crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This new module implement the SM2 public key algorithm. It was
published by State Encryption Management Bureau, China.
List of specifications for SM2 elliptic curve public key cryptography:

* GM/T 0003.1-2012
* GM/T 0003.2-2012
* GM/T 0003.3-2012
* GM/T 0003.4-2012
* GM/T 0003.5-2012

IETF: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
oscca: http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
scctc: http://www.gmbz.org.cn/main/bzlb.html

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Tested-by: Xufeng Zhang <yunbo.xufeng@linux.alibaba.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Tianjia Zhang and committed by

Herbert Xu 5 years ago ea7ecb66 d58bb7e5

+535

5 changed files

expand all

crypto

Kconfig

Makefile

sm2.c

sm2signature.asn1

include

crypto

sm2.h

+17

crypto/Kconfig

··· 260 260 standard algorithms (called GOST algorithms). Only signature verification 261 261 is implemented. 262 262 263 + config CRYPTO_SM2 264 + tristate "SM2 algorithm" 265 + select CRYPTO_SM3 266 + select CRYPTO_AKCIPHER 267 + select CRYPTO_MANAGER 268 + select MPILIB 269 + select ASN1 270 + help 271 + Generic implementation of the SM2 public key algorithm. It was 272 + published by State Encryption Management Bureau, China. 273 + as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012. 274 + 275 + References: 276 + https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 277 + http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml 278 + http://www.gmbz.org.cn/main/bzlb.html 279 + 263 280 config CRYPTO_CURVE25519 264 281 tristate "Curve25519 algorithm" 265 282 select CRYPTO_KPP

crypto/Makefile

··· 42 42 rsa_generic-y += rsa-pkcs1pad.o 43 43 obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o 44 44 45 + $(obj)/sm2signature.asn1.o: $(obj)/sm2signature.asn1.c $(obj)/sm2signature.asn1.h 46 + $(obj)/sm2.o: $(obj)/sm2signature.asn1.h 47 + 48 + sm2_generic-y += sm2signature.asn1.o 49 + sm2_generic-y += sm2.o 50 + 51 + obj-$(CONFIG_CRYPTO_SM2) += sm2_generic.o 52 + 45 53 crypto_acompress-y := acompress.o 46 54 crypto_acompress-y += scompress.o 47 55 obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o

