| blob | 02699e6e6d13cfbdbea378ba99fe86f95d1786dd |
1 /*
2 * QEMU Crypto akcipher algorithms
3 *
4 * Copyright (c) 2022 Bytedance
5 * Author: lei he <helei.sig11@bytedance.com>
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 *
20 */
22 #include <nettle/rsa.h>
24 #include "qemu/osdep.h"
25 #include "qemu/host-utils.h"
26 #include "crypto/akcipher.h"
27 #include "crypto/random.h"
28 #include "qapi/error.h"
29 #include "sysemu/cryptodev.h"
30 #include "rsakey.h"
32 typedef struct QCryptoNettleRSA {
33 QCryptoAkCipher akcipher;
34 struct rsa_public_key pub;
35 struct rsa_private_key priv;
36 QCryptoRSAPaddingAlgorithm padding_alg;
37 QCryptoHashAlgorithm hash_alg;
38 } QCryptoNettleRSA;
40 static void qcrypto_nettle_rsa_free(QCryptoAkCipher *akcipher)
41 {
42 QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
43 if (!rsa) {
44 return;
45 }
47 rsa_public_key_clear(&rsa->pub);
48 rsa_private_key_clear(&rsa->priv);
49 g_free(rsa);
50 }
52 static QCryptoAkCipher *qcrypto_nettle_rsa_new(
53 const QCryptoAkCipherOptionsRSA *opt,
54 QCryptoAkCipherKeyType type,
55 const uint8_t *key, size_t keylen,
56 Error **errp);
58 QCryptoAkCipher *qcrypto_akcipher_new(const QCryptoAkCipherOptions *opts,
59 QCryptoAkCipherKeyType type,
60 const uint8_t *key, size_t keylen,
61 Error **errp)
62 {
63 switch (opts->alg) {
64 case QCRYPTO_AKCIPHER_ALG_RSA:
65 return qcrypto_nettle_rsa_new(&opts->u.rsa, type, key, keylen, errp);
67 default:
68 error_setg(errp, "Unsupported algorithm: %u", opts->alg);
69 return NULL;
70 }
72 return NULL;
73 }
75 static void qcrypto_nettle_rsa_set_akcipher_size(QCryptoAkCipher *akcipher,
76 int key_size)
77 {
78 akcipher->max_plaintext_len = key_size;
79 akcipher->max_ciphertext_len = key_size;
80 akcipher->max_signature_len = key_size;
81 akcipher->max_dgst_len = key_size;
82 }
84 static int qcrypt_nettle_parse_rsa_private_key(QCryptoNettleRSA *rsa,
85 const uint8_t *key,
86 size_t keylen,
87 Error **errp)
88 {
89 g_autoptr(QCryptoAkCipherRSAKey) rsa_key = qcrypto_akcipher_rsakey_parse(
90 QCRYPTO_AKCIPHER_KEY_TYPE_PRIVATE, key, keylen, errp);
92 if (!rsa_key) {
93 return -1;
94 }
96 nettle_mpz_init_set_str_256_u(rsa->pub.n, rsa_key->n.len, rsa_key->n.data);
97 nettle_mpz_init_set_str_256_u(rsa->pub.e, rsa_key->e.len, rsa_key->e.data);
98 nettle_mpz_init_set_str_256_u(rsa->priv.d, rsa_key->d.len, rsa_key->d.data);
99 nettle_mpz_init_set_str_256_u(rsa->priv.p, rsa_key->p.len, rsa_key->p.data);
100 nettle_mpz_init_set_str_256_u(rsa->priv.q, rsa_key->q.len, rsa_key->q.data);
101 nettle_mpz_init_set_str_256_u(rsa->priv.a, rsa_key->dp.len,
102 rsa_key->dp.data);
103 nettle_mpz_init_set_str_256_u(rsa->priv.b, rsa_key->dq.len,
104 rsa_key->dq.data);
105 nettle_mpz_init_set_str_256_u(rsa->priv.c, rsa_key->u.len, rsa_key->u.data);
107 if (!rsa_public_key_prepare(&rsa->pub)) {
