xref: /linux/crypto/rsa-pkcs1pad.c (revision 10accd2e6890b57db8e717e9aee91b791f90fe14)
1 /*
2  * RSA padding templates.
3  *
4  * Copyright (c) 2015  Intel Corporation
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; either version 2 of the License, or (at your option)
9  * any later version.
10  */
11 
12 #include <crypto/algapi.h>
13 #include <crypto/akcipher.h>
14 #include <crypto/internal/akcipher.h>
15 #include <linux/err.h>
16 #include <linux/init.h>
17 #include <linux/kernel.h>
18 #include <linux/module.h>
19 #include <linux/random.h>
20 
21 /*
22  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
23  */
24 static const u8 rsa_digest_info_md5[] = {
25 	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
26 	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
27 	0x05, 0x00, 0x04, 0x10
28 };
29 
30 static const u8 rsa_digest_info_sha1[] = {
31 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
32 	0x2b, 0x0e, 0x03, 0x02, 0x1a,
33 	0x05, 0x00, 0x04, 0x14
34 };
35 
36 static const u8 rsa_digest_info_rmd160[] = {
37 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
38 	0x2b, 0x24, 0x03, 0x02, 0x01,
39 	0x05, 0x00, 0x04, 0x14
40 };
41 
42 static const u8 rsa_digest_info_sha224[] = {
43 	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
44 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
45 	0x05, 0x00, 0x04, 0x1c
46 };
47 
48 static const u8 rsa_digest_info_sha256[] = {
49 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
50 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
51 	0x05, 0x00, 0x04, 0x20
52 };
53 
54 static const u8 rsa_digest_info_sha384[] = {
55 	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
56 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
57 	0x05, 0x00, 0x04, 0x30
58 };
59 
60 static const u8 rsa_digest_info_sha512[] = {
61 	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
62 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
63 	0x05, 0x00, 0x04, 0x40
64 };
65 
66 static const struct rsa_asn1_template {
67 	const char	*name;
68 	const u8	*data;
69 	size_t		size;
70 } rsa_asn1_templates[] = {
71 #define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) }
72 	_(md5),
73 	_(sha1),
74 	_(rmd160),
75 	_(sha256),
76 	_(sha384),
77 	_(sha512),
78 	_(sha224),
79 	{ NULL }
80 #undef _
81 };
82 
83 static const struct rsa_asn1_template *rsa_lookup_asn1(const char *name)
84 {
85 	const struct rsa_asn1_template *p;
86 
87 	for (p = rsa_asn1_templates; p->name; p++)
88 		if (strcmp(name, p->name) == 0)
89 			return p;
90 	return NULL;
91 }
92 
93 struct pkcs1pad_ctx {
94 	struct crypto_akcipher *child;
95 	unsigned int key_size;
96 };
97 
98 struct pkcs1pad_inst_ctx {
99 	struct crypto_akcipher_spawn spawn;
100 	const struct rsa_asn1_template *digest_info;
101 };
102 
103 struct pkcs1pad_request {
104 	struct scatterlist in_sg[2], out_sg[1];
105 	uint8_t *in_buf, *out_buf;
106 	struct akcipher_request child_req;
107 };
108 
109 static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key,
110 		unsigned int keylen)
111 {
112 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
113 	int err;
114 
115 	ctx->key_size = 0;
116 
117 	err = crypto_akcipher_set_pub_key(ctx->child, key, keylen);
118 	if (err)
119 		return err;
120 
121 	/* Find out new modulus size from rsa implementation */
122 	err = crypto_akcipher_maxsize(ctx->child);
123 	if (err < 0)
124 		return err;
125 
126 	if (err > PAGE_SIZE)
127 		return -ENOTSUPP;
128 
129 	ctx->key_size = err;
130 	return 0;
131 }
132 
133 static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key,
134 		unsigned int keylen)
135 {
136 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
137 	int err;
138 
139 	ctx->key_size = 0;
140 
141 	err = crypto_akcipher_set_priv_key(ctx->child, key, keylen);
142 	if (err)
143 		return err;
144 
145 	/* Find out new modulus size from rsa implementation */
146 	err = crypto_akcipher_maxsize(ctx->child);
147 	if (err < 0)
148 		return err;
149 
150 	if (err > PAGE_SIZE)
151 		return -ENOTSUPP;
152 
153 	ctx->key_size = err;
154 	return 0;
155 }
156 
157 static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm)
158 {
159 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
160 
161 	/*
162 	 * The maximum destination buffer size for the encrypt/sign operations
163 	 * will be the same as for RSA, even though it's smaller for
164 	 * decrypt/verify.
