1 // SPDX-License-Identifier: GPL-2.0-or-later
3  * RSA Signature Scheme with Appendix - PKCS #1 v1.5 (RFC 8017 sec 8.2)
5  * https://www.rfc-editor.org/rfc/rfc8017#section-8.2
7  * Copyright (c) 2015 - 2024 Intel Corporation
21  * Full Hash Prefix for EMSA-PKCS1-v1_5 encoding method (RFC 9580 table 24)
27  * https://www.rfc-editor.org/rfc/rfc9580#table-24
107 #define _(X) { "sha3-" #X, hash_prefix_sha3_##X, sizeof(hash_prefix_sha3_##X) }
109 	_(384),
117 	const struct hash_prefix *p;  in rsassa_pkcs1_find_hash_prefix()  local
119 	for (p = hash_prefixes; p->name; p++)  in rsassa_pkcs1_find_hash_prefix()
120 		if (strcmp(name, p->name) == 0)  in rsassa_pkcs1_find_hash_prefix()
121 			return p;  in rsassa_pkcs1_find_hash_prefix()
126 					  const struct hash_prefix *p)  in rsassa_pkcs1_invalid_hash_len()  argument
133 	if (p->data == hash_prefix_none)  in rsassa_pkcs1_invalid_hash_len()
145 	return len != p->data[p->size - 1];  in rsassa_pkcs1_invalid_hash_len()
164 	const struct hash_prefix *hash_prefix = ictx->hash_prefix;  in rsassa_pkcs1_sign()
172 	if (!ctx->key_size)  in rsassa_pkcs1_sign()
173 		return -EINVAL;  in rsassa_pkcs1_sign()
175 	if (dlen < ctx->key_size)  in rsassa_pkcs1_sign()
176 		return -EOVERFLOW;  in rsassa_pkcs1_sign()
179 		return -EINVAL;  in rsassa_pkcs1_sign()
181 	if (slen + hash_prefix->size > ctx->key_size - 11)  in rsassa_pkcs1_sign()
182 		return -EOVERFLOW;  in rsassa_pkcs1_sign()
184 	pad_len = ctx->key_size - slen - hash_prefix->size - 1;  in rsassa_pkcs1_sign()
186 	/* RFC 8017 sec 8.2.1 step 1 - EMSA-PKCS1-v1_5 encoding generation */  in rsassa_pkcs1_sign()
188 	memmove(in_buf + pad_len + hash_prefix->size, src, slen);  in rsassa_pkcs1_sign()
189 	memcpy(in_buf + pad_len, hash_prefix->data, hash_prefix->size);  in rsassa_pkcs1_sign()
191 	ps_end = pad_len - 1;  in rsassa_pkcs1_sign()
193 	memset(in_buf + 1, 0xff, ps_end - 1);  in rsassa_pkcs1_sign()
197 	/* RFC 8017 sec 8.2.1 step 2 - RSA signature */  in rsassa_pkcs1_sign()
198 	err = crypto_akcipher_sync_decrypt(ctx->child, in_buf,  in rsassa_pkcs1_sign()
199 					   ctx->key_size - 1, in_buf,  in rsassa_pkcs1_sign()
200 					   ctx->key_size);  in rsassa_pkcs1_sign()
205 	pad_len = ctx->key_size - len;  in rsassa_pkcs1_sign()
222 	const struct hash_prefix *hash_prefix = ictx->hash_prefix;  in rsassa_pkcs1_verify()
224 	unsigned int child_reqsize = crypto_akcipher_reqsize(ctx->child);  in rsassa_pkcs1_verify()
233 	/* RFC 8017 sec 8.2.2 step 1 - length checking */  in rsassa_pkcs1_verify()
234 	if (!ctx->key_size ||  in rsassa_pkcs1_verify()
235 	    slen != ctx->key_size ||  in rsassa_pkcs1_verify()
237 		return -EINVAL;  in rsassa_pkcs1_verify()
239 	/* RFC 8017 sec 8.2.2 step 2 - RSA verification */  in rsassa_pkcs1_verify()
240 	child_req = kmalloc(sizeof(*child_req) + child_reqsize + ctx->key_size,  in rsassa_pkcs1_verify()
243 		return -ENOMEM;  in rsassa_pkcs1_verify()
250 	akcipher_request_set_tfm(child_req, ctx->child);  in rsassa_pkcs1_verify()
260 	/* RFC 8017 sec 8.2.2 step 3 - EMSA-PKCS1-v1_5 encoding verification */  in rsassa_pkcs1_verify()
261 	dst_len = child_req->dst_len;  in rsassa_pkcs1_verify()
