| 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
|---|---|
| 2 | /* |
| 3 | * RSA Signature Scheme with Appendix - PKCS #1 v1.5 (RFC 8017 sec 8.2) |
| 4 | * |
| 5 | * https://www.rfc-editor.org/rfc/rfc8017#section-8.2 |
| 6 | * |
| 7 | * Copyright (c) 2015 - 2024 Intel Corporation |
| 8 | */ |
| 9 | |
| 10 | #include <linux/module.h> |
| 11 | #include <linux/scatterlist.h> |
| 12 | #include <crypto/akcipher.h> |
| 13 | #include <crypto/algapi.h> |
| 14 | #include <crypto/hash.h> |
| 15 | #include <crypto/sig.h> |
| 16 | #include <crypto/internal/akcipher.h> |
| 17 | #include <crypto/internal/rsa.h> |
| 18 | #include <crypto/internal/sig.h> |
| 19 | |
| 20 | /* |
| 21 | * Full Hash Prefix for EMSA-PKCS1-v1_5 encoding method (RFC 9580 table 24) |
| 22 | * |
| 23 | * RSA keys are usually much larger than the hash of the message to be signed. |
| 24 | * The hash is therefore prepended by the Full Hash Prefix and a 0xff padding. |
| 25 | * The Full Hash Prefix is an ASN.1 SEQUENCE containing the hash algorithm OID. |
| 26 | * |
| 27 | * https://www.rfc-editor.org/rfc/rfc9580#table-24 |
| 28 | */ |
| 29 | |
| 30 | static const u8 hash_prefix_none[] = { }; |
| 31 | |
| 32 | static const u8 hash_prefix_md5[] = { |
| 33 | 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, /* SEQUENCE (SEQUENCE (OID */ |
| 34 | 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* <algorithm>, */ |
| 35 | 0x05, 0x00, 0x04, 0x10 /* NULL), OCTET STRING <hash>) */ |
| 36 | }; |
| 37 | |
| 38 | static const u8 hash_prefix_sha1[] = { |
| 39 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
| 40 | 0x2b, 0x0e, 0x03, 0x02, 0x1a, |
| 41 | 0x05, 0x00, 0x04, 0x14 |
| 42 | }; |
| 43 | |
| 44 | static const u8 hash_prefix_rmd160[] = { |
| 45 | 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, |
| 46 | 0x2b, 0x24, 0x03, 0x02, 0x01, |
| 47 | 0x05, 0x00, 0x04, 0x14 |
| 48 | }; |
| 49 | |
| 50 | static const u8 hash_prefix_sha224[] = { |
| 51 | 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, |
| 52 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, |
| 53 | 0x05, 0x00, 0x04, 0x1c |
| 54 | }; |
| 55 | |
| 56 | static const u8 hash_prefix_sha256[] = { |
| 57 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
| 58 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, |
| 59 | 0x05, 0x00, 0x04, 0x20 |
| 60 | }; |
| 61 | |
| 62 | static const u8 hash_prefix_sha384[] = { |
| 63 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
| 64 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, |
| 65 | 0x05, 0x00, 0x04, 0x30 |
| 66 | }; |
| 67 | |
| 68 | static const u8 hash_prefix_sha512[] = { |
| 69 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
| 70 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, |
| 71 | 0x05, 0x00, 0x04, 0x40 |
| 72 | }; |
| 73 | |
| 74 | static const u8 hash_prefix_sha3_256[] = { |
| 75 | 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, |
| 76 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08, |
| 77 | 0x05, 0x00, 0x04, 0x20 |
| 78 | }; |
| 79 | |
| 80 | static const u8 hash_prefix_sha3_384[] = { |
| 81 | 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, |
