Re: [RFC PATCH 5/8] KEYS: Provide software public key query function [ver 3]

[Tadeusz Struk]

On 05/11/2016 04:50 PM, Mat Martineau wrote:
> 
>> +len = crypto_akcipher_maxsize(tfm);
>> +info->key_size = len * 8;
>> +info->max_data_size = len;
>> +info->max_sig_size = len;
>> +info->max_enc_size = len;
>> +info->max_dec_size = len;
> 
> If len > UINT16_MAX, should UINT16_MAX be reported as the max size? Similar 
> question for len*8 and key_size.

Hi Mat,
Since all the operations performed are mod key->n the output will never be 
bigger
than size of pkey->n, which is the return value from 
crypto_akcipher_maxsize(tfm)
for a given key.
Thanks,
-- 
TS
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 8/8] KEYS: Implement PKCS#8 RSA Private Key parser [ver 3]

[Mat Martineau]

On Wed, 11 May 2016, David Howells wrote:


diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 6516855bec18..417035a53e98 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -34,6 +34,19 @@ clean-files  += x509_akid-asn1.c x509_akid-asn1.h
#
# PKCS#7 message handling


Update to PKCS#8


#
+obj-$(CONFIG_PKCS8_PRIVATE_KEY_PARSER) += pkcs8_key_parser.o
+pkcs8_key_parser-y := \
+   pkcs8-asn1.o \
+   pkcs8_parser.o
+
+$(obj)/pkcs8_parser.o: $(obj)/pkcs8-asn1.h
+$(obj)/pkcs8-asn1.o: $(obj)/pkcs8-asn1.c $(obj)/pkcs8-asn1.h
+
+clean-files+= pkcs8-asn1.c pkcs8-asn1.h



--
Mat Martineau
Intel OTC
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 5/8] KEYS: Provide software public key query function [ver 3]

[Mat Martineau]

On Wed, 11 May 2016, David Howells wrote:


Provide a query function for the software public key implementation.  This
permits information about such a key to be obtained using
query_asymmetric_key() or KEYCTL_PKEY_QUERY.

Signed-off-by: David Howells 
---

crypto/asymmetric_keys/public_key.c |   96 ++-
1 file changed, 82 insertions(+), 14 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c 
b/crypto/asymmetric_keys/public_key.c
index 96983906d2a2..e9967e5a2c25 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
+static int software_key_query(const struct kernel_pkey_params *params,
+ struct kernel_pkey_query *info)
+{

...

+   len = crypto_akcipher_maxsize(tfm);
+   info->key_size = len * 8;
+   info->max_data_size = len;
+   info->max_sig_size = len;
+   info->max_enc_size = len;
+   info->max_dec_size = len;


If len > UINT16_MAX, should UINT16_MAX be reported as the max size? 
Similar question for len*8 and key_size.


--
Mat Martineau
Intel OTC

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 2/8] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver 3]

[Mat Martineau]

On Wed, 11 May 2016, David Howells wrote:


diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index ca72b70a24b9..01c2ae28a8c0 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
+ If the key needs to be unlocked with a password, a logon-type key that
+ holds the password may be given as the password argument

...

+ If the key must be unlocked with a password before it can be used,
+ password_id should point to a logon-type key that holds this.


It should be noted that the password_id should be 0 if no password is to 
be used.



diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
new file mode 100644
index ..7f51db984aaa
--- /dev/null
+++ b/security/keys/keyctl_pkey.c
+long keyctl_pkey_e_d_s(int op,

...

+   ret = params.key->type->asym_eds_op(, in, out);


Need to check for NULL asym_eds_op before calling.


Regards,

--
Mat Martineau
Intel OTC

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: RSA/MPI handling issues and keyctl access to public key keyrings

[Tadeusz Struk]

On 05/11/2016 06:55 AM, David Howells wrote:
> Tadeusz Struk  wrote:
> 
>>>  (2) rsa-pkcs1pad needs to indicate what the maximum content size is, given
>>>  the minimum possible padding for the specified hash type (ie. a
>>>  particular OID).
>>
>> The user needs to use crypto_akcipher_maxsize(tfm) to get the required buffer
>> size for a given key.
>> We do check if the buffer if big enough to accommodate padding and hash info.
>> This is needed in sign and encrypt operations, and in both cases we check it,
>> sign:
>> https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/tree/crypto/rsa-pkcs1pad.c#n434
>> and encrypt:
>> https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/tree/crypto/rsa-pkcs1pad.c#n252
> 
> Can you supply a way to find out the reduced size from the padding?
> 

Hi David,
What exactly do you want to do? For the verify operation we don't know the
reduced size before the operation. We only figure it out after we decrypt
the message and then the req->dst_len gets the actual size of the message
without padding.
Thanks,
-- 
TS
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] crypto: qat: remove unused vairable.

[Tadeusz Struk]

On 05/11/2016 12:28 PM, Muhammad Falak R Wani wrote:
> Remove the unused variable ret, and return 0 explicitly.

Thanks for the patch. In this case it will be even better
to change the adf_ctl_stop_devices() to a void function.
---8<---
Subject: [PATCH] crypto: qat - change the adf_ctl_stop_devices to void

Change the adf_ctl_stop_devices to a void function.

Signed-off-by: Tadeusz Struk 
---
 drivers/crypto/qat/qat_common/adf_ctl_drv.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/qat/qat_common/adf_ctl_drv.c 
b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
index db21b49..abc7a7f 100644
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -270,10 +270,9 @@ static int adf_ctl_is_device_in_use(int id)
return 0;
 }
 
-static int adf_ctl_stop_devices(uint32_t id)
+static void adf_ctl_stop_devices(uint32_t id)
 {
struct adf_accel_dev *accel_dev;
-   int ret = 0;
 
list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
@@ -298,7 +297,6 @@ static int adf_ctl_stop_devices(uint32_t id)
adf_dev_shutdown(accel_dev);
}
}
-   return ret;
 }
 
 static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
@@ -327,9 +325,8 @@ static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned 
int cmd,
pr_info("QAT: Stopping acceleration device qat_dev%d.\n",
ctl_data->device_id);
 
-   ret = adf_ctl_stop_devices(ctl_data->device_id);
-   if (ret)
-   pr_err("QAT: failed to stop device.\n");
+   adf_ctl_stop_devices(ctl_data->device_id);
+
 out:
kfree(ctl_data);
return ret;

Thanks,
-- 
TS
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] crypto: qat: remove unused vairable.

[Muhammad Falak R Wani]

Remove the unused variable ret, and return 0 explicitly.

Signed-off-by: Muhammad Falak R Wani 
---
 drivers/crypto/qat/qat_common/adf_ctl_drv.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/crypto/qat/qat_common/adf_ctl_drv.c 
b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
index db21b49..0f0677f 100644
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -273,7 +273,6 @@ static int adf_ctl_is_device_in_use(int id)
 static int adf_ctl_stop_devices(uint32_t id)
 {
struct adf_accel_dev *accel_dev;
-   int ret = 0;
 
list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) {
if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) {
@@ -298,7 +297,7 @@ static int adf_ctl_stop_devices(uint32_t id)
adf_dev_shutdown(accel_dev);
}
}
-   return ret;
+   return 0;
 }
 
 static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd,
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 8/8] KEYS: Implement PKCS#8 RSA Private Key parser [ver 3]

[David Woodhouse]

On Wed, 2016-05-11 at 15:22 +0100, David Howells wrote:
> Implement PKCS#8 RSA Private Key format [RFC 5208] parser for the
> asymmetric key type.  For the moment, this will only support unencrypted
> DER blobs.  PEM and decryption can be added later.

I would recommend *not* adding PEM and decryption support. That can
live in userspace. You don't want to end up with the whole set of
handlers for all the weird formats, from PKCS#12 to OpenSSL's non-
standard encrypted PEM files.

Trust me, I implemented a whole bunch of that for OpenConnect. You
don't want it. Just mandate unencrypted binary PKCS#8 (or PKCS#1).

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation



smime.p7s
Description: S/MIME cryptographic signature

Re: [PATCH] crypto/ccp: remove rwlocks_types.h

[Tom Lendacky]

On 05/11/2016 05:06 AM, Sebastian Andrzej Siewior wrote:
> Users of rwlocks should include spinlock.h instead including this
> header file. The current users of rwlocks_types.h are internal.
> 
> Signed-off-by: Sebastian Andrzej Siewior 

There's already been a patch submitted and accepted for this
in the cryptodev tree:

commit 7587c4075400 ("crypto: ccp - Fix RT breaking #include 
")

Thanks,
Tom

> ---
>  drivers/crypto/ccp/ccp-dev.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/ccp-dev.c b/drivers/crypto/ccp/ccp-dev.c
> index 4dbc18727235..2a8ad712a5f2 100644
> --- a/drivers/crypto/ccp/ccp-dev.c
> +++ b/drivers/crypto/ccp/ccp-dev.c
> @@ -16,7 +16,6 @@
>  #include 
>  #include 
>  #include 
> -#include 
>  #include 
>  #include 
>  #include 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH RESEND v5 0/6] crypto: algif - add akcipher

[David Howells]

Tadeusz Struk  wrote:

> This is the same v5 version as before rebased on top of
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

I've just reposted this.  The interface you're using should be the same, I
think, but the details underneath have changed.

