1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* RSA asymmetric public-key algorithm [RFC3447] |
3 | * |
4 | * Copyright (c) 2015, Intel Corporation |
5 | * Authors: Tadeusz Struk <tadeusz.struk@intel.com> |
6 | */ |
7 | |
8 | #include <linux/fips.h> |
9 | #include <linux/module.h> |
10 | #include <linux/mpi.h> |
11 | #include <crypto/internal/rsa.h> |
12 | #include <crypto/internal/akcipher.h> |
13 | #include <crypto/akcipher.h> |
14 | #include <crypto/algapi.h> |
15 | |
16 | struct rsa_mpi_key { |
17 | MPI n; |
18 | MPI e; |
19 | MPI d; |
20 | MPI p; |
21 | MPI q; |
22 | MPI dp; |
23 | MPI dq; |
24 | MPI qinv; |
25 | }; |
26 | |
27 | static int rsa_check_payload(MPI x, MPI n) |
28 | { |
29 | MPI n1; |
30 | |
31 | if (mpi_cmp_ui(u: x, v: 1) <= 0) |
32 | return -EINVAL; |
33 | |
34 | n1 = mpi_alloc(nlimbs: 0); |
35 | if (!n1) |
36 | return -ENOMEM; |
37 | |
38 | if (mpi_sub_ui(w: n1, u: n, vval: 1) || mpi_cmp(u: x, v: n1) >= 0) { |
39 | mpi_free(a: n1); |
40 | return -EINVAL; |
41 | } |
42 | |
43 | mpi_free(a: n1); |
44 | return 0; |
45 | } |
46 | |
47 | /* |
48 | * RSAEP function [RFC3447 sec 5.1.1] |
49 | * c = m^e mod n; |
50 | */ |
51 | static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m) |
52 | { |
53 | /* |
54 | * Even though (1) in RFC3447 only requires 0 <= m <= n - 1, we are |
55 | * slightly more conservative and require 1 < m < n - 1. This is in line |
56 | * with SP 800-56Br2, Section 7.1.1. |
57 | */ |
58 | if (rsa_check_payload(x: m, n: key->n)) |
59 | return -EINVAL; |
60 | |
61 | /* (2) c = m^e mod n */ |
62 | return mpi_powm(res: c, base: m, exp: key->e, mod: key->n); |
63 | } |
64 | |
65 | /* |
66 | * RSADP function [RFC3447 sec 5.1.2] |
67 | * m_1 = c^dP mod p; |
68 | * m_2 = c^dQ mod q; |
69 | * h = (m_1 - m_2) * qInv mod p; |
70 | * m = m_2 + q * h; |
71 | */ |
72 | static int _rsa_dec_crt(const struct rsa_mpi_key *key, MPI m_or_m1_or_h, MPI c) |
73 | { |
74 | MPI m2, m12_or_qh; |
75 | int ret = -ENOMEM; |
76 | |
77 | /* |
78 | * Even though (1) in RFC3447 only requires 0 <= c <= n - 1, we are |
79 | * slightly more conservative and require 1 < c < n - 1. This is in line |
80 | * with SP 800-56Br2, Section 7.1.2. |
81 | */ |
82 | if (rsa_check_payload(x: c, n: key->n)) |
83 | return -EINVAL; |
84 | |
85 | m2 = mpi_alloc(nlimbs: 0); |
86 | m12_or_qh = mpi_alloc(nlimbs: 0); |
87 | if (!m2 || !m12_or_qh) |
88 | goto err_free_mpi; |
89 | |
90 | /* (2i) m_1 = c^dP mod p */ |
91 | ret = mpi_powm(res: m_or_m1_or_h, base: c, exp: key->dp, mod: key->p); |
92 | if (ret) |
93 | goto err_free_mpi; |
94 | |
95 | /* (2i) m_2 = c^dQ mod q */ |
96 | ret = mpi_powm(res: m2, base: c, exp: key->dq, mod: key->q); |
97 | if (ret) |
98 | goto err_free_mpi; |
99 | |
100 | /* (2iii) h = (m_1 - m_2) * qInv mod p */ |
101 | mpi_sub(w: m12_or_qh, u: m_or_m1_or_h, v: m2); |
102 | mpi_mulm(w: m_or_m1_or_h, u: m12_or_qh, v: key->qinv, m: key->p); |