108 error_setg(errp, "Failed to check RSA key");
109 return -1;
110 }
112 /**
113 * Since in the kernel's unit test, the p, q, a, b, c of some
114 * private keys is 0, only the simplest length check is done here
115 */
116 if (rsa_key->p.len > 1 &&
117 rsa_key->q.len > 1 &&
118 rsa_key->dp.len > 1 &&
119 rsa_key->dq.len > 1 &&
120 rsa_key->u.len > 1) {
121 if (!rsa_private_key_prepare(&rsa->priv)) {
122 error_setg(errp, "Failed to check RSA key");
123 return -1;
124 }
125 } else {
126 rsa->priv.size = rsa->pub.size;
127 }
128 qcrypto_nettle_rsa_set_akcipher_size(
129 (QCryptoAkCipher *)rsa, rsa->priv.size);
131 return 0;
132 }
134 static int qcrypt_nettle_parse_rsa_public_key(QCryptoNettleRSA *rsa,
135 const uint8_t *key,
136 size_t keylen,
137 Error **errp)
138 {
139 g_autoptr(QCryptoAkCipherRSAKey) rsa_key = qcrypto_akcipher_rsakey_parse(
140 QCRYPTO_AKCIPHER_KEY_TYPE_PUBLIC, key, keylen, errp);
142 if (!rsa_key) {
143 return -1;
144 }
145 nettle_mpz_init_set_str_256_u(rsa->pub.n, rsa_key->n.len, rsa_key->n.data);
146 nettle_mpz_init_set_str_256_u(rsa->pub.e, rsa_key->e.len, rsa_key->e.data);
148 if (!rsa_public_key_prepare(&rsa->pub)) {
149 error_setg(errp, "Failed to check RSA key");
150 return -1;
151 }
152 qcrypto_nettle_rsa_set_akcipher_size(
153 (QCryptoAkCipher *)rsa, rsa->pub.size);
155 return 0;
156 }
158 static void wrap_nettle_random_func(void *ctx, size_t len, uint8_t *out)
159 {
160 qcrypto_random_bytes(out, len, &error_abort);
161 }
163 static int qcrypto_nettle_rsa_encrypt(QCryptoAkCipher *akcipher,
164 const void *data, size_t data_len,
165 void *enc, size_t enc_len,
166 Error **errp)
167 {
169 QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
170 mpz_t c;
171 int ret = -1;
173 if (data_len > rsa->pub.size) {
174 error_setg(errp, "Plaintext length %zu is greater than key size: %zu",
175 data_len, rsa->pub.size);
176 return ret;
177 }
179 if (enc_len < rsa->pub.size) {
180 error_setg(errp, "Ciphertext buffer length %zu is less than "
181 "key size: %zu", enc_len, rsa->pub.size);
182 return ret;
183 }
185 /* Nettle do not support RSA encryption without any padding */
186 switch (rsa->padding_alg) {
187 case QCRYPTO_RSA_PADDING_ALG_RAW:
188 error_setg(errp, "RSA with raw padding is not supported");
189 break;
191 case QCRYPTO_RSA_PADDING_ALG_PKCS1:
192 mpz_init(c);
193 if (rsa_encrypt(&rsa->pub, NULL, wrap_nettle_random_func,
194 data_len, (uint8_t *)data, c) != 1) {
195 error_setg(errp, "Failed to encrypt");
196 } else {
197 nettle_mpz_get_str_256(enc_len, (uint8_t *)enc, c);
198 ret = nettle_mpz_sizeinbase_256_u(c);
199 }
200 mpz_clear(c);
201 break;
203 default:
204 error_setg(errp, "Unknown padding");
205 }
207 return ret;
208 }
210 static int qcrypto_nettle_rsa_decrypt(QCryptoAkCipher *akcipher,
211 const void *enc, size_t enc_len,
