ecrdsa.c 8.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
  1. // SPDX-License-Identifier: GPL-2.0+
  2. /*
  3. * Elliptic Curve (Russian) Digital Signature Algorithm for Cryptographic API
  4. *
  5. * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
  6. *
  7. * References:
  8. * GOST 34.10-2018, GOST R 34.10-2012, RFC 7091, ISO/IEC 14888-3:2018.
  9. *
  10. * Historical references:
  11. * GOST R 34.10-2001, RFC 4357, ISO/IEC 14888-3:2006/Amd 1:2010.
  12. *
  13. * This program is free software; you can redistribute it and/or modify it
  14. * under the terms of the GNU General Public License as published by the Free
  15. * Software Foundation; either version 2 of the License, or (at your option)
  16. * any later version.
  17. */
  18. #include <linux/module.h>
  19. #include <linux/crypto.h>
  20. #include <crypto/sig.h>
  21. #include <crypto/streebog.h>
  22. #include <crypto/internal/ecc.h>
  23. #include <crypto/internal/sig.h>
  24. #include <linux/oid_registry.h>
  25. #include "ecrdsa_params.asn1.h"
  26. #include "ecrdsa_pub_key.asn1.h"
  27. #include "ecrdsa_defs.h"
  28. #define ECRDSA_MAX_SIG_SIZE (2 * 512 / 8)
  29. #define ECRDSA_MAX_DIGITS (512 / 64)
  30. struct ecrdsa_ctx {
  31. enum OID algo_oid; /* overall public key oid */
  32. enum OID curve_oid; /* parameter */
  33. enum OID digest_oid; /* parameter */
  34. const struct ecc_curve *curve; /* curve from oid */
  35. unsigned int digest_len; /* parameter (bytes) */
  36. const char *digest; /* digest name from oid */
  37. unsigned int key_len; /* @key length (bytes) */
  38. const char *key; /* raw public key */
  39. struct ecc_point pub_key;
  40. u64 _pubp[2][ECRDSA_MAX_DIGITS]; /* point storage for @pub_key */
  41. };
  42. static const struct ecc_curve *get_curve_by_oid(enum OID oid)
  43. {
  44. switch (oid) {
  45. case OID_gostCPSignA:
  46. case OID_gostTC26Sign256B:
  47. return &gost_cp256a;
  48. case OID_gostCPSignB:
  49. case OID_gostTC26Sign256C:
  50. return &gost_cp256b;
  51. case OID_gostCPSignC:
  52. case OID_gostTC26Sign256D:
  53. return &gost_cp256c;
  54. case OID_gostTC26Sign512A:
  55. return &gost_tc512a;
  56. case OID_gostTC26Sign512B:
  57. return &gost_tc512b;
  58. /* The following two aren't implemented: */
  59. case OID_gostTC26Sign256A:
  60. case OID_gostTC26Sign512C:
  61. default:
  62. return NULL;
  63. }
  64. }
  65. static int ecrdsa_verify(struct crypto_sig *tfm,
  66. const void *src, unsigned int slen,
  67. const void *digest, unsigned int dlen)
  68. {
  69. struct ecrdsa_ctx *ctx = crypto_sig_ctx(tfm);
  70. unsigned int ndigits = dlen / sizeof(u64);
  71. u64 r[ECRDSA_MAX_DIGITS]; /* witness (r) */
  72. u64 _r[ECRDSA_MAX_DIGITS]; /* -r */
  73. u64 s[ECRDSA_MAX_DIGITS]; /* second part of sig (s) */
  74. u64 e[ECRDSA_MAX_DIGITS]; /* h \mod q */
  75. u64 *v = e; /* e^{-1} \mod q */
  76. u64 z1[ECRDSA_MAX_DIGITS];
  77. u64 *z2 = _r;
  78. struct ecc_point cc = ECC_POINT_INIT(s, e, ndigits); /* reuse s, e */
  79. /*
  80. * Digest value, digest algorithm, and curve (modulus) should have the
  81. * same length (256 or 512 bits), public key and signature should be
  82. * twice bigger.
