From patchwork Mon Jul 20 17:07:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephan Mueller X-Patchwork-Id: 11674337 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id ABBB713B4 for ; Mon, 20 Jul 2020 17:10:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 93B9022B51 for ; Mon, 20 Jul 2020 17:10:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=chronox.de header.i=@chronox.de header.b="qzy0iHNe" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726989AbgGTRKO (ORCPT ); Mon, 20 Jul 2020 13:10:14 -0400 Received: from mo4-p02-ob.smtp.rzone.de ([81.169.146.170]:15566 "EHLO mo4-p02-ob.smtp.rzone.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730135AbgGTRKN (ORCPT ); Mon, 20 Jul 2020 13:10:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1595265011; s=strato-dkim-0002; d=chronox.de; h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=rt6PTRApr0yAQz5sJ1wzaRBKf0EMTUCrILlJclvyH1Y=; b=qzy0iHNeQCsnAQC/nefzyaWZBRrSo/jUdVa7kTLD5xvpilDu4orioCwtqJnirzSGcn NPpN9j/ZMqVPFr/b1GN6o7E9GjyOpOsAhWr7vJi4jnV2CMLImo/wEvlXLJYdbDyOURoT zKNjaTLmzsv7iR/POeJpNheSzYLtb/qetVnP27oWaSwMPadG8o3aBSYwCdubz3VKmgTQ HlWmF2JJ82Ovu/u6sEDlqAok50gbkxHonOkESmB4o6gfm0ib7HWeTUMV2SwGqCi9ro8E PbMitkS7kYuQFyS15v0jaXO2oEJO2RwGyEUV0YMJIeTOFyMr8eolb9lPg7LtHijMt4Db 3nEg== X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9xmwdNnzGHXPZJPScHiDh" X-RZG-CLASS-ID: mo00 Received: from positron.chronox.de by smtp.strato.de (RZmta 46.10.5 DYNA|AUTH) with ESMTPSA id y0546bw6KH9uULN (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)) (Client did not present a certificate); Mon, 20 Jul 2020 19:09:56 +0200 (CEST) From: Stephan =?iso-8859-1?q?M=FCller?= To: herbert@gondor.apana.org.au Cc: linux-crypto@vger.kernel.org, Marcelo Cerri , Tianjia Zhang , ard.biesheuvel@linaro.org, nhorman@redhat.com, simo@redhat.com Subject: [PATCH v3 1/5] crypto: ECDH - check validity of Z before export Date: Mon, 20 Jul 2020 19:07:48 +0200 Message-ID: <1759349.tdWV9SEqCh@positron.chronox.de> In-Reply-To: <2544426.mvXUDI8C0e@positron.chronox.de> References: <2543601.mvXUDI8C0e@positron.chronox.de> <5722559.lOV4Wx5bFT@positron.chronox.de> <2544426.mvXUDI8C0e@positron.chronox.de> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller Reviewed-by: Vitaly Chikunov Acked-by: Neil Horman --- crypto/ecc.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 02d35be7702b..52e2d49262f2 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); - ecc_swap_digits(product->x, secret, ndigits); - - if (ecc_point_is_zero(product)) + if (ecc_point_is_zero(product)) { ret = -EFAULT; + goto err_validity; + } + + ecc_swap_digits(product->x, secret, ndigits); +err_validity: + memzero_explicit(priv, sizeof(priv)); + memzero_explicit(rand_z, sizeof(rand_z)); ecc_free_point(product); err_alloc_product: ecc_free_point(pk);