103 | |
104 | /* (2iv) m = m_2 + q * h */ |
105 | mpi_mul(w: m12_or_qh, u: key->q, v: m_or_m1_or_h); |
106 | mpi_addm(w: m_or_m1_or_h, u: m2, v: m12_or_qh, m: key->n); |
107 | |
108 | ret = 0; |
109 | |
110 | err_free_mpi: |
111 | mpi_free(a: m12_or_qh); |
112 | mpi_free(a: m2); |
113 | return ret; |
114 | } |
115 | |
116 | static inline struct rsa_mpi_key *rsa_get_key(struct crypto_akcipher *tfm) |
117 | { |
118 | return akcipher_tfm_ctx(tfm); |
119 | } |
120 | |
121 | static int rsa_enc(struct akcipher_request *req) |
122 | { |
123 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
124 | const struct rsa_mpi_key *pkey = rsa_get_key(tfm); |
125 | MPI m, c = mpi_alloc(nlimbs: 0); |
126 | int ret = 0; |
127 | int sign; |
128 | |
129 | if (!c) |
130 | return -ENOMEM; |
131 | |
132 | if (unlikely(!pkey->n || !pkey->e)) { |
133 | ret = -EINVAL; |
134 | goto err_free_c; |
135 | } |
136 | |
137 | ret = -ENOMEM; |
138 | m = mpi_read_raw_from_sgl(sgl: req->src, len: req->src_len); |
139 | if (!m) |
140 | goto err_free_c; |
141 | |
142 | ret = _rsa_enc(key: pkey, c, m); |
143 | if (ret) |
144 | goto err_free_m; |
145 | |
146 | ret = mpi_write_to_sgl(a: c, sg: req->dst, nbytes: req->dst_len, sign: &sign); |
147 | if (ret) |
148 | goto err_free_m; |
149 | |
150 | if (sign < 0) |
151 | ret = -EBADMSG; |
152 | |
153 | err_free_m: |
154 | mpi_free(a: m); |
155 | err_free_c: |
156 | mpi_free(a: c); |
157 | return ret; |
158 | } |
159 | |
160 | static int rsa_dec(struct akcipher_request *req) |
161 | { |
162 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
163 | const struct rsa_mpi_key *pkey = rsa_get_key(tfm); |
164 | MPI c, m = mpi_alloc(nlimbs: 0); |
165 | int ret = 0; |
166 | int sign; |
167 | |
168 | if (!m) |
169 | return -ENOMEM; |
170 | |
171 | if (unlikely(!pkey->n || !pkey->d)) { |
172 | ret = -EINVAL; |
173 | goto err_free_m; |
174 | } |
175 | |
176 | ret = -ENOMEM; |
177 | c = mpi_read_raw_from_sgl(sgl: req->src, len: req->src_len); |
178 | if (!c) |
179 | goto err_free_m; |
180 | |
181 | ret = _rsa_dec_crt(key: pkey, m_or_m1_or_h: m, c); |
182 | if (ret) |
183 | goto err_free_c; |
184 | |
185 | ret = mpi_write_to_sgl(a: m, sg: req->dst, nbytes: req->dst_len, sign: &sign); |
186 | if (ret) |
187 | goto err_free_c; |
188 | |
189 | if (sign < 0) |
190 | ret = -EBADMSG; |
191 | err_free_c: |
192 | mpi_free(a: c); |
193 | err_free_m: |
194 | mpi_free(a: m); |
195 | return ret; |
196 | } |
197 | |
198 | static void rsa_free_mpi_key(struct rsa_mpi_key *key) |
199 | { |
200 | mpi_free(a: key->d); |
201 | mpi_free(a: key->e); |
202 | mpi_free(a: key->n); |
203 | mpi_free(a: key->p); |
204 | mpi_free(a: key->q); |
205 | mpi_free(a: key->dp); |
206 | mpi_free(a: key->dq); |
207 | mpi_free(a: key->qinv); |
208 | key->d = NULL; |
209 | key->e = NULL; |
210 | key->n = NULL; |
211 | key->p = NULL; |
212 | key->q = NULL; |
213 | key->dp = NULL; |
214 | key->dq = NULL; |