| 82 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09, |
| 83 | 0x05, 0x00, 0x04, 0x30 |
| 84 | }; |
| 85 | |
| 86 | static const u8 hash_prefix_sha3_512[] = { |
| 87 | 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, |
| 88 | 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0a, |
| 89 | 0x05, 0x00, 0x04, 0x40 |
| 90 | }; |
| 91 | |
| 92 | static const struct hash_prefix { |
| 93 | const char *name; |
| 94 | const u8 *data; |
| 95 | size_t size; |
| 96 | } hash_prefixes[] = { |
| 97 | #define _(X) { #X, hash_prefix_##X, sizeof(hash_prefix_##X) } |
| 98 | _(none), |
| 99 | _(md5), |
| 100 | _(sha1), |
| 101 | _(rmd160), |
| 102 | _(sha256), |
| 103 | _(sha384), |
| 104 | _(sha512), |
| 105 | _(sha224), |
| 106 | #undef _ |
| 107 | #define _(X) { "sha3-" #X, hash_prefix_sha3_##X, sizeof(hash_prefix_sha3_##X) } |
| 108 | _(256), |
| 109 | _(384), |
| 110 | _(512), |
| 111 | #undef _ |
| 112 | { NULL } |
| 113 | }; |
| 114 | |
| 115 | static const struct hash_prefix *rsassa_pkcs1_find_hash_prefix(const char *name) |
| 116 | { |
| 117 | const struct hash_prefix *p; |
| 118 | |
| 119 | for (p = hash_prefixes; p->name; p++) |
| 120 | if (strcmp(name, p->name) == 0) |
| 121 | return p; |
| 122 | return NULL; |
| 123 | } |
| 124 | |
| 125 | static bool rsassa_pkcs1_invalid_hash_len(unsigned int len, |
| 126 | const struct hash_prefix *p) |
| 127 | { |
| 128 | /* |
| 129 | * Legacy protocols such as TLS 1.1 or earlier and IKE version 1 |
| 130 | * do not prepend a Full Hash Prefix to the hash. In that case, |
| 131 | * the size of the Full Hash Prefix is zero. |
| 132 | */ |
| 133 | if (p->data == hash_prefix_none) |
| 134 | return false; |
| 135 | |
| 136 | /* |
| 137 | * The final byte of the Full Hash Prefix encodes the hash length. |
| 138 | * |
| 139 | * This needs to be revisited should hash algorithms with more than |
| 140 | * 1016 bits (127 bytes * 8) ever be added. The length would then |
| 141 | * be encoded into more than one byte by ASN.1. |
| 142 | */ |
| 143 | static_assert(HASH_MAX_DIGESTSIZE <= 127); |
| 144 | |
| 145 | return len != p->data[p->size - 1]; |
| 146 | } |
| 147 | |
| 148 | struct rsassa_pkcs1_ctx { |
| 149 | struct crypto_akcipher *child; |
| 150 | unsigned int key_size; |
| 151 | }; |
| 152 | |
| 153 | struct rsassa_pkcs1_inst_ctx { |
| 154 | struct crypto_akcipher_spawn spawn; |
| 155 | const struct hash_prefix *hash_prefix; |
| 156 | }; |
| 157 | |
| 158 | static int rsassa_pkcs1_sign(struct crypto_sig *tfm, |
| 159 | const void *src, unsigned int slen, |
| 160 | void *dst, unsigned int dlen) |
| 161 | { |
| 162 | struct sig_instance *inst = sig_alg_instance(tfm); |
| 163 | struct rsassa_pkcs1_inst_ctx *ictx = sig_instance_ctx(inst); |
| 164 | const struct hash_prefix *hash_prefix = ictx->hash_prefix; |
| 165 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 166 | unsigned int pad_len; |
| 167 | unsigned int ps_end; |
| 168 | unsigned int len; |
| 169 | u8 *in_buf; |
| 170 | int err; |
| 171 | |
| 172 | if (!ctx->key_size) |
| 173 | return -EINVAL; |
| 174 | |
| 175 | if (dlen < ctx->key_size) |
| 176 | return -EOVERFLOW; |
| 177 | |
| 178 | if (rsassa_pkcs1_invalid_hash_len(len: slen, p: hash_prefix)) |
