26b265cd29
Pull crypto update from Herbert Xu: - Made x86 ablk_helper generic for ARM - Phase out chainiv in favour of eseqiv (affects IPsec) - Fixed aes-cbc IV corruption on s390 - Added constant-time crypto_memneq which replaces memcmp - Fixed aes-ctr in omap-aes - Added OMAP3 ROM RNG support - Add PRNG support for MSM SoC's - Add and use Job Ring API in caam - Misc fixes [ NOTE! This pull request was sent within the merge window, but Herbert has some questionable email sending setup that makes him public enemy #1 as far as gmail is concerned. So most of his emails seem to be trapped by gmail as spam, resulting in me not seeing them. - Linus ] * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (49 commits) crypto: s390 - Fix aes-cbc IV corruption crypto: omap-aes - Fix CTR mode counter length crypto: omap-sham - Add missing modalias padata: make the sequence counter an atomic_t crypto: caam - Modify the interface layers to use JR API's crypto: caam - Add API's to allocate/free Job Rings crypto: caam - Add Platform driver for Job Ring hwrng: msm - Add PRNG support for MSM SoC's ARM: DT: msm: Add Qualcomm's PRNG driver binding document crypto: skcipher - Use eseqiv even on UP machines crypto: talitos - Simplify key parsing crypto: picoxcell - Simplify and harden key parsing crypto: ixp4xx - Simplify and harden key parsing crypto: authencesn - Simplify key parsing crypto: authenc - Export key parsing helper function crypto: mv_cesa: remove deprecated IRQF_DISABLED hwrng: OMAP3 ROM Random Number Generator support crypto: sha256_ssse3 - also test for BMI2 crypto: mv_cesa - Remove redundant of_match_ptr crypto: sahara - Remove redundant of_match_ptr ...
278 lines
6.7 KiB
C
278 lines
6.7 KiB
C
/* RSA asymmetric public-key algorithm [RFC3447]
|
|
*
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "RSA: "fmt
|
|
#include <linux/module.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <crypto/algapi.h>
|
|
#include "public_key.h"
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION("RSA Public Key Algorithm");
|
|
|
|
#define kenter(FMT, ...) \
|
|
pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
|
|
#define kleave(FMT, ...) \
|
|
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
|
|
|
|
/*
|
|
* Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
|
|
*/
|
|
static const u8 RSA_digest_info_MD5[] = {
|
|
0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
|
|
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
|
|
0x05, 0x00, 0x04, 0x10
|
|
};
|
|
|
|
static const u8 RSA_digest_info_SHA1[] = {
|
|
0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
|
|
0x2B, 0x0E, 0x03, 0x02, 0x1A,
|
|
0x05, 0x00, 0x04, 0x14
|
|
};
|
|
|
|
static const u8 RSA_digest_info_RIPE_MD_160[] = {
|
|
0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
|
|
0x2B, 0x24, 0x03, 0x02, 0x01,
|
|
0x05, 0x00, 0x04, 0x14
|
|
};
|
|
|
|
static const u8 RSA_digest_info_SHA224[] = {
|
|
0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
|
|
0x05, 0x00, 0x04, 0x1C
|
|
};
|
|
|
|
static const u8 RSA_digest_info_SHA256[] = {
|
|
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
|
|
0x05, 0x00, 0x04, 0x20
|
|
};
|
|
|
|
static const u8 RSA_digest_info_SHA384[] = {
|
|
0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
|
|
0x05, 0x00, 0x04, 0x30
|
|
};
|
|
|
|
static const u8 RSA_digest_info_SHA512[] = {
|
|
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
|
|
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
|
0x05, 0x00, 0x04, 0x40
|
|
};
|
|
|
|
static const struct {
|
|
const u8 *data;
|
|
size_t size;
|
|
} RSA_ASN1_templates[PKEY_HASH__LAST] = {
|
|
#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
|
|
[HASH_ALGO_MD5] = _(MD5),
|
|
[HASH_ALGO_SHA1] = _(SHA1),
|
|
[HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160),
|
|
[HASH_ALGO_SHA256] = _(SHA256),
|
|
[HASH_ALGO_SHA384] = _(SHA384),
|
|
[HASH_ALGO_SHA512] = _(SHA512),
|
|
[HASH_ALGO_SHA224] = _(SHA224),
|
|
#undef _
|
|
};
|
|
|
|
/*
|
|
* RSAVP1() function [RFC3447 sec 5.2.2]
|
|
*/
|
|
static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
|
|
{
|
|
MPI m;
|
|
int ret;
|
|
|
|
/* (1) Validate 0 <= s < n */
|
|
if (mpi_cmp_ui(s, 0) < 0) {
|
|
kleave(" = -EBADMSG [s < 0]");
|
|
return -EBADMSG;
|
|
}
|
|
if (mpi_cmp(s, key->rsa.n) >= 0) {
|
|
kleave(" = -EBADMSG [s >= n]");
|
|
return -EBADMSG;
|
|
}
|
|
|
|
m = mpi_alloc(0);
|
|
if (!m)
|
|
return -ENOMEM;
|
|
|
|
/* (2) m = s^e mod n */
|
|
ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
|
|
if (ret < 0) {
|
|
mpi_free(m);
|
|
return ret;
|
|
}
|
|
|
|
*_m = m;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Integer to Octet String conversion [RFC3447 sec 4.1]
|
|
*/
|
|
static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
|
|
{
|
|
unsigned X_size, x_size;
|
|
int X_sign;
|
|
u8 *X;
|
|
|
|
/* Make sure the string is the right length. The number should begin
|
|
* with { 0x00, 0x01, ... } so we have to account for 15 leading zero
|
|
* bits not being reported by MPI.
