rsa.c 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278
  1. /* RSA asymmetric public-key algorithm [RFC3447]
  2. *
  3. * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
  4. * Written by David Howells (dhowells@redhat.com)
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public Licence
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the Licence, or (at your option) any later version.
  10. */
  11. #define pr_fmt(fmt) "RSA: "fmt
  12. #include <linux/module.h>
  13. #include <linux/kernel.h>
  14. #include <linux/slab.h>
  15. #include <crypto/algapi.h>
  16. #include "public_key.h"
  17. MODULE_LICENSE("GPL");
  18. MODULE_DESCRIPTION("RSA Public Key Algorithm");
  19. #define kenter(FMT, ...) \
  20. pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
  21. #define kleave(FMT, ...) \
  22. pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
  23. /*
  24. * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
  25. */
  26. static const u8 RSA_digest_info_MD5[] = {
  27. 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
  28. 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
  29. 0x05, 0x00, 0x04, 0x10
  30. };
  31. static const u8 RSA_digest_info_SHA1[] = {
  32. 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  33. 0x2B, 0x0E, 0x03, 0x02, 0x1A,
  34. 0x05, 0x00, 0x04, 0x14
  35. };
  36. static const u8 RSA_digest_info_RIPE_MD_160[] = {
  37. 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  38. 0x2B, 0x24, 0x03, 0x02, 0x01,
  39. 0x05, 0x00, 0x04, 0x14
  40. };
  41. static const u8 RSA_digest_info_SHA224[] = {
  42. 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
  43. 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
  44. 0x05, 0x00, 0x04, 0x1C
  45. };
  46. static const u8 RSA_digest_info_SHA256[] = {
  47. 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
  48. 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
  49. 0x05, 0x00, 0x04, 0x20
  50. };
  51. static const u8 RSA_digest_info_SHA384[] = {
  52. 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
  53. 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
  54. 0x05, 0x00, 0x04, 0x30
  55. };
  56. static const u8 RSA_digest_info_SHA512[] = {
  57. 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
  58. 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
  59. 0x05, 0x00, 0x04, 0x40
  60. };
  61. static const struct {
  62. const u8 *data;
  63. size_t size;
  64. } RSA_ASN1_templates[PKEY_HASH__LAST] = {
  65. #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
  66. [HASH_ALGO_MD5] = _(MD5),
  67. [HASH_ALGO_SHA1] = _(SHA1),
  68. [HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160),
  69. [HASH_ALGO_SHA256] = _(SHA256),
  70. [HASH_ALGO_SHA384] = _(SHA384),
  71. [HASH_ALGO_SHA512] = _(SHA512),
  72. [HASH_ALGO_SHA224] = _(SHA224),
  73. #undef _
  74. };
  75. /*
  76. * RSAVP1() function [RFC3447 sec 5.2.2]
  77. */
  78. static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
  79. {
  80. MPI m;
  81. int ret;
  82. /* (1) Validate 0 <= s < n */
  83. if (mpi_cmp_ui(s, 0) < 0) {
  84. kleave(" = -EBADMSG [s < 0]");
  85. return -EBADMSG;
  86. }
  87. if (mpi_cmp(s, key->rsa.n) >= 0) {
  88. kleave(" = -EBADMSG [s >= n]");
  89. return -EBADMSG;
  90. }
  91. m = mpi_alloc(0);
  92. if (!m)
  93. return -ENOMEM;
  94. /* (2) m = s^e mod n */
  95. ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
  96. if (ret < 0) {
  97. mpi_free(m);
  98. return ret;
  99. }
  100. *_m = m;
  101. return 0;
  102. }
  103. /*
  104. * Integer to Octet String conversion [RFC3447 sec 4.1]
  105. */
  106. static int RSA_I2OSP(MPI x, size_t xLen, u8 **pX)
  107. {
  108. unsigned X_size, x_size;
  109. int X_sign;
  110. u8 *X;
  111. /* Make sure the string is the right length. The number should begin
  112. * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
  113. * bits not being reported by MPI.
