| Message ID | 20240320114725.1644921-13-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v7,01/13] crypto: ecc - Use ECC_CURVE_NIST_P192/256/384_DIGITS where possible | expand |
On Wed Mar 20, 2024 at 1:47 PM EET, Stefan Berger wrote: > Adjust the calculation of the maximum signature size for support of > NIST P521. While existing curves may prepend a 0 byte to their coordinates > (to make the number positive), NIST P521 will not do this since only the > first bit in the most significant byte is used. > > If the encoding of the x & y coordinates requires at least 128 bytes then > an additional byte is needed for the encoding of the length. Take this into > account when calculating the maximum signature size. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Reviewed-by: Lukas Wunner <lukas@wunner.de> > Tested-by: Lukas Wunner <lukas@wunner.de> > --- > crypto/asymmetric_keys/public_key.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > index e5f22691febd..16cc0be28929 100644 > --- a/crypto/asymmetric_keys/public_key.c > +++ b/crypto/asymmetric_keys/public_key.c > @@ -233,6 +233,7 @@ static int software_key_query(const struct kernel_pkey_params *params, > info->key_size = len * 8; > > if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { > + int slen = len; > /* > * ECDSA key sizes are much smaller than RSA, and thus could > * operate on (hashed) inputs that are larger than key size. > @@ -246,8 +247,19 @@ static int software_key_query(const struct kernel_pkey_params *params, > * Verify takes ECDSA-Sig (described in RFC 5480) as input, > * which is actually 2 'key_size'-bit integers encoded in > * ASN.1. Account for the ASN.1 encoding overhead here. > + * > + * NIST P192/256/384 may prepend a '0' to a coordinate to > + * indicate a positive integer. NIST P521 never needs it. > */ > - info->max_sig_size = 2 * (len + 3) + 2; > + if (strcmp(pkey->pkey_algo, "ecdsa-nist-p521") != 0) > + slen += 1; > + /* Length of encoding the x & y coordinates */ > + slen = 2 * (slen + 2); > + /* > + * If coordinate encoding takes at least 128 bytes then an > + * additional byte for length encoding is needed. > + */ > + info->max_sig_size = 1 + (slen >= 128) + 1 + slen; > } else { > info->max_data_size = len; > info->max_sig_size = len; Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index e5f22691febd..16cc0be28929 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -233,6 +233,7 @@ static int software_key_query(const struct kernel_pkey_params *params, info->key_size = len * 8; if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { + int slen = len; /* * ECDSA key sizes are much smaller than RSA, and thus could * operate on (hashed) inputs that are larger than key size. @@ -246,8 +247,19 @@ static int software_key_query(const struct kernel_pkey_params *params, * Verify takes ECDSA-Sig (described in RFC 5480) as input, * which is actually 2 'key_size'-bit integers encoded in * ASN.1. Account for the ASN.1 encoding overhead here. + * + * NIST P192/256/384 may prepend a '0' to a coordinate to + * indicate a positive integer. NIST P521 never needs it. */ - info->max_sig_size = 2 * (len + 3) + 2; + if (strcmp(pkey->pkey_algo, "ecdsa-nist-p521") != 0) + slen += 1; + /* Length of encoding the x & y coordinates */ + slen = 2 * (slen + 2); + /* + * If coordinate encoding takes at least 128 bytes then an + * additional byte for length encoding is needed. + */ + info->max_sig_size = 1 + (slen >= 128) + 1 + slen; } else { info->max_data_size = len; info->max_sig_size = len;