David Howells | 612e0fe | 2012-09-21 23:25:40 +0100 | [diff] [blame] | 1 | /* RSA asymmetric public-key algorithm [RFC3447] |
| 2 | * |
| 3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
| 4 | * Written by David Howells (dhowells@redhat.com) |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public Licence |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the Licence, or (at your option) any later version. |
| 10 | */ |
| 11 | |
| 12 | #define pr_fmt(fmt) "RSA: "fmt |
| 13 | #include <linux/module.h> |
| 14 | #include <linux/kernel.h> |
| 15 | #include <linux/slab.h> |
| 16 | #include "public_key.h" |
| 17 | |
| 18 | MODULE_LICENSE("GPL"); |
| 19 | MODULE_DESCRIPTION("RSA Public Key Algorithm"); |
| 20 | |
| 21 | #define kenter(FMT, ...) \ |
| 22 | pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) |
| 23 | #define kleave(FMT, ...) \ |
| 24 | pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) |
| 25 | |
| 26 | /* |
| 27 | * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. |
| 28 | */ |
| 29 | static const u8 RSA_digest_info_MD5[] = { |
| 30 | 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, |
| 31 | 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */ |
| 32 | 0x05, 0x00, 0x04, 0x10 |
| 33 | }; |
| 34 | |
| 35 | static const u8 RSA_digest_info_SHA1[] = { |
| 36 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
| 37 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, |
| 38 | 0x05, 0x00, 0x04, 0x14 |
| 39 | }; |
| 40 | |
| 41 | static const u8 RSA_digest_info_RIPE_MD_160[] = { |
| 42 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
| 43 | 0x2B, 0x24, 0x03, 0x02, 0x01, |
| 44 | 0x05, 0x00, 0x04, 0x14 |
| 45 | }; |
| 46 | |
| 47 | static const u8 RSA_digest_info_SHA224[] = { |
| 48 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, |
| 49 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, |
| 50 | 0x05, 0x00, 0x04, 0x1C |
| 51 | }; |
| 52 | |
| 53 | static const u8 RSA_digest_info_SHA256[] = { |
| 54 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
| 55 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, |
| 56 | 0x05, 0x00, 0x04, 0x20 |
| 57 | }; |
| 58 | |
| 59 | static const u8 RSA_digest_info_SHA384[] = { |
| 60 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
| 61 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, |
| 62 | 0x05, 0x00, 0x04, 0x30 |
| 63 | }; |
| 64 | |
| 65 | static const u8 RSA_digest_info_SHA512[] = { |
| 66 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
| 67 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, |
| 68 | 0x05, 0x00, 0x04, 0x40 |
| 69 | }; |
| 70 | |
| 71 | static const struct { |
| 72 | const u8 *data; |
| 73 | size_t size; |
| 74 | } RSA_ASN1_templates[PKEY_HASH__LAST] = { |
| 75 | #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) } |
| 76 | [PKEY_HASH_MD5] = _(MD5), |
| 77 | [PKEY_HASH_SHA1] = _(SHA1), |
| 78 | [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160), |
| 79 | [PKEY_HASH_SHA256] = _(SHA256), |
| 80 | [PKEY_HASH_SHA384] = _(SHA384), |
| 81 | [PKEY_HASH_SHA512] = _(SHA512), |
| 82 | [PKEY_HASH_SHA224] = _(SHA224), |
| 83 | #undef _ |
| 84 | }; |
| 85 | |
| 86 | /* |
| 87 | * RSAVP1() function [RFC3447 sec 5.2.2] |
| 88 | */ |
| 89 | static int RSAVP1(const struct public_key *key, MPI s, MPI *_m) |
