162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * RSA padding templates. 462306a36Sopenharmony_ci * 562306a36Sopenharmony_ci * Copyright (c) 2015 Intel Corporation 662306a36Sopenharmony_ci */ 762306a36Sopenharmony_ci 862306a36Sopenharmony_ci#include <crypto/algapi.h> 962306a36Sopenharmony_ci#include <crypto/akcipher.h> 1062306a36Sopenharmony_ci#include <crypto/internal/akcipher.h> 1162306a36Sopenharmony_ci#include <crypto/internal/rsa.h> 1262306a36Sopenharmony_ci#include <linux/err.h> 1362306a36Sopenharmony_ci#include <linux/init.h> 1462306a36Sopenharmony_ci#include <linux/kernel.h> 1562306a36Sopenharmony_ci#include <linux/module.h> 1662306a36Sopenharmony_ci#include <linux/random.h> 1762306a36Sopenharmony_ci#include <linux/scatterlist.h> 1862306a36Sopenharmony_ci 1962306a36Sopenharmony_ci/* 2062306a36Sopenharmony_ci * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. 2162306a36Sopenharmony_ci */ 2262306a36Sopenharmony_cistatic const u8 rsa_digest_info_md5[] = { 2362306a36Sopenharmony_ci 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 2462306a36Sopenharmony_ci 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */ 2562306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x10 2662306a36Sopenharmony_ci}; 2762306a36Sopenharmony_ci 2862306a36Sopenharmony_cistatic const u8 rsa_digest_info_sha1[] = { 2962306a36Sopenharmony_ci 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 3062306a36Sopenharmony_ci 0x2b, 0x0e, 0x03, 0x02, 0x1a, 3162306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x14 3262306a36Sopenharmony_ci}; 3362306a36Sopenharmony_ci 3462306a36Sopenharmony_cistatic const u8 rsa_digest_info_rmd160[] = { 3562306a36Sopenharmony_ci 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 3662306a36Sopenharmony_ci 0x2b, 0x24, 0x03, 0x02, 0x01, 3762306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x14 3862306a36Sopenharmony_ci}; 3962306a36Sopenharmony_ci 4062306a36Sopenharmony_cistatic const u8 rsa_digest_info_sha224[] = { 4162306a36Sopenharmony_ci 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 4262306a36Sopenharmony_ci 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 4362306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x1c 4462306a36Sopenharmony_ci}; 4562306a36Sopenharmony_ci 4662306a36Sopenharmony_cistatic const u8 rsa_digest_info_sha256[] = { 4762306a36Sopenharmony_ci 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 4862306a36Sopenharmony_ci 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 4962306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x20 5062306a36Sopenharmony_ci}; 5162306a36Sopenharmony_ci 5262306a36Sopenharmony_cistatic const u8 rsa_digest_info_sha384[] = { 5362306a36Sopenharmony_ci 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 5462306a36Sopenharmony_ci 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 5562306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x30 5662306a36Sopenharmony_ci}; 5762306a36Sopenharmony_ci 5862306a36Sopenharmony_cistatic const u8 rsa_digest_info_sha512[] = { 5962306a36Sopenharmony_ci 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 6062306a36Sopenharmony_ci 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 6162306a36Sopenharmony_ci 0x05, 0x00, 0x04, 0x40 6262306a36Sopenharmony_ci}; 6362306a36Sopenharmony_ci 6462306a36Sopenharmony_cistatic const struct rsa_asn1_template { 6562306a36Sopenharmony_ci const char *name; 6662306a36Sopenharmony_ci const u8 *data; 6762306a36Sopenharmony_ci size_t size; 6862306a36Sopenharmony_ci} rsa_asn1_templates[] = { 6962306a36Sopenharmony_ci#define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) } 7062306a36Sopenharmony_ci _(md5), 7162306a36Sopenharmony_ci _(sha1), 7262306a36Sopenharmony_ci _(rmd160), 7362306a36Sopenharmony_ci _(sha256), 7462306a36Sopenharmony_ci _(sha384), 7562306a36Sopenharmony_ci _(sha512), 7662306a36Sopenharmony_ci _(sha224), 7762306a36Sopenharmony_ci { NULL } 7862306a36Sopenharmony_ci#undef _ 7962306a36Sopenharmony_ci}; 8062306a36Sopenharmony_ci 8162306a36Sopenharmony_cistatic const struct rsa_asn1_template *rsa_lookup_asn1(const char *name) 8262306a36Sopenharmony_ci{ 8362306a36Sopenharmony_ci const struct rsa_asn1_template *p; 8462306a36Sopenharmony_ci 8562306a36Sopenharmony_ci for (p = rsa_asn1_templates; p->name; p++) 8662306a36Sopenharmony_ci if (strcmp(name, p->name) == 0) 8762306a36Sopenharmony_ci return p; 8862306a36Sopenharmony_ci return NULL; 8962306a36Sopenharmony_ci} 9062306a36Sopenharmony_ci 9162306a36Sopenharmony_cistruct pkcs1pad_ctx { 9262306a36Sopenharmony_ci struct crypto_akcipher *child; 9362306a36Sopenharmony_ci unsigned int key_size; 9462306a36Sopenharmony_ci}; 9562306a36Sopenharmony_ci 9662306a36Sopenharmony_cistruct pkcs1pad_inst_ctx { 9762306a36Sopenharmony_ci struct crypto_akcipher_spawn spawn; 9862306a36Sopenharmony_ci const struct rsa_asn1_template *digest_info; 9962306a36Sopenharmony_ci}; 10062306a36Sopenharmony_ci 10162306a36Sopenharmony_cistruct pkcs1pad_request { 10262306a36Sopenharmony_ci struct scatterlist in_sg[2], out_sg[1]; 10362306a36Sopenharmony_ci uint8_t *in_buf, *out_buf; 10462306a36Sopenharmony_ci struct akcipher_request child_req; 10562306a36Sopenharmony_ci}; 10662306a36Sopenharmony_ci 10762306a36Sopenharmony_cistatic int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key, 10862306a36Sopenharmony_ci unsigned int keylen) 10962306a36Sopenharmony_ci{ 11062306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 11162306a36Sopenharmony_ci int err; 11262306a36Sopenharmony_ci 11362306a36Sopenharmony_ci ctx->key_size = 0; 11462306a36Sopenharmony_ci 11562306a36Sopenharmony_ci err = crypto_akcipher_set_pub_key(ctx->child, key, keylen); 11662306a36Sopenharmony_ci if (err) 11762306a36Sopenharmony_ci return err; 11862306a36Sopenharmony_ci 11962306a36Sopenharmony_ci /* Find out new modulus size from rsa implementation */ 12062306a36Sopenharmony_ci err = crypto_akcipher_maxsize(ctx->child); 12162306a36Sopenharmony_ci if (err > PAGE_SIZE) 12262306a36Sopenharmony_ci return -ENOTSUPP; 12362306a36Sopenharmony_ci 12462306a36Sopenharmony_ci ctx->key_size = err; 12562306a36Sopenharmony_ci return 0; 12662306a36Sopenharmony_ci} 12762306a36Sopenharmony_ci 12862306a36Sopenharmony_cistatic int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key, 12962306a36Sopenharmony_ci unsigned int keylen) 13062306a36Sopenharmony_ci{ 13162306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 13262306a36Sopenharmony_ci int err; 13362306a36Sopenharmony_ci 13462306a36Sopenharmony_ci ctx->key_size = 0; 13562306a36Sopenharmony_ci 13662306a36Sopenharmony_ci err = crypto_akcipher_set_priv_key(ctx->child, key, keylen); 13762306a36Sopenharmony_ci if (err) 13862306a36Sopenharmony_ci return err; 13962306a36Sopenharmony_ci 14062306a36Sopenharmony_ci /* Find out new modulus size from rsa implementation */ 14162306a36Sopenharmony_ci err = crypto_akcipher_maxsize(ctx->child); 14262306a36Sopenharmony_ci if (err > PAGE_SIZE) 14362306a36Sopenharmony_ci return -ENOTSUPP; 14462306a36Sopenharmony_ci 14562306a36Sopenharmony_ci ctx->key_size = err; 14662306a36Sopenharmony_ci return 0; 14762306a36Sopenharmony_ci} 14862306a36Sopenharmony_ci 14962306a36Sopenharmony_cistatic unsigned int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) 15062306a36Sopenharmony_ci{ 15162306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 15262306a36Sopenharmony_ci 15362306a36Sopenharmony_ci /* 15462306a36Sopenharmony_ci * The maximum destination buffer size for the encrypt/sign operations 15562306a36Sopenharmony_ci * will be the same as for RSA, even though it's smaller for 15662306a36Sopenharmony_ci * decrypt/verify. 15762306a36Sopenharmony_ci */ 15862306a36Sopenharmony_ci 15962306a36Sopenharmony_ci return ctx->key_size; 16062306a36Sopenharmony_ci} 16162306a36Sopenharmony_ci 16262306a36Sopenharmony_cistatic void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len, 16362306a36Sopenharmony_ci struct scatterlist *next) 16462306a36Sopenharmony_ci{ 16562306a36Sopenharmony_ci int nsegs = next ? 