From: Varad Gautam <varad.gautam@suse.com>
To: linux-crypto@vger.kernel.org
Cc: varad.gautam@suse.com, dhowells@redhat.com,
herbert@gondor.apana.org.au, davem@davemloft.net,
vt@altlinux.org, tianjia.zhang@linux.alibaba.com,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
jarkko@kernel.org
Subject: [PATCH v3 16/18] crypto: rsa-psspad: Implement signature verify callback
Date: Tue, 20 Apr 2021 13:41:21 +0200 [thread overview]
Message-ID: <20210420114124.9684-17-varad.gautam@suse.com> (raw)
In-Reply-To: <20210420114124.9684-1-varad.gautam@suse.com>
The RSA output must be processed as per the EMSA-PSS-VERIFY operation
from RFC8017, which forms the core of the PSS signature verification.
Implement the verification callback, which operates on the RSA output
buffer.
Reference: https://tools.ietf.org/html/rfc8017#section-9.1.2
Signed-off-by: Varad Gautam <varad.gautam@suse.com>
---
crypto/rsa-psspad.c | 114 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 113 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa-psspad.c b/crypto/rsa-psspad.c
index 4e8525d89172d..c6f8fb43cb01e 100644
--- a/crypto/rsa-psspad.c
+++ b/crypto/rsa-psspad.c
@@ -8,6 +8,7 @@
#include <crypto/hash.h>
#include <crypto/internal/akcipher.h>
+#include <crypto/internal/rsa.h>
#include <crypto/internal/rsa-common.h>
#include <crypto/public_key.h>
@@ -126,7 +127,118 @@ static int pkcs1_mgf1(u8 *seed, unsigned int seed_len,
static int psspad_verify_complete(struct akcipher_request *req, int err)
{
- return -EOPNOTSUPP;
+ struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
+ struct rsapad_tfm_ctx *ctx = akcipher_tfm_ctx(tfm);
+ struct rsapad_akciper_req_ctx *req_ctx = akcipher_request_ctx(req);
+ struct akcipher_instance *inst = akcipher_alg_instance(tfm);
+ struct rsapad_inst_ctx *ictx = akcipher_instance_ctx(inst);
+ const struct rsa_asn1_template *digest_info = ictx->digest_info;
+ struct crypto_shash *hash_tfm = NULL;
+ struct shash_desc *desc = NULL;
+ struct rsa_mpi_key *pkey = akcipher_tfm_ctx(ctx->child);
+
+ u8 *em, *h, *salt, *maskeddb;
+ unsigned int em_len, em_bits, h_len, s_len, maskeddb_len;
+ u8 *m_hash, *db_mask, *db, *h_;
+ static u8 zeroes[8] = { 0 };
+ unsigned int pos;
+
+ if (err)
+ goto out;
+
+ err = -EINVAL;
+ if (!digest_info)
+ goto out;
+
+ em = req_ctx->out_buf;
+ em_len = ctx->key_size;
+ em_bits = mpi_get_nbits(pkey->n) - 1;
+ if ((em_bits & 0x7) == 0) {
+ em_len--;
+ em++;
+ }
+
+ h_len = req->dst_len;
+ s_len = ictx->salt_len;
+
+ if (em_len < h_len + s_len + 2)
+ goto out;
+
+ if (em[em_len - 1] != 0xbc)
+ goto out;
+
+ maskeddb = em;
+ maskeddb_len = em_len - h_len - 1;
+ h = em + maskeddb_len;
+
+ if (em[0] & ~((u8) 0xff >> (8 * em_len - em_bits)))
+ goto out;
+
+ db_mask = kzalloc(maskeddb_len, GFP_KERNEL);
+ if (!db_mask) {
+ err = -ENOMEM;
+ goto out;
+ }
+
+ err = psspad_setup_shash(&hash_tfm, &desc, ictx->mgf_hash_algo);
+ if (err < 0)
+ goto out_db_mask;
+
+ err = pkcs1_mgf1(h, h_len, desc, db_mask, maskeddb_len);
+ if (err < 0)
+ goto out_shash;
+
+ for (pos = 0; pos < maskeddb_len; pos++)
+ maskeddb[pos] ^= db_mask[pos];
+ db = maskeddb;
+
+ db[0] &= ((u8) 0xff >> (8 * em_len - em_bits));
+
+ err = -EINVAL;
+ for (pos = 0; pos < em_len - h_len - s_len - 2; pos++) {
+ if (db[pos] != 0)
+ goto out_shash;
+ }
+ if (db[pos] != 0x01)
+ goto out_shash;
+
+ salt = db + (maskeddb_len - s_len);
+
