From 5ce3e312ec5c11abce13215be70700778bf601f0 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 31 Aug 2011 14:05:16 +0300 Subject: crypto: GnuPG based MPI lib - header files (part 2) Adds the multi-precision-integer maths library which was originally taken from GnuPG and ported to the kernel by (among others) David Howells. This version is taken from Fedora kernel 2.6.32-71.14.1.el6. The difference is that checkpatch reported errors and warnings have been fixed. This library is used to implemenet RSA digital signature verification used in IMA/EVM integrity protection subsystem. Due to patch size limitation, the patch is divided into 4 parts. Signed-off-by: Dmitry Kasatkin --- include/linux/mpi.h | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 include/linux/mpi.h (limited to 'include/linux') diff --git a/include/linux/mpi.h b/include/linux/mpi.h new file mode 100644 index 000000000000..06f88994ccaa --- /dev/null +++ b/include/linux/mpi.h @@ -0,0 +1,146 @@ +/* mpi.h - Multi Precision Integers + * Copyright (C) 1994, 1996, 1998, 1999, + * 2000, 2001 Free Software Foundation, Inc. + * + * This file is part of GNUPG. + * + * GNUPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GNUPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * + * Note: This code is heavily based on the GNU MP Library. + * Actually it's the same code with only minor changes in the + * way the data is stored; this is to support the abstraction + * of an optional secure memory allocation which may be used + * to avoid revealing of sensitive data due to paging etc. + * The GNU MP Library itself is published under the LGPL; + * however I decided to publish this code under the plain GPL. + */ + +#ifndef G10_MPI_H +#define G10_MPI_H + +#include + +/* DSI defines */ + +#define SHA1_DIGEST_LENGTH 20 + +/*end of DSI defines */ + +#define BYTES_PER_MPI_LIMB (BITS_PER_LONG / 8) +#define BITS_PER_MPI_LIMB BITS_PER_LONG + +typedef unsigned long int mpi_limb_t; +typedef signed long int mpi_limb_signed_t; + +struct gcry_mpi { + int alloced; /* array size (# of allocated limbs) */ + int nlimbs; /* number of valid limbs */ + int nbits; /* the real number of valid bits (info only) */ + int sign; /* indicates a negative number */ + unsigned flags; /* bit 0: array must be allocated in secure memory space */ + /* bit 1: not used */ + /* bit 2: the limb is a pointer to some m_alloced data */ + mpi_limb_t *d; /* array with the limbs */ +}; + +typedef struct gcry_mpi *MPI; + +#define MPI_NULL NULL + +#define mpi_get_nlimbs(a) ((a)->nlimbs) +#define mpi_is_neg(a) ((a)->sign) + +/*-- mpiutil.c --*/ +MPI mpi_alloc(unsigned nlimbs); +MPI mpi_alloc_secure(unsigned nlimbs); +MPI mpi_alloc_like(MPI a); +void mpi_free(MPI a); +int mpi_resize(MPI a, unsigned nlimbs); +int mpi_copy(MPI *copy, const MPI a); +void mpi_clear(MPI a); +int mpi_set(MPI w, MPI u); +int mpi_set_ui(MPI w, ulong u); +MPI mpi_alloc_set_ui(unsigned long u); +void mpi_m_check(MPI a); +void mpi_swap(MPI a, MPI b); + +/*-- mpicoder.c --*/ +MPI do_encode_md(const void *sha_buffer, unsigned nbits); +MPI mpi_read_from_buffer(const void *buffer, unsigned *ret_nread); +int mpi_fromstr(MPI val, const char *str); +u32 mpi_get_keyid(MPI a, u32 *keyid); +void *mpi_get_buffer(MPI a, unsigned *nbytes, int *sign); +void *mpi_get_secure_buffer(MPI a, unsigned *nbytes, int *sign); +int mpi_set_buffer(MPI a, const void *buffer, unsigned nbytes, int sign); + +#define log_mpidump g10_log_mpidump + +/*-- mpi-add.c --*/ +int mpi_add_ui(MPI w, MPI u, ulong v); +int mpi_add(MPI w, MPI u, MPI v); +int mpi_addm(MPI w, MPI u, MPI v, MPI m); +int mpi_sub_ui(MPI w, MPI u, ulong v); +int mpi_sub(MPI w, MPI u, MPI v); +int mpi_subm(MPI w, MPI u, MPI v, MPI m); + +/*-- mpi-mul.c --*/ +int mpi_mul_ui(MPI w, MPI u, ulong v); +int mpi_mul_2exp(MPI w, MPI u, ulong