summaryrefslogtreecommitdiff
path: root/crypto/rsa-pkcs1pad.c
AgeCommit message (Collapse)AuthorFilesLines
2017-06-20crypto: rsa-pkcs1pad - use constant time memory comparison for MACsJason A. Donenfeld1-1/+1
Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Suggested-by: Stephan Müller <smueller@chronox.de> Cc: stable@vger.kernel.org Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: linux-crypto@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-06-10crypto: pkcs1pad - comply with crypto_akcipher_maxsize()Tudor-Dan Ambarus1-8/+2
crypto_akcipher_maxsize() asks for the output buffer size without caring for errors. It allways assume that will be called after a valid setkey. Comply with it and return what he wants. crypto_akcipher_maxsize() now returns an unsigned int. Remove the unnecessary check. Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-09-22crypto: rsa-pkcs1pad - Handle leading zero for decryptionHerbert Xu1-17/+24
As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad decryption while signature verification was fixed in an earlier patch. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-19crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request structTadeusz Struk1-2/+1
To allow for child request context the struct akcipher_request child_req needs to be at the end of the structure. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-03crypto: rsa-pkcs1pad - Fix regression from leading zerosHerbert Xu1-16/+22
As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad signature verification. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-01crypto: rsa-pkcs1pad - Avoid copying output when possibleHerbert Xu1-67/+45
In the vast majority of cases (2^-32 on 32-bit and 2^-64 on 64-bit) cases, the result from encryption/signing will require no padding. This patch makes these two operations write their output directly to the final destination. Only in the exceedingly rare cases where fixup is needed to we copy it out and back to add the leading zeroes. This patch also makes use of the crypto_akcipher_set_crypt API instead of writing the akcipher request directly. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-01crypto: rsa-pkcs1pad - Move key size check to setkeyHerbert Xu1-30/+26
Rather than repeatedly checking the key size on each operation, we should be checking it once when the key is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-01crypto: rsa-pkcs1pad - Always use GFP_KERNELHerbert Xu1-16/+6
We don't currently support using akcipher in atomic contexts, so GFP_KERNEL should always be used. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-01crypto: rsa-pkcs1pad - Remove bogus page splittingHerbert Xu1-14/+5
The helper pkcs1pad_sg_set_buf tries to split a buffer that crosses a page boundary into two SG entries. This is unnecessary. This patch removes that. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-07-01crypto: rsa-pkcs1pad - Require hash to be presentHerbert Xu1-53/+30
The only user of rsa-pkcs1pad always uses the hash so there is no reason to support the case of not having a hash. This patch also changes the digest info lookup so that it is only done once during template instantiation rather than on each operation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-04-15crypto: rsa-pkcs1pad - fix dst lenTadeusz Struk1-6/+6
The output buffer length has to be at least as big as the key_size. It is then updated to the actual output size by the implementation. Cc: <stable@vger.kernel.org> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-03-04crypto: Add hash param to pkcs1padTadeusz Struk1-26/+156
This adds hash param to pkcs1pad. The pkcs1pad template can work with or without the hash. When hash param is provided then the verify operation will also verify the output against the known digest. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-12-22crypto: rsa-pkcs1pad - don't allocate buffer on stackAndrzej Zaborowski1-8/+19
Avoid the s390 compile "warning: 'pkcs1pad_encrypt_sign_complete' uses dynamic stack allocation" reported by kbuild test robot. Don't use a flat zero-filled buffer, instead zero the contents of the SGL. Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-12-09crypto: rsa - RSA padding algorithmAndrzej Zaborowski1-0/+617
This patch adds PKCS#1 v1.5 standard RSA padding as a separate template. This way an RSA cipher with padding can be obtained by instantiating "pkcs1pad(rsa)". The reason for adding this is that RSA is almost never used without this padding (or OAEP) so it will be needed for either certificate work in the kernel or the userspace, and I also hear that it is likely implemented by hardware RSA in which case hardware implementations of the whole of pkcs1pad(rsa) can be provided. Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>