  114. */
  115. x_size = mpi_get_nbits(x);
  116. pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
  117. if (x_size != xLen * 8 - 15)
  118. return -ERANGE;
  119. X = mpi_get_buffer(x, &X_size, &X_sign);
  120. if (!X)
  121. return -ENOMEM;
  122. if (X_sign < 0) {
  123. kfree(X);
  124. return -EBADMSG;
  125. }
  126. if (X_size != xLen - 1) {
  127. kfree(X);
  128. return -EBADMSG;
  129. }
  130. *pX = X;
  131. return 0;
  132. }
  133. /*
  134. * Perform the RSA signature verification.
  135. * @H: Value of hash of data and metadata
  136. * @EM: The computed signature value
  137. * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
  138. * @hash_size: The size of H
  139. * @asn1_template: The DigestInfo ASN.1 template
  140. * @asn1_size: Size of asm1_template[]
  141. */
  142. static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
  143. const u8 *asn1_template, size_t asn1_size)
  144. {
  145. unsigned PS_end, T_offset, i;
  146. kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
  147. if (k < 2 + 1 + asn1_size + hash_size)
  148. return -EBADMSG;
  149. /* Decode the EMSA-PKCS1-v1_5 */
  150. if (EM[1] != 0x01) {
  151. kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
  152. return -EBADMSG;
  153. }
  154. T_offset = k - (asn1_size + hash_size);
  155. PS_end = T_offset - 1;
  156. if (EM[PS_end] != 0x00) {
  157. kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
  158. return -EBADMSG;
  159. }
  160. for (i = 2; i < PS_end; i++) {
  161. if (EM[i] != 0xff) {
  162. kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
  163. return -EBADMSG;
  164. }
  165. }
  166. if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
  167. kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
  168. return -EBADMSG;
  169. }
  170. if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
  171. kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
  172. return -EKEYREJECTED;
  173. }
  174. kleave(" = 0");
  175. return 0;
  176. }
  177. /*
  178. * Perform the verification step [RFC3447 sec 8.2.2].
  179. */
  180. static int RSA_verify_signature(const struct public_key *key,
  181. const struct public_key_signature *sig)
  182. {
  183. size_t tsize;
  184. int ret;
  185. /* Variables as per RFC3447 sec 8.2.2 */
  186. const u8 *H = sig->digest;
  187. u8 *EM = NULL;
  188. MPI m = NULL;
  189. size_t k;
  190. kenter("");
  191. if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
  192. return -ENOTSUPP;
  193. /* (1) Check the signature size against the public key modulus size */
  194. k = mpi_get_nbits(key->rsa.n);
  195. tsize = mpi_get_nbits(sig->rsa.s);
  196. /* According to RFC 4880 sec 3.2, length of MPI is computed starting
  197. * from most significant bit. So the RFC 3447 sec 8.2.2 size check
  198. * must be relaxed to conform with shorter signatures - so we fail here
  199. * only if signature length is longer than modulus size.
  200. */
  201. pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
  202. if (k < tsize) {
  203. ret = -EBADMSG;
  204. goto error;
  205. }
  206. /* Round up and convert to octets */
  207. k = (k + 7) / 8;
  208. /* (2b) Apply the RSAVP1 verification primitive to the public key */
  209. ret = RSAVP1(key, sig->rsa.s, &m);
  210. if (ret < 0)
  211. goto error;
  212. /* (2c) Convert the message representative (m) to an encoded message
  213. * (EM) of length k octets.
  214. *
  215. * NOTE! The leading zero byte is suppressed by MPI, so we pass a
  216. * pointer to the _preceding_ byte to RSA_verify()!
  217. */
  218. ret = RSA_I2OSP(m, k, &EM);
  219. if (ret < 0)
  220. goto error;
  221. ret = RSA_verify(H, EM - 1, k, sig->digest_size,
  222. RSA_ASN1_templates[sig->pkey_hash_algo].data,
  223. RSA_ASN1_templates[sig->pkey_hash_algo].size);
  224. error:
  225. kfree(EM);
  226. mpi_free(m);
  227. kleave(" = %d", ret);
  228. return ret;
  229. }
  230. const struct public_key_algorithm RSA_public_key_algorithm = {
  231. .name = "RSA",
  232. .n_pub_mpi = 2,
  233. .n_sec_mpi = 3,
  234. .n_sig_mpi = 1,
  235. .verify_signature = RSA_verify_signature,
  236. };
  237. EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);