| 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
|---|---|
| 2 | /* |
| 3 | * RSA padding templates. |
| 4 | * |
| 5 | * Copyright (c) 2015 Intel Corporation |
| 6 | */ |
| 7 | |
| 8 | #include <crypto/algapi.h> |
| 9 | #include <crypto/akcipher.h> |
| 10 | #include <crypto/internal/akcipher.h> |
| 11 | #include <crypto/internal/rsa.h> |
| 12 | #include <linux/err.h> |
| 13 | #include <linux/init.h> |
| 14 | #include <linux/kernel.h> |
| 15 | #include <linux/module.h> |
| 16 | #include <linux/random.h> |
| 17 | #include <linux/scatterlist.h> |
| 18 | |
| 19 | struct pkcs1pad_ctx { |
| 20 | struct crypto_akcipher *child; |
| 21 | unsigned int key_size; |
| 22 | }; |
| 23 | |
| 24 | struct pkcs1pad_inst_ctx { |
| 25 | struct crypto_akcipher_spawn spawn; |
| 26 | }; |
| 27 | |
| 28 | struct pkcs1pad_request { |
| 29 | struct scatterlist in_sg[2], out_sg[1]; |
| 30 | uint8_t *in_buf, *out_buf; |
| 31 | struct akcipher_request child_req; |
| 32 | }; |
| 33 | |
| 34 | static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key, |
| 35 | unsigned int keylen) |
| 36 | { |
| 37 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 38 | |
| 39 | return rsa_set_key(child: ctx->child, key_size: &ctx->key_size, RSA_PUB, key, keylen); |
| 40 | } |
| 41 | |
| 42 | static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key, |
| 43 | unsigned int keylen) |
| 44 | { |
| 45 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 46 | |
| 47 | return rsa_set_key(child: ctx->child, key_size: &ctx->key_size, RSA_PRIV, key, keylen); |
| 48 | } |
| 49 | |
| 50 | static unsigned int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) |
| 51 | { |
| 52 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 53 | |
| 54 | /* |
| 55 | * The maximum destination buffer size for the encrypt operation |
| 56 | * will be the same as for RSA, even though it's smaller for |
| 57 | * decrypt. |
| 58 | */ |
| 59 | |
| 60 | return ctx->key_size; |
| 61 | } |
| 62 | |
| 63 | static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len, |
| 64 | struct scatterlist *next) |
| 65 | { |
| 66 | int nsegs = next ? 2 : 1; |
| 67 | |
| 68 | sg_init_table(sg, nsegs); |
| 69 | sg_set_buf(sg, buf, buflen: len); |
| 70 | |
| 71 | if (next) |
| 72 | sg_chain(prv: sg, prv_nents: nsegs, sgl: next); |
| 73 | } |
| 74 | |
| 75 | static int pkcs1pad_encrypt_complete(struct akcipher_request *req, int err) |
| 76 | { |
| 77 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
| 78 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 79 | struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); |
| 80 | unsigned int pad_len; |
| 81 | unsigned int len; |
| 82 | u8 *out_buf; |
| 83 | |
| 84 | if (err) |
| 85 | goto out; |
| 86 | |
| 87 | len = req_ctx->child_req.dst_len; |
| 88 | pad_len = ctx->key_size - len; |
| 89 | |
| 90 | /* Four billion to one */ |
| 91 | if (likely(!pad_len)) |
| 92 | goto out; |
| 93 | |
| 94 | out_buf = kzalloc(ctx->key_size, GFP_ATOMIC); |
| 95 | err = -ENOMEM; |
| 96 | if (!out_buf) |
| 97 | goto out; |
| 98 | |
| 99 | sg_copy_to_buffer(sgl: req->dst, nents: sg_nents_for_len(sg: req->dst, len), |
| 100 | buf: out_buf + pad_len, buflen: len); |
| 101 | sg_copy_from_buffer(sgl: req->dst, |
