]>
git.ipfire.org Git - thirdparty/kernel/stable.git/blob - crypto/rsa.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* RSA asymmetric public-key algorithm [RFC3447]
4 * Copyright (c) 2015, Intel Corporation
5 * Authors: Tadeusz Struk <tadeusz.struk@intel.com>
8 #include <linux/fips.h>
9 #include <linux/module.h>
10 #include <linux/mpi.h>
11 #include <crypto/internal/rsa.h>
12 #include <crypto/internal/akcipher.h>
13 #include <crypto/akcipher.h>
14 #include <crypto/algapi.h>
27 static int rsa_check_payload(MPI x
, MPI n
)
31 if (mpi_cmp_ui(x
, 1) <= 0)
38 if (mpi_sub_ui(n1
, n
, 1) || mpi_cmp(x
, n1
) >= 0) {
48 * RSAEP function [RFC3447 sec 5.1.1]
51 static int _rsa_enc(const struct rsa_mpi_key
*key
, MPI c
, MPI m
)
54 * Even though (1) in RFC3447 only requires 0 <= m <= n - 1, we are
55 * slightly more conservative and require 1 < m < n - 1. This is in line
56 * with SP 800-56Br2, Section 7.1.1.
58 if (rsa_check_payload(m
, key
->n
))
61 /* (2) c = m^e mod n */
62 return mpi_powm(c
, m
, key
->e
, key
->n
);
66 * RSADP function [RFC3447 sec 5.1.2]
69 * h = (m_1 - m_2) * qInv mod p;
72 static int _rsa_dec_crt(const struct rsa_mpi_key
*key
, MPI m_or_m1_or_h
, MPI c
)
78 * Even though (1) in RFC3447 only requires 0 <= c <= n - 1, we are
79 * slightly more conservative and require 1 < c < n - 1. This is in line
80 * with SP 800-56Br2, Section 7.1.2.
82 if (rsa_check_payload(c
, key
->n
))
86 m12_or_qh
= mpi_alloc(0);
87 if (!m2
|| !m12_or_qh
)
90 /* (2i) m_1 = c^dP mod p */
91 ret
= mpi_powm(m_or_m1_or_h
, c
, key
->dp
, key
->p
);
95 /* (2i) m_2 = c^dQ mod q */
96 ret
= mpi_powm(m2
, c
, key
->dq
, key
->q
);
100 /* (2iii) h = (m_1 - m_2) * qInv mod p */
101 mpi_sub(m12_or_qh
, m_or_m1_or_h
, m2
);
102 mpi_mulm(m_or_m1_or_h
, m12_or_qh
, key
->qinv
, key
->p
);
104 /* (2iv) m = m_2 + q * h */
105 mpi_mul(m12_or_qh
, key
->q
, m_or_m1_or_h
);
106 mpi_addm(m_or_m1_or_h
, m2
, m12_or_qh
, key
->n
);
116 static inline struct rsa_mpi_key
*rsa_get_key(struct crypto_akcipher
*tfm
)
118 return akcipher_tfm_ctx(tfm
);
121 static int rsa_enc(struct akcipher_request
*req
)
123 struct crypto_akcipher
*tfm
= crypto_akcipher_reqtfm(req
);
124 const struct rsa_mpi_key
*pkey
= rsa_get_key(tfm
);
125 MPI m
, c
= mpi_alloc(0);
132 if (unlikely(!pkey
->n
|| !pkey
->e
)) {
138 m
= mpi_read_raw_from_sgl(req
->src
, req
->src_len
);
142 ret
= _rsa_enc(pkey
, c
, m
);
146 ret
= mpi_write_to_sgl(c
, req
->dst
, req
->dst_len
, &sign
);
160 static int rsa_dec(struct akcipher_request
*req
)
162 struct crypto_akcipher
*tfm
= crypto_akcipher_reqtfm(req
);
163 const struct rsa_mpi_key
*pkey
= rsa_get_key(tfm
);
164 MPI c
, m
= mpi_alloc(0);
171 if (unlikely(!pkey
->n
|| !pkey
->d
)) {
177 c
= mpi_read_raw_from_sgl(req
->src
, req
->src_len
);
181 ret
= _rsa_dec_crt(pkey
, m
, c
);
185 ret
= mpi_write_to_sgl(m
, req
->dst
, req
->dst_len
, &sign
);
198 static void rsa_free_mpi_key(struct rsa_mpi_key
*key
)
218 static int rsa_check_key_length(unsigned int len
)
