[linux-block.git] / crypto / sm2.c

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * SM2 asymmetric public-key algorithm
 * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and
 * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
 *
 * Copyright (c) 2020, Alibaba Group.
 * Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
 */

#include <linux/module.h>
#include <linux/mpi.h>
#include <crypto/internal/akcipher.h>
#include <crypto/akcipher.h>
#include <crypto/hash.h>
#include <crypto/sm3_base.h>
#include <crypto/rng.h>
#include <crypto/sm2.h>
#include "sm2signature.asn1.h"

#define MPI_NBYTES(m)   ((mpi_get_nbits(m) + 7) / 8)

struct ecc_domain_parms {
	const char *desc;           /* Description of the curve.  */
	unsigned int nbits;         /* Number of bits.  */
	unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */

	/* The model describing this curve.  This is mainly used to select
	 * the group equation.
	 */
	enum gcry_mpi_ec_models model;

	/* The actual ECC dialect used.  This is used for curve specific
	 * optimizations and to select encodings etc.
	 */
	enum ecc_dialects dialect;

	const char *p;              /* The prime defining the field.  */
	const char *a, *b;          /* The coefficients.  For Twisted Edwards
				     * Curves b is used for d.  For Montgomery
				     * Curves (a,b) has ((A-2)/4,B^-1).
				     */
	const char *n;              /* The order of the base point.  */
	const char *g_x, *g_y;      /* Base point.  */
	unsigned int h;             /* Cofactor.  */
};

static const struct ecc_domain_parms sm2_ecp = {
	.desc = "sm2p256v1",
	.nbits = 256,
	.fips = 0,
	.model = MPI_EC_WEIERSTRASS,
	.dialect = ECC_DIALECT_STANDARD,
	.p   = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
	.a   = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
	.b   = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
	.n   = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
	.g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
	.g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
	.h = 1
};

static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
{
	const struct ecc_domain_parms *ecp = &sm2_ecp;
	MPI p, a, b;
	MPI x, y;
	int rc = -EINVAL;

	p = mpi_scanval(ecp->p);
	a = mpi_scanval(ecp->a);
	b = mpi_scanval(ecp->b);
	if (!p || !a || !b)
		goto free_p;

	x = mpi_scanval(ecp->g_x);
	y = mpi_scanval(ecp->g_y);
	if (!x || !y)
		goto free;

	rc = -ENOMEM;
	/* mpi_ec_setup_elliptic_curve */
	ec->G = mpi_point_new(0);
	if (!ec->G)
		goto free;

	mpi_set(ec->G->x, x);
	mpi_set(ec->G->y, y);
	mpi_set_ui(ec->G->z, 1);

	rc = -EINVAL;
	ec->n = mpi_scanval(ecp->n);
	if (!ec->n) {
		mpi_point_release(ec->G);
		goto free;
	}

	ec->h = ecp->h;
	ec->name = ecp->desc;
	mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);

	rc = 0;

free:
	mpi_free(x);
	mpi_free(y);
free_p:
	mpi_free(p);
	mpi_free(a);
	mpi_free(b);

	return rc;
}

static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
{
	mpi_ec_deinit(ec);

	memset(ec, 0, sizeof(*ec));
}

static int sm2_ec_ctx_reset(struct mpi_ec_ctx *ec)
{
	sm2_ec_ctx_deinit(ec);
	return sm2_ec_ctx_init(ec);
}

