1/*
  2 * RSA padding templates.
  3 *
  4 * Copyright (c) 2015  Intel Corporation
  5 *
  6 * This program is free software; you can redistribute it and/or modify it
  7 * under the terms of the GNU General Public License as published by the Free
  8 * Software Foundation; either version 2 of the License, or (at your option)
  9 * any later version.
 10 */
 11
 12#include <crypto/algapi.h>
 13#include <crypto/akcipher.h>
 14#include <crypto/internal/akcipher.h>
 15#include <linux/err.h>
 16#include <linux/init.h>
 17#include <linux/kernel.h>
 18#include <linux/module.h>
 19#include <linux/random.h>
 20
 21/*
 22 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
 23 */
 24static const u8 rsa_digest_info_md5[] = {
 25	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
 26	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, /* OID */
 27	0x05, 0x00, 0x04, 0x10
 28};
 29
 30static const u8 rsa_digest_info_sha1[] = {
 31	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
 32	0x2b, 0x0e, 0x03, 0x02, 0x1a,
 33	0x05, 0x00, 0x04, 0x14
 34};
 35
 36static const u8 rsa_digest_info_rmd160[] = {
 37	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
 38	0x2b, 0x24, 0x03, 0x02, 0x01,
 39	0x05, 0x00, 0x04, 0x14
 40};
 41
 42static const u8 rsa_digest_info_sha224[] = {
 43	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
 44	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
 45	0x05, 0x00, 0x04, 0x1c
 46};
 47
 48static const u8 rsa_digest_info_sha256[] = {
 49	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
 50	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
 51	0x05, 0x00, 0x04, 0x20
 52};
 53
 54static const u8 rsa_digest_info_sha384[] = {
 55	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
 56	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
 57	0x05, 0x00, 0x04, 0x30
 58};
 59
 60static const u8 rsa_digest_info_sha512[] = {
 61	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
 62	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
 63	0x05, 0x00, 0x04, 0x40
 64};
 65
 66static const struct rsa_asn1_template {
 67	const char	*name;
 68	const u8	*data;
 69	size_t		size;
 70} rsa_asn1_templates[] = {
 71#define _(X) { #X, rsa_digest_info_##X, sizeof(rsa_digest_info_##X) }
 72	_(md5),
 73	_(sha1),
 74	_(rmd160),
 75	_(sha256),
 76	_(sha384),
 77	_(sha512),
 78	_(sha224),
 79	{ NULL }
 80#undef _
 81};
 82
 83static const struct rsa_asn1_template *rsa_lookup_asn1(const char *name)
 84{
 85	const struct rsa_asn1_template *p;
 86
 87	for (p = rsa_asn1_templates; p->name; p++)
 88		if (strcmp(name, p->name) == 0)
 89			return p;
 90	return NULL;
 91}
 92
 93struct pkcs1pad_ctx {
 94	struct crypto_akcipher *child;
 95	unsigned int key_size;
 96};
 97
 98struct pkcs1pad_inst_ctx {
 99	struct crypto_akcipher_spawn spawn;
100	const struct rsa_asn1_template *digest_info;
101};
102
103struct pkcs1pad_request {
104	struct scatterlist in_sg[2], out_sg[1];
105	uint8_t *in_buf, *out_buf;
106	struct akcipher_request child_req;
107};
108
109static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key,
110		unsigned int keylen)
111{
112	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
113	int err;
114
115	ctx->key_size = 0;
116
117	err = crypto_akcipher_set_pub_key(ctx->child, key, keylen);
118	if (err)
119		return err;
120
121	/* Find out new modulus size from rsa implementation */
122	err = crypto_akcipher_maxsize(ctx->child);
123	if (err < 0)
124		return err;
125
126	if (err > PAGE_SIZE)
127		return -ENOTSUPP;
128
129	ctx->key_size = err;
130	return 0;
131}
132
133static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key,
134		unsigned int keylen)
135{
136	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
137	int err;
138
139	ctx->key_size = 0;
140
141	err = crypto_akcipher_set_priv_key(ctx->child, key, keylen);
142	if (err)
143		return err;
144
145	/* Find out new modulus size from rsa implementation */
146	err = crypto_akcipher_maxsize(ctx->child);
147	if (err < 0)
148		return err;
149
150	if (err > PAGE_SIZE)
151		return -ENOTSUPP;
152
153	ctx->key_size = err;
154	return 0;
155}
156
157static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm)
158{
159	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
160
161	/*
162	 * The maximum destination buffer size for the encrypt/sign operations
163	 * will be the same as for RSA, even though it's smaller for
164	 * decrypt/verify.
