Root/
1 | /* RSA asymmetric public-key algorithm [RFC3447] |
2 | * |
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
4 | * Written by David Howells (dhowells@redhat.com) |
5 | * |
6 | * This program is free software; you can redistribute it and/or |
7 | * modify it under the terms of the GNU General Public Licence |
8 | * as published by the Free Software Foundation; either version |
9 | * 2 of the Licence, or (at your option) any later version. |
10 | */ |
11 | |
12 | #define pr_fmt(fmt) "RSA: "fmt |
13 | #include <linux/module.h> |
14 | #include <linux/kernel.h> |
15 | #include <linux/slab.h> |
16 | #include <crypto/algapi.h> |
17 | #include "public_key.h" |
18 | |
19 | MODULE_LICENSE("GPL"); |
20 | MODULE_DESCRIPTION("RSA Public Key Algorithm"); |
21 | |
22 | #define kenter(FMT, ...) \ |
23 | pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) |
24 | #define kleave(FMT, ...) \ |
25 | pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) |
26 | |
27 | /* |
28 | * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. |
29 | */ |
30 | static const u8 RSA_digest_info_MD5[] = { |
31 | 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, |
32 | 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */ |
33 | 0x05, 0x00, 0x04, 0x10 |
34 | }; |
35 | |
36 | static const u8 RSA_digest_info_SHA1[] = { |
37 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
38 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, |
39 | 0x05, 0x00, 0x04, 0x14 |
40 | }; |
41 | |
42 | static const u8 RSA_digest_info_RIPE_MD_160[] = { |
43 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
44 | 0x2B, 0x24, 0x03, 0x02, 0x01, |
45 | 0x05, 0x00, 0x04, 0x14 |
46 | }; |
47 | |
48 | static const u8 RSA_digest_info_SHA224[] = { |
49 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, |
50 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, |
51 | 0x05, 0x00, 0x04, 0x1C |
52 | }; |
53 | |
54 | static const u8 RSA_digest_info_SHA256[] = { |
55 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
56 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, |
57 | 0x05, 0x00, 0x04, 0x20 |
58 | }; |
59 | |
60 | static const u8 RSA_digest_info_SHA384[] = { |
61 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
62 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, |
63 | 0x05, 0x00, 0x04, 0x30 |
64 | }; |
65 | |
66 | static const u8 RSA_digest_info_SHA512[] = { |
67 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
68 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, |
69 | 0x05, 0x00, 0x04, 0x40 |
70 | }; |
71 | |
72 | static const struct { |
73 | const u8 *data; |
74 | size_t size; |
75 | } RSA_ASN1_templates[PKEY_HASH__LAST] = { |
76 | #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) } |
77 | [HASH_ALGO_MD5] = _(MD5), |
78 | [HASH_ALGO_SHA1] = _(SHA1), |
79 | [HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160), |
80 | [HASH_ALGO_SHA256] = _(SHA256), |
81 | [HASH_ALGO_SHA384] = _(SHA384), |
82 | [HASH_ALGO_SHA512] = _(SHA512), |
83 | [HASH_ALGO_SHA224] = _(SHA224), |
84 | #undef _ |
85 | }; |
86 | |
87 | /* |
88 | * RSAVP1() function [RFC3447 sec 5.2.2] |
89 | */ |
90 | static int RSAVP1(const struct public_key *key, MPI s, MPI *_m) |
91 | { |
92 | MPI m; |
93 | int ret; |
94 | |
95 | /* (1) Validate 0 <= s < n */ |
96 | if (mpi_cmp_ui(s, 0) < 0) { |
97 | kleave(" = -EBADMSG [s < 0]"); |
98 | return -EBADMSG; |
99 | } |
100 | if (mpi_cmp(s, key->rsa.n) >= 0) { |
101 | kleave(" = -EBADMSG [s >= n]"); |
102 | return -EBADMSG; |
103 | } |
104 | |
105 | m = mpi_alloc(0); |
106 | if (!m) |
107 | return -ENOMEM; |
108 | |
109 | /* (2) m = s^e mod n */ |
110 | ret = mpi_powm(m, s, key->rsa.e, key->rsa.n); |
111 | if (ret < 0) { |
112 | mpi_free(m); |
113 | return ret; |
114 | } |
115 | |
116 | *_m = m; |
117 | return 0; |
118 | } |
119 | |
120 | /* |
121 | * Integer to Octet String conversion [RFC3447 sec 4.1] |
122 | */ |
123 | static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) |
124 | { |
125 | unsigned X_size, x_size; |
126 | int X_sign; |
127 | u8 *X; |
128 | |
129 | /* Make sure the string is the right length. The number should begin |
130 | * with { 0x00, 0x01, ... } so we have to account for 15 leading zero |
131 | * bits not being reported by MPI. |
132 | */ |
133 | x_size = mpi_get_nbits(x); |
134 | pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8); |
135 | if (x_size != xLen * 8 - 15) |
136 | return -ERANGE; |
137 | |