Also, you can now supply private keys to the kernel if they're PKCS#8 encoded
and keyctls are supplied that do encryption, decryption, signing and
verifying, e.g.:

j=`openssl pkcs8 -in ~/pkcs7/firmwarekey2.priv -topk8 -nocrypt -outform 
DER | \
keyctl padd asymmetric foo @s`
echo -n abcdefghijklmnopqrst >/tmp/data
keyctl pkey_encrypt $j 0 /tmp/data enc=pkcs1 >/tmp/enc
keyctl pkey_decrypt $j 0 /tmp/enc enc=pkcs1 >/tmp/dec
cmp /tmp/data /tmp/dec
keyctl pkey_sign $j 0 /tmp/data enc=pkcs1 hash=sha1 >/tmp/sig
keyctl pkey_verify $j 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1

David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[RFC PATCH 2/8] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver 3]

[David Howells]

Provide five keyctl functions that permit userspace to make use of the new
key type ops for accessing and driving asymmetric keys.

 (*) Query an asymmetric key.

long keyctl(KEYCTL_PKEY_QUERY,
key_serial_t key, key_serial_t password,
struct keyctl_pkey_query *info);

 Get information about an asymmetric key.  The information is returned
 in the keyctl_pkey_query struct:

__u32   supported_ops;

 A bit mask of flags indicating which ops are supported.  This is
 constructed from a bitwise-OR of:

KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}

__u32   key_size;

 The size in bits of the key.

__u16   max_data_size;
__u16   max_sig_size;
__u16   max_enc_size;
__u16   max_dec_size;

 The maximum sizes in bytes of a blob of data to be signed, a signature
 blob, a blob to be encrypted and a blob to be decypted.

 If the key needs to be unlocked with a password, a logon-type key that
 holds the password may be given as the password argument

 If successful, 0 is returned.  If the key is not an asymmetric key,
 EOPNOTSUPP is returned.


 (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key.

long keyctl(KEYCTL_PKEY_ENCRYPT,
const struct keyctl_pkey_params *params,
const char *info,
const void *in,
void *out);

long keyctl(KEYCTL_PKEY_DECRYPT,
const struct keyctl_pkey_params *params,
const char *info,
const void *in,
void *out);

long keyctl(KEYCTL_PKEY_SIGN,
const struct keyctl_pkey_params *params,
const char *info,
const void *in,
void *out);

long keyctl(KEYCTL_PKEY_VERIFY,
const struct keyctl_pkey_params *params,
const char *info,
const void *in,
const void *in2);

 Use an asymmetric key to perform a public-key cryptographic operation
 a blob of data.

 The parameter block pointed to by params contains a number of integer
 values:

__s32   key_id;
__s32   password_id;
__u32   in_len;
__u32   out_len;
__u32   in2_len;

 For a given operation, the in and out buffers are used as follows:

Operation IDin,in_len   out,out_len in2,in2_len
=== === === ===
KEYCTL_PKEY_ENCRYPT Raw dataEncrypted data  -
KEYCTL_PKEY_DECRYPT Encrypted data  Raw data-
KEYCTL_PKEY_SIGNRaw dataSignature   -
KEYCTL_PKEY_VERIFY  Raw data-   Signature

 If the key must be unlocked with a password before it can be used,
 password_id should point to a logon-type key that holds this.

 info is a string of key=value pairs that supply supplementary
 information.

 If successful, encrypt, decrypt and sign all return the amount of data
 written into the output buffer.  Verification returns 0 on success.

Signed-off-by: David Howells 
---

 Documentation/security/keys.txt |  111 +
 include/uapi/linux/keyctl.h |   26 +++
 security/keys/Makefile  |1 
 security/keys/compat.c  |   15 ++
 security/keys/internal.h|   39 +
 security/keys/keyctl.c  |   23 +++
 security/keys/keyctl_pkey.c |  335 +++
 7 files changed, 550 insertions(+)
 create mode 100644 security/keys/keyctl_pkey.c

diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index ca72b70a24b9..01c2ae28a8c0 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -854,6 +854,117 @@ The keyctl syscall functions are:
  supported, error ENOKEY if the key could not be found, or error
  EACCES if the key is not readable by the caller.
 
+
+ (*) Query an asymmetric key.
+
+   long keyctl(KEYCTL_PKEY_QUERY,
+   key_serial_t key, key_serial_t password,
+   struct keyctl_pkey_query *info);
+
+ Get information about an asymmetric key.  The information is returned in
+ the keyctl_pkey_query struct:
+
+   __u32   supported_ops;
+
+ A bit mask of flags indicating which ops are supported.  This is
+ constructed from a bitwise-OR of:
+
+   KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
+
+   __u32   key_size;
+
+ The size in bits of the key.
+
+   __u16   max_data_size;
+   __u16   max_sig_size;
+   __u16   max_enc_size;
+   __u16   max_dec_size;
+
+ The maximum sizes in bytes of a blob of data to be signed, a signature
+ blob, a blob 

[RFC PATCH 4/8] KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type [ver 3]

[David Howells]

Make the X.509 and PKCS7 parsers fill in the signature encoding type field
recently added to the public_key_signature struct.

Signed-off-by: David Howells 
---

 crypto/asymmetric_keys/pkcs7_parser.c |1 +
 crypto/asymmetric_keys/x509_cert_parser.c |   21 +
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/crypto/asymmetric_keys/pkcs7_parser.c 
b/crypto/asymmetric_keys/pkcs7_parser.c
index af4cd8649117..5f0c6755a55b 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -261,6 +261,7 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
switch (ctx->last_oid) {
case OID_rsaEncryption:
ctx->sinfo->sig->pkey_algo = "rsa";
+   ctx->sinfo->sig->encoding = "pkcs1";
break;
default:
printk("Unsupported pkey algo: %u\n", ctx->last_oid);
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c 
b/crypto/asymmetric_keys/x509_cert_parser.c
index 865f46ea724f..1f1899d5ab43 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -199,35 +199,32 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
 
case OID_md4WithRSAEncryption:
ctx->cert->sig->hash_algo = "md4";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
 
case OID_sha1WithRSAEncryption:
ctx->cert->sig->hash_algo = "sha1";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
 
case OID_sha256WithRSAEncryption:
ctx->cert->sig->hash_algo = "sha256";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
 
case OID_sha384WithRSAEncryption:
ctx->cert->sig->hash_algo = "sha384";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
 
case OID_sha512WithRSAEncryption:
ctx->cert->sig->hash_algo = "sha512";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
 
case OID_sha224WithRSAEncryption:
ctx->cert->sig->hash_algo = "sha224";
-   ctx->cert->sig->pkey_algo = "rsa";
-   break;
+   goto rsa_pkcs1;
}
 
+rsa_pkcs1:
+   ctx->cert->sig->pkey_algo = "rsa";
+   ctx->cert->sig->encoding = "pkcs1";
ctx->algo_oid = ctx->last_oid;
return 0;
 }

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[RFC PATCH 1/8] KEYS: Provide key type operations for asymmetric key ops [ver 3]

[David Howells]

Provide five new operations in the key_type struct that can be used to
provide access to asymmetric key operations.  These will be implemented for
the asymmetric key type in a later patch and may refer to a key retained in
RAM by the kernel or a key retained in crypto hardware.

 int (*asym_query)(const struct key *key, const struct key *password,
   struct kernel_pkey_query *info);
 int (*asym_eds_op)(struct kernel_pkey_params *params,
const void *in, void *out);
 int (*asym_verify_signature)(struct kernel_pkey_params *params,
  const void *in, const void *in2);

Since encrypt, decrypt and sign are identical in their interfaces, they're
rolled together in the asym_eds_op() operation and there's an operation ID
in the params argument to distinguish them.

Verify is different in that we supply the data and the signature instead
and get an error value (or 0) as the only result on the expectation that
this may well be how a hardware crypto device may work.

Signed-off-by: David Howells 
---

 Documentation/security/keys.txt |  113 +++
 include/linux/key-type.h|   11 
 include/linux/keyctl.h  |   47 
 include/uapi/linux/keyctl.h |5 ++
 4 files changed, 176 insertions(+)
 create mode 100644 include/linux/keyctl.h

diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 20d05719bceb..ca72b70a24b9 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -1429,6 +1429,119 @@ The structure has a number of fields, some of which are 
mandatory:
 The authorisation key.
 
