xref: /openbmc/linux/crypto/rsa-pkcs1pad.c (revision 7587eb18)
1 /*
2  * RSA padding templates.
3  *
4  * Copyright (c) 2015  Intel Corporation
5  *
6  * This program is free software; you can redistribute it and/or modify it
7  * under the terms of the GNU General Public License as published by the Free
8  * Software Foundation; either version 2 of the License, or (at your option)
9  * any later version.
10  */
11 
12 #include <crypto/algapi.h>
13 #include <crypto/akcipher.h>
14 #include <crypto/internal/akcipher.h>
15 #include <linux/err.h>
16 #include <linux/init.h>
17 #include <linux/kernel.h>
18 #include <linux/module.h>
19 #include <linux/random.h>
20 
21 /*
22  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
23  */
24 static const u8 rsa_digest_info_md5[] = {
25 	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
26 	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
27 	0x05, 0x00, 0x04, 0x10
28 };
29 
30 static const u8 rsa_digest_info_sha1[] = {
31 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
32 	0x2b, 0x0e, 0x03, 0x02, 0x1a,
33 	0x05, 0x00, 0x04, 0x14
34 };
35 
36 static const u8 rsa_digest_info_rmd160[] = {
37 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
38 	0x2b, 0x24, 0x03, 0x02, 0x01,
39 	0x05, 0x00, 0x04, 0x14
40 };
41 
42 static const u8 rsa_digest_info_sha224[] = {
43 	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
44 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
45 	0x05, 0x00, 0x04, 0x1c
46 };
47 
48 static const u8 rsa_digest_info_sha256[] = {
49 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
50 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
51 	0x05, 0x00, 0x04, 0x20
52 };
53 
54 static const u8 rsa_digest_info_sha384[] = {
55 	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
56 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
57 	0x05, 0x00, 0x04, 0x30
58 };
59 
60 static const u8 rsa_digest_info_sha512[] = {
61 	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
62 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
63 	0x05, 0x00, 0x04, 0x40
64 };
65 
66 static const struct rsa_asn1_template {
67 	const char	*name;
68 	const u8	*data;
69 	size_t		size;
70 } rsa_asn1_templates[] = {
71 #define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) }
72 	_(md5),
73 	_(sha1),
74 	_(rmd160),
75 	_(sha256),
76 	_(sha384),
77 	_(sha512),
78 	_(sha224),
79 	{ NULL }
80 #undef _
81 };
82 
83 static const struct rsa_asn1_template *rsa_lookup_asn1(const char *name)
84 {
85 	const struct rsa_asn1_template *p;
86 
87 	for (p = rsa_asn1_templates; p->name; p++)
88 		if (strcmp(name, p->name) == 0)
89 			return p;
90 	return NULL;
91 }
92 
93 struct pkcs1pad_ctx {
94 	struct crypto_akcipher *child;
95 	const char *hash_name;
96 	unsigned int key_size;
97 };
98 
99 struct pkcs1pad_inst_ctx {
100 	struct crypto_akcipher_spawn spawn;
101 	const char *hash_name;
102 };
103 
104 struct pkcs1pad_request {
105 	struct akcipher_request child_req;
106 
107 	struct scatterlist in_sg[3], out_sg[2];
108 	uint8_t *in_buf, *out_buf;
109 };
110 
111 static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key,
112 		unsigned int keylen)
113 {
114 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
115 	int err, size;
116 
117 	err = crypto_akcipher_set_pub_key(ctx->child, key, keylen);
118 
119 	if (!err) {
120 		/* Find out new modulus size from rsa implementation */
121 		size = crypto_akcipher_maxsize(ctx->child);
122 
123 		ctx->key_size = size > 0 ? size : 0;
124 		if (size <= 0)
125 			err = size;
126 	}
127 
128 	return err;
129 }
130 
131 static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key,
132 		unsigned int keylen)
133 {
134 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
135 	int err, size;
136 
137 	err = crypto_akcipher_set_priv_key(ctx->child, key, keylen);
138 
139 	if (!err) {
140 		/* Find out new modulus size from rsa implementation */
141 		size = crypto_akcipher_maxsize(ctx->child);
142 
143 		ctx->key_size = size > 0 ? size : 0;
144 		if (size <= 0)
145 			err = size;
146 	}
147 
148 	return err;
149 }
150 
151 static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm)
152 {
153 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
154 
155 	/*
156 	 * The maximum destination buffer size for the encrypt/sign operations
157 	 * will be the same as for RSA, even though it's smaller for
158 	 * decrypt/verify.