2 : 1; 16662306a36Sopenharmony_ci 16762306a36Sopenharmony_ci sg_init_table(sg, nsegs); 16862306a36Sopenharmony_ci sg_set_buf(sg, buf, len); 16962306a36Sopenharmony_ci 17062306a36Sopenharmony_ci if (next) 17162306a36Sopenharmony_ci sg_chain(sg, nsegs, next); 17262306a36Sopenharmony_ci} 17362306a36Sopenharmony_ci 17462306a36Sopenharmony_cistatic int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err) 17562306a36Sopenharmony_ci{ 17662306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 17762306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 17862306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 17962306a36Sopenharmony_ci unsigned int pad_len; 18062306a36Sopenharmony_ci unsigned int len; 18162306a36Sopenharmony_ci u8 *out_buf; 18262306a36Sopenharmony_ci 18362306a36Sopenharmony_ci if (err) 18462306a36Sopenharmony_ci goto out; 18562306a36Sopenharmony_ci 18662306a36Sopenharmony_ci len = req_ctx->child_req.dst_len; 18762306a36Sopenharmony_ci pad_len = ctx->key_size - len; 18862306a36Sopenharmony_ci 18962306a36Sopenharmony_ci /* Four billion to one */ 19062306a36Sopenharmony_ci if (likely(!pad_len)) 19162306a36Sopenharmony_ci goto out; 19262306a36Sopenharmony_ci 19362306a36Sopenharmony_ci out_buf = kzalloc(ctx->key_size, GFP_ATOMIC); 19462306a36Sopenharmony_ci err = -ENOMEM; 19562306a36Sopenharmony_ci if (!out_buf) 19662306a36Sopenharmony_ci goto out; 19762306a36Sopenharmony_ci 19862306a36Sopenharmony_ci sg_copy_to_buffer(req->dst, sg_nents_for_len(req->dst, len), 19962306a36Sopenharmony_ci out_buf + pad_len, len); 20062306a36Sopenharmony_ci sg_copy_from_buffer(req->dst, 20162306a36Sopenharmony_ci sg_nents_for_len(req->dst, ctx->key_size), 20262306a36Sopenharmony_ci out_buf, ctx->key_size); 20362306a36Sopenharmony_ci kfree_sensitive(out_buf); 20462306a36Sopenharmony_ci 20562306a36Sopenharmony_ciout: 20662306a36Sopenharmony_ci req->dst_len = ctx->key_size; 20762306a36Sopenharmony_ci 20862306a36Sopenharmony_ci kfree(req_ctx->in_buf); 20962306a36Sopenharmony_ci 21062306a36Sopenharmony_ci return err; 21162306a36Sopenharmony_ci} 21262306a36Sopenharmony_ci 21362306a36Sopenharmony_cistatic void pkcs1pad_encrypt_sign_complete_cb(void *data, int err) 21462306a36Sopenharmony_ci{ 21562306a36Sopenharmony_ci struct akcipher_request *req = data; 21662306a36Sopenharmony_ci 21762306a36Sopenharmony_ci if (err == -EINPROGRESS) 21862306a36Sopenharmony_ci goto out; 21962306a36Sopenharmony_ci 22062306a36Sopenharmony_ci err = pkcs1pad_encrypt_sign_complete(req, err); 22162306a36Sopenharmony_ci 22262306a36Sopenharmony_ciout: 22362306a36Sopenharmony_ci akcipher_request_complete(req, err); 22462306a36Sopenharmony_ci} 22562306a36Sopenharmony_ci 22662306a36Sopenharmony_cistatic int pkcs1pad_encrypt(struct akcipher_request *req) 22762306a36Sopenharmony_ci{ 22862306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 22962306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 23062306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 23162306a36Sopenharmony_ci int err; 23262306a36Sopenharmony_ci unsigned int i, ps_end; 23362306a36Sopenharmony_ci 23462306a36Sopenharmony_ci if (!ctx->key_size) 23562306a36Sopenharmony_ci return -EINVAL; 23662306a36Sopenharmony_ci 23762306a36Sopenharmony_ci if (req->src_len > ctx->key_size - 11) 23862306a36Sopenharmony_ci return -EOVERFLOW; 23962306a36Sopenharmony_ci 24062306a36Sopenharmony_ci if (req->dst_len < ctx->key_size) { 24162306a36Sopenharmony_ci req->dst_len = ctx->key_size; 24262306a36Sopenharmony_ci return -EOVERFLOW; 24362306a36Sopenharmony_ci } 24462306a36Sopenharmony_ci 24562306a36Sopenharmony_ci req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len, 24662306a36Sopenharmony_ci GFP_KERNEL); 24762306a36Sopenharmony_ci if (!req_ctx->in_buf) 24862306a36Sopenharmony_ci return -ENOMEM; 24962306a36Sopenharmony_ci 25062306a36Sopenharmony_ci ps_end = ctx->key_size - req->src_len - 2; 25162306a36Sopenharmony_ci req_ctx->in_buf[0] = 0x02; 25262306a36Sopenharmony_ci for (i = 1; i < ps_end; i++) 25362306a36Sopenharmony_ci req_ctx->in_buf[i] = get_random_u32_inclusive(1, 255); 25462306a36Sopenharmony_ci req_ctx->in_buf[ps_end] = 0x00; 25562306a36Sopenharmony_ci 25662306a36Sopenharmony_ci pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf, 25762306a36Sopenharmony_ci ctx->key_size - 1 - req->src_len, req->src); 25862306a36Sopenharmony_ci 25962306a36Sopenharmony_ci akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 26062306a36Sopenharmony_ci akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 26162306a36Sopenharmony_ci pkcs1pad_encrypt_sign_complete_cb, req); 26262306a36Sopenharmony_ci 26362306a36Sopenharmony_ci /* Reuse output buffer */ 26462306a36Sopenharmony_ci akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg, 26562306a36Sopenharmony_ci req->dst, ctx->key_size - 1, req->dst_len); 26662306a36Sopenharmony_ci 26762306a36Sopenharmony_ci err = crypto_akcipher_encrypt(&req_ctx->child_req); 26862306a36Sopenharmony_ci