Commit 0cf43f50 authored by Herbert Xu's avatar Herbert Xu

crypto: rsa-pkcs1pad - Handle leading zero for decryption

As the software RSA implementation now produces fixed-length
output, we need to eliminate leading zeros in the calling code
instead.

This patch does just that for pkcs1pad decryption while signature
verification was fixed in an earlier patch.

Fixes: 9b45b7bb ("crypto: rsa - Generate fixed-length output")
Reported-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 456bee98
...@@ -298,41 +298,48 @@ static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err) ...@@ -298,41 +298,48 @@ static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err)
struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
unsigned int dst_len;
unsigned int pos; unsigned int pos;
u8 *out_buf;
if (err == -EOVERFLOW)
/* Decrypted value had no leading 0 byte */
err = -EINVAL;
if (err) if (err)
goto done; goto done;
if (req_ctx->child_req.dst_len != ctx->key_size - 1) {
err = -EINVAL; err = -EINVAL;
dst_len = req_ctx->child_req.dst_len;
if (dst_len < ctx->key_size - 1)
goto done; goto done;
}
if (req_ctx->out_buf[0] != 0x02) { out_buf = req_ctx->out_buf;
err = -EINVAL; if (dst_len == ctx->key_size) {
if (out_buf[0] != 0x00)
/* Decrypted value had no leading 0 byte */
goto done; goto done;
dst_len--;
out_buf++;
} }
for (pos = 1; pos < req_ctx->child_req.dst_len; pos++)
if (req_ctx->out_buf[pos] == 0x00) if (out_buf[0] != 0x02)
goto done;
for (pos = 1; pos < dst_len; pos++)
if (out_buf[pos] == 0x00)
break; break;
if (pos < 9 || pos == req_ctx->child_req.dst_len) { if (pos < 9 || pos == dst_len)
err = -EINVAL;
goto done; goto done;
}
pos++; pos++;
if (req->dst_len < req_ctx->child_req.dst_len - pos) err = 0;
if (req->dst_len < dst_len - pos)
err = -EOVERFLOW; err = -EOVERFLOW;
req->dst_len = req_ctx->child_req.dst_len - pos; req->dst_len = dst_len - pos;
if (!err) if (!err)
sg_copy_from_buffer(req->dst, sg_copy_from_buffer(req->dst,
sg_nents_for_len(req->dst, req->dst_len), sg_nents_for_len(req->dst, req->dst_len),
req_ctx->out_buf + pos, req->dst_len); out_buf + pos, req->dst_len);
done: done:
kzfree(req_ctx->out_buf); kzfree(req_ctx->out_buf);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment