PKCS#7: Digest the data in a signed-data message

Digest the data in a PKCS#7 signed-data message and attach to the public_key_signature struct contained in the pkcs7_message struct. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org>
author: David Howells <dhowells@redhat.com> 2014-07-01 11:40:19 -0400
committer: David Howells <dhowells@redhat.com> 2014-07-08 08:50:03 -0400
commit: 9f0d33146e2ae81342a493c579c0e0c1aa84a527 (patch)
tree: 9b31262f91e15d69cf80ff014a52dfe6bdf8ab34 /crypto
parent: 2e3fadbf730fd0d13c891d5e555af3e7f39ca3f4 (diff)
2 files changed, 175 insertions, 1 deletions
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 59d8cade5cfe..b6b39e7bea01 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -32,7 +32,8 @@ clean-files	+= x509_rsakey-asn1.c x509_rsakey-asn1.h
 obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
 pkcs7_message-y := \
        pkcs7-asn1.o \
-        pkcs7_parser.o
+        pkcs7_parser.o \
+        pkcs7_verify.o
 $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
 $(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
new file mode 100644
index 000000000000..0bb408a5b64f
--- /dev/null
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -0,0 +1,173 @@
+/* Verify the signature on a PKCS#7 message.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define pr_fmt(fmt) "PKCS7: "fmt
+#include <linux/kernel.h>
+#include <linux/export.h>
+#include <linux/slab.h>
+#include <linux/err.h>
+#include <linux/asn1.h>
+#include <crypto/hash.h>
+#include "public_key.h"
+#include "pkcs7_parser.h"
+/*
+ * Digest the relevant parts of the PKCS#7 data
+ */
+static int pkcs7_digest(struct pkcs7_message *pkcs7,
+                        struct pkcs7_signed_info *sinfo)
+{
+        struct crypto_shash *tfm;
+        struct shash_desc *desc;
+        size_t digest_size, desc_size;
+        void *digest;
+        int ret;
+        kenter(",%u,%u", sinfo->index, sinfo->sig.pkey_hash_algo);
+        if (sinfo->sig.pkey_hash_algo >= PKEY_HASH__LAST ||
+            !hash_algo_name[sinfo->sig.pkey_hash_algo])
+                return -ENOPKG;
+        /* Allocate the hashing algorithm we're going to need and find out how
+         * big the hash operational data will be.
+         */
+        tfm = crypto_alloc_shash(hash_algo_name[sinfo->sig.pkey_hash_algo],
+                                 0, 0);
+        if (IS_ERR(tfm))
+                return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
+        desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+        sinfo->sig.digest_size = digest_size = crypto_shash_digestsize(tfm);
+        ret = -ENOMEM;
+        digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
+        if (!digest)
+                goto error_no_desc;
+        desc = digest + digest_size;
+        desc->tfm   = tfm;
+        desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        /* Digest the message [RFC2315 9.3] */
+        ret = crypto_shash_init(desc);
+        if (ret < 0)
+                goto error;
+        ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, digest);
+        if (ret < 0)
+                goto error;
+        pr_devel("MsgDigest = [%*ph]\n", 8, digest);
+        /* However, if there are authenticated attributes, there must be a
+         * message digest attribute amongst them which corresponds to the
+         * digest we just calculated.
+         */
+        if (sinfo->msgdigest) {
+                u8 tag;
+                if (sinfo->msgdigest_len != sinfo->sig.digest_size) {
+                        pr_debug("Sig %u: Invalid digest size (%u)\n",
+                                 sinfo->index, sinfo->msgdigest_len);
+                        ret = -EBADMSG;
+                        goto error;
+                }
+                if (memcmp(digest, sinfo->msgdigest, sinfo->msgdigest_len) != 0) {
+                        pr_debug("Sig %u: Message digest doesn't match\n",
+                                 sinfo->index);
+                        ret = -EKEYREJECTED;
+                        goto error;
+                }
+                /* We then calculate anew, using the authenticated attributes
+                 * as the contents of the digest instead.  Note that we need to
+                 * convert the attributes from a CONT.0 into a SET before we
+                 * hash it.
