aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asymmetric_keys/Kconfig7
-rw-r--r--crypto/asymmetric_keys/Makefile1
-rw-r--r--crypto/asymmetric_keys/public_key.h2
-rw-r--r--crypto/asymmetric_keys/rsa.c269
4 files changed, 279 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index bbfccaa35293..561759d6a65f 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -18,4 +18,11 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
18 appropriate hash algorithms (such as SHA-1) must be available. 18 appropriate hash algorithms (such as SHA-1) must be available.
19 ENOPKG will be reported if the requisite algorithm is unavailable. 19 ENOPKG will be reported if the requisite algorithm is unavailable.
20 20
21config PUBLIC_KEY_ALGO_RSA
22 tristate "RSA public-key algorithm"
23 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
24 select MPILIB_EXTRA
25 help
26 This option enables support for the RSA algorithm (PKCS#1, RFC3447).
27
21endif # ASYMMETRIC_KEY_TYPE 28endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 8dcdf0cdb261..7c92691a45eb 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -7,3 +7,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
7asymmetric_keys-y := asymmetric_type.o signature.o 7asymmetric_keys-y := asymmetric_type.o signature.o
8 8
9obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o 9obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
10obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o
diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h
index 1f86aad31003..5e5e35626899 100644
--- a/crypto/asymmetric_keys/public_key.h
+++ b/crypto/asymmetric_keys/public_key.h
@@ -26,3 +26,5 @@ struct public_key_algorithm {
26 int (*verify_signature)(const struct public_key *key, 26 int (*verify_signature)(const struct public_key *key,
27 const struct public_key_signature *sig); 27 const struct public_key_signature *sig);
28}; 28};
29
30extern const struct public_key_algorithm RSA_public_key_algorithm;
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
new file mode 100644
index 000000000000..9b31ee25a459
--- /dev/null
+++ b/crypto/asymmetric_keys/rsa.c
@@ -0,0 +1,269 @@
1/* RSA asymmetric public-key algorithm [RFC3447]
2 *
3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#define pr_fmt(fmt) "RSA: "fmt
13#include <linux/module.h>
14#include <linux/kernel.h>
15#include <linux/slab.h>
16#include "public_key.h"
17
18MODULE_LICENSE("GPL");
19MODULE_DESCRIPTION("RSA Public Key Algorithm");
20
21#define kenter(FMT, ...) \
22 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
23#define kleave(FMT, ...) \
24 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
25
26/*
27 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
28 */
29static const u8 RSA_digest_info_MD5[] = {
30 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
31 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
32 0x05, 0x00, 0x04, 0x10
33};
34
35static const u8 RSA_digest_info_SHA1[] = {
36 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
37 0x2B, 0x0E, 0x03, 0x02, 0x1A,
38 0x05, 0x00, 0x04, 0x14
39};
40
41static const u8 RSA_digest_info_RIPE_MD_160[] = {
42 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
43 0x2B, 0x24, 0x03, 0x02, 0x01,
44 0x05, 0x00, 0x04, 0x14
45};
46
47static const u8 RSA_digest_info_SHA224[] = {
48 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
49 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
50 0x05, 0x00, 0x04, 0x1C
51};
52
53static const u8 RSA_digest_info_SHA256[] = {
54 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
55 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
56 0x05, 0x00, 0x04, 0x20
57};
58
59static const u8 RSA_digest_info_SHA384[] = {
60 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
61 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
62 0x05, 0x00, 0x04, 0x30
63};
64
65static const u8 RSA_digest_info_SHA512[] = {
66 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
67 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
68 0x05, 0x00, 0x04, 0x40
69};
70
71static const struct {
72 const u8 *data;
73 size_t size;
74} RSA_ASN1_templates[PKEY_HASH__LAST] = {
75#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
76 [PKEY_HASH_MD5] = _(MD5),
77 [PKEY_HASH_SHA1] = _(SHA1),
78 [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
79 [PKEY_HASH_SHA256] = _(SHA256),
80 [PKEY_HASH_SHA384] = _(SHA384),
81 [PKEY_HASH_SHA512] = _(SHA512),
82 [PKEY_HASH_SHA224] = _(SHA224),
83#undef _
84};
85
86/*
87 * RSAVP1() function [RFC3447 sec 5.2.2]
88 */
89static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
90{
91 MPI m;
92 int ret;
93
94 /* (1) Validate 0 <= s < n */
95 if (mpi_cmp_ui(s, 0) < 0) {
96 kleave(" = -EBADMSG [s < 0]");
97 return -EBADMSG;
98 }
99 if (mpi_cmp(s, key->rsa.n) >= 0) {
100 kleave(" = -EBADMSG [s >= n]");
101 return -EBADMSG;
102 }
103
104 m = mpi_alloc(0);
105 if (!m)
106 return -ENOMEM;
107
108 /* (2) m = s^e mod n */
109 ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
110 if (ret < 0) {
111 mpi_free(m);
112 return ret;
113 }
114
115 *_m = m;
116 return 0;
117}
118
119/*
120 * Integer to Octet String conversion [RFC3447 sec 4.1]
121 */
122static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
123{
124 unsigned X_size, x_size;
125 int X_sign;
126 u8 *X;
127
128 /* Make sure the string is the right length. The number should begin
129 * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
130 * bits not being reported by MPI.
