HACL* Raw RSA Encryption and Decryption

.github/workflows/crypto-test-harness.yml

@@ -0,0 +1,44 @@
+---
+name: Linux
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  tcrypt:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y flex bison bc cpio busybox-static kmod
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build kernel & Modules
+        run: |
+          cp zeta/test-artifacts/config-um .config
+          make olddefconfig ARCH=um
+          make -j$(nproc) ARCH=um all
+          mkdir initramfs
+          make modules_install INSTALL_MOD_PATH=./initramfs ARCH=um
+      - name: Prepare initramfs
+        run: |
+          mkdir initramfs/bin initramfs/proc
+          cp -p /bin/busybox initramfs/bin/busybox
+          cp -p zeta/test-artifacts/init initramfs/init
+          cp -p zeta/test-artifacts/test-script.sh initramfs/test-script.sh
+          cd initramfs
+          find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > ../uml-initramfs.cpio.gz
+          cd ..
+      - name: Run user-mode linux test harness
+        continue-on-error: true
+        run: |
+          sudo ./linux initrd=uml-initramfs.cpio.gz > tcrypt.out 2>&1
+          cat tcrypt.out
+      - name: Collect artifacts
+        uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: tcrypt_job
+          path: ./tcrypt.out

Makefile

@@ -857,9 +857,9 @@ ifdef CONFIG_READABLE_ASM
 KBUILD_CFLAGS += -fno-reorder-blocks -fno-ipa-cp-clone -fno-partial-inlining
 endif
 
-ifneq ($(CONFIG_FRAME_WARN),0)
-KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
-endif
+#ifneq ($(CONFIG_FRAME_WARN),0)
+#KBUILD_CFLAGS += -Wframe-larger-than=$(CONFIG_FRAME_WARN)
+#endif
 
 stackp-flags-y                                    := -fno-stack-protector
 stackp-flags-$(CONFIG_STACKPROTECTOR)             := -fstack-protector

crypto/Kconfig

@@ -254,6 +254,25 @@ config CRYPTO_RSA
 	help
 	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
 
+config CRYPTO_RSA_GENERIC
+	tristate "RSA (Rivest-Shamir-Adleman)"
+	select CRYPTO_AKCIPHER
+	select CRYPTO_MANAGER
+	select MPILIB
+	select ASN1
+	help
+	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017)
+
+config CRYPTO_RSA_HACL
+	tristate "RSA (Rivest-Shamir-Adleman)"
+	select CRYPTO_AKCIPHER
+	select CRYPTO_MANAGER
+	select MPILIB
+	select ASN1
+	help
+	  RSA (Rivest-Shamir-Adleman) public key algorithm (RFC8017) from HACL*
+
+
 config CRYPTO_DH
 	tristate "DH (Diffie-Hellman)"
 	select CRYPTO_KPP
@@ -290,13 +309,13 @@ config CRYPTO_ECDSA
 	tristate "ECDSA (Elliptic Curve Digital Signature Algorithm)"
 	select CRYPTO_ECC
 	select CRYPTO_AKCIPHER
+	select CRYPTO_DRBG_HMAC
 	select ASN1
 	help
 	  ECDSA (Elliptic Curve Digital Signature Algorithm) (FIPS 186,
 	  ISO/IEC 14888-3)
 	  using curves P-192, P-256, and P-384
-
-	  Only signature verification is implemented.
+	  P-256 uses formally a verified implementation from HACL* 
 
 config CRYPTO_ECRDSA
 	tristate "EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm)"
@@ -1026,6 +1045,12 @@ config CRYPTO_SHA256
 	  This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP).
 	  Used by the btrfs filesystem, Ceph, NFS, and SMB.
 
