git.baikalelectronics.ru Git - kernel.git/commit

author	Eric Biggers <ebiggers@google.com>
	Wed, 19 Jan 2022 00:13:03 +0000 (16:13 -0800)
committer	Herbert Xu <herbert@gondor.apana.org.au>
	Mon, 31 Jan 2022 00:21:44 +0000 (11:21 +1100)
commit	8b009189f1f4bbffd35deac280dfbe442fc132b1
tree	4d4ff2661182d2336d4f282c4ba778b8b7c52c7a	tree \| snapshot
parent	6a3c754b8460a85043c5368d83ba84c1ce5241e4	commit \| diff

crypto: rsa-pkcs1pad - correctly get hash from source scatterlist

Commit e2c1e967a859 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before. To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.

Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size. This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.

(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)

It is unclear whether the resulting scheme has any useful security
properties.

Fix this by correctly extracting the hash from the scatterlist.

Fixes: e2c1e967a859 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>