| 102 | nents: sg_nents_for_len(sg: req->dst, len: ctx->key_size), |
| 103 | buf: out_buf, buflen: ctx->key_size); |
| 104 | kfree_sensitive(objp: out_buf); |
| 105 | |
| 106 | out: |
| 107 | req->dst_len = ctx->key_size; |
| 108 | |
| 109 | kfree(objp: req_ctx->in_buf); |
| 110 | |
| 111 | return err; |
| 112 | } |
| 113 | |
| 114 | static void pkcs1pad_encrypt_complete_cb(void *data, int err) |
| 115 | { |
| 116 | struct akcipher_request *req = data; |
| 117 | |
| 118 | if (err == -EINPROGRESS) |
| 119 | goto out; |
| 120 | |
| 121 | err = pkcs1pad_encrypt_complete(req, err); |
| 122 | |
| 123 | out: |
| 124 | akcipher_request_complete(req, err); |
| 125 | } |
| 126 | |
| 127 | static int pkcs1pad_encrypt(struct akcipher_request *req) |
| 128 | { |
| 129 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
| 130 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 131 | struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); |
| 132 | int err; |
| 133 | unsigned int i, ps_end; |
| 134 | |
| 135 | if (!ctx->key_size) |
| 136 | return -EINVAL; |
| 137 | |
| 138 | if (req->src_len > ctx->key_size - 11) |
| 139 | return -EOVERFLOW; |
| 140 | |
| 141 | if (req->dst_len < ctx->key_size) { |
| 142 | req->dst_len = ctx->key_size; |
| 143 | return -EOVERFLOW; |
| 144 | } |
| 145 | |
| 146 | req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len, |
| 147 | GFP_KERNEL); |
| 148 | if (!req_ctx->in_buf) |
| 149 | return -ENOMEM; |
| 150 | |
| 151 | ps_end = ctx->key_size - req->src_len - 2; |
| 152 | req_ctx->in_buf[0] = 0x02; |
| 153 | for (i = 1; i < ps_end; i++) |
| 154 | req_ctx->in_buf[i] = get_random_u32_inclusive(floor: 1, ceil: 255); |
| 155 | req_ctx->in_buf[ps_end] = 0x00; |
| 156 | |
| 157 | pkcs1pad_sg_set_buf(sg: req_ctx->in_sg, buf: req_ctx->in_buf, |
| 158 | len: ctx->key_size - 1 - req->src_len, next: req->src); |
| 159 | |
| 160 | akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child); |
| 161 | akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags, |
| 162 | cmpl: pkcs1pad_encrypt_complete_cb, data: req); |
| 163 | |
| 164 | /* Reuse output buffer */ |
| 165 | akcipher_request_set_crypt(req: &req_ctx->child_req, src: req_ctx->in_sg, |
| 166 | dst: req->dst, src_len: ctx->key_size - 1, dst_len: req->dst_len); |
| 167 | |
| 168 | err = crypto_akcipher_encrypt(req: &req_ctx->child_req); |
| 169 | if (err != -EINPROGRESS && err != -EBUSY) |
| 170 | return pkcs1pad_encrypt_complete(req, err); |
| 171 | |
| 172 | return err; |
| 173 | } |
| 174 | |
| 175 | static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err) |
| 176 | { |
| 177 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
| 178 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 179 | struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); |
| 180 | unsigned int dst_len; |
| 181 | unsigned int pos; |
| 182 | u8 *out_buf; |
| 183 | |
| 184 | if (err) |
| 185 | goto done; |
| 186 | |
| 187 | err = -EINVAL; |
| 188 | dst_len = req_ctx->child_req.dst_len; |
| 189 | if (dst_len < ctx->key_size - 1) |
| 190 | goto done; |
| 191 | |
| 192 | out_buf = req_ctx->out_buf; |
| 193 | if (dst_len == ctx->key_size) { |
| 194 | if (out_buf[0] != 0x00) |
| 195 | /* Decrypted value had no leading 0 byte */ |