 
+ (*) int (*asym_eds_op)(struct kernel_pkey_params *params,
+   const void *in, void *out);
+ int (*asym_verify_signature)(struct kernel_pkey_params *params,
+ const void *in, const void *in2);
+
+ These methods are optional.  If provided the first allows a key to be
+ used to encrypt, decrypt or sign a blob of data, and the second allows a
+ key to verify a signature.
+
+ In all cases, the following information is provided in the params block:
+
+   struct kernel_pkey_params {
+   struct key  *key;
+   struct key  *password;
+   const char  *encoding;
+   const char  *hash_algo;
+   char*info;
+   __u32   in_len;
+   union {
+   __u32   out_len;
+   __u32   in2_len;
+   };
+   enum kernel_pkey_operation op : 8;
+   };
+
+ This includes the key to be used; an optional second key that can be used
+ to provide a password (and must be of logon type); an optional string
+ indicating the encoding to use (for instance, "pkcs1" may be used with an
+ RSA key to indicate RSASSA-PKCS1-v1.5 or RSAES-PKCS1-v1.5 encoding); the
+ name of the hash algorithm used to generate the data for a signature (if
+ appropriate); the sizes of the input and output (or second input) buffers;
+ and the ID of the operation to be performed.
+
+ For a given operation ID, the input and output buffers are used as
+ follows:
+
+   Operation IDin,in_len   out,out_len in2,in2_len
+   === === === ===
+   kernel_pkey_encrypt Raw dataEncrypted data  -
+   kernel_pkey_decrypt Encrypted data  Raw data-
+   kernel_pkey_signRaw dataSignature   -
+   kernel_pkey_verify  Raw data-   Signature
+
+ asym_eds_op() deals with encryption, decryption and signature creation as
+ specified by params->op.  Note that params->op is also set for
+ asym_verify_signature().
+
+ Encrypting and signature creation both take raw data in the input buffer
+ and return the encrypted result in the output buffer.  Padding may have
+ been added if an encoding was set.  In the case of signature creation,
+ depending on the encoding, the padding created may need to indicate the
+ digest algorithm - the name of which should be supplied in hash_algo.
+
+ Decryption takes encrypted data in the input buffer and returns the raw
+ data in the output buffer.  Padding will get checked and stripped off if
+ an encoding was set.
+
+ Verification takes raw data in the input buffer and the signature in the
+ second input buffer and checks that the one matches the other.  Padding
+ will be validated.  Depending on the encoding, the digest algorithm used
+ to generate the raw data may need to be indicated in hash_algo.
+
+ If successful, asym_eds_op() should return the number of bytes written
+ into the output buffer.  asym_verify_signature() should return 0.

[RFC PATCH 3/8] KEYS: Provide missing asymmetric key subops for new key type ops [ver 3]

[David Howells]

Provide the missing asymmetric key subops for new key type ops.  This
include query, encrypt, decrypt and create signature.  Verify signature
already exists.  Also provided are accessor functions for this:

int query_asymmetric_key(const struct key *key,
 const struct key *password,
 struct kernel_pkey_query *info);

int encrypt_blob(struct kernel_pkey_params *params,
 const void *data, void *enc);
int decrypt_blob(struct kernel_pkey_params *params,
 const void *enc, void *data);
int create_signature(struct kernel_pkey_params *params,
 const void *data, void *enc);

The public_key_signature struct gains an encoding field to carry the
encoding for verify_signature() and that function gains an extra key
pointer that can be used to pass a pointer to a logon key carrying a
password to unlock the key.

Signed-off-by: David Howells 
---

 Documentation/crypto/asymmetric-keys.txt |   31 +++-
 crypto/asymmetric_keys/asymmetric_keys.h |3 +
 crypto/asymmetric_keys/asymmetric_type.c |   60 ++--
 crypto/asymmetric_keys/pkcs7_trust.c |2 -
 crypto/asymmetric_keys/public_key.c  |1 
 crypto/asymmetric_keys/restrict.c|2 -
 crypto/asymmetric_keys/signature.c   |  112 +-
 include/crypto/public_key.h  |   13 +++
 include/keys/asymmetric-subtype.h|   10 +++
 security/integrity/digsig_asymmetric.c   |2 -
 10 files changed, 216 insertions(+), 20 deletions(-)

diff --git a/Documentation/crypto/asymmetric-keys.txt 
b/Documentation/crypto/asymmetric-keys.txt
index 8c07e0ea6bc0..93a071714de7 100644
--- a/Documentation/crypto/asymmetric-keys.txt
+++ b/Documentation/crypto/asymmetric-keys.txt
@@ -123,6 +123,7 @@ An operation is provided to perform cryptographic signature 
verification, using
 an asymmetric key to provide or to provide access to the public key.
 
int verify_signature(const struct key *key,
+const struct key *password,
 const struct public_key_signature *sig);
 
 The caller must have already obtained the key from some source and can then use
@@ -148,6 +149,9 @@ In addition, the data must have been digested by the caller 
and the resulting
 hash must be pointed to by sig->digest and the size of the hash be placed in
 sig->digest_size.
 
+If the key needs to be unlocked with a passphrase, this can be passed in a
+logon key as the password argument.
+
 The function will return 0 upon success or -EKEYREJECTED if the signature
 doesn't match.
 
@@ -182,6 +186,10 @@ and looks like the following:
 
void (*describe)(const struct key *key, struct seq_file *m);
void (*destroy)(void *payload);
+   int (*query)(const struct kernel_pkey_params *params,
+struct kernel_pkey_query *info);
+   int (*eds_op)(struct kernel_pkey_params *params,
+ const void *in, void *out);
int (*verify_signature)(const struct key *key,
const struct public_key_signature *sig);
};
@@ -206,12 +214,25 @@ There are a number of operations defined by the subtype:
  asymmetric key will look after freeing the fingerprint and releasing the
  reference on the subtype module.
 
- (3) verify_signature().
+ (3) query().
+
+ Mandatory.  This is a function for querying the capabilities of a key.  A
+ password can be provided if the key needs unlocking.
+
+ (4) eds_op().
+
+ Optional.  This is the entry point for the encryption, decryption and
+ signature creation operations (which are distinguished by the operation ID
+ in the parameter struct).  The subtype may do anything it likes to
+ implement an operation, including offloading to hardware.  A password can
+ be provided if the key needs unlocking.
+
+ (5) verify_signature().
 
- Optional.  These are the entry points for the key usage operations.
- Currently there is only the one defined.  If not set, the caller will be
- given -ENOTSUPP.  The subtype may do anything it likes to implement an
- operation, including offloading to hardware.
+ Optional.  This is the entry point for signature verification.  The
+ subtype may do anything it likes to implement an operation, including
+ offloading to hardware.  A password can be provided if the key needs
+ unlocking.
 
 
 ==
diff --git a/crypto/asymmetric_keys/asymmetric_keys.h 
b/crypto/asymmetric_keys/asymmetric_keys.h
index ca8e9ac34ce6..7be1ccf4fa9f 100644
--- a/crypto/asymmetric_keys/asymmetric_keys.h
+++ b/crypto/asymmetric_keys/asymmetric_keys.h
@@ -16,3 +16,6 @@ extern struct asymmetric_key_id 
*asymmetric_key_hex_to_key_id(const char *id);
 extern 

[RFC PATCH 5/8] KEYS: Provide software public key query function [ver 3]

[David Howells]

Provide a query function for the software public key implementation.  This
permits information about such a key to be obtained using
query_asymmetric_key() or KEYCTL_PKEY_QUERY.

Signed-off-by: David Howells 
---

 crypto/asymmetric_keys/public_key.c |   96 ++-
 1 file changed, 82 insertions(+), 14 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c 
b/crypto/asymmetric_keys/public_key.c
index 96983906d2a2..e9967e5a2c25 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -57,6 +57,81 @@ static void public_key_destroy(void *payload0, void 
*payload3)
public_key_signature_free(payload3);
 }
 