/* RESULT must have been initialized and is set on success to the
 * point given by VALUE.
 */
static int sm2_ecc_os2ec(MPI_POINT result, MPI value)
{
	int rc;
	size_t n;
	const unsigned char *buf;
	unsigned char *buf_memory;
	MPI x, y;

	n = (mpi_get_nbits(value)+7)/8;
	buf_memory = kmalloc(n, GFP_KERNEL);
	rc = mpi_print(GCRYMPI_FMT_USG, buf_memory, n, &n, value);
	if (rc) {
		kfree(buf_memory);
		return rc;
	}
	buf = buf_memory;

	if (n < 1) {
		kfree(buf_memory);
		return -EINVAL;
	}
	if (*buf != 4) {
		kfree(buf_memory);
		return -EINVAL; /* No support for point compression.  */
	}
	if (((n-1)%2)) {
		kfree(buf_memory);
		return -EINVAL;
	}
	n = (n-1)/2;
	x = mpi_read_raw_data(buf + 1, n);
	if (!x) {
		kfree(buf_memory);
		return -ENOMEM;
	}
	y = mpi_read_raw_data(buf + 1 + n, n);
	kfree(buf_memory);
	if (!y) {
		mpi_free(x);
		return -ENOMEM;
	}

	mpi_normalize(x);
	mpi_normalize(y);

	mpi_set(result->x, x);
	mpi_set(result->y, y);
	mpi_set_ui(result->z, 1);

	mpi_free(x);
	mpi_free(y);

	return 0;
}

struct sm2_signature_ctx {
	MPI sig_r;
	MPI sig_s;
};

int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
				const void *value, size_t vlen)
{
	struct sm2_signature_ctx *sig = context;

	if (!value || !vlen)
		return -EINVAL;

	sig->sig_r = mpi_read_raw_data(value, vlen);
	if (!sig->sig_r)
		return -ENOMEM;

	return 0;
}

int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
				const void *value, size_t vlen)
{
	struct sm2_signature_ctx *sig = context;

	if (!value || !vlen)
		return -EINVAL;

	sig->sig_s = mpi_read_raw_data(value, vlen);
	if (!sig->sig_s)
		return -ENOMEM;

	return 0;
}

static int sm2_z_digest_update(struct shash_desc *desc,
			MPI m, unsigned int pbytes)
{
	static const unsigned char zero[32];
	unsigned char *in;
	unsigned int inlen;

	in = mpi_get_buffer(m, &inlen, NULL);
	if (!in)
		return -EINVAL;

	if (inlen < pbytes) {
		/* padding with zero */
		crypto_sm3_update(desc, zero, pbytes - inlen);
		crypto_sm3_update(desc, in, inlen);
	} else if (inlen > pbytes) {
		/* skip the starting zero */
		crypto_sm3_update(desc, in + inlen - pbytes, pbytes);
	} else {
		crypto_sm3_update(desc, in, inlen);
	}

	kfree(in);
	return 0;
}

static int sm2_z_digest_update_point(struct shash_desc *desc,
		MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes)
{
	MPI x, y;
	int ret = -EINVAL;

	x = mpi_new(0);
	y = mpi_new(0);

	if (!mpi_ec_get_affine(x, y, point, ec) &&
		!sm2_z_digest_update(desc, x, pbytes) &&
		!sm2_z_digest_update(desc, y, pbytes))
		ret = 0;

	mpi_free(x);
	mpi_free(y);
	return ret;
}

int sm2_compute_z_digest(struct crypto_akcipher *tfm,
			const unsigned char *id, size_t id_len,
			unsigned char dgst[SM3_DIGEST_SIZE])
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	uint16_t bits_len;
	unsigned char entl[2];
	SHASH_DESC_ON_STACK(desc, NULL);
	unsigned int pbytes;

	if (id_len > (USHRT_MAX / 8) || !ec->Q)
		return -EINVAL;

	bits_len = (uint16_t)(id_len * 8);
	entl[0] = bits_len >> 8;
	entl[1] = bits_len & 0xff;

	pbytes = MPI_NBYTES(ec->p);