|
|
*/
|
|
x_size = mpi_get_nbits(x);
|
|
pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
|
|
if (x_size != xLen * 8 - 15)
|
|
return -ERANGE;
|
|
|
|
X = mpi_get_buffer(x, &X_size, &X_sign);
|
|
if (!X)
|
|
return -ENOMEM;
|
|
if (X_sign < 0) {
|
|
kfree(X);
|
|
return -EBADMSG;
|
|
}
|
|
if (X_size != xLen - 1) {
|
|
kfree(X);
|
|
return -EBADMSG;
|
|
}
|
|
|
|
*_X = X;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Perform the RSA signature verification.
|
|
* @H: Value of hash of data and metadata
|
|
* @EM: The computed signature value
|
|
* @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
|
|
* @hash_size: The size of H
|
|
* @asn1_template: The DigestInfo ASN.1 template
|
|
* @asn1_size: Size of asm1_template[]
|
|
*/
|
|
static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
|
|
const u8 *asn1_template, size_t asn1_size)
|
|
{
|
|
unsigned PS_end, T_offset, i;
|
|
|
|
kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
|
|
|
|
if (k < 2 + 1 + asn1_size + hash_size)
|
|
return -EBADMSG;
|
|
|
|
/* Decode the EMSA-PKCS1-v1_5 */
|
|
if (EM[1] != 0x01) {
|
|
kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
|
|
return -EBADMSG;
|
|
}
|
|
|
|
T_offset = k - (asn1_size + hash_size);
|
|
PS_end = T_offset - 1;
|
|
if (EM[PS_end] != 0x00) {
|
|
kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
|
|
return -EBADMSG;
|
|
}
|
|
|
|
for (i = 2; i < PS_end; i++) {
|
|
if (EM[i] != 0xff) {
|
|
kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
|
|
return -EBADMSG;
|
|
}
|
|
}
|
|
|
|
if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
|
|
kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
|
|
return -EBADMSG;
|
|
}
|
|
|
|
if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
|
|
kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
|
|
return -EKEYREJECTED;
|
|
}
|
|
|
|
kleave(" = 0");
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Perform the verification step [RFC3447 sec 8.2.2].
|
|
*/
|
|
static int RSA_verify_signature(const struct public_key *key,
|
|
const struct public_key_signature *sig)
|
|
{
|
|
size_t tsize;
|
|
int ret;
|
|
|
|
/* Variables as per RFC3447 sec 8.2.2 */
|
|
const u8 *H = sig->digest;
|
|
u8 *EM = NULL;
|
|
MPI m = NULL;
|
|
size_t k;
|
|
|
|
kenter("");
|
|
|
|
if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
|
|
return -ENOTSUPP;
|
|
|
|
/* (1) Check the signature size against the public key modulus size */
|
|
k = mpi_get_nbits(key->rsa.n);
|
|
tsize = mpi_get_nbits(sig->rsa.s);
|
|
|
|
/* According to RFC 4880 sec 3.2, length of MPI is computed starting
|
|
* from most significant bit. So the RFC 3447 sec 8.2.2 size check
|
|
* must be relaxed to conform with shorter signatures - so we fail here
|
|
* only if signature length is longer than modulus size.
|
|
*/
|
|
pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
|
|
if (k < tsize) {
|
|
ret = -EBADMSG;
|
|
goto error;
|
|
}
|
|
|
|
/* Round up and convert to octets */
|
|
k = (k + 7) / 8;
|
|
|
|
/* (2b) Apply the RSAVP1 verification primitive to the public key */
|
|
ret = RSAVP1(key, sig->rsa.s, &m);
|
|
if (ret < 0)
|
|
goto error;
|
|
|
|
/* (2c) Convert the message representative (m) to an encoded message
|
|
* (EM) of length k octets.
|
|
*
|
|
* NOTE! The leading zero byte is suppressed by MPI, so we pass a
|
|
* pointer to the _preceding_ byte to RSA_verify()!
|
|
*/
|
|
ret = RSA_I2OSP(m, k, &EM);
|
|
if (ret < 0)
|
|
goto error;
|
|
|
|
ret = RSA_verify(H, EM - 1, k, sig->digest_size,
|
|
RSA_ASN1_templates[sig->pkey_hash_algo].data,
|
|
RSA_ASN1_templates[sig->pkey_hash_algo].size);
|
|
|
|
error:
|
|
kfree(EM);
|
|
mpi_free(m);
|
|
kleave(" = %d", ret);
|
|
return ret;
|
|
}
|
|
|
|
const struct public_key_algorithm RSA_public_key_algorithm = {
|
|
.name = "RSA",
|
|
.n_pub_mpi = 2,
|
|
.n_sec_mpi = 3,
|
|
.n_sig_mpi = 1,
|
|
.verify_signature = RSA_verify_signature,
|
|
};
|
|
EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);
|