2
* Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation; either version 2 of the
7
* License, or any later version.
9
* This program is distributed in the hope that it will be useful, but
10
* WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12
* General Public License for more details.
14
* You should have received a copy of the GNU General Public License
15
* along with this program; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
19
* You can also choose to distribute this program under the terms of
20
* the Unmodified Binary Distribution Licence (as given in the file
21
* COPYING.UBDL), provided that you have satisfied its requirements.
24
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
31
#include <ipxe/asn1.h>
32
#include <ipxe/crypto.h>
33
#include <ipxe/bigint.h>
34
#include <ipxe/random_nz.h>
39
* RSA public-key cryptography
41
* RSA is documented in RFC 3447.
44
/* Disambiguate the various error causes */
45
#define EACCES_VERIFY \
46
__einfo_error ( EINFO_EACCES_VERIFY )
47
#define EINFO_EACCES_VERIFY \
48
__einfo_uniqify ( EINFO_EACCES, 0x01, "RSA signature incorrect" )
50
/** "rsaEncryption" object identifier */
51
static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
53
/** "rsaEncryption" OID-identified algorithm */
54
struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
55
.name = "rsaEncryption",
56
.pubkey = &rsa_algorithm,
58
.oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
64
* @v digest Digest algorithm
65
* @ret prefix RSA prefix, or NULL
67
static struct rsa_digestinfo_prefix *
68
rsa_find_prefix ( struct digest_algorithm *digest ) {
69
struct rsa_digestinfo_prefix *prefix;
71
for_each_table_entry ( prefix, RSA_DIGESTINFO_PREFIXES ) {
72
if ( prefix->digest == digest )
79
* Free RSA dynamic storage
81
* @v context RSA context
83
static void rsa_free ( struct rsa_context *context ) {
85
free ( context->dynamic );
86
context->dynamic = NULL;
90
* Allocate RSA dynamic storage
92
* @v context RSA context
93
* @v modulus_len Modulus length
94
* @v exponent_len Exponent length
95
* @ret rc Return status code
97
static int rsa_alloc ( struct rsa_context *context, size_t modulus_len,
98
size_t exponent_len ) {
99
unsigned int size = bigint_required_size ( modulus_len );
100
unsigned int exponent_size = bigint_required_size ( exponent_len );
101
bigint_t ( size ) *modulus;
102
bigint_t ( exponent_size ) *exponent;
103
size_t tmp_len = bigint_mod_exp_tmp_len ( modulus, exponent );
105
bigint_t ( size ) modulus;
106
bigint_t ( exponent_size ) exponent;
107
bigint_t ( size ) input;
108
bigint_t ( size ) output;
109
uint8_t tmp[tmp_len];
110
} __attribute__ (( packed )) *dynamic;
112
/* Free any existing dynamic storage */
113
rsa_free ( context );
115
/* Allocate dynamic storage */
116
dynamic = malloc ( sizeof ( *dynamic ) );
120
/* Assign dynamic storage */
121
context->dynamic = dynamic;
122
context->modulus0 = &dynamic->modulus.element[0];
123
context->size = size;
124
context->max_len = modulus_len;
125
context->exponent0 = &dynamic->exponent.element[0];
126
context->exponent_size = exponent_size;
127
context->input0 = &dynamic->input.element[0];
128
context->output0 = &dynamic->output.element[0];
129
context->tmp = &dynamic->tmp;
137
* @v integer Integer to fill in
138
* @v raw ASN.1 cursor
139
* @ret rc Return status code
141
static int rsa_parse_integer ( struct asn1_cursor *integer,
142
const struct asn1_cursor *raw ) {
145
memcpy ( integer, raw, sizeof ( *integer ) );
146
asn1_enter ( integer, ASN1_INTEGER );
148
/* Skip initial sign byte if applicable */
149
if ( ( integer->len > 1 ) &&
150
( *( ( uint8_t * ) integer->data ) == 0x00 ) ) {
155
/* Fail if cursor or integer are invalid */
156
if ( ! integer->len )
163
* Parse RSA modulus and exponent
165