+config CRYPTO_SHA2_HACL
+	tristate "SHA-224 and SHA-256 and SHA-384 and SHA-512"
+	select CRYPTO_HASH
+	help
+	  SHA-2 secure hash algorithms (FIPS 180, ISO/IEC 10118-3) from HACL*
+
 config CRYPTO_SHA512
 	tristate "SHA-384 and SHA-512"
 	select CRYPTO_HASH
@@ -1038,6 +1063,12 @@ config CRYPTO_SHA3
 	help
 	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3)
 
+config CRYPTO_SHA3_HACL
+	tristate "SHA-3"
+	select CRYPTO_HASH
+	help
+	  SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) from HACL*
+
 config CRYPTO_SM3
 	tristate
 

crypto/Makefile

@@ -38,10 +38,19 @@ $(obj)/rsa_helper.o: $(obj)/rsapubkey.asn1.h $(obj)/rsaprivkey.asn1.h
 
 rsa_generic-y := rsapubkey.asn1.o
 rsa_generic-y += rsaprivkey.asn1.o
-rsa_generic-y += rsa.o
 rsa_generic-y += rsa_helper.o
+rsa_generic-y += rsa.o
 rsa_generic-y += rsa-pkcs1pad.o
-obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o
+obj-$(CONFIG_CRYPTO_RSA_GENERIC) += rsa_generic.o
+
+rsa_hacl-y := rsapubkey.asn1.o
+rsa_hacl-y += rsaprivkey.asn1.o
+rsa_hacl-y += hacl_bignum.o
+rsa_hacl-y += rsa-hacl-generated.o
+rsa_hacl-y += rsa_helper.o
+rsa_hacl-y += rsa-hacl.o
+rsa_hacl-y += rsa-pkcs1pad.o
+obj-$(CONFIG_CRYPTO_RSA_HACL) += rsa_hacl.o
 
 $(obj)/sm2signature.asn1.o: $(obj)/sm2signature.asn1.c $(obj)/sm2signature.asn1.h
 $(obj)/sm2.o: $(obj)/sm2signature.asn1.h
@@ -51,9 +60,12 @@ sm2_generic-y += sm2.o
 
 obj-$(CONFIG_CRYPTO_SM2) += sm2_generic.o
 
+$(obj)/ecprivkey.asn1.o: $(obj)/ecprivkey.asn1.c $(obj)/ecprivkey.asn1.h
 $(obj)/ecdsasignature.asn1.o: $(obj)/ecdsasignature.asn1.c $(obj)/ecdsasignature.asn1.h
-$(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h
+$(obj)/ecdsa.o: $(obj)/ecdsasignature.asn1.h $(obj)/ecprivkey.asn1.h
+ecdsa_generic-y += p256-hacl-generated.o
 ecdsa_generic-y += ecdsa.o
+ecdsa_generic-y += ecprivkey.asn1.o
 ecdsa_generic-y += ecdsasignature.asn1.o
 obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o
 
@@ -77,8 +89,10 @@ obj-$(CONFIG_CRYPTO_MD5) += md5.o
 obj-$(CONFIG_CRYPTO_RMD160) += rmd160.o
 obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o
 obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o
+obj-$(CONFIG_CRYPTO_SHA2_HACL) += sha2-hacl-generated.o sha2-hacl.o
 obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o
 obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o
+obj-$(CONFIG_CRYPTO_SHA3_HACL) += sha3-hacl-generated.o sha3-hacl.o
 obj-$(CONFIG_CRYPTO_SM3) += sm3.o
 obj-$(CONFIG_CRYPTO_SM3_GENERIC) += sm3_generic.o
 obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o

crypto/asymmetric_keys/pkcs8.asn1

@@ -20,5 +20,5 @@ Attribute ::= ANY
 
 AlgorithmIdentifier ::= SEQUENCE {
 	algorithm   OBJECT IDENTIFIER ({ pkcs8_note_OID }),
-	parameters  ANY OPTIONAL
+	parameters  ANY OPTIONAL ({ pkcs8_note_algo_parameter })
 }

crypto/asymmetric_keys/pkcs8_parser.c

@@ -21,9 +21,10 @@ struct pkcs8_parse_context {
 	struct public_key *pub;
 	unsigned long	data;			/* Start of data */
 	enum OID	last_oid;		/* Last OID encountered */
-	enum OID	algo_oid;		/* Algorithm OID */
 	u32		key_size;
 	const void	*key;
+	const void	*algo_param;
+	u32		algo_param_len;
 };
 