cnt); +int mpi_mul(MPI w, MPI u, MPI v); +int mpi_mulm(MPI w, MPI u, MPI v, MPI m); + +/*-- mpi-div.c --*/ +ulong mpi_fdiv_r_ui(MPI rem, MPI dividend, ulong divisor); +int mpi_fdiv_r(MPI rem, MPI dividend, MPI divisor); +int mpi_fdiv_q(MPI quot, MPI dividend, MPI divisor); +int mpi_fdiv_qr(MPI quot, MPI rem, MPI dividend, MPI divisor); +int mpi_tdiv_r(MPI rem, MPI num, MPI den); +int mpi_tdiv_qr(MPI quot, MPI rem, MPI num, MPI den); +int mpi_tdiv_q_2exp(MPI w, MPI u, unsigned count); +int mpi_divisible_ui(const MPI dividend, ulong divisor); + +/*-- mpi-gcd.c --*/ +int mpi_gcd(MPI g, const MPI a, const MPI b); + +/*-- mpi-pow.c --*/ +int mpi_pow(MPI w, MPI u, MPI v); +int mpi_powm(MPI res, MPI base, MPI exp, MPI mod); + +/*-- mpi-mpow.c --*/ +int mpi_mulpowm(MPI res, MPI *basearray, MPI *exparray, MPI mod); + +/*-- mpi-cmp.c --*/ +int mpi_cmp_ui(MPI u, ulong v); +int mpi_cmp(MPI u, MPI v); + +/*-- mpi-scan.c --*/ +int mpi_getbyte(MPI a, unsigned idx); +void mpi_putbyte(MPI a, unsigned idx, int value); +unsigned mpi_trailing_zeros(MPI a); + +/*-- mpi-bit.c --*/ +void mpi_normalize(MPI a); +unsigned mpi_get_nbits(MPI a); +int mpi_test_bit(MPI a, unsigned n); +int mpi_set_bit(MPI a, unsigned n); +int mpi_set_highbit(MPI a, unsigned n); +void mpi_clear_highbit(MPI a, unsigned n); +void mpi_clear_bit(MPI a, unsigned n); +int mpi_rshift(MPI x, MPI a, unsigned n); + +/*-- mpi-inv.c --*/ +int mpi_invm(MPI x, MPI u, MPI v); + +#endif /*G10_MPI_H */ -- cgit v1.2.3 From 051dbb918c7fb7da8e64a2cd0d804ba73399709f Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Fri, 14 Oct 2011 15:25:16 +0300 Subject: crypto: digital signature verification support This patch implements RSA digital signature verification using GnuPG library. The format of the signature and the public key is defined by their respective headers. The signature header contains version information, algorithm, and keyid, which was used to generate the signature. The key header contains version and algorythim type. The payload of the signature and the key are multi-precision integers. The signing and key management utilities evm-utils provide functionality to generate signatures and load keys into the kernel keyring. When the key is added to the kernel keyring, the keyid defines the name of the key. Signed-off-by: Dmitry Kasatkin Acked-by: Mimi Zohar --- include/linux/digsig.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 include/linux/digsig.h (limited to 'include/linux') diff --git a/include/linux/digsig.h b/include/linux/digsig.h new file mode 100644 index 000000000000..efae755017d7 --- /dev/null +++ b/include/linux/digsig.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2011 Nokia Corporation + * Copyright (C) 2011 Intel Corporation + * + * Author: + * Dmitry Kasatkin + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + */ + +#ifndef _DIGSIG_H +#define _DIGSIG_H + +#include + +enum pubkey_algo { + PUBKEY_ALGO_RSA, + PUBKEY_ALGO_MAX, +}; + +enum digest_algo { + DIGEST_ALGO_SHA1, + DIGEST_ALGO_SHA256, + DIGEST_ALGO_MAX +}; + +struct pubkey_hdr { + uint8_t version; /* key format version */ + time_t timestamp; /* key made, always 0 for now */ + uint8_t algo; + uint8_t nmpi; + char mpi[0]; +} __packed; + +struct signature_hdr { + uint8_t version; /* signature format version */ + time_t timestamp; /* signature made */ + uint8_t algo; + uint8_t hash; + uint8_t keyid[8]; + uint8_t nmpi; + char mpi[0]; +} __packed; + +#if defined(CONFIG_DIGSIG) || defined(CONFIG_DIGSIG_MODULE) + +int digsig_verify(struct key *keyring, const char *sig, int siglen, + const char *digest, int digestlen); + +#else + +static inline int digsig_verify(struct key *keyring, const char *sig, + int siglen, const char *digest, int digestlen) +{ + return -EOPNOTSUPP; +} + +#endif /* CONFIG_DIGSIG */ + +#endif /* _DIGSIG_H */ -- cgit v1.2.3