	/* ZA = H256(ENTLA | IDA | a | b | xG | yG | xA | yA) */
	sm3_base_init(desc);
	crypto_sm3_update(desc, entl, 2);
	crypto_sm3_update(desc, id, id_len);

	if (sm2_z_digest_update(desc, ec->a, pbytes) ||
		sm2_z_digest_update(desc, ec->b, pbytes) ||
		sm2_z_digest_update_point(desc, ec->G, ec, pbytes) ||
		sm2_z_digest_update_point(desc, ec->Q, ec, pbytes))
		return -EINVAL;

	crypto_sm3_final(desc, dgst);
	return 0;
}
EXPORT_SYMBOL(sm2_compute_z_digest);

static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s)
{
	int rc = -EINVAL;
	struct gcry_mpi_point sG, tP;
	MPI t = NULL;
	MPI x1 = NULL, y1 = NULL;

	mpi_point_init(&sG);
	mpi_point_init(&tP);
	x1 = mpi_new(0);
	y1 = mpi_new(0);
	t = mpi_new(0);

	/* r, s in [1, n-1] */
	if (mpi_cmp_ui(sig_r, 1) < 0 || mpi_cmp(sig_r, ec->n) > 0 ||
		mpi_cmp_ui(sig_s, 1) < 0 || mpi_cmp(sig_s, ec->n) > 0) {
		goto leave;
	}

	/* t = (r + s) % n, t == 0 */
	mpi_addm(t, sig_r, sig_s, ec->n);
	if (mpi_cmp_ui(t, 0) == 0)
		goto leave;

	/* sG + tP = (x1, y1) */
	rc = -EBADMSG;
	mpi_ec_mul_point(&sG, sig_s, ec->G, ec);
	mpi_ec_mul_point(&tP, t, ec->Q, ec);
	mpi_ec_add_points(&sG, &sG, &tP, ec);
	if (mpi_ec_get_affine(x1, y1, &sG, ec))
		goto leave;

	/* R = (e + x1) % n */
	mpi_addm(t, hash, x1, ec->n);

	/* check R == r */
	rc = -EKEYREJECTED;
	if (mpi_cmp(t, sig_r))
		goto leave;

	rc = 0;

leave:
	mpi_point_free_parts(&sG);
	mpi_point_free_parts(&tP);
	mpi_free(x1);
	mpi_free(y1);
	mpi_free(t);

	return rc;
}

static int sm2_verify(struct akcipher_request *req)
{
	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	unsigned char *buffer;
	struct sm2_signature_ctx sig;
	MPI hash;
	int ret;

	if (unlikely(!ec->Q))
		return -EINVAL;

	buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	sg_pcopy_to_buffer(req->src,
		sg_nents_for_len(req->src, req->src_len + req->dst_len),
		buffer, req->src_len + req->dst_len, 0);

	sig.sig_r = NULL;
	sig.sig_s = NULL;
	ret = asn1_ber_decoder(&sm2signature_decoder, &sig,
				buffer, req->src_len);
	if (ret)
		goto error;

	ret = -ENOMEM;
	hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len);
	if (!hash)
		goto error;

	ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s);

	mpi_free(hash);
error:
	mpi_free(sig.sig_r);
	mpi_free(sig.sig_s);
	kfree(buffer);
	return ret;
}

static int sm2_set_pub_key(struct crypto_akcipher *tfm,
			const void *key, unsigned int keylen)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	MPI a;
	int rc;

	rc = sm2_ec_ctx_reset(ec);
	if (rc)
		return rc;

	ec->Q = mpi_point_new(0);
	if (!ec->Q)
		return -ENOMEM;

	/* include the uncompressed flag '0x04' */
	rc = -ENOMEM;
	a = mpi_read_raw_data(key, keylen);
	if (!a)
		goto error;

	mpi_normalize(a);
	rc = sm2_ecc_os2ec(ec->Q, a);
	mpi_free(a);
	if (rc)
		goto error;

	return 0;

error:
	mpi_point_release(ec->Q);
	ec->Q = NULL;
	return rc;
}

static unsigned int sm2_max_size(struct crypto_akcipher *tfm)
{
	/* Unlimited max size */
	return PAGE_SIZE;
}

static int sm2_init_tfm(struct crypto_akcipher *tfm)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);

	return sm2_ec_ctx_init(ec);
}

static void sm2_exit_tfm(struct crypto_akcipher *tfm)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);