165	 */
166
167	return ctx->key_size ?: -EINVAL;
168}
169
170static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len,
171		struct scatterlist *next)
172{
173	int nsegs = next ? 2 : 1;
174
175	sg_init_table(sg, nsegs);
176	sg_set_buf(sg, buf, len);
177
178	if (next)
179		sg_chain(sg, nsegs, next);
180}
181
182static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err)
183{
184	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
185	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
186	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
187	unsigned int pad_len;
188	unsigned int len;
189	u8 *out_buf;
190
191	if (err)
192		goto out;
193
194	len = req_ctx->child_req.dst_len;
195	pad_len = ctx->key_size - len;
196
197	/* Four billion to one */
198	if (likely(!pad_len))
199		goto out;
200
201	out_buf = kzalloc(ctx->key_size, GFP_ATOMIC);
202	err = -ENOMEM;
203	if (!out_buf)
204		goto out;
205
206	sg_copy_to_buffer(req->dst, sg_nents_for_len(req->dst, len),
207			  out_buf + pad_len, len);
208	sg_copy_from_buffer(req->dst,
209			    sg_nents_for_len(req->dst, ctx->key_size),
210			    out_buf, ctx->key_size);
211	kzfree(out_buf);
212
213out:
214	req->dst_len = ctx->key_size;
215
216	kfree(req_ctx->in_buf);
217
218	return err;
219}
220
221static void pkcs1pad_encrypt_sign_complete_cb(
222		struct crypto_async_request *child_async_req, int err)
223{
224	struct akcipher_request *req = child_async_req->data;
225	struct crypto_async_request async_req;
226
227	if (err == -EINPROGRESS)
228		return;
229
230	async_req.data = req->base.data;
231	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
232	async_req.flags = child_async_req->flags;
233	req->base.complete(&async_req,
234			pkcs1pad_encrypt_sign_complete(req, err));
235}
236
237static int pkcs1pad_encrypt(struct akcipher_request *req)
238{
239	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
240	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
241	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
242	int err;
243	unsigned int i, ps_end;
244
245	if (!ctx->key_size)
246		return -EINVAL;
247
248	if (req->src_len > ctx->key_size - 11)
249		return -EOVERFLOW;
250
251	if (req->dst_len < ctx->key_size) {
252		req->dst_len = ctx->key_size;
253		return -EOVERFLOW;
254	}
255
256	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
257				  GFP_KERNEL);
258	if (!req_ctx->in_buf)
259		return -ENOMEM;
260
261	ps_end = ctx->key_size - req->src_len - 2;
262	req_ctx->in_buf[0] = 0x02;
263	for (i = 1; i < ps_end; i++)
264		req_ctx->in_buf[i] = 1 + prandom_u32_max(255);
265	req_ctx->in_buf[ps_end] = 0x00;
266
267	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
268			ctx->key_size - 1 - req->src_len, req->src);
269
270	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
271	if (!req_ctx->out_buf) {
272		kfree(req_ctx->in_buf);
273		return -ENOMEM;
274	}
275
276	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
277			ctx->key_size, NULL);
278
279	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
280	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
281			pkcs1pad_encrypt_sign_complete_cb, req);
282
283	/* Reuse output buffer */
284	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
285				   req->dst, ctx->key_size - 1, req->dst_len);
286
287	err = crypto_akcipher_encrypt(&req_ctx->child_req);
288	if (err != -EINPROGRESS &&
289			(err != -EBUSY ||
290			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
291		return pkcs1pad_encrypt_sign_complete(req, err);
292
293	return err;
294}
295
296static int pkcs1pad_decrypt_complete(struct akcipher_request *req, int err)
297{
298	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
299	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
300	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
301	unsigned int dst_len;
302	unsigned int pos;
303	u8 *out_buf;
304
305	if (err)
306		goto done;
307