236 static int rsa_check_exponent_fips(MPI e
)
241 if (!mpi_test_bit(e
, 0)) {
245 /* check if 2^16 < e < 2^256. */
246 if (mpi_cmp_ui(e
, 65536) <= 0) {
250 e_max
= mpi_alloc(0);
253 mpi_set_bit(e_max
, 256);
255 if (mpi_cmp(e
, e_max
) >= 0) {
264 static int rsa_set_pub_key(struct crypto_akcipher
*tfm
, const void *key
,
267 struct rsa_mpi_key
*mpi_key
= akcipher_tfm_ctx(tfm
);
268 struct rsa_key raw_key
= {0};
271 /* Free the old MPI key if any */
272 rsa_free_mpi_key(mpi_key
);
274 ret
= rsa_parse_pub_key(&raw_key
, key
, keylen
);
278 mpi_key
->e
= mpi_read_raw_data(raw_key
.e
, raw_key
.e_sz
);
282 mpi_key
->n
= mpi_read_raw_data(raw_key
.n
, raw_key
.n_sz
);
286 if (rsa_check_key_length(mpi_get_size(mpi_key
->n
) << 3)) {
287 rsa_free_mpi_key(mpi_key
);
291 if (fips_enabled
&& rsa_check_exponent_fips(mpi_key
->e
)) {
292 rsa_free_mpi_key(mpi_key
);
299 rsa_free_mpi_key(mpi_key
);
303 static int rsa_set_priv_key(struct crypto_akcipher
*tfm
, const void *key
,
306 struct rsa_mpi_key
*mpi_key
= akcipher_tfm_ctx(tfm
);
307 struct rsa_key raw_key
= {0};
310 /* Free the old MPI key if any */
311 rsa_free_mpi_key(mpi_key
);
313 ret
= rsa_parse_priv_key(&raw_key
, key
, keylen
);
317 mpi_key
->d
= mpi_read_raw_data(raw_key
.d
, raw_key
.d_sz
);
321 mpi_key
->e
= mpi_read_raw_data(raw_key
.e
, raw_key
.e_sz
);
325 mpi_key
->n
= mpi_read_raw_data(raw_key
.n
, raw_key
.n_sz
);
329 mpi_key
->p
= mpi_read_raw_data(raw_key
.p
, raw_key
.p_sz
);
333 mpi_key
->q
= mpi_read_raw_data(raw_key
.q
, raw_key
.q_sz
);
337 mpi_key
->dp
= mpi_read_raw_data(raw_key
.dp
, raw_key
.dp_sz
);
341 mpi_key
->dq
= mpi_read_raw_data(raw_key
.dq
, raw_key
.dq_sz
);
345 mpi_key
->qinv
= mpi_read_raw_data(raw_key
.qinv
, raw_key
.qinv_sz
);
349 if (rsa_check_key_length(mpi_get_size(mpi_key
->n
) << 3)) {
350 rsa_free_mpi_key(mpi_key
);
354 if (fips_enabled
&& rsa_check_exponent_fips(mpi_key
->e
)) {
355 rsa_free_mpi_key(mpi_key
);
362 rsa_free_mpi_key(mpi_key
);
366 static unsigned int rsa_max_size(struct crypto_akcipher
*tfm
)
368 struct rsa_mpi_key
*pkey
= akcipher_tfm_ctx(tfm
);
370 return mpi_get_size(pkey
->n
);
373 static void rsa_exit_tfm(struct crypto_akcipher
*tfm
)
375 struct rsa_mpi_key
*pkey
= akcipher_tfm_ctx(tfm
);
377 rsa_free_mpi_key(pkey
);
380 static struct akcipher_alg rsa
= {
383 .set_priv_key
= rsa_set_priv_key
,
384 .set_pub_key
= rsa_set_pub_key
,
385 .max_size
= rsa_max_size
,
386 .exit
= rsa_exit_tfm
,
389 .cra_driver_name
= "rsa-generic",
391 .cra_module
= THIS_MODULE
,
392 .cra_ctxsize
= sizeof(struct rsa_mpi_key
),
396 static int __init
rsa_init(void)
400 err
= crypto_register_akcipher(&rsa
);
404 err
= crypto_register_template(&rsa_pkcs1pad_tmpl
);
406 crypto_unregister_akcipher(&rsa
);
413 static void __exit
rsa_exit(void)
415 crypto_unregister_template(&rsa_pkcs1pad_tmpl
);
416 crypto_unregister_akcipher(&rsa
);
419 subsys_initcall(rsa_init
);
420 module_exit(rsa_exit
);
421 MODULE_ALIAS_CRYPTO("rsa");
422 MODULE_LICENSE("GPL");
423 MODULE_DESCRIPTION("RSA generic algorithm");