| 179 | return -EINVAL; |
| 180 | |
| 181 | if (slen + hash_prefix->size > ctx->key_size - 11) |
| 182 | return -EOVERFLOW; |
| 183 | |
| 184 | pad_len = ctx->key_size - slen - hash_prefix->size - 1; |
| 185 | |
| 186 | /* RFC 8017 sec 8.2.1 step 1 - EMSA-PKCS1-v1_5 encoding generation */ |
| 187 | in_buf = dst; |
| 188 | memmove(dest: in_buf + pad_len + hash_prefix->size, src, count: slen); |
| 189 | memcpy(to: in_buf + pad_len, from: hash_prefix->data, len: hash_prefix->size); |
| 190 | |
| 191 | ps_end = pad_len - 1; |
| 192 | in_buf[0] = 0x01; |
| 193 | memset(s: in_buf + 1, c: 0xff, n: ps_end - 1); |
| 194 | in_buf[ps_end] = 0x00; |
| 195 | |
| 196 | |
| 197 | /* RFC 8017 sec 8.2.1 step 2 - RSA signature */ |
| 198 | err = crypto_akcipher_sync_decrypt(tfm: ctx->child, src: in_buf, |
| 199 | slen: ctx->key_size - 1, dst: in_buf, |
| 200 | dlen: ctx->key_size); |
| 201 | if (err < 0) |
| 202 | return err; |
| 203 | |
| 204 | len = err; |
| 205 | pad_len = ctx->key_size - len; |
| 206 | |
| 207 | /* Four billion to one */ |
| 208 | if (unlikely(pad_len)) { |
| 209 | memmove(dest: dst + pad_len, src: dst, count: len); |
| 210 | memset(s: dst, c: 0, n: pad_len); |
| 211 | } |
| 212 | |
| 213 | return ctx->key_size; |
| 214 | } |
| 215 | |
| 216 | static int rsassa_pkcs1_verify(struct crypto_sig *tfm, |
| 217 | const void *src, unsigned int slen, |
| 218 | const void *digest, unsigned int dlen) |
| 219 | { |
| 220 | struct sig_instance *inst = sig_alg_instance(tfm); |
| 221 | struct rsassa_pkcs1_inst_ctx *ictx = sig_instance_ctx(inst); |
| 222 | const struct hash_prefix *hash_prefix = ictx->hash_prefix; |
| 223 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 224 | unsigned int child_reqsize = crypto_akcipher_reqsize(tfm: ctx->child); |
| 225 | struct akcipher_request *child_req __free(kfree_sensitive) = NULL; |
| 226 | struct crypto_wait cwait; |
| 227 | struct scatterlist sg; |
| 228 | unsigned int dst_len; |
| 229 | unsigned int pos; |
| 230 | u8 *out_buf; |
| 231 | int err; |
| 232 | |
| 233 | /* RFC 8017 sec 8.2.2 step 1 - length checking */ |
| 234 | if (!ctx->key_size || |
| 235 | slen != ctx->key_size || |
| 236 | rsassa_pkcs1_invalid_hash_len(len: dlen, p: hash_prefix)) |
| 237 | return -EINVAL; |
| 238 | |
| 239 | /* RFC 8017 sec 8.2.2 step 2 - RSA verification */ |
| 240 | child_req = kmalloc(sizeof(*child_req) + child_reqsize + ctx->key_size, |
| 241 | GFP_KERNEL); |
| 242 | if (!child_req) |
| 243 | return -ENOMEM; |
| 244 | |
| 245 | out_buf = (u8 *)(child_req + 1) + child_reqsize; |
| 246 | memcpy(to: out_buf, from: src, len: slen); |
| 247 | |
| 248 | crypto_init_wait(wait: &cwait); |
| 249 | sg_init_one(&sg, out_buf, slen); |
| 250 | akcipher_request_set_tfm(req: child_req, tfm: ctx->child); |
| 251 | akcipher_request_set_crypt(req: child_req, src: &sg, dst: &sg, src_len: slen, dst_len: slen); |
| 252 | akcipher_request_set_callback(req: child_req, CRYPTO_TFM_REQ_MAY_SLEEP, |
| 253 | cmpl: crypto_req_done, data: &cwait); |
| 254 | |
| 255 | err = crypto_akcipher_encrypt(req: child_req); |
| 256 | err = crypto_wait_req(err, wait: &cwait); |
| 257 | if (err) |