| 90 | { |
| 91 | MPI m; |
| 92 | int ret; |
| 93 | |
| 94 | /* (1) Validate 0 <= s < n */ |
| 95 | if (mpi_cmp_ui(s, 0) < 0) { |
| 96 | kleave(" = -EBADMSG [s < 0]"); |
| 97 | return -EBADMSG; |
| 98 | } |
| 99 | if (mpi_cmp(s, key->rsa.n) >= 0) { |
| 100 | kleave(" = -EBADMSG [s >= n]"); |
| 101 | return -EBADMSG; |
| 102 | } |
| 103 | |
| 104 | m = mpi_alloc(0); |
| 105 | if (!m) |
| 106 | return -ENOMEM; |
| 107 | |
| 108 | /* (2) m = s^e mod n */ |
| 109 | ret = mpi_powm(m, s, key->rsa.e, key->rsa.n); |
| 110 | if (ret < 0) { |
| 111 | mpi_free(m); |
| 112 | return ret; |
| 113 | } |
| 114 | |
| 115 | *_m = m; |
| 116 | return 0; |
| 117 | } |
| 118 | |
| 119 | /* |
| 120 | * Integer to Octet String conversion [RFC3447 sec 4.1] |
| 121 | */ |
| 122 | static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) |
| 123 | { |
| 124 | unsigned X_size, x_size; |
| 125 | int X_sign; |
| 126 | u8 *X; |
| 127 | |
| 128 | /* Make sure the string is the right length. The number should begin |
| 129 | * with { 0x00, 0x01, ... } so we have to account for 15 leading zero |
| 130 | * bits not being reported by MPI. |
| 131 | */ |
| 132 | x_size = mpi_get_nbits(x); |
| 133 | pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8); |
| 134 | if (x_size != xLen * 8 - 15) |
| 135 | return -ERANGE; |
| 136 | |
| 137 | X = mpi_get_buffer(x, &X_size, &X_sign); |
| 138 | if (!X) |
| 139 | return -ENOMEM; |
| 140 | if (X_sign < 0) { |
| 141 | kfree(X); |
| 142 | return -EBADMSG; |
| 143 | } |
| 144 | if (X_size != xLen - 1) { |
| 145 | kfree(X); |
| 146 | return -EBADMSG; |
| 147 | } |
| 148 | |
| 149 | *_X = X; |
| 150 | return 0; |
| 151 | } |
| 152 | |
| 153 | /* |
| 154 | * Perform the RSA signature verification. |
| 155 | * @H: Value of hash of data and metadata |
| 156 | * @EM: The computed signature value |
| 157 | * @k: The size of EM (EM[0] is an invalid location but should hold 0x00) |
| 158 | * @hash_size: The size of H |
| 159 | * @asn1_template: The DigestInfo ASN.1 template |
| 160 | * @asn1_size: Size of asm1_template[] |
| 161 | */ |
| 162 | static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size, |
| 163 | const u8 *asn1_template, size_t asn1_size) |
| 164 | { |
| 165 | unsigned PS_end, T_offset, i; |
| 166 | |
| 167 | kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size); |
| 168 | |
| 169 | if (k < 2 + 1 + asn1_size + hash_size) |
| 170 | return -EBADMSG; |
| 171 | |
| 172 | /* Decode the EMSA-PKCS1-v1_5 */ |
| 173 | if (EM[1] != 0x01) { |
| 174 | kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]); |
| 175 | return -EBADMSG; |
| 176 | } |
| 177 | |
| 178 | T_offset = k - (asn1_size + hash_size); |
| 179 | PS_end = T_offset - 1; |
| 180 | if (EM[PS_end] != 0x00) { |
| 181 | kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]); |
| 182 | return -EBADMSG; |
| 183 | } |
| 184 | |
| 185 | for (i = 2; i < PS_end; i++) { |
| 186 | if (EM[i] != 0xff) { |
| 187 | kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]); |
| 188 | return -EBADMSG; |
| 189 | } |
| 190 | } |
| 191 | |
| 192 | if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) { |
| 193 | kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]"); |
| 194 | return -EBADMSG; |
| 195 | } |
| 196 | |
