~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/crypto/ecrdsa.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0+
  2 /*
  3  * Elliptic Curve (Russian) Digital Signature Algorithm for Cryptographic API
  4  *
  5  * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
  6  *
  7  * References:
  8  * GOST 34.10-2018, GOST R 34.10-2012, RFC 7091, ISO/IEC 14888-3:2018.
  9  *
 10  * Historical references:
 11  * GOST R 34.10-2001, RFC 4357, ISO/IEC 14888-3:2006/Amd 1:2010.
 12  *
 13  * This program is free software; you can redistribute it and/or modify it
 14  * under the terms of the GNU General Public License as published by the Free
 15  * Software Foundation; either version 2 of the License, or (at your option)
 16  * any later version.
 17  */
 18 
 19 #include <linux/module.h>
 20 #include <linux/crypto.h>
 21 #include <crypto/streebog.h>
 22 #include <crypto/internal/akcipher.h>
 23 #include <crypto/internal/ecc.h>
 24 #include <crypto/akcipher.h>
 25 #include <linux/oid_registry.h>
 26 #include <linux/scatterlist.h>
 27 #include "ecrdsa_params.asn1.h"
 28 #include "ecrdsa_pub_key.asn1.h"
 29 #include "ecrdsa_defs.h"
 30 
 31 #define ECRDSA_MAX_SIG_SIZE (2 * 512 / 8)
 32 #define ECRDSA_MAX_DIGITS (512 / 64)
 33 
 34 struct ecrdsa_ctx {
 35         enum OID algo_oid; /* overall public key oid */
 36         enum OID curve_oid; /* parameter */
 37         enum OID digest_oid; /* parameter */
 38         const struct ecc_curve *curve; /* curve from oid */
 39         unsigned int digest_len; /* parameter (bytes) */
 40         const char *digest; /* digest name from oid */
 41         unsigned int key_len; /* @key length (bytes) */
 42         const char *key; /* raw public key */
 43         struct ecc_point pub_key;
 44         u64 _pubp[2][ECRDSA_MAX_DIGITS]; /* point storage for @pub_key */
 45 };
 46 
 47 static const struct ecc_curve *get_curve_by_oid(enum OID oid)
 48 {
 49         switch (oid) {
 50         case OID_gostCPSignA:
 51         case OID_gostTC26Sign256B:
 52                 return &gost_cp256a;
 53         case OID_gostCPSignB:
 54         case OID_gostTC26Sign256C:
 55                 return &gost_cp256b;
 56         case OID_gostCPSignC:
 57         case OID_gostTC26Sign256D:
 58                 return &gost_cp256c;
 59         case OID_gostTC26Sign512A:
 60                 return &gost_tc512a;
 61         case OID_gostTC26Sign512B:
 62                 return &gost_tc512b;
 63         /* The following two aren't implemented: */
 64         case OID_gostTC26Sign256A:
 65         case OID_gostTC26Sign512C:
 66         default:
 67                 return NULL;
 68         }
 69 }
 70 
 71 static int ecrdsa_verify(struct akcipher_request *req)
 72 {
 73         struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
 74         struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
 75         unsigned char sig[ECRDSA_MAX_SIG_SIZE];
 76         unsigned char digest[STREEBOG512_DIGEST_SIZE];
 77         unsigned int ndigits = req->dst_len / sizeof(u64);
 78         u64 r[ECRDSA_MAX_DIGITS]; /* witness (r) */
 79         u64 _r[ECRDSA_MAX_DIGITS]; /* -r */
 80         u64 s[ECRDSA_MAX_DIGITS]; /* second part of sig (s) */
 81         u64 e[ECRDSA_MAX_DIGITS]; /* h \mod q */
 82         u64 *v = e;               /* e^{-1} \mod q */
 83         u64 z1[ECRDSA_MAX_DIGITS];
 84         u64 *z2 = _r;
 85         struct ecc_point cc = ECC_POINT_INIT(s, e, ndigits); /* reuse s, e */
 86 
 87         /*
 88          * Digest value, digest algorithm, and curve (modulus) should have the
 89          * same length (256 or 512 bits), public key and signature should be
 90          * twice bigger.
