Commit | Line | Data |
---|---|---|
612e0fe9 DH |
1 | /* RSA asymmetric public-key algorithm [RFC3447] |
2 | * | |
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | |
4 | * Written by David Howells (dhowells@redhat.com) | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public Licence | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the Licence, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #define pr_fmt(fmt) "RSA: "fmt | |
13 | #include <linux/module.h> | |
14 | #include <linux/kernel.h> | |
15 | #include <linux/slab.h> | |
16 | #include "public_key.h" | |
17 | ||
18 | MODULE_LICENSE("GPL"); | |
19 | MODULE_DESCRIPTION("RSA Public Key Algorithm"); | |
20 | ||
21 | #define kenter(FMT, ...) \ | |
22 | pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) | |
23 | #define kleave(FMT, ...) \ | |
24 | pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) | |
25 | ||
26 | /* | |
27 | * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. | |
28 | */ | |
29 | static const u8 RSA_digest_info_MD5[] = { | |
30 | 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, | |
31 | 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */ | |
32 | 0x05, 0x00, 0x04, 0x10 | |
33 | }; | |
34 | ||
35 | static const u8 RSA_digest_info_SHA1[] = { | |
36 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | |
37 | 0x2B, 0x0E, 0x03, 0x02, 0x1A, | |
38 | 0x05, 0x00, 0x04, 0x14 | |
39 | }; | |
40 | ||
41 | static const u8 RSA_digest_info_RIPE_MD_160[] = { | |
42 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, | |
43 | 0x2B, 0x24, 0x03, 0x02, 0x01, | |
44 | 0x05, 0x00, 0x04, 0x14 | |
45 | }; | |
46 | ||
47 | static const u8 RSA_digest_info_SHA224[] = { | |
48 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, | |
49 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, | |
50 | 0x05, 0x00, 0x04, 0x1C | |
51 | }; | |
52 | ||
53 | static const u8 RSA_digest_info_SHA256[] = { | |
54 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, | |
55 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | |
56 | 0x05, 0x00, 0x04, 0x20 | |
57 | }; | |
58 | ||
59 | static const u8 RSA_digest_info_SHA384[] = { | |
60 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, | |
61 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, | |
62 | 0x05, 0x00, 0x04, 0x30 | |
63 | }; | |
64 | ||
65 | static const u8 RSA_digest_info_SHA512[] = { | |
66 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, | |
67 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, | |
68 | 0x05, 0x00, 0x04, 0x40 | |
69 | }; | |
70 | ||
71 | static const struct { | |
72 | const u8 *data; | |
73 | size_t size; | |
74 | } RSA_ASN1_templates[PKEY_HASH__LAST] = { | |
75 | #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) } | |
3fe78ca2 DK |
76 | [HASH_ALGO_MD5] = _(MD5), |
77 | [HASH_ALGO_SHA1] = _(SHA1), | |
78 | [HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160), | |
79 | [HASH_ALGO_SHA256] = _(SHA256), | |
80 | [HASH_ALGO_SHA384] = _(SHA384), | |
81 | [HASH_ALGO_SHA512] = _(SHA512), | |
82 | [HASH_ALGO_SHA224] = _(SHA224), | |
612e0fe9 DH |
83 | #undef _ |
84 | }; | |
85 | ||
86 | /* | |
87 | * RSAVP1() function [RFC3447 sec 5.2.2] | |
88 | */ | |
89 | static int RSAVP1(const struct public_key *key, MPI s, MPI *_m) | |
90 | { | |
91 | MPI m; | |
92 | int ret; | |
93 | ||
94 | /* (1) Validate 0 <= s < n */ | |
95 | if (mpi_cmp_ui(s, 0) < 0) { | |
96 | kleave(" = -EBADMSG [s < 0]"); | |
97 | return -EBADMSG; | |
98 | } | |
99 | if (mpi_cmp(s, key->rsa.n) >= 0) { | |
100 | kleave(" = -EBADMSG [s >= n]"); | |
101 | return -EBADMSG; | |
102 | } | |
103 | ||
104 | m = mpi_alloc(0); | |
105 | if (!m) | |
106 | return -ENOMEM; | |
107 | ||
108 | /* (2) m = s^e mod n */ | |
109 | ret = mpi_powm(m, s, key->rsa.e, key->rsa.n); | |
110 | if (ret < 0) { | |
111 | mpi_free(m); | |
112 | return ret; | |
113 | } | |
114 | ||
115 | *_m = m; | |
116 | return 0; | |
117 | } | |
118 | ||
119 | /* | |
120 | * Integer to Octet String conversion [RFC3447 sec 4.1] | |
121 | */ | |
122 | static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) | |
123 | { | |
124 | unsigned X_size, x_size; | |
125 | int X_sign; | |
126 | u8 *X; | |
127 | ||
128 | /* Make sure the string is the right length. The number should begin | |
129 | * with { 0x00, 0x01, ... } so we have to account for 15 leading zero | |
130 | * bits not being reported by MPI. | |
131 | */ | |
132 | x_size = mpi_get_nbits(x); | |
133 | pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8); | |
134 | if (x_size != xLen * 8 - 15) | |
135 | return -ERANGE; | |
136 | ||
137 | X = mpi_get_buffer(x, &X_size, &X_sign); | |
138 | if (!X) | |
