[linux.git] / crypto / sm2.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * SM2 asymmetric public-key algorithm
 * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and
 * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
 *
 * Copyright (c) 2020, Alibaba Group.
 * Authors: Tianjia Zhang <[email protected]>
 */

#include <linux/module.h>
#include <linux/mpi.h>
#include <crypto/internal/akcipher.h>
#include <crypto/akcipher.h>
#include <crypto/hash.h>
#include <crypto/sm3.h>
#include <crypto/rng.h>
#include <crypto/sm2.h>
#include "sm2signature.asn1.h"

#define MPI_NBYTES(m)   ((mpi_get_nbits(m) + 7) / 8)

struct ecc_domain_parms {
	const char *desc;           /* Description of the curve.  */
	unsigned int nbits;         /* Number of bits.  */
	unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */

	/* The model describing this curve.  This is mainly used to select
	 * the group equation.
	 */
	enum gcry_mpi_ec_models model;

	/* The actual ECC dialect used.  This is used for curve specific
	 * optimizations and to select encodings etc.
	 */
	enum ecc_dialects dialect;

	const char *p;              /* The prime defining the field.  */
	const char *a, *b;          /* The coefficients.  For Twisted Edwards
				     * Curves b is used for d.  For Montgomery
				     * Curves (a,b) has ((A-2)/4,B^-1).
				     */
	const char *n;              /* The order of the base point.  */
	const char *g_x, *g_y;      /* Base point.  */
	unsigned int h;             /* Cofactor.  */
};

static const struct ecc_domain_parms sm2_ecp = {
	.desc = "sm2p256v1",
	.nbits = 256,
	.fips = 0,
	.model = MPI_EC_WEIERSTRASS,
	.dialect = ECC_DIALECT_STANDARD,
	.p   = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
	.a   = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
	.b   = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
	.n   = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
	.g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
	.g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
	.h = 1
};

static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
{
	const struct ecc_domain_parms *ecp = &sm2_ecp;
	MPI p, a, b;
	MPI x, y;
	int rc = -EINVAL;

	p = mpi_scanval(ecp->p);
	a = mpi_scanval(ecp->a);
	b = mpi_scanval(ecp->b);
	if (!p || !a || !b)
		goto free_p;

	x = mpi_scanval(ecp->g_x);
	y = mpi_scanval(ecp->g_y);
	if (!x || !y)
		goto free;

	rc = -ENOMEM;

	ec->Q = mpi_point_new(0);
	if (!ec->Q)
		goto free;

	/* mpi_ec_setup_elliptic_curve */
	ec->G = mpi_point_new(0);
	if (!ec->G) {
		mpi_point_release(ec->Q);
		goto free;
	}

	mpi_set(ec->G->x, x);
	mpi_set(ec->G->y, y);
	mpi_set_ui(ec->G->z, 1);

	rc = -EINVAL;
	ec->n = mpi_scanval(ecp->n);
	if (!ec->n) {
		mpi_point_release(ec->Q);
		mpi_point_release(ec->G);
		goto free;
	}

	ec->h = ecp->h;
	ec->name = ecp->desc;
	mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);

	rc = 0;

free:
	mpi_free(x);
	mpi_free(y);
free_p:
	mpi_free(p);
	mpi_free(a);
	mpi_free(b);

	return rc;
}

static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
{
	mpi_ec_deinit(ec);

	memset(ec, 0, sizeof(*ec));
}

/* RESULT must have been initialized and is set on success to the
 * point given by VALUE.
 */
static int sm2_ecc_os2ec(MPI_POINT result, MPI value)
{
	int rc;
	size_t n;
	unsigned char *buf;
	MPI x, y;

	n = MPI_NBYTES(value);
	buf = kmalloc(n, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	rc = mpi_print(GCRYMPI_FMT_USG, buf, n, &n, value);
	if (rc)
		goto err_freebuf;

	rc = -EINVAL;
	if (n < 1 || ((n - 1) % 2))
		goto err_freebuf;
	/* No support for point compression */
	if (*buf != 0x4)
		goto err_freebuf;

	rc = -ENOMEM;
	n = (n - 1) / 2;
	x = mpi_read_raw_data(buf + 1, n);
	if (!x)
		goto err_freebuf;
	y = mpi_read_raw_data(buf + 1 + n, n);
	if (!y)
		goto err_freex;

