xref: /openbmc/linux/crypto/rsa-pkcs1pad.c (revision 239480ab)
1 /*
2  * RSA padding templates.
3  *
4  * Copyright (c) 2015  Intel Corporation
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; either version 2 of the License, or (at your option)
9  * any later version.
10  */
11 
12 #include <crypto/algapi.h>
13 #include <crypto/akcipher.h>
14 #include <crypto/internal/akcipher.h>
15 #include <linux/err.h>
16 #include <linux/init.h>
17 #include <linux/kernel.h>
18 #include <linux/module.h>
19 #include <linux/random.h>
20 
21 /*
22  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
23  */
24 static const u8 rsa_digest_info_md5[] = {
25 	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
26 	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
27 	0x05, 0x00, 0x04, 0x10
28 };
29 
30 static const u8 rsa_digest_info_sha1[] = {
31 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
32 	0x2b, 0x0e, 0x03, 0x02, 0x1a,
33 	0x05, 0x00, 0x04, 0x14
34 };
35 
36 static const u8 rsa_digest_info_rmd160[] = {
37 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
38 	0x2b, 0x24, 0x03, 0x02, 0x01,
39 	0x05, 0x00, 0x04, 0x14
40 };
41 
42 static const u8 rsa_digest_info_sha224[] = {
43 	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
44 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
45 	0x05, 0x00, 0x04, 0x1c
46 };
47 
48 static const u8 rsa_digest_info_sha256[] = {
49 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
50 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
51 	0x05, 0x00, 0x04, 0x20
52 };
53 
54 static const u8 rsa_digest_info_sha384[] = {
55 	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
56 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
57 	0x05, 0x00, 0x04, 0x30
58 };
59 
60 static const u8 rsa_digest_info_sha512[] = {
61 	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
62 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
63 	0x05, 0x00, 0x04, 0x40
64 };
65 
66 static const struct rsa_asn1_template {
67 	const char	*name;
68 	const u8	*data;
69 	size_t		size;
70 } rsa_asn1_templates[] = {
71 #define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) }
72 	_(md5),
73 	_(sha1),
74 	_(rmd160),
75 	_(sha256),
76 	_(sha384),
77 	_(sha512),
78 	_(sha224),
79 	{ NULL }
80 #undef _
81 };
82 
83 static const struct rsa_asn1_template *rsa_lookup_asn1(const char *name)
84 {
85 	const struct rsa_asn1_template *p;
86 
87 	for (p = rsa_asn1_templates; p->name; p++)
88 		if (strcmp(name, p->name) == 0)
89 			return p;
90 	return NULL;
91 }
92 
93 struct pkcs1pad_ctx {
94 	struct crypto_akcipher *child;
95 	unsigned int key_size;
96 };
97 
98 struct pkcs1pad_inst_ctx {
99 	struct crypto_akcipher_spawn spawn;
100 	const struct rsa_asn1_template *digest_info;
101 };
102 
103 struct pkcs1pad_request {
104 	struct scatterlist in_sg[2], out_sg[1];
105 	uint8_t *in_buf, *out_buf;
106 	struct akcipher_request child_req;
107 };
108 
109 static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key,
110 		unsigned int keylen)
111 {
112 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
113 	int err;
114 
115 	ctx->key_size = 0;
116 
117 	err = crypto_akcipher_set_pub_key(ctx->child, key, keylen);
118 	if (err)
119 		return err;
120 
121 	/* Find out new modulus size from rsa implementation */
122 	err = crypto_akcipher_maxsize(ctx->child);
123 	if (err < 0)
124 		return err;
125 
126 	if (err > PAGE_SIZE)
127 		return -ENOTSUPP;
128 
129 	ctx->key_size = err;
130 	return 0;
131 }
132 
133 static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key,
134 		unsigned int keylen)
135 {
136 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
137 	int err;
138 
139 	ctx->key_size = 0;
140 
141 	err = crypto_akcipher_set_priv_key(ctx->child, key, keylen);
142 	if (err)
143 		return err;
144 
145 	/* Find out new modulus size from rsa implementation */
146 	err = crypto_akcipher_maxsize(ctx->child);
147 	if (err < 0)
148 		return err;
149 
150 	if (err > PAGE_SIZE)
151 		return -ENOTSUPP;
152 
153 	ctx->key_size = err;
154 	return 0;
155 }
156 
157 static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm)
158 {
159 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
160 
161 	/*
162 	 * The maximum destination buffer size for the encrypt/sign operations
163 	 * will be the same as for RSA, even though it's smaller for
164 	 * decrypt/verify.
