LXR linux/crypto/asymmetric

   1/* RSA asymmetric public-key algorithm [RFC3447]
   2 *
   3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public Licence
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the Licence, or (at your option) any later version.
  10 */
  11
  12#define pr_fmt(fmt) "RSA: "fmt
  13#include <linux/module.h>
  14#include <linux/kernel.h>
  15#include <linux/slab.h>
  16#include "public_key.h"
  17
  18MODULE_LICENSE("GPL");
  19MODULE_DESCRIPTION("RSA Public Key Algorithm");
  20
  21#define kenter(FMT, ...) \
  22        pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
  23#define kleave(FMT, ...) \
  24        pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
  25
  26/*
  27 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
  28 */
  29static const u8 RSA_digest_info_MD5[] = {
  30        0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
  31        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
  32        0x05, 0x00, 0x04, 0x10
  33};
  34
  35static const u8 RSA_digest_info_SHA1[] = {
  36        0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  37        0x2B, 0x0E, 0x03, 0x02, 0x1A,
  38        0x05, 0x00, 0x04, 0x14
  39};
  40
  41static const u8 RSA_digest_info_RIPE_MD_160[] = {
  42        0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  43        0x2B, 0x24, 0x03, 0x02, 0x01,
  44        0x05, 0x00, 0x04, 0x14
  45};
  46
  47static const u8 RSA_digest_info_SHA224[] = {
  48        0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
  49        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
  50        0x05, 0x00, 0x04, 0x1C
  51};
  52
  53static const u8 RSA_digest_info_SHA256[] = {
  54        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
  55        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
  56        0x05, 0x00, 0x04, 0x20
  57};
  58
  59static const u8 RSA_digest_info_SHA384[] = {
  60        0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
  61        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
  62        0x05, 0x00, 0x04, 0x30
  63};
  64
  65static const u8 RSA_digest_info_SHA512[] = {
  66        0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
  67        0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
  68        0x05, 0x00, 0x04, 0x40
  69};
  70
  71static const struct {
  72        const u8 *data;
  73        size_t size;
  74} RSA_ASN1_templates[PKEY_HASH__LAST] = {
  75#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
  76        [PKEY_HASH_MD5]         = _(MD5),
  77        [PKEY_HASH_SHA1]        = _(SHA1),
  78        [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
  79        [PKEY_HASH_SHA256]      = _(SHA256),
  80        [PKEY_HASH_SHA384]      = _(SHA384),
  81        [PKEY_HASH_SHA512]      = _(SHA512),
  82        [PKEY_HASH_SHA224]      = _(SHA224),
  83#undef _
  84};
  85
  86/*
  87 * RSAVP1() function [RFC3447 sec 5.2.2]
  88 */
  89static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
  90{
  91        MPI m;
  92        int ret;
  93
  94        /* (1) Validate 0 <= s < n */
  95        if (mpi_cmp_ui(s, 0) < 0) {
  96                kleave(" = -EBADMSG [s < 0]");
  97                return -EBADMSG;
  98        }
  99        if (mpi_cmp(s, key->rsa.n) >= 0) {
 100                kleave(" = -EBADMSG [s >= n]");
 101                return -EBADMSG;
 102        }
 103
 104        m = mpi_alloc(0);
 105        if (!m)
 106                return -ENOMEM;
 107
 108        /* (2) m = s^e mod n */
 109        ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
 110        if (ret < 0) {
 111                mpi_free(m);
 112                return ret;
 113        }
 114
 115        *_m = m;
 116        return 0;
 117}
 118
 119/*
 120 * Integer to Octet String conversion [RFC3447 sec 4.1]
 121 */
 122static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
 123{
 124        unsigned X_size, x_size;
 125        int X_sign;
 126        u8 *X;
 127
 128        /* Make sure the string is the right length.  The number should begin
 129         * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
 130         * bits not being reported by MPI.
 131         */
 132        x_size = mpi_get_nbits(x);
 133        pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
 134        if (x_size != xLen * 8 - 15)
 135                return -ERANGE;
 136
 137        X = mpi_get_buffer(x, &X_size, &X_sign);
 138        if (!X)
 139                return -ENOMEM;
 140        if (X_sign < 0) {
 141                kfree(X);
 142                return -EBADMSG;
 143        }
 144        if (X_size != xLen - 1) {
 145                kfree(X);
 146                return -EBADMSG;
 147        }
 148
 149        *_X = X;
 150        return 0;
 151}
 152
 153/*
 154 * Perform the RSA signature verification.