+481

crypto/sm2.c

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * SM2 asymmetric public-key algorithm 4 + * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and 5 + * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 6 + * 7 + * Copyright (c) 2020, Alibaba Group. 8 + * Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 9 + */ 10 + 11 + #include <linux/module.h> 12 + #include <linux/mpi.h> 13 + #include <crypto/internal/akcipher.h> 14 + #include <crypto/akcipher.h> 15 + #include <crypto/hash.h> 16 + #include <crypto/sm3_base.h> 17 + #include <crypto/rng.h> 18 + #include <crypto/sm2.h> 19 + #include "sm2signature.asn1.h" 20 + 21 + #define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8) 22 + 23 + struct ecc_domain_parms { 24 + const char *desc; /* Description of the curve. */ 25 + unsigned int nbits; /* Number of bits. */ 26 + unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */ 27 + 28 + /* The model describing this curve. This is mainly used to select 29 + * the group equation. 30 + */ 31 + enum gcry_mpi_ec_models model; 32 + 33 + /* The actual ECC dialect used. This is used for curve specific 34 + * optimizations and to select encodings etc. 35 + */ 36 + enum ecc_dialects dialect; 37 + 38 + const char *p; /* The prime defining the field. */ 39 + const char *a, *b; /* The coefficients. For Twisted Edwards 40 + * Curves b is used for d. For Montgomery 41 + * Curves (a,b) has ((A-2)/4,B^-1). 42 + */ 43 + const char *n; /* The order of the base point. */ 44 + const char *g_x, *g_y; /* Base point. */ 45 + unsigned int h; /* Cofactor. */ 46 + }; 47 + 48 + static const struct ecc_domain_parms sm2_ecp = { 49 + .desc = "sm2p256v1", 50 + .nbits = 256, 51 + .fips = 0, 52 + .model = MPI_EC_WEIERSTRASS, 53 + .dialect = ECC_DIALECT_STANDARD, 54 + .p = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", 55 + .a = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", 56 + .b = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", 57 + .n = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", 58 + .g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", 59 + .g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", 60 + .h = 1 61 + }; 62 + 63 + static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) 64 + { 65 + const struct ecc_domain_parms *ecp = &sm2_ecp; 66 + MPI p, a, b; 67 + MPI x, y; 68 + int rc = -EINVAL; 69 + 70 + p = mpi_scanval(ecp->p); 71 + a = mpi_scanval(ecp->a); 72 + b = mpi_scanval(ecp->b); 73 + if (!p || !a || !b) 74 + goto free_p; 75 + 76 + x = mpi_scanval(ecp->g_x); 77 + y = mpi_scanval(ecp->g_y); 78 + if (!x || !y) 79 + goto free; 80 + 81 + rc = -ENOMEM; 82 + /* mpi_ec_setup_elliptic_curve */ 83 + ec->G = mpi_point_new(0); 84 + if (!ec->G) 85 + goto free; 86 + 87 + mpi_set(ec->G->x, x); 88 + mpi_set(ec->G->y, y); 89 + mpi_set_ui(ec->G->z, 1); 90 + 91 + rc = -EINVAL; 92 + ec->n = mpi_scanval(ecp->n); 93 + if (!ec->n) { 94 + mpi_point_release(ec->G); 95 + goto free; 96 + } 97 + 98 + ec->h = ecp->h; 99 + ec->name = ecp->desc; 100 + mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b); 101 + 102 + rc = 0; 103 + 104 + free: 105 + mpi_free(x); 106 + mpi_free(y); 107 + free_p: 108 + mpi_free(p); 109 + mpi_free(a); 110 + mpi_free(b); 111 + 112 + return rc; 113 + } 114 + 115 + static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec) 116 + { 117 + mpi_ec_deinit(ec); 118 + 119 + memset(ec, 0, sizeof(*ec)); 120 + } 121 + 122 + static int sm2_ec_ctx_reset(struct mpi_ec_ctx *ec) 123 + { 124 + sm2_ec_ctx_deinit(ec); 125 + return sm2_ec_ctx_init(ec); 126 + } 127 + 128 + /* RESULT must have been initialized and is set on success to the 129 + * point given by VALUE. 