1 /* SPDX-License-Identifier: GPL-2.0-or-later */
3 * SM2 asymmetric public-key algorithm
4 * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and
5 * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
7 * Copyright (c) 2020, Alibaba Group.
8 * Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
11 #include <linux/module.h>
12 #include <linux/mpi.h>
13 #include <crypto/internal/akcipher.h>
14 #include <crypto/akcipher.h>
15 #include <crypto/hash.h>
16 #include <crypto/sm3_base.h>
17 #include <crypto/rng.h>
18 #include <crypto/sm2.h>
19 #include "sm2signature.asn1.h"
21 #define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8)
23 struct ecc_domain_parms {
24 const char *desc; /* Description of the curve. */
25 unsigned int nbits; /* Number of bits. */
26 unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */
28 /* The model describing this curve. This is mainly used to select
31 enum gcry_mpi_ec_models model;
33 /* The actual ECC dialect used. This is used for curve specific
34 * optimizations and to select encodings etc.
36 enum ecc_dialects dialect;
38 const char *p; /* The prime defining the field. */
39 const char *a, *b; /* The coefficients. For Twisted Edwards
40 * Curves b is used for d. For Montgomery
41 * Curves (a,b) has ((A-2)/4,B^-1).
43 const char *n; /* The order of the base point. */
44 const char *g_x, *g_y; /* Base point. */
45 unsigned int h; /* Cofactor. */
48 static const struct ecc_domain_parms sm2_ecp = {
52 .model = MPI_EC_WEIERSTRASS,
53 .dialect = ECC_DIALECT_STANDARD,
54 .p = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
55 .a = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
56 .b = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
57 .n = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
58 .g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
59 .g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
63 static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
65 const struct ecc_domain_parms *ecp = &sm2_ecp;
70 p = mpi_scanval(ecp->p);
71 a = mpi_scanval(ecp->a);
72 b = mpi_scanval(ecp->b);
76 x = mpi_scanval(ecp->g_x);
77 y = mpi_scanval(ecp->g_y);
82 /* mpi_ec_setup_elliptic_curve */
83 ec->G = mpi_point_new(0);
89 mpi_set_ui(ec->G->z, 1);
92 ec->n = mpi_scanval(ecp->n);
94 mpi_point_release(ec->G);
100 mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);
115 static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
119 memset(ec, 0, sizeof(*ec));
122 /* RESULT must have been initialized and is set on success to the
123 * point given by VALUE.
125 static int sm2_ecc_os2ec(MPI_POINT result, MPI value)
132 n = MPI_NBYTES(value);
133 buf = kmalloc(n, GFP_KERNEL);
137 rc = mpi_print(GCRYMPI_FMT_USG, buf, n, &n, value);
142 if (n < 1 || ((n - 1) % 2))
144 /* No support for point compression */
150 x = mpi_read_raw_data(buf + 1, n);
153 y = mpi_read_raw_data(buf + 1 + n, n);
159 mpi_set(result->x, x);
160 mpi_set(result->y, y);
161 mpi_set_ui(result->z, 1);
173 struct sm2_signature_ctx {
178 int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
179 const void *value, size_t vlen)
181 struct sm2_signature_ctx *sig = context;
186 sig->sig_r = mpi_read_raw_data(value, vlen);
193 int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
194 const void *value, size_t vlen)
196 struct sm2_signature_ctx *sig = context;
201 sig->sig_s = mpi_read_raw_data(value, vlen);
208 static int sm2_z_digest_update(struct shash_desc *desc,
209 MPI m, unsigned int pbytes)
211 static const unsigned char zero[32];
215 in = mpi_get_buffer(m, &inlen, NULL);
219 if (inlen < pbytes) {
220 /* padding with zero */
221 crypto_sm3_update(desc, zero, pbytes - inlen);
222 crypto_sm3_update(desc, in, inlen);
223 } else if (inlen > pbytes) {
224 /* skip the starting zero */
225 crypto_sm3_update(desc, in + inlen - pbytes, pbytes);
227 crypto_sm3_update(desc, in, inlen);
234 static int sm2_z_digest_update_point(struct shash_desc *desc,