	sm2_ec_ctx_deinit(ec);
}

static struct akcipher_alg sm2 = {
	.verify = sm2_verify,
	.set_pub_key = sm2_set_pub_key,
	.max_size = sm2_max_size,
	.init = sm2_init_tfm,
	.exit = sm2_exit_tfm,
	.base = {
		.cra_name = "sm2",
		.cra_driver_name = "sm2-generic",
		.cra_priority = 100,
		.cra_module = THIS_MODULE,
		.cra_ctxsize = sizeof(struct mpi_ec_ctx),
	},
};

static int sm2_init(void)
{
	return crypto_register_akcipher(&sm2);
}

static void sm2_exit(void)
{
	crypto_unregister_akcipher(&sm2);
}

subsys_initcall(sm2_init);
module_exit(sm2_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
MODULE_DESCRIPTION("SM2 generic algorithm");
MODULE_ALIAS_CRYPTO("sm2-generic");
Commit	Line	Data
ea7ecb66 TZ	1	/* SPDX-License-Identifier: GPL-2.0-or-later */
	2	/*
	3	* SM2 asymmetric public-key algorithm
	4	* as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and
	5	* described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
	6	*
	7	* Copyright (c) 2020, Alibaba Group.
	8	* Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
	9	*/
	10
	11	#include <linux/module.h>
	12	#include <linux/mpi.h>
	13	#include <crypto/internal/akcipher.h>
	14	#include <crypto/akcipher.h>
	15	#include <crypto/hash.h>
	16	#include <crypto/sm3_base.h>
	17	#include <crypto/rng.h>
	18	#include <crypto/sm2.h>
	19	#include "sm2signature.asn1.h"
	20
	21	#define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8)
	22
	23	struct ecc_domain_parms {
	24	const char desc; / Description of the curve. */
	25	unsigned int nbits; /* Number of bits. */
	26	unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */
	27
	28	/* The model describing this curve. This is mainly used to select
	29	* the group equation.
	30	*/
	31	enum gcry_mpi_ec_models model;
	32
	33	/* The actual ECC dialect used. This is used for curve specific
	34	* optimizations and to select encodings etc.
	35	*/
	36	enum ecc_dialects dialect;
	37
	38	const char p; / The prime defining the field. */
	39	const char a, b; /* The coefficients. For Twisted Edwards
	40	* Curves b is used for d. For Montgomery
	41	* Curves (a,b) has ((A-2)/4,B^-1).
	42	*/
	43	const char n; / The order of the base point. */
	44	const char g_x, g_y; /* Base point. */
	45	unsigned int h; /* Cofactor. */
	46	};
	47
	48	static const struct ecc_domain_parms sm2_ecp = {
	49	.desc = "sm2p256v1",
	50	.nbits = 256,
	51	.fips = 0,
	52	.model = MPI_EC_WEIERSTRASS,
	53	.dialect = ECC_DIALECT_STANDARD,
	54	.p = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
	55	.a = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
	56	.b = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
	57	.n = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
	58	.g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
	59	.g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
	60	.h = 1
	61	};
	62
	63	static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
	64	{
65	const struct ecc_domain_parms *ecp = &sm2_ecp;
66	MPI p, a, b;
67	MPI x, y;
68	int rc = -EINVAL;
69
70	p = mpi_scanval(ecp->p);
71	a = mpi_scanval(ecp->a);