130 + */ 131 + static int sm2_ecc_os2ec(MPI_POINT result, MPI value) 132 + { 133 + int rc; 134 + size_t n; 135 + const unsigned char *buf; 136 + unsigned char *buf_memory; 137 + MPI x, y; 138 + 139 + n = (mpi_get_nbits(value)+7)/8; 140 + buf_memory = kmalloc(n, GFP_KERNEL); 141 + rc = mpi_print(GCRYMPI_FMT_USG, buf_memory, n, &n, value); 142 + if (rc) { 143 + kfree(buf_memory); 144 + return rc; 145 + } 146 + buf = buf_memory; 147 + 148 + if (n < 1) { 149 + kfree(buf_memory); 150 + return -EINVAL; 151 + } 152 + if (*buf != 4) { 153 + kfree(buf_memory); 154 + return -EINVAL; /* No support for point compression. */ 155 + } 156 + if (((n-1)%2)) { 157 + kfree(buf_memory); 158 + return -EINVAL; 159 + } 160 + n = (n-1)/2; 161 + x = mpi_read_raw_data(buf + 1, n); 162 + if (!x) { 163 + kfree(buf_memory); 164 + return -ENOMEM; 165 + } 166 + y = mpi_read_raw_data(buf + 1 + n, n); 167 + kfree(buf_memory); 168 + if (!y) { 169 + mpi_free(x); 170 + return -ENOMEM; 171 + } 172 + 173 + mpi_normalize(x); 174 + mpi_normalize(y); 175 + 176 + mpi_set(result->x, x); 177 + mpi_set(result->y, y); 178 + mpi_set_ui(result->z, 1); 179 + 180 + mpi_free(x); 181 + mpi_free(y); 182 + 183 + return 0; 184 + } 185 + 186 + struct sm2_signature_ctx { 187 + MPI sig_r; 188 + MPI sig_s; 189 + }; 190 + 191 + int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag, 192 + const void *value, size_t vlen) 193 + { 194 + struct sm2_signature_ctx *sig = context; 195 + 196 + if (!value || !vlen) 197 + return -EINVAL; 198 + 199 + sig->sig_r = mpi_read_raw_data(value, vlen); 200 + if (!sig->sig_r) 201 + return -ENOMEM; 202 + 203 + return 0; 204 + } 205 + 206 + int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag, 207 + const void *value, size_t vlen) 208 + { 209 + struct sm2_signature_ctx *sig = context; 210 + 211 + if (!value || !vlen) 212 + return -EINVAL; 213 + 214 + sig->sig_s = mpi_read_raw_data(value, vlen); 215 + if (!sig->sig_s) 216 + return -ENOMEM; 217 + 218 + return 0; 219 + } 220 + 221 + static int sm2_z_digest_update(struct shash_desc *desc, 222 + MPI m, unsigned int pbytes) 223 + { 224 + static const unsigned char zero[32]; 225 + unsigned char *in; 226 + unsigned int inlen; 227 + 228 + in = mpi_get_buffer(m, &inlen, NULL); 229 + if (!in) 230 + return -EINVAL; 231 + 232 + if (inlen < pbytes) { 233 + /* padding with zero */ 234 + crypto_sm3_update(desc, zero, pbytes - inlen); 235 + crypto_sm3_update(desc, in, inlen); 236 + } else if (inlen > pbytes) { 237 + /* skip the starting zero */ 238 + crypto_sm3_update(desc, in + inlen - pbytes, pbytes); 239 + } else { 240 + crypto_sm3_update(desc, in, inlen); 241 + } 242 + 243 + kfree(in); 244 + return 0; 245 + } 246 + 247 + static int sm2_z_digest_update_point(struct shash_desc *desc, 248 + MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes) 249 + { 250 + MPI x, y; 251 + int ret = -EINVAL; 252 + 253 + x = mpi_new(0); 254 + y = mpi_new(0); 255 + 256 + if (!mpi_ec_get_affine(x, y, point, ec) && 257 + !sm2_z_digest_update(desc, x, pbytes) && 258 + !sm2_z_digest_update(desc, y, pbytes)) 