159 	 */
160 
161 	return ctx->key_size ?: -EINVAL;
162 }
163 
164 static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len,
165 		struct scatterlist *next)
166 {
167 	int nsegs = next ? 1 : 0;
168 
169 	if (offset_in_page(buf) + len <= PAGE_SIZE) {
170 		nsegs += 1;
171 		sg_init_table(sg, nsegs);
172 		sg_set_buf(sg, buf, len);
173 	} else {
174 		nsegs += 2;
175 		sg_init_table(sg, nsegs);
176 		sg_set_buf(sg + 0, buf, PAGE_SIZE - offset_in_page(buf));
177 		sg_set_buf(sg + 1, buf + PAGE_SIZE - offset_in_page(buf),
178 				offset_in_page(buf) + len - PAGE_SIZE);
179 	}
180 
181 	if (next)
182 		sg_chain(sg, nsegs, next);
183 }
184 
185 static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err)
186 {
187 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
188 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
189 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
190 	size_t pad_len = ctx->key_size - req_ctx->child_req.dst_len;
191 	size_t chunk_len, pad_left;
192 	struct sg_mapping_iter miter;
193 
194 	if (!err) {
195 		if (pad_len) {
196 			sg_miter_start(&miter, req->dst,
197 					sg_nents_for_len(req->dst, pad_len),
198 					SG_MITER_ATOMIC | SG_MITER_TO_SG);
199 
200 			pad_left = pad_len;
201 			while (pad_left) {
202 				sg_miter_next(&miter);
203 
204 				chunk_len = min(miter.length, pad_left);
205 				memset(miter.addr, 0, chunk_len);
206 				pad_left -= chunk_len;
207 			}
208 
209 			sg_miter_stop(&miter);
210 		}
211 
212 		sg_pcopy_from_buffer(req->dst,
213 				sg_nents_for_len(req->dst, ctx->key_size),
214 				req_ctx->out_buf, req_ctx->child_req.dst_len,
215 				pad_len);
216 	}
217 	req->dst_len = ctx->key_size;
218 
219 	kfree(req_ctx->in_buf);
220 	kzfree(req_ctx->out_buf);
221 
222 	return err;
223 }
224 
225 static void pkcs1pad_encrypt_sign_complete_cb(
226 		struct crypto_async_request *child_async_req, int err)
227 {
228 	struct akcipher_request *req = child_async_req->data;
229 	struct crypto_async_request async_req;
230 
231 	if (err == -EINPROGRESS)
232 		return;
233 
234 	async_req.data = req->base.data;
235 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
236 	async_req.flags = child_async_req->flags;
237 	req->base.complete(&async_req,
238 			pkcs1pad_encrypt_sign_complete(req, err));
239 }
240 
241 static int pkcs1pad_encrypt(struct akcipher_request *req)
242 {
243 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
244 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
245 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
246 	int err;
247 	unsigned int i, ps_end;
248 
249 	if (!ctx->key_size)
250 		return -EINVAL;
251 
252 	if (req->src_len > ctx->key_size - 11)
253 		return -EOVERFLOW;
254 
255 	if (req->dst_len < ctx->key_size) {
256 		req->dst_len = ctx->key_size;
257 		return -EOVERFLOW;
258 	}
259 
260 	if (ctx->key_size > PAGE_SIZE)
261 		return -ENOTSUPP;
262 
263 	/*
264 	 * Replace both input and output to add the padding in the input and
265 	 * the potential missing leading zeros in the output.
