From: David Howells <dhowells@redhat.com>
To: Lukas Wunner <lukas@wunner.de>, Ignat Korchagin <ignat@cloudflare.com>
Cc: David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org,
Tadeusz Struk <tadeusz.struk@intel.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH v11 6/8] crypto: Add RSASSA-PSS support
Date: Mon, 5 Jan 2026 15:21:31 +0000 [thread overview]
Message-ID: <20260105152145.1801972-7-dhowells@redhat.com> (raw)
In-Reply-To: <20260105152145.1801972-1-dhowells@redhat.com>
Add support for RSASSA-PSS [RFC8017 sec 8.1] signature verification support
to the RSA driver in crypto/. Note that signing support is not provided.
The verification function requires an info string formatted as a
space-separated list of key=value pairs. The following parameters need to
be provided:
(1) sighash=<algo>
The hash algorithm to be used to digest the data.
(2) pss_mask=<type>,...
The mask generation function (MGF) and its parameters.
(3) pss_salt=<len>
The length of the salt used.
The only MGF currently supported is "mgf1". This takes an additional
parameter indicating the mask-generating hash (which need not be the same
as the data hash). E.g.:
"sighash=sha256 pss_mask=mgf1,sha256 pss_salt=32"
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Tadeusz Struk <tadeusz.struk@intel.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: David S. Miller <davem@davemloft.net>
cc: Lukas Wunner <lukas@wunner.de>
cc: Ignat Korchagin <ignat@cloudflare.com>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
---
crypto/Makefile | 1 +
crypto/rsa.c | 8 +
crypto/rsassa-pss.c | 397 ++++++++++++++++++++++++++++++++++
include/crypto/internal/rsa.h | 2 +
4 files changed, 408 insertions(+)
create mode 100644 crypto/rsassa-pss.c
diff --git a/crypto/Makefile b/crypto/Makefile
index 267d5403045b..5c91440d1751 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -50,6 +50,7 @@ rsa_generic-y += rsa.o
rsa_generic-y += rsa_helper.o
rsa_generic-y += rsa-pkcs1pad.o
rsa_generic-y += rsassa-pkcs1.o
+rsa_generic-y += rsassa-pss.o
obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o
$(obj)/ecdsasignature.asn1.o: $(obj)/ecdsasignature.asn1.c $(obj)/ecdsasignature.asn1.h
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 6c7734083c98..189a09d54c16 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -10,6 +10,7 @@
#include <linux/mpi.h>
#include <crypto/internal/rsa.h>
#include <crypto/internal/akcipher.h>
+#include <crypto/internal/sig.h>
#include <crypto/akcipher.h>
#include <crypto/algapi.h>
@@ -414,8 +415,14 @@ static int __init rsa_init(void)
if (err)
goto err_unregister_rsa_pkcs1pad;
+ err = crypto_register_sig(&rsassa_pss_alg);
+ if (err)
+ goto err_rsassa_pss;
+
return 0;
+err_rsassa_pss:
+ crypto_unregister_template(&rsassa_pkcs1_tmpl);
err_unregister_rsa_pkcs1pad:
crypto_unregister_template(&rsa_pkcs1pad_tmpl);
err_unregister_rsa:
@@ -425,6 +432,7 @@ static int __init rsa_init(void)
static void __exit rsa_exit(void)
{
+ crypto_unregister_sig(&rsassa_pss_alg);
crypto_unregister_template(&rsassa_pkcs1_tmpl);
crypto_unregister_template(&rsa_pkcs1pad_tmpl);
crypto_unregister_akcipher(&rsa);
diff --git a/crypto/rsassa-pss.c b/crypto/rsassa-pss.c
new file mode 100644
index 000000000000..7f27e8fa6fa7
--- /dev/null
+++ b/crypto/rsassa-pss.c
@@ -0,0 +1,397 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * RSA Signature Scheme combined with EMSA-PSS encoding (RFC 8017 sec 8.2)
+ *
+ * https://www.rfc-editor.org/rfc/rfc8017#section-8.1
+ *
+ * Copyright (c) 2025 Red Hat
+ */
+
+#define pr_fmt(fmt) "RSAPSS: "fmt
+#include <linux/ctype.h>
+#include <linux/module.h>
+#include <linux/oid_registry.h>
+#include <linux/parser.h>
+#include <linux/scatterlist.h>
+#include <crypto/akcipher.h>
+#include <crypto/algapi.h>
+#include <crypto/hash.h>
+#include <crypto/sig.h>
+#include <crypto/internal/akcipher.h>
+#include <crypto/internal/rsa.h>
+#include <crypto/internal/sig.h>
+
+struct rsassa_pss_ctx {
+ struct crypto_akcipher *rsa;
+ unsigned int key_size;
+ unsigned int salt_len;
+ char *pss_hash;
+ char *mgf1_hash;
+};
+
+enum {
+ rsassa_pss_verify_hash_algo,
+ rsassa_pss_verify_pss_mask,
+ rsassa_pss_verify_pss_salt,
+};
+
+static const match_table_t rsassa_pss_verify_params = {
+ { rsassa_pss_verify_hash_algo, "sighash=%s" },
+ { rsassa_pss_verify_pss_mask, "pss_mask=%s" },
+ { rsassa_pss_verify_pss_salt, "pss_salt=%u" },
+ {}
+};
+
+/*
+ * Parse the signature parameters out of the info string.