 155 * @H: Value of hash of data and metadata
 156 * @EM: The computed signature value
 157 * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
 158 * @hash_size: The size of H
 159 * @asn1_template: The DigestInfo ASN.1 template
 160 * @asn1_size: Size of asm1_template[]
 161 */
 162static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
 163                      const u8 *asn1_template, size_t asn1_size)
 164{
 165        unsigned PS_end, T_offset, i;
 166
 167        kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
 168
 169        if (k < 2 + 1 + asn1_size + hash_size)
 170                return -EBADMSG;
 171
 172        /* Decode the EMSA-PKCS1-v1_5 */
 173        if (EM[1] != 0x01) {
 174                kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
 175                return -EBADMSG;
 176        }
 177
 178        T_offset = k - (asn1_size + hash_size);
 179        PS_end = T_offset - 1;
 180        if (EM[PS_end] != 0x00) {
 181                kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
 182                return -EBADMSG;
 183        }
 184
 185        for (i = 2; i < PS_end; i++) {
 186                if (EM[i] != 0xff) {
 187                        kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
 188                        return -EBADMSG;
 189                }
 190        }
 191
 192        if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
 193                kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
 194                return -EBADMSG;
 195        }
 196
 197        if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
 198                kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
 199                return -EKEYREJECTED;
 200        }
 201
 202        kleave(" = 0");
 203        return 0;
 204}
 205
 206/*
 207 * Perform the verification step [RFC3447 sec 8.2.2].
 208 */
 209static int RSA_verify_signature(const struct public_key *key,
 210                                const struct public_key_signature *sig)
 211{
 212        size_t tsize;
 213        int ret;
 214
 215        /* Variables as per RFC3447 sec 8.2.2 */
 216        const u8 *H = sig->digest;
 217        u8 *EM = NULL;
 218        MPI m = NULL;
 219        size_t k;
 220
 221        kenter("");
 222
 223        if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
 224                return -ENOTSUPP;
 225
 226        /* (1) Check the signature size against the public key modulus size */
 227        k = mpi_get_nbits(key->rsa.n);
 228        tsize = mpi_get_nbits(sig->rsa.s);
 229
 230        /* According to RFC 4880 sec 3.2, length of MPI is computed starting
 231         * from most significant bit.  So the RFC 3447 sec 8.2.2 size check
 232         * must be relaxed to conform with shorter signatures - so we fail here
 233         * only if signature length is longer than modulus size.
 234         */
 235        pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
 236        if (k < tsize) {
 237                ret = -EBADMSG;
 238                goto error;
 239        }
 240
 241        /* Round up and convert to octets */
 242        k = (k + 7) / 8;
 243
 244        /* (2b) Apply the RSAVP1 verification primitive to the public key */
 245        ret = RSAVP1(key, sig->rsa.s, &m);
 246        if (ret < 0)
 247                goto error;
 248
 249        /* (2c) Convert the message representative (m) to an encoded message
 250         *      (EM) of length k octets.
 251         *
 252         *      NOTE!  The leading zero byte is suppressed by MPI, so we pass a
 253         *      pointer to the _preceding_ byte to RSA_verify()!
 254         */
 255        ret = RSA_I2OSP(m, k, &EM);
 256        if (ret < 0)
 257                goto error;
 258
 259        ret = RSA_verify(H, EM - 1, k, sig->digest_size,
 260                         RSA_ASN1_templates[sig->pkey_hash_algo].data,
 261                         RSA_ASN1_templates[sig->pkey_hash_algo].size);
 262
 263error:
 264        kfree(EM);
 265        mpi_free(m);
 266        kleave(" = %d", ret);
 267        return ret;
 268}
 269
 270const struct public_key_algorithm RSA_public_key_algorithm = {
 271        .name           = "RSA",
 272        .n_pub_mpi      = 2,
 273        .n_sec_mpi      = 3,
 274        .n_sig_mpi      = 1,
 275        .verify_signature = RSA_verify_signature,
 276};
 277EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);
 278