266 	 */
267 	req_ctx->child_req.src = req_ctx->in_sg;
268 	req_ctx->child_req.src_len = ctx->key_size - 1;
269 	req_ctx->child_req.dst = req_ctx->out_sg;
270 	req_ctx->child_req.dst_len = ctx->key_size;
271 
272 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
273 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
274 			GFP_KERNEL : GFP_ATOMIC);
275 	if (!req_ctx->in_buf)
276 		return -ENOMEM;
277 
278 	ps_end = ctx->key_size - req->src_len - 2;
279 	req_ctx->in_buf[0] = 0x02;
280 	for (i = 1; i < ps_end; i++)
281 		req_ctx->in_buf[i] = 1 + prandom_u32_max(255);
282 	req_ctx->in_buf[ps_end] = 0x00;
283 
284 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
285 			ctx->key_size - 1 - req->src_len, req->src);
286 
287 	req_ctx->out_buf = kmalloc(ctx->key_size,
288 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
289 			GFP_KERNEL : GFP_ATOMIC);
290 	if (!req_ctx->out_buf) {
291 		kfree(req_ctx->in_buf);
292 		return -ENOMEM;
293 	}
294 
295 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
296 			ctx->key_size, NULL);
297 
298 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
299 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
300 			pkcs1pad_encrypt_sign_complete_cb, req);
301 
302 	err = crypto_akcipher_encrypt(&req_ctx->child_req);
303 	if (err != -EINPROGRESS &&
304 			(err != -EBUSY ||
305 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
306 		return pkcs1pad_encrypt_sign_complete(req, err);
307 
308 	return err;
309 }
310 
311 static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err)
312 {
313 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
314 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
315 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
316 	unsigned int pos;
317 
318 	if (err == -EOVERFLOW)
319 		/* Decrypted value had no leading 0 byte */
320 		err = -EINVAL;
321 
322 	if (err)
323 		goto done;
324 
325 	if (req_ctx->child_req.dst_len != ctx->key_size - 1) {
326 		err = -EINVAL;
327 		goto done;
328 	}
329 
330 	if (req_ctx->out_buf[0] != 0x02) {
331 		err = -EINVAL;
332 		goto done;
333 	}
334 	for (pos = 1; pos < req_ctx->child_req.dst_len; pos++)
335 		if (req_ctx->out_buf[pos] == 0x00)
336 			break;
337 	if (pos < 9 || pos == req_ctx->child_req.dst_len) {
338 		err = -EINVAL;
339 		goto done;
340 	}
341 	pos++;
342 
343 	if (req->dst_len < req_ctx->child_req.dst_len - pos)
344 		err = -EOVERFLOW;
345 	req->dst_len = req_ctx->child_req.dst_len - pos;
346 
347 	if (!err)
348 		sg_copy_from_buffer(req->dst,
349 				sg_nents_for_len(req->dst, req->dst_len),
350 				req_ctx->out_buf + pos, req->dst_len);
351 
352 done:
353 	kzfree(req_ctx->out_buf);
354 
355 	return err;
356 }
357 
358 static void pkcs1pad_decrypt_complete_cb(
359 		struct crypto_async_request *child_async_req, int err)
360 {
361 	struct akcipher_request *req = child_async_req->data;
362 	struct crypto_async_request async_req;
363 
364 	if (err == -EINPROGRESS)
365 		return;
366 
367 	async_req.data = req->base.data;
368 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
369 	async_req.flags = child_async_req->flags;
370 	req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err));
371 }
372 
373 static int pkcs1pad_decrypt(struct akcipher_request *req)
374 {
375 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
376 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
377 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
378 	int err;
379 
380 	if (!ctx->key_size || req->src_len != ctx->key_size)
381 		return -EINVAL;
382 
383 	if (ctx->key_size > PAGE_SIZE)
384 		return -ENOTSUPP;
385 
386 	/* Reuse input buffer, output to a new buffer */
387 	req_ctx->child_req.src = req->src;
388 	req_ctx->child_req.src_len = req->src_len;
389 	req_ctx->child_req.dst = req_ctx->out_sg;
390 	req_ctx->child_req.dst_len = ctx->key_size ;
