RSA: Implement signature verification algorithm [PKCS#1 / RFC3447]

Implement RSA public key cryptography [PKCS#1 / RFC3447]. At this time, only the signature verification algorithm is supported. This uses the asymmetric public key subtype to hold its key data. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
author: David Howells <dhowells@redhat.com> 2012-09-21 18:25:40 -0400
committer: Rusty Russell <rusty@rustcorp.com.au> 2012-10-07 23:20:16 -0400
commit: 612e0fe99965a4028359cd1da5af56b7f6caf7f6 (patch)
tree: ff7fe3993067c3dc4f011ea702480add96b8e1e7
parent: 12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5 (diff)
4 files changed, 279 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index bbfccaa35293..561759d6a65f 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -18,4 +18,11 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
          appropriate hash algorithms (such as SHA-1) must be available.
          ENOPKG will be reported if the requisite algorithm is unavailable.
+config PUBLIC_KEY_ALGO_RSA
+        tristate "RSA public-key algorithm"
+        depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+        select MPILIB_EXTRA
+        help
+          This option enables support for the RSA algorithm (PKCS#1, RFC3447).
 endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 8dcdf0cdb261..7c92691a45eb 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -7,3 +7,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
 asymmetric_keys-y := asymmetric_type.o signature.o
 obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h
index 1f86aad31003..5e5e35626899 100644
--- a/crypto/asymmetric_keys/public_key.h
+++ b/crypto/asymmetric_keys/public_key.h
@@ -26,3 +26,5 @@ struct public_key_algorithm {
        int (*verify_signature)(const struct public_key *key,
                                const struct public_key_signature *sig);
 };
+extern const struct public_key_algorithm RSA_public_key_algorithm;
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
new file mode 100644
index 000000000000..9b31ee25a459
--- /dev/null
+++ b/crypto/asymmetric_keys/rsa.c
@@ -0,0 +1,269 @@
+/* RSA asymmetric public-key algorithm [RFC3447]
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define pr_fmt(fmt) "RSA: "fmt
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include "public_key.h"
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("RSA Public Key Algorithm");
+#define kenter(FMT, ...) \
+        pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
+#define kleave(FMT, ...) \
+        pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
+/*
+ * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
+ */
+static const u8 RSA_digest_info_MD5[] = {
+        0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
+        0x05, 0x00, 0x04, 0x10
+};
+static const u8 RSA_digest_info_SHA1[] = {
+        0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+        0x2B, 0x0E, 0x03, 0x02, 0x1A,
+        0x05, 0x00, 0x04, 0x14
+};
+static const u8 RSA_digest_info_RIPE_MD_160[] = {
+        0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+        0x2B, 0x24, 0x03, 0x02, 0x01,
+        0x05, 0x00, 0x04, 0x14
+};
+static const u8 RSA_digest_info_SHA224[] = {
+        0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
+        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
+        0x05, 0x00, 0x04, 0x1C
+};
+static const u8 RSA_digest_info_SHA256[] = {
+        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+        0x05, 0x00, 0x04, 0x20
+};
+static const u8 RSA_digest_info_SHA384[] = {
+        0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
+        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
+        0x05, 0x00, 0x04, 0x30
+};
+static const u8 RSA_digest_info_SHA512[] = {
+        0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+        0x05, 0x00, 0x04, 0x40
+};
+static const struct {
+        const u8 *data;
+        size_t size;
+} RSA_ASN1_templates[PKEY_HASH__LAST] = {
+#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
+        [PKEY_HASH_MD5]         = _(MD5),
+        [PKEY_HASH_SHA1]        = _(SHA1),
+        [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
+        [PKEY_HASH_SHA256]      = _(SHA256),
+        [PKEY_HASH_SHA384]      = _(SHA384),
+        [PKEY_HASH_SHA512]      = _(SHA512),
+        [PKEY_HASH_SHA224]      = _(SHA224),
+#undef _
+};
+/*
+ * RSAVP1() function [RFC3447 sec 5.2.2]
+ */
+static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
+{
+        MPI m;
+        int ret;
+        /* (1) Validate 0 <= s < n */
+        if (mpi_cmp_ui(s, 0) < 0) {
+                kleave(" = -EBADMSG [s < 0]");
+                return -EBADMSG;
+        }
+        if (mpi_cmp(s, key->rsa.n) >= 0) {
+                kleave(" = -EBADMSG [s >= n]");
+                return -EBADMSG;
+        }
+        m = mpi_alloc(0);
+        if (!m)
+                return -ENOMEM;
+        /* (2) m = s^e mod n */
+        ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
+        if (ret < 0) {
+                mpi_free(m);
+                return ret;
+        }
+        *_m = m;
+        return 0;
+}
+/*
+ * Integer to Octet String conversion [RFC3447 sec 4.1]
+ */
+static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
+{
+        unsigned X_size, x_size;
+        int X_sign;
+        u8 *X;
+        /* Make sure the string is the right length.  The number should begin
+         * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
+         * bits not being reported by MPI.