165 	 */
166 
167 	return ctx->key_size ?: -EINVAL;
168 }
169 
170 static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len,
171 		struct scatterlist *next)
172 {
173 	int nsegs = next ? 2 : 1;
174 
175 	sg_init_table(sg, nsegs);
176 	sg_set_buf(sg, buf, len);
177 
178 	if (next)
179 		sg_chain(sg, nsegs, next);
180 }
181 
182 static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err)
183 {
184 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
185 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
186 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
187 	unsigned int pad_len;
188 	unsigned int len;
189 	u8 *out_buf;
190 
191 	if (err)
192 		goto out;
193 
194 	len = req_ctx->child_req.dst_len;
195 	pad_len = ctx->key_size - len;
196 
197 	/* Four billion to one */
198 	if (likely(!pad_len))
199 		goto out;
200 
201 	out_buf = kzalloc(ctx->key_size, GFP_ATOMIC);
202 	err = -ENOMEM;
203 	if (!out_buf)
204 		goto out;
205 
206 	sg_copy_to_buffer(req->dst, sg_nents_for_len(req->dst, len),
207 			  out_buf + pad_len, len);
208 	sg_copy_from_buffer(req->dst,
209 			    sg_nents_for_len(req->dst, ctx->key_size),
210 			    out_buf, ctx->key_size);
211 	kzfree(out_buf);
212 
213 out:
214 	req->dst_len = ctx->key_size;
215 
216 	kfree(req_ctx->in_buf);
217 
218 	return err;
219 }
220 
221 static void pkcs1pad_encrypt_sign_complete_cb(
222 		struct crypto_async_request *child_async_req, int err)
223 {
224 	struct akcipher_request *req = child_async_req->data;
225 	struct crypto_async_request async_req;
226 
227 	if (err == -EINPROGRESS)
228 		return;
229 
230 	async_req.data = req->base.data;
231 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
232 	async_req.flags = child_async_req->flags;
233 	req->base.complete(&async_req,
234 			pkcs1pad_encrypt_sign_complete(req, err));
235 }
236 
237 static int pkcs1pad_encrypt(struct akcipher_request *req)
238 {
239 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
240 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
241 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
242 	int err;
243 	unsigned int i, ps_end;
244 
245 	if (!ctx->key_size)
246 		return -EINVAL;
247 
248 	if (req->src_len > ctx->key_size - 11)
249 		return -EOVERFLOW;
250 
251 	if (req->dst_len < ctx->key_size) {
252 		req->dst_len = ctx->key_size;
253 		return -EOVERFLOW;
254 	}
255 
256 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
257 				  GFP_KERNEL);
258 	if (!req_ctx->in_buf)
259 		return -ENOMEM;
260 
261 	ps_end = ctx->key_size - req->src_len - 2;
262 	req_ctx->in_buf[0] = 0x02;
263 	for (i = 1; i < ps_end; i++)
264 		req_ctx->in_buf[i] = 1 + prandom_u32_max(255);
265 	req_ctx->in_buf[ps_end] = 0x00;
266 
267 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
268 			ctx->key_size - 1 - req->src_len, req->src);
269 
270 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
271 	if (!req_ctx->out_buf) {
272 		kfree(req_ctx->in_buf);
273 		return -ENOMEM;
274 	}
275 
276 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
277 			ctx->key_size, NULL);
278 
279 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
280 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
281 			pkcs1pad_encrypt_sign_complete_cb, req);
282 
283 	/* Reuse output buffer */
284 	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
285 				   req->dst, ctx->key_size - 1, req->dst_len);
286 
287 	err = crypto_akcipher_encrypt(&req_ctx->child_req);
288 	if (err != -EINPROGRESS &&
289 			(err != -EBUSY ||
290 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
291 		return pkcs1pad_encrypt_sign_complete(req, err);
292 
293 	return err;
294 }
295 
296 static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err)
297 {
298 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
299 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
300 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
301 	unsigned int pos;
302 
303 	if (err == -EOVERFLOW)
304 		/* Decrypted value had no leading 0 byte */
