crypto/asymmetric_keys/rsa.c

   1 /* RSA asymmetric public-key algorithm [RFC3447]
   2  *
   3  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
   4  * Written by David Howells (dhowells@redhat.com)
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU General Public Licence
   8  * as published by the Free Software Foundation; either version
   9  * 2 of the Licence, or (at your option) any later version.
  10  */
  11
  12 #define pr_fmt(fmt) "RSA: "fmt
  13 #include <linux/module.h>
  14 #include <linux/slab.h>
  15 #include <crypto/akcipher.h>
  16 #include <crypto/public_key.h>
  17 #include <crypto/algapi.h>
  18
  19 MODULE_LICENSE("GPL");
  20 MODULE_DESCRIPTION("RSA Public Key Algorithm");
  21
  22 #define kenter(FMT, ...) \
  23         pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
  24 #define kleave(FMT, ...) \
  25         pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
  26
  27 /*
  28  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
  29  */
  30 static const u8 RSA_digest_info_MD5[] = {
  31         0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
  32         0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
  33         0x05, 0x00, 0x04, 0x10
  34 };
  35
  36 static const u8 RSA_digest_info_SHA1[] = {
  37         0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  38         0x2B, 0x0E, 0x03, 0x02, 0x1A,
  39         0x05, 0x00, 0x04, 0x14
  40 };
  41
  42 static const u8 RSA_digest_info_RIPE_MD_160[] = {
  43         0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
  44         0x2B, 0x24, 0x03, 0x02, 0x01,
  45         0x05, 0x00, 0x04, 0x14
  46 };
  47
  48 static const u8 RSA_digest_info_SHA224[] = {
  49         0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
  50         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
  51         0x05, 0x00, 0x04, 0x1C
  52 };
  53
  54 static const u8 RSA_digest_info_SHA256[] = {
  55         0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
  56         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
  57         0x05, 0x00, 0x04, 0x20
  58 };
  59
  60 static const u8 RSA_digest_info_SHA384[] = {
  61         0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
  62         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
  63         0x05, 0x00, 0x04, 0x30
  64 };
  65
  66 static const u8 RSA_digest_info_SHA512[] = {
  67         0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
  68         0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
  69         0x05, 0x00, 0x04, 0x40
  70 };
  71
  72 static const struct {
  73         const u8 *data;
  74         size_t size;
  75 } RSA_ASN1_templates[PKEY_HASH__LAST] = {
  76 #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
  77         [HASH_ALGO_MD5]         = _(MD5),
  78         [HASH_ALGO_SHA1]        = _(SHA1),
  79         [HASH_ALGO_RIPE_MD_160] = _(RIPE_MD_160),
  80         [HASH_ALGO_SHA256]      = _(SHA256),
  81         [HASH_ALGO_SHA384]      = _(SHA384),
  82         [HASH_ALGO_SHA512]      = _(SHA512),
  83         [HASH_ALGO_SHA224]      = _(SHA224),
  84 #undef _
  85 };
  86
  87 struct rsa_completion {
  88         struct completion completion;
  89         int err;
  90 };
  91
  92 /*
  93  * Perform the RSA signature verification.
  94  * @H: Value of hash of data and metadata
  95  * @EM: The computed signature value
  96  * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
  97  * @hash_size: The size of H
  98  * @asn1_template: The DigestInfo ASN.1 template
  99  * @asn1_size: Size of asm1_template[]
 100  */
 101 static int rsa_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
 102                       const u8 *asn1_template, size_t asn1_size)
 103 {
 104         unsigned PS_end, T_offset, i;
 105
 106         kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
 107
 108         if (k < 2 + 1 + asn1_size + hash_size)
 109                 return -EBADMSG;
 110
 111         /* Decode the EMSA-PKCS1-v1_5
 112          * note: leading zeros are stripped by the RSA implementation
 113          */
 114         if (EM[0] != 0x01) {
 115                 kleave(" = -EBADMSG [EM[0] == %02u]", EM[0]);
 116                 return -EBADMSG;
 117         }
 118
 119         T_offset = k - (asn1_size + hash_size);
 120         PS_end = T_offset - 1;
 121         if (EM[PS_end] != 0x00) {
 122                 kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
 123                 return -EBADMSG;
 124         }
 125
 126         for (i = 1; i < PS_end; i++) {
 127                 if (EM[i] != 0xff) {
 128                         kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
 129                         return -EBADMSG;
 130                 }
 131         }
 132
 133         if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
 134                 kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
 135                 return -EBADMSG;
 136         }
 137
 138         if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
 139                 kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
 140                 return -EKEYREJECTED;
 141         }
 142
 143         kleave(" = 0");
 144         return 0;
 145 }
 146
 147 static void public_key_verify_done(struct crypto_async_request *req, int err)
 148 {
 149         struct rsa_completion *compl = req->data;
 150
 151         if (err == -EINPROGRESS)
 152                 return;
 153
 154         compl->err = err;
 155         complete(&compl->completion);
 156 }
 157
 158 int rsa_verify_signature(const struct public_key *pkey,
 159                          const struct public_key_signature *sig)
 160 {
 161         struct crypto_akcipher *tfm;
 162         struct akcipher_request *req;
 163         struct rsa_completion compl;
 164         struct scatterlist sig_sg, sg_out;
 165         void *outbuf = NULL;
 166         unsigned int outlen = 0;
 167         int ret = -ENOMEM;
 168
 169         tfm = crypto_alloc_akcipher("rsa", 0, 0);
 170         if (IS_ERR(tfm))
 171                 goto error_out;
 172
 173         req = akcipher_request_alloc(tfm, GFP_KERNEL);
 174         if (!req)
 175                 goto error_free_tfm;
 176
 177         ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
 178         if (ret)
 179                 goto error_free_req;
 180
 181         ret = -EINVAL;
 182         outlen = crypto_akcipher_maxsize(tfm);
 183         if (!outlen)
 184                 goto error_free_req;
 185
 186         /* Initialize the output buffer */
 187         ret = -ENOMEM;
 188         outbuf = kmalloc(outlen, GFP_KERNEL);
 189         if (!outbuf)
 190                 goto error_free_req;
 191
 192         sg_init_one(&sig_sg, sig->s, sig->s_size);
 193         sg_init_one(&sg_out, outbuf, outlen);
 194         akcipher_request_set_crypt(req, &sig_sg, &sg_out, sig->s_size, outlen);
 195         init_completion(&compl.completion);
 196         akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
 197                                       CRYPTO_TFM_REQ_MAY_SLEEP,
 198                                       public_key_verify_done, &compl);
 199
 200         ret = crypto_akcipher_verify(req);
 201         if (ret == -EINPROGRESS) {
 202                 wait_for_completion(&compl.completion);
 203                 ret = compl.err;
 204         }
 205
 206         if (ret)
 207                 goto error_free_req;
 208
 209         /* Output from the operation is an encoded message (EM) of
 210          * length k octets.
 211          */
 212         outlen = req->dst_len;
 213         ret = rsa_verify(sig->digest, outbuf, outlen, sig->digest_size,
 214                          RSA_ASN1_templates[sig->pkey_hash_algo].data,
 215                          RSA_ASN1_templates[sig->pkey_hash_algo].size);
 216 error_free_req:
 217         akcipher_request_free(req);
 218 error_free_tfm:
 219         crypto_free_akcipher(tfm);
 220 error_out:
 221         kfree(outbuf);
 222         return ret;
 223 }
 224 EXPORT_SYMBOL_GPL(rsa_verify_signature);