diff options
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/asymmetric_keys/Kconfig | 7 | ||||
-rw-r--r-- | crypto/asymmetric_keys/Makefile | 1 | ||||
-rw-r--r-- | crypto/asymmetric_keys/public_key.h | 2 | ||||
-rw-r--r-- | crypto/asymmetric_keys/rsa.c | 269 |
4 files changed, 279 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index bbfccaa35293..561759d6a65f 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig | |||
@@ -18,4 +18,11 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE | |||
18 | appropriate hash algorithms (such as SHA-1) must be available. | 18 | appropriate hash algorithms (such as SHA-1) must be available. |
19 | ENOPKG will be reported if the requisite algorithm is unavailable. | 19 | ENOPKG will be reported if the requisite algorithm is unavailable. |
20 | 20 | ||
21 | config PUBLIC_KEY_ALGO_RSA | ||
22 | tristate "RSA public-key algorithm" | ||
23 | depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE | ||
24 | select MPILIB_EXTRA | ||
25 | help | ||
26 | This option enables support for the RSA algorithm (PKCS#1, RFC3447). | ||
27 | |||
21 | endif # ASYMMETRIC_KEY_TYPE | 28 | endif # ASYMMETRIC_KEY_TYPE |
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index 8dcdf0cdb261..7c92691a45eb 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile | |||
@@ -7,3 +7,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o | |||
7 | asymmetric_keys-y := asymmetric_type.o signature.o | 7 | asymmetric_keys-y := asymmetric_type.o signature.o |
8 | 8 | ||
9 | obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o | 9 | obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o |
10 | obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o | ||
diff --git a/crypto/asymmetric_keys/public_key.h b/crypto/asymmetric_keys/public_key.h index 1f86aad31003..5e5e35626899 100644 --- a/crypto/asymmetric_keys/public_key.h +++ b/crypto/asymmetric_keys/public_key.h | |||
@@ -26,3 +26,5 @@ struct public_key_algorithm { | |||
26 | int (*verify_signature)(const struct public_key *key, | 26 | int (*verify_signature)(const struct public_key *key, |
27 | const struct public_key_signature *sig); | 27 | const struct public_key_signature *sig); |
28 | }; | 28 | }; |
29 | |||
30 | extern const struct public_key_algorithm RSA_public_key_algorithm; | ||
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c new file mode 100644 index 000000000000..9b31ee25a459 --- /dev/null +++ b/crypto/asymmetric_keys/rsa.c | |||
@@ -0,0 +1,269 @@ | |||
1 | /* RSA asymmetric public-key algorithm [RFC3447] | ||
2 | * | ||
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | ||
4 | * Written by David Howells (dhowells@redhat.com) | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or | ||
7 | * modify it under the terms of the GNU General Public Licence | ||
8 | * as published by the Free Software Foundation; either version | ||
9 | * 2 of the Licence, or (at your option) any later version. | ||
10 | */ | ||
11 | |||
12 | #define pr_fmt(fmt) "RSA: "fmt | ||
13 | #include <linux/module.h> | ||
14 | #include <linux/kernel.h> | ||
15 | #include <linux/slab.h> | ||
16 | #include "public_key.h" | ||
17 | |||
18 | MODULE_LICENSE("GPL"); | ||
19 | MODULE_DESCRIPTION("RSA Public Key Algorithm"); | ||
20 | |||
21 | #define kenter(FMT, ...) \ | ||
22 | pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) | ||
23 | #define kleave(FMT, ...) \ | ||
24 | pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) | ||
25 | |||
26 | /* | ||
27 | * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. | ||
28 | */ | ||
29 | static const u8 RSA_digest_info_MD5[] = { | ||
30 | 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, | ||
31 | 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */ | ||
32 | 0x05, 0x00, 0x04, 0x10 | ||
33 | }; | ||
34 | |||
35 | static const u8 RSA_digest_info_SHA1[] = { | ||
