1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /* RSA asymmetric public-key algorithm [RFC3447]
3*4882a593Smuzhiyun *
4*4882a593Smuzhiyun * Copyright (c) 2015, Intel Corporation
5*4882a593Smuzhiyun * Authors: Tadeusz Struk <tadeusz.struk@intel.com>
6*4882a593Smuzhiyun */
7*4882a593Smuzhiyun
8*4882a593Smuzhiyun #include <linux/module.h>
9*4882a593Smuzhiyun #include <linux/mpi.h>
10*4882a593Smuzhiyun #include <crypto/internal/rsa.h>
11*4882a593Smuzhiyun #include <crypto/internal/akcipher.h>
12*4882a593Smuzhiyun #include <crypto/akcipher.h>
13*4882a593Smuzhiyun #include <crypto/algapi.h>
14*4882a593Smuzhiyun
15*4882a593Smuzhiyun struct rsa_mpi_key {
16*4882a593Smuzhiyun MPI n;
17*4882a593Smuzhiyun MPI e;
18*4882a593Smuzhiyun MPI d;
19*4882a593Smuzhiyun };
20*4882a593Smuzhiyun
21*4882a593Smuzhiyun /*
22*4882a593Smuzhiyun * RSAEP function [RFC3447 sec 5.1.1]
23*4882a593Smuzhiyun * c = m^e mod n;
24*4882a593Smuzhiyun */
_rsa_enc(const struct rsa_mpi_key * key,MPI c,MPI m)25*4882a593Smuzhiyun static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
26*4882a593Smuzhiyun {
27*4882a593Smuzhiyun /* (1) Validate 0 <= m < n */
28*4882a593Smuzhiyun if (mpi_cmp_ui(m, 0) < 0 || mpi_cmp(m, key->n) >= 0)
29*4882a593Smuzhiyun return -EINVAL;
30*4882a593Smuzhiyun
31*4882a593Smuzhiyun /* (2) c = m^e mod n */
32*4882a593Smuzhiyun return mpi_powm(c, m, key->e, key->n);
33*4882a593Smuzhiyun }
34*4882a593Smuzhiyun
35*4882a593Smuzhiyun /*
36*4882a593Smuzhiyun * RSADP function [RFC3447 sec 5.1.2]
37*4882a593Smuzhiyun * m = c^d mod n;
38*4882a593Smuzhiyun */
_rsa_dec(const struct rsa_mpi_key * key,MPI m,MPI c)39*4882a593Smuzhiyun static int _rsa_dec(const struct rsa_mpi_key *key, MPI m, MPI c)
40*4882a593Smuzhiyun {
41*4882a593Smuzhiyun /* (1) Validate 0 <= c < n */
42*4882a593Smuzhiyun if (mpi_cmp_ui(c, 0) < 0 || mpi_cmp(c, key->n) >= 0)
43*4882a593Smuzhiyun return -EINVAL;
44*4882a593Smuzhiyun
45*4882a593Smuzhiyun /* (2) m = c^d mod n */
46*4882a593Smuzhiyun return mpi_powm(m, c, key->d, key->n);
47*4882a593Smuzhiyun }
48*4882a593Smuzhiyun
rsa_get_key(struct crypto_akcipher * tfm)49*4882a593Smuzhiyun static inline struct rsa_mpi_key *rsa_get_key(struct crypto_akcipher *tfm)
50*4882a593Smuzhiyun {
51*4882a593Smuzhiyun return akcipher_tfm_ctx(tfm);
52*4882a593Smuzhiyun }
53*4882a593Smuzhiyun
rsa_enc(struct akcipher_request * req)54*4882a593Smuzhiyun static int rsa_enc(struct akcipher_request *req)
55*4882a593Smuzhiyun {
56*4882a593Smuzhiyun struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
57*4882a593Smuzhiyun const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
58*4882a593Smuzhiyun MPI m, c = mpi_alloc(0);
59*4882a593Smuzhiyun int ret = 0;
60*4882a593Smuzhiyun int sign;
61*4882a593Smuzhiyun
62*4882a593Smuzhiyun if (!c)
63*4882a593Smuzhiyun return -ENOMEM;
64*4882a593Smuzhiyun
65*4882a593Smuzhiyun if (unlikely(!pkey->n || !pkey->e)) {
66*4882a593Smuzhiyun ret = -EINVAL;
67*4882a593Smuzhiyun goto err_free_c;
68*4882a593Smuzhiyun }