	mpi_normalize(x);
	mpi_normalize(y);
	mpi_set(result->x, x);
	mpi_set(result->y, y);
	mpi_set_ui(result->z, 1);

	rc = 0;

	mpi_free(y);
err_freex:
	mpi_free(x);
err_freebuf:
	kfree(buf);
	return rc;
}

struct sm2_signature_ctx {
	MPI sig_r;
	MPI sig_s;
};

int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
				const void *value, size_t vlen)
{
	struct sm2_signature_ctx *sig = context;

	if (!value || !vlen)
		return -EINVAL;

	sig->sig_r = mpi_read_raw_data(value, vlen);
	if (!sig->sig_r)
		return -ENOMEM;

	return 0;
}

int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
				const void *value, size_t vlen)
{
	struct sm2_signature_ctx *sig = context;

	if (!value || !vlen)
		return -EINVAL;

	sig->sig_s = mpi_read_raw_data(value, vlen);
	if (!sig->sig_s)
		return -ENOMEM;

	return 0;
}

static int sm2_z_digest_update(struct sm3_state *sctx,
			MPI m, unsigned int pbytes)
{
	static const unsigned char zero[32];
	unsigned char *in;
	unsigned int inlen;

	in = mpi_get_buffer(m, &inlen, NULL);
	if (!in)
		return -EINVAL;

	if (inlen < pbytes) {
		/* padding with zero */
		sm3_update(sctx, zero, pbytes - inlen);
		sm3_update(sctx, in, inlen);
	} else if (inlen > pbytes) {
		/* skip the starting zero */
		sm3_update(sctx, in + inlen - pbytes, pbytes);
	} else {
		sm3_update(sctx, in, inlen);
	}

	kfree(in);
	return 0;
}

static int sm2_z_digest_update_point(struct sm3_state *sctx,
		MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes)
{
	MPI x, y;
	int ret = -EINVAL;

	x = mpi_new(0);
	y = mpi_new(0);

	if (!mpi_ec_get_affine(x, y, point, ec) &&
	    !sm2_z_digest_update(sctx, x, pbytes) &&
	    !sm2_z_digest_update(sctx, y, pbytes))
		ret = 0;

	mpi_free(x);
	mpi_free(y);
	return ret;
}

int sm2_compute_z_digest(struct crypto_akcipher *tfm,
			const unsigned char *id, size_t id_len,
			unsigned char dgst[SM3_DIGEST_SIZE])
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	uint16_t bits_len;
	unsigned char entl[2];
	struct sm3_state sctx;
	unsigned int pbytes;

	if (id_len > (USHRT_MAX / 8) || !ec->Q)
		return -EINVAL;

	bits_len = (uint16_t)(id_len * 8);
	entl[0] = bits_len >> 8;
	entl[1] = bits_len & 0xff;

	pbytes = MPI_NBYTES(ec->p);

	/* ZA = H256(ENTLA | IDA | a | b | xG | yG | xA | yA) */
	sm3_init(&sctx);
	sm3_update(&sctx, entl, 2);
	sm3_update(&sctx, id, id_len);

	if (sm2_z_digest_update(&sctx, ec->a, pbytes) ||
	    sm2_z_digest_update(&sctx, ec->b, pbytes) ||
	    sm2_z_digest_update_point(&sctx, ec->G, ec, pbytes) ||
	    sm2_z_digest_update_point(&sctx, ec->Q, ec, pbytes))
		return -EINVAL;

	sm3_final(&sctx, dgst);
	return 0;
}
EXPORT_SYMBOL(sm2_compute_z_digest);

static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s)
{
	int rc = -EINVAL;
	struct gcry_mpi_point sG, tP;
	MPI t = NULL;
	MPI x1 = NULL, y1 = NULL;

	mpi_point_init(&sG);
	mpi_point_init(&tP);
	x1 = mpi_new(0);
	y1 = mpi_new(0);
	t = mpi_new(0);

	/* r, s in [1, n-1] */
	if (mpi_cmp_ui(sig_r, 1) < 0 || mpi_cmp(sig_r, ec->n) > 0 ||
		mpi_cmp_ui(sig_s, 1) < 0 || mpi_cmp(sig_s, ec->n) > 0) {
		goto leave;
	}