308	err = -EINVAL;
309	dst_len = req_ctx->child_req.dst_len;
310	if (dst_len < ctx->key_size - 1)
311		goto done;
312
313	out_buf = req_ctx->out_buf;
314	if (dst_len == ctx->key_size) {
315		if (out_buf[0] != 0x00)
316			/* Decrypted value had no leading 0 byte */
317			goto done;
318
319		dst_len--;
320		out_buf++;
321	}
322
323	if (out_buf[0] != 0x02)
324		goto done;
325
326	for (pos = 1; pos < dst_len; pos++)
327		if (out_buf[pos] == 0x00)
328			break;
329	if (pos < 9 || pos == dst_len)
330		goto done;
331	pos++;
332
333	err = 0;
334
335	if (req->dst_len < dst_len - pos)
336		err = -EOVERFLOW;
337	req->dst_len = dst_len - pos;
338
339	if (!err)
340		sg_copy_from_buffer(req->dst,
341				sg_nents_for_len(req->dst, req->dst_len),
342				out_buf + pos, req->dst_len);
343
344done:
345	kzfree(req_ctx->out_buf);
346
347	return err;
348}
349
350static void pkcs1pad_decrypt_complete_cb(
351		struct crypto_async_request *child_async_req, int err)
352{
353	struct akcipher_request *req = child_async_req->data;
354	struct crypto_async_request async_req;
355
356	if (err == -EINPROGRESS)
357		return;
358
359	async_req.data = req->base.data;
360	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
361	async_req.flags = child_async_req->flags;
362	req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err));
363}
364
365static int pkcs1pad_decrypt(struct akcipher_request *req)
366{
367	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
368	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
369	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
370	int err;
371
372	if (!ctx->key_size || req->src_len != ctx->key_size)
373		return -EINVAL;
374
375	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
376	if (!req_ctx->out_buf)
377		return -ENOMEM;
378
379	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
380			    ctx->key_size, NULL);
381
382	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
383	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
384			pkcs1pad_decrypt_complete_cb, req);
385
386	/* Reuse input buffer, output to a new buffer */
387	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
388				   req_ctx->out_sg, req->src_len,
389				   ctx->key_size);
390
391	err = crypto_akcipher_decrypt(&req_ctx->child_req);
392	if (err != -EINPROGRESS &&
393			(err != -EBUSY ||
394			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
395		return pkcs1pad_decrypt_complete(req, err);
396
397	return err;
398}
399
400static int pkcs1pad_sign(struct akcipher_request *req)
401{
402	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
403	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
404	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
405	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
406	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
407	const struct rsa_asn1_template *digest_info = ictx->digest_info;
408	int err;
409	unsigned int ps_end, digest_size = 0;
410
411	if (!ctx->key_size)
412		return -EINVAL;
413
414	digest_size = digest_info->size;
415
416	if (req->src_len + digest_size > ctx->key_size - 11)
417		return -EOVERFLOW;
418
419	if (req->dst_len < ctx->key_size) {
420		req->dst_len = ctx->key_size;
421		return -EOVERFLOW;
422	}
423
424	req_ctx->in_buf = kmalloc(ctx->key_size - 1 - req->src_len,
425				  GFP_KERNEL);
426	if (!req_ctx->in_buf)
427		return -ENOMEM;
428
429	ps_end = ctx->key_size - digest_size - req->src_len - 2;
430	req_ctx->in_buf[0] = 0x01;
431	memset(req_ctx->in_buf + 1, 0xff, ps_end - 1);
432	req_ctx->in_buf[ps_end] = 0x00;
433
434	memcpy(req_ctx->in_buf + ps_end + 1, digest_info->data,
435	       digest_info->size);
436
437	pkcs1pad_sg_set_buf(req_ctx->in_sg, req_ctx->in_buf,
438			ctx->key_size - 1 - req->src_len, req->src);
439
440	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
441	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
442			pkcs1pad_encrypt_sign_complete_cb, req);