391 
392 	req_ctx->out_buf = kmalloc(ctx->key_size,
393 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
394 			GFP_KERNEL : GFP_ATOMIC);
395 	if (!req_ctx->out_buf)
396 		return -ENOMEM;
397 
398 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
399 			    ctx->key_size, NULL);
400 
401 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
402 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
403 			pkcs1pad_decrypt_complete_cb, req);
404 
405 	err = crypto_akcipher_decrypt(&req_ctx->child_req);
406 	if (err != -EINPROGRESS &&
407 			(err != -EBUSY ||
408 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
409 		return pkcs1pad_decrypt_complete(req, err);
410 
411 	return err;
412 }
413 
414 static int pkcs1pad_sign(struct akcipher_request *req)
415 {
416 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
417 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
418 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
419 	const struct rsa_asn1_template *digest_info = NULL;
420 	int err;
421 	unsigned int ps_end, digest_size = 0;
422 
423 	if (!ctx->key_size)
424 		return -EINVAL;
425 
426 	if (ctx->hash_name) {
427 		digest_info = rsa_lookup_asn1(ctx->hash_name);
428 		if (!digest_info)
429 			return -EINVAL;
430 
431 		digest_size = digest_info->size;
432 	}
433 
434 	if (req->src_len + digest_size > ctx->key_size - 11)
435 		return -EOVERFLOW;
436 
437 	if (req->dst_len < ctx->key_size) {
438 		req->dst_len = ctx->key_size;
439 		return -EOVERFLOW;
440 	}
441 
442 	if (ctx->key_size > PAGE_SIZE)
443 		return -ENOTSUPP;
444 
445 	/*
446 	 * Replace both input and output to add the padding in the input and
447 	 * the potential missing leading zeros in the output.
448 	 */
449 	req_ctx->child_req.src = req_ctx->in_sg;
450 	req_ctx->child_req.src_len = ctx->key_size - 1;
451 	req_ctx->child_req.dst = req_ctx->out_sg;
452 	req_ctx->child_req.dst_len = ctx->key_size;
453 
454 	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
455 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
456 			GFP_KERNEL : GFP_ATOMIC);
457 	if (!req_ctx->in_buf)
458 		return -ENOMEM;
459 
460 	ps_end = ctx->key_size - digest_size - req->src_len - 2;
461 	req_ctx->in_buf[0] = 0x01;
462 	memset(req_ctx->in_buf + 1, 0xff, ps_end - 1);
463 	req_ctx->in_buf[ps_end] = 0x00;
464 
465 	if (digest_info) {
466 		memcpy(req_ctx->in_buf + ps_end + 1, digest_info->data,
467 		       digest_info->size);
468 	}
469 
470 	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
471 			ctx->key_size - 1 - req->src_len, req->src);
472 
473 	req_ctx->out_buf = kmalloc(ctx->key_size,
474 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
475 			GFP_KERNEL : GFP_ATOMIC);
476 	if (!req_ctx->out_buf) {
477 		kfree(req_ctx->in_buf);
478 		return -ENOMEM;
479 	}
480 
481 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
482 			ctx->key_size, NULL);
483 
484 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
485 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
486 			pkcs1pad_encrypt_sign_complete_cb, req);
487 
488 	err = crypto_akcipher_sign(&req_ctx->child_req);
489 	if (err != -EINPROGRESS &&
490 			(err != -EBUSY ||
491 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
492 		return pkcs1pad_encrypt_sign_complete(req, err);
493 
494 	return err;
495 }
496 
497 static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
498 {
499 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
500 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
501 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
502 	const struct rsa_asn1_template *digest_info;
503 	unsigned int pos;
504 
505 	if (err == -EOVERFLOW)
506 		/* Decrypted value had no leading 0 byte */
507 		err = -EINVAL;
508 
509 	if (err)
510 		goto done;
511 
512 	if (req_ctx->child_req.dst_len != ctx->key_size - 1) {
