Blame - crypto/asymmetric_keys/rsa.c - kernel/msm-4.9

blob: 508b57b77474c4ef9da5481584fdecf3b9ff235d [file] [log] [blame]

David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	1	/* RSA asymmetric public-key algorithm [RFC3447]
				2	*
				3	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
				4	* Written by David Howells (dhowells@redhat.com)
				5	*
				6	* This program is free software; you can redistribute it and/or
				7	* modify it under the terms of the GNU General Public Licence
				8	* as published by the Free Software Foundation; either version
				9	* 2 of the Licence, or (at your option) any later version.
				10	*/
				11
				12	#define pr_fmt(fmt) "RSA: "fmt
				13	#include <linux/module.h>
				14	#include <linux/kernel.h>
				15	#include <linux/slab.h>
James Yonan	6bf37e5	2013-09-26 02:20:39 -0600	[diff] [blame]	16	#include <crypto/algapi.h>
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	17	#include "public_key.h"
				18
				19	MODULE_LICENSE("GPL");
				20	MODULE_DESCRIPTION("RSA Public Key Algorithm");
				21
				22	#define kenter(FMT, ...) \
				23	pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
				24	#define kleave(FMT, ...) \
				25	pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
				26
				27	/*
				28	* Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
				29	*/
				30	static const u8 RSA_digest_info_MD5[] = {
				31	0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
				32	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
				33	0x05, 0x00, 0x04, 0x10
				34	};
				35
				36	static const u8 RSA_digest_info_SHA1[] = {
				37	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
				38	0x2B, 0x0E, 0x03, 0x02, 0x1A,
				39	0x05, 0x00, 0x04, 0x14
				40	};
				41
				42	static const u8 RSA_digest_info_RIPE_MD_160[] = {
				43	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
				44	0x2B, 0x24, 0x03, 0x02, 0x01,
				45	0x05, 0x00, 0x04, 0x14
				46	};
				47
				48	static const u8 RSA_digest_info_SHA224[] = {
				49	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
				50	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
				51	0x05, 0x00, 0x04, 0x1C
				52	};
				53
				54	static const u8 RSA_digest_info_SHA256[] = {
				55	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
				56	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
				57	0x05, 0x00, 0x04, 0x20
				58	};
				59
				60	static const u8 RSA_digest_info_SHA384[] = {
				61	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
				62	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
				63	0x05, 0x00, 0x04, 0x30
				64	};
				65
				66	static const u8 RSA_digest_info_SHA512[] = {
				67	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
				68	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
				69	0x05, 0x00, 0x04, 0x40
				70	};
				71
				72	static const struct {
				73	const u8 *data;
				74	size_t size;
				75	} RSA_ASN1_templates[PKEY_HASH__LAST] = {
				76	#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
Dmitry Kasatkin	3fe78ca	2013-05-06 15:58:15 +0300	[diff] [blame]	77	[HASH_ALGO_MD5] = _(MD5),
				78	[HASH_ALGO_SHA1] = _(SHA1),
				79	[HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160),
				80	[HASH_ALGO_SHA256] = _(SHA256),
				81	[HASH_ALGO_SHA384] = _(SHA384),
				82	[HASH_ALGO_SHA512] = _(SHA512),
				83	[HASH_ALGO_SHA224] = _(SHA224),
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	84	#undef _
				85	};
				86
				87	/*
				88	* RSAVP1() function [RFC3447 sec 5.2.2]
				89	*/
				90	static int RSAVP1(const struct public_key key, MPI s, MPI _m)
				91	{
				92	MPI m;
				93	int ret;
				94
				95	/* (1) Validate 0 <= s < n */
				96	if (mpi_cmp_ui(s, 0) < 0) {
				97	kleave(" = -EBADMSG [s < 0]");
				98	return -EBADMSG;
				99	}
				100	if (mpi_cmp(s, key->rsa.n) >= 0) {
				101	kleave(" = -EBADMSG [s >= n]");
				102	return -EBADMSG;
				103	}
				104
				105	m = mpi_alloc(0);
				106	if (!m)
				107	return -ENOMEM;
				108
				109	/* (2) m = s^e mod n */
				110	ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
				111	if (ret < 0) {
				112	mpi_free(m);
				113	return ret;
				114	}
				115
				116	*_m = m;
				117	return 0;
				118	}
				119
				120	/*
				121	* Integer to Octet String conversion [RFC3447 sec 4.1]
				122	*/
Guenter Roeck	2cdcc35	2015-06-24 15:27:01 -0700	[diff] [blame]	123	static int RSA_I2OSP(MPI x, size_t xLen, u8 **pX)
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	124	{
				125	unsigned X_size, x_size;
				126	int X_sign;
				127	u8 *X;
				128
				129	/* Make sure the string is the right length. The number should begin
				130	* with { 0x00, 0x01, ... } so we have to account for 15 leading zero
				131	* bits not being reported by MPI.