* @v modulus Modulus to fill in
166
* @v exponent Exponent to fill in
167
* @v raw ASN.1 cursor
168
* @ret rc Return status code
170
static int rsa_parse_mod_exp ( struct asn1_cursor *modulus,
171
struct asn1_cursor *exponent,
172
const struct asn1_cursor *raw ) {
173
struct asn1_bit_string bits;
174
struct asn1_cursor cursor;
178
/* Enter subjectPublicKeyInfo/RSAPrivateKey */
179
memcpy ( &cursor, raw, sizeof ( cursor ) );
180
asn1_enter ( &cursor, ASN1_SEQUENCE );
182
/* Determine key format */
183
if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
189
asn1_skip_any ( &cursor );
197
asn1_skip ( &cursor, ASN1_SEQUENCE );
199
/* Enter subjectPublicKey */
200
if ( ( rc = asn1_integral_bit_string ( &cursor, &bits ) ) != 0 )
202
cursor.data = bits.data;
203
cursor.len = bits.len;
205
/* Enter RSAPublicKey */
206
asn1_enter ( &cursor, ASN1_SEQUENCE );
209
/* Extract modulus */
210
if ( ( rc = rsa_parse_integer ( modulus, &cursor ) ) != 0 )
212
asn1_skip_any ( &cursor );
214
/* Skip public exponent, if applicable */
216
asn1_skip ( &cursor, ASN1_INTEGER );
218
/* Extract publicExponent/privateExponent */
219
if ( ( rc = rsa_parse_integer ( exponent, &cursor ) ) != 0 )
226
* Initialise RSA cipher
230
* @v key_len Length of key
231
* @ret rc Return status code
233
static int rsa_init ( void *ctx, const void *key, size_t key_len ) {
234
struct rsa_context *context = ctx;
235
struct asn1_cursor modulus;
236
struct asn1_cursor exponent;
237
struct asn1_cursor cursor;
240
/* Initialise context */
241
memset ( context, 0, sizeof ( *context ) );
243
/* Initialise cursor */
245
cursor.len = key_len;
247
/* Parse modulus and exponent */
248
if ( ( rc = rsa_parse_mod_exp ( &modulus, &exponent, &cursor ) ) != 0 ){
249
DBGC ( context, "RSA %p invalid modulus/exponent:\n", context );
250
DBGC_HDA ( context, 0, cursor.data, cursor.len );
254
DBGC ( context, "RSA %p modulus:\n", context );
255
DBGC_HDA ( context, 0, modulus.data, modulus.len );
256
DBGC ( context, "RSA %p exponent:\n", context );
257
DBGC_HDA ( context, 0, exponent.data, exponent.len );
259
/* Allocate dynamic storage */
260
if ( ( rc = rsa_alloc ( context, modulus.len, exponent.len ) ) != 0 )
263
/* Construct big integers */
264
bigint_init ( ( ( bigint_t ( context->size ) * ) context->modulus0 ),
265
modulus.data, modulus.len );
266
bigint_init ( ( ( bigint_t ( context->exponent_size ) * )
267
context->exponent0 ), exponent.data, exponent.len );
271
rsa_free ( context );
278
* Calculate RSA maximum output length
281
* @ret max_len Maximum output length
283
static size_t rsa_max_len ( void *ctx ) {
284
struct rsa_context *context = ctx;
286
return context->max_len;
290
* Perform RSA cipher operation
292
* @v context RSA context
294
* @v out Output buffer
296
static void rsa_cipher ( struct rsa_context *context,
297
const void *in, void *out ) {
298
bigint_t ( context->size ) *input = ( ( void * ) context->input0 );
299
bigint_t ( context->size ) *output = ( ( void * ) context->output0 );
300
bigint_t ( context->size ) *modulus = ( ( void * ) context->modulus0 );
301
bigint_t ( context->exponent_size ) *exponent =
302
( ( void * ) context->exponent0 );
304
/* Initialise big integer */
305
bigint_init ( input, in, context->max_len );
307
/* Perform modular exponentiation */
308
bigint_mod_exp ( input, modulus, exponent, output, context->tmp );
310
/* Copy out result */
311
bigint_done ( output, out, context->max_len );
318
* @v plaintext Plaintext
319
* @v plaintext_len Length of plaintext
320
* @v ciphertext Ciphertext
321
* @ret ciphertext_len Length of ciphertext, or negative error
323
static int rsa_encrypt ( void *ctx, const void *plaintext,
324
size_t plaintext_len, void *ciphertext ) {
325
struct rsa_context *context = ctx;
328
size_t max_len = ( context->max_len - 11 );