+ */
+static int rsassa_pss_vinfo_parse(struct rsassa_pss_ctx *ctx,
+ char *info)
+{
+ substring_t args[MAX_OPT_ARGS];
+ char *p, *q;
+
+ ctx->pss_hash = NULL;
+ ctx->mgf1_hash = NULL;
+ ctx->salt_len = 0;
+
+ for (p = info; p && *p;) {
+ if (isspace(*p)) {
+ p++;
+ continue;
+ }
+ q = p++;
+ while (*p && !isspace(*p))
+ p++;
+
+ if (!*p)
+ p = NULL;
+ else
+ *p++ = 0;
+
+ switch (match_token(q, rsassa_pss_verify_params, args)) {
+ case rsassa_pss_verify_hash_algo:
+ *args[0].to = 0;
+ ctx->pss_hash = args[0].from;
+ break;
+ case rsassa_pss_verify_pss_mask:
+ if (memcmp(args[0].from, "mgf1", 4) != 0)
+ return -ENOPKG;
+ if (args[0].from[4] != ',')
+ return -EINVAL;
+ args[0].from += 5;
+ if (args[0].from >= args[0].to)
+ return -EINVAL;
+ *args[0].to = 0;
+ ctx->mgf1_hash = args[0].from;
+ break;
+ case rsassa_pss_verify_pss_salt:
+ if (match_uint(&args[0], &ctx->salt_len) < 0)
+ return -EINVAL;
+ break;
+ default:
+ pr_debug("Unknown info param\n");
+ return -EINVAL; /* Ignoring it might be better. */
+ }
+ }
+
+ if (!ctx->pss_hash ||
+ !ctx->mgf1_hash ||
+ !ctx->salt_len)
+ return -EINVAL;
+ return 0;
+}
+
+DEFINE_FREE(crypto_free_shash, struct crypto_shash*,
+ if (!IS_ERR_OR_NULL(_T)) { crypto_free_shash(_T); });
+
+/*
+ * Perform mask = MGF1(mgfSeed, masklen) - RFC8017 appendix B.2.1.
+ */
+static int MGF1(struct rsassa_pss_ctx *ctx,
+ const u8 *mgfSeed, unsigned int mgfSeed_len,
+ u8 *mask, unsigned int maskLen)
+{
+ struct crypto_shash *hash_tfm __free(crypto_free_shash) = NULL;
+ struct shash_desc *Hash __free(kfree) = NULL;
+ unsigned int counter, count_to, hLen, T_len;
+ __be32 *C;
+ int err;
+ u8 *T, *t, *to_hash;
+
+ hash_tfm = crypto_alloc_shash(ctx->mgf1_hash, 0, 0);
+ if (IS_ERR(hash_tfm))
+ return PTR_ERR(hash_tfm);
+
+ hLen = crypto_shash_digestsize(hash_tfm);
+ count_to = DIV_ROUND_UP(maskLen, hLen);
+ T_len = hLen * count_to;
+
+ Hash = kmalloc(roundup(sizeof(struct shash_desc) +
+ crypto_shash_descsize(hash_tfm), 64) +
+ roundup(T_len, 64) + /* T */
+ roundup(mgfSeed_len + 4, 64), /* mgfSeed||C */
+ GFP_KERNEL);
+ if (!Hash)
+ return -ENOMEM;
+
+ Hash->tfm = hash_tfm;
+
+ /* 2: Let T be the empty octet string. */
+ T = (void *)Hash +
+ roundup(sizeof(struct shash_desc) +
+ crypto_shash_descsize(hash_tfm), 64);
+
+ /* 3: Generate the mask. */
+ to_hash = T + roundup(T_len, 64);
+ memcpy(to_hash, mgfSeed, mgfSeed_len);
+ C = (__be32 *)(to_hash + mgfSeed_len);
+
+ t = T;
+ for (counter = 0; counter < count_to; counter++) {
+ /* 3A: C = I2OSP(counter, 4). */
+ put_unaligned_be32(counter, C);
+
+ /* 3B: T = T || Hash(mgfSeed || C). */
+ err = crypto_shash_digest(Hash, to_hash, mgfSeed_len + 4, t);
+ if (err < 0)
+ return err;
+
+ t += hLen;
+ }
+
+ /* 4: Output T to mask */
+ memcpy(mask, T, maskLen);
+ return 0;
+}
+
+/*
+ * Perform EMSA-PSS-VERIFY(M, EM, emBits) - RFC8017 sec 9.1.2.
