1 /* RSA asymmetric public-key algorithm [RFC3447]
2 *
3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12 #define pr_fmt(fmt) "RSA: "fmt
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/slab.h>
16 #include <crypto/algapi.h>
17 #include "public_key.h"
18
19 MODULE_LICENSE("GPL");
20 MODULE_DESCRIPTION("RSA Public Key Algorithm");
21
22 #define kenter(FMT, ...) \
23 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
24 #define kleave(FMT, ...) \
25 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
26
27 /*
28 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
29 */
30 static const u8 RSA_digest_info_MD5[] = {
31 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
32 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
33 0x05, 0x00, 0x04, 0x10
34 };
35
36 static const u8 RSA_digest_info_SHA1[] = {
37 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
38 0x2B, 0x0E, 0x03, 0x02, 0x1A,
39 0x05, 0x00, 0x04, 0x14
40 };
41
42 static const u8 RSA_digest_info_RIPE_MD_160[] = {
43 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
44 0x2B, 0x24, 0x03, 0x02, 0x01,
45 0x05, 0x00, 0x04, 0x14
46 };
47
48 static const u8 RSA_digest_info_SHA224[] = {
49 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
50 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
51 0x05, 0x00, 0x04, 0x1C
52 };
53
54 static const u8 RSA_digest_info_SHA256[] = {
55 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
56 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
57 0x05, 0x00, 0x04, 0x20
58 };
59
60 static const u8 RSA_digest_info_SHA384[] = {
61 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
62 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
63 0x05, 0x00, 0x04, 0x30
64 };
65
66 static const u8 RSA_digest_info_SHA512[] = {
67 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
68 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
69 0x05, 0x00, 0x04, 0x40
70 };
71
72 static const struct {
73 const u8 *data;
74 size_t size;
75 } RSA_ASN1_templates[PKEY_HASH__LAST] = {
76 #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
77 [PKEY_HASH_MD5] = _(MD5),
78 [PKEY_HASH_SHA1] = _(SHA1),
79 [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
80 [PKEY_HASH_SHA256] = _(SHA256),
81 [PKEY_HASH_SHA384] = _(SHA384),
82 [PKEY_HASH_SHA512] = _(SHA512),
83 [PKEY_HASH_SHA224] = _(SHA224),
84 #undef _
85 };
86
87 /*
88 * RSAVP1() function [RFC3447 sec 5.2.2]
89 */
RSAVP1(const struct public_key * key,MPI s,MPI * _m)90 static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
91 {
92 MPI m;
93 int ret;
94
95 /* (1) Validate 0 <= s < n */
96 if (mpi_cmp_ui(s, 0) < 0) {
97 kleave(" = -EBADMSG [s < 0]");
98 return -EBADMSG;
99 }
100 if (mpi_cmp(s, key->rsa.n) >= 0) {
101 kleave(" = -EBADMSG [s >= n]");
102 return -EBADMSG;
103 }
104
105 m = mpi_alloc(0);
106 if (!m)
107 return -ENOMEM;
108
109 /* (2) m = s^e mod n */
110 ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
111 if (ret < 0) {
112 mpi_free(m);
113 return ret;
114 }
115
116 *_m = m;
117 return 0;
118 }
119
120 /*
121 * Integer to Octet String conversion [RFC3447 sec 4.1]
122 */
RSA_I2OSP(MPI x,size_t xLen,u8 ** _X)123 static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
124 {
125 unsigned X_size, x_size;
126 int X_sign;
127 u8 *X;
128
129 /* Make sure the string is the right length. The number should begin
130 * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
131 * bits not being reported by MPI.
132 */
133 x_size = mpi_get_nbits(x);
134 pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
135 if (x_size != xLen * 8 - 15)
136 return -ERANGE;
137
138 X = mpi_get_buffer(x, &X_size, &X_sign);
139 if (!X)
140 return -ENOMEM;
141 if (X_sign < 0) {
142 kfree(X);
143 return -EBADMSG;
144 }
145 if (X_size != xLen - 1) {
146 kfree(X);
147 return -EBADMSG;
148 }
149
150 *_X = X;
151 return 0;
152 }
153
154 /*
155 * Perform the RSA signature verification.
