[mirror_ubuntu-hirsute-kernel.git] / lib / digsig.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011 Intel Corporation
 *
 * Author:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *
 * File: sign.c
 *	implements signature (RSA) verification
 *	pkcs decoding is based on LibTomCrypt code
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/err.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/key.h>
#include <linux/crypto.h>
#include <crypto/hash.h>
#include <crypto/sha.h>
#include <keys/user-type.h>
#include <linux/mpi.h>
#include <linux/digsig.h>

static struct crypto_shash *shash;

static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg,
						unsigned long  msglen,
						unsigned long  modulus_bitlen,
						unsigned long *outlen)
{
	unsigned long modulus_len, ps_len, i;

	modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0);

	/* test message size */
	if ((msglen > modulus_len) || (modulus_len < 11))
		return NULL;

	/* separate encoded message */
	if (msg[0] != 0x00 || msg[1] != 0x01)
		return NULL;

	for (i = 2; i < modulus_len - 1; i++)
		if (msg[i] != 0xFF)
			break;

	/* separator check */
	if (msg[i] != 0)
		/* There was no octet with hexadecimal value 0x00
		to separate ps from m. */
		return NULL;

	ps_len = i - 2;

	*outlen = (msglen - (2 + ps_len + 1));

	return msg + 2 + ps_len + 1;
}

/*
 * RSA Signature verification with public key
 */
static int digsig_verify_rsa(struct key *key,
		    const char *sig, int siglen,
		       const char *h, int hlen)
{
	int err = -EINVAL;
	unsigned long len;
	unsigned long mlen, mblen;
	unsigned nret, l;
	int head, i;
	unsigned char *out1 = NULL;
	const char *m;
	MPI in = NULL, res = NULL, pkey[2];
	uint8_t *p, *datap;
	const uint8_t *endp;
	const struct user_key_payload *ukp;
	struct pubkey_hdr *pkh;

	down_read(&key->sem);
	ukp = user_key_payload_locked(key);

	if (!ukp) {
		/* key was revoked before we acquired its semaphore */
		err = -EKEYREVOKED;
		goto err1;
	}

	if (ukp->datalen < sizeof(*pkh))
		goto err1;

	pkh = (struct pubkey_hdr *)ukp->data;

	if (pkh->version != 1)
		goto err1;

	if (pkh->algo != PUBKEY_ALGO_RSA)
		goto err1;

	if (pkh->nmpi != 2)
		goto err1;

	datap = pkh->mpi;
	endp = ukp->data + ukp->datalen;

	for (i = 0; i < pkh->nmpi; i++) {
		unsigned int remaining = endp - datap;
		pkey[i] = mpi_read_from_buffer(datap, &remaining);
		if (IS_ERR(pkey[i])) {
			err = PTR_ERR(pkey[i]);
			goto err;
		}
		datap += remaining;
	}

	mblen = mpi_get_nbits(pkey[0]);
	mlen = DIV_ROUND_UP(mblen, 8);

	if (mlen == 0) {
		err = -EINVAL;
		goto err;
	}

	err = -ENOMEM;

	out1 = kzalloc(mlen, GFP_KERNEL);
	if (!out1)
		goto err;

	nret = siglen;
	in = mpi_read_from_buffer(sig, &nret);
	if (IS_ERR(in)) {
		err = PTR_ERR(in);
		goto err;
	}

	res = mpi_alloc(mpi_get_nlimbs(in) * 2);
	if (!res)
		goto err;

	err = mpi_powm(res, in, pkey[1], pkey[0]);
	if (err)
		goto err;

	if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) {
		err = -EINVAL;
		goto err;
	}

	p = mpi_get_buffer(res, &l, NULL);
	if (!p) {
		err = -EINVAL;
		goto err;
	}

	len = mlen;
	head = len - l;
	memset(out1, 0, head);
	memcpy(out1 + head, p, l);

	kfree(p);

	m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);

	if (!m || len != hlen || memcmp(m, h, hlen))
		err = -EINVAL;

err:
	mpi_free(in);
	mpi_free(res);
	kfree(out1);
	while (--i >= 0)
		mpi_free(pkey[i]);
err1:
	up_read(&key->sem);