513 		err = -EINVAL;
514 		goto done;
515 	}
516 
517 	err = -EBADMSG;
518 	if (req_ctx->out_buf[0] != 0x01)
519 		goto done;
520 
521 	for (pos = 1; pos < req_ctx->child_req.dst_len; pos++)
522 		if (req_ctx->out_buf[pos] != 0xff)
523 			break;
524 
525 	if (pos < 9 || pos == req_ctx->child_req.dst_len ||
526 	    req_ctx->out_buf[pos] != 0x00)
527 		goto done;
528 	pos++;
529 
530 	if (ctx->hash_name) {
531 		digest_info = rsa_lookup_asn1(ctx->hash_name);
532 		if (!digest_info)
533 			goto done;
534 
535 		if (memcmp(req_ctx->out_buf + pos, digest_info->data,
536 			   digest_info->size))
537 			goto done;
538 
539 		pos += digest_info->size;
540 	}
541 
542 	err = 0;
543 
544 	if (req->dst_len < req_ctx->child_req.dst_len - pos)
545 		err = -EOVERFLOW;
546 	req->dst_len = req_ctx->child_req.dst_len - pos;
547 
548 	if (!err)
549 		sg_copy_from_buffer(req->dst,
550 				sg_nents_for_len(req->dst, req->dst_len),
551 				req_ctx->out_buf + pos, req->dst_len);
552 done:
553 	kzfree(req_ctx->out_buf);
554 
555 	return err;
556 }
557 
558 static void pkcs1pad_verify_complete_cb(
559 		struct crypto_async_request *child_async_req, int err)
560 {
561 	struct akcipher_request *req = child_async_req->data;
562 	struct crypto_async_request async_req;
563 
564 	if (err == -EINPROGRESS)
565 		return;
566 
567 	async_req.data = req->base.data;
568 	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
569 	async_req.flags = child_async_req->flags;
570 	req->base.complete(&async_req, pkcs1pad_verify_complete(req, err));
571 }
572 
573 /*
574  * The verify operation is here for completeness similar to the verification
575  * defined in RFC2313 section 10.2 except that block type 0 is not accepted,
576  * as in RFC2437.  RFC2437 section 9.2 doesn't define any operation to
577  * retrieve the DigestInfo from a signature, instead the user is expected
578  * to call the sign operation to generate the expected signature and compare
579  * signatures instead of the message-digests.
580  */
581 static int pkcs1pad_verify(struct akcipher_request *req)
582 {
583 	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
584 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
585 	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
586 	int err;
587 
588 	if (!ctx->key_size || req->src_len < ctx->key_size)
589 		return -EINVAL;
590 
591 	if (ctx->key_size > PAGE_SIZE)
592 		return -ENOTSUPP;
593 
594 	/* Reuse input buffer, output to a new buffer */
595 	req_ctx->child_req.src = req->src;
596 	req_ctx->child_req.src_len = req->src_len;
597 	req_ctx->child_req.dst = req_ctx->out_sg;
598 	req_ctx->child_req.dst_len = ctx->key_size;
599 
600 	req_ctx->out_buf = kmalloc(ctx->key_size,
601 			(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
602 			GFP_KERNEL : GFP_ATOMIC);
603 	if (!req_ctx->out_buf)
604 		return -ENOMEM;
605 
606 	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
607 			    ctx->key_size, NULL);
608 
609 	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
610 	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
611 			pkcs1pad_verify_complete_cb, req);
612 
613 	err = crypto_akcipher_verify(&req_ctx->child_req);
614 	if (err != -EINPROGRESS &&
615 			(err != -EBUSY ||
616 			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
617 		return pkcs1pad_verify_complete(req, err);
618 
619 	return err;
620 }
621 
622 static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm)
623 {
624 	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
625 	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
626 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
627 	struct crypto_akcipher *child_tfm;
628 
629 	child_tfm = crypto_spawn_akcipher(akcipher_instance_ctx(inst));
630 	if (IS_ERR(child_tfm))
631 		return PTR_ERR(child_tfm);
632 
633 	ctx->child = child_tfm;
