On Mon, Dec 12, 2022 at 10:07:38AM +0100, Roberto Sassu wrote:
The problem is a misalignment between req->src_len (set to sig->s_size by akcipher_request_set_crypt()) and the length of the scatterlist (if we set the latter to sig->s_size + sig->digest_size).
When rsa_enc() calls mpi_read_raw_from_sgl(), it passes req->src_len as argument, and the latter allocates the MPI according to that. However, it does parsing depending on the length of the scatterlist.
If there are two scatterlists, it is not a problem, there is no misalignment. mpi_read_raw_from_sgl() picks the first. If there is just one, mpi_read_raw_from_sgl() parses all data there.
Thanks for the explanation. That's definitely a bug which should be fixed either in the RSA code or in MPI.
I'll look into it.
Cheers,