1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* RSA asymmetric public-key algorithm [RFC3447]
4 * Copyright (c) 2015, Intel Corporation
8 #include <linux/fips.h>
9 #include <linux/module.h>
10 #include <linux/mpi.h>
11 #include <crypto/internal/rsa.h>
12 #include <crypto/internal/akcipher.h>
13 #include <crypto/akcipher.h>
14 #include <crypto/algapi.h>
27 static int rsa_check_payload(MPI x, MPI n)
31 if (mpi_cmp_ui(x, 1) <= 0)
38 if (mpi_sub_ui(n1, n, 1) || mpi_cmp(x, n1) >= 0) {
48 * RSAEP function [RFC3447 sec 5.1.1]
51 static int _rsa_enc(const struct rsa_mpi_key *key, MPI c, MPI m)
54 * Even though (1) in RFC3447 only requires 0 <= m <= n - 1, we are
55 * slightly more conservative and require 1 < m < n - 1. This is in line
56 * with SP 800-56Br2, Section 7.1.1.
58 if (rsa_check_payload(m, key->n))
61 /* (2) c = m^e mod n */
62 return mpi_powm(c, m, key->e, key->n);
66 * RSADP function [RFC3447 sec 5.1.2]
69 * h = (m_1 - m_2) * qInv mod p;
72 static int _rsa_dec_crt(const struct rsa_mpi_key *key, MPI m_or_m1_or_h, MPI c)
78 * Even though (1) in RFC3447 only requires 0 <= c <= n - 1, we are
79 * slightly more conservative and require 1 < c < n - 1. This is in line
80 * with SP 800-56Br2, Section 7.1.2.
82 if (rsa_check_payload(c, key->n))
86 m12_or_qh = mpi_alloc(0);
87 if (!m2 || !m12_or_qh)
90 /* (2i) m_1 = c^dP mod p */
91 ret = mpi_powm(m_or_m1_or_h, c, key->dp, key->p);
95 /* (2i) m_2 = c^dQ mod q */
96 ret = mpi_powm(m2, c, key->dq, key->q);
100 /* (2iii) h = (m_1 - m_2) * qInv mod p */
101 ret = mpi_sub(m12_or_qh, m_or_m1_or_h, m2) ?:
102 mpi_mulm(m_or_m1_or_h, m12_or_qh, key->qinv, key->p);
104 /* (2iv) m = m_2 + q * h */
106 mpi_mul(m12_or_qh, key->q, m_or_m1_or_h) ?:
107 mpi_addm(m_or_m1_or_h, m2, m12_or_qh, key->n);
115 static inline struct rsa_mpi_key *rsa_get_key(struct crypto_akcipher *tfm)
117 return akcipher_tfm_ctx(tfm);
120 static int rsa_enc(struct akcipher_request *req)
122 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
123 const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
124 MPI m, c = mpi_alloc(0);
131 if (unlikely(!pkey->n || !pkey->e)) {
137 m = mpi_read_raw_from_sgl(req->src, req->src_len);
141 ret = _rsa_enc(pkey, c, m);
145 ret = mpi_write_to_sgl(c, req->dst, req->dst_len, &sign);
159 static int rsa_dec(struct akcipher_request *req)
161 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
162 const struct rsa_mpi_key *pkey = rsa_get_key(tfm);
163 MPI c, m = mpi_alloc(0);
170 if (unlikely(!pkey->n || !pkey->d)) {
176 c = mpi_read_raw_from_sgl(req->src, req->src_len);
180 ret = _rsa_dec_crt(pkey, m, c);
184 ret = mpi_write_to_sgl(m, req->dst, req->dst_len, &sign);
197 static void rsa_free_mpi_key(struct rsa_mpi_key *key)
217 static int rsa_check_key_length(unsigned int len)
235 static int rsa_check_exponent_fips(MPI e)
241 if (!mpi_test_bit(e, 0)) {
245 /* check if 2^16 < e < 2^256. */
246 if (mpi_cmp_ui(e, 65536) <= 0) {
250 e_max = mpi_alloc(0);
254 err = mpi_set_bit(e_max, 256);