305 		err = -EINVAL;
306 
307 	if (err)
308 		goto done;
309 
310 	if (req_ctx->child_req.dst_len != ctx->key_size - 1) {
311 		err = -EINVAL;
312 		goto done;
313 	}
314 
315 	if (req_ctx->out_buf[0] != 0x02) {
316 		err = -EINVAL;
317 		goto done;
318 	}
319 	for (pos = 1; pos < req_ctx->child_req.dst_len; pos++)
320 		if (req_ctx->out_buf[pos] == 0x00)
321 			break;
322 	if (pos < 9 || pos == req_ctx->child_req.dst_len) {
323 		err = -EINVAL;
324 		goto done;
325 	}
326 	pos++;
327 
328 	if (req->dst_len < req_ctx->child_req.dst_len - pos)
329 		err = -EOVERFLOW;
330 	req->dst_len = req_ctx->child_req.dst_len - pos;
331 
332 	if (!err)
333 		sg_copy_from_buffer(req->dst,
334 				sg_nents_for_len(req->dst, req->dst_len),
335 				req_ctx->out_buf + pos, req->dst_len);
336 
337 done:
338 	kzfree(req_ctx->out_buf);
339 
340 	return err;
341 }
342 
343 static void pkcs1pad_decrypt_complete_cb(
344 		struct crypto_async_request *child_async_req, int err)
345 {
346 	struct akcipher_request *req = child_async_req->data;
347 	struct crypto_async_request async_req;
348 
349 	if (err == -EINPROGRESS)
350 		return;
351 
352 	async_req.data = req->base.data;
353 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
354 	async_req.flags = child_async_req->flags;
355 	req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err));
356 }
357 
358 static int pkcs1pad_decrypt(struct akcipher_request *req)
359 {
360 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
361 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
362 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
363 	int err;
364 
365 	if (!ctx->key_size || req->src_len != ctx->key_size)
366 		return -EINVAL;
367 
368 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
369 	if (!req_ctx->out_buf)
370 		return -ENOMEM;
371 
372 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
373 			    ctx->key_size, NULL);
374 
375 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
376 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
377 			pkcs1pad_decrypt_complete_cb, req);
378 
379 	/* Reuse input buffer, output to a new buffer */
380 	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
381 				   req_ctx->out_sg, req->src_len,
382 				   ctx->key_size);
383 
384 	err = crypto_akcipher_decrypt(&req_ctx->child_req);
385 	if (err != -EINPROGRESS &&
386 			(err != -EBUSY ||
387 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
388 		return pkcs1pad_decrypt_complete(req, err);
389 
390 	return err;
391 }
392 
393 static int pkcs1pad_sign(struct akcipher_request *req)
394 {
395 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
396 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
397 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
398 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
399 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
400 	const struct rsa_asn1_template *digest_info = ictx->digest_info;
401 	int err;
402 	unsigned int ps_end, digest_size = 0;
403 
404 	if (!ctx->key_size)
405 		return -EINVAL;
406 
407 	digest_size = digest_info->size;
408 
409 	if (req->src_len + digest_size > ctx->key_size - 11)
410 		return -EOVERFLOW;
411 
412 	if (req->dst_len < ctx->key_size) {
413 		req->dst_len = ctx->key_size;
414 		return -EOVERFLOW;
415 	}
416 
417 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
418 				  GFP_KERNEL);
419 	if (!req_ctx->in_buf)
420 		return -ENOMEM;
421 
422 	ps_end = ctx->key_size - digest_size - req->src_len - 2;
423 	req_ctx->in_buf[0] = 0x01;
424 	memset(req_ctx->in_buf + 1, 0xff, ps_end - 1);
425 	req_ctx->in_buf[ps_end] = 0x00;
426 
427 	memcpy(req_ctx->in_buf + ps_end + 1, digest_info->data,
428 	       digest_info->size);
429 
430 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
431 			ctx->key_size - 1 - req->src_len, req->src);
432 
433 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
434 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
