| Message ID | 20240417162117.2752326-3-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | crypto: ecdh & ecc: Fix private key byte ordering issues | expand |
On Wed Apr 17, 2024 at 7:21 PM EEST, Stefan Berger wrote: > The private key in ctx->private_key is currently initialized in reverse > byte order in ecdh_set_secret and whenever the key is needed in proper > byte order the variable priv is introduced and the bytes from > ctx->private_key are copied into priv while being byte-swapped > (ecc_swap_digits). To get rid of the unnecessary byte swapping initialize > ctx->private_key in proper byte order and clean up all functions that were > previously using priv or were called with ctx->private_key: > > - ecc_gen_privkey: Directly initialize the passed ctx->private_key with > random bytes and get rid of the priv variable. This function only has > ecdh_set_secret as a caller. > > - crypto_ecdh_shared_secret: Called only from ecdh_compute_value with > ctx->private_key. Get rid of the priv variable and work with the passed > private_key directly. > > - ecc_make_pub_key: Called only from ecdh_compute_value with > ctx->private_key. Get rid of the priv variable and work with the passed > private_key directly. > > Cc: Salvatore Benedetto <salvatore.benedetto@intel.com> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > crypto/ecc.c | 29 ++++++++++------------------- > crypto/ecdh.c | 8 +++----- > include/crypto/internal/ecc.h | 3 ++- > 3 files changed, 15 insertions(+), 25 deletions(-) > > diff --git a/crypto/ecc.c b/crypto/ecc.c > index 2e05387b9499..c1d2e884be1e 100644 > --- a/crypto/ecc.c > +++ b/crypto/ecc.c > @@ -1497,10 +1497,10 @@ EXPORT_SYMBOL(ecc_is_key_valid); > * This method generates a private key uniformly distributed in the range > * [2, n-3]. > */ > -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) > +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, > + u64 *private_key) > { > const struct ecc_curve *curve = ecc_get_curve(curve_id); > - u64 priv[ECC_MAX_DIGITS]; > unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; > unsigned int nbits = vli_num_bits(curve->n, ndigits); > int err; > @@ -1509,7 +1509,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) > * Step 1 & 2: check that N is included in Table 1 of FIPS 186-5, > * section 6.1.1. > */ > - if (nbits < 224 || ndigits > ARRAY_SIZE(priv)) > + if (nbits < 224) > return -EINVAL; > > /* > @@ -1527,17 +1527,16 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) > return -EFAULT; > > /* Step 3: obtain N returned_bits from the DRBG. */ > - err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes); > + err = crypto_rng_get_bytes(crypto_default_rng, > + (u8 *)private_key, nbytes); > crypto_put_default_rng(); > if (err) > return err; > > /* Step 4: make sure the private key is in the valid range. */ > - if (__ecc_is_key_valid(curve, priv, ndigits)) > + if (__ecc_is_key_valid(curve, private_key, ndigits)) > return -EINVAL; > > - ecc_swap_digits(priv, privkey, ndigits); > - > return 0; > } > EXPORT_SYMBOL(ecc_gen_privkey); > @@ -1547,23 +1546,20 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, > { > int ret = 0; > struct ecc_point *pk; > - u64 priv[ECC_MAX_DIGITS]; > const struct ecc_curve *curve = ecc_get_curve(curve_id); > > - if (!private_key || ndigits > ARRAY_SIZE(priv)) { > + if (!private_key) { > ret = -EINVAL; > goto out; > } > > - ecc_swap_digits(private_key, priv, ndigits); > - > pk = ecc_alloc_point(ndigits); > if (!pk) { > ret = -ENOMEM; > goto out; > } > > - ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits); > + ecc_point_mult(pk, &curve->g, private_key, NULL, curve, ndigits); > > /* SP800-56A rev 3 5.6.2.1.3 key check */ > if (ecc_is_pubkey_valid_full(curve, pk)) { > @@ -1647,13 +1643,11 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > { > int ret = 0; > struct ecc_point *product, *pk; > - u64 priv[ECC_MAX_DIGITS]; > u64 rand_z[ECC_MAX_DIGITS]; > unsigned int nbytes; > const struct ecc_curve *curve = ecc_get_curve(curve_id); > > - if (!private_key || !public_key || > - ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) { > + if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) { > ret = -EINVAL; > goto out; > } > @@ -1674,15 +1668,13 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > if (ret) > goto err_alloc_product; > > - ecc_swap_digits(private_key, priv, ndigits); > - > product = ecc_alloc_point(ndigits); > if (!product) { > ret = -ENOMEM; > goto err_alloc_product; > } > > - ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); > + ecc_point_mult(product, pk, private_key, rand_z, curve, ndigits); > > if (ecc_point_is_zero(product)) { > ret = -EFAULT; > @@ -1692,7 +1684,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > ecc_swap_digits(product->x, secret, ndigits); > > err_validity: > - memzero_explicit(priv, sizeof(priv)); > memzero_explicit(rand_z, sizeof(rand_z)); > ecc_free_point(product); > err_alloc_product: > diff --git a/crypto/ecdh.c b/crypto/ecdh.c > index c02c9a2b9682..72cfd1590156 100644 > --- a/crypto/ecdh.c > +++ b/crypto/ecdh.c > @@ -27,7 +27,6 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf, > unsigned int len) > { > struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); > - u64 priv[ECC_MAX_DIGITS]; > struct ecdh params; > int ret = 0; > > @@ -41,15 +40,14 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf, > return ecc_gen_privkey(ctx->curve_id, ctx->ndigits, > ctx->private_key); > > - memcpy(ctx->private_key, params.key, params.key_size); > - ecc_swap_digits(ctx->private_key, priv, ctx->ndigits); > + ecc_digits_from_bytes(params.key, params.key_size, > + ctx->private_key, ctx->ndigits); > > if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, > - priv, params.key_size) < 0) { > + ctx->private_key, params.key_size) < 0) { > memzero_explicit(ctx->private_key, params.key_size); > ret = -EINVAL; > } > - memzero_explicit(priv, sizeof(priv)); > > return ret; > } > diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h > index 4e2f5f938e91..7ca1f463d1ec 100644 > --- a/include/crypto/internal/ecc.h > +++ b/include/crypto/internal/ecc.h > @@ -103,7 +103,8 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, > * Returns 0 if the private key was generated successfully, a negative value > * if an error occurred. > */ > -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey); > +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, > + u64 *private_key); > > /** > * ecc_make_pub_key() - Compute an ECC public key Acked-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
diff --git a/crypto/ecc.c b/crypto/ecc.c index 2e05387b9499..c1d2e884be1e 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -1497,10 +1497,10 @@ EXPORT_SYMBOL(ecc_is_key_valid); * This method generates a private key uniformly distributed in the range * [2, n-3]. */ -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, + u64 *private_key) { const struct ecc_curve *curve = ecc_get_curve(curve_id); - u64 priv[ECC_MAX_DIGITS]; unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; unsigned int nbits = vli_num_bits(curve->n, ndigits); int err; @@ -1509,7 +1509,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) * Step 1 & 2: check that N is included in Table 1 of FIPS 186-5, * section 6.1.1. */ - if (nbits < 224 || ndigits > ARRAY_SIZE(priv)) + if (nbits < 224) return -EINVAL; /* @@ -1527,17 +1527,16 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) return -EFAULT; /* Step 3: obtain N returned_bits from the DRBG. */ - err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes); + err = crypto_rng_get_bytes(crypto_default_rng, + (u8 *)private_key, nbytes); crypto_put_default_rng(); if (err) return err; /* Step 4: make sure the private key is in the valid range. */ - if (__ecc_is_key_valid(curve, priv, ndigits)) + if (__ecc_is_key_valid(curve, private_key, ndigits)) return -EINVAL; - ecc_swap_digits(priv, privkey, ndigits); - return 0; } EXPORT_SYMBOL(ecc_gen_privkey); @@ -1547,23 +1546,20 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, { int ret = 0; struct ecc_point *pk; - u64 priv[ECC_MAX_DIGITS]; const struct ecc_curve *curve = ecc_get_curve(curve_id); - if (!private_key || ndigits > ARRAY_SIZE(priv)) { + if (!private_key) { ret = -EINVAL; goto