rsa-pkcs1pad.c source code [linux/crypto/rsa-pkcs1pad.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/*
3	* RSA padding templates.
4	*
5	* Copyright (c) 2015 Intel Corporation
6	*/
7
8	#include <crypto/algapi.h>
9	#include <crypto/akcipher.h>
10	#include <crypto/internal/akcipher.h>
11	#include <crypto/internal/rsa.h>
12	#include <linux/err.h>
13	#include <linux/init.h>
14	#include <linux/kernel.h>
15	#include <linux/module.h>
16	#include <linux/random.h>
17	#include <linux/scatterlist.h>
18
19	/*
20	* Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
21	*/
22	static const u8 rsa_digest_info_md5[] = {
23	`0x30`, `0x20`, `0x30`, `0x0c`, `0x06`, `0x08`,
24	`0x2a`, `0x86`, `0x48`, `0x86`, `0xf7`, `0x0d`, `0x02`, `0x05`, / OID /
25	`0x05`, `0x00`, `0x04`, `0x10`
26	};
27
28	static const u8 rsa_digest_info_sha1[] = {
29	`0x30`, `0x21`, `0x30`, `0x09`, `0x06`, `0x05`,
30	`0x2b`, `0x0e`, `0x03`, `0x02`, `0x1a`,
31	`0x05`, `0x00`, `0x04`, `0x14`
32	};
33
34	static const u8 rsa_digest_info_rmd160[] = {
35	`0x30`, `0x21`, `0x30`, `0x09`, `0x06`, `0x05`,
36	`0x2b`, `0x24`, `0x03`, `0x02`, `0x01`,
37	`0x05`, `0x00`, `0x04`, `0x14`
38	};
39
40	static const u8 rsa_digest_info_sha224[] = {
41	`0x30`, `0x2d`, `0x30`, `0x0d`, `0x06`, `0x09`,
42	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x04`,
43	`0x05`, `0x00`, `0x04`, `0x1c`
44	};
45
46	static const u8 rsa_digest_info_sha256[] = {
47	`0x30`, `0x31`, `0x30`, `0x0d`, `0x06`, `0x09`,
48	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x01`,
49	`0x05`, `0x00`, `0x04`, `0x20`
50	};
51
52	static const u8 rsa_digest_info_sha384[] = {
53	`0x30`, `0x41`, `0x30`, `0x0d`, `0x06`, `0x09`,
54	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x02`,
55	`0x05`, `0x00`, `0x04`, `0x30`
56	};
57
58	static const u8 rsa_digest_info_sha512[] = {
59	`0x30`, `0x51`, `0x30`, `0x0d`, `0x06`, `0x09`,
60	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x03`,
61	`0x05`, `0x00`, `0x04`, `0x40`
62	};
63
64	static const u8 rsa_digest_info_sha3_256[] = {
65	`0x30`, `0x31`, `0x30`, `0x0d`, `0x06`, `0x09`,
66	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x08`,
67	`0x05`, `0x00`, `0x04`, `0x20`
68	};
69
70	static const u8 rsa_digest_info_sha3_384[] = {
71	`0x30`, `0x41`, `0x30`, `0x0d`, `0x06`, `0x09`,
72	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x09`,
73	`0x05`, `0x00`, `0x04`, `0x30`
74	};
75
76	static const u8 rsa_digest_info_sha3_512[] = {
77	`0x30`, `0x51`, `0x30`, `0x0d`, `0x06`, `0x09`,
78	`0x60`, `0x86`, `0x48`, `0x01`, `0x65`, `0x03`, `0x04`, `0x02`, `0x0A`,
79	`0x05`, `0x00`, `0x04`, `0x40`
80	};
81
82	static const struct rsa_asn1_template {
83	const char *name;
84	const u8 *data;
85	size_t size;
86	} rsa_asn1_templates[] = {
87	#define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) }
88	_(md5),
89	_(sha1),
90	_(rmd160),
91	_(sha256),
92	_(sha384),
93	_(sha512),
94	_(sha224),
95	#undef _
96	#define _(X) { "sha3-" #X, rsa_digest_info_sha3_##X, sizeof(rsa_digest_info_sha3_##X) }
97	_(`256`),
98	_(`384`),
99	_(`512`),
100	#undef _
101	{ NULL }
102	};
103
104	static const struct rsa_asn1_template rsa_lookup_asn1(const* char *name)
105	{
106	const struct rsa_asn1_template *p;
107
108	for (p = rsa_asn1_templates; p->name; p++)
109	if (strcmp(name, p->name) == `0`)
110	return p;
111	return NULL;
112	}
113
114	struct pkcs1pad_ctx {
115	struct crypto_akcipher *child;
116	unsigned int key_size;
117	};
118
119	struct pkcs1pad_inst_ctx {
120	struct crypto_akcipher_spawn spawn;
