1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* RSA asymmetric public-key algorithm [RFC3447] 3 * 4 * Copyright (c) 2015, Intel Corporation 5 * Authors: Tadeusz Struk <tadeusz.struk@intel.com> 6 */ 7 8 #include <linux/fips.h> 9 #include <linux/module.h> 10 #include <linux/mpi.h> 11 #include <crypto/internal/rsa.h> 12 #include <crypto/internal/akcipher.h> 13 #include <crypto/akcipher.h> 14 #include <crypto/algapi.h> 15 16 struct rsa_mpi_key { 17 MPI n; 18 MPI e; 19 MPI d; 20 MPI p; 21 MPI q; 22 MPI dp; 23 MPI dq; 24 MPI qinv; 25 }; 26 27 /* 28 * RSAEP function [RFC3447 sec 5.1.1] 29 * c = m^e mod n; 30 */ 31 static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m) 32 { 33 /* (1) Validate 0 <= m < n */ 34 if (mpi_cmp_ui(m, 0) < 0 || mpi_cmp(m, key->n) >= 0) 35 return -EINVAL; 36 37 /* (2) c = m^e mod n */ 38 return mpi_powm(c, m, key->e, key->n); 39 } 40 41 /* 42 * RSADP function [RFC3447 sec 5.1.2] 43 * m_1 = c^dP mod p; 44 * m_2 = c^dQ mod q; 45 * h = (m_1 - m_2) * qInv mod p; 46 * m = m_2 + q * h; 47 */ 48 static int _rsa_dec_crt(const struct rsa_mpi_key *key, MPI m_or_m1_or_h, MPI c) 49 { 50 MPI m2, m12_or_qh; 51 int ret = -ENOMEM; 52 53 /* (1) Validate 0 <= c < n */ 54 if (mpi_cmp_ui(c, 0) < 0 || mpi_cmp(c, key->n) >= 0) 55 return -EINVAL; 56 57 m2 = mpi_alloc(0); 58 m12_or_qh = mpi_alloc(0); 59 if (!m2 || !m12_or_qh) 60 goto err_free_mpi; 61 62 /* (2i) m_1 = c^dP mod p */ 63 ret = mpi_powm(m_or_m1_or_h, c, key->dp, key->p); 64 if (ret) 65 goto err_free_mpi; 66 67 /* (2i) m_2 = c^dQ mod q */ 68 ret = mpi_powm(m2, c, key->dq, key->q); 69 if (ret) 70 goto err_free_mpi; 71 72 /* (2iii) h = (m_1 - m_2) * qInv mod p */ 73 mpi_sub(m12_or_qh, m_or_m1_or_h, m2); 74 mpi_mulm(m_or_m1_or_h, m12_or_qh, key->qinv, key->p); 75 76 /* (2iv) m = m_2 + q * h */ 77 mpi_mul(m12_or_qh, key->q, m_or_m1_or_h); 78 mpi_addm(m_or_m1_or_h, m2, m12_or_qh, key->n); 79 80 ret = 0; 81 82 err_free_mpi: 83 mpi_free(m12_or_qh); 84 mpi_free(m2); 85 return ret; 86 } 87 88 static inline struct rsa_mpi_key *rsa_get_key(struct crypto_akcipher *tfm) 89 { 90 return akcipher_tfm_ctx(tfm); 91 } 92 93 static int rsa_enc(struct akcipher_request *req) 94 { 95 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 96 const struct rsa_mpi_key *pkey = rsa_get_key(tfm); 97 MPI m, c = mpi_alloc(0); 98 int ret = 0; 99 int sign; 100 101 if (!c) 102 return -ENOMEM; 103 104 if (unlikely(!pkey->n || !pkey->e)) { 105 ret = -EINVAL; 106 goto err_free_c; 107 } 108 109 ret = -ENOMEM; 110 m = mpi_read_raw_from_sgl(req->src, req->src_len); 111 if (!m) 112 goto err_free_c; 113 114 ret = _rsa_enc(pkey, c, m); 115 if (ret) 116 goto err_free_m; 117 118 ret = mpi_write_to_sgl(c, req->dst, req->dst_len, &sign); 119 if (ret) 120 goto err_free_m; 121 122 if (sign < 0) 123 ret = -EBADMSG; 124 125 err_free_m: 126 mpi_free(m); 127 err_free_c: 128 mpi_free(c); 129 return ret; 130 } 131 132 static int rsa_dec(struct akcipher_request *req) 133 { 134 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 135 const struct rsa_mpi_key *pkey = rsa_get_key(tfm); 136 MPI c, m = mpi_alloc(0); 137 int ret = 0; 138 int sign; 139 140 if (!m) 141 return -ENOMEM; 142 143 if (unlikely(!pkey->n || !pkey->d)) { 144 ret = -EINVAL; 145 goto err_free_m; 146 } 147 148 ret = -ENOMEM; 149 c = mpi_read_raw_from_sgl(req->src, req->src_len); 150 if (!c) 151 goto err_free_m; 152 153 ret = _rsa_dec_crt(pkey, m, c); 154 if (ret) 155 goto err_free_c; 156 157 ret = mpi_write_to_sgl(m, req->dst, req->dst_len, &sign); 158 if (ret) 159 goto err_free_c; 160 161 if (sign < 0) 162 ret = -EBADMSG; 163 err_free_c: 164 mpi_free(c); 165 err_free_m: 166 mpi_free(m); 167 return ret; 168 } 169 170 static void rsa_free_mpi_key(struct rsa_mpi_key *key) 171 { 172 mpi_free(key->d); 173 mpi_free(key->e); 174 mpi_free(key->n); 175 mpi_free(key->p); 176 mpi_free(key->q); 177 mpi_free(key->dp); 178 mpi_free(key->dq); 179 mpi_free(key->qinv); 180 key->d = NULL; 181 key->e = NULL; 182 key->n = NULL; 183 key->p = NULL; 184 key->q = NULL; 185 key->dp = NULL; 186 key->dq = NULL; 187 key->qinv = NULL; 188 } 189 190 static int rsa_check_key_length(unsigned int len) 191 { 192 switch (len) { 193 case 512: 194 case 1024: 195 case 1536: 196 if (fips_enabled) 197 return -EINVAL; 198 fallthrough; 199 case 2048: 200 case 3072: 201 case 4096: 202 return 0; 203 } 204 205 return -EINVAL; 206 } 207 208 static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, 209 unsigned int keylen) 210 { 211 struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm); 212 struct rsa_key raw_key = {0}; 213 int ret; 214 215 /* Free the old MPI key if any */ 216 rsa_free_mpi_key(mpi_key); 217 218 ret = rsa_parse_pub_key(&raw_key, key, keylen); 219 if (ret) 220 return ret; 221 222 mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz); 223 if (!mpi_key->e) 224 goto err; 225 226 mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz); 227 if (!mpi_key->n) 228 goto err; 229 230 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) { 231 rsa_free_mpi_key(mpi_key); 232 return -EINVAL; 233 } 234 235 return 0; 236 237 err: 238 rsa_free_mpi_key(mpi_key); 239 return -ENOMEM; 240 } 241 242 static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key, 243 unsigned int keylen) 244 { 245 struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm); 246 struct rsa_key raw_key = {0}; 247 int ret; 248 249 /* Free the old MPI key if any */ 250 rsa_free_mpi_key(mpi_key); 251 252 ret = rsa_parse_priv_key(&raw_key, key, keylen); 253 if (ret) 254 return ret; 255 256 mpi_key->d = mpi_read_raw_data(raw_key.d, raw_key.d_sz); 257 if (!mpi_key->d) 258 goto err; 259 260 mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz); 261 if (!mpi_key->e) 262 goto err; 263 264 mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz); 265 if (!mpi_key->n) 266 goto err; 267 268 mpi_key->p = mpi_read_raw_data(raw_key.p, raw_key.p_sz); 269 if (!mpi_key->p) 270 goto err; 271 272 mpi_key->q = mpi_read_raw_data(raw_key.q, raw_key.q_sz); 273 if (!mpi_key->q) 274 goto err; 275 276 mpi_key->dp = mpi_read_raw_data(raw_key.dp, raw_key.dp_sz); 277 if (!mpi_key->dp) 278 goto err; 279 280 mpi_key->dq = mpi_read_raw_data(raw_key.dq, raw_key.dq_sz); 281 if (!mpi_key->dq) 282 goto err; 283 284 mpi_key->qinv = mpi_read_raw_data(raw_key.qinv, raw_key.qinv_sz); 285 if (!mpi_key->qinv) 286 goto err; 287 288 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) { 289 rsa_free_mpi_key(mpi_key); 290 return -EINVAL; 291 } 292 293 return 0; 294 295 err: 296 rsa_free_mpi_key(mpi_key); 297 return -ENOMEM; 298 } 299 300 static unsigned int rsa_max_size(struct crypto_akcipher *tfm) 301 { 302 struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm); 303 304 return mpi_get_size(pkey->n); 305 } 306 307 static void rsa_exit_tfm(struct crypto_akcipher *tfm) 308 { 309 struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm); 310 311 rsa_free_mpi_key(pkey); 312 } 313 314 static struct akcipher_alg rsa = { 315 .encrypt = rsa_enc, 316 .decrypt = rsa_dec, 317 .set_priv_key = rsa_set_priv_key, 318 .set_pub_key = rsa_set_pub_key, 319 .max_size = rsa_max_size, 320 .exit = rsa_exit_tfm, 321 .base = { 322 .cra_name = "rsa", 323 .cra_driver_name = "rsa-generic", 324 .cra_priority = 100, 325 .cra_module = THIS_MODULE, 326 .cra_ctxsize = sizeof(struct rsa_mpi_key), 327 }, 328 }; 329 330 static int rsa_init(void) 331 { 332 int err; 333 334 err = crypto_register_akcipher(&rsa); 335 if (err) 336 return err; 337 338 err = crypto_register_template(&rsa_pkcs1pad_tmpl); 339 if (err) { 340 crypto_unregister_akcipher(&rsa); 341 return err; 342 } 343 344 return 0; 345 } 346 347 static void rsa_exit(void) 348 { 349 crypto_unregister_template(&rsa_pkcs1pad_tmpl); 350 crypto_unregister_akcipher(&rsa); 351 } 352 353 subsys_initcall(rsa_init); 354 module_exit(rsa_exit); 355 MODULE_ALIAS_CRYPTO("rsa"); 356 MODULE_LICENSE("GPL"); 357 MODULE_DESCRIPTION("RSA generic algorithm"); 358