out; } - ecc_swap_digits(private_key, priv, ndigits); - pk = ecc_alloc_point(ndigits); if (!pk) { ret = -ENOMEM; goto out; } - ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits); + ecc_point_mult(pk, &curve->g, private_key, NULL, curve, ndigits); /* SP800-56A rev 3 5.6.2.1.3 key check */ if (ecc_is_pubkey_valid_full(curve, pk)) { @@ -1647,13 +1643,11 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, { int ret = 0; struct ecc_point *product, *pk; - u64 priv[ECC_MAX_DIGITS]; u64 rand_z[ECC_MAX_DIGITS]; unsigned int nbytes; const struct ecc_curve *curve = ecc_get_curve(curve_id); - if (!private_key || !public_key || - ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) { + if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) { ret = -EINVAL; goto out; } @@ -1674,15 +1668,13 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, if (ret) goto err_alloc_product; - ecc_swap_digits(private_key, priv, ndigits); - product = ecc_alloc_point(ndigits); if (!product) { ret = -ENOMEM; goto err_alloc_product; } - ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); + ecc_point_mult(product, pk, private_key, rand_z, curve, ndigits); if (ecc_point_is_zero(product)) { ret = -EFAULT; @@ -1692,7 +1684,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, ecc_swap_digits(product->x, secret, ndigits); err_validity: - memzero_explicit(priv, sizeof(priv)); memzero_explicit(rand_z, sizeof(rand_z)); ecc_free_point(product); err_alloc_product: diff --git a/crypto/ecdh.c b/crypto/ecdh.c index c02c9a2b9682..72cfd1590156 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -27,7 +27,6 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf, unsigned int len) { struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); - u64 priv[ECC_MAX_DIGITS]; struct ecdh params; int ret = 0; @@ -41,15 +40,14 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf, return ecc_gen_privkey(ctx->curve_id, ctx->ndigits, ctx->private_key); - memcpy(ctx->private_key, params.key, params.key_size); - ecc_swap_digits(ctx->private_key, priv, ctx->ndigits); + ecc_digits_from_bytes(params.key, params.key_size, + ctx->private_key, ctx->ndigits); if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, - priv, params.key_size) < 0) { + ctx->private_key, params.key_size) < 0) { memzero_explicit(ctx->private_key, params.key_size); ret = -EINVAL; } - memzero_explicit(priv, sizeof(priv)); return ret; } diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h index 4e2f5f938e91..7ca1f463d1ec 100644 --- a/include/crypto/internal/ecc.h +++ b/include/crypto/internal/ecc.h @@ -103,7 +103,8 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, * Returns 0 if the private key was generated successfully, a negative value * if an error occurred. */ -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey); +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, + u64 *private_key); /** * ecc_make_pub_key() - Compute an ECC public key
The private key in ctx->private_key is currently initialized in reverse byte order in ecdh_set_secret and whenever the key is needed in proper byte order the variable priv is introduced and the bytes from ctx->private_key are copied into priv while being byte-swapped (ecc_swap_digits). To get rid of the unnecessary byte swapping initialize ctx->private_key in proper byte order and clean up all functions that were previously using priv or were called with ctx->private_key: - ecc_gen_privkey: Directly initialize the passed ctx->private_key with random bytes and get rid of the priv variable. This function only has ecdh_set_secret as a caller. - crypto_ecdh_shared_secret: Called only from ecdh_compute_value with ctx->private_key. Get rid of the priv variable and work with the passed private_key directly. - ecc_make_pub_key: Called only from ecdh_compute_value with ctx->private_key. Get rid of the priv variable and work with the passed private_key directly. Cc: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- crypto/ecc.c | 29 ++++++++++------------------- crypto/ecdh.c | 8 +++----- include/crypto/internal/ecc.h | 3 ++- 3 files changed, 15 insertions(+), 25 deletions(-)