72	b = mpi_scanval(ecp->b);
73	if (!p \|\| !a \|\| !b)
74	goto free_p;
75
76	x = mpi_scanval(ecp->g_x);
77	y = mpi_scanval(ecp->g_y);
78	if (!x \|\| !y)
79	goto free;
80
81	rc = -ENOMEM;
82	/* mpi_ec_setup_elliptic_curve */
83	ec->G = mpi_point_new(0);
84	if (!ec->G)
85	goto free;
86
87	mpi_set(ec->G->x, x);
88	mpi_set(ec->G->y, y);
89	mpi_set_ui(ec->G->z, 1);
90
91	rc = -EINVAL;
92	ec->n = mpi_scanval(ecp->n);
93	if (!ec->n) {
94	mpi_point_release(ec->G);
95	goto free;
96	}
97
98	ec->h = ecp->h;
99	ec->name = ecp->desc;
100	mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);
101
102	rc = 0;
103
104	free:
105	mpi_free(x);
106	mpi_free(y);
107	free_p:
108	mpi_free(p);
109	mpi_free(a);
110	mpi_free(b);
111
112	return rc;
113	}
114
115	static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
116	{
117	mpi_ec_deinit(ec);
118
119	memset(ec, 0, sizeof(*ec));
120	}
121
122	static int sm2_ec_ctx_reset(struct mpi_ec_ctx *ec)
123	{
124	sm2_ec_ctx_deinit(ec);
125	return sm2_ec_ctx_init(ec);
126	}
127
128	/* RESULT must have been initialized and is set on success to the
129	* point given by VALUE.
130	*/
131	static int sm2_ecc_os2ec(MPI_POINT result, MPI value)
132	{
133	int rc;
134	size_t n;
135	const unsigned char *buf;
136	unsigned char *buf_memory;
137	MPI x, y;
138
139	n = (mpi_get_nbits(value)+7)/8;
140	buf_memory = kmalloc(n, GFP_KERNEL);
141	rc = mpi_print(GCRYMPI_FMT_USG, buf_memory, n, &n, value);
142	if (rc) {
143	kfree(buf_memory);
144	return rc;
145	}
146	buf = buf_memory;
147
148	if (n < 1) {
149	kfree(buf_memory);
150	return -EINVAL;
151	}
152	if (*buf != 4) {
153	kfree(buf_memory);
154	return -EINVAL; /* No support for point compression. */
155	}
156	if (((n-1)%2)) {
157	kfree(buf_memory);
158	return -EINVAL;
159	}
160	n = (n-1)/2;
161	x = mpi_read_raw_data(buf + 1, n);
162	if (!x) {
163	kfree(buf_memory);
164	return -ENOMEM;
165	}
166	y = mpi_read_raw_data(buf + 1 + n, n);
167	kfree(buf_memory);
168	if (!y) {
169	mpi_free(x);
170	return -ENOMEM;
171	}
172
173	mpi_normalize(x);
174	mpi_normalize(y);
175
176	mpi_set(result->x, x);
177	mpi_set(result->y, y);
178	mpi_set_ui(result->z, 1);
179
180	mpi_free(x);
181	mpi_free(y);
182
183	return 0;
184	}
185
186	struct sm2_signature_ctx {
187	MPI sig_r;
188	MPI sig_s;
189	};
190
191	int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
192	const void *value, size_t vlen)
193	{
194	struct sm2_signature_ctx *sig = context;
195
196	if (!value \|\| !vlen)
197	return -EINVAL;
198
199	sig->sig_r = mpi_read_raw_data(value, vlen);
200	if (!sig->sig_r)
201	return -ENOMEM;
202
203	return 0;
204	}
205
206	int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
207	const void *value, size_t vlen)
208	{
209	struct sm2_signature_ctx *sig = context;
210
211	if (!value \|\| !vlen)
212	return -EINVAL;
213
214	sig->sig_s = mpi_read_raw_data(value, vlen);
215	if (!sig->sig_s)
216	return -ENOMEM;
217
218	return 0;
219	}
220
221	static int sm2_z_digest_update(struct shash_desc *desc,
222	MPI m, unsigned int pbytes)
223	{
224	static const unsigned char zero[32];
