the-tree/crypto/rsa.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* RSA asymmetric public-key algorithm [RFC3447]
0003  *
0004  * Copyright (c) 2015, Intel Corporation
0005  * Authors: Tadeusz Struk <tadeusz.struk@intel.com>
0006  */
0007
0008 #include <linux/fips.h>
0009 #include <linux/module.h>
0010 #include <linux/mpi.h>
0011 #include <crypto/internal/rsa.h>
0012 #include <crypto/internal/akcipher.h>
0013 #include <crypto/akcipher.h>
0014 #include <crypto/algapi.h>
0015
0016 struct rsa_mpi_key {
0017     MPI n;
0018     MPI e;
0019     MPI d;
0020     MPI p;
0021     MPI q;
0022     MPI dp;
0023     MPI dq;
0024     MPI qinv;
0025 };
0026
0027 /*
0028  * RSAEP function [RFC3447 sec 5.1.1]
0029  * c = m^e mod n;
0030  */
0031 static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
0032 {
0033     /* (1) Validate 0 <= m < n */
0034     if (mpi_cmp_ui(m, 0) < 0 || mpi_cmp(m, key->n) >= 0)
0035         return -EINVAL;
0036
0037     /* (2) c = m^e mod n */
0038     return mpi_powm(c, m, key->e, key->n);
0039 }
0040
0041 /*
0042  * RSADP function [RFC3447 sec 5.1.2]
0043  * m_1 = c^dP mod p;
0044  * m_2 = c^dQ mod q;
0045  * h = (m_1 - m_2) * qInv mod p;
0046  * m = m_2 + q * h;
0047  */
0048 static int _rsa_dec_crt(const struct rsa_mpi_key *key, MPI m_or_m1_or_h, MPI c)
0049 {
0050     MPI m2, m12_or_qh;
0051     int ret = -ENOMEM;
0052
0053     /* (1) Validate 0 <= c < n */
0054     if (mpi_cmp_ui(c, 0) < 0 || mpi_cmp(c, key->n) >= 0)
0055         return -EINVAL;
0056
0057     m2 = mpi_alloc(0);
0058     m12_or_qh = mpi_alloc(0);
0059     if (!m2 || !m12_or_qh)
0060         goto err_free_mpi;
0061
0062     /* (2i) m_1 = c^dP mod p */
0063     ret = mpi_powm(m_or_m1_or_h, c, key->dp, key->p);
0064     if (ret)
0065         goto err_free_mpi;
0066
0067     /* (2i) m_2 = c^dQ mod q */
0068     ret = mpi_powm(m2, c, key->dq, key->q);
0069     if (ret)
0070         goto err_free_mpi;
0071
0072     /* (2iii) h = (m_1 - m_2) * qInv mod p */
0073     mpi_sub(m12_or_qh, m_or_m1_or_h, m2);
0074     mpi_mulm(m_or_m1_or_h, m12_or_qh, key->qinv, key->p);
0075
0076     /* (2iv) m = m_2 + q * h */
0077     mpi_mul(m12_or_qh, key->q, m_or_m1_or_h);
0078     mpi_addm(m_or_m1_or_h, m2, m12_or_qh, key->n);
0079
0080     ret = 0;
0081
0082 err_free_mpi:
0083     mpi_free(m12_or_qh);
0084     mpi_free(m2);
0085     return ret;
0086 }
0087
0088 static inline struct rsa_mpi_key *rsa_get_key(struct crypto_akcipher *tfm)
0089 {
0090     return akcipher_tfm_ctx(tfm);
0091 }
0092
0093 static int rsa_enc(struct akcipher_request *req)
0094 {
0095     struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
0096     const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
0097     MPI m, c = mpi_alloc(0);
0098     int ret = 0;
0099     int sign;
0100
0101     if (!c)
0102         return -ENOMEM;
0103
0104     if (unlikely(!pkey->n || !pkey->e)) {
0105         ret = -EINVAL;
0106         goto err_free_c;
0107     }
0108
0109     ret = -ENOMEM;
0110     m = mpi_read_raw_from_sgl(req->src, req->src_len);
0111     if (!m)
0112         goto err_free_c;
0113
0114     ret = _rsa_enc(pkey, c, m);
0115     if (ret)
0116         goto err_free_m;
0117
0118     ret = mpi_write_to_sgl(c, req->dst, req->dst_len, &sign);
0119     if (ret)
0120         goto err_free_m;
0121
0122     if (sign < 0)
0123         ret = -EBADMSG;
0124
0125 err_free_m:
0126     mpi_free(m);
0127 err_free_c:
0128     mpi_free(c);
0129     return ret;
0130 }
0131
0132 static int rsa_dec(struct akcipher_request *req)
0133 {
0134     struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
0135     const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
0136     MPI c, m = mpi_alloc(0);
0137     int ret = 0;
0138     int sign;
0139
0140     if (!m)
0141         return -ENOMEM;
0142
0143     if (unlikely(!pkey->n || !pkey->d)) {
0144         ret = -EINVAL;
0145         goto err_free_m;
0146     }
0147
0148     ret = -ENOMEM;
0149     c = mpi_read_raw_from_sgl(req->src, req->src_len);
0150     if (!c)
0151         goto err_free_m;
0152
0153     ret = _rsa_dec_crt(pkey, m, c);
0154     if (ret)
0155         goto err_free_c;
0156
0157     ret = mpi_write_to_sgl(m, req->dst, req->dst_len, &sign);
0158     if (ret)
0159         goto err_free_c;
0160
0161     if (sign < 0)
0162         ret = -EBADMSG;
0163 err_free_c:
0164     mpi_free(c);
0165 err_free_m:
0166     mpi_free(m);
0167     return ret;
0168 }
0169
0170 static void rsa_free_mpi_key(struct rsa_mpi_key *key)
0171 {
0172     mpi_free(key->d);
0173     mpi_free(key->e);
0174     mpi_free(key->n);
0175     mpi_free(key->p);
0176     mpi_free(key->q);
0177     mpi_free(key->dp);
0178     mpi_free(key->dq);
0179     mpi_free(key->qinv);