 91          */
 92         if (!ctx->curve ||
 93             !ctx->digest ||
 94             !req->src ||
 95             !ctx->pub_key.x ||
 96             req->dst_len != ctx->digest_len ||
 97             req->dst_len != ctx->curve->g.ndigits * sizeof(u64) ||
 98             ctx->pub_key.ndigits != ctx->curve->g.ndigits ||
 99             req->dst_len * 2 != req->src_len ||
100             WARN_ON(req->src_len > sizeof(sig)) ||
101             WARN_ON(req->dst_len > sizeof(digest)))
102                 return -EBADMSG;
103 
104         sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
105                           sig, req->src_len);
106         sg_pcopy_to_buffer(req->src,
107                            sg_nents_for_len(req->src,
108                                             req->src_len + req->dst_len),
109                            digest, req->dst_len, req->src_len);
110 
111         vli_from_be64(s, sig, ndigits);
112         vli_from_be64(r, sig + ndigits * sizeof(u64), ndigits);
113 
114         /* Step 1: verify that 0 < r < q, 0 < s < q */
115         if (vli_is_zero(r, ndigits) ||
116             vli_cmp(r, ctx->curve->n, ndigits) >= 0 ||
117             vli_is_zero(s, ndigits) ||
118             vli_cmp(s, ctx->curve->n, ndigits) >= 0)
119                 return -EKEYREJECTED;
120 
121         /* Step 2: calculate hash (h) of the message (passed as input) */
122         /* Step 3: calculate e = h \mod q */
123         vli_from_le64(e, digest, ndigits);
124         if (vli_cmp(e, ctx->curve->n, ndigits) >= 0)
125                 vli_sub(e, e, ctx->curve->n, ndigits);
126         if (vli_is_zero(e, ndigits))
127                 e[0] = 1;
128 
129         /* Step 4: calculate v = e^{-1} \mod q */
130         vli_mod_inv(v, e, ctx->curve->n, ndigits);
131 
132         /* Step 5: calculate z_1 = sv \mod q, z_2 = -rv \mod q */
133         vli_mod_mult_slow(z1, s, v, ctx->curve->n, ndigits);
134         vli_sub(_r, ctx->curve->n, r, ndigits);
135         vli_mod_mult_slow(z2, _r, v, ctx->curve->n, ndigits);
136 
137         /* Step 6: calculate point C = z_1P + z_2Q, and R = x_c \mod q */
138         ecc_point_mult_shamir(&cc, z1, &ctx->curve->g, z2, &ctx->pub_key,
139                               ctx->curve);
140         if (vli_cmp(cc.x, ctx->curve->n, ndigits) >= 0)
141                 vli_sub(cc.x, cc.x, ctx->curve->n, ndigits);
142 
143         /* Step 7: if R == r signature is valid */
144         if (!vli_cmp(cc.x, r, ndigits))
145                 return 0;
146         else
147                 return -EKEYREJECTED;
148 }
149 
150 int ecrdsa_param_curve(void *context, size_t hdrlen, unsigned char tag,
151                        const void *value, size_t vlen)
152 {
153         struct ecrdsa_ctx *ctx = context;
154 
155         ctx->curve_oid = look_up_OID(value, vlen);
156         if (!ctx->curve_oid)
157                 return -EINVAL;
158         ctx->curve = get_curve_by_oid(ctx->curve_oid);
159         return 0;
160 }
161 
162 /* Optional. If present should match expected digest algo OID. */
163 int ecrdsa_param_digest(void *context, size_t hdrlen, unsigned char tag,
164                         const void *value, size_t vlen)
165 {
166         struct ecrdsa_ctx *ctx = context;
167         int digest_oid = look_up_OID(value, vlen);
168 
169         if (digest_oid != ctx->digest_oid)
170                 return -EINVAL;
171         return 0;
172 }
173 
174 int ecrdsa_parse_pub_key(void *context, size_t hdrlen, unsigned char tag,
175                          const void *value, size_t vlen)
176 {
177         struct ecrdsa_ctx *ctx = context;
178 
179         ctx->key = value;
180         ctx->key_len = vlen;
181         return 0;
182 }
183 
184 static u8 *ecrdsa_unpack_u32(u32 *dst, void *src)
185 {
186         memcpy(dst, src, sizeof(u32));
187         return src + sizeof(u32);
188 }
189 
190 /* Parse BER encoded subjectPublicKey. */
191 static int ecrdsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