| 258 | return err; |
| 259 | |
| 260 | /* RFC 8017 sec 8.2.2 step 3 - EMSA-PKCS1-v1_5 encoding verification */ |
| 261 | dst_len = child_req->dst_len; |
| 262 | if (dst_len < ctx->key_size - 1) |
| 263 | return -EINVAL; |
| 264 | |
| 265 | if (dst_len == ctx->key_size) { |
| 266 | if (out_buf[0] != 0x00) |
| 267 | /* Encrypted value had no leading 0 byte */ |
| 268 | return -EINVAL; |
| 269 | |
| 270 | dst_len--; |
| 271 | out_buf++; |
| 272 | } |
| 273 | |
| 274 | if (out_buf[0] != 0x01) |
| 275 | return -EBADMSG; |
| 276 | |
| 277 | for (pos = 1; pos < dst_len; pos++) |
| 278 | if (out_buf[pos] != 0xff) |
| 279 | break; |
| 280 | |
| 281 | if (pos < 9 || pos == dst_len || out_buf[pos] != 0x00) |
| 282 | return -EBADMSG; |
| 283 | pos++; |
| 284 | |
| 285 | if (hash_prefix->size > dst_len - pos) |
| 286 | return -EBADMSG; |
| 287 | if (crypto_memneq(a: out_buf + pos, b: hash_prefix->data, size: hash_prefix->size)) |
| 288 | return -EBADMSG; |
| 289 | pos += hash_prefix->size; |
| 290 | |
| 291 | /* RFC 8017 sec 8.2.2 step 4 - comparison of digest with out_buf */ |
| 292 | if (dlen != dst_len - pos) |
| 293 | return -EKEYREJECTED; |
| 294 | if (memcmp(digest, out_buf + pos, dlen) != 0) |
| 295 | return -EKEYREJECTED; |
| 296 | |
| 297 | return 0; |
| 298 | } |
| 299 | |
| 300 | static unsigned int rsassa_pkcs1_key_size(struct crypto_sig *tfm) |
| 301 | { |
| 302 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 303 | |
| 304 | return ctx->key_size * BITS_PER_BYTE; |
| 305 | } |
| 306 | |
| 307 | static int rsassa_pkcs1_set_pub_key(struct crypto_sig *tfm, |
| 308 | const void *key, unsigned int keylen) |
| 309 | { |
| 310 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 311 | |
| 312 | return rsa_set_key(child: ctx->child, key_size: &ctx->key_size, RSA_PUB, key, keylen); |
| 313 | } |
| 314 | |
| 315 | static int rsassa_pkcs1_set_priv_key(struct crypto_sig *tfm, |
| 316 | const void *key, unsigned int keylen) |
| 317 | { |
| 318 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 319 | |
| 320 | return rsa_set_key(child: ctx->child, key_size: &ctx->key_size, RSA_PRIV, key, keylen); |
| 321 | } |
| 322 | |
| 323 | static int rsassa_pkcs1_init_tfm(struct crypto_sig *tfm) |
| 324 | { |
| 325 | struct sig_instance *inst = sig_alg_instance(tfm); |
| 326 | struct rsassa_pkcs1_inst_ctx *ictx = sig_instance_ctx(inst); |
| 327 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 328 | struct crypto_akcipher *child_tfm; |
| 329 | |
| 330 | child_tfm = crypto_spawn_akcipher(spawn: &ictx->spawn); |
| 331 | if (IS_ERR(ptr: child_tfm)) |
| 332 | return PTR_ERR(ptr: child_tfm); |
| 333 | |
| 334 | ctx->child = child_tfm; |
| 335 | |
| 336 | return 0; |
| 337 | } |
| 338 | |
| 339 | static void rsassa_pkcs1_exit_tfm(struct crypto_sig *tfm) |
| 340 | { |
| 341 | struct rsassa_pkcs1_ctx *ctx = crypto_sig_ctx(tfm); |
| 342 | |
| 343 | crypto_free_akcipher(tfm: ctx->child); |
| 344 | } |
| 345 | |
| 346 | static void rsassa_pkcs1_free(struct sig_instance *inst) |
| 347 | { |
| 348 | struct rsassa_pkcs1_inst_ctx *ctx = sig_instance_ctx(inst); |
| 349 | struct crypto_akcipher_spawn *spawn = &ctx->spawn; |
| 350 | |