+/*
+ * Determine the crypto algorithm name.
+ */
+static
+int software_key_determine_akcipher(const char *encoding,
+   const char *hash_algo,
+   const struct public_key *pkey,
+   char alg_name[CRYPTO_MAX_ALG_NAME])
+{
+   int n;
+
+   if (strcmp(encoding, "pkcs1") == 0) {
+   /* The data wangled by the RSA algorithm is typically padded
+* and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447
+* sec 8.2].
+*/
+   if (!hash_algo)
+   n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+"pkcs1pad(%s)",
+pkey->pkey_algo);
+   else
+   n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+"pkcs1pad(%s,%s)",
+pkey->pkey_algo, hash_algo);
+   return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
+   }
+
+   if (strcmp(encoding, "raw") == 0) {
+   strcpy(alg_name, pkey->pkey_algo);
+   return 0;
+   }
+
+   return -ENOPKG;
+}
+
+/*
+ * Query information about a key.
+ */
+static int software_key_query(const struct kernel_pkey_params *params,
+ struct kernel_pkey_query *info)
+{
+   struct crypto_akcipher *tfm;
+   struct public_key *pkey = params->key->payload.data[asym_crypto];
+   char alg_name[CRYPTO_MAX_ALG_NAME];
+   int ret, len;
+
+   ret = software_key_determine_akcipher(params->encoding,
+ params->hash_algo,
+ pkey, alg_name);
+   if (ret < 0)
+   return ret;
+
+   tfm = crypto_alloc_akcipher(alg_name, 0, 0);
+   if (IS_ERR(tfm))
+   return PTR_ERR(tfm);
+
+   ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
+   if (ret < 0)
+   goto error_free_tfm;
+
+   len = crypto_akcipher_maxsize(tfm);
+   info->key_size = len * 8;
+   info->max_data_size = len;
+   info->max_sig_size = len;
+   info->max_enc_size = len;
+   info->max_dec_size = len;
+   info->supported_ops = KEYCTL_SUPPORTS_VERIFY;
+   ret = 0;
+
+error_free_tfm:
+   crypto_free_akcipher(tfm);
+   pr_devel("<==%s() = %d\n", __func__, ret);
+   return ret;
+}
+
 struct public_key_completion {
struct completion completion;
int err;
@@ -83,8 +158,7 @@ int public_key_verify_signature(const struct public_key 
*pkey,
struct crypto_akcipher *tfm;
struct akcipher_request *req;
struct scatterlist sig_sg, digest_sg;
-   const char *alg_name;
-   char alg_name_buf[CRYPTO_MAX_ALG_NAME];
+   char alg_name[CRYPTO_MAX_ALG_NAME];
void *output;
unsigned int outlen;
int ret = -ENOMEM;
@@ -96,18 +170,11 @@ int public_key_verify_signature(const struct public_key 
*pkey,
BUG_ON(!sig->digest);
BUG_ON(!sig->s);
 
-   alg_name = sig->pkey_algo;
-   if (strcmp(sig->pkey_algo, "rsa") == 0) {
-   /* The data wangled by the RSA algorithm is typically padded
-* and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447
-* sec 8.2].
-*/
-   if (snprintf(alg_name_buf, CRYPTO_MAX_ALG_NAME,
-"pkcs1pad(rsa,%s)", sig->hash_algo
-) >= CRYPTO_MAX_ALG_NAME)
-   return -EINVAL;
-   alg_name = alg_name_buf;
-   }
+   ret = software_key_determine_akcipher(sig->encoding,
+ sig->hash_algo,
+ pkey, alg_name);
+   if (ret < 0)
+   return ret;
 
tfm = crypto_alloc_akcipher(alg_name, 0, 0);
if (IS_ERR(tfm))
@@ -180,6 +247,7 @@ struct asymmetric_key_subtype public_key_subtype = {
.name_len   = sizeof("public_key") - 1,
.describe   = public_key_describe,
.destroy= public_key_destroy,
+   .query

[RFC PATCH 6/8] KEYS: Allow the public_key struct to hold a private key [ver 3]

[David Howells]

Put a flag in the public_key struct to indicate if the structure is holding
a private key.  The private key must be held ASN.1 encoded in the format
specified in RFC 3447 A.1.2.  This is the form required by crypto/rsa.c.

The software encryption subtype's verification and query functions then
need to select the appropriate crypto function to set the key.

Signed-off-by: David Howells 
---

 crypto/asymmetric_keys/public_key.c |   14 --
 include/crypto/public_key.h |1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c 
b/crypto/asymmetric_keys/public_key.c
index e9967e5a2c25..92997d4e8173 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -113,7 +113,12 @@ static int software_key_query(const struct 
kernel_pkey_params *params,
if (IS_ERR(tfm))
return PTR_ERR(tfm);
 
-   ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
+   if (pkey->key_is_private)
+   ret = crypto_akcipher_set_priv_key(tfm,
+  pkey->key, pkey->keylen);
+   else
+   ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
if (ret < 0)
goto error_free_tfm;
 
@@ -184,7 +189,12 @@ int public_key_verify_signature(const struct public_key 
*pkey,
if (!req)
goto error_free_tfm;
 
-   ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
+   if (pkey->key_is_private)
+   ret = crypto_akcipher_set_priv_key(tfm,
+  pkey->key, pkey->keylen);
+   else
+   ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
if (ret)
goto error_free_req;
 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 1db6f1933dbd..a5096e72de5c 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -25,6 +25,7 @@
 struct public_key {
void *key;
u32 keylen;
+   bool key_is_private;
const char *id_type;
const char *pkey_algo;
 };

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[RFC PATCH 8/8] KEYS: Implement PKCS#8 RSA Private Key parser [ver 3]

[David Howells]

Implement PKCS#8 RSA Private Key format [RFC 5208] parser for the
asymmetric key type.  For the moment, this will only support unencrypted
DER blobs.  PEM and decryption can be added later.

PKCS#8 keys can be loaded like this:

openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
  keyctl padd asymmetric foo @s

Signed-off-by: David Howells 
---

 Documentation/crypto/asymmetric-keys.txt |2 
 crypto/asymmetric_keys/Kconfig   |   10 ++
 crypto/asymmetric_keys/Makefile  |   13 ++
 crypto/asymmetric_keys/pkcs8.asn1|   24 
 crypto/asymmetric_keys/pkcs8_parser.c|  184 ++
 5 files changed, 233 insertions(+)
 create mode 100644 crypto/asymmetric_keys/pkcs8.asn1
 create mode 100644 crypto/asymmetric_keys/pkcs8_parser.c

diff --git a/Documentation/crypto/asymmetric-keys.txt 
b/Documentation/crypto/asymmetric-keys.txt
index 93a071714de7..45e50c5695bf 100644
--- a/Documentation/crypto/asymmetric-keys.txt
+++ b/Documentation/crypto/asymmetric-keys.txt
@@ -254,6 +254,8 @@ Examples of blob formats for which parsers could be 
implemented include:
  - X.509 ASN.1 stream.
  - Pointer to TPM key.
  - Pointer to UEFI key.
+ - PKCS#8 private key [RFC 5208].
+ - PKCS#5 encrypted private key [RFC 2898].
 
 During key instantiation each parser in the list is tried until one doesn't
 return -EBADMSG.
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index e28e912000a7..c145bdf88381 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -29,6 +29,16 @@ config X509_CERTIFICATE_PARSER
  data and provides the ability to instantiate a crypto key from a
  public key packet found inside the certificate.
 
+config PKCS8_PRIVATE_KEY_PARSER
+   tristate "PKCS#8 private key parser"
+   depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+   select ASN1
+   select OID_REGISTRY
+   help
+ This option provides support for parsing PKCS#8 format blobs for
+ private key data and provides the ability to instantiate a crypto key
+ from that data.
+
 config PKCS7_MESSAGE_PARSER
tristate "PKCS#7 message parser"
depends on X509_CERTIFICATE_PARSER
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 6516855bec18..417035a53e98 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -34,6 +34,19 @@ clean-files  += x509_akid-asn1.c x509_akid-asn1.h
 #
 # PKCS#7 message handling
 #
+obj-$(CONFIG_PKCS8_PRIVATE_KEY_PARSER) += pkcs8_key_parser.o
+pkcs8_key_parser-y := \
+   pkcs8-asn1.o \
+   pkcs8_parser.o
+
+$(obj)/pkcs8_parser.o: $(obj)/pkcs8-asn1.h
+$(obj)/pkcs8-asn1.o: $(obj)/pkcs8-asn1.c $(obj)/pkcs8-asn1.h
+
+clean-files+= pkcs8-asn1.c pkcs8-asn1.h
+
+#
+# PKCS#7 message handling
+#
 obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
 pkcs7_message-y := \
pkcs7-asn1.o \
diff --git a/crypto/asymmetric_keys/pkcs8.asn1 
b/crypto/asymmetric_keys/pkcs8.asn1
new file mode 100644
index ..702c41a3c713
--- /dev/null
+++ b/crypto/asymmetric_keys/pkcs8.asn1
@@ -0,0 +1,24 @@
+--
+-- This is the unencrypted variant
+--
+PrivateKeyInfo ::= SEQUENCE {
+   version Version,
+   privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+   privateKey  PrivateKey,
+   attributes  [0] IMPLICIT Attributes OPTIONAL
+}
+
+Version ::= INTEGER  ({ pkcs8_note_version })
+
+PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier ({ pkcs8_note_algo })
+
+PrivateKey ::= OCTET STRING ({ pkcs8_note_key })
+
+Attributes ::= SET OF Attribute
+
+Attribute ::= ANY
+
+AlgorithmIdentifier ::= SEQUENCE {
+   algorithm   OBJECT IDENTIFIER ({ pkcs8_note_OID }),
+   parameters  ANY OPTIONAL
+}
diff --git a/crypto/asymmetric_keys/pkcs8_parser.c 
b/crypto/asymmetric_keys/pkcs8_parser.c
new file mode 100644
index ..26a73c0b7eef
--- /dev/null
+++ b/crypto/asymmetric_keys/pkcs8_parser.c
@@ -0,0 +1,184 @@
+/* PKCS#8 Private Key parser [RFC 5208].
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "PKCS8: "fmt
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "pkcs8-asn1.h"
+
+struct pkcs8_parse_context {
+   struct public_key *pub;
+   unsigned long   data;   /* Start of data */
+   enum OIDlast_oid;   /* Last OID encountered */
+   enum OIDalgo_oid;   /* Algorithm OID */
+   u32 key_size;
+   const void  

[RFC PATCH 7/8] KEYS: Implement encrypt, decrypt and sign for software asymmetric key [ver 3]

[David Howells]

Implement the encrypt, decrypt and sign operations for the software
asymmetric key subtype.  This mostly involves offloading the call to the
crypto layer.