259 + ret = 0; 260 + 261 + mpi_free(x); 262 + mpi_free(y); 263 + return ret; 264 + } 265 + 266 + int sm2_compute_z_digest(struct crypto_akcipher *tfm, 267 + const unsigned char *id, size_t id_len, 268 + unsigned char dgst[SM3_DIGEST_SIZE]) 269 + { 270 + struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); 271 + uint16_t bits_len; 272 + unsigned char entl[2]; 273 + SHASH_DESC_ON_STACK(desc, NULL); 274 + unsigned int pbytes; 275 + 276 + if (id_len > (USHRT_MAX / 8) || !ec->Q) 277 + return -EINVAL; 278 + 279 + bits_len = (uint16_t)(id_len * 8); 280 + entl[0] = bits_len >> 8; 281 + entl[1] = bits_len & 0xff; 282 + 283 + pbytes = MPI_NBYTES(ec->p); 284 + 285 + /* ZA = H256(ENTLA | IDA | a | b | xG | yG | xA | yA) */ 286 + sm3_base_init(desc); 287 + crypto_sm3_update(desc, entl, 2); 288 + crypto_sm3_update(desc, id, id_len); 289 + 290 + if (sm2_z_digest_update(desc, ec->a, pbytes) || 291 + sm2_z_digest_update(desc, ec->b, pbytes) || 292 + sm2_z_digest_update_point(desc, ec->G, ec, pbytes) || 293 + sm2_z_digest_update_point(desc, ec->Q, ec, pbytes)) 294 + return -EINVAL; 295 + 296 + crypto_sm3_final(desc, dgst); 297 + return 0; 298 + } 299 + EXPORT_SYMBOL(sm2_compute_z_digest); 300 + 301 + static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s) 302 + { 303 + int rc = -EINVAL; 304 + struct gcry_mpi_point sG, tP; 305 + MPI t = NULL; 306 + MPI x1 = NULL, y1 = NULL; 307 + 308 + mpi_point_init(&sG); 309 + mpi_point_init(&tP); 310 + x1 = mpi_new(0); 311 + y1 = mpi_new(0); 312 + t = mpi_new(0); 313 + 314 + /* r, s in [1, n-1] */ 315 + if (mpi_cmp_ui(sig_r, 1) < 0 || mpi_cmp(sig_r, ec->n) > 0 || 316 + mpi_cmp_ui(sig_s, 1) < 0 || mpi_cmp(sig_s, ec->n) > 0) { 317 + goto leave; 318 + } 319 + 320 + /* t = (r + s) % n, t == 0 */ 321 + mpi_addm(t, sig_r, sig_s, ec->n); 322 + if (mpi_cmp_ui(t, 0) == 0) 323 + goto leave; 324 + 325 + /* sG + tP = (x1, y1) */ 326 + rc = -EBADMSG; 327 + mpi_ec_mul_point(&sG, sig_s, ec->G, ec); 328 + mpi_ec_mul_point(&tP, t, ec->Q, ec); 329 + mpi_ec_add_points(&sG, &sG, &tP, ec); 330 + if (mpi_ec_get_affine(x1, y1, &sG, ec)) 331 + goto leave; 332 + 333 + /* R = (e + x1) % n */ 334 + mpi_addm(t, hash, x1, ec->n); 335 + 336 + /* check R == r */ 337 + rc = -EKEYREJECTED; 338 + if (mpi_cmp(t, sig_r)) 339 + goto leave; 340 + 341 + rc = 0; 342 + 343 + leave: 344 + mpi_point_free_parts(&sG); 345 + mpi_point_free_parts(&tP); 346 + mpi_free(x1); 347 + mpi_free(y1); 348 + mpi_free(t); 349 + 350 + return rc; 351 + } 352 + 353 + static int sm2_verify(struct akcipher_request *req) 354 + { 355 + struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 356 + struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); 357 + unsigned char *buffer; 358 + struct sm2_signature_ctx sig; 359 + MPI hash; 360 + int ret; 361 + 362 + if (unlikely(!ec->Q)) 363 + return -EINVAL; 364 + 365 + buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL); 366 + if (!buffer) 367 + return -ENOMEM; 368 + 369 + sg_pcopy_to_buffer(req->src, 370 + sg_nents_for_len(req->src, req->src_len + req->dst_len), 371 + buffer, req->src_len + req->dst_len, 0); 372 + 373 + sig.sig_r = NULL; 374 + sig.sig_s = NULL; 375 + ret = asn1_ber_decoder(&sm2signature_decoder, &sig, 376 + buffer, req->src_len); 377 + if (ret) 378 + goto error; 379 + 380 + ret = -ENOMEM; 381 + hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len); 382 + if (!hash) 383 + goto error; 384 + 385 + ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s); 386 + 387 + mpi_free(hash); 388 + error: 389 + mpi_free(sig.sig_r); 390 + mpi_free(sig.sig_s); 391 + kfree(buffer); 392 + return ret; 393 + } 394 + 395 + static int sm2_set_pub_key(struct crypto_akcipher *tfm, 396 + const void *key, unsigned int keylen) 397 + { 398 + struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); 399 + MPI a; 400 + int rc; 401 + 402 + rc = sm2_ec_ctx_reset(ec); 403 + if (rc) 404 + return rc; 405 + 406 + ec->Q = mpi_point_new(0); 407 + if (!ec->Q) 408 + return -ENOMEM; 409 + 410 + /* include the uncompressed flag '0x04' */ 411 + rc = -ENOMEM; 412 + a = mpi_read_raw_data(key, keylen); 413 + if (!a) 414 + goto error; 415 + 416 + mpi_normalize(a); 417 + rc = sm2_ecc_os2ec(ec->Q, a); 418 + mpi_free(a); 419 + if (rc) 420 + goto error; 421 + 422 + return 0; 423 + 424 + error: 425 + mpi_point_release(ec->Q); 426 + ec->Q = NULL; 427 + return rc; 428 + } 429 + 430 + static unsigned int sm2_max_size(struct crypto_akcipher *tfm) 431 + { 432 + /* Unlimited max size */ 433 + return PAGE_SIZE; 434 + } 435 + 436 + static int sm2_init_tfm(struct crypto_akcipher *tfm) 437 + { 438 + struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); 439 + 440 + return sm2_ec_ctx_init(ec); 441 + } 442 + 443 + static void sm2_exit_tfm(struct crypto_akcipher *tfm) 444 + { 445 + struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); 446 + 447 + sm2_ec_ctx_deinit(ec); 448 + } 449 + 450 + static struct akcipher_alg sm2 = { 451 + .verify = sm2_verify, 452 + .set_pub_key = sm2_set_pub_key, 453 + .max_size = sm2_max_size, 454 + .init = sm2_init_tfm, 455 + .exit = sm2_exit_tfm, 456 + .base = { 457 + .cra_name = "sm2", 458 + .cra_driver_name = "sm2-generic", 459 + .cra_priority = 100, 460 + .cra_module = THIS_MODULE, 461 + .cra_ctxsize = sizeof(struct mpi_ec_ctx), 462 + }, 463 + }; 464 + 465 + static int sm2_init(void) 466 + { 467 + return crypto_register_akcipher(&sm2); 468 + } 469 + 470 + static void sm2_exit(void) 471 + { 472 + crypto_unregister_akcipher(&sm2); 473 + } 474 + 475 + subsys_initcall(sm2_init); 476 + module_exit(sm2_exit); 477 + 478 + MODULE_LICENSE("GPL"); 479 + MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>"); 480 + MODULE_DESCRIPTION("SM2 generic algorithm"); 481 + MODULE_ALIAS_CRYPTO("sm2-generic");

crypto/sm2signature.asn1

··· 1 + Sm2Signature ::= SEQUENCE { 2 + sig_r INTEGER ({ sm2_get_signature_r }), 3 + sig_s INTEGER ({ sm2_get_signature_s }) 4 + }

+25

include/crypto/sm2.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * sm2.h - SM2 asymmetric public-key algorithm 4 + * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and 5 + * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 6 + * 7 + * Copyright (c) 2020, Alibaba Group. 8 + * Written by Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 9 + */ 10 + 11 + #ifndef _CRYPTO_SM2_H 12 + #define _CRYPTO_SM2_H 13 + 14 + #include <crypto/sm3.h> 15 + #include <crypto/akcipher.h> 16 + 17 + /* The default user id as specified in GM/T 0009-2012 */ 18 + #define SM2_DEFAULT_USERID "1234567812345678" 19 + #define SM2_DEFAULT_USERID_LEN 16 20 + 21 + extern int sm2_compute_z_digest(struct crypto_akcipher *tfm, 22 + const unsigned char *id, size_t id_len, 23 + unsigned char dgst[SM3_DIGEST_SIZE]); 24 + 25 + #endif /* _CRYPTO_SM2_H */