443
444	/* Reuse output buffer */
445	akcipher_request_set_crypt(&req_ctx->child_req, req_ctx->in_sg,
446				   req->dst, ctx->key_size - 1, req->dst_len);
447
448	err = crypto_akcipher_sign(&req_ctx->child_req);
449	if (err != -EINPROGRESS &&
450			(err != -EBUSY ||
451			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
452		return pkcs1pad_encrypt_sign_complete(req, err);
453
454	return err;
455}
456
457static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
458{
459	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
460	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
461	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
462	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
463	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
464	const struct rsa_asn1_template *digest_info = ictx->digest_info;
465	unsigned int dst_len;
466	unsigned int pos;
467	u8 *out_buf;
468
469	if (err)
470		goto done;
471
472	err = -EINVAL;
473	dst_len = req_ctx->child_req.dst_len;
474	if (dst_len < ctx->key_size - 1)
475		goto done;
476
477	out_buf = req_ctx->out_buf;
478	if (dst_len == ctx->key_size) {
479		if (out_buf[0] != 0x00)
480			/* Decrypted value had no leading 0 byte */
481			goto done;
482
483		dst_len--;
484		out_buf++;
485	}
486
487	err = -EBADMSG;
488	if (out_buf[0] != 0x01)
489		goto done;
490
491	for (pos = 1; pos < dst_len; pos++)
492		if (out_buf[pos] != 0xff)
493			break;
494
495	if (pos < 9 || pos == dst_len || out_buf[pos] != 0x00)
496		goto done;
497	pos++;
498
499	if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
500		goto done;
501
502	pos += digest_info->size;
503
504	err = 0;
505
506	if (req->dst_len < dst_len - pos)
507		err = -EOVERFLOW;
508	req->dst_len = dst_len - pos;
509
510	if (!err)
511		sg_copy_from_buffer(req->dst,
512				sg_nents_for_len(req->dst, req->dst_len),
513				out_buf + pos, req->dst_len);
514done:
515	kzfree(req_ctx->out_buf);
516
517	return err;
518}
519
520static void pkcs1pad_verify_complete_cb(
521		struct crypto_async_request *child_async_req, int err)
522{
523	struct akcipher_request *req = child_async_req->data;
524	struct crypto_async_request async_req;
525
526	if (err == -EINPROGRESS)
527		return;
528
529	async_req.data = req->base.data;
530	async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req));
531	async_req.flags = child_async_req->flags;
532	req->base.complete(&async_req, pkcs1pad_verify_complete(req, err));
533}
534
535/*
536 * The verify operation is here for completeness similar to the verification
537 * defined in RFC2313 section 10.2 except that block type 0 is not accepted,
538 * as in RFC2437.  RFC2437 section 9.2 doesn't define any operation to
539 * retrieve the DigestInfo from a signature, instead the user is expected
540 * to call the sign operation to generate the expected signature and compare
541 * signatures instead of the message-digests.
542 */
543static int pkcs1pad_verify(struct akcipher_request *req)
544{
545	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
546	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
547	struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
548	int err;
549
550	if (!ctx->key_size || req->src_len < ctx->key_size)
551		return -EINVAL;
552
553	req_ctx->out_buf = kmalloc(ctx->key_size, GFP_KERNEL);
554	if (!req_ctx->out_buf)
555		return -ENOMEM;
556
557	pkcs1pad_sg_set_buf(req_ctx->out_sg, req_ctx->out_buf,
558			    ctx->key_size, NULL);
559
560	akcipher_request_set_tfm(&req_ctx->child_req, ctx->child);
561	akcipher_request_set_callback(&req_ctx->child_req, req->base.flags,
562			pkcs1pad_verify_complete_cb, req);
563
564	/* Reuse input buffer, output to a new buffer */
565	akcipher_request_set_crypt(&req_ctx->child_req, req->src,
566				   req_ctx->out_sg, req->src_len,
567				   ctx->key_size);
568
569	err = crypto_akcipher_verify(&req_ctx->child_req);