139 | return -ENOMEM; | |
140 | if (X_sign < 0) { | |
141 | kfree(X); | |
142 | return -EBADMSG; | |
143 | } | |
144 | if (X_size != xLen - 1) { | |
145 | kfree(X); | |
146 | return -EBADMSG; | |
147 | } | |
148 | ||
149 | *_X = X; | |
150 | return 0; | |
151 | } | |
152 | ||
153 | /* | |
154 | * Perform the RSA signature verification. | |
155 | * @H: Value of hash of data and metadata | |
156 | * @EM: The computed signature value | |
157 | * @k: The size of EM (EM[0] is an invalid location but should hold 0x00) | |
158 | * @hash_size: The size of H | |
159 | * @asn1_template: The DigestInfo ASN.1 template | |
160 | * @asn1_size: Size of asm1_template[] | |
161 | */ | |
162 | static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size, | |
163 | const u8 *asn1_template, size_t asn1_size) | |
164 | { | |
165 | unsigned PS_end, T_offset, i; | |
166 | ||
167 | kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size); | |
168 | ||
169 | if (k < 2 + 1 + asn1_size + hash_size) | |
170 | return -EBADMSG; | |
171 | ||
172 | /* Decode the EMSA-PKCS1-v1_5 */ | |
173 | if (EM[1] != 0x01) { | |
174 | kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]); | |
175 | return -EBADMSG; | |
176 | } | |
177 | ||
178 | T_offset = k - (asn1_size + hash_size); | |
179 | PS_end = T_offset - 1; | |
180 | if (EM[PS_end] != 0x00) { | |
181 | kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]); | |
182 | return -EBADMSG; | |
183 | } | |
184 | ||
185 | for (i = 2; i < PS_end; i++) { | |
186 | if (EM[i] != 0xff) { | |
187 | kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]); | |
188 | return -EBADMSG; | |
189 | } | |
190 | } | |
191 | ||
192 | if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) { | |
193 | kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]"); | |
194 | return -EBADMSG; | |
195 | } | |
196 | ||
197 | if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) { | |
198 | kleave(" = -EKEYREJECTED [EM[T] hash mismatch]"); | |
199 | return -EKEYREJECTED; | |
200 | } | |
201 | ||
202 | kleave(" = 0"); | |
203 | return 0; | |
204 | } | |
205 | ||
206 | /* | |
207 | * Perform the verification step [RFC3447 sec 8.2.2]. | |
208 | */ | |
209 | static int RSA_verify_signature(const struct public_key *key, | |
210 | const struct public_key_signature *sig) | |
211 | { | |
212 | size_t tsize; | |
213 | int ret; | |
214 | ||
215 | /* Variables as per RFC3447 sec 8.2.2 */ | |
216 | const u8 *H = sig->digest; | |
217 | u8 *EM = NULL; | |
218 | MPI m = NULL; | |
219 | size_t k; | |
220 | ||
221 | kenter(""); | |
222 | ||
223 | if (!RSA_ASN1_templates[sig->pkey_hash_algo].data) | |
224 | return -ENOTSUPP; | |
225 | ||
226 | /* (1) Check the signature size against the public key modulus size */ | |
0b1568a4 DH |
227 | k = mpi_get_nbits(key->rsa.n); |
228 | tsize = mpi_get_nbits(sig->rsa.s); | |
612e0fe9 | 229 | |
0b1568a4 DH |
230 | /* According to RFC 4880 sec 3.2, length of MPI is computed starting |
231 | * from most significant bit. So the RFC 3447 sec 8.2.2 size check | |
232 | * must be relaxed to conform with shorter signatures - so we fail here | |
233 | * only if signature length is longer than modulus size. | |
234 | */ | |
612e0fe9 | 235 | pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize); |
0b1568a4 | 236 | if (k < tsize) { |
612e0fe9 DH |
237 | ret = -EBADMSG; |
238 | goto error; | |
239 | } | |
240 | ||
0b1568a4 DH |
241 | /* Round up and convert to octets */ |
242 | k = (k + 7) / 8; | |
243 | ||
612e0fe9 DH |
244 | /* (2b) Apply the RSAVP1 verification primitive to the public key */ |
245 | ret = RSAVP1(key, sig->rsa.s, &m); | |
246 | if (ret < 0) | |
247 | goto error; | |
248 | ||
249 | /* (2c) Convert the message representative (m) to an encoded message | |
250 | * (EM) of length k octets. | |
251 | * | |
252 | * NOTE! The leading zero byte is suppressed by MPI, so we pass a | |
253 | * pointer to the _preceding_ byte to RSA_verify()! | |
254 | */ | |
255 | ret = RSA_I2OSP(m, k, &EM); | |
256 | if (ret < 0) | |
257 | goto error; | |
258 | ||
259 | ret = RSA_verify(H, EM - 1, k, sig->digest_size, | |
260 | RSA_ASN1_templates[sig->pkey_hash_algo].data, | |
261 | RSA_ASN1_templates[sig->pkey_hash_algo].size); | |
262 | ||
263 | error: | |
264 | kfree(EM); | |
265 | mpi_free(m); | |
266 | kleave(" = %d", ret); | |
267 | return ret; | |
268 | } | |
269 | ||
270 | const struct public_key_algorithm RSA_public_key_algorithm = { | |
271 | .name = "RSA", | |
272 | .n_pub_mpi = 2, | |
273 | .n_sec_mpi = 3, | |
274 | .n_sig_mpi = 1, | |
275 | .verify_signature = RSA_verify_signature, | |
276 | }; | |
277 | EXPORT_SYMBOL_GPL(RSA_public_key_algorithm); |