+                 */
+                memset(digest, 0, sinfo->sig.digest_size);
+                ret = crypto_shash_init(desc);
+                if (ret < 0)
+                        goto error;
+                tag = ASN1_CONS_BIT | ASN1_SET;
+                ret = crypto_shash_update(desc, &tag, 1);
+                if (ret < 0)
+                        goto error;
+                ret = crypto_shash_finup(desc, sinfo->authattrs,
+                                         sinfo->authattrs_len, digest);
+                if (ret < 0)
+                        goto error;
+                pr_devel("AADigest = [%*ph]\n", 8, digest);
+        }
+        sinfo->sig.digest = digest;
+        digest = NULL;
+error:
+        kfree(digest);
+error_no_desc:
+        crypto_free_shash(tfm);
+        kleave(" = %d", ret);
+        return ret;
+}
+/*
+/*
+ * Verify one signed information block from a PKCS#7 message.
+ */
+static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
+                            struct pkcs7_signed_info *sinfo)
+{
+        int ret;
+        kenter(",%u", sinfo->index);
+        /* First of all, digest the data in the PKCS#7 message and the
+         * signed information block
+         */
+        ret = pkcs7_digest(pkcs7, sinfo);
+        if (ret < 0)
+                return ret;
+        return 0;
+}
+/**
+ * pkcs7_verify - Verify a PKCS#7 message
+ * @pkcs7: The PKCS#7 message to be verified
+ */
+int pkcs7_verify(struct pkcs7_message *pkcs7)
+{
+        struct pkcs7_signed_info *sinfo;
+        struct x509_certificate *x509;
+        int ret, n;
+        kenter("");
+        for (n = 0, x509 = pkcs7->certs; x509; x509 = x509->next, n++) {
+                ret = x509_get_sig_params(x509);
+                if (ret < 0)
+                        return ret;
+                pr_debug("X.509[%u] %s\n", n, x509->authority);
+        }
+        for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+                ret = pkcs7_verify_one(pkcs7, sinfo);
+                if (ret < 0) {
+                        kleave(" = %d", ret);
+                        return ret;
+                }
+        }
+        kleave(" = 0");
+        return 0;
+}
+EXPORT_SYMBOL_GPL(pkcs7_verify);
author	David Howells <dhowells@redhat.com>	2014-07-01 11:40:19 -0400
committer	David Howells <dhowells@redhat.com>	2014-07-08 08:50:03 -0400
commit	9f0d33146e2ae81342a493c579c0e0c1aa84a527 (patch)
tree	9b31262f91e15d69cf80ff014a52dfe6bdf8ab34 /crypto
parent	2e3fadbf730fd0d13c891d5e555af3e7f39ca3f4 (diff)

diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index 59d8cade5cfe..b6b39e7bea01 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile
@@ -32,7 +32,8 @@ clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h
32	obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o	32	obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
33	pkcs7_message-y := \	33	pkcs7_message-y := \
34	pkcs7-asn1.o \	34	pkcs7-asn1.o \
35	pkcs7_parser.o	35	pkcs7_parser.o \
		36	pkcs7_verify.o
36		37
37	$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h	38	$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
38	$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h	39	$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h


diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c new file mode 100644 index 000000000000..0bb408a5b64f --- /dev/null +++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -0,0 +1,173 @@
		1	/* Verify the signature on a PKCS#7 message.
		2	*
		3	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
		4	* Written by David Howells (dhowells@redhat.com)
		5	*
		6	* This program is free software; you can redistribute it and/or
		7	* modify it under the terms of the GNU General Public Licence
		8	* as published by the Free Software Foundation; either version
		9	* 2 of the Licence, or (at your option) any later version.
		10	*/
		11
		12	#define pr_fmt(fmt) "PKCS7: "fmt
		13	#include <linux/kernel.h>
		14	#include <linux/export.h>
		15	#include <linux/slab.h>
		16	#include <linux/err.h>
		17	#include <linux/asn1.h>
		18	#include <crypto/hash.h>
		19	#include "public_key.h"
		20	#include "pkcs7_parser.h"
		21
		22	/*
		23	* Digest the relevant parts of the PKCS#7 data
		24	*/
		25	static int pkcs7_digest(struct pkcs7_message *pkcs7,
		26	struct pkcs7_signed_info *sinfo)
		27	{
		28	struct crypto_shash *tfm;
		29	struct shash_desc *desc;
		30	size_t digest_size, desc_size;
		31	void *digest;
		32	int ret;
		33
		34	kenter(",%u,%u", sinfo->index, sinfo->sig.pkey_hash_algo);
		35
		36	if (sinfo->sig.pkey_hash_algo >= PKEY_HASH__LAST \|\|
		37	!hash_algo_name[sinfo->sig.pkey_hash_algo])
		38	return -ENOPKG;
		39
		40	/* Allocate the hashing algorithm we're going to need and find out how
		41	* big the hash operational data will be.