634 	ctx->hash_name = ictx->hash_name;
635 	return 0;
636 }
637 
638 static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm)
639 {
640 	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
641 
642 	crypto_free_akcipher(ctx->child);
643 }
644 
645 static void pkcs1pad_free(struct akcipher_instance *inst)
646 {
647 	struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst);
648 	struct crypto_akcipher_spawn *spawn = &ctx->spawn;
649 
650 	crypto_drop_akcipher(spawn);
651 	kfree(ctx->hash_name);
652 	kfree(inst);
653 }
654 
655 static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb)
656 {
657 	struct crypto_attr_type *algt;
658 	struct akcipher_instance *inst;
659 	struct pkcs1pad_inst_ctx *ctx;
660 	struct crypto_akcipher_spawn *spawn;
661 	struct akcipher_alg *rsa_alg;
662 	const char *rsa_alg_name;
663 	const char *hash_name;
664 	int err;
665 
666 	algt = crypto_get_attr_type(tb);
667 	if (IS_ERR(algt))
668 		return PTR_ERR(algt);
669 
670 	if ((algt->type ^ CRYPTO_ALG_TYPE_AKCIPHER) & algt->mask)
671 		return -EINVAL;
672 
673 	rsa_alg_name = crypto_attr_alg_name(tb[1]);
674 	if (IS_ERR(rsa_alg_name))
675 		return PTR_ERR(rsa_alg_name);
676 
677 	hash_name = crypto_attr_alg_name(tb[2]);
678 	if (IS_ERR(hash_name))
679 		hash_name = NULL;
680 
681 	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
682 	if (!inst)
683 		return -ENOMEM;
684 
685 	ctx = akcipher_instance_ctx(inst);
686 	spawn = &ctx->spawn;
687 	ctx->hash_name = hash_name ? kstrdup(hash_name, GFP_KERNEL) : NULL;
688 
689 	crypto_set_spawn(&spawn->base, akcipher_crypto_instance(inst));
690 	err = crypto_grab_akcipher(spawn, rsa_alg_name, 0,
691 			crypto_requires_sync(algt->type, algt->mask));
692 	if (err)
693 		goto out_free_inst;
694 
695 	rsa_alg = crypto_spawn_akcipher_alg(spawn);
696 
697 	err = -ENAMETOOLONG;
698 
699 	if (!hash_name) {
700 		if (snprintf(inst->alg.base.cra_name,
701 			     CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)",
702 			     rsa_alg->base.cra_name) >=
703 					CRYPTO_MAX_ALG_NAME ||
704 		    snprintf(inst->alg.base.cra_driver_name,
705 			     CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s)",
706 			     rsa_alg->base.cra_driver_name) >=
707 					CRYPTO_MAX_ALG_NAME)
708 		goto out_drop_alg;
709 	} else {
710 		if (snprintf(inst->alg.base.cra_name,
711 			     CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s,%s)",
712 			     rsa_alg->base.cra_name, hash_name) >=
713 				CRYPTO_MAX_ALG_NAME ||
714 		    snprintf(inst->alg.base.cra_driver_name,
715 			     CRYPTO_MAX_ALG_NAME, "pkcs1pad(%s,%s)",
716 			     rsa_alg->base.cra_driver_name, hash_name) >=
717 					CRYPTO_MAX_ALG_NAME)
718 		goto out_free_hash;
719 	}
720 
721 	inst->alg.base.cra_flags = rsa_alg->base.cra_flags & CRYPTO_ALG_ASYNC;
722 	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;
723 	inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx);
724 
725 	inst->alg.init = pkcs1pad_init_tfm;
726 	inst->alg.exit = pkcs1pad_exit_tfm;
727 
728 	inst->alg.encrypt = pkcs1pad_encrypt;
729 	inst->alg.decrypt = pkcs1pad_decrypt;
730 	inst->alg.sign = pkcs1pad_sign;
731 	inst->alg.verify = pkcs1pad_verify;
732 	inst->alg.set_pub_key = pkcs1pad_set_pub_key;
733 	inst->alg.set_priv_key = pkcs1pad_set_priv_key;
734 	inst->alg.max_size = pkcs1pad_get_max_size;
735 	inst->alg.reqsize = sizeof(struct pkcs1pad_request) + rsa_alg->reqsize;
736 
737 	inst->free = pkcs1pad_free;
738 
739 	err = akcipher_register_instance(tmpl, inst);
740 	if (err)
741 		goto out_free_hash;
742 
743 	return 0;
744 
745 out_free_hash:
746 	kfree(ctx->hash_name);
747 out_drop_alg:
748 	crypto_drop_akcipher(spawn);
749 out_free_inst:
750 	kfree(inst);
751 	return err;
752 }
753 
754 struct crypto_template rsa_pkcs1pad_tmpl = {
755 	.name = "pkcs1pad",
756 	.create = pkcs1pad_create,
757 	.module = THIS_MODULE,
758 };
759