165 	 */
166 
167 	return ctx->key_size ?: -EINVAL;
168 }
169 
170 static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len,
171 		struct scatterlist *next)
172 {
173 	int nsegs = next ? 2 : 1;
174 
175 	sg_init_table(sg, nsegs);
176 	sg_set_buf(sg, buf, len);
177 
178 	if (next)
179 		sg_chain(sg, nsegs, next);
180 }
181 
182 static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err)
183 {
184 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
185 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
186 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
187 	unsigned int pad_len;
188 	unsigned int len;
189 	u8 *out_buf;
190 
191 	if (err)
192 		goto out;
193 
194 	len = req_ctx->child_req.dst_len;
195 	pad_len = ctx->key_size - len;
196 
197 	/* Four billion to one */
198 	if (likely(!pad_len))
199 		goto out;
200 
201 	out_buf = kzalloc(ctx->key_size, GFP_ATOMIC);
202 	err = -ENOMEM;
203 	if (!out_buf)
204 		goto out;
205 
206 	sg_copy_to_buffer(req->dst, sg_nents_for_len(req->dst, len),
207 			  out_buf + pad_len, len);
208 	sg_copy_from_buffer(req->dst,
209 			    sg_nents_for_len(req->dst, ctx->key_size),
210 			    out_buf, ctx->key_size);
211 	kzfree(out_buf);
212 
213 out:
214 	req->dst_len = ctx->key_size;
215 
216 	kfree(req_ctx->in_buf);
217 
218 	return err;
219 }
220 
221 static void pkcs1pad_encrypt_sign_complete_cb(
222 		struct crypto_async_request *child_async_req, int err)
223 {
224 	struct akcipher_request *req = child_async_req->data;
225 	struct crypto_async_request async_req;
226 
227 	if (err == -EINPROGRESS)
228 		return;
229 
230 	async_req.data = req->base.data;
231 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
232 	async_req.flags = child_async_req->flags;
233 	req->base.complete(&async_req,
234 			pkcs1pad_encrypt_sign_complete(req, err));
235 }
236 
237 static int pkcs1pad_encrypt(struct akcipher_request *req)
238 {
239 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
240 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
241 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
242 	int err;
243 	unsigned int i, ps_end;
244 
245 	if (!ctx->key_size)
246 		return -EINVAL;
247 
248 	if (req->src_len > ctx->key_size - 11)
249 		return -EOVERFLOW;
250 
251 	if (req->dst_len < ctx->key_size) {
252 		req->dst_len = ctx->key_size;
253 		return -EOVERFLOW;
254 	}
255 
256 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
257 				  GFP_KERNEL);
258 	if (!req_ctx->in_buf)
259 		return -ENOMEM;
260 
261 	ps_end = ctx->key_size - req->src_len - 2;
262 	req_ctx->in_buf[0] = 0x02;
263 	for (i = 1; i < ps_end; i++)
264 		req_ctx->in_buf[i] = 1 + prandom_u32_max(255);
265 	req_ctx->in_buf[ps_end] = 0x00;
266 
267 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
268 			ctx->key_size - 1 - req->src_len, req->src);
269 
270 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
271 	if (!req_ctx->out_buf) {
272 		kfree(req_ctx->in_buf);
273 		return -ENOMEM;
274 	}
275 
276 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
277 			ctx->key_size, NULL);
278 
279 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
280 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
281 			pkcs1pad_encrypt_sign_complete_cb, req);
282 
283 	/* Reuse output buffer */
284 	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
285 				   req->dst, ctx->key_size - 1, req->dst_len);
286 
287 	err = crypto_akcipher_encrypt(&req_ctx->child_req);
288 	if (err != -EINPROGRESS &&
289 			(err != -EBUSY ||
290 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
291 		return pkcs1pad_encrypt_sign_complete(req, err);
292 
293 	return err;
294 }
295 
296 static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err)
297 {
298 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
299 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
300 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
301 	unsigned int dst_len;
302 	unsigned int pos;
303 	u8 *out_buf;
304 
305 	if (err)