0180     key->d = NULL;
0181     key->e = NULL;
0182     key->n = NULL;
0183     key->p = NULL;
0184     key->q = NULL;
0185     key->dp = NULL;
0186     key->dq = NULL;
0187     key->qinv = NULL;
0188 }
0189
0190 static int rsa_check_key_length(unsigned int len)
0191 {
0192     switch (len) {
0193     case 512:
0194     case 1024:
0195     case 1536:
0196         if (fips_enabled)
0197             return -EINVAL;
0198         fallthrough;
0199     case 2048:
0200     case 3072:
0201     case 4096:
0202         return 0;
0203     }
0204
0205     return -EINVAL;
0206 }
0207
0208 static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
0209                unsigned int keylen)
0210 {
0211     struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
0212     struct rsa_key raw_key = {0};
0213     int ret;
0214
0215     /* Free the old MPI key if any */
0216     rsa_free_mpi_key(mpi_key);
0217
0218     ret = rsa_parse_pub_key(&raw_key, key, keylen);
0219     if (ret)
0220         return ret;
0221
0222     mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
0223     if (!mpi_key->e)
0224         goto err;
0225
0226     mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
0227     if (!mpi_key->n)
0228         goto err;
0229
0230     if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
0231         rsa_free_mpi_key(mpi_key);
0232         return -EINVAL;
0233     }
0234
0235     return 0;
0236
0237 err:
0238     rsa_free_mpi_key(mpi_key);
0239     return -ENOMEM;
0240 }
0241
0242 static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key,
0243                 unsigned int keylen)
0244 {
0245     struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
0246     struct rsa_key raw_key = {0};
0247     int ret;
0248
0249     /* Free the old MPI key if any */
0250     rsa_free_mpi_key(mpi_key);
0251
0252     ret = rsa_parse_priv_key(&raw_key, key, keylen);
0253     if (ret)
0254         return ret;
0255
0256     mpi_key->d = mpi_read_raw_data(raw_key.d, raw_key.d_sz);
0257     if (!mpi_key->d)
0258         goto err;
0259
0260     mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
0261     if (!mpi_key->e)
0262         goto err;
0263
0264     mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
0265     if (!mpi_key->n)
0266         goto err;
0267
0268     mpi_key->p = mpi_read_raw_data(raw_key.p, raw_key.p_sz);
0269     if (!mpi_key->p)
0270         goto err;
0271
0272     mpi_key->q = mpi_read_raw_data(raw_key.q, raw_key.q_sz);
0273     if (!mpi_key->q)
0274         goto err;
0275
0276     mpi_key->dp = mpi_read_raw_data(raw_key.dp, raw_key.dp_sz);
0277     if (!mpi_key->dp)
0278         goto err;
0279
0280     mpi_key->dq = mpi_read_raw_data(raw_key.dq, raw_key.dq_sz);
0281     if (!mpi_key->dq)
0282         goto err;
0283
0284     mpi_key->qinv = mpi_read_raw_data(raw_key.qinv, raw_key.qinv_sz);
0285     if (!mpi_key->qinv)
0286         goto err;
0287
0288     if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
0289         rsa_free_mpi_key(mpi_key);
0290         return -EINVAL;
0291     }
0292
0293     return 0;
0294
0295 err:
0296     rsa_free_mpi_key(mpi_key);
0297     return -ENOMEM;
0298 }
0299
0300 static unsigned int rsa_max_size(struct crypto_akcipher *tfm)
0301 {
0302     struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
0303
0304     return mpi_get_size(pkey->n);
0305 }
0306
0307 static void rsa_exit_tfm(struct crypto_akcipher *tfm)
0308 {
0309     struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
0310
0311     rsa_free_mpi_key(pkey);
0312 }
0313
0314 static struct akcipher_alg rsa = {
0315     .encrypt = rsa_enc,
0316     .decrypt = rsa_dec,
0317     .set_priv_key = rsa_set_priv_key,
0318     .set_pub_key = rsa_set_pub_key,
0319     .max_size = rsa_max_size,
0320     .exit = rsa_exit_tfm,
0321     .base = {
0322         .cra_name = "rsa",
0323         .cra_driver_name = "rsa-generic",
0324         .cra_priority = 100,
0325         .cra_module = THIS_MODULE,
0326         .cra_ctxsize = sizeof(struct rsa_mpi_key),
0327     },
0328 };
0329
0330 static int rsa_init(void)
0331 {
0332     int err;
0333
0334     err = crypto_register_akcipher(&rsa);
0335     if (err)
0336         return err;
0337
0338     err = crypto_register_template(&rsa_pkcs1pad_tmpl);
0339     if (err) {
0340         crypto_unregister_akcipher(&rsa);
0341         return err;
0342     }
0343
0344     return 0;
0345 }
0346
0347 static void rsa_exit(void)
0348 {
0349     crypto_unregister_template(&rsa_pkcs1pad_tmpl);
0350     crypto_unregister_akcipher(&rsa);
0351 }
0352
0353 subsys_initcall(rsa_init);
0354 module_exit(rsa_exit);
0355 MODULE_ALIAS_CRYPTO("rsa");
0356 MODULE_LICENSE("GPL");
0357 MODULE_DESCRIPTION("RSA generic algorithm");