36 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | ||
37 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, | ||
38 | 0x05, 0x00, 0x04, 0x14 | ||
39 | }; | ||
40 | |||
41 | static const u8 RSA_digest_info_RIPE_MD_160[] = { | ||
42 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | ||
43 | 0x2B, 0x24, 0x03, 0x02, 0x01, | ||
44 | 0x05, 0x00, 0x04, 0x14 | ||
45 | }; | ||
46 | |||
47 | static const u8 RSA_digest_info_SHA224[] = { | ||
48 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, | ||
49 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, | ||
50 | 0x05, 0x00, 0x04, 0x1C | ||
51 | }; | ||
52 | |||
53 | static const u8 RSA_digest_info_SHA256[] = { | ||
54 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, | ||
55 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | ||
56 | 0x05, 0x00, 0x04, 0x20 | ||
57 | }; | ||
58 | |||
59 | static const u8 RSA_digest_info_SHA384[] = { | ||
60 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, | ||
61 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, | ||
62 | 0x05, 0x00, 0x04, 0x30 | ||
63 | }; | ||
64 | |||
65 | static const u8 RSA_digest_info_SHA512[] = { | ||
66 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, | ||
67 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, | ||
68 | 0x05, 0x00, 0x04, 0x40 | ||
69 | }; | ||
70 | |||
71 | static const struct { | ||
72 | const u8 *data; | ||
73 | size_t size; | ||
74 | } RSA_ASN1_templates[PKEY_HASH__LAST] = { | ||
75 | #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) } | ||
76 | [PKEY_HASH_MD5] = _(MD5), | ||
77 | [PKEY_HASH_SHA1] = _(SHA1), | ||
78 | [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160), | ||
79 | [PKEY_HASH_SHA256] = _(SHA256), | ||
80 | [PKEY_HASH_SHA384] = _(SHA384), | ||
81 | [PKEY_HASH_SHA512] = _(SHA512), | ||
82 | [PKEY_HASH_SHA224] = _(SHA224), | ||
83 | #undef _ | ||
84 | }; | ||
85 | |||
86 | /* | ||
87 | * RSAVP1() function [RFC3447 sec 5.2.2] | ||
88 | */ | ||
89 | static int RSAVP1(const struct public_key *key, MPI s, MPI *_m) | ||
90 | { | ||
91 | MPI m; | ||
92 | int ret; | ||
93 | |||
94 | /* (1) Validate 0 <= s < n */ | ||
95 | if (mpi_cmp_ui(s, 0) < 0) { | ||
96 | kleave(" = -EBADMSG [s < 0]"); | ||
97 | return -EBADMSG; | ||
98 | } | ||
99 | if (mpi_cmp(s, key->rsa.n) >= 0) { | ||
100 | kleave(" = -EBADMSG [s >= n]"); | ||
101 | return -EBADMSG; | ||
102 | } | ||
103 | |||
104 | m = mpi_alloc(0); | ||
105 | if (!m) | ||
106 | return -ENOMEM; | ||
107 | |||
108 | /* (2) m = s^e mod n */ | ||
109 | ret = mpi_powm(m, s, key->rsa.e, key->rsa.n); | ||
110 | if (ret < 0) { | ||
111 | mpi_free(m); | ||
112 | return ret; | ||
113 | } | ||
114 | |||
115 | *_m = m; | ||
116 | return 0; | ||
117 | } | ||
118 | |||
119 | /* | ||
120 | * Integer to Octet String conversion [RFC3447 sec 4.1] | ||
121 | */ | ||
122 | static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) | ||
123 | { | ||
124 | unsigned X_size, x_size; | ||
125 | int X_sign; | ||
126 | u8 *X; | ||
127 | |||
128 | /* Make sure the string is the right length. The number should begin | ||
129 | * with { 0x00, 0x01, ... } so we have to account for 15 leading zero | ||
130 | * bits not being reported by MPI. | ||
131 | */ | ||
132 | x_size = mpi_get_nbits(x); | ||
133 | pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8); | ||
134 | if (x_size != xLen * 8 - 15) | ||
135 | return -ERANGE; | ||
136 | |||
137 | X = mpi_get_buffer(x, &X_size, &X_sign); | ||
138 | if (!X) | ||
139 | return -ENOMEM; | ||
140 | if (X_sign < 0) { | ||
141 | kfree(X); | ||
142 | return -EBADMSG; | ||
143 | } | ||
144 | if (X_size != xLen - 1) { | ||
145 | kfree(X); | ||
146 | return -EBADMSG; | ||
147 | } | ||
148 | |||
149 | *_X = X; | ||
150 | return 0; | ||
151 | } | ||
152 | |||
153 | /* | ||
154 | * Perform the RSA signature verification. | ||
155 | * @H: Value of hash of data and metadata | ||
156 | * @EM: The computed signature value | ||