212 void *data, size_t data_len,
213 Error **errp)
214 {
215 QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
216 mpz_t c;
217 int ret = -1;
219 if (enc_len > rsa->priv.size) {
220 error_setg(errp, "Ciphertext length %zu is greater than key size: %zu",
221 enc_len, rsa->priv.size);
222 return ret;
223 }
225 switch (rsa->padding_alg) {
226 case QCRYPTO_RSA_PADDING_ALG_RAW:
227 error_setg(errp, "RSA with raw padding is not supported");
228 break;
230 case QCRYPTO_RSA_PADDING_ALG_PKCS1:
231 nettle_mpz_init_set_str_256_u(c, enc_len, enc);
232 if (!rsa_decrypt(&rsa->priv, &data_len, (uint8_t *)data, c)) {
233 error_setg(errp, "Failed to decrypt");
234 } else {
235 ret = data_len;
236 }
238 mpz_clear(c);
239 break;
241 default:
242 error_setg(errp, "Unknown padding algorithm: %d", rsa->padding_alg);
243 }
245 return ret;
246 }
248 static int qcrypto_nettle_rsa_sign(QCryptoAkCipher *akcipher,
249 const void *data, size_t data_len,
250 void *sig, size_t sig_len, Error **errp)
251 {
252 QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
253 int ret = -1, rv;
254 mpz_t s;
256 /**
257 * The RSA algorithm cannot be used for signature/verification
258 * without padding.
259 */
260 if (rsa->padding_alg == QCRYPTO_RSA_PADDING_ALG_RAW) {
261 error_setg(errp, "Try to make signature without padding");
262 return ret;
263 }
265 if (data_len > rsa->priv.size) {
266 error_setg(errp, "Data length %zu is greater than key size: %zu",
267 data_len, rsa->priv.size);
268 return ret;
269 }
271 if (sig_len < rsa->priv.size) {
272 error_setg(errp, "Signature buffer length %zu is less than "
273 "key size: %zu", sig_len, rsa->priv.size);
274 return ret;
275 }
277 mpz_init(s);
278 switch (rsa->hash_alg) {
279 case QCRYPTO_HASH_ALG_MD5:
280 rv = rsa_md5_sign_digest(&rsa->priv, data, s);
281 break;
283 case QCRYPTO_HASH_ALG_SHA1:
284 rv = rsa_sha1_sign_digest(&rsa->priv, data, s);
285 break;
287 case QCRYPTO_HASH_ALG_SHA256:
288 rv = rsa_sha256_sign_digest(&rsa->priv, data, s);
289 break;
291 case QCRYPTO_HASH_ALG_SHA512:
292 rv = rsa_sha512_sign_digest(&rsa->priv, data, s);
293 break;
295 default:
296 error_setg(errp, "Unknown hash algorithm: %d", rsa->hash_alg);
297 goto cleanup;
298 }
300 if (rv != 1) {
301 error_setg(errp, "Failed to make signature");
302 goto cleanup;
303 }
304 nettle_mpz_get_str_256(sig_len, (uint8_t *)sig, s);
305 ret = nettle_mpz_sizeinbase_256_u(s);
307 cleanup:
308 mpz_clear(s);
310 return ret;
311 }
313 static int qcrypto_nettle_rsa_verify(QCryptoAkCipher *akcipher,
314 const void *sig, size_t sig_len,
315 const void *data, size_t data_len,
316 Error **errp)
317 {
318 QCryptoNettleRSA *rsa = (QCryptoNettleRSA *)akcipher;
320 int ret = -1, rv;
321 mpz_t s;
323 /**
324 * The RSA algorithm cannot be used for signature/verification
325 * without padding.
