Add Signing Tool with Verified implementations for RSA as well as ECDSA with P-256 and P-384

.github/workflows/crypto-test-harness.yml

@@ -3,7 +3,6 @@ name: Linux
 
 on:
   pull_request:
-    branches: ["cf-zeta"]
   workflow_dispatch:
 
 jobs:

Makefile

@@ -857,9 +857,9 @@ ifdef CONFIG_READABLE_ASM
 KBUILD_CFLAGS += -fno-reorder-blocks -fno-ipa-cp-clone -fno-partial-inlining
 endif
 
-ifneq ($(CONFIG_FRAME_WARN),0)
-KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
-endif
+#ifneq ($(CONFIG_FRAME_WARN),0)
+#KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
+#endif
 
 stackp-flags-y                                    := -fno-stack-protector
 stackp-flags-$(CONFIG_STACKPROTECTOR)             := -fstack-protector

crypto/Kconfig

@@ -254,6 +254,25 @@ config CRYPTO_RSA
 	help
 	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 
+config CRYPTO_RSA_GENERIC
+	tristate "RSA (Rivest-Shamir-Adleman)"
+	select CRYPTO_AKCIPHER
+	select CRYPTO_MANAGER
+	select MPILIB
+	select ASN1
+	help
+	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
+
+config CRYPTO_RSA_HACL
+	tristate "RSA (Rivest-Shamir-Adleman)"
+	select CRYPTO_AKCIPHER
+	select CRYPTO_MANAGER
+	select MPILIB
+	select ASN1
+	help
+	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) from HACL*
+
+
 config CRYPTO_DH
 	tristate "DH (Diffie-Hellman)"
 	select CRYPTO_KPP
@@ -290,13 +309,22 @@ config CRYPTO_ECDSA
 	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 	select CRYPTO_ECC
 	select CRYPTO_AKCIPHER
+	select CRYPTO_DRBG_HMAC
 	select ASN1
 	help
 	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 	  ISO/IEC 14888-3)
 	  using curves P-192, P-256, and P-384
 
-	  Only signature verification is implemented.
+config CRYPTO_ECDSA_HACL
+	tristate "Use HACL* for ECDSA"
+  depends on CRYPTO_ECDSA
+	select CRYPTO_ECC
+	select CRYPTO_AKCIPHER
+	select CRYPTO_DRBG_HMAC
+	select ASN1
+	help
+	  Use verified implementations from HACL* for ECDSA with P-256 and P-384
 
 config CRYPTO_ECRDSA
 	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
@@ -1026,6 +1054,12 @@ config CRYPTO_SHA256
 	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
 
+config CRYPTO_SHA2_HACL
+	tristate "SHA-224 and SHA-256 and SHA-384 and SHA-512"
+	select CRYPTO_HASH
+	help
+	  SHA-2 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) from HACL*
+
 config CRYPTO_SHA512
 	tristate "SHA-384 and SHA-512"
 	select CRYPTO_HASH
@@ -1038,6 +1072,12 @@ config CRYPTO_SHA3
 	help
 	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
 
+config CRYPTO_SHA3_HACL
+	tristate "SHA-3"
+	select CRYPTO_HASH
+	help
+	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) from HACL*
+
 config CRYPTO_SM3
 	tristate
 

crypto/Makefile

@@ -38,10 +38,19 @@ $(obj)/rsa_helper.o: $(obj)/rsapubkey.asn1.h $(obj)/rsaprivkey.asn1.h
 
 rsa_generic-y := rsapubkey.asn1.o
 rsa_generic-y += rsaprivkey.asn1.o
-rsa_generic-y += rsa.o
 rsa_generic-y += rsa_helper.o
+rsa_generic-y += rsa.o
 rsa_generic-y += rsa-pkcs1pad.o
-obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o
+obj-$(CONFIG_CRYPTO_RSA_GENERIC) += rsa_generic.o
+
+rsa_hacl-y := rsapubkey.asn1.o
+rsa_hacl-y += rsaprivkey.asn1.o
+rsa_hacl-y += hacl_bignum.o
+rsa_hacl-y += rsa-hacl-generated.o
+rsa_hacl-y += rsa_helper.o
+rsa_hacl-y += rsa-hacl.o
+rsa_hacl-y += rsa-pkcs1pad.o
+obj-$(CONFIG_CRYPTO_RSA_HACL) += rsa_hacl.o
 