121	const struct rsa_asn1_template *digest_info;
122	};
123
124	struct pkcs1pad_request {
125	struct scatterlist in_sg[`2`], out_sg[`1`];
126	uint8_t in_buf, out_buf;
127	struct akcipher_request child_req;
128	};
129
130	static int pkcs1pad_set_pub_key(struct crypto_akcipher tfm, const* void *key,
131	unsigned int keylen)
132	{
133	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
134	int err;
135
136	ctx->key_size = `0`;
137
138	err = crypto_akcipher_set_pub_key(tfm: ctx->child, key, keylen);
139	if (err)
140	return err;
141
142	/ Find out new modulus size from rsa implementation /
143	err = crypto_akcipher_maxsize(tfm: ctx->child);
144	if (err > PAGE_SIZE)
145	return -ENOTSUPP;
146
147	ctx->key_size = err;
148	return `0`;
149	}
150
151	static int pkcs1pad_set_priv_key(struct crypto_akcipher tfm, const* void *key,
152	unsigned int keylen)
153	{
154	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
155	int err;
156
157	ctx->key_size = `0`;
158
159	err = crypto_akcipher_set_priv_key(tfm: ctx->child, key, keylen);
160	if (err)
161	return err;
162
163	/ Find out new modulus size from rsa implementation /
164	err = crypto_akcipher_maxsize(tfm: ctx->child);
165	if (err > PAGE_SIZE)
166	return -ENOTSUPP;
167
168	ctx->key_size = err;
169	return `0`;
170	}
171
172	static unsigned int pkcs1pad_get_max_size(struct crypto_akcipher *tfm)
173	{
174	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
175
176	/*
177	* The maximum destination buffer size for the encrypt/sign operations
178	* will be the same as for RSA, even though it's smaller for
179	* decrypt/verify.
180	*/
181
182	return ctx->key_size;
183	}
184
185	static void pkcs1pad_sg_set_buf(struct scatterlist sg, void* *buf, size_t len,
186	struct scatterlist *next)
187	{
188	int nsegs = next ? `2` : `1`;
189
190	sg_init_table(sg, nsegs);
191	sg_set_buf(sg, buf, buflen: len);
192
193	if (next)
194	sg_chain(prv: sg, prv_nents: nsegs, sgl: next);
195	}
196
197	static int pkcs1pad_encrypt_sign_complete(struct akcipher_request req, int* err)
198	{
199	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
200	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
201	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
202	unsigned int pad_len;
203	unsigned int len;
204	u8 *out_buf;
205
206	if (err)
207	goto out;
208
209	len = req_ctx->child_req.dst_len;
210	pad_len = ctx->key_size - len;
211
212	/ Four billion to one /
213	if (likely(!pad_len))
214	goto out;
215
216	out_buf = kzalloc(size: ctx->key_size, GFP_ATOMIC);
217	err = -ENOMEM;
218	if (!out_buf)
219	goto out;
220
221	sg_copy_to_buffer(sgl: req->dst, nents: sg_nents_for_len(sg: req->dst, len),
222	buf: out_buf + pad_len, buflen: len);
223	sg_copy_from_buffer(sgl: req->dst,
224	nents: sg_nents_for_len(sg: req->dst, len: ctx->key_size),
225	buf: out_buf, buflen: ctx->key_size);
226	kfree_sensitive(objp: out_buf);
227
228	out:
229	req->dst_len = ctx->key_size;
230
231	kfree(objp: req_ctx->in_buf);
232
233	return err;
234	}
235
236	static void pkcs1pad_encrypt_sign_complete_cb(void data, int* err)
237	{
238	struct akcipher_request *req = data;
239
240	if (err == -EINPROGRESS)
241	goto out;
242
243	err = pkcs1pad_encrypt_sign_complete(req, err);
244
245	out:
246	akcipher_request_complete(req, err);
247	}
248
249	static int pkcs1pad_encrypt(struct akcipher_request *req)
250	{
251	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
252	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
253	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
254	int err;