138 | X = mpi_get_buffer(x, &X_size, &X_sign); |
139 | if (!X) |
140 | return -ENOMEM; |
141 | if (X_sign < 0) { |
142 | kfree(X); |
143 | return -EBADMSG; |
144 | } |
145 | if (X_size != xLen - 1) { |
146 | kfree(X); |
147 | return -EBADMSG; |
148 | } |
149 | |
150 | *_X = X; |
151 | return 0; |
152 | } |
153 | |
154 | /* |
155 | * Perform the RSA signature verification. |
156 | * @H: Value of hash of data and metadata |
157 | * @EM: The computed signature value |
158 | * @k: The size of EM (EM[0] is an invalid location but should hold 0x00) |
159 | * @hash_size: The size of H |
160 | * @asn1_template: The DigestInfo ASN.1 template |
161 | * @asn1_size: Size of asm1_template[] |
162 | */ |
163 | static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size, |
164 | const u8 *asn1_template, size_t asn1_size) |
165 | { |
166 | unsigned PS_end, T_offset, i; |
167 | |
168 | kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size); |
169 | |
170 | if (k < 2 + 1 + asn1_size + hash_size) |
171 | return -EBADMSG; |
172 | |
173 | /* Decode the EMSA-PKCS1-v1_5 */ |
174 | if (EM[1] != 0x01) { |
175 | kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]); |
176 | return -EBADMSG; |
177 | } |
178 | |
179 | T_offset = k - (asn1_size + hash_size); |
180 | PS_end = T_offset - 1; |
181 | if (EM[PS_end] != 0x00) { |
182 | kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]); |
183 | return -EBADMSG; |
184 | } |
185 | |
186 | for (i = 2; i < PS_end; i++) { |
187 | if (EM[i] != 0xff) { |
188 | kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]); |
189 | return -EBADMSG; |
190 | } |
191 | } |
192 | |
193 | if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) { |
194 | kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]"); |
195 | return -EBADMSG; |
196 | } |
197 | |
198 | if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) { |
199 | kleave(" = -EKEYREJECTED [EM[T] hash mismatch]"); |
200 | return -EKEYREJECTED; |
201 | } |
202 | |
203 | kleave(" = 0"); |
204 | return 0; |
205 | } |
206 | |
207 | /* |
208 | * Perform the verification step [RFC3447 sec 8.2.2]. |
209 | */ |
210 | static int RSA_verify_signature(const struct public_key *key, |
211 | const struct public_key_signature *sig) |
212 | { |
213 | size_t tsize; |
214 | int ret; |
215 | |
216 | /* Variables as per RFC3447 sec 8.2.2 */ |
217 | const u8 *H = sig->digest; |
218 | u8 *EM = NULL; |
219 | MPI m = NULL; |
220 | size_t k; |
221 | |
222 | kenter(""); |
223 | |
224 | if (!RSA_ASN1_templates[sig->pkey_hash_algo].data) |
225 | return -ENOTSUPP; |
226 | |
227 | /* (1) Check the signature size against the public key modulus size */ |
228 | k = mpi_get_nbits(key->rsa.n); |
229 | tsize = mpi_get_nbits(sig->rsa.s); |
230 | |
231 | /* According to RFC 4880 sec 3.2, length of MPI is computed starting |
232 | * from most significant bit. So the RFC 3447 sec 8.2.2 size check |
233 | * must be relaxed to conform with shorter signatures - so we fail here |
234 | * only if signature length is longer than modulus size. |
235 | */ |
236 | pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize); |
237 | if (k < tsize) { |
238 | ret = -EBADMSG; |
239 | goto error; |
240 | } |
241 | |
242 | /* Round up and convert to octets */ |
243 | k = (k + 7) / 8; |
244 | |
245 | /* (2b) Apply the RSAVP1 verification primitive to the public key */ |
246 | ret = RSAVP1(key, sig->rsa.s, &m); |
247 | if (ret < 0) |
248 | goto error; |
249 | |
250 | /* (2c) Convert the message representative (m) to an encoded message |
251 | * (EM) of length k octets. |
252 | * |
253 | * NOTE! The leading zero byte is suppressed by MPI, so we pass a |
254 | * pointer to the _preceding_ byte to RSA_verify()! |
255 | */ |
256 | ret = RSA_I2OSP(m, k, &EM); |
257 | if (ret < 0) |
258 | goto error; |
259 | |
260 | ret = RSA_verify(H, EM - 1, k, sig->digest_size, |
261 | RSA_ASN1_templates[sig->pkey_hash_algo].data, |
262 | RSA_ASN1_templates[sig->pkey_hash_algo].size); |
263 | |
264 | error: |
265 | kfree(EM); |
266 | mpi_free(m); |
267 | kleave(" = %d", ret); |
268 | return ret; |
269 | } |
270 | |
271 | const struct public_key_algorithm RSA_public_key_algorithm = { |
272 | .name = "RSA", |
273 | .n_pub_mpi = 2, |
274 | .n_sec_mpi = 3, |
275 | .n_sig_mpi = 1, |
276 | .verify_signature = RSA_verify_signature, |
277 | }; |
278 | EXPORT_SYMBOL_GPL(RSA_public_key_algorithm); |
279 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9