 $(obj)/sm2signature.asn1.o: $(obj)/sm2signature.asn1.c $(obj)/sm2signature.asn1.h
 $(obj)/sm2.o: $(obj)/sm2signature.asn1.h
@@ -51,12 +60,18 @@ sm2_generic-y += sm2.o
 
 obj-$(CONFIG_CRYPTO_SM2) += sm2_generic.o
 
+$(obj)/ecprivkey.asn1.o: $(obj)/ecprivkey.asn1.c $(obj)/ecprivkey.asn1.h
 $(obj)/ecdsasignature.asn1.o: $(obj)/ecdsasignature.asn1.c $(obj)/ecdsasignature.asn1.h
-$(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h
+$(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h $(obj)/ecprivkey.asn1.h
 ecdsa_generic-y += ecdsa.o
+ecdsa_generic-y += ecprivkey.asn1.o
 ecdsa_generic-y += ecdsasignature.asn1.o
 obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o
 
+ecdsa_hacl-y += p256-hacl-generated.o
+ecdsa_hacl-y += p384-hacl-generated.o
+obj-$(CONFIG_CRYPTO_ECDSA_HACL) += ecdsa_hacl.o
+
 crypto_acompress-y := acompress.o
 crypto_acompress-y += scompress.o
 obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o
@@ -77,8 +92,10 @@ obj-$(CONFIG_CRYPTO_MD5) += md5.o
 obj-$(CONFIG_CRYPTO_RMD160) += rmd160.o
 obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o
 obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o
+obj-$(CONFIG_CRYPTO_SHA2_HACL) += sha2-hacl-generated.o sha2-hacl.o
 obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o
 obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o
+obj-$(CONFIG_CRYPTO_SHA3_HACL) += sha3-hacl-generated.o sha3-hacl.o
 obj-$(CONFIG_CRYPTO_SM3) += sm3.o
 obj-$(CONFIG_CRYPTO_SM3_GENERIC) += sm3_generic.o
 obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o

crypto/asymmetric_keys/pkcs8.asn1

@@ -20,5 +20,5 @@ Attribute ::= ANY
 
 AlgorithmIdentifier ::= SEQUENCE {
 	algorithm   OBJECT IDENTIFIER ({ pkcs8_note_OID }),
-	parameters  ANY OPTIONAL
+	parameters  ANY OPTIONAL ({ pkcs8_note_algo_parameter })
 }

crypto/asymmetric_keys/pkcs8_parser.c

@@ -21,9 +21,10 @@ struct pkcs8_parse_context {
 	struct public_key *pub;
 	unsigned long	data;			/* Start of data */
 	enum OID	last_oid;		/* Last OID encountered */
-	enum OID	algo_oid;		/* Algorithm OID */
 	u32		key_size;
 	const void	*key;
+	const void	*algo_param;
+	u32		algo_param_len;
 };
 
 /*
@@ -47,6 +48,17 @@ int pkcs8_note_OID(void *context, size_t hdrlen,
 	return 0;
 }
 
+int pkcs8_note_algo_parameter(void *context, size_t hdrlen,
+			      unsigned char tag,
+			      const void *value, size_t vlen)
+{
+	struct pkcs8_parse_context *ctx = context;
+
+	ctx->algo_param = value;
+	ctx->algo_param_len = vlen;
+	return 0;
+}
+
 /*
  * Note the version number of the ASN.1 blob.
  */
@@ -70,12 +82,39 @@ int pkcs8_note_algo(void *context, size_t hdrlen,
 {
 	struct pkcs8_parse_context *ctx = context;
 