if (err != -EINPROGRESS && err != -EBUSY) 26962306a36Sopenharmony_ci return pkcs1pad_encrypt_sign_complete(req, err); 27062306a36Sopenharmony_ci 27162306a36Sopenharmony_ci return err; 27262306a36Sopenharmony_ci} 27362306a36Sopenharmony_ci 27462306a36Sopenharmony_cistatic int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err) 27562306a36Sopenharmony_ci{ 27662306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 27762306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 27862306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 27962306a36Sopenharmony_ci unsigned int dst_len; 28062306a36Sopenharmony_ci unsigned int pos; 28162306a36Sopenharmony_ci u8 *out_buf; 28262306a36Sopenharmony_ci 28362306a36Sopenharmony_ci if (err) 28462306a36Sopenharmony_ci goto done; 28562306a36Sopenharmony_ci 28662306a36Sopenharmony_ci err = -EINVAL; 28762306a36Sopenharmony_ci dst_len = req_ctx->child_req.dst_len; 28862306a36Sopenharmony_ci if (dst_len < ctx->key_size - 1) 28962306a36Sopenharmony_ci goto done; 29062306a36Sopenharmony_ci 29162306a36Sopenharmony_ci out_buf = req_ctx->out_buf; 29262306a36Sopenharmony_ci if (dst_len == ctx->key_size) { 29362306a36Sopenharmony_ci if (out_buf[0] != 0x00) 29462306a36Sopenharmony_ci /* Decrypted value had no leading 0 byte */ 29562306a36Sopenharmony_ci goto done; 29662306a36Sopenharmony_ci 29762306a36Sopenharmony_ci dst_len--; 29862306a36Sopenharmony_ci out_buf++; 29962306a36Sopenharmony_ci } 30062306a36Sopenharmony_ci 30162306a36Sopenharmony_ci if (out_buf[0] != 0x02) 30262306a36Sopenharmony_ci goto done; 30362306a36Sopenharmony_ci 30462306a36Sopenharmony_ci for (pos = 1; pos < dst_len; pos++) 30562306a36Sopenharmony_ci if (out_buf[pos] == 0x00) 30662306a36Sopenharmony_ci break; 30762306a36Sopenharmony_ci if (pos < 9 || pos == dst_len) 30862306a36Sopenharmony_ci goto done; 30962306a36Sopenharmony_ci pos++; 31062306a36Sopenharmony_ci 31162306a36Sopenharmony_ci err = 0; 31262306a36Sopenharmony_ci 31362306a36Sopenharmony_ci if (req->dst_len < dst_len - pos) 31462306a36Sopenharmony_ci err = -EOVERFLOW; 31562306a36Sopenharmony_ci req->dst_len = dst_len - pos; 31662306a36Sopenharmony_ci 31762306a36Sopenharmony_ci if (!err) 31862306a36Sopenharmony_ci sg_copy_from_buffer(req->dst, 31962306a36Sopenharmony_ci sg_nents_for_len(req->dst, req->dst_len), 32062306a36Sopenharmony_ci out_buf + pos, req->dst_len); 32162306a36Sopenharmony_ci 32262306a36Sopenharmony_cidone: 32362306a36Sopenharmony_ci kfree_sensitive(req_ctx->out_buf); 32462306a36Sopenharmony_ci 32562306a36Sopenharmony_ci return err; 32662306a36Sopenharmony_ci} 32762306a36Sopenharmony_ci 32862306a36Sopenharmony_cistatic void pkcs1pad_decrypt_complete_cb(void *data, int err) 32962306a36Sopenharmony_ci{ 33062306a36Sopenharmony_ci struct akcipher_request *req = data; 33162306a36Sopenharmony_ci 33262306a36Sopenharmony_ci if (err == -EINPROGRESS) 33362306a36Sopenharmony_ci goto out; 33462306a36Sopenharmony_ci 33562306a36Sopenharmony_ci err = pkcs1pad_decrypt_complete(req, err); 33662306a36Sopenharmony_ci 33762306a36Sopenharmony_ciout: 33862306a36Sopenharmony_ci akcipher_request_complete(req, err); 33962306a36Sopenharmony_ci} 34062306a36Sopenharmony_ci 34162306a36Sopenharmony_cistatic int pkcs1pad_decrypt(struct akcipher_request *req) 34262306a36Sopenharmony_ci{ 34362306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 34462306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 34562306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 34662306a36Sopenharmony_ci int err; 34762306a36Sopenharmony_ci 34862306a36Sopenharmony_ci if (!ctx->key_size || req->src_len != ctx->key_size) 34962306a36Sopenharmony_ci return -EINVAL; 35062306a36Sopenharmony_ci 35162306a36Sopenharmony_ci req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL); 35262306a36Sopenharmony_ci if (!req_ctx->out_buf) 35362306a36Sopenharmony_ci return -ENOMEM; 35462306a36Sopenharmony_ci 35562306a36Sopenharmony_ci pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf, 35662306a36Sopenharmony_ci ctx->key_size, NULL); 35762306a36Sopenharmony_ci 35862306a36Sopenharmony_ci akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 35962306a36Sopenharmony_ci akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 36062306a36Sopenharmony_ci pkcs1pad_decrypt_complete_cb, req); 36162306a36Sopenharmony_ci 