1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * RSA padding templates. 4 * 5 * Copyright (c) 2015 Intel Corporation 6 */ 7 8 #include <crypto/algapi.h> 9 #include <crypto/akcipher.h> 10 #include <crypto/internal/akcipher.h> 11 #include <crypto/internal/rsa.h> 12 #include <linux/err.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/module.h> 16 #include <linux/random.h> 17 #include <linux/scatterlist.h> 18 19 struct pkcs1pad_ctx { 20 struct crypto_akcipher *child; 21 unsigned int key_size; 22 }; 23 24 struct pkcs1pad_inst_ctx { 25 struct crypto_akcipher_spawn spawn; 26 }; 27 28 struct pkcs1pad_request { 29 struct scatterlist in_sg[2], out_sg[1]; 30 uint8_t *in_buf, *out_buf; 31 struct akcipher_request child_req; 32 }; 33 34 static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key, 35 unsigned int keylen) 36 { 37 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 38 39 return rsa_set_key(ctx->child, &ctx->key_size, RSA_PUB, key, keylen); 40 } 41 42 static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key, 43 unsigned int keylen) 44 { 45 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 46 47 return rsa_set_key(ctx->child, &ctx->key_size, RSA_PRIV, key, keylen); 48 } 49 50 static unsigned int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) 51 { 52 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 53 54 /* 55 * The maximum destination buffer size for the encrypt operation 56 * will be the same as for RSA, even though it's smaller for 57 * decrypt. 58 */ 59 60 return ctx->key_size; 61 } 62 63 static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len, 64 struct scatterlist *next) 65 { 66 int nsegs = next ? 2 : 1; 67 68 sg_init_table(sg, nsegs); 69 sg_set_buf(sg, buf, len); 70 71 if (next) 72 sg_chain(sg, nsegs, next); 73 } 74 75 static int pkcs1pad_encrypt_complete(struct akcipher_request *req, int err) 76 { 77 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 78 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 79 struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 80 unsigned int pad_len; 81 unsigned int len; 82 u8 *out_buf; 83 84 if (err) 85 goto out; 86 87 len = req_ctx->child_req.dst_len; 88 pad_len = ctx->key_size - len; 89 90 /* Four billion to one */ 91 if (likely(!pad_len)) 92 goto out; 93 94 out_buf = kzalloc(ctx->key_size, GFP_ATOMIC); 95 err = -ENOMEM; 96 if (!out_buf) 97 goto out; 98 99 sg_copy_to_buffer(req->dst, sg_nents_for_len(req->dst, len), 100 out_buf + pad_len, len); 101 sg_copy_from_buffer(req->dst, 102 sg_nents_for_len(req->dst, ctx->key_size), 103 out_buf, ctx->key_size); 104 kfree_sensitive(out_buf); 105 106 out: 107 req->dst_len = ctx->key_size; 108 109 kfree(req_ctx->in_buf); 110 111 return err; 112 } 113 114 static void pkcs1pad_encrypt_complete_cb(void *data, int err) 115 { 116 struct akcipher_request *req = data; 117 118 if (err == -EINPROGRESS) 119 goto out; 120 121 err = pkcs1pad_encrypt_complete(req, err); 122 123 out: 124 akcipher_request_complete(req, err); 125 } 126 127 static int pkcs1pad_encrypt(struct akcipher_request *req) 128 { 129 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 130 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 131 struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 132 int err; 133 unsigned int i, ps_end; 134 135 if (!ctx->key_size) 136 return -EINVAL; 137 138 if (req->src_len > ctx->key_size - 11) 139 return -EOVERFLOW; 140 141 if (req->dst_len < ctx->key_size) { 142 req->dst_len = ctx->key_size; 143 return -EOVERFLOW; 144 } 145 146 req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len, 147 GFP_KERNEL); 148 if (!req_ctx->in_buf) 149 return -ENOMEM; 150 151 ps_end = ctx->key_size - req->src_len - 2; 152 req_ctx->in_buf[0] = 0x02; 153 for (i = 1; i < ps_end; i++) 154 req_ctx->in_buf[i] = get_random_u32_inclusive(1, 255); 155 req_ctx->in_buf[ps_end] = 0x00; 156 157 pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf, 158 ctx->key_size - 1 - req->src_len, req->src); 159 160 akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 161 akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 162 pkcs1pad_encrypt_complete_cb, req); 163 164 /* Reuse output buffer */ 165 akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg, 166 req->dst, ctx->key_size - 1, req->dst_len); 167 168 err = crypto_akcipher_encrypt(&req_ctx->child_req); 169 if (err != -EINPROGRESS && err != -EBUSY) 170 return pkcs1pad_encrypt_complete(req, err); 171 172 return err; 173 } 174 175 static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err) 176 { 177 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 178 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 179 struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 180 unsigned int dst_len; 181 unsigned int pos; 182 u8 *out_buf; 183 184 if (err) 185 goto done; 186 187 err = -EINVAL; 188 dst_len = req_ctx->child_req.dst_len; 189 if (dst_len < ctx->key_size - 1) 190 goto done; 191 192 out_buf = req_ctx->out_buf; 193 if (dst_len == ctx->key_size) { 194 if (out_buf[0] != 0x00) 