	/* t = (r + s) % n, t == 0 */
	mpi_addm(t, sig_r, sig_s, ec->n);
	if (mpi_cmp_ui(t, 0) == 0)
		goto leave;

	/* sG + tP = (x1, y1) */
	rc = -EBADMSG;
	mpi_ec_mul_point(&sG, sig_s, ec->G, ec);
	mpi_ec_mul_point(&tP, t, ec->Q, ec);
	mpi_ec_add_points(&sG, &sG, &tP, ec);
	if (mpi_ec_get_affine(x1, y1, &sG, ec))
		goto leave;

	/* R = (e + x1) % n */
	mpi_addm(t, hash, x1, ec->n);

	/* check R == r */
	rc = -EKEYREJECTED;
	if (mpi_cmp(t, sig_r))
		goto leave;

	rc = 0;

leave:
	mpi_point_free_parts(&sG);
	mpi_point_free_parts(&tP);
	mpi_free(x1);
	mpi_free(y1);
	mpi_free(t);

	return rc;
}

static int sm2_verify(struct akcipher_request *req)
{
	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	unsigned char *buffer;
	struct sm2_signature_ctx sig;
	MPI hash;
	int ret;

	if (unlikely(!ec->Q))
		return -EINVAL;

	buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	sg_pcopy_to_buffer(req->src,
		sg_nents_for_len(req->src, req->src_len + req->dst_len),
		buffer, req->src_len + req->dst_len, 0);

	sig.sig_r = NULL;
	sig.sig_s = NULL;
	ret = asn1_ber_decoder(&sm2signature_decoder, &sig,
				buffer, req->src_len);
	if (ret)
		goto error;

	ret = -ENOMEM;
	hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len);
	if (!hash)
		goto error;

	ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s);

	mpi_free(hash);
error:
	mpi_free(sig.sig_r);
	mpi_free(sig.sig_s);
	kfree(buffer);
	return ret;
}

static int sm2_set_pub_key(struct crypto_akcipher *tfm,
			const void *key, unsigned int keylen)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	MPI a;
	int rc;

	/* include the uncompressed flag '0x04' */
	a = mpi_read_raw_data(key, keylen);
	if (!a)
		return -ENOMEM;

	mpi_normalize(a);
	rc = sm2_ecc_os2ec(ec->Q, a);
	mpi_free(a);

	return rc;
}

static unsigned int sm2_max_size(struct crypto_akcipher *tfm)
{
	/* Unlimited max size */
	return PAGE_SIZE;
}

static int sm2_init_tfm(struct crypto_akcipher *tfm)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);

	return sm2_ec_ctx_init(ec);
}

static void sm2_exit_tfm(struct crypto_akcipher *tfm)
{
	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);

	sm2_ec_ctx_deinit(ec);
}

static struct akcipher_alg sm2 = {
	.verify = sm2_verify,
	.set_pub_key = sm2_set_pub_key,
	.max_size = sm2_max_size,
	.init = sm2_init_tfm,
	.exit = sm2_exit_tfm,
	.base = {
		.cra_name = "sm2",
		.cra_driver_name = "sm2-generic",
		.cra_priority = 100,
		.cra_module = THIS_MODULE,
		.cra_ctxsize = sizeof(struct mpi_ec_ctx),
	},
};