192                               unsigned int keylen)
193 {
194         struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
195         unsigned int ndigits;
196         u32 algo, paramlen;
197         u8 *params;
198         int err;
199 
200         err = asn1_ber_decoder(&ecrdsa_pub_key_decoder, ctx, key, keylen);
201         if (err < 0)
202                 return err;
203 
204         /* Key parameters is in the key after keylen. */
205         params = ecrdsa_unpack_u32(&paramlen,
206                           ecrdsa_unpack_u32(&algo, (u8 *)key + keylen));
207 
208         if (algo == OID_gost2012PKey256) {
209                 ctx->digest     = "streebog256";
210                 ctx->digest_oid = OID_gost2012Digest256;
211                 ctx->digest_len = 256 / 8;
212         } else if (algo == OID_gost2012PKey512) {
213                 ctx->digest     = "streebog512";
214                 ctx->digest_oid = OID_gost2012Digest512;
215                 ctx->digest_len = 512 / 8;
216         } else
217                 return -ENOPKG;
218         ctx->algo_oid = algo;
219 
220         /* Parse SubjectPublicKeyInfo.AlgorithmIdentifier.parameters. */
221         err = asn1_ber_decoder(&ecrdsa_params_decoder, ctx, params, paramlen);
222         if (err < 0)
223                 return err;
224         /*
225          * Sizes of algo (set in digest_len) and curve should match
226          * each other.
227          */
228         if (!ctx->curve ||
229             ctx->curve->g.ndigits * sizeof(u64) != ctx->digest_len)
230                 return -ENOPKG;
231         /*
232          * Key is two 256- or 512-bit coordinates which should match
233          * curve size.
234          */
235         if ((ctx->key_len != (2 * 256 / 8) &&
236              ctx->key_len != (2 * 512 / 8)) ||
237             ctx->key_len != ctx->curve->g.ndigits * sizeof(u64) * 2)
238                 return -ENOPKG;
239 
240         ndigits = ctx->key_len / sizeof(u64) / 2;
241         ctx->pub_key = ECC_POINT_INIT(ctx->_pubp[0], ctx->_pubp[1], ndigits);
242         vli_from_le64(ctx->pub_key.x, ctx->key, ndigits);
243         vli_from_le64(ctx->pub_key.y, ctx->key + ndigits * sizeof(u64),
244                       ndigits);
245 
246         if (ecc_is_pubkey_valid_partial(ctx->curve, &ctx->pub_key))
247                 return -EKEYREJECTED;
248 
249         return 0;
250 }
251 
252 static unsigned int ecrdsa_max_size(struct crypto_akcipher *tfm)
253 {
254         struct ecrdsa_ctx *ctx = akcipher_tfm_ctx(tfm);
255 
256         /*
257          * Verify doesn't need any output, so it's just informational
258          * for keyctl to determine the key bit size.
259          */
260         return ctx->pub_key.ndigits * sizeof(u64);
261 }
262 
263 static void ecrdsa_exit_tfm(struct crypto_akcipher *tfm)
264 {
265 }
266 
267 static struct akcipher_alg ecrdsa_alg = {
268         .verify         = ecrdsa_verify,
269         .set_pub_key    = ecrdsa_set_pub_key,
270         .max_size       = ecrdsa_max_size,
271         .exit           = ecrdsa_exit_tfm,
272         .base = {
273                 .cra_name        = "ecrdsa",
274                 .cra_driver_name = "ecrdsa-generic",
275                 .cra_priority    = 100,
276                 .cra_module      = THIS_MODULE,
277                 .cra_ctxsize     = sizeof(struct ecrdsa_ctx),
278         },
279 };
280 
281 static int __init ecrdsa_mod_init(void)
282 {
283         return crypto_register_akcipher(&ecrdsa_alg);
284 }
285 
286 static void __exit ecrdsa_mod_fini(void)
287 {
288         crypto_unregister_akcipher(&ecrdsa_alg);
289 }
290 
291 module_init(ecrdsa_mod_init);
292 module_exit(ecrdsa_mod_fini);
293 
294 MODULE_LICENSE("GPL");
295 MODULE_AUTHOR("Vitaly Chikunov <vt@altlinux.org>");
296 MODULE_DESCRIPTION("EC-RDSA generic algorithm");
297 MODULE_ALIAS_CRYPTO("ecrdsa");
298 MODULE_ALIAS_CRYPTO("ecrdsa-generic");
299 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php