36262306a36Sopenharmony_ci /* Reuse input buffer, output to a new buffer */ 36362306a36Sopenharmony_ci akcipher_request_set_crypt(&req_ctx->child_req, req->src, 36462306a36Sopenharmony_ci req_ctx->out_sg, req->src_len, 36562306a36Sopenharmony_ci ctx->key_size); 36662306a36Sopenharmony_ci 36762306a36Sopenharmony_ci err = crypto_akcipher_decrypt(&req_ctx->child_req); 36862306a36Sopenharmony_ci if (err != -EINPROGRESS && err != -EBUSY) 36962306a36Sopenharmony_ci return pkcs1pad_decrypt_complete(req, err); 37062306a36Sopenharmony_ci 37162306a36Sopenharmony_ci return err; 37262306a36Sopenharmony_ci} 37362306a36Sopenharmony_ci 37462306a36Sopenharmony_cistatic int pkcs1pad_sign(struct akcipher_request *req) 37562306a36Sopenharmony_ci{ 37662306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 37762306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 37862306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 37962306a36Sopenharmony_ci struct akcipher_instance *inst = akcipher_alg_instance(tfm); 38062306a36Sopenharmony_ci struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst); 38162306a36Sopenharmony_ci const struct rsa_asn1_template *digest_info = ictx->digest_info; 38262306a36Sopenharmony_ci int err; 38362306a36Sopenharmony_ci unsigned int ps_end, digest_info_size = 0; 38462306a36Sopenharmony_ci 38562306a36Sopenharmony_ci if (!ctx->key_size) 38662306a36Sopenharmony_ci return -EINVAL; 38762306a36Sopenharmony_ci 38862306a36Sopenharmony_ci if (digest_info) 38962306a36Sopenharmony_ci digest_info_size = digest_info->size; 39062306a36Sopenharmony_ci 39162306a36Sopenharmony_ci if (req->src_len + digest_info_size > ctx->key_size - 11) 39262306a36Sopenharmony_ci return -EOVERFLOW; 39362306a36Sopenharmony_ci 39462306a36Sopenharmony_ci if (req->dst_len < ctx->key_size) { 39562306a36Sopenharmony_ci req->dst_len = ctx->key_size; 39662306a36Sopenharmony_ci return -EOVERFLOW; 39762306a36Sopenharmony_ci } 39862306a36Sopenharmony_ci 39962306a36Sopenharmony_ci req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len, 40062306a36Sopenharmony_ci GFP_KERNEL); 40162306a36Sopenharmony_ci if (!req_ctx->in_buf) 40262306a36Sopenharmony_ci return -ENOMEM; 40362306a36Sopenharmony_ci 40462306a36Sopenharmony_ci ps_end = ctx->key_size - digest_info_size - req->src_len - 2; 40562306a36Sopenharmony_ci req_ctx->in_buf[0] = 0x01; 40662306a36Sopenharmony_ci memset(req_ctx->in_buf + 1, 0xff, ps_end - 1); 40762306a36Sopenharmony_ci req_ctx->in_buf[ps_end] = 0x00; 40862306a36Sopenharmony_ci 40962306a36Sopenharmony_ci if (digest_info) 41062306a36Sopenharmony_ci memcpy(req_ctx->in_buf + ps_end + 1, digest_info->data, 41162306a36Sopenharmony_ci digest_info->size); 41262306a36Sopenharmony_ci 41362306a36Sopenharmony_ci pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf, 41462306a36Sopenharmony_ci ctx->key_size - 1 - req->src_len, req->src); 41562306a36Sopenharmony_ci 41662306a36Sopenharmony_ci akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 41762306a36Sopenharmony_ci akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 41862306a36Sopenharmony_ci pkcs1pad_encrypt_sign_complete_cb, req); 41962306a36Sopenharmony_ci 42062306a36Sopenharmony_ci /* Reuse output buffer */ 42162306a36Sopenharmony_ci akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg, 42262306a36Sopenharmony_ci req->dst, ctx->key_size - 1, req->dst_len); 42362306a36Sopenharmony_ci 42462306a36Sopenharmony_ci err = crypto_akcipher_decrypt(&req_ctx->child_req); 42562306a36Sopenharmony_ci if (err != -EINPROGRESS && err != -EBUSY) 42662306a36Sopenharmony_ci return pkcs1pad_encrypt_sign_complete(req, err); 42762306a36Sopenharmony_ci 42862306a36Sopenharmony_ci return err; 42962306a36Sopenharmony_ci} 43062306a36Sopenharmony_ci 43162306a36Sopenharmony_cistatic int pkcs1pad_verify_complete(struct akcipher_request *req, int err) 43262306a36Sopenharmony_ci{ 43362306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 43462306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 43562306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 43662306a36Sopenharmony_ci struct akcipher_instance *inst = akcipher_alg_instance(tfm); 43762306a36Sopenharmony_ci struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst); 43862306a36Sopenharmony_ci const struct rsa_asn1_template *digest_info = ictx->digest_info; 43962306a36Sopenharmony_ci const unsigned int sig_size = req->src_len; 44062306a36Sopenharmony_ci const unsigned int digest_size = req->dst_len; 44162306a36Sopenharmony_ci unsigned int dst_len; 44262306a36Sopenharmony_ci unsigned int pos; 44362306a36Sopenharmony_ci u8 *out_buf; 44462306a36Sopenharmony_ci 44562306a36Sopenharmony_ci if (err) 44662306a36Sopenharmony_ci goto done; 44762306a36Sopenharmony_ci 44862306a36Sopenharmony_ci err = -EINVAL; 44962306a36Sopenharmony_ci dst_len = req_ctx->child_req.dst_len; 45062306a36Sopenharmony_ci if (dst_len < ctx->key_size - 1) 45162306a36Sopenharmony_ci goto done; 45262306a36Sopenharmony_ci 45362306a36Sopenharmony_ci out_buf = req_ctx->out_buf; 45462306a36Sopenharmony_ci if (dst_len == ctx->key_size) { 45562306a36Sopenharmony_ci if (out_buf[0] != 0x00) 45662306a36Sopenharmony_ci /* Decrypted value had no leading 0 byte */ 45762306a36Sopenharmony_ci goto done; 45862306a36Sopenharmony_ci 45962306a36Sopenharmony_ci dst_len--; 46062306a36Sopenharmony_ci out_buf++; 46162306a36Sopenharmony_ci } 46262306a36Sopenharmony_ci 46362306a36Sopenharmony_ci err = -EBADMSG; 46462306a36Sopenharmony_ci if (out_buf[0] != 0x01) 46562306a36Sopenharmony_ci goto done; 46662306a36Sopenharmony_ci 46762306a36Sopenharmony_ci for (pos = 1; pos < dst_len; pos++) 46862306a36Sopenharmony_ci if (out_buf[pos] != 0xff) 46962306a36Sopenharmony_ci break; 47062306a36Sopenharmony_ci 47162306a36Sopenharmony_ci if (pos < 9 || pos == dst_len || out_buf[pos] != 0x00) 47262306a36Sopenharmony_ci goto done; 47362306a36Sopenharmony_ci pos++; 47462306a36Sopenharmony_ci 47562306a36Sopenharmony_ci if (digest_info) { 47662306a36Sopenharmony_ci if (digest_info->size > dst_len - pos) 47762306a36Sopenharmony_ci goto done; 47862306a36Sopenharmony_ci if (crypto_memneq(out_buf + pos, digest_info->data, 47962306a36Sopenharmony_ci digest_info->size)) 48062306a36Sopenharmony_ci goto done; 48162306a36Sopenharmony_ci 48262306a36Sopenharmony_ci pos += digest_info->size; 48362306a36Sopenharmony_ci } 48462306a36Sopenharmony_ci 48562306a36Sopenharmony_ci err = 0; 48662306a36Sopenharmony_ci 48762306a36Sopenharmony_ci if (digest_size != dst_len - pos) { 48862306a36Sopenharmony_ci err = -EKEYREJECTED; 48962306a36Sopenharmony_ci req->dst_len = dst_len - pos; 49062306a36Sopenharmony_ci goto done; 49162306a36Sopenharmony_ci } 49262306a36Sopenharmony_ci /* Extract appended digest. */ 49362306a36Sopenharmony_ci sg_pcopy_to_buffer(req->src, 49462306a36Sopenharmony_ci sg_nents_for_len(req->src, sig_size + digest_size), 49562306a36Sopenharmony_ci req_ctx->out_buf + ctx->key_size, 49662306a36Sopenharmony_ci digest_size, sig_size); 49762306a36Sopenharmony_ci /* Do the actual verification step. */ 49862306a36Sopenharmony_ci if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos, 49962306a36Sopenharmony_ci digest_size) != 0) 50062306a36Sopenharmony_ci err = -EKEYREJECTED; 50162306a36Sopenharmony_cidone: 50262306a36Sopenharmony_ci kfree_sensitive(req_ctx->out_buf); 50362306a36Sopenharmony_ci 50462306a36Sopenharmony_ci return err; 50562306a36Sopenharmony_ci} 50662306a36Sopenharmony_ci 50762306a36Sopenharmony_cistatic void pkcs1pad_verify_complete_cb(void *data, int err) 50862306a36Sopenharmony_ci{ 50962306a36Sopenharmony_ci struct akcipher_request *req = data; 51062306a36Sopenharmony_ci 51162306a36Sopenharmony_ci if (err == -EINPROGRESS) 51262306a36Sopenharmony_ci goto out; 51362306a36Sopenharmony_ci 51462306a36Sopenharmony_ci err = pkcs1pad_verify_complete(req, err); 51562306a36Sopenharmony_ci 51662306a36Sopenharmony_ciout: 51762306a36Sopenharmony_ci akcipher_request_complete(req, err); 51862306a36Sopenharmony_ci} 51962306a36Sopenharmony_ci 52062306a36Sopenharmony_ci/* 52162306a36Sopenharmony_ci * The verify operation is here for completeness similar to the verification 52262306a36Sopenharmony_ci * defined in RFC2313 section 10.2 except that block type 0 is not accepted, 52362306a36Sopenharmony_ci * as in RFC2437. RFC2437 section 9.2 doesn't define any operation to 52462306a36Sopenharmony_ci * retrieve the DigestInfo from a signature, instead the user is expected 52562306a36Sopenharmony_ci * to call the sign operation to generate the expected signature and compare 52662306a36Sopenharmony_ci * signatures instead of the message-digests. 