+         */
+        x_size = mpi_get_nbits(x);
+        pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
+        if (x_size != xLen * 8 - 15)
+                return -ERANGE;
+        X = mpi_get_buffer(x, &X_size, &X_sign);
+        if (!X)
+                return -ENOMEM;
+        if (X_sign < 0) {
+                kfree(X);
+                return -EBADMSG;
+        }
+        if (X_size != xLen - 1) {
+                kfree(X);
+                return -EBADMSG;
+        }
+        *_X = X;
+        return 0;
+}
+/*
+ * Perform the RSA signature verification.
+ * @H: Value of hash of data and metadata
+ * @EM: The computed signature value
+ * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
+ * @hash_size: The size of H
+ * @asn1_template: The DigestInfo ASN.1 template
+ * @asn1_size: Size of asm1_template[]
+ */
+static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
+                      const u8 *asn1_template, size_t asn1_size)
+{
+        unsigned PS_end, T_offset, i;
+        kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
+        if (k < 2 + 1 + asn1_size + hash_size)
+                return -EBADMSG;
+        /* Decode the EMSA-PKCS1-v1_5 */
+        if (EM[1] != 0x01) {
+                kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
+                return -EBADMSG;
+        }
+        T_offset = k - (asn1_size + hash_size);
+        PS_end = T_offset - 1;
+        if (EM[PS_end] != 0x00) {
+                kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
+                return -EBADMSG;
+        }
+        for (i = 2; i < PS_end; i++) {
+                if (EM[i] != 0xff) {
+                        kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
+                        return -EBADMSG;
+                }
+        }
+        if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
+                kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
+                return -EBADMSG;
+        }
+        if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
+                kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
+                return -EKEYREJECTED;
+        }
+        kleave(" = 0");
+        return 0;
+}
+/*
+ * Perform the verification step [RFC3447 sec 8.2.2].
+ */
+static int RSA_verify_signature(const struct public_key *key,
+                                const struct public_key_signature *sig)
+{
+        size_t tsize;
+        int ret;
+        /* Variables as per RFC3447 sec 8.2.2 */
+        const u8 *H = sig->digest;
+        u8 *EM = NULL;
+        MPI m = NULL;
+        size_t k;
+        kenter("");
+        if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
+                return -ENOTSUPP;
+        /* (1) Check the signature size against the public key modulus size */
+        k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
+        tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
+        pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
+        if (tsize != k) {
+                ret = -EBADMSG;
+                goto error;
+        }
+        /* (2b) Apply the RSAVP1 verification primitive to the public key */
+        ret = RSAVP1(key, sig->rsa.s, &m);
+        if (ret < 0)
+                goto error;
+        /* (2c) Convert the message representative (m) to an encoded message
+         *      (EM) of length k octets.