195 /* Decrypted value had no leading 0 byte */ 196 goto done; 197 198 dst_len--; 199 out_buf++; 200 } 201 202 if (out_buf[0] != 0x02) 203 goto done; 204 205 for (pos = 1; pos < dst_len; pos++) 206 if (out_buf[pos] == 0x00) 207 break; 208 if (pos < 9 || pos == dst_len) 209 goto done; 210 pos++; 211 212 err = 0; 213 214 if (req->dst_len < dst_len - pos) 215 err = -EOVERFLOW; 216 req->dst_len = dst_len - pos; 217 218 if (!err) 219 sg_copy_from_buffer(req->dst, 220 sg_nents_for_len(req->dst, req->dst_len), 221 out_buf + pos, req->dst_len); 222 223 done: 224 kfree_sensitive(req_ctx->out_buf); 225 226 return err; 227 } 228 229 static void pkcs1pad_decrypt_complete_cb(void *data, int err) 230 { 231 struct akcipher_request *req = data; 232 233 if (err == -EINPROGRESS) 234 goto out; 235 236 err = pkcs1pad_decrypt_complete(req, err); 237 238 out: 239 akcipher_request_complete(req, err); 240 } 241 242 static int pkcs1pad_decrypt(struct akcipher_request *req) 243 { 244 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); 245 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 246 struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); 247 int err; 248 249 if (!ctx->key_size || req->src_len != ctx->key_size) 250 return -EINVAL; 251 252 req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL); 253 if (!req_ctx->out_buf) 254 return -ENOMEM; 255 256 pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf, 257 ctx->key_size, NULL); 258 259 akcipher_request_set_tfm(&req_ctx->child_req, ctx->child); 260 akcipher_request_set_callback(&req_ctx->child_req, req->base.flags, 261 pkcs1pad_decrypt_complete_cb, req); 262 263 /* Reuse input buffer, output to a new buffer */ 264 akcipher_request_set_crypt(&req_ctx->child_req, req->src, 265 req_ctx->out_sg, req->src_len, 266 ctx->key_size); 267 268 err = crypto_akcipher_decrypt(&req_ctx->child_req); 269 if (err != -EINPROGRESS && err != -EBUSY) 270 return pkcs1pad_decrypt_complete(req, err); 271 272 return err; 273 } 274 275 static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm) 276 { 277 struct akcipher_instance *inst = akcipher_alg_instance(tfm); 278 struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst); 279 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 280 struct crypto_akcipher *child_tfm; 281 282 child_tfm = crypto_spawn_akcipher(&ictx->spawn); 283 if (IS_ERR(child_tfm)) 284 return PTR_ERR(child_tfm); 285 286 ctx->child = child_tfm; 287 288 akcipher_set_reqsize(tfm, sizeof(struct pkcs1pad_request) + 289 crypto_akcipher_reqsize(child_tfm)); 290 291 return 0; 292 } 293 294 static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm) 295 { 296 struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); 297 298 crypto_free_akcipher(ctx->child); 299 } 300 301 static void pkcs1pad_free(struct akcipher_instance *inst) 302 { 303 struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst); 304 struct crypto_akcipher_spawn *spawn = &ctx->spawn; 305 306 crypto_drop_akcipher(spawn); 307 kfree(inst); 308 } 309 310 static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb) 311 { 312 u32 mask; 313 struct akcipher_instance *inst; 314 struct pkcs1pad_inst_ctx *ctx; 315 struct akcipher_alg *rsa_alg; 316 int err; 317 318 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AKCIPHER, &mask); 319 if (err) 320 return err; 321 322 inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); 323 if (!inst) 324 return -ENOMEM; 325 326 ctx = akcipher_instance_ctx(inst); 327 328 err = crypto_grab_akcipher(&ctx->spawn, akcipher_crypto_instance(inst), 329 crypto_attr_alg_name(tb[1]), 0, mask); 330 if (err) 331 goto err_free_inst; 332 333 rsa_alg = crypto_spawn_akcipher_alg(&ctx->spawn); 334 335 if (strcmp(rsa_alg->base.cra_name, "rsa") != 0) { 336 err = -EINVAL; 337 goto err_free_inst; 338 } 339 340 err = -ENAMETOOLONG; 341 if (snprintf(inst->alg.base.cra_name, 342 CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)", 343 rsa_alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME) 344 goto err_free_inst; 345 346 if (snprintf(inst->alg.base.cra_driver_name, 347 CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)", 348 rsa_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 349 goto err_free_inst; 350 351 inst->alg.base.cra_priority = rsa_alg->base.cra_priority; 352 inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx); 353 354 inst->alg.init = pkcs1pad_init_tfm; 355 inst->alg.exit = pkcs1pad_exit_tfm; 356 357 inst->alg.encrypt = pkcs1pad_encrypt; 358 inst->alg.decrypt = pkcs1pad_decrypt; 359 inst->alg.set_pub_key = pkcs1pad_set_pub_key; 360 inst->alg.set_priv_key = pkcs1pad_set_priv_key; 361 inst->alg.max_size = pkcs1pad_get_max_size; 362 363 inst->free = pkcs1pad_free; 364 365 err = akcipher_register_instance(tmpl, inst); 366 if (err) { 367 err_free_inst: 368 pkcs1pad_free(inst); 369 } 370 return err; 371 } 372 373 struct crypto_template rsa_pkcs1pad_tmpl = { 374 .name = "pkcs1pad", 375 .create = pkcs1pad_create, 376 .module = THIS_MODULE, 377 }; 378 379 MODULE_ALIAS_CRYPTO("pkcs1pad"); 380