  83. */
  84. if (!ctx->curve ||
  85. !ctx->digest ||
  86. !src ||
  87. !digest ||
  88. !ctx->pub_key.x ||
  89. dlen != ctx->digest_len ||
  90. dlen != ctx->curve->g.ndigits * sizeof(u64) ||
  91. ctx->pub_key.ndigits != ctx->curve->g.ndigits ||
  92. dlen * 2 != slen ||
  93. WARN_ON(slen > ECRDSA_MAX_SIG_SIZE) ||
  94. WARN_ON(dlen > STREEBOG512_DIGEST_SIZE))
  95. return -EBADMSG;
  96. vli_from_be64(s, src, ndigits);
  97. vli_from_be64(r, src + ndigits * sizeof(u64), ndigits);
  98. /* Step 1: verify that 0 < r < q, 0 < s < q */
  99. if (vli_is_zero(r, ndigits) ||
  100. vli_cmp(r, ctx->curve->n, ndigits) >= 0 ||
  101. vli_is_zero(s, ndigits) ||
  102. vli_cmp(s, ctx->curve->n, ndigits) >= 0)
  103. return -EKEYREJECTED;
  104. /* Step 2: calculate hash (h) of the message (passed as input) */
  105. /* Step 3: calculate e = h \mod q */
  106. vli_from_le64(e, digest, ndigits);
  107. if (vli_cmp(e, ctx->curve->n, ndigits) >= 0)
  108. vli_sub(e, e, ctx->curve->n, ndigits);
  109. if (vli_is_zero(e, ndigits))
  110. e[0] = 1;
  111. /* Step 4: calculate v = e^{-1} \mod q */
  112. vli_mod_inv(v, e, ctx->curve->n, ndigits);
  113. /* Step 5: calculate z_1 = sv \mod q, z_2 = -rv \mod q */
  114. vli_mod_mult_slow(z1, s, v, ctx->curve->n, ndigits);
  115. vli_sub(_r, ctx->curve->n, r, ndigits);
  116. vli_mod_mult_slow(z2, _r, v, ctx->curve->n, ndigits);
  117. /* Step 6: calculate point C = z_1P + z_2Q, and R = x_c \mod q */
  118. ecc_point_mult_shamir(&cc, z1, &ctx->curve->g, z2, &ctx->pub_key,
  119. ctx->curve);
  120. if (vli_cmp(cc.x, ctx->curve->n, ndigits) >= 0)
  121. vli_sub(cc.x, cc.x, ctx->curve->n, ndigits);
  122. /* Step 7: if R == r signature is valid */
  123. if (!vli_cmp(cc.x, r, ndigits))
  124. return 0;
  125. else
  126. return -EKEYREJECTED;
  127. }
  128. int ecrdsa_param_curve(void *context, size_t hdrlen, unsigned char tag,
  129. const void *value, size_t vlen)
  130. {
  131. struct ecrdsa_ctx *ctx = context;
  132. ctx->curve_oid = look_up_OID(value, vlen);
  133. if (!ctx->curve_oid)
  134. return -EINVAL;
  135. ctx->curve = get_curve_by_oid(ctx->curve_oid);
  136. return 0;
  137. }
  138. /* Optional. If present should match expected digest algo OID. */
  139. int ecrdsa_param_digest(void *context, size_t hdrlen, unsigned char tag,
  140. const void *value, size_t vlen)
  141. {
  142. struct ecrdsa_ctx *ctx = context;
  143. int digest_oid = look_up_OID(value, vlen);
  144. if (digest_oid != ctx->digest_oid)
  145. return -EINVAL;
  146. return 0;
  147. }
  148. int ecrdsa_parse_pub_key(void *context, size_t hdrlen, unsigned char tag,
  149. const void *value, size_t vlen)
  150. {
  151. struct ecrdsa_ctx *ctx = context;
  152. ctx->key = value;
  153. ctx->key_len = vlen;
  154. return 0;
  155. }
  156. static u8 *ecrdsa_unpack_u32(u32 *dst, void *src)
  157. {
  158. memcpy(dst, src, sizeof(u32));
  159. return src + sizeof(u32);
  160. }
  161. /* Parse BER encoded subjectPublicKey. */
  162. static int ecrdsa_set_pub_key(struct crypto_sig *tfm, const void *key,
  163. unsigned int keylen)
  164. {
  165. struct ecrdsa_ctx *ctx = crypto_sig_ctx(tfm);
  166. unsigned int ndigits;
  167. u32 algo, paramlen;
  168. u8 *params;
  169. int err;
  170. err = asn1_ber_decoder(&ecrdsa_pub_key_decoder, ctx, key, keylen);
  171. if (err < 0)
  172. return err;
  173. /* Key parameters is in the key after keylen. */
  174. params = ecrdsa_unpack_u32(&paramlen,
  175. ecrdsa_unpack_u32(&algo, (u8 *)key + keylen));
  176. if (algo == OID_gost2012PKey256) {
  177. ctx->digest = "streebog256";
  178. ctx->digest_oid = OID_gost2012Digest256;
  179. ctx->digest_len = 256 / 8;
  180. } else if (algo == OID_gost2012PKey512) {
  181. ctx->digest = "streebog512";
  182. ctx->digest_oid = OID_gost2012Digest512;
  183. ctx->digest_len = 512 / 8;
  184. } else
  185. return -ENOPKG;
  186. ctx->algo_oid = algo;
  187. /* Parse SubjectPublicKeyInfo.AlgorithmIdentifier.parameters. */
  188. err = asn1_ber_decoder(&ecrdsa_params_decoder, ctx, params, paramlen);
  189. if (err < 0)
  190. return err;
  191. /*
  192. * Sizes of algo (set in digest_len) and curve should match
  193. * each other.
