lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210420114124.9684-15-varad.gautam@suse.com>
Date:   Tue, 20 Apr 2021 13:41:19 +0200
From:   Varad Gautam <varad.gautam@...e.com>
To:     linux-crypto@...r.kernel.org
CC:     varad.gautam@...e.com, dhowells@...hat.com,
        herbert@...dor.apana.org.au, davem@...emloft.net, vt@...linux.org,
        tianjia.zhang@...ux.alibaba.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, jarkko@...nel.org
Subject: [PATCH v3 14/18] crypto: Implement MGF1 Mask Generation Function for RSASSA-PSS

This generates a "mask" byte array of size mask_len bytes as a
concatenation of digests, where each digest is calculated on a
concatenation of an input seed and a running counter to fill up
mask_len bytes - as described by RFC8017 sec B.2.1. "MGF1".

The mask is useful for RSA signing/verification process with
encoding RSASSA-PSS.

Reference: https://tools.ietf.org/html/rfc8017#appendix-B.2.1
Signed-off-by: Varad Gautam <varad.gautam@...e.com>
---
 crypto/rsa-psspad.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/crypto/rsa-psspad.c b/crypto/rsa-psspad.c
index 0a9c0f9e9f0fe..990c2cda552a7 100644
--- a/crypto/rsa-psspad.c
+++ b/crypto/rsa-psspad.c
@@ -70,6 +70,60 @@ static int psspad_set_sig_params(struct crypto_akcipher *tfm,
 	return 0;
 }
 
+/* MGF1 per RFC8017 B.2.1. */
+static int pkcs1_mgf1(u8 *seed, unsigned int seed_len,
+		      struct shash_desc *desc,
+		      u8 *mask, unsigned int mask_len)
+{
+	unsigned int pos, h_len, i, c;
+	u8 *tmp;
+	int ret = 0;
+
+	h_len = crypto_shash_digestsize(desc->tfm);
+
+	pos = i = 0;
+	while ((i < (mask_len / h_len) + 1) && pos < mask_len) {
+		/* Compute T = T || Hash(mgfSeed || C) into mask at pos. */
+		c = cpu_to_be32(i);
+
+		ret = crypto_shash_init(desc);
+		if (ret < 0)
+			goto out_err;
+
+		ret = crypto_shash_update(desc, seed, seed_len);
+		if (ret < 0)
+			goto out_err;
+
+		ret = crypto_shash_update(desc, (u8 *) &c, sizeof(c));
+		if (ret < 0)
+			goto out_err;
+
+		if (mask_len - pos >= h_len) {
+			ret = crypto_shash_final(desc, mask + pos);
+			pos += h_len;
+		} else {
+			tmp = kzalloc(h_len, GFP_KERNEL);
+			if (!tmp) {
+				ret = -ENOMEM;
+				goto out_err;
+			}
+			ret = crypto_shash_final(desc, tmp);
+			/* copy the last hash */
+			memcpy(mask + pos, tmp, mask_len - pos);
+			kfree(tmp);
+			pos = mask_len;
+		}
+		if (ret < 0) {
+			goto out_err;
+		}
+
+		i++;
+	}
+
+out_err:
+	return ret;
+}
+
 static int psspad_s_v_e_d(struct akcipher_request *req)
 {
 	return -EOPNOTSUPP;
-- 
2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