+ */
+static int emsa_pss_verify(struct rsassa_pss_ctx *ctx,
+ const u8 *M, unsigned int M_len,
+ const u8 *EM, unsigned int emLen)
+{
+ struct crypto_shash *hash_tfm __free(crypto_free_shash);
+ struct shash_desc *Hash __free(kfree) = NULL;
+ unsigned int emBits, hLen, sLen, DB_len;
+ const u8 *maskedDB, *H;
+ u8 *mHash, *dbMask, *DB, *salt, *Mprime, *Hprime;
+ int err, i;
+
+ emBits = 8 - fls(EM[0]);
+ emBits = emLen * 8 - emBits;
+
+ hash_tfm = crypto_alloc_shash(ctx->pss_hash, 0, 0);
+ if (IS_ERR(hash_tfm))
+ return PTR_ERR(hash_tfm);
+
+ hLen = crypto_shash_digestsize(hash_tfm);
+ sLen = ctx->salt_len;
+
+ if (sLen > 65536 ||
+ emBits < 8 * (hLen + sLen) + 9)
+ return -EBADMSG;
+
+ DB_len = emLen - hLen - 1;
+
+ Hash = kmalloc(roundup(sizeof(struct shash_desc) +
+ crypto_shash_descsize(hash_tfm), 64) +
+ roundup(hLen, 64) + /* mHash */
+ roundup(DB_len, 64) + /* DB and dbMask */
+ roundup(8 + hLen + sLen, 64) + /* M' */
+ roundup(hLen, 64), /* H' */
+ GFP_KERNEL);
+ if (!Hash)
+ return -ENOMEM;
+
+ Hash->tfm = hash_tfm;
+
+ mHash = (void *)Hash +
+ roundup(sizeof(struct shash_desc) +
+ crypto_shash_descsize(hash_tfm), 64);
+ DB = dbMask = mHash + roundup(hLen, 64);
+ Mprime = dbMask + roundup(DB_len, 64);
+ Hprime = Mprime + roundup(8 + hLen + sLen, 64);
+
+ /* 1. Check len M against hash input limitation. */
+ /* The standard says ~2EiB for SHA1, so I think we can ignore this. */
+
+ /* 2. mHash = Hash(M).
+ * In theory, we would do:
+ * err = crypto_shash_digest(Hash, M, M_len, mHash);
+ * but the caller is assumed to already have done that for us.