69*4882a593Smuzhiyun
70*4882a593Smuzhiyun ret = -ENOMEM;
71*4882a593Smuzhiyun m = mpi_read_raw_from_sgl(req->src, req->src_len);
72*4882a593Smuzhiyun if (!m)
73*4882a593Smuzhiyun goto err_free_c;
74*4882a593Smuzhiyun
75*4882a593Smuzhiyun ret = _rsa_enc(pkey, c, m);
76*4882a593Smuzhiyun if (ret)
77*4882a593Smuzhiyun goto err_free_m;
78*4882a593Smuzhiyun
79*4882a593Smuzhiyun ret = mpi_write_to_sgl(c, req->dst, req->dst_len, &sign);
80*4882a593Smuzhiyun if (ret)
81*4882a593Smuzhiyun goto err_free_m;
82*4882a593Smuzhiyun
83*4882a593Smuzhiyun if (sign < 0)
84*4882a593Smuzhiyun ret = -EBADMSG;
85*4882a593Smuzhiyun
86*4882a593Smuzhiyun err_free_m:
87*4882a593Smuzhiyun mpi_free(m);
88*4882a593Smuzhiyun err_free_c:
89*4882a593Smuzhiyun mpi_free(c);
90*4882a593Smuzhiyun return ret;
91*4882a593Smuzhiyun }
92*4882a593Smuzhiyun
rsa_dec(struct akcipher_request * req)93*4882a593Smuzhiyun static int rsa_dec(struct akcipher_request *req)
94*4882a593Smuzhiyun {
95*4882a593Smuzhiyun struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
96*4882a593Smuzhiyun const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
97*4882a593Smuzhiyun MPI c, m = mpi_alloc(0);
98*4882a593Smuzhiyun int ret = 0;
99*4882a593Smuzhiyun int sign;
100*4882a593Smuzhiyun
101*4882a593Smuzhiyun if (!m)
102*4882a593Smuzhiyun return -ENOMEM;
103*4882a593Smuzhiyun
104*4882a593Smuzhiyun if (unlikely(!pkey->n || !pkey->d)) {
105*4882a593Smuzhiyun ret = -EINVAL;
106*4882a593Smuzhiyun goto err_free_m;
107*4882a593Smuzhiyun }
108*4882a593Smuzhiyun
109*4882a593Smuzhiyun ret = -ENOMEM;
110*4882a593Smuzhiyun c = mpi_read_raw_from_sgl(req->src, req->src_len);
111*4882a593Smuzhiyun if (!c)
112*4882a593Smuzhiyun goto err_free_m;
113*4882a593Smuzhiyun
114*4882a593Smuzhiyun ret = _rsa_dec(pkey, m, c);
115*4882a593Smuzhiyun if (ret)
116*4882a593Smuzhiyun goto err_free_c;
117*4882a593Smuzhiyun
118*4882a593Smuzhiyun ret = mpi_write_to_sgl(m, req->dst, req->dst_len, &sign);
119*4882a593Smuzhiyun if (ret)
120*4882a593Smuzhiyun goto err_free_c;
121*4882a593Smuzhiyun
122*4882a593Smuzhiyun if (sign < 0)
123*4882a593Smuzhiyun ret = -EBADMSG;
124*4882a593Smuzhiyun err_free_c:
125*4882a593Smuzhiyun mpi_free(c);
126*4882a593Smuzhiyun err_free_m:
127*4882a593Smuzhiyun mpi_free(m);
128*4882a593Smuzhiyun return ret;
129*4882a593Smuzhiyun }
130*4882a593Smuzhiyun
rsa_free_mpi_key(struct rsa_mpi_key * key)131*4882a593Smuzhiyun static void rsa_free_mpi_key(struct rsa_mpi_key *key)
132*4882a593Smuzhiyun {
133*4882a593Smuzhiyun mpi_free(key->d);
134*4882a593Smuzhiyun mpi_free(key->e);
135*4882a593Smuzhiyun mpi_free(key->n);
136*4882a593Smuzhiyun key->d = NULL;
137*4882a593Smuzhiyun key->e = NULL;
138*4882a593Smuzhiyun key->n = NULL;
139*4882a593Smuzhiyun }
140*4882a593Smuzhiyun
rsa_check_key_length(unsigned int len)141*4882a593Smuzhiyun static int rsa_check_key_length(unsigned int len)
142*4882a593Smuzhiyun {
143*4882a593Smuzhiyun switch (len) {
144*4882a593Smuzhiyun case 512:
145*4882a593Smuzhiyun case 1024:
146*4882a593Smuzhiyun case 1536:
147*4882a593Smuzhiyun case 2048:
148*4882a593Smuzhiyun case 3072:
149*4882a593Smuzhiyun case 4096:
150*4882a593Smuzhiyun return 0;
151*4882a593Smuzhiyun }
152*4882a593Smuzhiyun
153*4882a593Smuzhiyun return -EINVAL;
154*4882a593Smuzhiyun }
155*4882a593Smuzhiyun
rsa_set_pub_key(struct crypto_akcipher * tfm,const void * key,unsigned int keylen)156*4882a593Smuzhiyun static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
157*4882a593Smuzhiyun unsigned int keylen)
158*4882a593Smuzhiyun {
159*4882a593Smuzhiyun struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
160*4882a593Smuzhiyun struct rsa_key raw_key = {0};
161*4882a593Smuzhiyun int ret;
162*4882a593Smuzhiyun
163*4882a593Smuzhiyun /* Free the old MPI key if any */
164*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
165*4882a593Smuzhiyun
166*4882a593Smuzhiyun ret = rsa_parse_pub_key(&raw_key, key, keylen);
167*4882a593Smuzhiyun if (ret)
168*4882a593Smuzhiyun return ret;
169*4882a593Smuzhiyun
170*4882a593Smuzhiyun mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
171*4882a593Smuzhiyun if (!mpi_key->e)
172*4882a593Smuzhiyun goto err;
173*4882a593Smuzhiyun
174*4882a593Smuzhiyun mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
175*4882a593Smuzhiyun if (!mpi_key->n)
176*4882a593Smuzhiyun goto err;
177*4882a593Smuzhiyun
178*4882a593Smuzhiyun if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
179*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
180*4882a593Smuzhiyun return -EINVAL;
181*4882a593Smuzhiyun }
182*4882a593Smuzhiyun
183*4882a593Smuzhiyun return 0;
184*4882a593Smuzhiyun
185*4882a593Smuzhiyun err:
186*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
187*4882a593Smuzhiyun return -ENOMEM;
188*4882a593Smuzhiyun }
189*4882a593Smuzhiyun
rsa_set_priv_key(struct crypto_akcipher * tfm,const void * key,unsigned int keylen)190*4882a593Smuzhiyun static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key,
191*4882a593Smuzhiyun unsigned int keylen)
192*4882a593Smuzhiyun {
193*4882a593Smuzhiyun struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
194*4882a593Smuzhiyun struct rsa_key raw_key = {0};
195*4882a593Smuzhiyun int ret;
196*4882a593Smuzhiyun
197*4882a593Smuzhiyun /* Free the old MPI key if any */
198*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
199*4882a593Smuzhiyun
200*4882a593Smuzhiyun ret = rsa_parse_priv_key(&raw_key, key, keylen);
201*4882a593Smuzhiyun if (ret)
202*4882a593Smuzhiyun return ret;
203*4882a593Smuzhiyun
204*4882a593Smuzhiyun mpi_key->d = mpi_read_raw_data(raw_key.d, raw_key.d_sz);
205*4882a593Smuzhiyun if (!mpi_key->d)
206*4882a593Smuzhiyun goto err;
207*4882a593Smuzhiyun
208*4882a593Smuzhiyun mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
209*4882a593Smuzhiyun if (!mpi_key->e)
210*4882a593Smuzhiyun goto err;
211*4882a593Smuzhiyun
212*4882a593Smuzhiyun mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
213*4882a593Smuzhiyun if (!mpi_key->n)
214*4882a593Smuzhiyun goto err;