static int __init sm2_init(void)
{
	return crypto_register_akcipher(&sm2);
}

static void __exit sm2_exit(void)
{
	crypto_unregister_akcipher(&sm2);
}

subsys_initcall(sm2_init);
module_exit(sm2_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Tianjia Zhang <[email protected]>");
MODULE_DESCRIPTION("SM2 generic algorithm");
MODULE_ALIAS_CRYPTO("sm2-generic");
Commit	Line	Data
4920a4a7	1	// SPDX-License-Identifier: GPL-2.0-or-later
ea7ecb66 TZ	2	/*
	3	* SM2 asymmetric public-key algorithm
	4	* as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and
	5	* described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
	6	*
	7	* Copyright (c) 2020, Alibaba Group.
	8	* Authors: Tianjia Zhang <[email protected]>
	9	*/
	10
	11	#include <linux/module.h>
	12	#include <linux/mpi.h>
	13	#include <crypto/internal/akcipher.h>
	14	#include <crypto/akcipher.h>
	15	#include <crypto/hash.h>
11400469	16	#include <crypto/sm3.h>
ea7ecb66 TZ	17	#include <crypto/rng.h>
	18	#include <crypto/sm2.h>
	19	#include "sm2signature.asn1.h"
	20
	21	#define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8)
	22
	23	struct ecc_domain_parms {
	24	const char desc; / Description of the curve. */
	25	unsigned int nbits; /* Number of bits. */
	26	unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */
	27
	28	/* The model describing this curve. This is mainly used to select
	29	* the group equation.
	30	*/
	31	enum gcry_mpi_ec_models model;
	32
	33	/* The actual ECC dialect used. This is used for curve specific
	34	* optimizations and to select encodings etc.
	35	*/
	36	enum ecc_dialects dialect;
	37
	38	const char p; / The prime defining the field. */
	39	const char a, b; /* The coefficients. For Twisted Edwards
	40	* Curves b is used for d. For Montgomery
	41	* Curves (a,b) has ((A-2)/4,B^-1).
	42	*/
	43	const char n; / The order of the base point. */
	44	const char g_x, g_y; /* Base point. */
	45	unsigned int h; /* Cofactor. */
	46	};
	47
	48	static const struct ecc_domain_parms sm2_ecp = {
	49	.desc = "sm2p256v1",
	50	.nbits = 256,
	51	.fips = 0,
	52	.model = MPI_EC_WEIERSTRASS,
	53	.dialect = ECC_DIALECT_STANDARD,
	54	.p = "0xfffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff",
	55	.a = "0xfffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc",
	56	.b = "0x28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93",
	57	.n = "0xfffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123",
	58	.g_x = "0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7",
	59	.g_y = "0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0",
	60	.h = 1
	61	};
	62
	63	static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
	64	{
	65	const struct ecc_domain_parms *ecp = &sm2_ecp;
	66	MPI p, a, b;
	67	MPI x, y;
	68	int rc = -EINVAL;
	69
	70	p = mpi_scanval(ecp->p);
	71	a = mpi_scanval(ecp->a);
	72	b = mpi_scanval(ecp->b);
	73	if (!p \|\| !a \|\| !b)
	74	goto free_p;
	75
	76	x = mpi_scanval(ecp->g_x);
	77	y = mpi_scanval(ecp->g_y);
	78	if (!x \|\| !y)
	79	goto free;
	80
81	rc = -ENOMEM;
5cd259ca HL	82
	83	ec->Q = mpi_point_new(0);
	84	if (!ec->Q)
	85	goto free;
	86
ea7ecb66 TZ	87	/* mpi_ec_setup_elliptic_curve */