| 196 | goto done; |
| 197 | |
| 198 | dst_len--; |
| 199 | out_buf++; |
| 200 | } |
| 201 | |
| 202 | if (out_buf[0] != 0x02) |
| 203 | goto done; |
| 204 | |
| 205 | for (pos = 1; pos < dst_len; pos++) |
| 206 | if (out_buf[pos] == 0x00) |
| 207 | break; |
| 208 | if (pos < 9 || pos == dst_len) |
| 209 | goto done; |
| 210 | pos++; |
| 211 | |
| 212 | err = 0; |
| 213 | |
| 214 | if (req->dst_len < dst_len - pos) |
| 215 | err = -EOVERFLOW; |
| 216 | req->dst_len = dst_len - pos; |
| 217 | |
| 218 | if (!err) |
| 219 | sg_copy_from_buffer(sgl: req->dst, |
| 220 | nents: sg_nents_for_len(sg: req->dst, len: req->dst_len), |
| 221 | buf: out_buf + pos, buflen: req->dst_len); |
| 222 | |
| 223 | done: |
| 224 | kfree_sensitive(objp: req_ctx->out_buf); |
| 225 | |
| 226 | return err; |
| 227 | } |
| 228 | |
| 229 | static void pkcs1pad_decrypt_complete_cb(void *data, int err) |
| 230 | { |
| 231 | struct akcipher_request *req = data; |
| 232 | |
| 233 | if (err == -EINPROGRESS) |
| 234 | goto out; |
| 235 | |
| 236 | err = pkcs1pad_decrypt_complete(req, err); |
| 237 | |
| 238 | out: |
| 239 | akcipher_request_complete(req, err); |
| 240 | } |
| 241 | |
| 242 | static int pkcs1pad_decrypt(struct akcipher_request *req) |
| 243 | { |
| 244 | struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); |
| 245 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 246 | struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); |
| 247 | int err; |
| 248 | |
| 249 | if (!ctx->key_size || req->src_len != ctx->key_size) |
| 250 | return -EINVAL; |
| 251 | |
| 252 | req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL); |
| 253 | if (!req_ctx->out_buf) |
| 254 | return -ENOMEM; |
| 255 | |
| 256 | pkcs1pad_sg_set_buf(sg: req_ctx->out_sg, buf: req_ctx->out_buf, |
| 257 | len: ctx->key_size, NULL); |
| 258 | |
| 259 | akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child); |
| 260 | akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags, |
| 261 | cmpl: pkcs1pad_decrypt_complete_cb, data: req); |
| 262 | |
| 263 | /* Reuse input buffer, output to a new buffer */ |
| 264 | akcipher_request_set_crypt(req: &req_ctx->child_req, src: req->src, |
| 265 | dst: req_ctx->out_sg, src_len: req->src_len, |
| 266 | dst_len: ctx->key_size); |
| 267 | |
| 268 | err = crypto_akcipher_decrypt(req: &req_ctx->child_req); |
| 269 | if (err != -EINPROGRESS && err != -EBUSY) |
| 270 | return pkcs1pad_decrypt_complete(req, err); |
| 271 | |
| 272 | return err; |
| 273 | } |
| 274 | |
| 275 | static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm) |
| 276 | { |
| 277 | struct akcipher_instance *inst = akcipher_alg_instance(akcipher: tfm); |
| 278 | struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst); |
| 279 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 280 | struct crypto_akcipher *child_tfm; |
| 281 | |
| 282 | child_tfm = crypto_spawn_akcipher(spawn: &ictx->spawn); |
| 283 | if (IS_ERR(ptr: child_tfm)) |
| 284 | return PTR_ERR(ptr: child_tfm); |
| 285 | |
| 286 | ctx->child = child_tfm; |
| 287 | |
| 288 | akcipher_set_reqsize(akcipher: tfm, reqsize: sizeof(struct pkcs1pad_request) + |
| 289 | crypto_akcipher_reqsize(tfm: child_tfm)); |