	return err;
}

/**
 * digsig_verify() - digital signature verification with public key
 * @keyring:	keyring to search key in
 * @sig:	digital signature
 * @siglen:	length of the signature
 * @data:	data
 * @datalen:	length of the data
 *
 * Returns 0 on success, -EINVAL otherwise
 *
 * Verifies data integrity against digital signature.
 * Currently only RSA is supported.
 * Normally hash of the content is used as a data for this function.
 *
 */
int digsig_verify(struct key *keyring, const char *sig, int siglen,
						const char *data, int datalen)
{
	int err = -ENOMEM;
	struct signature_hdr *sh = (struct signature_hdr *)sig;
	struct shash_desc *desc = NULL;
	unsigned char hash[SHA1_DIGEST_SIZE];
	struct key *key;
	char name[20];

	if (siglen < sizeof(*sh) + 2)
		return -EINVAL;

	if (sh->algo != PUBKEY_ALGO_RSA)
		return -ENOTSUPP;

	sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid));

	if (keyring) {
		/* search in specific keyring */
		key_ref_t kref;
		kref = keyring_search(make_key_ref(keyring, 1UL),
				      &key_type_user, name, true);
		if (IS_ERR(kref))
			key = ERR_CAST(kref);
		else
			key = key_ref_to_ptr(kref);
	} else {
		key = request_key(&key_type_user, name, NULL);
	}
	if (IS_ERR(key)) {
		pr_err("key not found, id: %s\n", name);
		return PTR_ERR(key);
	}

	desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
		       GFP_KERNEL);
	if (!desc)
		goto err;

	desc->tfm = shash;

	crypto_shash_init(desc);
	crypto_shash_update(desc, data, datalen);
	crypto_shash_update(desc, sig, sizeof(*sh));
	crypto_shash_final(desc, hash);

	kfree(desc);

	/* pass signature mpis address */
	err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh),
			     hash, sizeof(hash));

err:
	key_put(key);

	return err ? -EINVAL : 0;
}
EXPORT_SYMBOL_GPL(digsig_verify);

static int __init digsig_init(void)
{
	shash = crypto_alloc_shash("sha1", 0, 0);
	if (IS_ERR(shash)) {
		pr_err("shash allocation failed\n");
		return  PTR_ERR(shash);
	}

	return 0;

}

static void __exit digsig_cleanup(void)
{
	crypto_free_shash(shash);
}

module_init(digsig_init);
module_exit(digsig_cleanup);

