Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/asymmetric_keys/rsa.c | 14 |
1 files changed, 11 insertions, 3 deletions
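--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -224,15 +224,23 @@ static int RSA_verify_signature(const struct public_key *key,
 return -ENOTSUPP;
 
 /* (1) Check the signature size against the public key modulus size */
-k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
+k = mpi_get_nbits(key->rsa.n);
+tsize = mpi_get_nbits(sig->rsa.s);
 
-tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
+/* According to RFC 4880 sec 3.2, length of MPI is computed starting
+* from most significant bit. So the RFC 3447 sec 8.2.2 size check
+* must be relaxed to conform with shorter signatures - so we fail here
+* only if signature length is longer than modulus size.
+*/
 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
-if (tsize != k) {
+if (k < tsize) {
 ret = -EBADMSG;
 goto error;
 }
 
+/* Round up and convert to octets */
+k = (k + 7) / 8;
+
 /* (2b) Apply the RSAVP1 verification primitive to the public key */
 ret = RSAVP1(key, sig->rsa.s, &m);
 if (ret < 0)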
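Review bot: The relaxed step-1 check `if (k < tsize)` compares bit lengths only, so a signature S with the same bit length as the modulus but a value greater than or equal to n still passes it. The RFC 3447 range condition 0 <= s < n then has to be enforced inside RSAVP1(), whose body is outside this hunk; that should be confirmed and recorded next to the check, for example `/* Coarse bit-length filter only; RSAVP1() must still reject s >= n */`. `k` also now holds a bit count before the check and an octet count after `k = (k + 7) / 8;`, and the pr_devel line prints bit counts under the old `k=`/`size(S)=` labels, so a separate bit-length local or a unit in the message would keep the debug output unambiguous. RSA_verify_signature begins and continues outside the hunk, so later uses of `k` and `tsize` could not be checked here.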