435 			pkcs1pad_encrypt_sign_complete_cb, req);
436 
437 	/* Reuse output buffer */
438 	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
439 				   req->dst, ctx->key_size - 1, req->dst_len);
440 
441 	err = crypto_akcipher_sign(&req_ctx->child_req);
442 	if (err != -EINPROGRESS &&
443 			(err != -EBUSY ||
444 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
445 		return pkcs1pad_encrypt_sign_complete(req, err);
446 
447 	return err;
448 }
449 
450 static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
451 {
452 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
453 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
454 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
455 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
456 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
457 	const struct rsa_asn1_template *digest_info = ictx->digest_info;
458 	unsigned int dst_len;
459 	unsigned int pos;
460 	u8 *out_buf;
461 
462 	if (err)
463 		goto done;
464 
465 	err = -EINVAL;
466 	dst_len = req_ctx->child_req.dst_len;
467 	if (dst_len < ctx->key_size - 1)
468 		goto done;
469 
470 	out_buf = req_ctx->out_buf;
471 	if (dst_len == ctx->key_size) {
472 		if (out_buf[0] != 0x00)
473 			/* Decrypted value had no leading 0 byte */
474 			goto done;
475 
476 		dst_len--;
477 		out_buf++;
478 	}
479 
480 	err = -EBADMSG;
481 	if (out_buf[0] != 0x01)
482 		goto done;
483 
484 	for (pos = 1; pos < dst_len; pos++)
485 		if (out_buf[pos] != 0xff)
486 			break;
487 
488 	if (pos < 9 || pos == dst_len || out_buf[pos] != 0x00)
489 		goto done;
490 	pos++;
491 
492 	if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
493 		goto done;
494 
495 	pos += digest_info->size;
496 
497 	err = 0;
498 
499 	if (req->dst_len < dst_len - pos)
500 		err = -EOVERFLOW;
501 	req->dst_len = dst_len - pos;
502 
503 	if (!err)
504 		sg_copy_from_buffer(req->dst,
505 				sg_nents_for_len(req->dst, req->dst_len),
506 				out_buf + pos, req->dst_len);
507 done:
508 	kzfree(req_ctx->out_buf);
509 
510 	return err;
511 }
512 
513 static void pkcs1pad_verify_complete_cb(
514 		struct crypto_async_request *child_async_req, int err)
515 {
516 	struct akcipher_request *req = child_async_req->data;
517 	struct crypto_async_request async_req;
518 
519 	if (err == -EINPROGRESS)
520 		return;
521 
522 	async_req.data = req->base.data;
523 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
524 	async_req.flags = child_async_req->flags;
525 	req->base.complete(&async_req, pkcs1pad_verify_complete(req, err));
526 }
527 
528 /*
529  * The verify operation is here for completeness similar to the verification
530  * defined in RFC2313 section 10.2 except that block type 0 is not accepted,
531  * as in RFC2437.  RFC2437 section 9.2 doesn't define any operation to
532  * retrieve the DigestInfo from a signature, instead the user is expected
533  * to call the sign operation to generate the expected signature and compare
534  * signatures instead of the message-digests.
535  */
536 static int pkcs1pad_verify(struct akcipher_request *req)
537 {
538 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
539 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
540 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
541 	int err;
542 
543 	if (!ctx->key_size || req->src_len < ctx->key_size)
544 		return -EINVAL;
545 
546 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
547 	if (!req_ctx->out_buf)
548 		return -ENOMEM;
549 
550 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
551 			    ctx->key_size, NULL);
552 
553 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
554 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
555 			pkcs1pad_verify_complete_cb, req);
556 
557 	/* Reuse input buffer, output to a new buffer */
558 	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
559 				   req_ctx->out_sg, req->src_len,
560 				   ctx->key_size);
561 
562 	err = crypto_akcipher_verify(&req_ctx->child_req);