Note that the decrypt and sign operations require a private key to be
supplied.  Encrypt (and also verify) will work with either a public or a
private key.  A public key can be supplied with an X.509 certificate and a
private key can be supplied using a PKCS#8 blob:

# j=`openssl pkcs8 -in ~/pkcs7/firmwarekey2.priv -topk8 -nocrypt 
-outform DER | keyctl padd asymmetric foo @s`
# keyctl pkey_query $j - enc=pkcs1
key_size=4096
max_data_size=512
max_sig_size=512
max_enc_size=512
max_dec_size=512
encrypt=y
decrypt=y
sign=y
verify=y
# keyctl pkey_encrypt $j 0 data enc=pkcs1 >/tmp/enc
# keyctl pkey_decrypt $j 0 /tmp/enc enc=pkcs1 >/tmp/dec
# cmp data /tmp/dec
# keyctl pkey_sign $j 0 data enc=pkcs1 hash=sha1 >/tmp/sig
# keyctl pkey_verify $j 0 data /tmp/sig enc=pkcs1 hash=sha1
#

Signed-off-by: David Howells 
---

 crypto/asymmetric_keys/public_key.c |   89 ++-
 1 file changed, 86 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c 
b/crypto/asymmetric_keys/public_key.c
index 92997d4e8173..2bdb673cf074 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -128,7 +128,11 @@ static int software_key_query(const struct 
kernel_pkey_params *params,
info->max_sig_size = len;
info->max_enc_size = len;
info->max_dec_size = len;
-   info->supported_ops = KEYCTL_SUPPORTS_VERIFY;
+   info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |
+  KEYCTL_SUPPORTS_VERIFY);
+   if (pkey->key_is_private)
+   info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT |
+   KEYCTL_SUPPORTS_SIGN);
ret = 0;
 
 error_free_tfm:
@@ -142,7 +146,7 @@ struct public_key_completion {
int err;
 };
 
-static void public_key_verify_done(struct crypto_async_request *req, int err)
+static void public_key_crypto_done(struct crypto_async_request *req, int err)
 {
struct public_key_completion *compl = req->data;
 
@@ -154,6 +158,84 @@ static void public_key_verify_done(struct 
crypto_async_request *req, int err)
 }
 
 /*
+ * Do encryption, decryption and signing ops.
+ */
+static int software_key_eds_op(struct kernel_pkey_params *params,
+  const void *in, void *out)
+{
+   struct public_key_completion compl;
+   const struct public_key *pkey = params->key->payload.data[asym_crypto];
+   struct akcipher_request *req;
+   struct crypto_akcipher *tfm;
+   struct scatterlist in_sg, out_sg;
+   char alg_name[CRYPTO_MAX_ALG_NAME];
+   int ret;
+
+   pr_devel("==>%s()\n", __func__);
+
+   ret = software_key_determine_akcipher(params->encoding,
+ params->hash_algo,
+ pkey, alg_name);
+   if (ret < 0)
+   return ret;
+
+   tfm = crypto_alloc_akcipher(alg_name, 0, 0);
+   if (IS_ERR(tfm))
+   return PTR_ERR(tfm);
+
+   req = akcipher_request_alloc(tfm, GFP_KERNEL);
+   if (!req)
+   goto error_free_tfm;
+
+   if (pkey->key_is_private)
+   ret = crypto_akcipher_set_priv_key(tfm,
+  pkey->key, pkey->keylen);
+   else
+   ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
+   if (ret)
+   goto error_free_req;
+
+   sg_init_one(_sg, in, params->in_len);
+   sg_init_one(_sg, out, params->out_len);
+   akcipher_request_set_crypt(req, _sg, _sg, params->in_len,
+  params->out_len);
+   init_completion();
+   akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ public_key_crypto_done, );
+
+   /* Perform the encryption calculation. */
+   switch (params->op) {
+   case kernel_pkey_encrypt:
+   ret = crypto_akcipher_encrypt(req);
+   break;
+   case kernel_pkey_decrypt:
+   ret = crypto_akcipher_decrypt(req);
+   break;
+   case kernel_pkey_sign:
+   ret = crypto_akcipher_sign(req);
+   break;
+   default:
+   BUG();
+   }
+   if (ret == -EINPROGRESS) {
+   wait_for_completion();
+   ret = compl.err;
+   }
+
+   if (ret == 0)
+   ret = req->dst_len;
+
+error_free_req:
+   akcipher_request_free(req);
+error_free_tfm:
+   crypto_free_akcipher(tfm);
+   

[RFC PATCH 0/8] KEYS: keyctl operations for asymmetric keys [ver 3]

[David Howells]

Here's a set of patches that provides keyctl access for asymmetric keys,
including a query function, and functions to do encryption, decryption,
signature creation and signature verification.

I've added a PKCS#8 asymmetric key parser so that you can load an RSA private
key into the kernel.  Currently only DER-encoded and unencrypted PKCS#8 is
supported.  Encryption and verification can use a public key from an X.509
cert, but signing and decryption require a private key, though encryption and
verification can use that too.

Example usage:

j=`openssl pkcs8 -in ~/pkcs7/firmwarekey2.priv -topk8 -nocrypt -outform 
DER | \
keyctl padd asymmetric foo @s`
echo -n abcdefghijklmnopqrst >/tmp/data
keyctl pkey_encrypt $j 0 /tmp/data enc=pkcs1 >/tmp/enc
keyctl pkey_decrypt $j 0 /tmp/enc enc=pkcs1 >/tmp/dec
cmp /tmp/data /tmp/dec
keyctl pkey_sign $j 0 /tmp/data enc=pkcs1 hash=sha1 >/tmp/sig
keyctl pkey_verify $j 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1

The kernel patches can be found here also:


http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

The keyutils changes needed can be found here:


http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/log/?h=pkey

David
---
David Howells (8):
  KEYS: Provide key type operations for asymmetric key ops
  KEYS: Provide keyctls to drive the new key type ops for asymmetric keys
  KEYS: Provide missing asymmetric key subops for new key type ops
  KEYS: Make the X.509 and PKCS7 parsers supply the sig encoding type
  KEYS: Provide software public key query function
  KEYS: Allow the public_key struct to hold a private key
  KEYS: Implement encrypt, decrypt and sign for software asymmetric key
  KEYS: Implement PKCS#8 RSA Private Key parser


 Documentation/crypto/asymmetric-keys.txt  |   33 ++-
 Documentation/security/keys.txt   |  224 +++
 crypto/asymmetric_keys/Kconfig|   10 +
 crypto/asymmetric_keys/Makefile   |   13 +
 crypto/asymmetric_keys/asymmetric_keys.h  |3 
 crypto/asymmetric_keys/asymmetric_type.c  |   60 +
 crypto/asymmetric_keys/pkcs7_parser.c |1 
 crypto/asymmetric_keys/pkcs7_trust.c  |2 
 crypto/asymmetric_keys/pkcs8.asn1 |   24 ++
 crypto/asymmetric_keys/pkcs8_parser.c |  184 
 crypto/asymmetric_keys/public_key.c   |  196 +++--
 crypto/asymmetric_keys/restrict.c |2 
 crypto/asymmetric_keys/signature.c|  112 ++
 crypto/asymmetric_keys/x509_cert_parser.c |   21 +-
 include/crypto/public_key.h   |   14 +
 include/keys/asymmetric-subtype.h |   10 +
 include/linux/key-type.h  |   11 +
 include/linux/keyctl.h|   47 
 include/uapi/linux/keyctl.h   |   31 +++
 security/integrity/digsig_asymmetric.c|2 
 security/keys/Makefile|1 
 security/keys/compat.c|   15 +
 security/keys/internal.h  |   39 +++
 security/keys/keyctl.c|   23 ++
 security/keys/keyctl_pkey.c   |  335 +
 25 files changed, 1364 insertions(+), 49 deletions(-)
 create mode 100644 crypto/asymmetric_keys/pkcs8.asn1
 create mode 100644 crypto/asymmetric_keys/pkcs8_parser.c
 create mode 100644 include/linux/keyctl.h
 create mode 100644 security/keys/keyctl_pkey.c

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: RSA/MPI handling issues and keyctl access to public key keyrings

[David Howells]

Tadeusz Struk  wrote:

> >  (2) rsa-pkcs1pad needs to indicate what the maximum content size is, given
> >  the minimum possible padding for the specified hash type (ie. a
> >  particular OID).
> 
> The user needs to use crypto_akcipher_maxsize(tfm) to get the required buffer
> size for a given key.
> We do check if the buffer if big enough to accommodate padding and hash info.
> This is needed in sign and encrypt operations, and in both cases we check it,
> sign:
> https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/tree/crypto/rsa-pkcs1pad.c#n434
> and encrypt:
> https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/tree/crypto/rsa-pkcs1pad.c#n252

Can you supply a way to find out the reduced size from the padding?