+         *
+         *      NOTE!  The leading zero byte is suppressed by MPI, so we pass a
+         *      pointer to the _preceding_ byte to RSA_verify()!
+         */
+        ret = RSA_I2OSP(m, k, &EM);
+        if (ret < 0)
+                goto error;
+        ret = RSA_verify(H, EM - 1, k, sig->digest_size,
+                         RSA_ASN1_templates[sig->pkey_hash_algo].data,
+                         RSA_ASN1_templates[sig->pkey_hash_algo].size);
+error:
+        kfree(EM);
+        mpi_free(m);
+        kleave(" = %d", ret);
+        return ret;
+}
+const struct public_key_algorithm RSA_public_key_algorithm = {
+        .name           = "RSA",
+        .n_pub_mpi      = 2,
+        .n_sec_mpi      = 3,
+        .n_sig_mpi      = 1,
+        .verify_signature = RSA_verify_signature,
+};
+EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);
author	David Howells <dhowells@redhat.com>	2012-09-21 18:25:40 -0400
committer	Rusty Russell <rusty@rustcorp.com.au>	2012-10-07 23:20:16 -0400
commit	612e0fe99965a4028359cd1da5af56b7f6caf7f6 (patch)
tree	ff7fe3993067c3dc4f011ea702480add96b8e1e7
parent	12f008b6dc5ff1c822fdb2198d20e3dbdc92f3f5 (diff)

diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index bbfccaa35293..561759d6a65f 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig
@@ -18,4 +18,11 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
18	appropriate hash algorithms (such as SHA-1) must be available.	18	appropriate hash algorithms (such as SHA-1) must be available.
19	ENOPKG will be reported if the requisite algorithm is unavailable.	19	ENOPKG will be reported if the requisite algorithm is unavailable.
20		20
		21	config PUBLIC_KEY_ALGO_RSA
		22	tristate "RSA public-key algorithm"
		23	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
		24	select MPILIB_EXTRA
		25	help
		26	This option enables support for the RSA algorithm (PKCS#1, RFC3447).
		27
21	endif # ASYMMETRIC_KEY_TYPE	28	endif # ASYMMETRIC_KEY_TYPE


diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index 8dcdf0cdb261..7c92691a45eb 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile
@@ -7,3 +7,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
7	asymmetric_keys-y := asymmetric_type.o signature.o	7	asymmetric_keys-y := asymmetric_type.o signature.o
8		8
9	obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o	9	obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
		10	obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o


diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h index 1f86aad31003..5e5e35626899 100644 --- a/crypto/asymmetric_keys/public_key.h +++ b/crypto/asymmetric_keys/public_key.h
@@ -26,3 +26,5 @@ struct public_key_algorithm {
26	int (verify_signature)(const struct public_key key,	26	int (verify_signature)(const struct public_key key,
27	const struct public_key_signature *sig);	27	const struct public_key_signature *sig);
28	};	28	};
		29
		30	extern const struct public_key_algorithm RSA_public_key_algorithm;


diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c new file mode 100644 index 000000000000..9b31ee25a459 --- /dev/null +++ b/crypto/asymmetric_keys/rsa.c
@@ -0,0 +1,269 @@
		1	/* RSA asymmetric public-key algorithm [RFC3447]
		2	*
		3	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
		4	* Written by David Howells (dhowells@redhat.com)
		5	*
		6	* This program is free software; you can redistribute it and/or
		7	* modify it under the terms of the GNU General Public Licence
		8	* as published by the Free Software Foundation; either version
		9	* 2 of the Licence, or (at your option) any later version.
