Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
rsa.c
Go to the documentation of this file.
1 /* RSA asymmetric public-key algorithm [RFC3447]
2  *
3  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells ([email protected])
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 
12 #define pr_fmt(fmt) "RSA: "fmt
13 #include <linux/module.h>
14 #include <linux/kernel.h>
15 #include <linux/slab.h>
16 #include "public_key.h"
17 
18 MODULE_LICENSE("GPL");
19 MODULE_DESCRIPTION("RSA Public Key Algorithm");
20 
21 #define kenter(FMT, ...) \
22  pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
23 #define kleave(FMT, ...) \
24  pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
25 
26 /*
27  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
28  */
29 static const u8 RSA_digest_info_MD5[] = {
30  0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
31  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
32  0x05, 0x00, 0x04, 0x10
33 };
34 
35 static const u8 RSA_digest_info_SHA1[] = {
36  0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
37  0x2B, 0x0E, 0x03, 0x02, 0x1A,
38  0x05, 0x00, 0x04, 0x14
39 };
40 
41 static const u8 RSA_digest_info_RIPE_MD_160[] = {
42  0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
43  0x2B, 0x24, 0x03, 0x02, 0x01,
44  0x05, 0x00, 0x04, 0x14
45 };
46 
47 static const u8 RSA_digest_info_SHA224[] = {
48  0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
49  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
50  0x05, 0x00, 0x04, 0x1C
51 };
52 
53 static const u8 RSA_digest_info_SHA256[] = {
54  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
55  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
56  0x05, 0x00, 0x04, 0x20
57 };
58 
59 static const u8 RSA_digest_info_SHA384[] = {
60  0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
61  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
62  0x05, 0x00, 0x04, 0x30
63 };
64 
65 static const u8 RSA_digest_info_SHA512[] = {
66  0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
67  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
68  0x05, 0x00, 0x04, 0x40
69 };
70 
71 static const struct {
72  const u8 *data;
73  size_t size;
74 } RSA_ASN1_templates[PKEY_HASH__LAST] = {
75 #define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
76  [PKEY_HASH_MD5] = _(MD5),
77  [PKEY_HASH_SHA1] = _(SHA1),
78  [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160),
80  [PKEY_HASH_SHA384] = _(SHA384),
83 #undef _
84 };
85 
86 /*
87  * RSAVP1() function [RFC3447 sec 5.2.2]
88  */
89 static int RSAVP1(const struct public_key *key, MPI s, MPI *_m)
90 {
91  MPI m;
92  int ret;
93 
94  /* (1) Validate 0 <= s < n */
95  if (mpi_cmp_ui(s, 0) < 0) {
96  kleave(" = -EBADMSG [s < 0]");
97  return -EBADMSG;
98  }
99  if (mpi_cmp(s, key->rsa.n) >= 0) {
100  kleave(" = -EBADMSG [s >= n]");
101  return -EBADMSG;
102  }
103 
104  m = mpi_alloc(0);
105  if (!m)
106  return -ENOMEM;
107 
108  /* (2) m = s^e mod n */
109  ret = mpi_powm(m, s, key->rsa.e, key->rsa.n);
110  if (ret < 0) {
111  mpi_free(m);
112  return ret;
113  }
114 
115  *_m = m;
116  return 0;
117 }
118 
119 /*
120  * Integer to Octet String conversion [RFC3447 sec 4.1]
121  */
122 static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
123 {
124  unsigned X_size, x_size;
125  int X_sign;
126  u8 *X;
127 
128  /* Make sure the string is the right length. The number should begin
129  * with { 0x00, 0x01, ... } so we have to account for 15 leading zero
130  * bits not being reported by MPI.
131  */
132  x_size = mpi_get_nbits(x);
133  pr_devel("size(x)=%u xLen*8=%zu\n", x_size, xLen * 8);
134  if (x_size != xLen * 8 - 15)
135  return -ERANGE;
136 
137  X = mpi_get_buffer(x, &X_size, &X_sign);
138  if (!X)
139  return -ENOMEM;
140  if (X_sign < 0) {
141  kfree(X);
142  return -EBADMSG;
143  }
144  if (X_size != xLen - 1) {
145  kfree(X);
146  return -EBADMSG;
147  }
148 
149  *_X = X;
150  return 0;
151 }
152 
153 /*
154  * Perform the RSA signature verification.