David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] lib: asn1_decoder - add MODULE_LICENSE("GPL")

[David Howells]

Tudor Ambarus  wrote:

> A kernel taint results when loading the rsa_generic module:
> 
> root@(none):~# modprobe rsa_generic
> asn1_decoder: module license 'unspecified' taints kernel.
> Disabling lock debugging due to kernel taint
> 
> "Tainting" of the kernel is (usually) a way of indicating that
> a proprietary module has been inserted, which is not the case here.
> 
> Signed-off-by: Tudor Ambarus 

Applied.
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: [PATCH v6 0/3] Key-agreement Protocol Primitives (KPP) API

[Benedetto, Salvatore]

Hi Stephan,

> -Original Message-
> From: linux-crypto-ow...@vger.kernel.org [mailto:linux-crypto-
> ow...@vger.kernel.org] On Behalf Of Stephan Mueller
> Sent: Wednesday, May 11, 2016 10:05 AM
> To: Benedetto, Salvatore 
> Cc: herb...@gondor.apana.org.au; linux-crypto@vger.kernel.org
> Subject: Re: [PATCH v6 0/3] Key-agreement Protocol Primitives (KPP) API
> 
> Am Mittwoch, 11. Mai 2016, 08:26:00 schrieb Salvatore Benedetto:
> 
> Hi Salvatore,
> 
> > Changes from v5:
> > * Fix ecdh loading in fips mode.
> 
> Thanks.
> 
> As I do not readily see how you solved the issue, may I ask for a pointer to
> the code that handles that?
>

Loading kpp ecdh was indeed calling panic() before because the P192 test was run
anyway. Now when fips=1 is passed and CONFIG_CRYPTO_FIPS is set the P192 is
not run.

Regards,
Salvatore  
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] crypto: caam: add backlogging support

[Herbert Xu]

On Wed, May 11, 2016 at 07:53:19AM +, Catalin Vasile wrote:
>
> Every request will be queued and eventually done.
> The hardware equipment has a constraint on the number of tfms it can have.
> Is there a requirement to support an infinite number of tfms on a device?
> 
> > You should use a software queue instead.> 

As I said you drivers are always supposed to have a software queue
in addition to any hardware queues.  There is no reason why your
driver should be special in this regard.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: [PATCH] crypto: rsa - return raw integer for the ASN.1 parser

[Tudor-Dan Ambarus]

Hi Herbert,

> On Fri, Apr 29, 2016 at 03:51:46PM +0300, Tudor Ambarus wrote:
> >
> >  struct rsa_key {
> > +   u8 *n;
> > +   u8 *e;
> > +   u8 *d;
> > +   dma_addr_t dma_n;
> > +   dma_addr_t dma_e;
> > +   dma_addr_t dma_d;
> > +   size_t n_sz;
> > +   size_t e_sz;
> > +   bool coherent;
> > +   gfp_t flags;
> 
> Please don't put the DMA primitives in the generic helper.  They
> should stay in the driver for now.

If I move the DMA primitives to the driver context,
I can't assure software coherency enforcement in rsa helper.

If so, after the ANS.1 parsing, if a driver needs to enforce software
coherency, it will have to allocate coherent memory and copy
the ANS.1 parsed data there. Is this acceptable?

Thanks,
ta
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] crypto/ccp: remove rwlocks_types.h

[Sebastian Andrzej Siewior]

Users of rwlocks should include spinlock.h instead including this
header file. The current users of rwlocks_types.h are internal.

Signed-off-by: Sebastian Andrzej Siewior 
---
 drivers/crypto/ccp/ccp-dev.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/crypto/ccp/ccp-dev.c b/drivers/crypto/ccp/ccp-dev.c
index 4dbc18727235..2a8ad712a5f2 100644
--- a/drivers/crypto/ccp/ccp-dev.c
+++ b/drivers/crypto/ccp/ccp-dev.c
@@ -16,7 +16,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
-- 
2.8.1

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[patch V4 21/31] crypto: use parity functions in qat_hal

[zengzhaoxiu]

From: Zhaoxiu Zeng 

Signed-off-by: Zhaoxiu Zeng 
---
 drivers/crypto/qat/qat_common/qat_hal.c | 32 ++--
 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/drivers/crypto/qat/qat_common/qat_hal.c 
b/drivers/crypto/qat/qat_common/qat_hal.c
index 1e480f1..318558f 100644
--- a/drivers/crypto/qat/qat_common/qat_hal.c
+++ b/drivers/crypto/qat/qat_common/qat_hal.c
@@ -546,17 +546,6 @@ static void qat_hal_disable_ctx(struct 
icp_qat_fw_loader_handle *handle,
qat_hal_wr_ae_csr(handle, ae, CTX_ENABLES, ctx);
 }
 
-static uint64_t qat_hal_parity_64bit(uint64_t word)
-{
-   word ^= word >> 1;
-   word ^= word >> 2;
-   word ^= word >> 4;
-   word ^= word >> 8;
-   word ^= word >> 16;
-   word ^= word >> 32;
-   return word & 1;
-}
-
 static uint64_t qat_hal_set_uword_ecc(uint64_t uword)
 {
uint64_t bit0_mask = 0xff87fffULL, bit1_mask = 0x1f801ff801fULL,
@@ -566,13 +555,13 @@ static uint64_t qat_hal_set_uword_ecc(uint64_t uword)
 
/* clear the ecc bits */
uword &= ~(0x7fULL << 0x2C);
-   uword |= qat_hal_parity_64bit(bit0_mask & uword) << 0x2C;
-   uword |= qat_hal_parity_64bit(bit1_mask & uword) << 0x2D;
-   uword |= qat_hal_parity_64bit(bit2_mask & uword) << 0x2E;
-   uword |= qat_hal_parity_64bit(bit3_mask & uword) << 0x2F;
-   uword |= qat_hal_parity_64bit(bit4_mask & uword) << 0x30;
-   uword |= qat_hal_parity_64bit(bit5_mask & uword) << 0x31;
-   uword |= qat_hal_parity_64bit(bit6_mask & uword) << 0x32;
+   uword |= (uint64_t)parity64(bit0_mask & uword) << 0x2C;
+   uword |= (uint64_t)parity64(bit1_mask & uword) << 0x2D;
+   uword |= (uint64_t)parity64(bit2_mask & uword) << 0x2E;
+   uword |= (uint64_t)parity64(bit3_mask & uword) << 0x2F;
+   uword |= (uint64_t)parity64(bit4_mask & uword) << 0x30;
+   uword |= (uint64_t)parity64(bit5_mask & uword) << 0x31;
+   uword |= (uint64_t)parity64(bit6_mask & uword) << 0x32;
return uword;
 }
 
@@ -853,15 +842,14 @@ void qat_hal_wr_umem(struct icp_qat_fw_loader_handle 
*handle,
uaddr |= UA_ECS;
qat_hal_wr_ae_csr(handle, ae, USTORE_ADDRESS, uaddr);
for (i = 0; i < words_num; i++) {
-   unsigned int uwrd_lo, uwrd_hi, tmp;
+   unsigned int uwrd_lo, uwrd_hi;
 
uwrd_lo = ((data[i] & 0xfff) << 4) | (0x3 << 18) |
  ((data[i] & 0xff00) << 2) |
  (0x3 << 8) | (data[i] & 0xff);
uwrd_hi = (0xf << 4) | ((data[i] & 0xf000) >> 28);
-   uwrd_hi |= (hweight32(data[i] & 0x) & 0x1) << 8;
-   tmp = ((data[i] >> 0x10) & 0x);
-   uwrd_hi |= (hweight32(tmp) & 0x1) << 9;
+   uwrd_hi |= parity16(data[i]) << 8;
+   uwrd_hi |= parity16(data[i] >> 16) << 9;
qat_hal_wr_ae_csr(handle, ae, USTORE_DATA_LOWER, uwrd_lo);
qat_hal_wr_ae_csr(handle, ae, USTORE_DATA_UPPER, uwrd_hi);
}
-- 
2.7.4


--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[patch V4 30/31] crypto: use parity_long is sahara.c

[zengzhaoxiu]

From: Zhaoxiu Zeng 

Signed-off-by: Zhaoxiu Zeng 
---
 drivers/crypto/sahara.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
index c3f3d89..5c44a15 100644
--- a/drivers/crypto/sahara.c
+++ b/drivers/crypto/sahara.c
@@ -783,7 +783,7 @@ static u32 sahara_sha_init_hdr(struct sahara_dev *dev,
if (rctx->last)
hdr |= SAHARA_HDR_MDHA_PDATA;
 
-   if (hweight_long(hdr) % 2 == 0)
+   if (!parity_long(hdr))
hdr |= SAHARA_HDR_PARITY_BIT;
 
return hdr;
-- 
2.7.4


--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v6 0/3] Key-agreement Protocol Primitives (KPP) API

[Stephan Mueller]

Am Mittwoch, 11. Mai 2016, 08:26:00 schrieb Salvatore Benedetto:

Hi Salvatore,

> Changes from v5:
> * Fix ecdh loading in fips mode.

