rsa.c source code [linux/crypto/rsa.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/ RSA asymmetric public-key algorithm [RFC3447]*
3	*
4	* Copyright (c) 2015, Intel Corporation
5	* Authors: Tadeusz Struk <tadeusz.struk@intel.com>
6	*/
7
8	#include <linux/fips.h>
9	#include <linux/module.h>
10	#include <linux/mpi.h>
11	#include <crypto/internal/rsa.h>
12	#include <crypto/internal/akcipher.h>
13	#include <crypto/akcipher.h>
14	#include <crypto/algapi.h>
15
16	struct rsa_mpi_key {
17	MPI n;
18	MPI e;
19	MPI d;
20	MPI p;
21	MPI q;
22	MPI dp;
23	MPI dq;
24	MPI qinv;
25	};
26
27	static int rsa_check_payload(MPI x, MPI n)
28	{
29	MPI n1;
30
31	if (mpi_cmp_ui(u: x, v: `1`) <= `0`)
32	return -EINVAL;
33
34	n1 = mpi_alloc(nlimbs: `0`);
35	if (!n1)
36	return -ENOMEM;
37
38	if (mpi_sub_ui(w: n1, u: n, vval: `1`) \|\| mpi_cmp(u: x, v: n1) >= `0`) {
39	mpi_free(a: n1);
40	return -EINVAL;
41	}
42
43	mpi_free(a: n1);
44	return `0`;
45	}
46
47	/*
48	* RSAEP function [RFC3447 sec 5.1.1]
49	* c = m^e mod n;
50	*/
51	static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
52	{
53	/*
54	* Even though (1) in RFC3447 only requires 0 <= m <= n - 1, we are
55	* slightly more conservative and require 1 < m < n - 1. This is in line
56	* with SP 800-56Br2, Section 7.1.1.
57	*/
58	if (rsa_check_payload(x: m, n: key->n))
59	return -EINVAL;
60
61	/ (2) c = m^e mod n /
62	return mpi_powm(res: c, base: m, exp: key->e, mod: key->n);
63	}
64
65	/*
66	* RSADP function [RFC3447 sec 5.1.2]
67	* m_1 = c^dP mod p;
68	* m_2 = c^dQ mod q;
69	* h = (m_1 - m_2) * qInv mod p;
70	* m = m_2 + q * h;
71	*/
72	static int _rsa_dec_crt(const struct rsa_mpi_key *key, MPI m_or_m1_or_h, MPI c)
73	{
74	MPI m2, m12_or_qh;
75	int ret = -ENOMEM;
76
77	/*
78	* Even though (1) in RFC3447 only requires 0 <= c <= n - 1, we are
79	* slightly more conservative and require 1 < c < n - 1. This is in line
80	* with SP 800-56Br2, Section 7.1.2.
81	*/
82	if (rsa_check_payload(x: c, n: key->n))
83	return -EINVAL;
84
85	m2 = mpi_alloc(nlimbs: `0`);
86	m12_or_qh = mpi_alloc(nlimbs: `0`);
87	if (!m2 \|\| !m12_or_qh)
88	goto err_free_mpi;
89
90	/ (2i) m_1 = c^dP mod p /
91	ret = mpi_powm(res: m_or_m1_or_h, base: c, exp: key->dp, mod: key->p);
92	if (ret)
93	goto err_free_mpi;
94
95	/ (2i) m_2 = c^dQ mod q /
96	ret = mpi_powm(res: m2, base: c, exp: key->dq, mod: key->q);
97	if (ret)
98	goto err_free_mpi;
99
100	/ (2iii) h = (m_1 - m_2) * qInv mod p /
101	ret = mpi_sub(w: m12_or_qh, u: m_or_m1_or_h, v: m2) ?:
102	mpi_mulm(w: m_or_m1_or_h, u: m12_or_qh, v: key->qinv, m: key->p);
103
104	/ (2iv) m = m_2 + q * h /
105	ret = ret ?:
106	mpi_mul(w: m12_or_qh, u: key->q, v: m_or_m1_or_h) ?:
107	mpi_addm(w: m_or_m1_or_h, u: m2, v: m12_or_qh, m: key->n);
108
109	err_free_mpi:
110	mpi_free(a: m12_or_qh);
111	mpi_free(a: m2);
112	return ret;
113	}
114
115	static inline struct rsa_mpi_key rsa_get_key(struct* crypto_akcipher *tfm)
116	{
117	return akcipher_tfm_ctx(tfm);
118	}
119
120	static int rsa_enc(struct akcipher_request *req)
121	{
122	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
123	const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
124	MPI m, c = mpi_alloc(nlimbs: `0`);
125	int ret = `0`;
126	int sign;
127
128	if (!c)
129	return -ENOMEM;
130
131	if (unlikely(!pkey->n \|\| !pkey->e)) {
132	ret = -EINVAL;
133	goto err_free_c;
134	}
135
136	ret = -ENOMEM;
137	m = mpi_read_raw_from_sgl(sgl: req->src, len: req->src_len);
138	if (!m)
139	goto err_free_c;
140
141	ret = _rsa_enc(key: pkey, c, m);
142	if (ret)
143	goto err_free_m;
144
145	ret = mpi_write_to_sgl(a: c, sg: req->dst, nbytes: req->dst_len, sign: &sign);