563 	if (err != -EINPROGRESS &&
564 			(err != -EBUSY ||
565 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
566 		return pkcs1pad_verify_complete(req, err);
567 
568 	return err;
569 }
570 
571 static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm)
572 {
573 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
574 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
575 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
576 	struct crypto_akcipher *child_tfm;
577 
578 	child_tfm = crypto_spawn_akcipher(&ictx->spawn);
579 	if (IS_ERR(child_tfm))
580 		return PTR_ERR(child_tfm);
581 
582 	ctx->child = child_tfm;
583 	return 0;
584 }
585 
586 static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm)
587 {
588 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
589 
590 	crypto_free_akcipher(ctx->child);
591 }
592 
593 static void pkcs1pad_free(struct akcipher_instance *inst)
594 {
595 	struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst);
596 	struct crypto_akcipher_spawn *spawn = &ctx->spawn;
597 
598 	crypto_drop_akcipher(spawn);
599 	kfree(inst);
600 }
601 
602 static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb)
603 {
604 	const struct rsa_asn1_template *digest_info;
605 	struct crypto_attr_type *algt;
606 	struct akcipher_instance *inst;
607 	struct pkcs1pad_inst_ctx *ctx;
608 	struct crypto_akcipher_spawn *spawn;
609 	struct akcipher_alg *rsa_alg;
610 	const char *rsa_alg_name;
611 	const char *hash_name;
612 	int err;
613 
614 	algt = crypto_get_attr_type(tb);
615 	if (IS_ERR(algt))
616 		return PTR_ERR(algt);
617 
618 	if ((algt->type ^ CRYPTO_ALG_TYPE_AKCIPHER) & algt->mask)
619 		return -EINVAL;
620 
621 	rsa_alg_name = crypto_attr_alg_name(tb[1]);
622 	if (IS_ERR(rsa_alg_name))
623 		return PTR_ERR(rsa_alg_name);
624 
625 	hash_name = crypto_attr_alg_name(tb[2]);
626 	if (IS_ERR(hash_name))
627 		return PTR_ERR(hash_name);
628 
629 	digest_info = rsa_lookup_asn1(hash_name);
630 	if (!digest_info)
631 		return -EINVAL;
632 
633 	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
634 	if (!inst)
635 		return -ENOMEM;
636 
637 	ctx = akcipher_instance_ctx(inst);
638 	spawn = &ctx->spawn;
639 	ctx->digest_info = digest_info;
640 
641 	crypto_set_spawn(&spawn->base, akcipher_crypto_instance(inst));
642 	err = crypto_grab_akcipher(spawn, rsa_alg_name, 0,
643 			crypto_requires_sync(algt->type, algt->mask));
644 	if (err)
645 		goto out_free_inst;
646 
647 	rsa_alg = crypto_spawn_akcipher_alg(spawn);
648 
649 	err = -ENAMETOOLONG;
650 
651 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
652 		     "pkcs1pad(%s,%s)", rsa_alg->base.cra_name, hash_name) >=
653 	    CRYPTO_MAX_ALG_NAME ||
654 	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
655 		     "pkcs1pad(%s,%s)",
656 		     rsa_alg->base.cra_driver_name, hash_name) >=
657 	    CRYPTO_MAX_ALG_NAME)
658 		goto out_drop_alg;
659 
660 	inst->alg.base.cra_flags = rsa_alg->base.cra_flags & CRYPTO_ALG_ASYNC;
661 	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;
662 	inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx);
663 
664 	inst->alg.init = pkcs1pad_init_tfm;
665 	inst->alg.exit = pkcs1pad_exit_tfm;
666 
667 	inst->alg.encrypt = pkcs1pad_encrypt;
668 	inst->alg.decrypt = pkcs1pad_decrypt;
669 	inst->alg.sign = pkcs1pad_sign;
670 	inst->alg.verify = pkcs1pad_verify;
671 	inst->alg.set_pub_key = pkcs1pad_set_pub_key;
672 	inst->alg.set_priv_key = pkcs1pad_set_priv_key;
673 	inst->alg.max_size = pkcs1pad_get_max_size;
674 	inst->alg.reqsize = sizeof(struct pkcs1pad_request) + rsa_alg->reqsize;
675 
676 	inst->free = pkcs1pad_free;
677 
678 	err = akcipher_register_instance(tmpl, inst);
679 	if (err)
680 		goto out_drop_alg;
681 
682 	return 0;
683 
684 out_drop_alg:
685 	crypto_drop_akcipher(spawn);
686 out_free_inst:
687 	kfree(inst);
688 	return err;
689 }
690 
691 struct crypto_template rsa_pkcs1pad_tmpl = {
692 	.name = "pkcs1pad",
693 	.create = pkcs1pad_create,
694 	.module = THIS_MODULE,
695 };
696