329
size_t random_nz_len = ( max_len - plaintext_len + 8 );
333
if ( plaintext_len > max_len ) {
334
DBGC ( context, "RSA %p plaintext too long (%zd bytes, max "
335
"%zd)\n", context, plaintext_len, max_len );
338
DBGC ( context, "RSA %p encrypting:\n", context );
339
DBGC_HDA ( context, 0, plaintext, plaintext_len );
341
/* Construct encoded message (using the big integer output
342
* buffer as temporary storage)
344
temp = context->output0;
348
if ( ( rc = get_random_nz ( &encoded[2], random_nz_len ) ) != 0 ) {
349
DBGC ( context, "RSA %p could not generate random data: %s\n",
350
context, strerror ( rc ) );
353
encoded[ 2 + random_nz_len ] = 0x00;
354
memcpy ( &encoded[ context->max_len - plaintext_len ],
355
plaintext, plaintext_len );
357
/* Encipher the encoded message */
358
rsa_cipher ( context, encoded, ciphertext );
359
DBGC ( context, "RSA %p encrypted:\n", context );
360
DBGC_HDA ( context, 0, ciphertext, context->max_len );
362
return context->max_len;
369
* @v ciphertext Ciphertext
370
* @v ciphertext_len Ciphertext length
371
* @v plaintext Plaintext
372
* @ret plaintext_len Plaintext length, or negative error
374
static int rsa_decrypt ( void *ctx, const void *ciphertext,
375
size_t ciphertext_len, void *plaintext ) {
376
struct rsa_context *context = ctx;
382
size_t plaintext_len;
385
if ( ciphertext_len != context->max_len ) {
386
DBGC ( context, "RSA %p ciphertext incorrect length (%zd "
387
"bytes, should be %zd)\n",
388
context, ciphertext_len, context->max_len );
391
DBGC ( context, "RSA %p decrypting:\n", context );
392
DBGC_HDA ( context, 0, ciphertext, ciphertext_len );
394
/* Decipher the message (using the big integer input buffer as
397
temp = context->input0;
399
rsa_cipher ( context, ciphertext, encoded );
401
/* Parse the message */
402
end = ( encoded + context->max_len );
403
if ( ( encoded[0] != 0x00 ) || ( encoded[1] != 0x02 ) )
405
zero = memchr ( &encoded[2], 0, ( end - &encoded[2] ) );
408
start = ( zero + 1 );
409
plaintext_len = ( end - start );
411
/* Copy out message */
412
memcpy ( plaintext, start, plaintext_len );
413
DBGC ( context, "RSA %p decrypted:\n", context );
414
DBGC_HDA ( context, 0, plaintext, plaintext_len );
416
return plaintext_len;
419
DBGC ( context, "RSA %p invalid decrypted message:\n", context );
420
DBGC_HDA ( context, 0, encoded, context->max_len );
427
* @v context RSA context
428
* @v digest Digest algorithm
429
* @v value Digest value
430
* @v encoded Encoded digest
431
* @ret rc Return status code
433
static int rsa_encode_digest ( struct rsa_context *context,
434
struct digest_algorithm *digest,
435
const void *value, void *encoded ) {
436
struct rsa_digestinfo_prefix *prefix;
437
size_t digest_len = digest->digestsize;
438
uint8_t *temp = encoded;
439
size_t digestinfo_len;
443
/* Identify prefix */
444
prefix = rsa_find_prefix ( digest );
446
DBGC ( context, "RSA %p has no prefix for %s\n",
447
context, digest->name );
450
digestinfo_len = ( prefix->len + digest_len );
453
max_len = ( context->max_len - 11 );
454
if ( digestinfo_len > max_len ) {
455
DBGC ( context, "RSA %p %s digestInfo too long (%zd bytes, max"
457
context, digest->name, digestinfo_len, max_len );
460
DBGC ( context, "RSA %p encoding %s digest:\n",
461
context, digest->name );
462
DBGC_HDA ( context, 0, value, digest_len );
464
/* Construct encoded message */
467
pad_len = ( max_len - digestinfo_len + 8 );
468
memset ( temp, 0xff, pad_len );
471
memcpy ( temp, prefix->data, prefix->len );
473
memcpy ( temp, value, digest_len );
475
assert ( temp == ( encoded + context->max_len ) );
476
DBGC ( context, "RSA %p encoded %s digest:\n", context, digest->name );
477
DBGC_HDA ( context, 0, encoded, context->max_len );
483
* Sign digest value using RSA
486
* @v digest Digest algorithm