| 351 | crypto_drop_akcipher(spawn); |
| 352 | kfree(objp: inst); |
| 353 | } |
| 354 | |
| 355 | static int rsassa_pkcs1_create(struct crypto_template *tmpl, struct rtattr **tb) |
| 356 | { |
| 357 | struct rsassa_pkcs1_inst_ctx *ctx; |
| 358 | struct akcipher_alg *rsa_alg; |
| 359 | struct sig_instance *inst; |
| 360 | const char *hash_name; |
| 361 | u32 mask; |
| 362 | int err; |
| 363 | |
| 364 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SIG, mask_ret: &mask); |
| 365 | if (err) |
| 366 | return err; |
| 367 | |
| 368 | inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); |
| 369 | if (!inst) |
| 370 | return -ENOMEM; |
| 371 | |
| 372 | ctx = sig_instance_ctx(inst); |
| 373 | |
| 374 | err = crypto_grab_akcipher(spawn: &ctx->spawn, inst: sig_crypto_instance(inst), |
| 375 | name: crypto_attr_alg_name(rta: tb[1]), type: 0, mask); |
| 376 | if (err) |
| 377 | goto err_free_inst; |
| 378 | |
| 379 | rsa_alg = crypto_spawn_akcipher_alg(spawn: &ctx->spawn); |
| 380 | |
| 381 | if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) { |
| 382 | err = -EINVAL; |
| 383 | goto err_free_inst; |
| 384 | } |
| 385 | |
| 386 | hash_name = crypto_attr_alg_name(rta: tb[2]); |
| 387 | if (IS_ERR(ptr: hash_name)) { |
| 388 | err = PTR_ERR(ptr: hash_name); |
| 389 | goto err_free_inst; |
| 390 | } |
| 391 | |
| 392 | ctx->hash_prefix = rsassa_pkcs1_find_hash_prefix(name: hash_name); |
| 393 | if (!ctx->hash_prefix) { |
| 394 | err = -EINVAL; |
| 395 | goto err_free_inst; |
| 396 | } |
| 397 | |
| 398 | err = -ENAMETOOLONG; |
| 399 | if (snprintf(buf: inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, |
| 400 | fmt: "pkcs1(%s,%s)", rsa_alg->base.cra_name, |
| 401 | hash_name) >= CRYPTO_MAX_ALG_NAME) |
| 402 | goto err_free_inst; |
| 403 | |
| 404 | if (snprintf(buf: inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, |
| 405 | fmt: "pkcs1(%s,%s)", rsa_alg->base.cra_driver_name, |
| 406 | hash_name) >= CRYPTO_MAX_ALG_NAME) |
| 407 | goto err_free_inst; |
| 408 | |
| 409 | inst->alg.base.cra_priority = rsa_alg->base.cra_priority; |
| 410 | inst->alg.base.cra_ctxsize = sizeof(struct rsassa_pkcs1_ctx); |
| 411 | |
| 412 | inst->alg.init = rsassa_pkcs1_init_tfm; |
| 413 | inst->alg.exit = rsassa_pkcs1_exit_tfm; |
| 414 | |
| 415 | inst->alg.sign = rsassa_pkcs1_sign; |
| 416 | inst->alg.verify = rsassa_pkcs1_verify; |
| 417 | inst->alg.key_size = rsassa_pkcs1_key_size; |
| 418 | inst->alg.set_pub_key = rsassa_pkcs1_set_pub_key; |
| 419 | inst->alg.set_priv_key = rsassa_pkcs1_set_priv_key; |
| 420 | |
| 421 | inst->free = rsassa_pkcs1_free; |
| 422 | |
| 423 | err = sig_register_instance(tmpl, inst); |
| 424 | if (err) { |
| 425 | err_free_inst: |
| 426 | rsassa_pkcs1_free(inst); |
| 427 | } |
| 428 | return err; |
| 429 | } |
| 430 | |
| 431 | struct crypto_template rsassa_pkcs1_tmpl = { |
| 432 | .name = "pkcs1", |
| 433 | .create = rsassa_pkcs1_create, |
| 434 | .module = THIS_MODULE, |
| 435 | }; |
| 436 | |
| 437 | MODULE_ALIAS_CRYPTO("pkcs1"); |
| 438 |
Generated on 2025-Oct-12 from project Linux revision 6.17.0 (67029a49db6c)
Powered by 
Code Browser 2.1
Generator usage only permitted with license.