306 		goto done;
307 
308 	err = -EINVAL;
309 	dst_len = req_ctx->child_req.dst_len;
310 	if (dst_len < ctx->key_size - 1)
311 		goto done;
312 
313 	out_buf = req_ctx->out_buf;
314 	if (dst_len == ctx->key_size) {
315 		if (out_buf[0] != 0x00)
316 			/* Decrypted value had no leading 0 byte */
317 			goto done;
318 
319 		dst_len--;
320 		out_buf++;
321 	}
322 
323 	if (out_buf[0] != 0x02)
324 		goto done;
325 
326 	for (pos = 1; pos < dst_len; pos++)
327 		if (out_buf[pos] == 0x00)
328 			break;
329 	if (pos < 9 || pos == dst_len)
330 		goto done;
331 	pos++;
332 
333 	err = 0;
334 
335 	if (req->dst_len < dst_len - pos)
336 		err = -EOVERFLOW;
337 	req->dst_len = dst_len - pos;
338 
339 	if (!err)
340 		sg_copy_from_buffer(req->dst,
341 				sg_nents_for_len(req->dst, req->dst_len),
342 				out_buf + pos, req->dst_len);
343 
344 done:
345 	kzfree(req_ctx->out_buf);
346 
347 	return err;
348 }
349 
350 static void pkcs1pad_decrypt_complete_cb(
351 		struct crypto_async_request *child_async_req, int err)
352 {
353 	struct akcipher_request *req = child_async_req->data;
354 	struct crypto_async_request async_req;
355 
356 	if (err == -EINPROGRESS)
357 		return;
358 
359 	async_req.data = req->base.data;
360 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
361 	async_req.flags = child_async_req->flags;
362 	req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err));
363 }
364 
365 static int pkcs1pad_decrypt(struct akcipher_request *req)
366 {
367 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
368 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
369 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
370 	int err;
371 
372 	if (!ctx->key_size || req->src_len != ctx->key_size)
373 		return -EINVAL;
374 
375 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
376 	if (!req_ctx->out_buf)
377 		return -ENOMEM;
378 
379 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
380 			    ctx->key_size, NULL);
381 
382 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
383 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
384 			pkcs1pad_decrypt_complete_cb, req);
385 
386 	/* Reuse input buffer, output to a new buffer */
387 	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
388 				   req_ctx->out_sg, req->src_len,
389 				   ctx->key_size);
390 
391 	err = crypto_akcipher_decrypt(&req_ctx->child_req);
392 	if (err != -EINPROGRESS &&
393 			(err != -EBUSY ||
394 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
395 		return pkcs1pad_decrypt_complete(req, err);
396 
397 	return err;
398 }
399 
400 static int pkcs1pad_sign(struct akcipher_request *req)
401 {
402 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
403 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
404 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
405 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
406 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
407 	const struct rsa_asn1_template *digest_info = ictx->digest_info;
408 	int err;
409 	unsigned int ps_end, digest_size = 0;
410 
411 	if (!ctx->key_size)
412 		return -EINVAL;
413 
414 	digest_size = digest_info->size;
415 
416 	if (req->src_len + digest_size > ctx->key_size - 11)
417 		return -EOVERFLOW;
418 
419 	if (req->dst_len < ctx->key_size) {
420 		req->dst_len = ctx->key_size;
421 		return -EOVERFLOW;
422 	}
423 
424 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
425 				  GFP_KERNEL);
426 	if (!req_ctx->in_buf)
427 		return -ENOMEM;
428 
429 	ps_end = ctx->key_size - digest_size - req->src_len - 2;
430 	req_ctx->in_buf[0] = 0x01;
431 	memset(req_ctx->in_buf + 1, 0xff, ps_end - 1);
432 	req_ctx->in_buf[ps_end] = 0x00;
433 
434 	memcpy(req_ctx->in_buf + ps_end + 1, digest_info->data,
435 	       digest_info->size);
436 
437 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
438 			ctx->key_size - 1 - req->src_len, req->src);
439 
440 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
441 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
