aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorDavid Howells2012-09-21 17:28:05 -0500
committerRusty Russell2012-10-07 22:20:17 -0500
commit0b1568a4536ff287a87908d7fc35c05bd7736a53 (patch)
tree2e2eab236c2fa23d568e0ee7179fbfdc5cf2b3ba /crypto
parent612e0fe99965a4028359cd1da5af56b7f6caf7f6 (diff)
downloadkernel-video-0b1568a4536ff287a87908d7fc35c05bd7736a53.tar.gz
kernel-video-0b1568a4536ff287a87908d7fc35c05bd7736a53.tar.xz
kernel-video-0b1568a4536ff287a87908d7fc35c05bd7736a53.zip
RSA: Fix signature verification for shorter signatures
gpg can produce a signature file where length of signature is less than the modulus size because the amount of space an MPI takes up is kept as low as possible by discarding leading zeros. This regularly happens for several modules during the build. Fix it by relaxing check in RSA verification code. Thanks to Tomas Mraz and Miloslav Trmac for help. Signed-off-by: Milan Broz <mbroz@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asymmetric_keys/rsa.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 9b31ee25a45..4a6a0696f8a 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -224,15 +224,23 @@ static int RSA_verify_signature(const struct public_key *key,
224 return -ENOTSUPP; 224 return -ENOTSUPP;
225 225
226 /* (1) Check the signature size against the public key modulus size */ 226 /* (1) Check the signature size against the public key modulus size */
227 k = (mpi_get_nbits(key->rsa.n) + 7) / 8; 227 k = mpi_get_nbits(key->rsa.n);
228 tsize = mpi_get_nbits(sig->rsa.s);
228 229
229 tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8; 230 /* According to RFC 4880 sec 3.2, length of MPI is computed starting
231 * from most significant bit. So the RFC 3447 sec 8.2.2 size check
232 * must be relaxed to conform with shorter signatures - so we fail here
233 * only if signature length is longer than modulus size.
234 */
230 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize); 235 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
231 if (tsize != k) { 236 if (k < tsize) {
232 ret = -EBADMSG; 237 ret = -EBADMSG;
233 goto error; 238 goto error;
234 } 239 }
235 240
241 /* Round up and convert to octets */
242 k = (k + 7) / 8;
243
236 /* (2b) Apply the RSAVP1 verification primitive to the public key */ 244 /* (2b) Apply the RSAVP1 verification primitive to the public key */
237 ret = RSAVP1(key, sig->rsa.s, &m); 245 ret = RSAVP1(key, sig->rsa.s, &m);
238 if (ret < 0) 246 if (ret < 0)