215 | key->qinv = NULL; |
216 | } |
217 | |
218 | static int rsa_check_key_length(unsigned int len) |
219 | { |
220 | switch (len) { |
221 | case 512: |
222 | case 1024: |
223 | case 1536: |
224 | if (fips_enabled) |
225 | return -EINVAL; |
226 | fallthrough; |
227 | case 2048: |
228 | case 3072: |
229 | case 4096: |
230 | return 0; |
231 | } |
232 | |
233 | return -EINVAL; |
234 | } |
235 | |
236 | static int rsa_check_exponent_fips(MPI e) |
237 | { |
238 | MPI e_max = NULL; |
239 | |
240 | /* check if odd */ |
241 | if (!mpi_test_bit(a: e, n: 0)) { |
242 | return -EINVAL; |
243 | } |
244 | |
245 | /* check if 2^16 < e < 2^256. */ |
246 | if (mpi_cmp_ui(u: e, v: 65536) <= 0) { |
247 | return -EINVAL; |
248 | } |
249 | |
250 | e_max = mpi_alloc(nlimbs: 0); |
251 | if (!e_max) |
252 | return -ENOMEM; |
253 | mpi_set_bit(a: e_max, n: 256); |
254 | |
255 | if (mpi_cmp(u: e, v: e_max) >= 0) { |
256 | mpi_free(a: e_max); |
257 | return -EINVAL; |
258 | } |
259 | |
260 | mpi_free(a: e_max); |
261 | return 0; |
262 | } |
263 | |
264 | static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, |
265 | unsigned int keylen) |
266 | { |
267 | struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm); |
268 | struct rsa_key raw_key = {0}; |
269 | int ret; |
270 | |
271 | /* Free the old MPI key if any */ |
272 | rsa_free_mpi_key(key: mpi_key); |
273 | |
274 | ret = rsa_parse_pub_key(rsa_key: &raw_key, key, key_len: keylen); |
275 | if (ret) |
276 | return ret; |
277 | |
278 | mpi_key->e = mpi_read_raw_data(xbuffer: raw_key.e, nbytes: raw_key.e_sz); |
279 | if (!mpi_key->e) |
280 | goto err; |
281 | |
282 | mpi_key->n = mpi_read_raw_data(xbuffer: raw_key.n, nbytes: raw_key.n_sz); |
283 | if (!mpi_key->n) |
284 | goto err; |
285 | |
286 | if (rsa_check_key_length(len: mpi_get_size(a: mpi_key->n) << 3)) { |
287 | rsa_free_mpi_key(key: mpi_key); |
288 | return -EINVAL; |
289 | } |
290 | |
291 | if (fips_enabled && rsa_check_exponent_fips(e: mpi_key->e)) { |
292 | rsa_free_mpi_key(key: mpi_key); |
293 | return -EINVAL; |
294 | } |
295 | |
296 | return 0; |
297 | |
298 | err: |
299 | rsa_free_mpi_key(key: mpi_key); |
300 | return -ENOMEM; |
301 | } |
302 | |
303 | static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key, |
304 | unsigned int keylen) |
305 | { |
306 | struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm); |
307 | struct rsa_key raw_key = {0}; |
308 | int ret; |
309 | |
310 | /* Free the old MPI key if any */ |
311 | rsa_free_mpi_key(key: mpi_key); |
312 | |
313 | ret = rsa_parse_priv_key(rsa_key: &raw_key, key, key_len: keylen); |
314 | if (ret) |
315 | return ret; |
316 | |
317 | mpi_key->d = mpi_read_raw_data(xbuffer: raw_key.d, nbytes: raw_key.d_sz); |
318 | if (!mpi_key->d) |
319 | goto err; |
320 | |
321 | mpi_key->e = mpi_read_raw_data(xbuffer: raw_key.e, nbytes: raw_key.e_sz); |
322 | if (!mpi_key->e) |
323 | goto err; |