225	unsigned char *in;
226	unsigned int inlen;
227
228	in = mpi_get_buffer(m, &inlen, NULL);
229	if (!in)
230	return -EINVAL;
231
232	if (inlen < pbytes) {
233	/* padding with zero */
234	crypto_sm3_update(desc, zero, pbytes - inlen);
235	crypto_sm3_update(desc, in, inlen);
236	} else if (inlen > pbytes) {
237	/* skip the starting zero */
238	crypto_sm3_update(desc, in + inlen - pbytes, pbytes);
239	} else {
240	crypto_sm3_update(desc, in, inlen);
241	}
242
243	kfree(in);
244	return 0;
245	}
246
247	static int sm2_z_digest_update_point(struct shash_desc *desc,
248	MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes)
249	{
250	MPI x, y;
251	int ret = -EINVAL;
252
253	x = mpi_new(0);
254	y = mpi_new(0);
255
256	if (!mpi_ec_get_affine(x, y, point, ec) &&
257	!sm2_z_digest_update(desc, x, pbytes) &&
258	!sm2_z_digest_update(desc, y, pbytes))
259	ret = 0;
260
261	mpi_free(x);
262	mpi_free(y);
263	return ret;
264	}
265
266	int sm2_compute_z_digest(struct crypto_akcipher *tfm,
267	const unsigned char *id, size_t id_len,
268	unsigned char dgst[SM3_DIGEST_SIZE])
269	{
270	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
271	uint16_t bits_len;
272	unsigned char entl[2];
273	SHASH_DESC_ON_STACK(desc, NULL);
274	unsigned int pbytes;
275
276	if (id_len > (USHRT_MAX / 8) \|\| !ec->Q)
277	return -EINVAL;
278
279	bits_len = (uint16_t)(id_len * 8);
280	entl[0] = bits_len >> 8;
281	entl[1] = bits_len & 0xff;
282
283	pbytes = MPI_NBYTES(ec->p);
284
285	/* ZA = H256(ENTLA \| IDA \| a \| b \| xG \| yG \| xA \| yA) */
286	sm3_base_init(desc);
287	crypto_sm3_update(desc, entl, 2);
288	crypto_sm3_update(desc, id, id_len);
289
290	if (sm2_z_digest_update(desc, ec->a, pbytes) \|\|
291	sm2_z_digest_update(desc, ec->b, pbytes) \|\|
292	sm2_z_digest_update_point(desc, ec->G, ec, pbytes) \|\|
293	sm2_z_digest_update_point(desc, ec->Q, ec, pbytes))
294	return -EINVAL;
295
296	crypto_sm3_final(desc, dgst);
297	return 0;
298	}
299	EXPORT_SYMBOL(sm2_compute_z_digest);
300
301	static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s)
302	{
303	int rc = -EINVAL;
304	struct gcry_mpi_point sG, tP;
305	MPI t = NULL;
306	MPI x1 = NULL, y1 = NULL;
307
308	mpi_point_init(&sG);
309	mpi_point_init(&tP);
310	x1 = mpi_new(0);
311	y1 = mpi_new(0);
312	t = mpi_new(0);
313
314	/* r, s in [1, n-1] */
315	if (mpi_cmp_ui(sig_r, 1) < 0 \|\| mpi_cmp(sig_r, ec->n) > 0 \|\|
316	mpi_cmp_ui(sig_s, 1) < 0 \|\| mpi_cmp(sig_s, ec->n) > 0) {
317	goto leave;
318	}
319
320	/* t = (r + s) % n, t == 0 */
321	mpi_addm(t, sig_r, sig_s, ec->n);
322	if (mpi_cmp_ui(t, 0) == 0)
323	goto leave;
324
325	/* sG + tP = (x1, y1) */
326	rc = -EBADMSG;
327	mpi_ec_mul_point(&sG, sig_s, ec->G, ec);
328	mpi_ec_mul_point(&tP, t, ec->Q, ec);
329	mpi_ec_add_points(&sG, &sG, &tP, ec);
330	if (mpi_ec_get_affine(x1, y1, &sG, ec))
331	goto leave;
332
333	/* R = (e + x1) % n */
334	mpi_addm(t, hash, x1, ec->n);
335
336	/* check R == r */
337	rc = -EKEYREJECTED;
338	if (mpi_cmp(t, sig_r))
339	goto leave;
340
341	rc = 0;
342
343	leave:
344	mpi_point_free_parts(&sG);