+ */
+ if (M_len != hLen)
+ return -EINVAL;
+ memcpy(mHash, M, hLen);
+
+ /* 3. Check emLen against hLen + sLen + 2. */
+ if (emLen < hLen + sLen + 2)
+ return -EBADMSG;
+
+ /* 4. Validate EM. */
+ if (EM[emLen - 1] != 0xbc)
+ return -EKEYREJECTED;
+
+ /* 5. Pick maskedDB and H. */
+ maskedDB = EM;
+ H = EM + DB_len;
+
+ /* 6. Check leftmost 8emLen-emBits bits of maskedDB are 0. */
+ /* Can only find emBits by counting the zeros on the Left. */
+
+ /* 7. Let dbMask = MGF(H, emLen - hLen - 1). */
+ err = MGF1(ctx, H, hLen, dbMask, DB_len);
+ if (err < 0)
+ return err;
+
+ /* 8. Let DB = maskedDB XOR dbMask. */
+ for (i = 0; i < DB_len; i++)
+ DB[i] = maskedDB[i] ^ dbMask[i];
+
+ /* 9. Set leftmost bits in DB to zero. */
+ int z = 8 * emLen - emBits;
+ if (z > 0) {
+ if (z >= 8) {
+ DB[0] = 0;
+ } else {
+ z = 8 - z;
+ DB[0] &= (1 << z) - 1;
+ }
+ }
+
+ /* 10. Check the left part of DB is {0,0,...,1}. */
+ for (i = 0; i < emLen - hLen - sLen - 2; i++)
+ if (DB[i] != 0)
+ return -EKEYREJECTED;
+ if (DB[i] != 0x01)
+ return -EKEYREJECTED;
+
+ /* 11. Let salt be the last sLen octets of DB. */
+ salt = DB + DB_len - sLen;
+
+ /* 12. Let M' be 00 00 00 00 00 00 00 00 || mHash || salt. */
+ memset(Mprime, 0, 8);
+ memcpy(Mprime + 8, mHash, hLen);
+ memcpy(Mprime + 8 + hLen, salt, sLen);
+
+ /* 13. Let H' = Hash(M'). */
+ err = crypto_shash_digest(Hash, Mprime, 8 + hLen + sLen, Hprime);
+ if (err < 0)
+ return err;
+
+ /* 14. Check H = H'. */
+ if (memcmp(H, Hprime, hLen) != 0)
+ return -EKEYREJECTED;
+ return 0;
+}
+
+/*
+ * Perform RSASSA-PSS-VERIFY((n,e),M,S) - RFC8017 sec 8.1.2.
+ */
+static int rsassa_pss_verify(struct crypto_sig *tfm,
+ const void *src, unsigned int slen,
+ const void *digest, unsigned int dlen,
+ const char *info)
+{
+ struct akcipher_request *rsa_req __free(kfree) = NULL;
+ struct rsassa_pss_ctx *ctx = crypto_sig_ctx(tfm);
+ struct crypto_wait cwait;
+ struct scatterlist sg;
+ unsigned int rsa_reqsize = crypto_akcipher_reqsize(ctx->rsa);
+ char *str __free(kfree) = NULL;
+ u8 *EM;
+ int err;
+
+ if (!info)
+ return -EINVAL;
+
+ str = kstrdup(info, GFP_KERNEL);
+ if (!str)
+ return -ENOMEM;
+
+ err = rsassa_pss_vinfo_parse(ctx, str);
+ if (err < 0)
+ return err;
+
+ /* RFC8017 sec 8.1.2 step 1 - length checking */
+ if (!ctx->key_size || slen != ctx->key_size)
+ return -EINVAL;
+
+ /* RFC8017 sec 8.1.2 step 2 - RSA verification */
+ rsa_req = kmalloc(sizeof(*rsa_req) + rsa_reqsize + ctx->key_size,
+ GFP_KERNEL);
+ if (!rsa_req)
+ return -ENOMEM;
+
+ EM = (u8 *)(rsa_req + 1) + rsa_reqsize;
+ memcpy(EM, src, slen);
+
+ crypto_init_wait(&cwait);
+ sg_init_one(&sg, EM, slen);
+ akcipher_request_set_tfm(rsa_req, ctx->rsa);
+ akcipher_request_set_crypt(rsa_req, &sg, &sg, slen, slen);
+ akcipher_request_set_callback(rsa_req, CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &cwait);
+
+ err = crypto_akcipher_encrypt(rsa_req);
+ err = crypto_wait_req(err, &cwait);
+ if (err)
+ return err;
+
+ /* RFC 8017 sec 8.1.2 step 3 - EMSA-PSS(M, EM, modbits-1) */
+ return emsa_pss_verify(ctx, digest, dlen, EM, slen);
+}
+
+static unsigned int rsassa_pss_key_size(struct crypto_sig *tfm)
+{
+ struct rsassa_pss_ctx *ctx = crypto_sig_ctx(tfm);
+
+ return ctx->key_size * BITS_PER_BYTE;