  194. */
  195. if (!ctx->curve ||
  196. ctx->curve->g.ndigits * sizeof(u64) != ctx->digest_len)
  197. return -ENOPKG;
  198. /*
  199. * Key is two 256- or 512-bit coordinates which should match
  200. * curve size.
  201. */
  202. if ((ctx->key_len != (2 * 256 / 8) &&
  203. ctx->key_len != (2 * 512 / 8)) ||
  204. ctx->key_len != ctx->curve->g.ndigits * sizeof(u64) * 2)
  205. return -ENOPKG;
  206. ndigits = ctx->key_len / sizeof(u64) / 2;
  207. ctx->pub_key = ECC_POINT_INIT(ctx->_pubp[0], ctx->_pubp[1], ndigits);
  208. vli_from_le64(ctx->pub_key.x, ctx->key, ndigits);
  209. vli_from_le64(ctx->pub_key.y, ctx->key + ndigits * sizeof(u64),
  210. ndigits);
  211. if (ecc_is_pubkey_valid_partial(ctx->curve, &ctx->pub_key))
  212. return -EKEYREJECTED;
  213. return 0;
  214. }
  215. static unsigned int ecrdsa_key_size(struct crypto_sig *tfm)
  216. {
  217. struct ecrdsa_ctx *ctx = crypto_sig_ctx(tfm);
  218. /*
  219. * Verify doesn't need any output, so it's just informational
  220. * for keyctl to determine the key bit size.
  221. */
  222. return ctx->pub_key.ndigits * sizeof(u64) * BITS_PER_BYTE;
  223. }
  224. static unsigned int ecrdsa_max_size(struct crypto_sig *tfm)
  225. {
  226. struct ecrdsa_ctx *ctx = crypto_sig_ctx(tfm);
  227. return 2 * ctx->pub_key.ndigits * sizeof(u64);
  228. }
  229. static void ecrdsa_exit_tfm(struct crypto_sig *tfm)
  230. {
  231. }
  232. static struct sig_alg ecrdsa_alg = {
  233. .verify = ecrdsa_verify,
  234. .set_pub_key = ecrdsa_set_pub_key,
  235. .key_size = ecrdsa_key_size,
  236. .max_size = ecrdsa_max_size,
  237. .exit = ecrdsa_exit_tfm,
  238. .base = {
  239. .cra_name = "ecrdsa",
  240. .cra_driver_name = "ecrdsa-generic",
  241. .cra_priority = 100,
  242. .cra_module = THIS_MODULE,
  243. .cra_ctxsize = sizeof(struct ecrdsa_ctx),
  244. },
  245. };
  246. static int __init ecrdsa_mod_init(void)
  247. {
  248. return crypto_register_sig(&ecrdsa_alg);
  249. }
  250. static void __exit ecrdsa_mod_fini(void)
  251. {
  252. crypto_unregister_sig(&ecrdsa_alg);
  253. }
  254. module_init(ecrdsa_mod_init);
  255. module_exit(ecrdsa_mod_fini);
  256. MODULE_LICENSE("GPL");
  257. MODULE_AUTHOR("Vitaly Chikunov <vt@altlinux.org>");
  258. MODULE_DESCRIPTION("EC-RDSA generic algorithm");
  259. MODULE_ALIAS_CRYPTO("ecrdsa");
  260. MODULE_ALIAS_CRYPTO("ecrdsa-generic");