+ m_hash = req_ctx->out_buf + ctx->key_size;
+ sg_pcopy_to_buffer(req->src,
+ sg_nents_for_len(req->src, req->src_len + req->dst_len),
+ m_hash,
+ req->dst_len, ctx->key_size);
+
+ if (strcmp(ictx->mgf_hash_algo, digest_info->name) != 0) {
+ psspad_free_shash(hash_tfm, desc);
+ err = psspad_setup_shash(&hash_tfm, &desc, digest_info->name);
+ if (err < 0)
+ goto out_db_mask;
+ }
+
+ err = crypto_shash_init(desc);
+ if (!err)
+ err = crypto_shash_update(desc, zeroes, 8);
+ if (!err)
+ err = crypto_shash_update(desc, m_hash, h_len);
+ if (!err)
+ err = crypto_shash_finup(desc, salt, s_len, m_hash);
+ if (err < 0)
+ goto out_shash;
+
+ h_ = m_hash;
+
+ if (memcmp(h_, h, h_len) != 0)
+ err = -EKEYREJECTED;
+
+out_shash:
+ psspad_free_shash(hash_tfm, desc);
+out_db_mask:
+ kfree(db_mask);
+out:
+ kfree_sensitive(req_ctx->out_buf);
+ return err;
}
static void psspad_verify_complete_cb(struct crypto_async_request *child_async_req,
--
2.30.2
next prev parent reply other threads:[~2021-04-20 11:47 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-20 11:41 [PATCH v3 00/18] Implement RSASSA-PSS signature verification Varad Gautam
2021-04-20 11:41 ` [PATCH v3 01/18] X.509: Parse RSASSA-PSS style certificates Varad Gautam
2021-04-20 11:41 ` [PATCH v3 02/18] crypto: rsa-pkcs1pad: Rename pkcs1pad-specific functions to rsapad Varad Gautam
2021-04-20 11:41 ` [PATCH v3 03/18] crypto: rsa-pkcs1pad: Extract pkcs1pad_create into a generic helper Varad Gautam
2021-04-20 11:41 ` [PATCH v3 04/18] crypto: rsa-pkcs1pad: Pull out child req processing code into helpers Varad Gautam
2021-04-20 11:41 ` [PATCH v3 05/18] crypto: rsa-pkcs1pad: Rename pkcs1pad_* structs to rsapad_* Varad Gautam
2021-04-20 11:41 ` [PATCH v3 06/18] crypto: rsa: Start moving RSA common code to rsa-common Varad Gautam
2021-04-20 11:41 ` [PATCH v3 07/18] crypto: rsa: Move more " Varad Gautam
2021-04-20 11:41 ` [PATCH v3 08/18] crypto: rsa: Move rsapad_akcipher_setup_child and callback " Varad Gautam
2021-04-20 11:41 ` [PATCH v3 09/18] crypto: Extend akcipher API to pass signature parameters Varad Gautam
2021-04-20 11:41 ` [PATCH v3 10/18] crypto: rsa: Move struct rsa_mpi_key definition to rsa.h Varad Gautam
2021-04-20 11:41 ` [PATCH v3 11/18] crypto: Scaffolding for RSA-PSS signature style Varad Gautam
2021-04-20 11:41 ` [PATCH v3 12/18] crypto: rsa-psspad: Introduce shash alloc/dealloc helpers Varad Gautam
2021-04-20 11:41 ` [PATCH v3 13/18] crypto: rsa-psspad: Get signature parameters from a given signature Varad Gautam
2021-05-14 10:45 ` Herbert Xu
2021-07-05 9:39 ` Varad Gautam
2023-09-20 17:12 ` Dimitri John Ledkov
2021-04-20 11:41 ` [PATCH v3 14/18] crypto: Implement MGF1 Mask Generation Function for RSASSA-PSS Varad Gautam
2021-04-20 11:41 ` [PATCH v3 15/18] crypto: rsa-psspad: Provide PSS signature verify operation Varad Gautam
2021-04-20 11:41 ` Varad Gautam [this message]
2021-04-20 11:41 ` [PATCH v3 17/18] crypto: Accept pss as valid encoding during signature verification Varad Gautam
2021-04-20 11:41 ` [PATCH v3 18/18] keyctl_pkey: Add pkey parameters saltlen and mgfhash for PSS Varad Gautam
2021-04-20 13:27 ` Ben Boeckel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210420114124.9684-17-varad.gautam@suse.com \
--to=varad.gautam@suse.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tianjia.zhang@linux.alibaba.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).