| 197 | if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) { |
| 198 | kleave(" = -EKEYREJECTED [EM[T] hash mismatch]"); |
| 199 | return -EKEYREJECTED; |
| 200 | } |
| 201 | |
| 202 | kleave(" = 0"); |
| 203 | return 0; |
| 204 | } |
| 205 | |
| 206 | /* |
| 207 | * Perform the verification step [RFC3447 sec 8.2.2]. |
| 208 | */ |
| 209 | static int RSA_verify_signature(const struct public_key *key, |
| 210 | const struct public_key_signature *sig) |
| 211 | { |
| 212 | size_t tsize; |
| 213 | int ret; |
| 214 | |
| 215 | /* Variables as per RFC3447 sec 8.2.2 */ |
| 216 | const u8 *H = sig->digest; |
| 217 | u8 *EM = NULL; |
| 218 | MPI m = NULL; |
| 219 | size_t k; |
| 220 | |
| 221 | kenter(""); |
| 222 | |
| 223 | if (!RSA_ASN1_templates[sig->pkey_hash_algo].data) |
| 224 | return -ENOTSUPP; |
| 225 | |
| 226 | /* (1) Check the signature size against the public key modulus size */ |
David Howells | 0b1568a | 2012-09-21 23:28:05 +0100 | [diff] [blame] | 227 | k = mpi_get_nbits(key->rsa.n); |
| 228 | tsize = mpi_get_nbits(sig->rsa.s); |
David Howells | 612e0fe | 2012-09-21 23:25:40 +0100 | [diff] [blame] | 229 | |
David Howells | 0b1568a | 2012-09-21 23:28:05 +0100 | [diff] [blame] | 230 | /* According to RFC 4880 sec 3.2, length of MPI is computed starting |
| 231 | * from most significant bit. So the RFC 3447 sec 8.2.2 size check |
| 232 | * must be relaxed to conform with shorter signatures - so we fail here |
| 233 | * only if signature length is longer than modulus size. |
| 234 | */ |
David Howells | 612e0fe | 2012-09-21 23:25:40 +0100 | [diff] [blame] | 235 | pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize); |
David Howells | 0b1568a | 2012-09-21 23:28:05 +0100 | [diff] [blame] | 236 | if (k < tsize) { |
David Howells | 612e0fe | 2012-09-21 23:25:40 +0100 | [diff] [blame] | 237 | ret = -EBADMSG; |
| 238 | goto error; |
| 239 | } |
| 240 | |
David Howells | 0b1568a | 2012-09-21 23:28:05 +0100 | [diff] [blame] | 241 | /* Round up and convert to octets */ |
| 242 | k = (k + 7) / 8; |
| 243 | |
David Howells | 612e0fe | 2012-09-21 23:25:40 +0100 | [diff] [blame] | 244 | /* (2b) Apply the RSAVP1 verification primitive to the public key */ |
| 245 | ret = RSAVP1(key, sig->rsa.s, &m); |
| 246 | if (ret < 0) |
| 247 | goto error; |
| 248 | |
| 249 | /* (2c) Convert the message representative (m) to an encoded message |
| 250 | * (EM) of length k octets. |
| 251 | * |
| 252 | * NOTE! The leading zero byte is suppressed by MPI, so we pass a |
| 253 | * pointer to the _preceding_ byte to RSA_verify()! |
| 254 | */ |
| 255 | ret = RSA_I2OSP(m, k, &EM); |
| 256 | if (ret < 0) |
| 257 | goto error; |
| 258 | |
| 259 | ret = RSA_verify(H, EM - 1, k, sig->digest_size, |
| 260 | RSA_ASN1_templates[sig->pkey_hash_algo].data, |
| 261 | RSA_ASN1_templates[sig->pkey_hash_algo].size); |
| 262 | |
| 263 | error: |
| 264 | kfree(EM); |
| 265 | mpi_free(m); |
| 266 | kleave(" = %d", ret); |
| 267 | return ret; |
| 268 | } |
| 269 | |
| 270 | const struct public_key_algorithm RSA_public_key_algorithm = { |
| 271 | .name = "RSA", |
| 272 | .n_pub_mpi = 2, |
| 273 | .n_sec_mpi = 3, |
| 274 | .n_sig_mpi = 1, |
| 275 | .verify_signature = RSA_verify_signature, |
| 276 | }; |
| 277 | EXPORT_SYMBOL_GPL(RSA_public_key_algorithm); |