262 	if (dst_len < ctx->key_size - 1)  in rsassa_pkcs1_verify()
263 		return -EINVAL;  in rsassa_pkcs1_verify()
265 	if (dst_len == ctx->key_size) {  in rsassa_pkcs1_verify()
268 			return -EINVAL;  in rsassa_pkcs1_verify()
270 		dst_len--;  in rsassa_pkcs1_verify()
275 		return -EBADMSG;  in rsassa_pkcs1_verify()
282 		return -EBADMSG;  in rsassa_pkcs1_verify()
285 	if (hash_prefix->size > dst_len - pos)  in rsassa_pkcs1_verify()
286 		return -EBADMSG;  in rsassa_pkcs1_verify()
287 	if (crypto_memneq(out_buf + pos, hash_prefix->data, hash_prefix->size))  in rsassa_pkcs1_verify()
288 		return -EBADMSG;  in rsassa_pkcs1_verify()
289 	pos += hash_prefix->size;  in rsassa_pkcs1_verify()
291 	/* RFC 8017 sec 8.2.2 step 4 - comparison of digest with out_buf */  in rsassa_pkcs1_verify()
292 	if (dlen != dst_len - pos)  in rsassa_pkcs1_verify()
293 		return -EKEYREJECTED;  in rsassa_pkcs1_verify()
295 		return -EKEYREJECTED;  in rsassa_pkcs1_verify()
304 	return ctx->key_size;  in rsassa_pkcs1_key_size()
312 	return rsa_set_key(ctx->child, &ctx->key_size, RSA_PUB, key, keylen);  in rsassa_pkcs1_set_pub_key()
320 	return rsa_set_key(ctx->child, &ctx->key_size, RSA_PRIV, key, keylen);  in rsassa_pkcs1_set_priv_key()
330 	child_tfm = crypto_spawn_akcipher(&ictx->spawn);  in rsassa_pkcs1_init_tfm()
334 	ctx->child = child_tfm;  in rsassa_pkcs1_init_tfm()
343 	crypto_free_akcipher(ctx->child);  in rsassa_pkcs1_exit_tfm()
349 	struct crypto_akcipher_spawn *spawn = &ctx->spawn;  in rsassa_pkcs1_free()
370 		return -ENOMEM;  in rsassa_pkcs1_create()
374 	err = crypto_grab_akcipher(&ctx->spawn, sig_crypto_instance(inst),  in rsassa_pkcs1_create()
379 	rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn);  in rsassa_pkcs1_create()
381 	if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) {  in rsassa_pkcs1_create()
382 		err = -EINVAL;  in rsassa_pkcs1_create()
392 	ctx->hash_prefix = rsassa_pkcs1_find_hash_prefix(hash_name);  in rsassa_pkcs1_create()
393 	if (!ctx->hash_prefix) {  in rsassa_pkcs1_create()
394 		err = -EINVAL;  in rsassa_pkcs1_create()
398 	err = -ENAMETOOLONG;  in rsassa_pkcs1_create()
399 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,  in rsassa_pkcs1_create()
400 		     "pkcs1(%s,%s)", rsa_alg->base.cra_name,  in rsassa_pkcs1_create()
404 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,  in rsassa_pkcs1_create()
405 		     "pkcs1(%s,%s)", rsa_alg->base.cra_driver_name,  in rsassa_pkcs1_create()
409 	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;  in rsassa_pkcs1_create()
410 	inst->alg.base.cra_ctxsize = sizeof(struct rsassa_pkcs1_ctx);  in rsassa_pkcs1_create()
412 	inst->alg.init = rsassa_pkcs1_init_tfm;  in rsassa_pkcs1_create()
413 	inst->alg.exit = rsassa_pkcs1_exit_tfm;  in rsassa_pkcs1_create()
415 	inst->alg.sign = rsassa_pkcs1_sign;  in rsassa_pkcs1_create()
416 	inst->alg.verify = rsassa_pkcs1_verify;  in rsassa_pkcs1_create()
417 	inst->alg.key_size = rsassa_pkcs1_key_size;  in rsassa_pkcs1_create()
418 	inst->alg.set_pub_key = rsassa_pkcs1_set_pub_key;  in rsassa_pkcs1_create()
419 	inst->alg.set_priv_key = rsassa_pkcs1_set_priv_key;  in rsassa_pkcs1_create()
421 	inst->free = rsassa_pkcs1_free;  in rsassa_pkcs1_create()