235 MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes)
243 if (!mpi_ec_get_affine(x, y, point, ec) &&
244 !sm2_z_digest_update(desc, x, pbytes) &&
245 !sm2_z_digest_update(desc, y, pbytes))
253 int sm2_compute_z_digest(struct crypto_akcipher *tfm,
254 const unsigned char *id, size_t id_len,
255 unsigned char dgst[SM3_DIGEST_SIZE])
257 struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
259 unsigned char entl[2];
260 SHASH_DESC_ON_STACK(desc, NULL);
263 if (id_len > (USHRT_MAX / 8) || !ec->Q)
266 bits_len = (uint16_t)(id_len * 8);
267 entl[0] = bits_len >> 8;
268 entl[1] = bits_len & 0xff;
270 pbytes = MPI_NBYTES(ec->p);
272 /* ZA = H256(ENTLA | IDA | a | b | xG | yG | xA | yA) */
274 crypto_sm3_update(desc, entl, 2);
275 crypto_sm3_update(desc, id, id_len);
277 if (sm2_z_digest_update(desc, ec->a, pbytes) ||
278 sm2_z_digest_update(desc, ec->b, pbytes) ||
279 sm2_z_digest_update_point(desc, ec->G, ec, pbytes) ||
280 sm2_z_digest_update_point(desc, ec->Q, ec, pbytes))
283 crypto_sm3_final(desc, dgst);
286 EXPORT_SYMBOL(sm2_compute_z_digest);
288 static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s)
291 struct gcry_mpi_point sG, tP;
293 MPI x1 = NULL, y1 = NULL;
301 /* r, s in [1, n-1] */
302 if (mpi_cmp_ui(sig_r, 1) < 0 || mpi_cmp(sig_r, ec->n) > 0 ||
303 mpi_cmp_ui(sig_s, 1) < 0 || mpi_cmp(sig_s, ec->n) > 0) {
307 /* t = (r + s) % n, t == 0 */
308 mpi_addm(t, sig_r, sig_s, ec->n);
309 if (mpi_cmp_ui(t, 0) == 0)
312 /* sG + tP = (x1, y1) */
314 mpi_ec_mul_point(&sG, sig_s, ec->G, ec);
315 mpi_ec_mul_point(&tP, t, ec->Q, ec);
316 mpi_ec_add_points(&sG, &sG, &tP, ec);
317 if (mpi_ec_get_affine(x1, y1, &sG, ec))
320 /* R = (e + x1) % n */
321 mpi_addm(t, hash, x1, ec->n);
325 if (mpi_cmp(t, sig_r))
331 mpi_point_free_parts(&sG);
332 mpi_point_free_parts(&tP);
340 static int sm2_verify(struct akcipher_request *req)
342 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
343 struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
344 unsigned char *buffer;
345 struct sm2_signature_ctx sig;
349 if (unlikely(!ec->Q))
352 buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL);
356 sg_pcopy_to_buffer(req->src,
357 sg_nents_for_len(req->src, req->src_len + req->dst_len),
358 buffer, req->src_len + req->dst_len, 0);
362 ret = asn1_ber_decoder(&sm2signature_decoder, &sig,
363 buffer, req->src_len);
368 hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len);
372 ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s);
382 static int sm2_set_pub_key(struct crypto_akcipher *tfm,
383 const void *key, unsigned int keylen)
385 struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
389 ec->Q = mpi_point_new(0);
393 /* include the uncompressed flag '0x04' */
395 a = mpi_read_raw_data(key, keylen);
400 rc = sm2_ecc_os2ec(ec->Q, a);
408 mpi_point_release(ec->Q);
413 static unsigned int sm2_max_size(struct crypto_akcipher *tfm)
415 /* Unlimited max size */
419 static int sm2_init_tfm(struct crypto_akcipher *tfm)
421 struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
423 return sm2_ec_ctx_init(ec);
426 static void sm2_exit_tfm(struct crypto_akcipher *tfm)
428 struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
430 sm2_ec_ctx_deinit(ec);
433 static struct akcipher_alg sm2 = {
434 .verify = sm2_verify,
435 .set_pub_key = sm2_set_pub_key,
436 .max_size = sm2_max_size,
437 .init = sm2_init_tfm,
438 .exit = sm2_exit_tfm,
441 .cra_driver_name = "sm2-generic",
443 .cra_module = THIS_MODULE,
444 .cra_ctxsize = sizeof(struct mpi_ec_ctx),
448 static int sm2_init(void)
450 return crypto_register_akcipher(&sm2);
453 static void sm2_exit(void)
455 crypto_unregister_akcipher(&sm2);
458 subsys_initcall(sm2_init);
459 module_exit(sm2_exit);
461 MODULE_LICENSE("GPL");
462 MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
463 MODULE_DESCRIPTION("SM2 generic algorithm");
464 MODULE_ALIAS_CRYPTO("sm2-generic");
projects / linux-2.6-microblaze.git / blob