		42	*/
		43	tfm = crypto_alloc_shash(hash_algo_name[sinfo->sig.pkey_hash_algo],
		44	0, 0);
		45	if (IS_ERR(tfm))
		46	return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
		47
		48	desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
		49	sinfo->sig.digest_size = digest_size = crypto_shash_digestsize(tfm);
		50
		51	ret = -ENOMEM;
		52	digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
		53	if (!digest)
		54	goto error_no_desc;
		55
		56	desc = digest + digest_size;
		57	desc->tfm = tfm;
		58	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
		59
		60	/* Digest the message [RFC2315 9.3] */
		61	ret = crypto_shash_init(desc);
		62	if (ret < 0)
		63	goto error;
		64	ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, digest);
		65	if (ret < 0)
		66	goto error;
		67	pr_devel("MsgDigest = [%*ph]\n", 8, digest);
		68
		69	/* However, if there are authenticated attributes, there must be a
		70	* message digest attribute amongst them which corresponds to the
		71	* digest we just calculated.
		72	*/
		73	if (sinfo->msgdigest) {
		74	u8 tag;
		75
		76	if (sinfo->msgdigest_len != sinfo->sig.digest_size) {
		77	pr_debug("Sig %u: Invalid digest size (%u)\n",
		78	sinfo->index, sinfo->msgdigest_len);
		79	ret = -EBADMSG;
		80	goto error;
		81	}
		82
		83	if (memcmp(digest, sinfo->msgdigest, sinfo->msgdigest_len) != 0) {
		84	pr_debug("Sig %u: Message digest doesn't match\n",
		85	sinfo->index);
		86	ret = -EKEYREJECTED;
		87	goto error;
		88	}
		89
		90	/* We then calculate anew, using the authenticated attributes
		91	* as the contents of the digest instead. Note that we need to
		92	* convert the attributes from a CONT.0 into a SET before we
		93	* hash it.
		94	*/
		95	memset(digest, 0, sinfo->sig.digest_size);
		96
		97	ret = crypto_shash_init(desc);
		98	if (ret < 0)
		99	goto error;
		100	tag = ASN1_CONS_BIT \| ASN1_SET;
		101	ret = crypto_shash_update(desc, &tag, 1);
		102	if (ret < 0)
		103	goto error;
		104	ret = crypto_shash_finup(desc, sinfo->authattrs,
		105	sinfo->authattrs_len, digest);
		106	if (ret < 0)
		107	goto error;
		108	pr_devel("AADigest = [%*ph]\n", 8, digest);
		109	}
		110
		111	sinfo->sig.digest = digest;
		112	digest = NULL;
		113
		114	error:
		115	kfree(digest);
		116	error_no_desc:
		117	crypto_free_shash(tfm);
		118	kleave(" = %d", ret);
		119	return ret;
		120	}
		121
		122	/*
		123	/*
		124	* Verify one signed information block from a PKCS#7 message.
		125	*/
		126	static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
		127	struct pkcs7_signed_info *sinfo)
		128	{
		129	int ret;
		130
		131	kenter(",%u", sinfo->index);
		132
		133	/* First of all, digest the data in the PKCS#7 message and the
		134	* signed information block
		135	*/
		136	ret = pkcs7_digest(pkcs7, sinfo);
		137	if (ret < 0)
		138	return ret;
		139
		140	return 0;
		141	}
		142
		143	/**
		144	* pkcs7_verify - Verify a PKCS#7 message
		145	* @pkcs7: The PKCS#7 message to be verified
		146	*/
		147	int pkcs7_verify(struct pkcs7_message *pkcs7)
		148	{
		149	struct pkcs7_signed_info *sinfo;
		150	struct x509_certificate *x509;
		151	int ret, n;
		152
		153	kenter("");
		154
		155	for (n = 0, x509 = pkcs7->certs; x509; x509 = x509->next, n++) {
		156	ret = x509_get_sig_params(x509);
		157	if (ret < 0)
		158	return ret;
		159	pr_debug("X.509[%u] %s\n", n, x509->authority);
		160	}
		161
		162	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
		163	ret = pkcs7_verify_one(pkcs7, sinfo);
		164	if (ret < 0) {
		165	kleave(" = %d", ret);
		166	return ret;
		167	}
		168	}
		169
		170	kleave(" = 0");
		171	return 0;
		172	}
		173	EXPORT_SYMBOL_GPL(pkcs7_verify);