157 | * @k: The size of EM (EM[0] is an invalid location but should hold 0x00) | ||
158 | * @hash_size: The size of H | ||
159 | * @asn1_template: The DigestInfo ASN.1 template | ||
160 | * @asn1_size: Size of asm1_template[] | ||
161 | */ | ||
162 | static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size, | ||
163 | const u8 *asn1_template, size_t asn1_size) | ||
164 | { | ||
165 | unsigned PS_end, T_offset, i; | ||
166 | |||
167 | kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size); | ||
168 | |||
169 | if (k < 2 + 1 + asn1_size + hash_size) | ||
170 | return -EBADMSG; | ||
171 | |||
172 | /* Decode the EMSA-PKCS1-v1_5 */ | ||
173 | if (EM[1] != 0x01) { | ||
174 | kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]); | ||
175 | return -EBADMSG; | ||
176 | } | ||
177 | |||
178 | T_offset = k - (asn1_size + hash_size); | ||
179 | PS_end = T_offset - 1; | ||
180 | if (EM[PS_end] != 0x00) { | ||
181 | kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]); | ||
182 | return -EBADMSG; | ||
183 | } | ||
184 | |||
185 | for (i = 2; i < PS_end; i++) { | ||
186 | if (EM[i] != 0xff) { | ||
187 | kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]); | ||
188 | return -EBADMSG; | ||
189 | } | ||
190 | } | ||
191 | |||
192 | if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) { | ||
193 | kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]"); | ||
194 | return -EBADMSG; | ||
195 | } | ||
196 | |||
197 | if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) { | ||
198 | kleave(" = -EKEYREJECTED [EM[T] hash mismatch]"); | ||
199 | return -EKEYREJECTED; | ||
200 | } | ||
201 | |||
202 | kleave(" = 0"); | ||
203 | return 0; | ||
204 | } | ||
205 | |||
206 | /* | ||
207 | * Perform the verification step [RFC3447 sec 8.2.2]. | ||
208 | */ | ||
209 | static int RSA_verify_signature(const struct public_key *key, | ||
210 | const struct public_key_signature *sig) | ||
211 | { | ||
212 | size_t tsize; | ||
213 | int ret; | ||
214 | |||
215 | /* Variables as per RFC3447 sec 8.2.2 */ | ||
216 | const u8 *H = sig->digest; | ||
217 | u8 *EM = NULL; | ||
218 | MPI m = NULL; | ||
219 | size_t k; | ||
220 | |||
221 | kenter(""); | ||
222 | |||
223 | if (!RSA_ASN1_templates[sig->pkey_hash_algo].data) | ||
224 | return -ENOTSUPP; | ||
225 | |||
226 | /* (1) Check the signature size against the public key modulus size */ | ||
227 | k = (mpi_get_nbits(key->rsa.n) + 7) / 8; | ||
228 | |||
229 | tsize = (mpi_get_nbits(sig->rsa.s) + 7) / 8; | ||
230 | pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize); | ||
231 | if (tsize != k) { | ||
232 | ret = -EBADMSG; | ||
233 | goto error; | ||
234 | } | ||
235 | |||
236 | /* (2b) Apply the RSAVP1 verification primitive to the public key */ | ||
237 | ret = RSAVP1(key, sig->rsa.s, &m); | ||
238 | if (ret < 0) | ||
239 | goto error; | ||
240 | |||
241 | /* (2c) Convert the message representative (m) to an encoded message | ||
242 | * (EM) of length k octets. | ||
243 | * | ||
244 | * NOTE! The leading zero byte is suppressed by MPI, so we pass a | ||
245 | * pointer to the _preceding_ byte to RSA_verify()! | ||
246 | */ | ||
247 | ret = RSA_I2OSP(m, k, &EM); | ||
248 | if (ret < 0) | ||
249 | goto error; | ||
250 | |||
251 | ret = RSA_verify(H, EM - 1, k, sig->digest_size, | ||
252 | RSA_ASN1_templates[sig->pkey_hash_algo].data, | ||
253 | RSA_ASN1_templates[sig->pkey_hash_algo].size); | ||
254 | |||
255 | error: | ||
256 | kfree(EM); | ||
257 | mpi_free(m); | ||
258 | kleave(" = %d", ret); | ||
259 | return ret; | ||
260 | } | ||
261 | |||
262 | const struct public_key_algorithm RSA_public_key_algorithm = { | ||
263 | .name = "RSA", | ||
264 | .n_pub_mpi = 2, | ||
265 | .n_sec_mpi = 3, | ||
266 | .n_sig_mpi = 1, | ||
267 | .verify_signature = RSA_verify_signature, | ||
268 | }; | ||
269 | EXPORT_SYMBOL_GPL(RSA_public_key_algorithm); | ||