-	if (ctx->last_oid != OID_rsaEncryption)
-		return -ENOPKG;
-
-	ctx->pub->pkey_algo = "rsa";
-	return 0;
-}
+	enum OID curve_id;
+
+	switch (ctx->last_oid) {
+	case OID_id_ecPublicKey:
+		if (!ctx->algo_param || ctx->algo_param_len == 0)
+			return -EBADMSG;
+		curve_id = look_up_OID(ctx->algo_param, ctx->algo_param_len);
+
+		switch (curve_id) {
+		case OID_id_prime192v1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p192";
+			break;
+		case OID_id_prime256v1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p256";
+			break;
+		case OID_id_ansip384r1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p384";
+			break;
+		default:
+			return -ENOPKG;
+		}
+		break;
+
+	case OID_rsaEncryption:
+		ctx->pub->pkey_algo = "rsa";
+		break;
+
+	default:
+ 		return -ENOPKG;
+	}
+
+ 	return 0;
+ }
 
 /*
  * Note the key data of the ASN.1 blob.

crypto/asymmetric_keys/public_key.c

@@ -309,10 +309,11 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
 			goto error_free_key;
 		}
 
-		if (pkey->key_is_private)
+		if (pkey->key_is_private) {
 			ret = crypto_sig_set_privkey(sig, key, pkey->keylen);
-		else
+		} else {
 			ret = crypto_sig_set_pubkey(sig, key, pkey->keylen);
+		}
 		if (ret)
 			goto error_free_tfm;
 
@@ -324,10 +325,13 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
 			goto error_free_key;
 		}
 
-		if (pkey->key_is_private)
-			ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
-		else
-			ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
+		if (pkey->key_is_private) {
+			ret = crypto_akcipher_set_priv_key(tfm, key,
+							   pkey->keylen);
+		} else {
+			ret = crypto_akcipher_set_pub_key(tfm, key,
+							  pkey->keylen);
+		}
 		if (ret)
 			goto error_free_tfm;
 

crypto/ecc.c

@@ -488,7 +488,7 @@ static void vli_square(u64 *result, const u64 *left, unsigned int ndigits)
 /* Computes result = (left + right) % mod.
  * Assumes that left < mod and right < mod, result != mod.
  */
-static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
+void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
 			const u64 *mod, unsigned int ndigits)
 {
 	u64 carry;
@@ -501,6 +501,7 @@ static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
 	if (carry || vli_cmp(result, mod, ndigits) >= 0)
 		vli_sub(result, result, mod, ndigits);
 }
+EXPORT_SYMBOL(vli_mod_add);
 
 /* Computes result = (left - right) % mod.
  * Assumes that left < mod and right < mod, result != mod.
@@ -963,14 +964,15 @@ void vli_mod_mult_slow(u64 *result, const u64 *left, const u64 *right,
 EXPORT_SYMBOL(vli_mod_mult_slow);
 
 /* Computes result = (left * right) % curve_prime. */
-static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right,
+void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right,
 			      const struct ecc_curve *curve)
 {
 	u64 product[2 * ECC_MAX_DIGITS];
 
 	vli_mult(product, left, right, curve->g.ndigits);
 	vli_mmod_fast(result, product, curve);
 }
+EXPORT_SYMBOL(vli_mod_mult_fast);
 
 /* Computes result = left^2 % curve_prime. */
 static void vli_mod_square_fast(u64 *result, const u64 *left,
@@ -1277,7 +1279,7 @@ static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2,
 	vli_set(x1, t7, ndigits);
 }
 
-static void ecc_point_mult(struct ecc_point *result,
+void ecc_point_mult(struct ecc_point *result,
 			   const struct ecc_point *point, const u64 *scalar,
 			   u64 *initial_z, const struct ecc_curve *curve,
 			   unsigned int ndigits)
@@ -1335,6 +1337,7 @@ static void ecc_point_mult(struct ecc_point *result,
 	vli_set(result->x, rx[0], ndigits);
 	vli_set(result->y, ry[0], ndigits);
 }
+EXPORT_SYMBOL(ecc_point_mult);
 
 /* Computes R = P + Q mod p */
 static void ecc_point_add(const struct ecc_point *result,