255	unsigned int i, ps_end;
256
257	if (!ctx->key_size)
258	return -EINVAL;
259
260	if (req->src_len > ctx->key_size - `11`)
261	return -EOVERFLOW;
262
263	if (req->dst_len < ctx->key_size) {
264	req->dst_len = ctx->key_size;
265	return -EOVERFLOW;
266	}
267
268	req_ctx->in_buf = kmalloc(size: ctx->key_size - `1` - req->src_len,
269	GFP_KERNEL);
270	if (!req_ctx->in_buf)
271	return -ENOMEM;
272
273	ps_end = ctx->key_size - req->src_len - `2`;
274	req_ctx->in_buf[`0`] = `0x02`;
275	for (i = `1`; i < ps_end; i++)
276	req_ctx->in_buf[i] = get_random_u32_inclusive(floor: `1`, ceil: `255`);
277	req_ctx->in_buf[ps_end] = `0x00`;
278
279	pkcs1pad_sg_set_buf(sg: req_ctx->in_sg, buf: req_ctx->in_buf,
280	len: ctx->key_size - `1` - req->src_len, next: req->src);
281
282	akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child);
283	akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags,
284	cmpl: pkcs1pad_encrypt_sign_complete_cb, data: req);
285
286	/ Reuse output buffer /
287	akcipher_request_set_crypt(req: &req_ctx->child_req, src: req_ctx->in_sg,
288	dst: req->dst, src_len: ctx->key_size - `1`, dst_len: req->dst_len);
289
290	err = crypto_akcipher_encrypt(req: &req_ctx->child_req);
291	if (err != -EINPROGRESS && err != -EBUSY)
292	return pkcs1pad_encrypt_sign_complete(req, err);
293
294	return err;
295	}
296
297	static int pkcs1pad_decrypt_complete(struct akcipher_request req, int* err)
298	{
299	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
300	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
301	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
302	unsigned int dst_len;
303	unsigned int pos;
304	u8 *out_buf;
305
306	if (err)
307	goto done;
308
309	err = -EINVAL;
310	dst_len = req_ctx->child_req.dst_len;
311	if (dst_len < ctx->key_size - `1`)
312	goto done;
313
314	out_buf = req_ctx->out_buf;
315	if (dst_len == ctx->key_size) {
316	if (out_buf[`0`] != `0x00`)
317	/ Decrypted value had no leading 0 byte /
318	goto done;
319
320	dst_len--;
321	out_buf++;
322	}
323
324	if (out_buf[`0`] != `0x02`)
325	goto done;
326
327	for (pos = `1`; pos < dst_len; pos++)
328	if (out_buf[pos] == `0x00`)
329	break;
330	if (pos < `9` \|\| pos == dst_len)
331	goto done;
332	pos++;
333
334	err = `0`;
335
336	if (req->dst_len < dst_len - pos)
337	err = -EOVERFLOW;
338	req->dst_len = dst_len - pos;
339
340	if (!err)
341	sg_copy_from_buffer(sgl: req->dst,
342	nents: sg_nents_for_len(sg: req->dst, len: req->dst_len),
343	buf: out_buf + pos, buflen: req->dst_len);
344
345	done:
346	kfree_sensitive(objp: req_ctx->out_buf);
347
348	return err;
349	}
350
351	static void pkcs1pad_decrypt_complete_cb(void data, int* err)
352	{
353	struct akcipher_request *req = data;
354
355	if (err == -EINPROGRESS)
356	goto out;
357
358	err = pkcs1pad_decrypt_complete(req, err);
359
360	out:
361	akcipher_request_complete(req, err);
362	}
363
364	static int pkcs1pad_decrypt(struct akcipher_request *req)
365	{
366	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
367	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
368	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
369	int err;
370
371	if (!ctx->key_size \|\| req->src_len != ctx->key_size)
372	return -EINVAL;
373
374	req_ctx->out_buf = kmalloc(size: ctx->key_size, GFP_KERNEL);
375	if (!req_ctx->out_buf)
376	return -ENOMEM;
377
378	pkcs1pad_sg_set_buf(sg: req_ctx->out_sg, buf: req_ctx->out_buf,
379	len: ctx->key_size, NULL);
380
381	akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child);