260 if (mpi_cmp(e, e_max) >= 0) {
269 static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
272 struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
273 struct rsa_key raw_key = {0};
276 /* Free the old MPI key if any */
277 rsa_free_mpi_key(mpi_key);
279 ret = rsa_parse_pub_key(&raw_key, key, keylen);
283 mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
287 mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
291 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
292 rsa_free_mpi_key(mpi_key);
296 if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) {
297 rsa_free_mpi_key(mpi_key);
304 rsa_free_mpi_key(mpi_key);
308 static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key,
311 struct rsa_mpi_key *mpi_key = akcipher_tfm_ctx(tfm);
312 struct rsa_key raw_key = {0};
315 /* Free the old MPI key if any */
316 rsa_free_mpi_key(mpi_key);
318 ret = rsa_parse_priv_key(&raw_key, key, keylen);
322 mpi_key->d = mpi_read_raw_data(raw_key.d, raw_key.d_sz);
326 mpi_key->e = mpi_read_raw_data(raw_key.e, raw_key.e_sz);
330 mpi_key->n = mpi_read_raw_data(raw_key.n, raw_key.n_sz);
334 mpi_key->p = mpi_read_raw_data(raw_key.p, raw_key.p_sz);
338 mpi_key->q = mpi_read_raw_data(raw_key.q, raw_key.q_sz);
342 mpi_key->dp = mpi_read_raw_data(raw_key.dp, raw_key.dp_sz);
346 mpi_key->dq = mpi_read_raw_data(raw_key.dq, raw_key.dq_sz);
350 mpi_key->qinv = mpi_read_raw_data(raw_key.qinv, raw_key.qinv_sz);
354 if (rsa_check_key_length(mpi_get_size(mpi_key->n) << 3)) {
355 rsa_free_mpi_key(mpi_key);
359 if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) {
360 rsa_free_mpi_key(mpi_key);
367 rsa_free_mpi_key(mpi_key);
371 static unsigned int rsa_max_size(struct crypto_akcipher *tfm)
373 struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
375 return mpi_get_size(pkey->n);
378 static void rsa_exit_tfm(struct crypto_akcipher *tfm)
380 struct rsa_mpi_key *pkey = akcipher_tfm_ctx(tfm);
382 rsa_free_mpi_key(pkey);
385 static struct akcipher_alg rsa = {
388 .set_priv_key = rsa_set_priv_key,
389 .set_pub_key = rsa_set_pub_key,
390 .max_size = rsa_max_size,
391 .exit = rsa_exit_tfm,
394 .cra_driver_name = "rsa-generic",
396 .cra_module = THIS_MODULE,
397 .cra_ctxsize = sizeof(struct rsa_mpi_key),
401 static int __init rsa_init(void)
405 err = crypto_register_akcipher(&rsa);
409 err = crypto_register_template(&rsa_pkcs1pad_tmpl);
411 goto err_unregister_rsa;
413 err = crypto_register_template(&rsassa_pkcs1_tmpl);
415 goto err_unregister_rsa_pkcs1pad;
419 err_unregister_rsa_pkcs1pad:
420 crypto_unregister_template(&rsa_pkcs1pad_tmpl);
422 crypto_unregister_akcipher(&rsa);
426 static void __exit rsa_exit(void)
428 crypto_unregister_template(&rsassa_pkcs1_tmpl);
429 crypto_unregister_template(&rsa_pkcs1pad_tmpl);
430 crypto_unregister_akcipher(&rsa);
433 subsys_initcall(rsa_init);
434 module_exit(rsa_exit);
435 MODULE_ALIAS_CRYPTO("rsa");
436 MODULE_LICENSE("GPL");
437 MODULE_DESCRIPTION("RSA generic algorithm");
projects / J-linux.git / blob