155  * @H: Value of hash of data and metadata
156  * @EM: The computed signature value
157  * @k: The size of EM (EM[0] is an invalid location but should hold 0x00)
158  * @hash_size: The size of H
159  * @asn1_template: The DigestInfo ASN.1 template
160  * @asn1_size: Size of asm1_template[]
161  */
162 static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
163  const u8 *asn1_template, size_t asn1_size)
164 {
165  unsigned PS_end, T_offset, i;
166 
167  kenter(",,%zu,%zu,%zu", k, hash_size, asn1_size);
168 
169  if (k < 2 + 1 + asn1_size + hash_size)
170  return -EBADMSG;
171 
172  /* Decode the EMSA-PKCS1-v1_5 */
173  if (EM[1] != 0x01) {
174  kleave(" = -EBADMSG [EM[1] == %02u]", EM[1]);
175  return -EBADMSG;
176  }
177 
178  T_offset = k - (asn1_size + hash_size);
179  PS_end = T_offset - 1;
180  if (EM[PS_end] != 0x00) {
181  kleave(" = -EBADMSG [EM[T-1] == %02u]", EM[PS_end]);
182  return -EBADMSG;
183  }
184 
185  for (i = 2; i < PS_end; i++) {
186  if (EM[i] != 0xff) {
187  kleave(" = -EBADMSG [EM[PS%x] == %02u]", i - 2, EM[i]);
188  return -EBADMSG;
189  }
190  }
191 
192  if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
193  kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
194  return -EBADMSG;
195  }
196 
197  if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
198  kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
199  return -EKEYREJECTED;
200  }
201 
202  kleave(" = 0");
203  return 0;
204 }
205 
206 /*
207  * Perform the verification step [RFC3447 sec 8.2.2].
208  */
209 static int RSA_verify_signature(const struct public_key *key,
210  const struct public_key_signature *sig)
211 {
212  size_t tsize;
213  int ret;
214 
215  /* Variables as per RFC3447 sec 8.2.2 */
216  const u8 *H = sig->digest;
217  u8 *EM = NULL;
218  MPI m = NULL;
219  size_t k;
220 
221  kenter("");
222 
223  if (!RSA_ASN1_templates[sig->pkey_hash_algo].data)
224  return -ENOTSUPP;
225 
226  /* (1) Check the signature size against the public key modulus size */
227  k = mpi_get_nbits(key->rsa.n);
228  tsize = mpi_get_nbits(sig->rsa.s);
229 
230  /* According to RFC 4880 sec 3.2, length of MPI is computed starting
231  * from most significant bit. So the RFC 3447 sec 8.2.2 size check
232  * must be relaxed to conform with shorter signatures - so we fail here
233  * only if signature length is longer than modulus size.
234  */
235  pr_devel("step 1: k=%zu size(S)=%zu\n", k, tsize);
236  if (k < tsize) {
237  ret = -EBADMSG;
238  goto error;
239  }
240 
241  /* Round up and convert to octets */
242  k = (k + 7) / 8;
243 
244  /* (2b) Apply the RSAVP1 verification primitive to the public key */
245  ret = RSAVP1(key, sig->rsa.s, &m);
246  if (ret < 0)
247  goto error;
248 
249  /* (2c) Convert the message representative (m) to an encoded message
250  * (EM) of length k octets.
251  *
252  * NOTE! The leading zero byte is suppressed by MPI, so we pass a
253  * pointer to the _preceding_ byte to RSA_verify()!
254  */
255  ret = RSA_I2OSP(m, k, &EM);
256  if (ret < 0)
257  goto error;
258 
259  ret = RSA_verify(H, EM - 1, k, sig->digest_size,
260  RSA_ASN1_templates[sig->pkey_hash_algo].data,
261  RSA_ASN1_templates[sig->pkey_hash_algo].size);
262 
263 error:
264  kfree(EM);
265  mpi_free(m);
266  kleave(" = %d", ret);
267  return ret;
268 }
269 
271  .name = "RSA",
272  .n_pub_mpi = 2,
273  .n_sec_mpi = 3,
274  .n_sig_mpi = 1,
275  .verify_signature = RSA_verify_signature,
276 };
277 EXPORT_SYMBOL_GPL(RSA_public_key_algorithm);