146	if (ret)
147	goto err_free_m;
148
149	if (sign < `0`)
150	ret = -EBADMSG;
151
152	err_free_m:
153	mpi_free(a: m);
154	err_free_c:
155	mpi_free(a: c);
156	return ret;
157	}
158
159	static int rsa_dec(struct akcipher_request *req)
160	{
161	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
162	const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
163	MPI c, m = mpi_alloc(nlimbs: `0`);
164	int ret = `0`;
165	int sign;
166
167	if (!m)
168	return -ENOMEM;
169
170	if (unlikely(!pkey->n \|\| !pkey->d)) {
171	ret = -EINVAL;
172	goto err_free_m;
173	}
174
175	ret = -ENOMEM;
176	c = mpi_read_raw_from_sgl(sgl: req->src, len: req->src_len);
177	if (!c)
178	goto err_free_m;
179
180	ret = _rsa_dec_crt(key: pkey, m_or_m1_or_h: m, c);
181	if (ret)
182	goto err_free_c;
183
184	ret = mpi_write_to_sgl(a: m, sg: req->dst, nbytes: req->dst_len, sign: &sign);
185	if (ret)
186	goto err_free_c;
187
188	if (sign < `0`)
189	ret = -EBADMSG;
190	err_free_c:
191	mpi_free(a: c);
192	err_free_m:
193	mpi_free(a: m);
194	return ret;
195	}
196
197	static void rsa_free_mpi_key(struct rsa_mpi_key *key)
198	{
199	mpi_free(a: key->d);
200	mpi_free(a: key->e);
201	mpi_free(a: key->n);
202	mpi_free(a: key->p);
203	mpi_free(a: key->q);
204	mpi_free(a: key->dp);
205	mpi_free(a: key->dq);
206	mpi_free(a: key->qinv);
207	key->d = NULL;
208	key->e = NULL;
209	key->n = NULL;
210	key->p = NULL;
211	key->q = NULL;
212	key->dp = NULL;
213	key->dq = NULL;
214	key->qinv = NULL;
215	}
216
217	static int rsa_check_key_length(unsigned int len)
218	{
219	switch (len) {
220	case `512`:
221	case `1024`:
222	case `1536`:
223	if (fips_enabled)
224	return -EINVAL;
225	fallthrough;
226	case `2048`:
227	case `3072`:
228	case `4096`:
229	return `0`;
230	}
231
232	return -EINVAL;
233	}
234
235	static int rsa_check_exponent_fips(MPI e)
236	{
237	MPI e_max = NULL;
238	int err;
239
240	/ check if odd /
241	if (!mpi_test_bit(a: e, n: `0`)) {
242	return -EINVAL;
243	}
244
245	/ check if 2^16 < e < 2^256. /
246	if (mpi_cmp_ui(u: e, v: `65536`) <= `0`) {
247	return -EINVAL;
248	}
249
250	e_max = mpi_alloc(nlimbs: `0`);
251	if (!e_max)
252	return -ENOMEM;
253
254	err = mpi_set_bit(a: e_max, n: `256`);
255	if (err) {
256	mpi_free(a: e_max);
257	return err;
258	}
259
260	if (mpi_cmp(u: e, v: e_max) >= `0`) {
261	mpi_free(a: e_max);
262	return -EINVAL;
263	}
264
265	mpi_free(a: e_max);
266	return `0`;
267	}
268
269	static int rsa_set_pub_key(struct crypto_akcipher tfm, const* void *key,
270	unsigned int keylen)
271	{
272	struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
273	struct rsa_key raw_key = {`0`};
274	int ret;
275
276	/ Free the old MPI key if any /
277	rsa_free_mpi_key(key: mpi_key);
278
279	ret = rsa_parse_pub_key(rsa_key: &raw_key, key, key_len: keylen);
280	if (ret)
281	return ret;
282
283	mpi_key->e = mpi_read_raw_data(xbuffer: raw_key.e, nbytes: raw_key.e_sz);
284	if (!mpi_key->e)
285	goto err;
286
287	mpi_key->n = mpi_read_raw_data(xbuffer: raw_key.n, nbytes: raw_key.n_sz);
288	if (!mpi_key->n)
289	goto err;
290
291	if (rsa_check_key_length(len: mpi_get_size(a: mpi_key->n) << `3`)) {
292	rsa_free_mpi_key(key: mpi_key);
293	return -EINVAL;
294	}
295
296	if (fips_enabled && rsa_check_exponent_fips(e: mpi_key->e)) {
297	rsa_free_mpi_key(key: mpi_key);
298	return -EINVAL;
299	}
300
301	return `0`;
302
303	err:
304	rsa_free_mpi_key(key: mpi_key);
305	return -ENOMEM;
306	}
307
308	static int rsa_set_priv_key(struct crypto_akcipher tfm, const* void *key,
309	unsigned int keylen)
310	{
311	struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
312	struct rsa_key raw_key = {`0`};