52762306a36Sopenharmony_ci */ 52862306a36Sopenharmony_cistatic int pkcs1pad_verify(struct akcipher_request *req) 52962306a36Sopenharmony_ci{ 53062306a36Sopenharmony_ci struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 53162306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 53262306a36Sopenharmony_ci struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 53362306a36Sopenharmony_ci const unsigned int sig_size = req->src_len; 53462306a36Sopenharmony_ci const unsigned int digest_size = req->dst_len; 53562306a36Sopenharmony_ci int err; 53662306a36Sopenharmony_ci 53762306a36Sopenharmony_ci if (WARN_ON(req->dst) || WARN_ON(!digest_size) || 53862306a36Sopenharmony_ci !ctx->key_size || sig_size != ctx->key_size) 53962306a36Sopenharmony_ci return -EINVAL; 54062306a36Sopenharmony_ci 54162306a36Sopenharmony_ci req_ctx->out_buf = kmalloc(ctx->key_size + digest_size, GFP_KERNEL); 54262306a36Sopenharmony_ci if (!req_ctx->out_buf) 54362306a36Sopenharmony_ci return -ENOMEM; 54462306a36Sopenharmony_ci 54562306a36Sopenharmony_ci pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf, 54662306a36Sopenharmony_ci ctx->key_size, NULL); 54762306a36Sopenharmony_ci 54862306a36Sopenharmony_ci akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 54962306a36Sopenharmony_ci akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 55062306a36Sopenharmony_ci pkcs1pad_verify_complete_cb, req); 55162306a36Sopenharmony_ci 55262306a36Sopenharmony_ci /* Reuse input buffer, output to a new buffer */ 55362306a36Sopenharmony_ci akcipher_request_set_crypt(&req_ctx->child_req, req->src, 55462306a36Sopenharmony_ci req_ctx->out_sg, sig_size, ctx->key_size); 55562306a36Sopenharmony_ci 55662306a36Sopenharmony_ci err = crypto_akcipher_encrypt(&req_ctx->child_req); 55762306a36Sopenharmony_ci if (err != -EINPROGRESS && err != -EBUSY) 55862306a36Sopenharmony_ci return pkcs1pad_verify_complete(req, err); 55962306a36Sopenharmony_ci 56062306a36Sopenharmony_ci return err; 56162306a36Sopenharmony_ci} 56262306a36Sopenharmony_ci 56362306a36Sopenharmony_cistatic int pkcs1pad_init_tfm(struct crypto_akcipher *tfm) 56462306a36Sopenharmony_ci{ 56562306a36Sopenharmony_ci struct akcipher_instance *inst = akcipher_alg_instance(tfm); 56662306a36Sopenharmony_ci struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst); 56762306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 56862306a36Sopenharmony_ci struct crypto_akcipher *child_tfm; 56962306a36Sopenharmony_ci 57062306a36Sopenharmony_ci child_tfm = crypto_spawn_akcipher(&ictx->spawn); 57162306a36Sopenharmony_ci if (IS_ERR(child_tfm)) 57262306a36Sopenharmony_ci return PTR_ERR(child_tfm); 57362306a36Sopenharmony_ci 57462306a36Sopenharmony_ci ctx->child = child_tfm; 57562306a36Sopenharmony_ci 57662306a36Sopenharmony_ci akcipher_set_reqsize(tfm, sizeof(struct pkcs1pad_request) + 57762306a36Sopenharmony_ci crypto_akcipher_reqsize(child_tfm)); 57862306a36Sopenharmony_ci 57962306a36Sopenharmony_ci return 0; 58062306a36Sopenharmony_ci} 58162306a36Sopenharmony_ci 58262306a36Sopenharmony_cistatic void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm) 58362306a36Sopenharmony_ci{ 58462306a36Sopenharmony_ci struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 58562306a36Sopenharmony_ci 58662306a36Sopenharmony_ci crypto_free_akcipher(ctx->child); 58762306a36Sopenharmony_ci} 58862306a36Sopenharmony_ci 58962306a36Sopenharmony_cistatic void pkcs1pad_free(struct akcipher_instance *inst) 59062306a36Sopenharmony_ci{ 59162306a36Sopenharmony_ci struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst); 59262306a36Sopenharmony_ci struct crypto_akcipher_spawn *spawn = &ctx->spawn; 59362306a36Sopenharmony_ci 59462306a36Sopenharmony_ci crypto_drop_akcipher(spawn); 59562306a36Sopenharmony_ci kfree(inst); 59662306a36Sopenharmony_ci} 59762306a36Sopenharmony_ci 59862306a36Sopenharmony_cistatic int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb) 59962306a36Sopenharmony_ci{ 60062306a36Sopenharmony_ci u32 mask; 60162306a36Sopenharmony_ci struct akcipher_instance *inst; 60262306a36Sopenharmony_ci struct pkcs1pad_inst_ctx *ctx; 60362306a36Sopenharmony_ci struct akcipher_alg *rsa_alg; 60462306a36Sopenharmony_ci const char *hash_name; 60562306a36Sopenharmony_ci int err; 60662306a36Sopenharmony_ci 60762306a36Sopenharmony_ci err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AKCIPHER, &mask); 