| 290 | |
| 291 | return 0; |
| 292 | } |
| 293 | |
| 294 | static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm) |
| 295 | { |
| 296 | struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); |
| 297 | |
| 298 | crypto_free_akcipher(tfm: ctx->child); |
| 299 | } |
| 300 | |
| 301 | static void pkcs1pad_free(struct akcipher_instance *inst) |
| 302 | { |
| 303 | struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst); |
| 304 | struct crypto_akcipher_spawn *spawn = &ctx->spawn; |
| 305 | |
| 306 | crypto_drop_akcipher(spawn); |
| 307 | kfree(objp: inst); |
| 308 | } |
| 309 | |
| 310 | static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb) |
| 311 | { |
| 312 | u32 mask; |
| 313 | struct akcipher_instance *inst; |
| 314 | struct pkcs1pad_inst_ctx *ctx; |
| 315 | struct akcipher_alg *rsa_alg; |
| 316 | int err; |
| 317 | |
| 318 | err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AKCIPHER, mask_ret: &mask); |
| 319 | if (err) |
| 320 | return err; |
| 321 | |
| 322 | inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); |
| 323 | if (!inst) |
| 324 | return -ENOMEM; |
| 325 | |
| 326 | ctx = akcipher_instance_ctx(inst); |
| 327 | |
| 328 | err = crypto_grab_akcipher(spawn: &ctx->spawn, inst: akcipher_crypto_instance(inst), |
| 329 | name: crypto_attr_alg_name(rta: tb[1]), type: 0, mask); |
| 330 | if (err) |
| 331 | goto err_free_inst; |
| 332 | |
| 333 | rsa_alg = crypto_spawn_akcipher_alg(spawn: &ctx->spawn); |
| 334 | |
| 335 | if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) { |
| 336 | err = -EINVAL; |
| 337 | goto err_free_inst; |
| 338 | } |
| 339 | |
| 340 | err = -ENAMETOOLONG; |
| 341 | if (snprintf(buf: inst->alg.base.cra_name, |
| 342 | CRYPTO_MAX_ALG_NAME, fmt: "pkcs1pad(%s)", |
| 343 | rsa_alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME) |
| 344 | goto err_free_inst; |
| 345 | |
| 346 | if (snprintf(buf: inst->alg.base.cra_driver_name, |
| 347 | CRYPTO_MAX_ALG_NAME, fmt: "pkcs1pad(%s)", |
| 348 | rsa_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) |
| 349 | goto err_free_inst; |
| 350 | |
| 351 | inst->alg.base.cra_priority = rsa_alg->base.cra_priority; |
| 352 | inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx); |
| 353 | |
| 354 | inst->alg.init = pkcs1pad_init_tfm; |
| 355 | inst->alg.exit = pkcs1pad_exit_tfm; |
| 356 | |
| 357 | inst->alg.encrypt = pkcs1pad_encrypt; |
| 358 | inst->alg.decrypt = pkcs1pad_decrypt; |
| 359 | inst->alg.set_pub_key = pkcs1pad_set_pub_key; |
| 360 | inst->alg.set_priv_key = pkcs1pad_set_priv_key; |
| 361 | inst->alg.max_size = pkcs1pad_get_max_size; |
| 362 | |
| 363 | inst->free = pkcs1pad_free; |
| 364 | |
| 365 | err = akcipher_register_instance(tmpl, inst); |
| 366 | if (err) { |
| 367 | err_free_inst: |
| 368 | pkcs1pad_free(inst); |
| 369 | } |
| 370 | return err; |
| 371 | } |
| 372 | |
| 373 | struct crypto_template rsa_pkcs1pad_tmpl = { |
| 374 | .name = "pkcs1pad", |
| 375 | .create = pkcs1pad_create, |
| 376 | .module = THIS_MODULE, |
| 377 | }; |
| 378 | |
| 379 | MODULE_ALIAS_CRYPTO("pkcs1pad"); |
| 380 |
Generated on 2025-Oct-12 from project Linux revision 6.17.0 (67029a49db6c)
Powered by 
Code Browser 2.1
Generator usage only permitted with license.