ecdsa-x962.c 5.8 KB

  1. // SPDX-License-Identifier: GPL-2.0+
  2. /*
  3. * ECDSA X9.62 signature encoding
  4. *
  5. * Copyright (c) 2021 IBM Corporation
  6. * Copyright (c) 2024 Intel Corporation
  7. */
  8. #include <linux/asn1_decoder.h>
  9. #include <linux/err.h>
  10. #include <linux/module.h>
  11. #include <crypto/algapi.h>
  12. #include <crypto/sig.h>
  13. #include <crypto/internal/ecc.h>
  14. #include <crypto/internal/sig.h>
  15. #include "ecdsasignature.asn1.h"
  /*
   * Per-transform state of the x962 wrapper: the inner signature transform
   * that every operation in this file forwards to.
   */
  struct ecdsa_x962_ctx {
      struct crypto_sig *child;
  };
  /*
   * Context passed to the ASN.1 decoder while a signature is parsed.
   *
   * sig     - raw (r, s) pair filled in by the decoder callbacks
   * ndigits - number of 64-bit digits the callbacks write for each integer
   */
  struct ecdsa_x962_signature_ctx {
      struct ecdsa_raw_sig sig;
      unsigned int ndigits;
  };
  /*
   * Convert one ASN.1 INTEGER of a signature (r or s) into @ndigits 64-bit
   * digits stored at @dest.
   *
   * @hdrlen and @tag are not used here; they are only passed through by the
   * two callbacks below.
   *
   * Returns 0 on success and -EINVAL when @value is NULL, @vlen is 0, the
   * integer is more than one byte longer than @ndigits digits, or it is
   * exactly one byte longer and that extra leading byte is not zero.
   *
   * NOTE(review): these are the only checks made here. Shorter encodings and
   * encodings with redundant leading zero bytes are accepted, and the high
   * bit is not inspected when vlen <= ndigits * 8, so one (r, s) pair can
   * have several accepted byte encodings. Callers should not treat the
   * encoded signature bytes as a unique identifier. Range checks on r and s
   * are presumably done by the child algorithm - confirm there.
   */
  static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
                                    const void *value, size_t vlen,
                                    unsigned int ndigits)
  {
      const size_t capacity = ndigits * sizeof(u64);
      const char *bytes = value;

      if (!value || !vlen)
          return -EINVAL;
      if (vlen > capacity + 1)
          return -EINVAL;

      /*
       * One byte over capacity is allowed only for the zero pad byte that
       * keeps an integer with its top bit set positive.
       */
      if (vlen > capacity) {
          if (*bytes != 0)
              return -EINVAL;
          bytes++;
          vlen--;
      }

      ecc_digits_from_bytes(bytes, vlen, dest, ndigits);

      return 0;
  }
  /*
   * Decoder callback for the r component: @context is the
   * struct ecdsa_x962_signature_ctx given to asn1_ber_decoder(), and the
   * parsed integer is stored in its sig.r field.
   *
   * Returns what ecdsa_get_signature_rs() returns (0 or -EINVAL).
   */
  int ecdsa_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
                            const void *value, size_t vlen)
  {
      struct ecdsa_x962_signature_ctx *state = context;
      u64 *r = state->sig.r;

      return ecdsa_get_signature_rs(r, hdrlen, tag, value, vlen,
                                    state->ndigits);
  }
  /*
   * Decoder callback for the s component: @context is the
   * struct ecdsa_x962_signature_ctx given to asn1_ber_decoder(), and the
   * parsed integer is stored in its sig.s field.
   *
   * Returns what ecdsa_get_signature_rs() returns (0 or -EINVAL).
   */
  int ecdsa_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
                            const void *value, size_t vlen)
  {
      struct ecdsa_x962_signature_ctx *state = context;
      u64 *s = state->sig.s;

      return ecdsa_get_signature_rs(s, hdrlen, tag, value, vlen,
                                    state->ndigits);
  }
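  /*
   * Verify an ASN.1-encoded signature: decode @src (@slen bytes) into a raw
   * (r, s) pair and pass that pair with @digest (@dlen bytes) to the child
   * transform.
   *
   * Returns the negative error from asn1_ber_decoder() if decoding fails,
   * otherwise whatever crypto_sig_verify() on the child returns.
   */
  static int ecdsa_x962_verify(struct crypto_sig *tfm,
                               const void *src, unsigned int slen,
                               const void *digest, unsigned int dlen)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      /*
       * Zero-initialise the whole context. The decoder callbacks are told
       * to write only ndigits words of r and s, while the child receives
       * sizeof(sig_ctx.sig) bytes; without the initialiser any words past
       * ndigits would be indeterminate stack contents.
       */
      struct ecdsa_x962_signature_ctx sig_ctx = {
          /* key size in bits, rounded up to whole 64-bit digits */
          .ndigits = DIV_ROUND_UP_POW2(crypto_sig_keysize(ctx->child),
                                       sizeof(u64) * BITS_PER_BYTE),
      };
      int err;

      err = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, src, slen);
      if (err < 0)
          return err;

      return crypto_sig_verify(ctx->child, &sig_ctx.sig, sizeof(sig_ctx.sig),
                               digest, dlen);
  }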
  /* Report the key size of the wrapped child transform unchanged. */
  static unsigned int ecdsa_x962_key_size(struct crypto_sig *tfm)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct crypto_sig *inner = ctx->child;

      return crypto_sig_keysize(inner);
  }
  /*
   * Upper bound, in bytes, on the ASN.1-encoded signature this template
   * accepts.
   *
   * Verify takes an ECDSA-Sig-Value (RFC 5480): two key-size-bit integers
   * encoded in ASN.1, so the encoding overhead is added to the raw size.
   */
  static unsigned int ecdsa_x962_max_size(struct crypto_sig *tfm)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct sig_alg *alg = crypto_sig_alg(ctx->child);
      /* bytes needed for one key-size integer */
      int int_len = DIV_ROUND_UP_POW2(crypto_sig_keysize(ctx->child),
                                      BITS_PER_BYTE);
      int body_len;

      /*
       * For NIST P192/256/384 an integer may carry a leading zero byte
       * that marks it as positive; NIST P521 never needs one.
       */
      if (strcmp(alg->base.cra_name, "ecdsa-nist-p521") != 0)
          int_len++;

      /* Two encoded integers, each with two bytes of encoding overhead. */
      body_len = 2 * (int_len + 2);

      /*
       * Outer overhead: one byte, one length byte, and one more length
       * byte once the content is 128 bytes or longer.
       */
      return 1 + (body_len >= 128) + 1 + body_len;
  }
  /* Report the digest size of the wrapped child transform unchanged. */
  static unsigned int ecdsa_x962_digest_size(struct crypto_sig *tfm)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct crypto_sig *inner = ctx->child;

      return crypto_sig_digestsize(inner);
  }
  /*
   * Install a public key by forwarding @key (@keylen bytes) to the child
   * transform as-is; no parsing or validation is done at this layer.
   *
   * Returns the result of crypto_sig_set_pubkey() on the child.
   */
  static int ecdsa_x962_set_pub_key(struct crypto_sig *tfm,
                                    const void *key, unsigned int keylen)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct crypto_sig *inner = ctx->child;

      return crypto_sig_set_pubkey(inner, key, keylen);
  }
  /*
   * Transform init hook: create the child transform from the instance's
   * spawn and remember it in the transform context.
   *
   * Returns 0 on success or the error encoded in the pointer returned by
   * crypto_spawn_sig().
   */
  static int ecdsa_x962_init_tfm(struct crypto_sig *tfm)
  {
      struct crypto_sig_spawn *spawn = sig_instance_ctx(sig_alg_instance(tfm));
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct crypto_sig *child = crypto_spawn_sig(spawn);

      if (IS_ERR(child))
          return PTR_ERR(child);

      ctx->child = child;

      return 0;
  }
  /* Transform exit hook: free the child transform stored in the context. */
  static void ecdsa_x962_exit_tfm(struct crypto_sig *tfm)
  {
      struct ecdsa_x962_ctx *ctx = crypto_sig_ctx(tfm);
      struct crypto_sig *inner = ctx->child;

      crypto_free_sig(inner);
  }
  /*
   * Instance destructor: drop the spawn embedded in the instance, then free
   * the instance allocation itself.
   */
  static void ecdsa_x962_free(struct sig_instance *inst)
  {
      crypto_drop_sig(sig_instance_ctx(inst));
      kfree(inst);
  }
  /*
   * Template ->create hook: build and register an instance that wraps the
   * signature algorithm named in @tb[1].
   *
   * Returns 0 on success. On failure returns the error from the failing
   * step, -ENOMEM if the instance cannot be allocated, or -EINVAL if the
   * wrapped algorithm's cra_name does not start with "ecdsa".
   *
   * Only verify, key_size, max_size, digest_size and set_pub_key are wired
   * up below; no signing operation is assigned here.
   */
  static int ecdsa_x962_create(struct crypto_template *tmpl, struct rtattr **tb)
  {
      struct crypto_sig_spawn *spawn;
      struct sig_instance *inst;
      struct sig_alg *inner_alg;
      u32 mask;
      int err;

      err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SIG, &mask);
      if (err)
          return err;

      /* The spawn lives in the same allocation, right after the instance. */
      inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
      if (!inst)
          return -ENOMEM;

      spawn = sig_instance_ctx(inst);

      err = crypto_grab_sig(spawn, sig_crypto_instance(inst),
                            crypto_attr_alg_name(tb[1]), 0, mask);
      if (err)
          goto err_free_inst;

      inner_alg = crypto_spawn_sig_alg(spawn);

      /*
       * Prefix match only: any algorithm whose cra_name begins with the
       * five characters "ecdsa" is accepted as the child.
       */
      if (strncmp(inner_alg->base.cra_name, "ecdsa", 5) != 0) {
          err = -EINVAL;
          goto err_free_inst;
      }

      err = crypto_inst_setname(sig_crypto_instance(inst), tmpl->name,
                                &inner_alg->base);
      if (err)
          goto err_free_inst;

      inst->alg.base.cra_priority = inner_alg->base.cra_priority;
      inst->alg.base.cra_ctxsize = sizeof(struct ecdsa_x962_ctx);

      inst->alg.init = ecdsa_x962_init_tfm;
      inst->alg.exit = ecdsa_x962_exit_tfm;

      inst->alg.verify = ecdsa_x962_verify;
      inst->alg.key_size = ecdsa_x962_key_size;
      inst->alg.max_size = ecdsa_x962_max_size;
      inst->alg.digest_size = ecdsa_x962_digest_size;
      inst->alg.set_pub_key = ecdsa_x962_set_pub_key;

      inst->free = ecdsa_x962_free;

      err = sig_register_instance(tmpl, inst);
      if (!err)
          return 0;

  err_free_inst:
      /* Shared failure path, also taken when registration itself fails. */
      ecdsa_x962_free(inst);
      return err;
  }
  /*
   * Template descriptor named "x962"; instances of it are built by
   * ecdsa_x962_create().
   */
  struct crypto_template ecdsa_x962_tmpl = {
      .module = THIS_MODULE,
      .create = ecdsa_x962_create,
      .name = "x962",
  };

  MODULE_ALIAS_CRYPTO("x962");