442 			pkcs1pad_encrypt_sign_complete_cb, req);
443 
444 	/* Reuse output buffer */
445 	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
446 				   req->dst, ctx->key_size - 1, req->dst_len);
447 
448 	err = crypto_akcipher_sign(&req_ctx->child_req);
449 	if (err != -EINPROGRESS &&
450 			(err != -EBUSY ||
451 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
452 		return pkcs1pad_encrypt_sign_complete(req, err);
453 
454 	return err;
455 }
456 
457 static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
458 {
459 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
460 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
461 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
462 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
463 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
464 	const struct rsa_asn1_template *digest_info = ictx->digest_info;
465 	unsigned int dst_len;
466 	unsigned int pos;
467 	u8 *out_buf;
468 
469 	if (err)
470 		goto done;
471 
472 	err = -EINVAL;
473 	dst_len = req_ctx->child_req.dst_len;
474 	if (dst_len < ctx->key_size - 1)
475 		goto done;
476 
477 	out_buf = req_ctx->out_buf;
478 	if (dst_len == ctx->key_size) {
479 		if (out_buf[0] != 0x00)
480 			/* Decrypted value had no leading 0 byte */
481 			goto done;
482 
483 		dst_len--;
484 		out_buf++;
485 	}
486 
487 	err = -EBADMSG;
488 	if (out_buf[0] != 0x01)
489 		goto done;
490 
491 	for (pos = 1; pos < dst_len; pos++)
492 		if (out_buf[pos] != 0xff)
493 			break;
494 
495 	if (pos < 9 || pos == dst_len || out_buf[pos] != 0x00)
496 		goto done;
497 	pos++;
498 
499 	if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
500 		goto done;
501 
502 	pos += digest_info->size;
503 
504 	err = 0;
505 
506 	if (req->dst_len < dst_len - pos)
507 		err = -EOVERFLOW;
508 	req->dst_len = dst_len - pos;
509 
510 	if (!err)
511 		sg_copy_from_buffer(req->dst,
512 				sg_nents_for_len(req->dst, req->dst_len),
513 				out_buf + pos, req->dst_len);
514 done:
515 	kzfree(req_ctx->out_buf);
516 
517 	return err;
518 }
519 
520 static void pkcs1pad_verify_complete_cb(
521 		struct crypto_async_request *child_async_req, int err)
522 {
523 	struct akcipher_request *req = child_async_req->data;
524 	struct crypto_async_request async_req;
525 
526 	if (err == -EINPROGRESS)
527 		return;
528 
529 	async_req.data = req->base.data;
530 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
531 	async_req.flags = child_async_req->flags;
532 	req->base.complete(&async_req, pkcs1pad_verify_complete(req, err));
533 }
534 
535 /*
536  * The verify operation is here for completeness similar to the verification
537  * defined in RFC2313 section 10.2 except that block type 0 is not accepted,
538  * as in RFC2437.  RFC2437 section 9.2 doesn't define any operation to
539  * retrieve the DigestInfo from a signature, instead the user is expected
540  * to call the sign operation to generate the expected signature and compare
541  * signatures instead of the message-digests.
542  */
543 static int pkcs1pad_verify(struct akcipher_request *req)
544 {
545 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
546 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
547 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
548 	int err;
549 
550 	if (!ctx->key_size || req->src_len < ctx->key_size)
551 		return -EINVAL;
552 
553 	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
554 	if (!req_ctx->out_buf)
555 		return -ENOMEM;
556 
557 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
558 			    ctx->key_size, NULL);
559 
560 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
561 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
562 			pkcs1pad_verify_complete_cb, req);
563 
564 	/* Reuse input buffer, output to a new buffer */
565 	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
566 				   req_ctx->out_sg, req->src_len,
567 				   ctx->key_size);
568 
569 	err = crypto_akcipher_verify(&req_ctx->child_req);