131 */
132 x_size = mpi_get_nbits(x);
133 pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
134 if (x_size != xLen * 8 - 15)
135 return -ERANGE;
136
137 X = mpi_get_buffer(x, &X_size, &X_sign);
138 if (!X)
139 return -ENOMEM;
140 if (X_sign < 0) {
141 kfree(X);
142 return -EBADMSG;
143 }
144 if (X_size != xLen - 1) {
145 kfree(X);
146 return -EBADMSG;
147 }
148
149 *_X = X;
150 return 0;
151}
152
153/*
154 * Perform the RSA signature verification.
155 * @H: Value of hash of data and metadata
156 * @EM: The computed signature value
157 * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
158 * @hash_size: The size of H
159 * @asn1_template: The DigestInfo ASN.1 template
160 * @asn1_size: Size of asm1_template[]
161 */
162static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
163 const u8 *asn1_template, size_t asn1_size)
164{
165 unsigned PS_end, T_offset, i;
166
167 kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
168
169 if (k < 2 + 1 + asn1_size + hash_size)
170 return -EBADMSG;
171
172 /* Decode the EMSA-PKCS1-v1_5 */
173 if (EM[1] != 0x01) {
174 kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
175 return -EBADMSG;
176 }
177
178 T_offset = k - (asn1_size + hash_size);
179 PS_end = T_offset - 1;
180 if (EM[PS_end] != 0x00) {
181 kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
182 return -EBADMSG;
183 }
184
185 for (i = 2; i < PS_end; i++) {
186 if (EM[i] != 0xff) {
187 kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
188 return -EBADMSG;
189 }
190 }
191
192 if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
193 kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
194 return -EBADMSG;
195 }
196
197 if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
198 kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
199 return -EKEYREJECTED;
200 }
201
202 kleave(" = 0");
203 return 0;
204}
205
206/*
207 * Perform the verification step [RFC3447 sec 8.2.2].
208 */
209static int RSA_verify_signature(const struct public_key *key,
210 const struct public_key_signature *sig)
211{
212 size_t tsize;
213 int ret;
214
215 /* Variables as per RFC3447 sec 8.2.2 */
216 const u8 *H = sig->digest;
217 u8 *EM = NULL;
218 MPI m = NULL;
219 size_t k;
220
221 kenter("");
222
223 if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
224 return -ENOTSUPP;
225
226 /* (1) Check the signature size against the public key modulus size */
227 k = (mpi_get_nbits(key->rsa.n) + 7) / 8;
228
229 tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8;
230 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
231 if (tsize != k) {
232 ret = -EBADMSG;
233 goto error;
234 }
235
236 /* (2b) Apply the RSAVP1 verification primitive to the public key */
237 ret = RSAVP1(key, sig->rsa.s, &m);
238 if (ret < 0)
239 goto error;
240
241 /* (2c) Convert the message representative (m) to an encoded message
242 * (EM) of length k octets.
243 *
244 * NOTE! The leading zero byte is suppressed by MPI, so we pass a
245 * pointer to the _preceding_ byte to RSA_verify()!
246 */
247 ret = RSA_I2OSP(m, k, &EM);
248 if (ret < 0)
249 goto error;
250
251 ret = RSA_verify(H, EM - 1, k, sig->digest_size,
252 RSA_ASN1_templates[sig->pkey_hash_algo].data,
253 RSA_ASN1_templates[sig->pkey_hash_algo].size);
254
255error:
256 kfree(EM);
257 mpi_free(m);
258 kleave(" = %d", ret);
259 return ret;
260}
261
262const struct public_key_algorithm RSA_public_key_algorithm = {
263 .name = "RSA",
264 .n_pub_mpi = 2,
265 .n_sec_mpi = 3,
266 .n_sig_mpi = 1,
267 .verify_signature = RSA_verify_signature,
268};
269EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);