				132	*/
				133	x_size = mpi_get_nbits(x);
				134	pr_devel("size(x)=%u xLen8=%zu\n", x_size, xLen 8);
				135	if (x_size != xLen * 8 - 15)
				136	return -ERANGE;
				137
				138	X = mpi_get_buffer(x, &X_size, &X_sign);
				139	if (!X)
				140	return -ENOMEM;
				141	if (X_sign < 0) {
				142	kfree(X);
				143	return -EBADMSG;
				144	}
				145	if (X_size != xLen - 1) {
				146	kfree(X);
				147	return -EBADMSG;
				148	}
				149
Guenter Roeck	2cdcc35	2015-06-24 15:27:01 -0700	[diff] [blame]	150	*pX = X;
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	151	return 0;
				152	}
				153
				154	/*
				155	* Perform the RSA signature verification.
				156	* @H: Value of hash of data and metadata
				157	* @EM: The computed signature value
				158	* @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
				159	* @hash_size: The size of H
				160	* @asn1_template: The DigestInfo ASN.1 template
				161	* @asn1_size: Size of asm1_template[]
				162	*/
				163	static int RSA_verify(const u8 H, const u8 EM, size_t k, size_t hash_size,
				164	const u8 *asn1_template, size_t asn1_size)
				165	{
				166	unsigned PS_end, T_offset, i;
				167
				168	kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
				169
				170	if (k < 2 + 1 + asn1_size + hash_size)
				171	return -EBADMSG;
				172
				173	/* Decode the EMSA-PKCS1-v1_5 */
				174	if (EM[1] != 0x01) {
				175	kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
				176	return -EBADMSG;
				177	}
				178
				179	T_offset = k - (asn1_size + hash_size);
				180	PS_end = T_offset - 1;
				181	if (EM[PS_end] != 0x00) {
				182	kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
				183	return -EBADMSG;
				184	}
				185
				186	for (i = 2; i < PS_end; i++) {
				187	if (EM[i] != 0xff) {
				188	kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
				189	return -EBADMSG;
				190	}
				191	}
				192
James Yonan	6bf37e5	2013-09-26 02:20:39 -0600	[diff] [blame]	193	if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	194	kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
				195	return -EBADMSG;
				196	}
				197
James Yonan	6bf37e5	2013-09-26 02:20:39 -0600	[diff] [blame]	198	if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	199	kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
				200	return -EKEYREJECTED;
				201	}
				202
				203	kleave(" = 0");
				204	return 0;
				205	}
				206
				207	/*
				208	* Perform the verification step [RFC3447 sec 8.2.2].
				209	*/
				210	static int RSA_verify_signature(const struct public_key *key,
				211	const struct public_key_signature *sig)
				212	{
				213	size_t tsize;
				214	int ret;
				215
				216	/* Variables as per RFC3447 sec 8.2.2 */
				217	const u8 *H = sig->digest;
				218	u8 *EM = NULL;
				219	MPI m = NULL;
				220	size_t k;
				221
				222	kenter("");
				223
				224	if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
				225	return -ENOTSUPP;
				226
				227	/* (1) Check the signature size against the public key modulus size */
David Howells	0b1568a	2012-09-21 23:28:05 +0100	[diff] [blame]	228	k = mpi_get_nbits(key->rsa.n);
				229	tsize = mpi_get_nbits(sig->rsa.s);
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	230
David Howells	0b1568a	2012-09-21 23:28:05 +0100	[diff] [blame]	231	/* According to RFC 4880 sec 3.2, length of MPI is computed starting
				232	* from most significant bit. So the RFC 3447 sec 8.2.2 size check
				233	* must be relaxed to conform with shorter signatures - so we fail here
				234	* only if signature length is longer than modulus size.
				235	*/
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	236	pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
David Howells	0b1568a	2012-09-21 23:28:05 +0100	[diff] [blame]	237	if (k < tsize) {
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	238	ret = -EBADMSG;
				239	goto error;
				240	}
				241
David Howells	0b1568a	2012-09-21 23:28:05 +0100	[diff] [blame]	242	/* Round up and convert to octets */
				243	k = (k + 7) / 8;
				244
David Howells	612e0fe	2012-09-21 23:25:40 +0100	[diff] [blame]	245	/* (2b) Apply the RSAVP1 verification primitive to the public key */
				246	ret = RSAVP1(key, sig->rsa.s, &m);
				247	if (ret < 0)
				248	goto error;
				249
				250	/* (2c) Convert the message representative (m) to an encoded message
				251	* (EM) of length k octets.
				252	*
				253	* NOTE! The leading zero byte is suppressed by MPI, so we pass a
				254	* pointer to the _preceding_ byte to RSA_verify()!
				255	*/
				256	ret = RSA_I2OSP(m, k, &EM);
				257	if (ret < 0)
				258	goto error;
				259
				260	ret = RSA_verify(H, EM - 1, k, sig->digest_size,
				261	RSA_ASN1_templates[sig->pkey_hash_algo].data,
				262	RSA_ASN1_templates[sig->pkey_hash_algo].size);
				263
				264	error:
				265	kfree(EM);
				266	mpi_free(m);
				267	kleave(" = %d", ret);
				268	return ret;
				269	}
				270
				271	const struct public_key_algorithm RSA_public_key_algorithm = {
				272	.name = "RSA",
				273	.n_pub_mpi = 2,
				274	.n_sec_mpi = 3,
				275	.n_sig_mpi = 1,
				276	.verify_signature = RSA_verify_signature,
				277	};
				278	EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);