+}
+
+static int rsassa_pss_set_pub_key(struct crypto_sig *tfm,
+ const void *key, unsigned int keylen)
+{
+ struct rsassa_pss_ctx *ctx = crypto_sig_ctx(tfm);
+
+ return rsa_set_key(ctx->rsa, &ctx->key_size, RSA_PUB, key, keylen);
+}
+
+static int rsassa_pss_init_tfm(struct crypto_sig *tfm)
+{
+ struct crypto_akcipher *rsa;
+ struct rsassa_pss_ctx *ctx = crypto_sig_ctx(tfm);
+
+ rsa = crypto_alloc_akcipher("rsa", 0, 0);
+ if (IS_ERR(rsa))
+ return PTR_ERR(rsa);
+
+ ctx->rsa = rsa;
+ return 0;
+}
+
+static void rsassa_pss_exit_tfm(struct crypto_sig *tfm)
+{
+ struct rsassa_pss_ctx *ctx = crypto_sig_ctx(tfm);
+
+ crypto_free_akcipher(ctx->rsa);
+}
+
+struct sig_alg rsassa_pss_alg = {
+ .verify = rsassa_pss_verify,
+ .set_pub_key = rsassa_pss_set_pub_key,
+ .key_size = rsassa_pss_key_size,
+ .init = rsassa_pss_init_tfm,
+ .exit = rsassa_pss_exit_tfm,
+ .base = {
+ .cra_name = "rsassa-pss",
+ .cra_driver_name = "rsassa-pss-generic",
+ .cra_priority = 100,
+ .cra_module = THIS_MODULE,
+ .cra_ctxsize = sizeof(struct rsassa_pss_ctx),
+ },
+};
+
+MODULE_ALIAS_CRYPTO("rsassa-pss");
diff --git a/include/crypto/internal/rsa.h b/include/crypto/internal/rsa.h
index 071a1951b992..d7f38a273949 100644
--- a/include/crypto/internal/rsa.h
+++ b/include/crypto/internal/rsa.h
@@ -83,4 +83,6 @@ static inline int rsa_set_key(struct crypto_akcipher *child,
extern struct crypto_template rsa_pkcs1pad_tmpl;
extern struct crypto_template rsassa_pkcs1_tmpl;
+extern struct sig_alg rsassa_pss_alg;
+
#endif
next prev parent reply other threads:[~2026-01-05 15:22 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-05 15:21 [PATCH v11 0/8] x509, pkcs7, crypto: Add ML-DSA and RSASSA-PSS signing David Howells
2026-01-05 15:21 ` [PATCH v11 1/8] crypto: Add ML-DSA crypto_sig support David Howells
2026-01-05 15:21 ` [PATCH v11 2/8] pkcs7: Allow the signing algo to calculate the digest itself David Howells
2026-01-05 20:19 ` Ignat Korchagin
2026-01-07 13:53 ` David Howells
2026-01-07 13:59 ` Ignat Korchagin
2026-01-08 12:59 ` David Howells
2026-01-05 15:21 ` [PATCH v11 3/8] pkcs7, x509: Add ML-DSA support David Howells
2026-01-06 8:02 ` Eric Biggers
2026-01-06 8:22 ` Eric Biggers
2026-01-06 9:37 ` David Howells
2026-01-08 14:38 ` David Howells
2026-01-05 15:21 ` [PATCH v11 4/8] modsign: Enable ML-DSA module signing David Howells
2026-01-06 8:10 ` Eric Biggers
2026-01-05 15:21 ` [PATCH v11 5/8] crypto: Add supplementary info param to asymmetric key signature verification David Howells
2026-01-07 14:23 ` Ignat Korchagin
2026-01-05 15:21 ` David Howells [this message]
2026-01-07 16:24 ` [PATCH v11 6/8] crypto: Add RSASSA-PSS support Ignat Korchagin
2026-01-08 11:29 ` David Howells
2026-01-08 13:15 ` Jarkko Sakkinen
2026-01-08 14:39 ` David Howells
2026-01-05 15:21 ` [PATCH v11 7/8] pkcs7, x509: " David Howells
2026-01-07 16:36 ` Ignat Korchagin
2026-01-08 11:53 ` David Howells
2026-01-05 15:21 ` [PATCH v11 8/8] modsign: Enable RSASSA-PSS module signing David Howells
2026-01-07 16:38 ` Ignat Korchagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260105152145.1801972-7-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
--cc=tadeusz.struk@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).