382	akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags,
383	cmpl: pkcs1pad_decrypt_complete_cb, data: req);
384
385	/ Reuse input buffer, output to a new buffer /
386	akcipher_request_set_crypt(req: &req_ctx->child_req, src: req->src,
387	dst: req_ctx->out_sg, src_len: req->src_len,
388	dst_len: ctx->key_size);
389
390	err = crypto_akcipher_decrypt(req: &req_ctx->child_req);
391	if (err != -EINPROGRESS && err != -EBUSY)
392	return pkcs1pad_decrypt_complete(req, err);
393
394	return err;
395	}
396
397	static int pkcs1pad_sign(struct akcipher_request *req)
398	{
399	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
400	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
401	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
402	struct akcipher_instance *inst = akcipher_alg_instance(akcipher: tfm);
403	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
404	const struct rsa_asn1_template *digest_info = ictx->digest_info;
405	int err;
406	unsigned int ps_end, digest_info_size = `0`;
407
408	if (!ctx->key_size)
409	return -EINVAL;
410
411	if (digest_info)
412	digest_info_size = digest_info->size;
413
414	if (req->src_len + digest_info_size > ctx->key_size - `11`)
415	return -EOVERFLOW;
416
417	if (req->dst_len < ctx->key_size) {
418	req->dst_len = ctx->key_size;
419	return -EOVERFLOW;
420	}
421
422	req_ctx->in_buf = kmalloc(size: ctx->key_size - `1` - req->src_len,
423	GFP_KERNEL);
424	if (!req_ctx->in_buf)
425	return -ENOMEM;
426
427	ps_end = ctx->key_size - digest_info_size - req->src_len - `2`;
428	req_ctx->in_buf[`0`] = `0x01`;
429	memset(req_ctx->in_buf + `1`, `0xff`, ps_end - `1`);
430	req_ctx->in_buf[ps_end] = `0x00`;
431
432	if (digest_info)
433	memcpy(req_ctx->in_buf + ps_end + `1`, digest_info->data,
434	digest_info->size);
435
436	pkcs1pad_sg_set_buf(sg: req_ctx->in_sg, buf: req_ctx->in_buf,
437	len: ctx->key_size - `1` - req->src_len, next: req->src);
438
439	akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child);
440	akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags,
441	cmpl: pkcs1pad_encrypt_sign_complete_cb, data: req);
442
443	/ Reuse output buffer /
444	akcipher_request_set_crypt(req: &req_ctx->child_req, src: req_ctx->in_sg,
445	dst: req->dst, src_len: ctx->key_size - `1`, dst_len: req->dst_len);
446
447	err = crypto_akcipher_decrypt(req: &req_ctx->child_req);
448	if (err != -EINPROGRESS && err != -EBUSY)
449	return pkcs1pad_encrypt_sign_complete(req, err);
450
451	return err;
452	}
453
454	static int pkcs1pad_verify_complete(struct akcipher_request req, int* err)
455	{
456	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
457	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
458	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
459	struct akcipher_instance *inst = akcipher_alg_instance(akcipher: tfm);
460	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
461	const struct rsa_asn1_template *digest_info = ictx->digest_info;
462	const unsigned int sig_size = req->src_len;
463	const unsigned int digest_size = req->dst_len;
464	unsigned int dst_len;
465	unsigned int pos;
466	u8 *out_buf;
467
468	if (err)
469	goto done;
470
471	err = -EINVAL;
472	dst_len = req_ctx->child_req.dst_len;
473	if (dst_len < ctx->key_size - `1`)
474	goto done;
475
476	out_buf = req_ctx->out_buf;
477	if (dst_len == ctx->key_size) {
478	if (out_buf[`0`] != `0x00`)
479	/ Decrypted value had no leading 0 byte /
480	goto done;
481
482	dst_len--;
483	out_buf++;
484	}
485
486	err = -EBADMSG;
487	if (out_buf[`0`] != `0x01`)
488	goto done;