Thanks.

As I do not readily see how you solved the issue, may I ask for a pointer to 
the code that handles that?

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] crypto: caam: add backlogging support

[Catalin Vasile]

> 

> 
> From: Herbert Xu 
> Sent: Tuesday, May 10, 2016 12:46 PM
> To: Catalin Vasile
> Cc: linux-crypto@vger.kernel.org; linux-crypto-ow...@vger.kernel.org; Horia 
> Ioan Geanta Neag; Alexandru Porosanu; Scott Wood; Catalin Vasile
> Subject: Re: [PATCH] crypto: caam: add backlogging support> 

> Catalin Vasile  wrote:
> > caam_jr_enqueue() function returns -EBUSY once there are no more slots
> > available in the JR, but it doesn't actually save the current request.
> > This breaks the functionality of users that expect that even if there is
> > no more space for the request, it is at least queued for later
> > execution. In other words, all crypto transformations that request
> > backlogging (i.e. have CRYPTO_TFM_REQ_MAY_BACKLOG set), will hang. Such
> > an example is dm-crypt. The current patch solves this issue by setting a
> > threshold after which caam_jr_enqueue() returns -EBUSY, but since the HW
> > job ring isn't actually full, the job is enqueued.
> >
> > Signed-off-by: Alexandru Porosanu 
> > Tested-by: Catalin Vasile > 

> This is not acceptable.  The request that triggers EBUSY must
> be allowed to queue.  As the number of tfms is unlimited you
> can't just put them onto the hardware queue and hope that it
> works out.>
Every request will be queued and eventually done.
The hardware equipment has a constraint on the number of tfms it can have.
Is there a requirement to support an infinite number of tfms on a device?

> You should use a software queue instead.> 

> Cheers,
> --
> Email: Herbert Xu 
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v6 3/3] crypto: kpp - Add ECDH software support

[Salvatore Benedetto]

 * Implement ECDH under kpp API
 * Provide ECC software support for curve P-192 and
   P-256.
 * Add kpp test for ECDH with data generated by OpenSSL

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |5 +
 crypto/Makefile |3 +
 crypto/ecc.c| 1016 +++
 crypto/ecc.h|   70 
 crypto/ecc_curve_defs.h |   57 +++
 crypto/ecdh.c   |  171 
 crypto/testmgr.c|  136 ++-
 crypto/testmgr.h|   78 
 include/crypto/ecdh.h   |   24 ++
 9 files changed, 1551 insertions(+), 9 deletions(-)
 create mode 100644 crypto/ecc.c
 create mode 100644 crypto/ecc.h
 create mode 100644 crypto/ecc_curve_defs.h
 create mode 100644 crypto/ecdh.c
 create mode 100644 include/crypto/ecdh.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 89db25c..08a1a3b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -117,6 +117,11 @@ config CRYPTO_DH
help
  Generic implementation of the Diffie-Hellman algorithm.
 
+config CRYPTO_ECDH
+   tristate "ECDH algorithm"
+   select CRYTPO_KPP
+   help
+ Generic implementation of the ECDH algorithm
 
 config CRYPTO_MANAGER
tristate "Cryptographic algorithm manager"
diff --git a/crypto/Makefile b/crypto/Makefile
index 101f8fd..ba03079 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -33,6 +33,9 @@ obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
 obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
 obj-$(CONFIG_CRYPTO_DH) += dh.o
+ecdh_generic-y := ecc.o
+ecdh_generic-y += ecdh.o
+obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
 
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
diff --git a/crypto/ecc.c b/crypto/ecc.c
new file mode 100644
index 000..65b3134
--- /dev/null
+++ b/crypto/ecc.c
@@ -0,0 +1,1016 @@
+/*
+ * Copyright (c) 2013, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *  * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *  * Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "ecc.h"
+#include "ecc_curve_defs.h"
+
+#define MAX_TRIES 16
+
+typedef struct {
+   u64 m_low;
+   u64 m_high;
+} uint128_t;
+
+static inline const struct ecc_curve *ecc_get_curve(unsigned int curve_id)
+{
+   switch (curve_id) {
+   /* In FIPS mode only allow P256 and higher */
+   case ECC_CURVE_NIST_P192:
+   return fips_enabled ? NULL : _p192;
+   case ECC_CURVE_NIST_P256:
+   return _p256;
+   default:
+   return NULL;
+   }
+}
+
+static u64 *ecc_alloc_digits_space(unsigned int ndigits)
+{
+   size_t len = ndigits * sizeof(u64);
+
+   if (!len)
+   return NULL;
+
+   return kmalloc(len, GFP_KERNEL);
+}
+
+static void ecc_free_digits_space(u64 *space)
+{
+   kzfree(space);
+}
+
+static struct ecc_point *ecc_alloc_point(unsigned int ndigits)
+{
+   struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL);
+
+   if (!p)
+   return NULL;
+
+   p->x = ecc_alloc_digits_space(ndigits);
+   if (!p->x)
+   goto err_alloc_x;
+
+   p->y = ecc_alloc_digits_space(ndigits);
+   if (!p->y)
+   goto err_alloc_y;
+
+   p->ndigits = ndigits;
+
+   return p;
+
+err_alloc_y:
+   ecc_free_digits_space(p->x);
+err_alloc_x:
+   kfree(p);
+   return NULL;
+}
+
+static void ecc_free_point(struct ecc_point *p)
+{
+   if (!p)
+   return;
+
+   kzfree(p->x);
+   kzfree(p->y);
+   kzfree(p);
+}
+
+static void vli_clear(u64 *vli, unsigned int ndigits)
+{
+   int i;
+
+   for (i = 0; i < 

[PATCH v6 2/3] crypto: kpp - Add DH software implementation

[Salvatore Benedetto]

 * Implement MPI based Diffie-Hellman under kpp API
 * Test provided uses data generad by OpenSSL

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |   8 ++
 crypto/Makefile |   2 +
 crypto/dh.c | 224 
 crypto/testmgr.c| 157 
 crypto/testmgr.h| 208 
 include/crypto/dh.h |  23 ++
 6 files changed, 622 insertions(+)
 create mode 100644 crypto/dh.c
 create mode 100644 include/crypto/dh.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 31bf962..89db25c 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -110,6 +110,14 @@ config CRYPTO_RSA
help
  Generic implementation of the RSA public key algorithm.
 