313	int ret;
314
315	/ Free the old MPI key if any /
316	rsa_free_mpi_key(key: mpi_key);
317
318	ret = rsa_parse_priv_key(rsa_key: &raw_key, key, key_len: keylen);
319	if (ret)
320	return ret;
321
322	mpi_key->d = mpi_read_raw_data(xbuffer: raw_key.d, nbytes: raw_key.d_sz);
323	if (!mpi_key->d)
324	goto err;
325
326	mpi_key->e = mpi_read_raw_data(xbuffer: raw_key.e, nbytes: raw_key.e_sz);
327	if (!mpi_key->e)
328	goto err;
329
330	mpi_key->n = mpi_read_raw_data(xbuffer: raw_key.n, nbytes: raw_key.n_sz);
331	if (!mpi_key->n)
332	goto err;
333
334	mpi_key->p = mpi_read_raw_data(xbuffer: raw_key.p, nbytes: raw_key.p_sz);
335	if (!mpi_key->p)
336	goto err;
337
338	mpi_key->q = mpi_read_raw_data(xbuffer: raw_key.q, nbytes: raw_key.q_sz);
339	if (!mpi_key->q)
340	goto err;
341
342	mpi_key->dp = mpi_read_raw_data(xbuffer: raw_key.dp, nbytes: raw_key.dp_sz);
343	if (!mpi_key->dp)
344	goto err;
345
346	mpi_key->dq = mpi_read_raw_data(xbuffer: raw_key.dq, nbytes: raw_key.dq_sz);
347	if (!mpi_key->dq)
348	goto err;
349
350	mpi_key->qinv = mpi_read_raw_data(xbuffer: raw_key.qinv, nbytes: raw_key.qinv_sz);
351	if (!mpi_key->qinv)
352	goto err;
353
354	if (rsa_check_key_length(len: mpi_get_size(a: mpi_key->n) << `3`)) {
355	rsa_free_mpi_key(key: mpi_key);
356	return -EINVAL;
357	}
358
359	if (fips_enabled && rsa_check_exponent_fips(e: mpi_key->e)) {
360	rsa_free_mpi_key(key: mpi_key);
361	return -EINVAL;
362	}
363
364	return `0`;
365
366	err:
367	rsa_free_mpi_key(key: mpi_key);
368	return -ENOMEM;
369	}
370
371	static unsigned int rsa_max_size(struct crypto_akcipher *tfm)
372	{
373	struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
374
375	return mpi_get_size(a: pkey->n);
376	}
377
378	static void rsa_exit_tfm(struct crypto_akcipher *tfm)
379	{
380	struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
381
382	rsa_free_mpi_key(key: pkey);
383	}
384
385	static struct akcipher_alg rsa = {
386	.encrypt = rsa_enc,
387	.decrypt = rsa_dec,
388	.set_priv_key = rsa_set_priv_key,
389	.set_pub_key = rsa_set_pub_key,
390	.max_size = rsa_max_size,
391	.exit = rsa_exit_tfm,
392	.base = {
393	.cra_name = "rsa",
394	.cra_driver_name = "rsa-generic",
395	.cra_priority = `100`,
396	.cra_module = THIS_MODULE,
397	.cra_ctxsize = sizeof(struct rsa_mpi_key),
398	},
399	};
400
401	static int __init rsa_init(void)
402	{
403	int err;
404
405	err = crypto_register_akcipher(alg: &rsa);
406	if (err)
407	return err;
408
409	err = crypto_register_template(tmpl: &rsa_pkcs1pad_tmpl);
410	if (err)
411	goto err_unregister_rsa;
412
413	err = crypto_register_template(tmpl: &rsassa_pkcs1_tmpl);
414	if (err)
415	goto err_unregister_rsa_pkcs1pad;
416
417	return `0`;
418
419	err_unregister_rsa_pkcs1pad:
420	crypto_unregister_template(tmpl: &rsa_pkcs1pad_tmpl);
421	err_unregister_rsa:
422	crypto_unregister_akcipher(alg: &rsa);
423	return err;
424	}
425
426	static void __exit rsa_exit(void)
427	{
428	crypto_unregister_template(tmpl: &rsassa_pkcs1_tmpl);
429	crypto_unregister_template(tmpl: &rsa_pkcs1pad_tmpl);
430	crypto_unregister_akcipher(alg: &rsa);
431	}
432
433	module_init(rsa_init);
434	module_exit(rsa_exit);
435	MODULE_ALIAS_CRYPTO("rsa");
436	MODULE_LICENSE("GPL");
437	MODULE_DESCRIPTION("RSA generic algorithm");
438

Provided by KDAB

Definitions

rsa_mpi_key
rsa_check_payload
_rsa_enc
_rsa_dec_crt
rsa_get_key
rsa_enc
rsa_dec
rsa_free_mpi_key
rsa_check_key_length
rsa_check_exponent_fips
rsa_set_pub_key
rsa_set_priv_key
rsa_max_size
rsa_exit_tfm
rsa
rsa_init

Improve your Profiling and Debugging skills

Find out more

Definitions

source code of linux/crypto/rsa.c