_algo].size); -error: kfree(EM); +error: + kfree(EM_tmp); mpi_free(m); kleave(" = %d", ret); return ret;