570	if (err != -EINPROGRESS &&
571			(err != -EBUSY ||
572			 !(req->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)))
573		return pkcs1pad_verify_complete(req, err);
574
575	return err;
576}
577
578static int pkcs1pad_init_tfm(struct crypto_akcipher *tfm)
579{
580	struct akcipher_instance *inst = akcipher_alg_instance(tfm);
581	struct pkcs1pad_inst_ctx *ictx = akcipher_instance_ctx(inst);
582	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
583	struct crypto_akcipher *child_tfm;
584
585	child_tfm = crypto_spawn_akcipher(&ictx->spawn);
586	if (IS_ERR(child_tfm))
587		return PTR_ERR(child_tfm);
588
589	ctx->child = child_tfm;
590	return 0;
591}
592
593static void pkcs1pad_exit_tfm(struct crypto_akcipher *tfm)
594{
595	struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
596
597	crypto_free_akcipher(ctx->child);
598}
599
600static void pkcs1pad_free(struct akcipher_instance *inst)
601{
602	struct pkcs1pad_inst_ctx *ctx = akcipher_instance_ctx(inst);
603	struct crypto_akcipher_spawn *spawn = &ctx->spawn;
604
605	crypto_drop_akcipher(spawn);
606	kfree(inst);
607}
608
609static int pkcs1pad_create(struct crypto_template *tmpl, struct rtattr **tb)
610{
611	const struct rsa_asn1_template *digest_info;
612	struct crypto_attr_type *algt;
613	struct akcipher_instance *inst;
614	struct pkcs1pad_inst_ctx *ctx;
615	struct crypto_akcipher_spawn *spawn;
616	struct akcipher_alg *rsa_alg;
617	const char *rsa_alg_name;
618	const char *hash_name;
619	int err;
620
621	algt = crypto_get_attr_type(tb);
622	if (IS_ERR(algt))
623		return PTR_ERR(algt);
624
625	if ((algt->type ^ CRYPTO_ALG_TYPE_AKCIPHER) & algt->mask)
626		return -EINVAL;
627
628	rsa_alg_name = crypto_attr_alg_name(tb[1]);
629	if (IS_ERR(rsa_alg_name))
630		return PTR_ERR(rsa_alg_name);
631
632	hash_name = crypto_attr_alg_name(tb[2]);
633	if (IS_ERR(hash_name))
634		return PTR_ERR(hash_name);
635
636	digest_info = rsa_lookup_asn1(hash_name);
637	if (!digest_info)
638		return -EINVAL;
639
640	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
641	if (!inst)
642		return -ENOMEM;
643
644	ctx = akcipher_instance_ctx(inst);
645	spawn = &ctx->spawn;
646	ctx->digest_info = digest_info;
647
648	crypto_set_spawn(&spawn->base, akcipher_crypto_instance(inst));
649	err = crypto_grab_akcipher(spawn, rsa_alg_name, 0,
650			crypto_requires_sync(algt->type, algt->mask));
651	if (err)
652		goto out_free_inst;
653
654	rsa_alg = crypto_spawn_akcipher_alg(spawn);
655
656	err = -ENAMETOOLONG;
657
658	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
659		     "pkcs1pad(%s,%s)", rsa_alg->base.cra_name, hash_name) >=
660	    CRYPTO_MAX_ALG_NAME ||
661	    snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
662		     "pkcs1pad(%s,%s)",
663		     rsa_alg->base.cra_driver_name, hash_name) >=
664	    CRYPTO_MAX_ALG_NAME)
665		goto out_drop_alg;
666
667	inst->alg.base.cra_flags = rsa_alg->base.cra_flags & CRYPTO_ALG_ASYNC;
668	inst->alg.base.cra_priority = rsa_alg->base.cra_priority;
669	inst->alg.base.cra_ctxsize = sizeof(struct pkcs1pad_ctx);
670
671	inst->alg.init = pkcs1pad_init_tfm;
672	inst->alg.exit = pkcs1pad_exit_tfm;
673
674	inst->alg.encrypt = pkcs1pad_encrypt;
675	inst->alg.decrypt = pkcs1pad_decrypt;
676	inst->alg.sign = pkcs1pad_sign;
677	inst->alg.verify = pkcs1pad_verify;
678	inst->alg.set_pub_key = pkcs1pad_set_pub_key;
679	inst->alg.set_priv_key = pkcs1pad_set_priv_key;
680	inst->alg.max_size = pkcs1pad_get_max_size;
681	inst->alg.reqsize = sizeof(struct pkcs1pad_request) + rsa_alg->reqsize;
682
683	inst->free = pkcs1pad_free;
684
685	err = akcipher_register_instance(tmpl, inst);
686	if (err)
687		goto out_drop_alg;
688
689	return 0;
690
691out_drop_alg:
692	crypto_drop_akcipher(spawn);
693out_free_inst:
694	kfree(inst);
695	return err;
696}
697
698struct crypto_template rsa_pkcs1pad_tmpl = {
699	.name = "pkcs1pad",
700	.create = pkcs1pad_create,
701	.module = THIS_MODULE,
702};