487
* @v value Digest value
488
* @v signature Signature
489
* @ret signature_len Signature length, or negative error
491
static int rsa_sign ( void *ctx, struct digest_algorithm *digest,
492
const void *value, void *signature ) {
493
struct rsa_context *context = ctx;
497
DBGC ( context, "RSA %p signing %s digest:\n", context, digest->name );
498
DBGC_HDA ( context, 0, value, digest->digestsize );
500
/* Encode digest (using the big integer output buffer as
503
temp = context->output0;
504
if ( ( rc = rsa_encode_digest ( context, digest, value, temp ) ) != 0 )
507
/* Encipher the encoded digest */
508
rsa_cipher ( context, temp, signature );
509
DBGC ( context, "RSA %p signed %s digest:\n", context, digest->name );
510
DBGC_HDA ( context, 0, signature, context->max_len );
512
return context->max_len;
516
* Verify signed digest value using RSA
519
* @v digest Digest algorithm
520
* @v value Digest value
521
* @v signature Signature
522
* @v signature_len Signature length
523
* @ret rc Return status code
525
static int rsa_verify ( void *ctx, struct digest_algorithm *digest,
526
const void *value, const void *signature,
527
size_t signature_len ) {
528
struct rsa_context *context = ctx;
535
if ( signature_len != context->max_len ) {
536
DBGC ( context, "RSA %p signature incorrect length (%zd "
537
"bytes, should be %zd)\n",
538
context, signature_len, context->max_len );
541
DBGC ( context, "RSA %p verifying %s digest:\n",
542
context, digest->name );
543
DBGC_HDA ( context, 0, value, digest->digestsize );
544
DBGC_HDA ( context, 0, signature, signature_len );
546
/* Decipher the signature (using the big integer input buffer
547
* as temporary storage)
549
temp = context->input0;
551
rsa_cipher ( context, signature, expected );
552
DBGC ( context, "RSA %p deciphered signature:\n", context );
553
DBGC_HDA ( context, 0, expected, context->max_len );
555
/* Encode digest (using the big integer output buffer as
558
temp = context->output0;
560
if ( ( rc = rsa_encode_digest ( context, digest, value, actual ) ) !=0 )
563
/* Verify the signature */
564
if ( memcmp ( actual, expected, context->max_len ) != 0 ) {
565
DBGC ( context, "RSA %p signature verification failed\n",
567
return -EACCES_VERIFY;
570
DBGC ( context, "RSA %p signature verified successfully\n", context );
575
* Finalise RSA cipher
579
static void rsa_final ( void *ctx ) {
580
struct rsa_context *context = ctx;
582
rsa_free ( context );
586
* Check for matching RSA public/private key pair
588
* @v private_key Private key
589
* @v private_key_len Private key length
590
* @v public_key Public key
591
* @v public_key_len Public key length
592
* @ret rc Return status code
594
static int rsa_match ( const void *private_key, size_t private_key_len,
595
const void *public_key, size_t public_key_len ) {
596
struct asn1_cursor private_modulus;
597
struct asn1_cursor private_exponent;
598
struct asn1_cursor private_cursor;
599
struct asn1_cursor public_modulus;
600
struct asn1_cursor public_exponent;
601
struct asn1_cursor public_cursor;
604
/* Initialise cursors */
605
private_cursor.data = private_key;
606
private_cursor.len = private_key_len;
607
public_cursor.data = public_key;
608
public_cursor.len = public_key_len;
610
/* Parse moduli and exponents */
611
if ( ( rc = rsa_parse_mod_exp ( &private_modulus, &private_exponent,
612
&private_cursor ) ) != 0 )
614
if ( ( rc = rsa_parse_mod_exp ( &public_modulus, &public_exponent,
615
&public_cursor ) ) != 0 )
619
if ( asn1_compare ( &private_modulus, &public_modulus ) != 0 )
625
/** RSA public-key algorithm */
626
struct pubkey_algorithm rsa_algorithm = {
628
.ctxsize = sizeof ( struct rsa_context ),
630
.max_len = rsa_max_len,
631
.encrypt = rsa_encrypt,
632
.decrypt = rsa_decrypt,
634
.verify = rsa_verify,