MODULE_LICENSE("GPL");
Commit	Line	Data
b886d83c	1	// SPDX-License-Identifier: GPL-2.0-only
051dbb91 DK	2	/*
	3	* Copyright (C) 2011 Nokia Corporation
	4	* Copyright (C) 2011 Intel Corporation
	5	*
	6	* Author:
	7	* Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
	8	* <dmitry.kasatkin@intel.com>
	9	*
051dbb91 DK	10	* File: sign.c
	11	* implements signature (RSA) verification
	12	* pkcs decoding is based on LibTomCrypt code
	13	*/
	14
	15	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
	16
	17	#include <linux/err.h>
	18	#include <linux/module.h>
	19	#include <linux/slab.h>
	20	#include <linux/key.h>
	21	#include <linux/crypto.h>
	22	#include <crypto/hash.h>
	23	#include <crypto/sha.h>
	24	#include <keys/user-type.h>
	25	#include <linux/mpi.h>
	26	#include <linux/digsig.h>
	27
	28	static struct crypto_shash *shash;
	29
26d43845 DK	30	static const char pkcs_1_v1_5_decode_emsa(const unsigned char msg,
	31	unsigned long msglen,
	32	unsigned long modulus_bitlen,
	33	unsigned long *outlen)
051dbb91 DK	34	{
051dbb91 DK	35	unsigned long modulus_len, ps_len, i;
051dbb91 DK	36
	37	modulus_len = (modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0);
	38
	39	/* test message size */
	40	if ((msglen > modulus_len) \|\| (modulus_len < 11))
26d43845	41	return NULL;
051dbb91 DK	42
051dbb91 DK	43	/* separate encoded message */
26d43845 DK	44	if (msg[0] != 0x00 \|\| msg[1] != 0x01)
26d43845 DK	45	return NULL;
051dbb91 DK	46
	47	for (i = 2; i < modulus_len - 1; i++)
	48	if (msg[i] != 0xFF)
	49	break;
	50
	51	/* separator check */
b35e286a	52	if (msg[i] != 0)
051dbb91 DK	53	/* There was no octet with hexadecimal value 0x00
051dbb91 DK	54	to separate ps from m. */
26d43845	55	return NULL;
051dbb91 DK	56
	57	ps_len = i - 2;
	58
051dbb91	59	*outlen = (msglen - (2 + ps_len + 1));
051dbb91	60
26d43845	61	return msg + 2 + ps_len + 1;
051dbb91 DK	62	}
	63
	64	/*
	65	* RSA Signature verification with public key
	66	*/
	67	static int digsig_verify_rsa(struct key *key,
	68	const char *sig, int siglen,
	69	const char *h, int hlen)
	70	{
	71	int err = -EINVAL;
	72	unsigned long len;
	73	unsigned long mlen, mblen;
	74	unsigned nret, l;
b35e286a	75	int head, i;
26d43845 DK	76	unsigned char *out1 = NULL;
26d43845 DK	77	const char *m;
051dbb91	78	MPI in = NULL, res = NULL, pkey[2];
146aa8b1 DH	79	uint8_t p, datap;
	80	const uint8_t *endp;
	81	const struct user_key_payload *ukp;
051dbb91 DK	82	struct pubkey_hdr *pkh;
	83
	84	down_read(&key->sem);
0837e49a	85	ukp = user_key_payload_locked(key);
f58a0815	86
192cabd6 EB	87	if (!ukp) {
	88	/* key was revoked before we acquired its semaphore */
	89	err = -EKEYREVOKED;
	90	goto err1;
	91	}
	92
f58a0815 DK	93	if (ukp->datalen < sizeof(*pkh))
	94	goto err1;
	95
051dbb91 DK	96	pkh = (struct pubkey_hdr *)ukp->data;
	97
	98	if (pkh->version != 1)
	99	goto err1;
	100
	101	if (pkh->algo != PUBKEY_ALGO_RSA)
	102	goto err1;
	103
	104	if (pkh->nmpi != 2)
	105	goto err1;
	106
	107	datap = pkh->mpi;
f58a0815	108	endp = ukp->data + ukp->datalen;
051dbb91 DK	109
	110	for (i = 0; i < pkh->nmpi; i++) {
	111	unsigned int remaining = endp - datap;
	112	pkey[i] = mpi_read_from_buffer(datap, &remaining);
03cdfaad NS	113	if (IS_ERR(pkey[i])) {
03cdfaad NS	114	err = PTR_ERR(pkey[i]);
86f8bedc	115	goto err;
03cdfaad	116	}
051dbb91 DK	117	datap += remaining;
	118	}
	119
	120	mblen = mpi_get_nbits(pkey[0]);
26d43845	121	mlen = DIV_ROUND_UP(mblen, 8);
051dbb91	122
c5ce7c69 NS	123	if (mlen == 0) {
c5ce7c69 NS	124	err = -EINVAL;
f58a0815	125	goto err;
c5ce7c69 NS	126	}
	127
	128	err = -ENOMEM;
051dbb91 DK	129
	130	out1 = kzalloc(mlen, GFP_KERNEL);
	131	if (!out1)
	132	goto err;
	133
051dbb91 DK	134	nret = siglen;