215*4882a593Smuzhiyun
216*4882a593Smuzhiyun if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
217*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
218*4882a593Smuzhiyun return -EINVAL;
219*4882a593Smuzhiyun }
220*4882a593Smuzhiyun
221*4882a593Smuzhiyun return 0;
222*4882a593Smuzhiyun
223*4882a593Smuzhiyun err:
224*4882a593Smuzhiyun rsa_free_mpi_key(mpi_key);
225*4882a593Smuzhiyun return -ENOMEM;
226*4882a593Smuzhiyun }
227*4882a593Smuzhiyun
rsa_max_size(struct crypto_akcipher * tfm)228*4882a593Smuzhiyun static unsigned int rsa_max_size(struct crypto_akcipher *tfm)
229*4882a593Smuzhiyun {
230*4882a593Smuzhiyun struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
231*4882a593Smuzhiyun
232*4882a593Smuzhiyun return mpi_get_size(pkey->n);
233*4882a593Smuzhiyun }
234*4882a593Smuzhiyun
rsa_exit_tfm(struct crypto_akcipher * tfm)235*4882a593Smuzhiyun static void rsa_exit_tfm(struct crypto_akcipher *tfm)
236*4882a593Smuzhiyun {
237*4882a593Smuzhiyun struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
238*4882a593Smuzhiyun
239*4882a593Smuzhiyun rsa_free_mpi_key(pkey);
240*4882a593Smuzhiyun }
241*4882a593Smuzhiyun
242*4882a593Smuzhiyun static struct akcipher_alg rsa = {
243*4882a593Smuzhiyun .encrypt = rsa_enc,
244*4882a593Smuzhiyun .decrypt = rsa_dec,
245*4882a593Smuzhiyun .set_priv_key = rsa_set_priv_key,
246*4882a593Smuzhiyun .set_pub_key = rsa_set_pub_key,
247*4882a593Smuzhiyun .max_size = rsa_max_size,
248*4882a593Smuzhiyun .exit = rsa_exit_tfm,
249*4882a593Smuzhiyun .base = {
250*4882a593Smuzhiyun .cra_name = "rsa",
251*4882a593Smuzhiyun .cra_driver_name = "rsa-generic",
252*4882a593Smuzhiyun .cra_priority = 100,
253*4882a593Smuzhiyun .cra_module = THIS_MODULE,
254*4882a593Smuzhiyun .cra_ctxsize = sizeof(struct rsa_mpi_key),
255*4882a593Smuzhiyun },
256*4882a593Smuzhiyun };
257*4882a593Smuzhiyun
rsa_init(void)258*4882a593Smuzhiyun static int rsa_init(void)
259*4882a593Smuzhiyun {
260*4882a593Smuzhiyun int err;
261*4882a593Smuzhiyun
262*4882a593Smuzhiyun err = crypto_register_akcipher(&rsa);
263*4882a593Smuzhiyun if (err)
264*4882a593Smuzhiyun return err;
265*4882a593Smuzhiyun
266*4882a593Smuzhiyun err = crypto_register_template(&rsa_pkcs1pad_tmpl);
267*4882a593Smuzhiyun if (err) {
268*4882a593Smuzhiyun crypto_unregister_akcipher(&rsa);
269*4882a593Smuzhiyun return err;
270*4882a593Smuzhiyun }
271*4882a593Smuzhiyun
272*4882a593Smuzhiyun return 0;
273*4882a593Smuzhiyun }
274*4882a593Smuzhiyun
rsa_exit(void)275*4882a593Smuzhiyun static void rsa_exit(void)
276*4882a593Smuzhiyun {
277*4882a593Smuzhiyun crypto_unregister_template(&rsa_pkcs1pad_tmpl);
278*4882a593Smuzhiyun crypto_unregister_akcipher(&rsa);
279*4882a593Smuzhiyun }
280*4882a593Smuzhiyun
281*4882a593Smuzhiyun subsys_initcall(rsa_init);
282*4882a593Smuzhiyun module_exit(rsa_exit);
283*4882a593Smuzhiyun MODULE_ALIAS_CRYPTO("rsa");
284*4882a593Smuzhiyun MODULE_LICENSE("GPL");
285*4882a593Smuzhiyun MODULE_DESCRIPTION("RSA generic algorithm");
286