489
490	for (pos = `1`; pos < dst_len; pos++)
491	if (out_buf[pos] != `0xff`)
492	break;
493
494	if (pos < `9` \|\| pos == dst_len \|\| out_buf[pos] != `0x00`)
495	goto done;
496	pos++;
497
498	if (digest_info) {
499	if (digest_info->size > dst_len - pos)
500	goto done;
501	if (crypto_memneq(a: out_buf + pos, b: digest_info->data,
502	size: digest_info->size))
503	goto done;
504
505	pos += digest_info->size;
506	}
507
508	err = `0`;
509
510	if (digest_size != dst_len - pos) {
511	err = -EKEYREJECTED;
512	req->dst_len = dst_len - pos;
513	goto done;
514	}
515	/ Extract appended digest. /
516	sg_pcopy_to_buffer(sgl: req->src,
517	nents: sg_nents_for_len(sg: req->src, len: sig_size + digest_size),
518	buf: req_ctx->out_buf + ctx->key_size,
519	buflen: digest_size, skip: sig_size);
520	/ Do the actual verification step. /
521	if (memcmp(p: req_ctx->out_buf + ctx->key_size, q: out_buf + pos,
522	size: digest_size) != `0`)
523	err = -EKEYREJECTED;
524	done:
525	kfree_sensitive(objp: req_ctx->out_buf);
526
527	return err;
528	}
529
530	static void pkcs1pad_verify_complete_cb(void data, int* err)
531	{
532	struct akcipher_request *req = data;
533
534	if (err == -EINPROGRESS)
535	goto out;
536
537	err = pkcs1pad_verify_complete(req, err);
538
539	out:
540	akcipher_request_complete(req, err);
541	}
542
543	/*
544	* The verify operation is here for completeness similar to the verification
545	* defined in RFC2313 section 10.2 except that block type 0 is not accepted,
546	* as in RFC2437. RFC2437 section 9.2 doesn't define any operation to
547	* retrieve the DigestInfo from a signature, instead the user is expected
548	* to call the sign operation to generate the expected signature and compare
549	* signatures instead of the message-digests.
550	*/
551	static int pkcs1pad_verify(struct akcipher_request *req)
552	{
553	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
554	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
555	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
556	const unsigned int sig_size = req->src_len;
557	const unsigned int digest_size = req->dst_len;
558	int err;
559
560	if (WARN_ON(req->dst) \|\| WARN_ON(!digest_size) \|\|
561	!ctx->key_size \|\| sig_size != ctx->key_size)
562	return -EINVAL;
563
564	req_ctx->out_buf = kmalloc(size: ctx->key_size + digest_size, GFP_KERNEL);
565	if (!req_ctx->out_buf)
566	return -ENOMEM;
567
568	pkcs1pad_sg_set_buf(sg: req_ctx->out_sg, buf: req_ctx->out_buf,
569	len: ctx->key_size, NULL);
570
571	akcipher_request_set_tfm(req: &req_ctx->child_req, tfm: ctx->child);
572	akcipher_request_set_callback(req: &req_ctx->child_req, flgs: req->base.flags,
573	cmpl: pkcs1pad_verify_complete_cb, data: req);
574
575	/ Reuse input buffer, output to a new buffer /
576	akcipher_request_set_crypt(req: &req_ctx->child_req, src: req->src,
577	dst: req_ctx->out_sg, src_len: sig_size, dst_len: ctx->key_size);
578
579	err = crypto_akcipher_encrypt(req: &req_ctx->child_req);
580	if (err != -EINPROGRESS && err != -EBUSY)
581	return pkcs1pad_verify_complete(req, err);
582
583	return err;
584	}
585
586	static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm)
587	{
588	struct akcipher_instance *inst = akcipher_alg_instance(akcipher: tfm);
589	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
590	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
591	struct crypto_akcipher *child_tfm;
592
593	child_tfm = crypto_spawn_akcipher(spawn: &ictx->spawn);
594	if (IS_ERR(ptr: child_tfm))
595	return PTR_ERR(ptr: child_tfm);