051dbb91 DK	135	in = mpi_read_from_buffer(sig, &nret);
03cdfaad NS	136	if (IS_ERR(in)) {
03cdfaad NS	137	err = PTR_ERR(in);
051dbb91	138	goto err;
03cdfaad	139	}
051dbb91 DK	140
	141	res = mpi_alloc(mpi_get_nlimbs(in) * 2);
	142	if (!res)
	143	goto err;
	144
	145	err = mpi_powm(res, in, pkey[1], pkey[0]);
	146	if (err)
	147	goto err;
	148
	149	if (mpi_get_nlimbs(res) * BYTES_PER_MPI_LIMB > mlen) {
	150	err = -EINVAL;
	151	goto err;
	152	}
	153
	154	p = mpi_get_buffer(res, &l, NULL);
	155	if (!p) {
	156	err = -EINVAL;
	157	goto err;
	158	}
	159
	160	len = mlen;
	161	head = len - l;
	162	memset(out1, 0, head);
	163	memcpy(out1 + head, p, l);
	164
7810cc1e YH	165	kfree(p);
7810cc1e YH	166
26d43845	167	m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len);
051dbb91	168
26d43845	169	if (!m \|\| len != hlen \|\| memcmp(m, h, hlen))
bc01637a	170	err = -EINVAL;
051dbb91 DK	171
	172	err:
	173	mpi_free(in);
	174	mpi_free(res);
	175	kfree(out1);
86f8bedc DK	176	while (--i >= 0)
86f8bedc DK	177	mpi_free(pkey[i]);
051dbb91 DK	178	err1:
	179	up_read(&key->sem);
	180
	181	return err;
	182	}
	183
	184	/**
	185	* digsig_verify() - digital signature verification with public key
	186	* @keyring: keyring to search key in
	187	* @sig: digital signature
54b14f40	188	* @siglen: length of the signature
051dbb91 DK	189	* @data: data
051dbb91 DK	190	* @datalen: length of the data
54b14f40 FF	191	*
54b14f40 FF	192	* Returns 0 on success, -EINVAL otherwise
051dbb91 DK	193	*
	194	* Verifies data integrity against digital signature.
	195	* Currently only RSA is supported.
	196	* Normally hash of the content is used as a data for this function.
	197	*
	198	*/
	199	int digsig_verify(struct key keyring, const char sig, int siglen,
	200	const char *data, int datalen)
	201	{
	202	int err = -ENOMEM;
	203	struct signature_hdr sh = (struct signature_hdr )sig;
	204	struct shash_desc *desc = NULL;
	205	unsigned char hash[SHA1_DIGEST_SIZE];
	206	struct key *key;
	207	char name[20];
	208
	209	if (siglen < sizeof(*sh) + 2)
	210	return -EINVAL;
	211
	212	if (sh->algo != PUBKEY_ALGO_RSA)
	213	return -ENOTSUPP;
	214
	215	sprintf(name, "%llX", __be64_to_cpup((uint64_t *)sh->keyid));
	216
	217	if (keyring) {
	218	/* search in specific keyring */
	219	key_ref_t kref;
	220	kref = keyring_search(make_key_ref(keyring, 1UL),
dcf49dbc	221	&key_type_user, name, true);
051dbb91	222	if (IS_ERR(kref))
ff6092a8	223	key = ERR_CAST(kref);
051dbb91 DK	224	else
	225	key = key_ref_to_ptr(kref);
	226	} else {
028db3e2	227	key = request_key(&key_type_user, name, NULL);
051dbb91 DK	228	}
	229	if (IS_ERR(key)) {
	230	pr_err("key not found, id: %s\n", name);
	231	return PTR_ERR(key);
	232	}
	233
	234	desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
	235	GFP_KERNEL);
	236	if (!desc)
	237	goto err;
	238
	239	desc->tfm = shash;
051dbb91 DK	240
	241	crypto_shash_init(desc);
	242	crypto_shash_update(desc, data, datalen);
	243	crypto_shash_update(desc, sig, sizeof(*sh));
	244	crypto_shash_final(desc, hash);
	245
	246	kfree(desc);
	247
	248	/* pass signature mpis address */
	249	err = digsig_verify_rsa(key, sig + sizeof(sh), siglen - sizeof(sh),
	250	hash, sizeof(hash));
	251
	252	err:
	253	key_put(key);
	254
	255	return err ? -EINVAL : 0;
	256	}
	257	EXPORT_SYMBOL_GPL(digsig_verify);
	258
	259	static int __init digsig_init(void)
	260	{
	261	shash = crypto_alloc_shash("sha1", 0, 0);
	262	if (IS_ERR(shash)) {
	263	pr_err("shash allocation failed\n");
	264	return PTR_ERR(shash);
	265	}
	266
	267	return 0;
	268
	269	}
	270
	271	static void __exit digsig_cleanup(void)
	272	{
	273	crypto_free_shash(shash);
	274	}
	275
	276	module_init(digsig_init);
	277	module_exit(digsig_cleanup);
	278
	279	MODULE_LICENSE("GPL");