		10	*/
		11
		12	#define pr_fmt(fmt) "RSA: "fmt
		13	#include <linux/module.h>
		14	#include <linux/kernel.h>
		15	#include <linux/slab.h>
		16	#include "public_key.h"
		17
		18	MODULE_LICENSE("GPL");
		19	MODULE_DESCRIPTION("RSA Public Key Algorithm");
		20
		21	#define kenter(FMT, ...) \
		22	pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
		23	#define kleave(FMT, ...) \
		24	pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
		25
		26	/*
		27	* Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
		28	*/
		29	static const u8 RSA_digest_info_MD5[] = {
		30	0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
		31	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
		32	0x05, 0x00, 0x04, 0x10
		33	};
		34
		35	static const u8 RSA_digest_info_SHA1[] = {
		36	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
		37	0x2B, 0x0E, 0x03, 0x02, 0x1A,
		38	0x05, 0x00, 0x04, 0x14
		39	};
		40
		41	static const u8 RSA_digest_info_RIPE_MD_160[] = {
		42	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
		43	0x2B, 0x24, 0x03, 0x02, 0x01,
		44	0x05, 0x00, 0x04, 0x14
		45	};
		46
		47	static const u8 RSA_digest_info_SHA224[] = {
		48	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
		49	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
		50	0x05, 0x00, 0x04, 0x1C
		51	};
		52
		53	static const u8 RSA_digest_info_SHA256[] = {
		54	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
		55	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
		56	0x05, 0x00, 0x04, 0x20
		57	};
		58
		59	static const u8 RSA_digest_info_SHA384[] = {
		60	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
		61	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
		62	0x05, 0x00, 0x04, 0x30
		63	};
		64
		65	static const u8 RSA_digest_info_SHA512[] = {
		66	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
		67	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
		68	0x05, 0x00, 0x04, 0x40
		69	};
		70
		71	static const struct {
		72	const u8 *data;
		73	size_t size;
		74	} RSA_ASN1_templates[PKEY_HASH__LAST] = {
		75	#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
		76	[PKEY_HASH_MD5] = _(MD5),
		77	[PKEY_HASH_SHA1] = _(SHA1),
		78	[PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
		79	[PKEY_HASH_SHA256] = _(SHA256),
		80	[PKEY_HASH_SHA384] = _(SHA384),
		81	[PKEY_HASH_SHA512] = _(SHA512),
		82	[PKEY_HASH_SHA224] = _(SHA224),
		83	#undef _
		84	};
		85
		86	/*
		87	* RSAVP1() function [RFC3447 sec 5.2.2]
		88	*/
		89	static int RSAVP1(const struct public_key key, MPI s, MPI _m)
		90	{
		91	MPI m;
		92	int ret;
		93
		94	/* (1) Validate 0 <= s < n */
		95	if (mpi_cmp_ui(s, 0) < 0) {
		96	kleave(" = -EBADMSG [s < 0]");
		97	return -EBADMSG;
		98	}
		99	if (mpi_cmp(s, key->rsa.n) >= 0) {
		100	kleave(" = -EBADMSG [s >= n]");
		101	return -EBADMSG;
		102	}
		103
		104	m = mpi_alloc(0);
		105	if (!m)
		106	return -ENOMEM;
		107
		108	/* (2) m = s^e mod n */
		109	ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
		110	if (ret < 0) {
		111	mpi_free(m);
		112	return ret;
		113	}
		114
		115	*_m = m;
		116	return 0;
		117	}
		118
		119	/*
		120	* Integer to Octet String conversion [RFC3447 sec 4.1]
		121	*/
		122	static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
		123	{
		124	unsigned X_size, x_size;
		125	int X_sign;
		126	u8 *X;
		127
		128	/* Make sure the string is the right length. The number should begin
		129	* with { 0x00, 0x01, ... } so we have to account for 15 leading zero
		130	* bits not being reported by MPI.
		131	*/
		132	x_size = mpi_get_nbits(x);
		133	pr_devel("size(x)=%u xLen8=%zu\n", x_size, xLen 8);
		134	if (x_size != xLen * 8 - 15)
		135	return -ERANGE;
		136
		137	X = mpi_get_buffer(x, &X_size, &X_sign);
		138	if (!X)
		139	return -ENOMEM;
		140	if (X_sign < 0) {
		141	kfree(X);
		142	return -EBADMSG;
		143	}
		144	if (X_size != xLen - 1) {
		145	kfree(X);
		146	return -EBADMSG;
		147	}
		148
		149	*_X = X;
		150	return 0;
		151	}
		152
		153	/*
		154	* Perform the RSA signature verification.
