| Message ID | 20240301022007.344948-12-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | Add support for NIST P521 to ecdsa | expand |
On Thu, Feb 29, 2024 at 09:20:06PM -0500, Stefan Berger wrote: > Adjust the calculation of the maximum signature size for support of > NIST P521. While existing curves may prepend a 0 byte to their coordinates > (to make the number positive), NIST P521 will not do this since only the > first bit in the most significant byte is used. > > If the encoding of the x & y coordinates requires more than 128 bytes then > an additional byte is needed for the encoding of the length. Take this into > account when calculating the maximum signature size. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Lukas Wunner <lukas@wunner.de>
On 3/3/24 13:47, Lukas Wunner wrote: > On Thu, Feb 29, 2024 at 09:20:06PM -0500, Stefan Berger wrote: >> Adjust the calculation of the maximum signature size for support of >> NIST P521. While existing curves may prepend a 0 byte to their coordinates >> (to make the number positive), NIST P521 will not do this since only the >> first bit in the most significant byte is used. >> >> If the encoding of the x & y coordinates requires more than 128 bytes then >> an additional byte is needed for the encoding of the length. Take this into >> account when calculating the maximum signature size. >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > Reviewed-by: Lukas Wunner <lukas@wunner.de> > Thanks. I have to adjust the commit text and comment in the patch, though. It should be '... requires at least 128 bytes then ...'
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index e5f22691febd..247d42580f7c 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -233,6 +233,7 @@ static int software_key_query(const struct kernel_pkey_params *params, info->key_size = len * 8; if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { + int slen = len; /* * ECDSA key sizes are much smaller than RSA, and thus could * operate on (hashed) inputs that are larger than key size. @@ -246,8 +247,19 @@ static int software_key_query(const struct kernel_pkey_params *params, * Verify takes ECDSA-Sig (described in RFC 5480) as input, * which is actually 2 'key_size'-bit integers encoded in * ASN.1. Account for the ASN.1 encoding overhead here. + * + * NIST P192/256/384 may prepend a '0' to a coordinate to + * indicate a positive integer. NIST P521 never needs it. */ - info->max_sig_size = 2 * (len + 3) + 2; + if (strcmp(pkey->pkey_algo, "ecdsa-nist-p521") != 0) + slen += 1; + /* Length of encoding the x & y coordinates */ + slen = 2 * (slen + 2); + /* + * If coordinate encoding takes more than 128 bytes then an + * additional byte for length encoding is needed. + */ + info->max_sig_size = 1 + (slen >= 128) + 1 + slen; } else { info->max_data_size = len; info->max_sig_size = len;
Adjust the calculation of the maximum signature size for support of NIST P521. While existing curves may prepend a 0 byte to their coordinates (to make the number positive), NIST P521 will not do this since only the first bit in the most significant byte is used. If the encoding of the x & y coordinates requires more than 128 bytes then an additional byte is needed for the encoding of the length. Take this into account when calculating the maximum signature size. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- crypto/asymmetric_keys/public_key.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)