345	mpi_point_free_parts(&tP);
346	mpi_free(x1);
347	mpi_free(y1);
348	mpi_free(t);
349
350	return rc;
351	}
352
353	static int sm2_verify(struct akcipher_request *req)
354	{
355	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
356	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
357	unsigned char *buffer;
358	struct sm2_signature_ctx sig;
359	MPI hash;
360	int ret;
361
362	if (unlikely(!ec->Q))
363	return -EINVAL;
364
365	buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL);
366	if (!buffer)
367	return -ENOMEM;
368
369	sg_pcopy_to_buffer(req->src,
370	sg_nents_for_len(req->src, req->src_len + req->dst_len),
371	buffer, req->src_len + req->dst_len, 0);
372
373	sig.sig_r = NULL;
374	sig.sig_s = NULL;
375	ret = asn1_ber_decoder(&sm2signature_decoder, &sig,
376	buffer, req->src_len);
377	if (ret)
378	goto error;
379
380	ret = -ENOMEM;
381	hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len);
382	if (!hash)
383	goto error;
384
385	ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s);
386
387	mpi_free(hash);
388	error:
389	mpi_free(sig.sig_r);
390	mpi_free(sig.sig_s);
391	kfree(buffer);
392	return ret;
393	}
394
395	static int sm2_set_pub_key(struct crypto_akcipher *tfm,
396	const void *key, unsigned int keylen)
397	{
398	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
399	MPI a;
400	int rc;
401
402	rc = sm2_ec_ctx_reset(ec);
403	if (rc)
404	return rc;
405
406	ec->Q = mpi_point_new(0);
407	if (!ec->Q)
408	return -ENOMEM;
409
410	/* include the uncompressed flag '0x04' */
411	rc = -ENOMEM;
412	a = mpi_read_raw_data(key, keylen);
413	if (!a)
414	goto error;
415
416	mpi_normalize(a);
417	rc = sm2_ecc_os2ec(ec->Q, a);
418	mpi_free(a);
419	if (rc)
420	goto error;
421
422	return 0;
423
424	error:
425	mpi_point_release(ec->Q);
426	ec->Q = NULL;
427	return rc;
428	}
429
430	static unsigned int sm2_max_size(struct crypto_akcipher *tfm)
431	{
432	/* Unlimited max size */
433	return PAGE_SIZE;
434	}
435
436	static int sm2_init_tfm(struct crypto_akcipher *tfm)
437	{
438	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
439
440	return sm2_ec_ctx_init(ec);
441	}
442
443	static void sm2_exit_tfm(struct crypto_akcipher *tfm)
444	{
445	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
446
447	sm2_ec_ctx_deinit(ec);
448	}
449
450	static struct akcipher_alg sm2 = {
451	.verify = sm2_verify,
452	.set_pub_key = sm2_set_pub_key,
453	.max_size = sm2_max_size,
454	.init = sm2_init_tfm,
455	.exit = sm2_exit_tfm,
456	.base = {
457	.cra_name = "sm2",
458	.cra_driver_name = "sm2-generic",
459	.cra_priority = 100,
460	.cra_module = THIS_MODULE,
461	.cra_ctxsize = sizeof(struct mpi_ec_ctx),
462	},
463	};
464
465	static int sm2_init(void)
466	{
467	return crypto_register_akcipher(&sm2);
468	}
469
470	static void sm2_exit(void)
471	{
472	crypto_unregister_akcipher(&sm2);
473	}
474
475	subsys_initcall(sm2_init);
476	module_exit(sm2_exit);
477
478	MODULE_LICENSE("GPL");
479	MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
480	MODULE_DESCRIPTION("SM2 generic algorithm");
481	MODULE_ALIAS_CRYPTO("sm2-generic");