ea7ecb66 TZ	88	ec->G = mpi_point_new(0);
5cd259ca HL	89	if (!ec->G) {
5cd259ca HL	90	mpi_point_release(ec->Q);
ea7ecb66	91	goto free;
5cd259ca	92	}
ea7ecb66 TZ	93
	94	mpi_set(ec->G->x, x);
	95	mpi_set(ec->G->y, y);
	96	mpi_set_ui(ec->G->z, 1);
	97
	98	rc = -EINVAL;
	99	ec->n = mpi_scanval(ecp->n);
	100	if (!ec->n) {
5cd259ca	101	mpi_point_release(ec->Q);
ea7ecb66 TZ	102	mpi_point_release(ec->G);
	103	goto free;
	104	}
	105
	106	ec->h = ecp->h;
	107	ec->name = ecp->desc;
	108	mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);
	109
	110	rc = 0;
	111
	112	free:
	113	mpi_free(x);
	114	mpi_free(y);
	115	free_p:
	116	mpi_free(p);
	117	mpi_free(a);
	118	mpi_free(b);
	119
	120	return rc;
	121	}
	122
	123	static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
	124	{
	125	mpi_ec_deinit(ec);
	126
	127	memset(ec, 0, sizeof(*ec));
	128	}
	129
ea7ecb66 TZ	130	/* RESULT must have been initialized and is set on success to the
	131	* point given by VALUE.
	132	*/
	133	static int sm2_ecc_os2ec(MPI_POINT result, MPI value)
	134	{
	135	int rc;
	136	size_t n;
1bc608b4	137	unsigned char *buf;
ea7ecb66 TZ	138	MPI x, y;
ea7ecb66 TZ	139
1bc608b4 TZ	140	n = MPI_NBYTES(value);
	141	buf = kmalloc(n, GFP_KERNEL);
	142	if (!buf)
	143	return -ENOMEM;
ea7ecb66	144
1bc608b4 TZ	145	rc = mpi_print(GCRYMPI_FMT_USG, buf, n, &n, value);
	146	if (rc)
	147	goto err_freebuf;
	148
	149	rc = -EINVAL;
	150	if (n < 1 \|\| ((n - 1) % 2))
	151	goto err_freebuf;
	152	/* No support for point compression */
	153	if (*buf != 0x4)
	154	goto err_freebuf;
	155
	156	rc = -ENOMEM;
	157	n = (n - 1) / 2;
ea7ecb66	158	x = mpi_read_raw_data(buf + 1, n);
1bc608b4 TZ	159	if (!x)
1bc608b4 TZ	160	goto err_freebuf;
ea7ecb66	161	y = mpi_read_raw_data(buf + 1 + n, n);
1bc608b4 TZ	162	if (!y)
1bc608b4 TZ	163	goto err_freex;
ea7ecb66 TZ	164
	165	mpi_normalize(x);
	166	mpi_normalize(y);
ea7ecb66 TZ	167	mpi_set(result->x, x);
	168	mpi_set(result->y, y);
	169	mpi_set_ui(result->z, 1);
	170
1bc608b4	171	rc = 0;
ea7ecb66	172
1bc608b4 TZ	173	mpi_free(y);
	174	err_freex:
	175	mpi_free(x);
	176	err_freebuf:
	177	kfree(buf);
	178	return rc;
ea7ecb66 TZ	179	}
	180
	181	struct sm2_signature_ctx {
	182	MPI sig_r;
	183	MPI sig_s;
	184	};
	185
	186	int sm2_get_signature_r(void *context, size_t hdrlen, unsigned char tag,
	187	const void *value, size_t vlen)
	188	{
	189	struct sm2_signature_ctx *sig = context;
	190
	191	if (!value \|\| !vlen)
	192	return -EINVAL;
	193
	194	sig->sig_r = mpi_read_raw_data(value, vlen);
	195	if (!sig->sig_r)
	196	return -ENOMEM;
	197
	198	return 0;
	199	}
	200
	201	int sm2_get_signature_s(void *context, size_t hdrlen, unsigned char tag,
	202	const void *value, size_t vlen)
	203	{
	204	struct sm2_signature_ctx *sig = context;
	205
	206	if (!value \|\| !vlen)
	207	return -EINVAL;
	208
	209	sig->sig_s = mpi_read_raw_data(value, vlen);
	210	if (!sig->sig_s)
	211	return -ENOMEM;
	212
	213	return 0;
	214	}
	215
11400469	216	static int sm2_z_digest_update(struct sm3_state *sctx,
ea7ecb66 TZ	217	MPI m, unsigned int pbytes)
	218	{
	219	static const unsigned char zero[32];
	220	unsigned char *in;
	221	unsigned int inlen;
	222