324 | |
325 | mpi_key->n = mpi_read_raw_data(xbuffer: raw_key.n, nbytes: raw_key.n_sz); |
326 | if (!mpi_key->n) |
327 | goto err; |
328 | |
329 | mpi_key->p = mpi_read_raw_data(xbuffer: raw_key.p, nbytes: raw_key.p_sz); |
330 | if (!mpi_key->p) |
331 | goto err; |
332 | |
333 | mpi_key->q = mpi_read_raw_data(xbuffer: raw_key.q, nbytes: raw_key.q_sz); |
334 | if (!mpi_key->q) |
335 | goto err; |
336 | |
337 | mpi_key->dp = mpi_read_raw_data(xbuffer: raw_key.dp, nbytes: raw_key.dp_sz); |
338 | if (!mpi_key->dp) |
339 | goto err; |
340 | |
341 | mpi_key->dq = mpi_read_raw_data(xbuffer: raw_key.dq, nbytes: raw_key.dq_sz); |
342 | if (!mpi_key->dq) |
343 | goto err; |
344 | |
345 | mpi_key->qinv = mpi_read_raw_data(xbuffer: raw_key.qinv, nbytes: raw_key.qinv_sz); |
346 | if (!mpi_key->qinv) |
347 | goto err; |
348 | |
349 | if (rsa_check_key_length(len: mpi_get_size(a: mpi_key->n) << 3)) { |
350 | rsa_free_mpi_key(key: mpi_key); |
351 | return -EINVAL; |
352 | } |
353 | |
354 | if (fips_enabled && rsa_check_exponent_fips(e: mpi_key->e)) { |
355 | rsa_free_mpi_key(key: mpi_key); |
356 | return -EINVAL; |
357 | } |
358 | |
359 | return 0; |
360 | |
361 | err: |
362 | rsa_free_mpi_key(key: mpi_key); |
363 | return -ENOMEM; |
364 | } |
365 | |
366 | static unsigned int rsa_max_size(struct crypto_akcipher *tfm) |
367 | { |
368 | struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm); |
369 | |
370 | return mpi_get_size(a: pkey->n); |
371 | } |
372 | |
373 | static void rsa_exit_tfm(struct crypto_akcipher *tfm) |
374 | { |
375 | struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm); |
376 | |
377 | rsa_free_mpi_key(key: pkey); |
378 | } |
379 | |
380 | static struct akcipher_alg rsa = { |
381 | .encrypt = rsa_enc, |
382 | .decrypt = rsa_dec, |
383 | .set_priv_key = rsa_set_priv_key, |
384 | .set_pub_key = rsa_set_pub_key, |
385 | .max_size = rsa_max_size, |
386 | .exit = rsa_exit_tfm, |
387 | .base = { |
388 | .cra_name = "rsa" , |
389 | .cra_driver_name = "rsa-generic" , |
390 | .cra_priority = 100, |
391 | .cra_module = THIS_MODULE, |
392 | .cra_ctxsize = sizeof(struct rsa_mpi_key), |
393 | }, |
394 | }; |
395 | |
396 | static int __init rsa_init(void) |
397 | { |
398 | int err; |
399 | |
400 | err = crypto_register_akcipher(alg: &rsa); |
401 | if (err) |
402 | return err; |
403 | |
404 | err = crypto_register_template(tmpl: &rsa_pkcs1pad_tmpl); |
405 | if (err) { |
406 | crypto_unregister_akcipher(alg: &rsa); |
407 | return err; |
408 | } |
409 | |
410 | return 0; |
411 | } |
412 | |
413 | static void __exit rsa_exit(void) |
414 | { |
415 | crypto_unregister_template(tmpl: &rsa_pkcs1pad_tmpl); |
416 | crypto_unregister_akcipher(alg: &rsa); |
417 | } |
418 | |
419 | subsys_initcall(rsa_init); |
420 | module_exit(rsa_exit); |
421 | MODULE_ALIAS_CRYPTO("rsa" ); |
422 | MODULE_LICENSE("GPL" ); |
423 | MODULE_DESCRIPTION("RSA generic algorithm" ); |
424 | |