326 */
327 if (rsa->padding_alg == QCRYPTO_RSA_PADDING_ALG_RAW) {
328 error_setg(errp, "Try to verify signature without padding");
329 return ret;
330 }
331 if (data_len > rsa->pub.size) {
332 error_setg(errp, "Data length %zu is greater than key size: %zu",
333 data_len, rsa->pub.size);
334 return ret;
335 }
336 if (sig_len < rsa->pub.size) {
337 error_setg(errp, "Signature length %zu is greater than key size: %zu",
338 sig_len, rsa->pub.size);
339 return ret;
340 }
342 nettle_mpz_init_set_str_256_u(s, sig_len, sig);
343 switch (rsa->hash_alg) {
344 case QCRYPTO_HASH_ALG_MD5:
345 rv = rsa_md5_verify_digest(&rsa->pub, data, s);
346 break;
348 case QCRYPTO_HASH_ALG_SHA1:
349 rv = rsa_sha1_verify_digest(&rsa->pub, data, s);
350 break;
352 case QCRYPTO_HASH_ALG_SHA256:
353 rv = rsa_sha256_verify_digest(&rsa->pub, data, s);
354 break;
356 case QCRYPTO_HASH_ALG_SHA512:
357 rv = rsa_sha512_verify_digest(&rsa->pub, data, s);
358 break;
360 default:
361 error_setg(errp, "Unsupported hash algorithm: %d", rsa->hash_alg);
362 goto cleanup;
363 }
365 if (rv != 1) {
366 error_setg(errp, "Failed to verify signature");
367 goto cleanup;
368 }
369 ret = 0;
371 cleanup:
372 mpz_clear(s);
374 return ret;
375 }
377 QCryptoAkCipherDriver nettle_rsa = {
378 .encrypt = qcrypto_nettle_rsa_encrypt,
379 .decrypt = qcrypto_nettle_rsa_decrypt,
380 .sign = qcrypto_nettle_rsa_sign,
381 .verify = qcrypto_nettle_rsa_verify,
382 .free = qcrypto_nettle_rsa_free,
383 };
385 static QCryptoAkCipher *qcrypto_nettle_rsa_new(
386 const QCryptoAkCipherOptionsRSA *opt,
387 QCryptoAkCipherKeyType type,
388 const uint8_t *key, size_t keylen,
389 Error **errp)
390 {
391 QCryptoNettleRSA *rsa = g_new0(QCryptoNettleRSA, 1);
393 rsa->padding_alg = opt->padding_alg;
394 rsa->hash_alg = opt->hash_alg;
395 rsa->akcipher.driver = &nettle_rsa;
396 rsa_public_key_init(&rsa->pub);
397 rsa_private_key_init(&rsa->priv);
399 switch (type) {
400 case QCRYPTO_AKCIPHER_KEY_TYPE_PRIVATE:
401 if (qcrypt_nettle_parse_rsa_private_key(rsa, key, keylen, errp) != 0) {
402 goto error;
403 }
404 break;
406 case QCRYPTO_AKCIPHER_KEY_TYPE_PUBLIC:
407 if (qcrypt_nettle_parse_rsa_public_key(rsa, key, keylen, errp) != 0) {
408 goto error;
409 }
410 break;
412 default:
413 error_setg(errp, "Unknown akcipher key type %d", type);
414 goto error;
415 }
417 return (QCryptoAkCipher *)rsa;
419 error:
420 qcrypto_nettle_rsa_free((QCryptoAkCipher *)rsa);
421 return NULL;
422 }
425 bool qcrypto_akcipher_supports(QCryptoAkCipherOptions *opts)
426 {
427 switch (opts->alg) {
428 case QCRYPTO_AKCIPHER_ALG_RSA:
429 switch (opts->u.rsa.padding_alg) {
430 case QCRYPTO_RSA_PADDING_ALG_PKCS1:
431 switch (opts->u.rsa.hash_alg) {
432 case QCRYPTO_HASH_ALG_MD5:
433 case QCRYPTO_HASH_ALG_SHA1:
434 case QCRYPTO_HASH_ALG_SHA256:
435 case QCRYPTO_HASH_ALG_SHA512:
436 return true;
438 default:
439 return false;
440 }
442 case QCRYPTO_RSA_PADDING_ALG_RAW:
443 default:
444 return false;
445 }
446 break;
448 default:
449 return false;
450 }
451 }