570 	if (err != -EINPROGRESS &&
571 			(err != -EBUSY ||
572 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
573 		return pkcs1pad_verify_complete(req, err);
574 
575 	return err;
576 }
577 
578 static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm)
579 {
580 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
581 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
582 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
583 	struct crypto_akcipher *child_tfm;
584 
585 	child_tfm = crypto_spawn_akcipher(&ictx->spawn);
586 	if (IS_ERR(child_tfm))
587 		return PTR_ERR(child_tfm);
588 
589 	ctx->child = child_tfm;
590 	return 0;
591 }
592 
593 static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm)
594 {
595 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
596 
597 	crypto_free_akcipher(ctx->child);
598 }
599 
600 static void pkcs1pad_free(struct akcipher_instance *inst)
601 {
602 	struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst);
603 	struct crypto_akcipher_spawn *spawn = &ctx->spawn;
604 
605 	crypto_drop_akcipher(spawn);
606 	kfree(inst);
607 }
608 
609 static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb)
610 {
611 	const struct rsa_asn1_template *digest_info;
612 	struct crypto_attr_type *algt;
613 	struct akcipher_instance *inst;
614 	struct pkcs1pad_inst_ctx *ctx;
615 	struct crypto_akcipher_spawn *spawn;
616 	struct akcipher_alg *rsa_alg;
617 	const char *rsa_alg_name;
618 	const char *hash_name;
619 	int err;
620 
621 	algt = crypto_get_attr_type(tb);
622 	if (IS_ERR(algt))
623 		return PTR_ERR(algt);
624 
625 	if ((algt->type ^ CRYPTO_ALG_TYPE_AKCIPHER) & algt->mask)
626 		return -EINVAL;
627 
628 	rsa_alg_name = crypto_attr_alg_name(tb[1]);
629 	if (IS_ERR(rsa_alg_name))
630 		return PTR_ERR(rsa_alg_name);
631 
632 	hash_name = crypto_attr_alg_name(tb[2]);
633 	if (IS_ERR(hash_name))
634 		return PTR_ERR(hash_name);
635 
636 	digest_info = rsa_lookup_asn1(hash_name);
637 	if (!digest_info)
638 		return -EINVAL;
639 
640 	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
641 	if (!inst)
642 		return -ENOMEM;
643 
644 	ctx = akcipher_instance_ctx(inst);
645 	spawn = &ctx->spawn;
646 	ctx->digest_info = digest_info;
647 
648 	crypto_set_spawn(&spawn->base, akcipher_crypto_instance(inst));
649 	err = crypto_grab_akcipher(spawn, rsa_alg_name, 0,
650 			crypto_requires_sync(algt->type, algt->mask));
651 	if (err)
652 		goto out_free_inst;
653 
654 	rsa_alg = crypto_spawn_akcipher_alg(spawn);
655 
656 	err = -ENAMETOOLONG;
657 
658 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
659 		     "pkcs1pad(%s,%s)", rsa_alg->base.cra_name, hash_name) >=
660 	    CRYPTO_MAX_ALG_NAME ||
661 	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
662 		     "pkcs1pad(%s,%s)",
663 		     rsa_alg->base.cra_driver_name, hash_name) >=
664 	    CRYPTO_MAX_ALG_NAME)
665 		goto out_drop_alg;
666 
667 	inst->alg.base.cra_flags = rsa_alg->base.cra_flags & CRYPTO_ALG_ASYNC;
668 	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;
669 	inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx);
670 
671 	inst->alg.init = pkcs1pad_init_tfm;
672 	inst->alg.exit = pkcs1pad_exit_tfm;
673 
674 	inst->alg.encrypt = pkcs1pad_encrypt;
675 	inst->alg.decrypt = pkcs1pad_decrypt;
676 	inst->alg.sign = pkcs1pad_sign;
677 	inst->alg.verify = pkcs1pad_verify;
678 	inst->alg.set_pub_key = pkcs1pad_set_pub_key;
679 	inst->alg.set_priv_key = pkcs1pad_set_priv_key;
680 	inst->alg.max_size = pkcs1pad_get_max_size;
681 	inst->alg.reqsize = sizeof(struct pkcs1pad_request) + rsa_alg->reqsize;
682 
683 	inst->free = pkcs1pad_free;
684 
685 	err = akcipher_register_instance(tmpl, inst);
686 	if (err)
687 		goto out_drop_alg;
688 
689 	return 0;
690 
691 out_drop_alg:
692 	crypto_drop_akcipher(spawn);
693 out_free_inst:
694 	kfree(inst);
695 	return err;
696 }
697 
698 struct crypto_template rsa_pkcs1pad_tmpl = {
699 	.name = "pkcs1pad",
700 	.create = pkcs1pad_create,
701 	.module = THIS_MODULE,
702 };
703