 /*
@@ -47,6 +48,17 @@ int pkcs8_note_OID(void *context, size_t hdrlen,
 	return 0;
 }
 
+int pkcs8_note_algo_parameter(void *context, size_t hdrlen,
+			      unsigned char tag,
+			      const void *value, size_t vlen)
+{
+	struct pkcs8_parse_context *ctx = context;
+
+	ctx->algo_param = value;
+	ctx->algo_param_len = vlen;
+	return 0;
+}
+
 /*
  * Note the version number of the ASN.1 blob.
  */
@@ -70,12 +82,39 @@ int pkcs8_note_algo(void *context, size_t hdrlen,
 {
 	struct pkcs8_parse_context *ctx = context;
 
-	if (ctx->last_oid != OID_rsaEncryption)
-		return -ENOPKG;
-
-	ctx->pub->pkey_algo = "rsa";
-	return 0;
-}
+	enum OID curve_id;
+
+	switch (ctx->last_oid) {
+	case OID_id_ecPublicKey:
+		if (!ctx->algo_param || ctx->algo_param_len == 0)
+			return -EBADMSG;
+		curve_id = look_up_OID(ctx->algo_param, ctx->algo_param_len);
+
+		switch (curve_id) {
+		case OID_id_prime192v1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p192";
+			break;
+		case OID_id_prime256v1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p256";
+			break;
+		case OID_id_ansip384r1:
+			ctx->pub->pkey_algo = "ecdsa-nist-p384";
+			break;
+		default:
+			return -ENOPKG;
+		}
+		break;
+
+	case OID_rsaEncryption:
+		ctx->pub->pkey_algo = "rsa";
+		break;
+
+	default:
+ 		return -ENOPKG;
+	}
+
+ 	return 0;
+ }
 
 /*
  * Note the key data of the ASN.1 blob.

crypto/ecc.c

@@ -488,7 +488,7 @@ static void vli_square(u64 *result, const u64 *left, unsigned int ndigits)
 /* Computes result = (left + right) % mod.
  * Assumes that left < mod and right < mod, result != mod.
  */
-static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
+void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
 			const u64 *mod, unsigned int ndigits)
 {
 	u64 carry;
@@ -501,6 +501,7 @@ static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
 	if (carry || vli_cmp(result, mod, ndigits) >= 0)
 		vli_sub(result, result, mod, ndigits);
 }
+EXPORT_SYMBOL(vli_mod_add);
 
 /* Computes result = (left - right) % mod.
  * Assumes that left < mod and right < mod, result != mod.
@@ -963,14 +964,15 @@ void vli_mod_mult_slow(u64 *result, const u64 *left, const u64 *right,
 EXPORT_SYMBOL(vli_mod_mult_slow);
 
 /* Computes result = (left * right) % curve_prime. */
-static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right,
+void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right,
 			      const struct ecc_curve *curve)
 {
 	u64 product[2 * ECC_MAX_DIGITS];
 
 	vli_mult(product, left, right, curve->g.ndigits);
 	vli_mmod_fast(result, product, curve);
 }
+EXPORT_SYMBOL(vli_mod_mult_fast);
 
 /* Computes result = left^2 % curve_prime. */
 static void vli_mod_square_fast(u64 *result, const u64 *left,
@@ -1277,7 +1279,7 @@ static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2,
 	vli_set(x1, t7, ndigits);
 }
 
-static void ecc_point_mult(struct ecc_point *result,
+void ecc_point_mult(struct ecc_point *result,
 			   const struct ecc_point *point, const u64 *scalar,
 			   u64 *initial_z, const struct ecc_curve *curve,
 			   unsigned int ndigits)
@@ -1335,6 +1337,7 @@ static void ecc_point_mult(struct ecc_point *result,
 	vli_set(result->x, rx[0], ndigits);
 	vli_set(result->y, ry[0], ndigits);
 }
+EXPORT_SYMBOL(ecc_point_mult);
 
 /* Computes R = P + Q mod p */
 static void ecc_point_add(const struct ecc_point *result,