	223	in = mpi_get_buffer(m, &inlen, NULL);
	224	if (!in)
	225	return -EINVAL;
	226
	227	if (inlen < pbytes) {
	228	/* padding with zero */
11400469 TZ	229	sm3_update(sctx, zero, pbytes - inlen);
11400469 TZ	230	sm3_update(sctx, in, inlen);
ea7ecb66 TZ	231	} else if (inlen > pbytes) {
ea7ecb66 TZ	232	/* skip the starting zero */
11400469	233	sm3_update(sctx, in + inlen - pbytes, pbytes);
ea7ecb66	234	} else {
11400469	235	sm3_update(sctx, in, inlen);
ea7ecb66 TZ	236	}
	237
	238	kfree(in);
	239	return 0;
	240	}
	241
11400469	242	static int sm2_z_digest_update_point(struct sm3_state *sctx,
ea7ecb66 TZ	243	MPI_POINT point, struct mpi_ec_ctx *ec, unsigned int pbytes)
	244	{
	245	MPI x, y;
	246	int ret = -EINVAL;
	247
	248	x = mpi_new(0);
	249	y = mpi_new(0);
	250
	251	if (!mpi_ec_get_affine(x, y, point, ec) &&
11400469 TZ	252	!sm2_z_digest_update(sctx, x, pbytes) &&
11400469 TZ	253	!sm2_z_digest_update(sctx, y, pbytes))
ea7ecb66 TZ	254	ret = 0;
	255
	256	mpi_free(x);
	257	mpi_free(y);
	258	return ret;
	259	}
	260
	261	int sm2_compute_z_digest(struct crypto_akcipher *tfm,
	262	const unsigned char *id, size_t id_len,
	263	unsigned char dgst[SM3_DIGEST_SIZE])
	264	{
	265	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	266	uint16_t bits_len;
	267	unsigned char entl[2];
11400469	268	struct sm3_state sctx;
ea7ecb66 TZ	269	unsigned int pbytes;
	270
	271	if (id_len > (USHRT_MAX / 8) \|\| !ec->Q)
	272	return -EINVAL;
	273
	274	bits_len = (uint16_t)(id_len * 8);
	275	entl[0] = bits_len >> 8;
	276	entl[1] = bits_len & 0xff;
	277
	278	pbytes = MPI_NBYTES(ec->p);
	279
	280	/* ZA = H256(ENTLA \| IDA \| a \| b \| xG \| yG \| xA \| yA) */
11400469 TZ	281	sm3_init(&sctx);
	282	sm3_update(&sctx, entl, 2);
	283	sm3_update(&sctx, id, id_len);
	284
	285	if (sm2_z_digest_update(&sctx, ec->a, pbytes) \|\|
	286	sm2_z_digest_update(&sctx, ec->b, pbytes) \|\|
	287	sm2_z_digest_update_point(&sctx, ec->G, ec, pbytes) \|\|
	288	sm2_z_digest_update_point(&sctx, ec->Q, ec, pbytes))
ea7ecb66 TZ	289	return -EINVAL;
ea7ecb66 TZ	290
11400469	291	sm3_final(&sctx, dgst);
ea7ecb66 TZ	292	return 0;
	293	}
	294	EXPORT_SYMBOL(sm2_compute_z_digest);
	295
	296	static int _sm2_verify(struct mpi_ec_ctx *ec, MPI hash, MPI sig_r, MPI sig_s)
	297	{
	298	int rc = -EINVAL;
	299	struct gcry_mpi_point sG, tP;
	300	MPI t = NULL;
	301	MPI x1 = NULL, y1 = NULL;
	302
	303	mpi_point_init(&sG);
	304	mpi_point_init(&tP);
	305	x1 = mpi_new(0);
	306	y1 = mpi_new(0);
	307	t = mpi_new(0);
	308
	309	/* r, s in [1, n-1] */
	310	if (mpi_cmp_ui(sig_r, 1) < 0 \|\| mpi_cmp(sig_r, ec->n) > 0 \|\|
	311	mpi_cmp_ui(sig_s, 1) < 0 \|\| mpi_cmp(sig_s, ec->n) > 0) {
	312	goto leave;
	313	}
	314
	315	/* t = (r + s) % n, t == 0 */
	316	mpi_addm(t, sig_r, sig_s, ec->n);
	317	if (mpi_cmp_ui(t, 0) == 0)
	318	goto leave;
	319
	320	/* sG + tP = (x1, y1) */
	321	rc = -EBADMSG;
	322	mpi_ec_mul_point(&sG, sig_s, ec->G, ec);
	323	mpi_ec_mul_point(&tP, t, ec->Q, ec);
	324	mpi_ec_add_points(&sG, &sG, &tP, ec);
	325	if (mpi_ec_get_affine(x1, y1, &sG, ec))
	326	goto leave;
	327
	328	/* R = (e + x1) % n */
	329	mpi_addm(t, hash, x1, ec->n);
	330
	331	/* check R == r */
	332	rc = -EKEYREJECTED;