60862306a36Sopenharmony_ci if (err) 60962306a36Sopenharmony_ci return err; 61062306a36Sopenharmony_ci 61162306a36Sopenharmony_ci inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 61262306a36Sopenharmony_ci if (!inst) 61362306a36Sopenharmony_ci return -ENOMEM; 61462306a36Sopenharmony_ci 61562306a36Sopenharmony_ci ctx = akcipher_instance_ctx(inst); 61662306a36Sopenharmony_ci 61762306a36Sopenharmony_ci err = crypto_grab_akcipher(&ctx->spawn, akcipher_crypto_instance(inst), 61862306a36Sopenharmony_ci crypto_attr_alg_name(tb[1]), 0, mask); 61962306a36Sopenharmony_ci if (err) 62062306a36Sopenharmony_ci goto err_free_inst; 62162306a36Sopenharmony_ci 62262306a36Sopenharmony_ci rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn); 62362306a36Sopenharmony_ci 62462306a36Sopenharmony_ci if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) { 62562306a36Sopenharmony_ci err = -EINVAL; 62662306a36Sopenharmony_ci goto err_free_inst; 62762306a36Sopenharmony_ci } 62862306a36Sopenharmony_ci 62962306a36Sopenharmony_ci err = -ENAMETOOLONG; 63062306a36Sopenharmony_ci hash_name = crypto_attr_alg_name(tb[2]); 63162306a36Sopenharmony_ci if (IS_ERR(hash_name)) { 63262306a36Sopenharmony_ci if (snprintf(inst->alg.base.cra_name, 63362306a36Sopenharmony_ci CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)", 63462306a36Sopenharmony_ci rsa_alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME) 63562306a36Sopenharmony_ci goto err_free_inst; 63662306a36Sopenharmony_ci 63762306a36Sopenharmony_ci if (snprintf(inst->alg.base.cra_driver_name, 63862306a36Sopenharmony_ci CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)", 63962306a36Sopenharmony_ci rsa_alg->base.cra_driver_name) >= 64062306a36Sopenharmony_ci CRYPTO_MAX_ALG_NAME) 64162306a36Sopenharmony_ci goto err_free_inst; 64262306a36Sopenharmony_ci } else { 64362306a36Sopenharmony_ci ctx->digest_info = rsa_lookup_asn1(hash_name); 64462306a36Sopenharmony_ci if (!ctx->digest_info) { 64562306a36Sopenharmony_ci err = -EINVAL; 64662306a36Sopenharmony_ci goto err_free_inst; 64762306a36Sopenharmony_ci } 64862306a36Sopenharmony_ci 64962306a36Sopenharmony_ci if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, 65062306a36Sopenharmony_ci "pkcs1pad(%s,%s)", rsa_alg->base.cra_name, 65162306a36Sopenharmony_ci hash_name) >= CRYPTO_MAX_ALG_NAME) 65262306a36Sopenharmony_ci goto err_free_inst; 65362306a36Sopenharmony_ci 65462306a36Sopenharmony_ci if (snprintf(inst->alg.base.cra_driver_name, 65562306a36Sopenharmony_ci CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s,%s)", 65662306a36Sopenharmony_ci rsa_alg->base.cra_driver_name, 65762306a36Sopenharmony_ci hash_name) >= CRYPTO_MAX_ALG_NAME) 65862306a36Sopenharmony_ci goto err_free_inst; 65962306a36Sopenharmony_ci } 66062306a36Sopenharmony_ci 66162306a36Sopenharmony_ci inst->alg.base.cra_priority = rsa_alg->base.cra_priority; 66262306a36Sopenharmony_ci inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx); 66362306a36Sopenharmony_ci 66462306a36Sopenharmony_ci inst->alg.init = pkcs1pad_init_tfm; 66562306a36Sopenharmony_ci inst->alg.exit = pkcs1pad_exit_tfm; 66662306a36Sopenharmony_ci 66762306a36Sopenharmony_ci inst->alg.encrypt = pkcs1pad_encrypt; 66862306a36Sopenharmony_ci inst->alg.decrypt = pkcs1pad_decrypt; 66962306a36Sopenharmony_ci inst->alg.sign = pkcs1pad_sign; 67062306a36Sopenharmony_ci inst->alg.verify = pkcs1pad_verify; 67162306a36Sopenharmony_ci inst->alg.set_pub_key = pkcs1pad_set_pub_key; 67262306a36Sopenharmony_ci inst->alg.set_priv_key = pkcs1pad_set_priv_key; 67362306a36Sopenharmony_ci inst->alg.max_size = pkcs1pad_get_max_size; 67462306a36Sopenharmony_ci 67562306a36Sopenharmony_ci inst->free = pkcs1pad_free; 67662306a36Sopenharmony_ci 67762306a36Sopenharmony_ci err = akcipher_register_instance(tmpl, inst); 67862306a36Sopenharmony_ci if (err) { 67962306a36Sopenharmony_cierr_free_inst: 68062306a36Sopenharmony_ci pkcs1pad_free(inst); 68162306a36Sopenharmony_ci } 68262306a36Sopenharmony_ci return err; 68362306a36Sopenharmony_ci} 68462306a36Sopenharmony_ci 68562306a36Sopenharmony_cistruct crypto_template rsa_pkcs1pad_tmpl = { 68662306a36Sopenharmony_ci .name = "pkcs1pad", 68762306a36Sopenharmony_ci .create = pkcs1pad_create, 68862306a36Sopenharmony_ci .module = THIS_MODULE, 68962306a36Sopenharmony_ci}; 690