+config CRYPTO_DH
+   tristate "Diffie-Hellman algorithm"
+   select CRYPTO_KPP
+   select MPILIB
+   help
+ Generic implementation of the Diffie-Hellman algorithm.
+
+
 config CRYPTO_MANAGER
tristate "Cryptographic algorithm manager"
select CRYPTO_MANAGER2
diff --git a/crypto/Makefile b/crypto/Makefile
index 5b60890..101f8fd 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -32,6 +32,8 @@ obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o
 obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
 obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
+obj-$(CONFIG_CRYPTO_DH) += dh.o
+
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
 clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
diff --git a/crypto/dh.c b/crypto/dh.c
new file mode 100644
index 000..06e4805
--- /dev/null
+++ b/crypto/dh.c
@@ -0,0 +1,224 @@
+/*  Diffie-Hellman Key Agreement Method [RFC2631]
+ *
+ * Copyright (c) 2016, Intel Corporation
+ * Authors: Salvatore Benedetto 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct dh_ctx {
+   MPI p;
+   MPI g;
+   MPI xa;
+};
+
+static void dh_free_ctx(struct dh_ctx *ctx)
+{
+   mpi_free(ctx->p);
+   mpi_free(ctx->g);
+   mpi_free(ctx->xa);
+   ctx->p = NULL;
+   ctx->g = NULL;
+   ctx->xa = NULL;
+}
+
+/*
+ * Public key generation function [RFC2631 sec 2.1.1]
+ * ya = g^xa mod p;
+ */
+static int _generate_public_key(const struct dh_ctx *ctx, MPI ya)
+{
+   /* ya = g^xa mod p */
+   return mpi_powm(ya, ctx->g, ctx->xa, ctx->p);
+}
+
+/*
+ * ZZ generation function [RFC2631 sec 2.1.1]
+ * ZZ = yb^xa mod p;
+ */
+static int _compute_shared_secret(const struct dh_ctx *ctx, MPI yb,
+ MPI zz)
+{
+   /* ZZ = yb^xa mod p */
+   return mpi_powm(zz, yb, ctx->xa, ctx->p);
+}
+
+static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
+{
+   return kpp_tfm_ctx(tfm);
+}
+
+static int dh_check_params_length(unsigned int p_len)
+{
+   return (p_len < 1536) ? -EINVAL : 0;
+}
+
+static int dh_set_params(struct crypto_kpp *tfm, void *buffer,
+unsigned int len)
+{
+   struct dh_ctx *ctx = dh_get_ctx(tfm);
+   struct dh_params *params = (struct dh_params *)buffer;
+
+   if (unlikely(!buffer || !len))
+   return -EINVAL;
+
+   if (unlikely(!params->p || !params->g))
+   return -EINVAL;
+
+   if (dh_check_params_length(params->p_size << 3))
+   return -EINVAL;
+
+   ctx->p = mpi_read_raw_data(params->p, params->p_size);
+   if (!ctx->p)
+   return -EINVAL;
+
+   ctx->g = mpi_read_raw_data(params->g, params->g_size);
+   if (!ctx->g) {
+   mpi_free(ctx->p);
+   return -EINVAL;
+   }
+
+   return 0;
+}
+
+static int dh_set_secret(struct crypto_kpp *tfm, void *buffer,
+unsigned int len)
+{
+   struct dh_ctx *ctx = dh_get_ctx(tfm);
+
+   if (unlikely(!buffer || !len))
+   return -EINVAL;
+
+   ctx->xa = mpi_read_raw_data(buffer, len);
+
+   if (!ctx->xa)
+   return -EINVAL;
+
+   return 0;
+}
+
+static int dh_generate_public_key(struct kpp_request *req)
+{
+   struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
+   const struct dh_ctx *ctx = dh_get_ctx(tfm);
+   MPI ya = mpi_alloc(0);
+   int ret = 0;
+   int sign;
+
+   if (!ya)
+   return -ENOMEM;
+
+   if (unlikely(!ctx->p || !ctx->g || !ctx->xa)) {
+   ret = -EINVAL;
+   goto err_free_ya;
+   }
+   ret = _generate_public_key(ctx, ya);
+   if (ret)
+   goto err_free_ya;
+
+   ret = mpi_write_to_sgl(ya, req->dst, >dst_len, );
+   if (ret)
+ 

[PATCH v6 1/3] crypto: Key-agreement Protocol Primitives API (KPP)

[Salvatore Benedetto]

Add key-agreement protocol primitives (kpp) API which allows to
implement primitives required by protocols such as DH and ECDH.
The API is composed mainly by the following functions
 * set_params() - It allows the user to set the parameters known to
   both parties involved in the key-agreement session
 * set_secret() - It allows the user to set his secret, also
   referred to as his private key
 * generate_public_key() - It generates the public key to be sent to
   the other counterpart involved in the key-agreement session. The
   function has to be called after set_params() and set_secret()
 * generate_secret() - It generates the shared secret for the session

Other functions such as init() and exit() are provided for allowing
cryptographic hardware to be inizialized properly before use

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |  10 ++
 crypto/Makefile |   1 +
 crypto/crypto_user.c|  20 +++
 crypto/kpp.c| 123 +++
 include/crypto/internal/kpp.h   |  64 
 include/crypto/kpp.h| 333 
 include/linux/crypto.h  |   1 +
 include/uapi/linux/cryptouser.h |   5 +
 8 files changed, 557 insertions(+)
 create mode 100644 crypto/kpp.c
 create mode 100644 include/crypto/internal/kpp.h
 create mode 100644 include/crypto/kpp.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 93a1fdc..31bf962 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -93,6 +93,15 @@ config CRYPTO_AKCIPHER
select CRYPTO_AKCIPHER2
select CRYPTO_ALGAPI
 
+config CRYPTO_KPP2
+   tristate
+   select CRYPTO_ALGAPI2
+
+config CRYPTO_KPP
+   tristate
+   select CRYPTO_ALGAPI
+   select CRYPTO_KPP2
+
 config CRYPTO_RSA
tristate "RSA algorithm"
select CRYPTO_AKCIPHER
@@ -114,6 +123,7 @@ config CRYPTO_MANAGER2
select CRYPTO_HASH2
select CRYPTO_BLKCIPHER2
select CRYPTO_AKCIPHER2
+   select CRYPTO_KPP2
 
 config CRYPTO_USER
tristate "Userspace cryptographic algorithm configuration"
diff --git a/crypto/Makefile b/crypto/Makefile
index 4f4ef7e..5b60890 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -30,6 +30,7 @@ crypto_hash-y += shash.o
 obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o
 
 obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
+obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 43fe85f..d28513fb 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -28,6 +28,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "internal.h"
 
@@ -126,6 +127,21 @@ nla_put_failure:
return -EMSGSIZE;
 }
 
+static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   struct crypto_report_kpp rkpp;
+
+   strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
+
+   if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
+   sizeof(struct crypto_report_kpp), ))
+   goto nla_put_failure;
+   return 0;
+
+nla_put_failure:
+   return -EMSGSIZE;
+}
+
 static int crypto_report_one(struct crypto_alg *alg,
 struct crypto_user_alg *ualg, struct sk_buff *skb)
 {
@@ -176,6 +192,10 @@ static int crypto_report_one(struct crypto_alg *alg,
goto nla_put_failure;
 
break;
+   case CRYPTO_ALG_TYPE_KPP:
+   if (crypto_report_kpp(skb, alg))
+   goto nla_put_failure;
+   break;
}
 
 out:
diff --git a/crypto/kpp.c b/crypto/kpp.c
new file mode 100644
index 000..d36ce05
--- /dev/null
+++ b/crypto/kpp.c
@@ -0,0 +1,123 @@
+/*
+ * Key-agreement Protocol Primitives (KPP)
+ *
+ * Copyright (c) 2016, Intel Corporation
+ * Authors: Salvatore Benedetto 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "internal.h"
+
+#ifdef CONFIG_NET
+static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   struct crypto_report_kpp rkpp;
+
+   strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
+
+   if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
+   sizeof(struct crypto_report_kpp), ))
+   goto nla_put_failure;
+   return 0;
+
+nla_put_failure:
+   return -EMSGSIZE;
+}
+#else
+static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   return -ENOSYS;
+}
+#endif
+
+static void 

[PATCH v6 0/3] Key-agreement Protocol Primitives (KPP) API

[Salvatore Benedetto]

Hi Herb,

the following patchset introduces a new API for abstracting key-agreement
protocols such as DH and ECDH. It provides the primitives required for 
implementing
the protocol, thus the name KPP (Key-agreement Protocol Primitives).

Regards,
Salvatore

Changes from v5:
* Fix ecdh loading in fips mode.

Changes from v4:
* If fips_enabled is set allow only P256 (or higher) as Stephan suggested
* Pass ndigits as argument to ecdh_make_pub_key and ecdh_shared_secret
  so that VLA can be used like in the rest of the module

Changes from v3:
* Move curve ID definition to public header ecdh.h as users need to
  have access to those ids when selecting the curve

Changes from v2:
* Add support for ECDH (curve P192 and P256). I reused the ecc module
  already present in net/bluetooth and extended it in order to select
  different curves at runtime. Code for P192 was taken from tinycrypt.

Changes from v1:
* Change check in dh_check_params_length based on Stephan review


Salvatore Benedetto (3):
  crypto: Key-agreement Protocol Primitives API (KPP)
  crypto: kpp - Add DH software implementation
  crypto: kpp - Add ECDH software support

 crypto/Kconfig  |   23 +
 crypto/Makefile |6 +
 crypto/crypto_user.c|   20 +
 crypto/dh.c |  224 +
 crypto/ecc.c| 1016 +++
 crypto/ecc.h|   70 +++
 crypto/ecc_curve_defs.h |   57 +++
 crypto/ecdh.c   |  171 +++
 crypto/kpp.c|  123 +
 crypto/testmgr.c|  275 +++
 crypto/testmgr.h|  286 +++
 include/crypto/dh.h |   23 +
 include/crypto/ecdh.h   |   24 +
 include/crypto/internal/kpp.h   |   64 +++
 include/crypto/kpp.h|  333 +
 include/linux/crypto.h  |1 +
 include/uapi/linux/cryptouser.h |5 +
 17 files changed, 2721 insertions(+)
 create mode 100644 crypto/dh.c
 create mode 100644 crypto/ecc.c
 create mode 100644 crypto/ecc.h
 create mode 100644 crypto/ecc_curve_defs.h
 create mode 100644 crypto/ecdh.c
 create mode 100644 crypto/kpp.c
 create mode 100644 include/crypto/dh.h
 create mode 100644 include/crypto/ecdh.h
 create mode 100644 include/crypto/internal/kpp.h
 create mode 100644 include/crypto/kpp.h

-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html