156 * @H: Value of hash of data and metadata
157 * @EM: The computed signature value
158 * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
159 * @hash_size: The size of H
160 * @asn1_template: The DigestInfo ASN.1 template
161 * @asn1_size: Size of asm1_template[]
162 */
RSA_verify(const u8 * H,const u8 * EM,size_t k,size_t hash_size,const u8 * asn1_template,size_t asn1_size)163 static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
164 const u8 *asn1_template, size_t asn1_size)
165 {
166 unsigned PS_end, T_offset, i;
167
168 kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
169
170 if (k < 2 + 1 + asn1_size + hash_size)
171 return -EBADMSG;
172
173 /* Decode the EMSA-PKCS1-v1_5 */
174 if (EM[1] != 0x01) {
175 kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
176 return -EBADMSG;
177 }
178
179 T_offset = k - (asn1_size + hash_size);
180 PS_end = T_offset - 1;
181 if (EM[PS_end] != 0x00) {
182 kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
183 return -EBADMSG;
184 }
185
186 for (i = 2; i < PS_end; i++) {
187 if (EM[i] != 0xff) {
188 kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
189 return -EBADMSG;
190 }
191 }
192
193 if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
194 kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
195 return -EBADMSG;
196 }
197
198 if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
199 kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
200 return -EKEYREJECTED;
201 }
202
203 kleave(" = 0");
204 return 0;
205 }
206
207 /*
208 * Perform the verification step [RFC3447 sec 8.2.2].
209 */
RSA_verify_signature(const struct public_key * key,const struct public_key_signature * sig)210 static int RSA_verify_signature(const struct public_key *key,
211 const struct public_key_signature *sig)
212 {
213 size_t tsize;
214 int ret;
215
216 /* Variables as per RFC3447 sec 8.2.2 */
217 const u8 *H = sig->digest;
218 u8 *EM = NULL;
219 MPI m = NULL;
220 size_t k;
221
222 kenter("");
223
224 if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
225 return -ENOTSUPP;
226
227 /* (1) Check the signature size against the public key modulus size */
228 k = mpi_get_nbits(key->rsa.n);
229 tsize = mpi_get_nbits(sig->rsa.s);
230
231 /* According to RFC 4880 sec 3.2, length of MPI is computed starting
232 * from most significant bit. So the RFC 3447 sec 8.2.2 size check
233 * must be relaxed to conform with shorter signatures - so we fail here
234 * only if signature length is longer than modulus size.
235 */
236 pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
237 if (k < tsize) {
238 ret = -EBADMSG;
239 goto error;
240 }
241
242 /* Round up and convert to octets */
243 k = (k + 7) / 8;
244
245 /* (2b) Apply the RSAVP1 verification primitive to the public key */
246 ret = RSAVP1(key, sig->rsa.s, &m);
247 if (ret < 0)
248 goto error;
249
250 /* (2c) Convert the message representative (m) to an encoded message
251 * (EM) of length k octets.
252 *
253 * NOTE! The leading zero byte is suppressed by MPI, so we pass a
254 * pointer to the _preceding_ byte to RSA_verify()!
255 */
256 ret = RSA_I2OSP(m, k, &EM);
257 if (ret < 0)
258 goto error;
259
260 ret = RSA_verify(H, EM - 1, k, sig->digest_size,
261 RSA_ASN1_templates[sig->pkey_hash_algo].data,
262 RSA_ASN1_templates[sig->pkey_hash_algo].size);
263
264 error:
265 kfree(EM);
266 mpi_free(m);
267 kleave(" = %d", ret);
268 return ret;
269 }
270
271 const struct public_key_algorithm RSA_public_key_algorithm = {
272 .name = "RSA",
273 .n_pub_mpi = 2,
274 .n_sec_mpi = 3,
275 .n_sig_mpi = 1,
276 .verify_signature = RSA_verify_signature,
277 };
278 EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);
279