	333	if (mpi_cmp(t, sig_r))
	334	goto leave;
	335
	336	rc = 0;
	337
	338	leave:
	339	mpi_point_free_parts(&sG);
	340	mpi_point_free_parts(&tP);
	341	mpi_free(x1);
	342	mpi_free(y1);
	343	mpi_free(t);
	344
	345	return rc;
	346	}
	347
	348	static int sm2_verify(struct akcipher_request *req)
	349	{
	350	struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
	351	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	352	unsigned char *buffer;
	353	struct sm2_signature_ctx sig;
	354	MPI hash;
	355	int ret;
356
357	if (unlikely(!ec->Q))
358	return -EINVAL;
359
360	buffer = kmalloc(req->src_len + req->dst_len, GFP_KERNEL);
361	if (!buffer)
362	return -ENOMEM;
363
364	sg_pcopy_to_buffer(req->src,
365	sg_nents_for_len(req->src, req->src_len + req->dst_len),
366	buffer, req->src_len + req->dst_len, 0);
367
368	sig.sig_r = NULL;
369	sig.sig_s = NULL;
370	ret = asn1_ber_decoder(&sm2signature_decoder, &sig,
371	buffer, req->src_len);
372	if (ret)
373	goto error;
374
375	ret = -ENOMEM;
376	hash = mpi_read_raw_data(buffer + req->src_len, req->dst_len);
377	if (!hash)
378	goto error;
379
380	ret = _sm2_verify(ec, hash, sig.sig_r, sig.sig_s);
381
382	mpi_free(hash);
383	error:
384	mpi_free(sig.sig_r);
385	mpi_free(sig.sig_s);
386	kfree(buffer);
387	return ret;
388	}
389
390	static int sm2_set_pub_key(struct crypto_akcipher *tfm,
391	const void *key, unsigned int keylen)
392	{
393	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
394	MPI a;
395	int rc;
396
ea7ecb66	397	/* include the uncompressed flag '0x04' */
ea7ecb66 TZ	398	a = mpi_read_raw_data(key, keylen);
ea7ecb66 TZ	399	if (!a)
5cd259ca	400	return -ENOMEM;
ea7ecb66 TZ	401
	402	mpi_normalize(a);
	403	rc = sm2_ecc_os2ec(ec->Q, a);
	404	mpi_free(a);
ea7ecb66	405
ea7ecb66 TZ	406	return rc;
	407	}
	408
	409	static unsigned int sm2_max_size(struct crypto_akcipher *tfm)
	410	{
	411	/* Unlimited max size */
	412	return PAGE_SIZE;
	413	}
	414
	415	static int sm2_init_tfm(struct crypto_akcipher *tfm)
	416	{
	417	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	418
	419	return sm2_ec_ctx_init(ec);
	420	}
	421
	422	static void sm2_exit_tfm(struct crypto_akcipher *tfm)
	423	{
	424	struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
	425
	426	sm2_ec_ctx_deinit(ec);
	427	}
	428
	429	static struct akcipher_alg sm2 = {
	430	.verify = sm2_verify,
	431	.set_pub_key = sm2_set_pub_key,
	432	.max_size = sm2_max_size,
	433	.init = sm2_init_tfm,
	434	.exit = sm2_exit_tfm,
	435	.base = {
	436	.cra_name = "sm2",
	437	.cra_driver_name = "sm2-generic",
	438	.cra_priority = 100,
	439	.cra_module = THIS_MODULE,
	440	.cra_ctxsize = sizeof(struct mpi_ec_ctx),
	441	},
	442	};
	443
33837be3	444	static int __init sm2_init(void)
ea7ecb66 TZ	445	{
	446	return crypto_register_akcipher(&sm2);
	447	}
	448
33837be3	449	static void __exit sm2_exit(void)
ea7ecb66 TZ	450	{
	451	crypto_unregister_akcipher(&sm2);
	452	}
	453
	454	subsys_initcall(sm2_init);
	455	module_exit(sm2_exit);
	456
	457	MODULE_LICENSE("GPL");
	458	MODULE_AUTHOR("Tianjia Zhang <[email protected]>");
	459	MODULE_DESCRIPTION("SM2 generic algorithm");
	460	MODULE_ALIAS_CRYPTO("sm2-generic");