596
597	ctx->child = child_tfm;
598
599	akcipher_set_reqsize(akcipher: tfm, reqsize: sizeof(struct pkcs1pad_request) +
600	crypto_akcipher_reqsize(tfm: child_tfm));
601
602	return `0`;
603	}
604
605	static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm)
606	{
607	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
608
609	crypto_free_akcipher(tfm: ctx->child);
610	}
611
612	static void pkcs1pad_free(struct akcipher_instance *inst)
613	{
614	struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst);
615	struct crypto_akcipher_spawn *spawn = &ctx->spawn;
616
617	crypto_drop_akcipher(spawn);
618	kfree(objp: inst);
619	}
620
621	static int pkcs1pad_create(struct crypto_template tmpl, struct* rtattr **tb)
622	{
623	u32 mask;
624	struct akcipher_instance *inst;
625	struct pkcs1pad_inst_ctx *ctx;
626	struct akcipher_alg *rsa_alg;
627	const char *hash_name;
628	int err;
629
630	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AKCIPHER, mask_ret: &mask);
631	if (err)
632	return err;
633
634	inst = kzalloc(size: sizeof(inst) + sizeof(ctx), GFP_KERNEL);
635	if (!inst)
636	return -ENOMEM;
637
638	ctx = akcipher_instance_ctx(inst);
639
640	err = crypto_grab_akcipher(spawn: &ctx->spawn, inst: akcipher_crypto_instance(inst),
641	name: crypto_attr_alg_name(rta: tb[`1`]), type: `0`, mask);
642	if (err)
643	goto err_free_inst;
644
645	rsa_alg = crypto_spawn_akcipher_alg(spawn: &ctx->spawn);
646
647	if (strcmp(rsa_alg->base.cra_name, "rsa") != `0`) {
648	err = -EINVAL;
649	goto err_free_inst;
650	}
651
652	err = -ENAMETOOLONG;
653	hash_name = crypto_attr_alg_name(rta: tb[`2`]);
654	if (IS_ERR(ptr: hash_name)) {
655	if (snprintf(buf: inst->alg.base.cra_name,
656	CRYPTO_MAX_ALG_NAME, fmt: "pkcs1pad(%s)",
657	rsa_alg->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
658	goto err_free_inst;
659
660	if (snprintf(buf: inst->alg.base.cra_driver_name,
661	CRYPTO_MAX_ALG_NAME, fmt: "pkcs1pad(%s)",
662	rsa_alg->base.cra_driver_name) >=
663	CRYPTO_MAX_ALG_NAME)
664	goto err_free_inst;
665	} else {
666	ctx->digest_info = rsa_lookup_asn1(name: hash_name);
667	if (!ctx->digest_info) {
668	err = -EINVAL;
669	goto err_free_inst;
670	}
671
672	if (snprintf(buf: inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
673	fmt: "pkcs1pad(%s,%s)", rsa_alg->base.cra_name,
674	hash_name) >= CRYPTO_MAX_ALG_NAME)
675	goto err_free_inst;
676
677	if (snprintf(buf: inst->alg.base.cra_driver_name,
678	CRYPTO_MAX_ALG_NAME, fmt: "pkcs1pad(%s,%s)",
679	rsa_alg->base.cra_driver_name,
680	hash_name) >= CRYPTO_MAX_ALG_NAME)
681	goto err_free_inst;
682	}
683
684	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;
685	inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx);
686
687	inst->alg.init = pkcs1pad_init_tfm;
688	inst->alg.exit = pkcs1pad_exit_tfm;
689
690	inst->alg.encrypt = pkcs1pad_encrypt;
691	inst->alg.decrypt = pkcs1pad_decrypt;
692	inst->alg.sign = pkcs1pad_sign;
693	inst->alg.verify = pkcs1pad_verify;
694	inst->alg.set_pub_key = pkcs1pad_set_pub_key;
695	inst->alg.set_priv_key = pkcs1pad_set_priv_key;
696	inst->alg.max_size = pkcs1pad_get_max_size;
697
698	inst->free = pkcs1pad_free;
699
700	err = akcipher_register_instance(tmpl, inst);
701	if (err) {
702	err_free_inst:
703	pkcs1pad_free(inst);
704	}
705	return err;
706	}
707
708	struct crypto_template rsa_pkcs1pad_tmpl = {
709	.name = "pkcs1pad",
710	.create = pkcs1pad_create,
711	.module = THIS_MODULE,
712	};
713
714	MODULE_ALIAS_CRYPTO("pkcs1pad");
715

source code of linux/crypto/rsa-pkcs1pad.c