		155	* @H: Value of hash of data and metadata
		156	* @EM: The computed signature value
		157	* @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
		158	* @hash_size: The size of H
		159	* @asn1_template: The DigestInfo ASN.1 template
		160	* @asn1_size: Size of asm1_template[]
		161	*/
		162	static int RSA_verify(const u8 H, const u8 EM, size_t k, size_t hash_size,
		163	const u8 *asn1_template, size_t asn1_size)
		164	{
		165	unsigned PS_end, T_offset, i;
		166
		167	kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
		168
		169	if (k < 2 + 1 + asn1_size + hash_size)
		170	return -EBADMSG;
		171
		172	/* Decode the EMSA-PKCS1-v1_5 */
		173	if (EM[1] != 0x01) {
		174	kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
		175	return -EBADMSG;
		176	}
		177
		178	T_offset = k - (asn1_size + hash_size);
		179	PS_end = T_offset - 1;
		180	if (EM[PS_end] != 0x00) {
		181	kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
		182	return -EBADMSG;
		183	}
		184
		185	for (i = 2; i < PS_end; i++) {
		186	if (EM[i] != 0xff) {
		187	kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
		188	return -EBADMSG;
		189	}
		190	}
		191
		192	if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
		193	kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
		194	return -EBADMSG;
		195	}
		196
		197	if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
		198	kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
		199	return -EKEYREJECTED;
		200	}
		201
		202	kleave(" = 0");
		203	return 0;
		204	}
		205
		206	/*
		207	* Perform the verification step [RFC3447 sec 8.2.2].
		208	*/
		209	static int RSA_verify_signature(const struct public_key *key,
		210	const struct public_key_signature *sig)
		211	{
		212	size_t tsize;
		213	int ret;
		214
		215	/* Variables as per RFC3447 sec 8.2.2 */
		216	const u8 *H = sig->digest;
		217	u8 *EM = NULL;
		218	MPI m = NULL;
		219	size_t k;
		220
		221	kenter("");
		222
		223	if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
		224	return -ENOTSUPP;
		225
		226	/* (1) Check the signature size against the public key modulus size */
		227	k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
		228
		229	tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
		230	pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
		231	if (tsize != k) {
		232	ret = -EBADMSG;
		233	goto error;
		234	}
		235
		236	/* (2b) Apply the RSAVP1 verification primitive to the public key */
		237	ret = RSAVP1(key, sig->rsa.s, &m);
		238	if (ret < 0)
		239	goto error;
		240
		241	/* (2c) Convert the message representative (m) to an encoded message
		242	* (EM) of length k octets.
		243	*
		244	* NOTE! The leading zero byte is suppressed by MPI, so we pass a
		245	* pointer to the _preceding_ byte to RSA_verify()!
		246	*/
		247	ret = RSA_I2OSP(m, k, &EM);
		248	if (ret < 0)
		249	goto error;
		250
		251	ret = RSA_verify(H, EM - 1, k, sig->digest_size,
		252	RSA_ASN1_templates[sig->pkey_hash_algo].data,
		253	RSA_ASN1_templates[sig->pkey_hash_algo].size);
		254
		255	error:
		256	kfree(EM);
		257	mpi_free(m);
		258	kleave(" = %d", ret);
		259	return ret;
		260	}
		261
		262	const struct public_key_algorithm RSA_public_key_algorithm = {
		263	.name = "RSA",
		264	.n_pub_mpi = 2,
		265	.n_sec_mpi = 3,
		266	.n_sig_mpi = 1,
		267	.verify_signature = RSA_verify_signature,
		268	};
		269	EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);