Re: [PATCH v2 2/2] crypto: ecdh & ecc - Initialize ctx->private_key in proper byte order

Linux-Crypto Archive mirror
 help / color / mirror / Atom feed

From: "Jarkko Sakkinen" <jarkko@kernel.org>
To: "Stefan Berger" <stefanb@linux.ibm.com>,
	<linux-crypto@vger.kernel.org>, <herbert@gondor.apana.org.au>,
	<davem@davemloft.net>
Cc: <linux-kernel@vger.kernel.org>, <ardb@kernel.org>,
	<salvatore.benedetto@intel.com>, <git@jvdsn.com>
Subject: Re: [PATCH v2 2/2] crypto: ecdh & ecc - Initialize ctx->private_key in proper byte order
Date: Thu, 18 Apr 2024 01:43:35 +0300	[thread overview]
Message-ID: <D0MRF0NXMBZ4.1N89J0L8RWWBM@kernel.org> (raw)
In-Reply-To: <20240417162117.2752326-3-stefanb@linux.ibm.com>

On Wed Apr 17, 2024 at 7:21 PM EEST, Stefan Berger wrote:
> The private key in ctx->private_key is currently initialized in reverse
> byte order in ecdh_set_secret and whenever the key is needed in proper
> byte order the variable priv is introduced and the bytes from
> ctx->private_key are copied into priv while being byte-swapped
> (ecc_swap_digits). To get rid of the unnecessary byte swapping initialize
> ctx->private_key in proper byte order and clean up all functions that were
> previously using priv or were called with ctx->private_key:
>
> - ecc_gen_privkey: Directly initialize the passed ctx->private_key with
>   random bytes and get rid of the priv variable. This function only has
>   ecdh_set_secret as a caller.
>
> - crypto_ecdh_shared_secret: Called only from ecdh_compute_value with
>   ctx->private_key. Get rid of the priv variable and work with the passed
>   private_key directly.
>
> - ecc_make_pub_key: Called only from ecdh_compute_value with
>   ctx->private_key. Get rid of the priv variable and work with the passed
>   private_key directly.
>
> Cc: Salvatore Benedetto <salvatore.benedetto@intel.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  crypto/ecc.c                  | 29 ++++++++++-------------------
>  crypto/ecdh.c                 |  8 +++-----
>  include/crypto/internal/ecc.h |  3 ++-
>  3 files changed, 15 insertions(+), 25 deletions(-)
>
> diff --git a/crypto/ecc.c b/crypto/ecc.c
> index 2e05387b9499..c1d2e884be1e 100644
> --- a/crypto/ecc.c
> +++ b/crypto/ecc.c
> @@ -1497,10 +1497,10 @@ EXPORT_SYMBOL(ecc_is_key_valid);
>   * This method generates a private key uniformly distributed in the range
>   * [2, n-3].
>   */
> -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
> +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
> +		    u64 *private_key)
>  {
>  	const struct ecc_curve *curve = ecc_get_curve(curve_id);
> -	u64 priv[ECC_MAX_DIGITS];
>  	unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
>  	unsigned int nbits = vli_num_bits(curve->n, ndigits);
>  	int err;
> @@ -1509,7 +1509,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
>  	 * Step 1 & 2: check that N is included in Table 1 of FIPS 186-5,
>  	 * section 6.1.1.
>  	 */
> -	if (nbits < 224 || ndigits > ARRAY_SIZE(priv))
> +	if (nbits < 224)
>  		return -EINVAL;
>  
>  	/*
> @@ -1527,17 +1527,16 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
>  		return -EFAULT;
>  
>  	/* Step 3: obtain N returned_bits from the DRBG. */
> -	err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes);
> +	err = crypto_rng_get_bytes(crypto_default_rng,
> +				   (u8 *)private_key, nbytes);
>  	crypto_put_default_rng();
>  	if (err)
>  		return err;
>  
>  	/* Step 4: make sure the private key is in the valid range. */
> -	if (__ecc_is_key_valid(curve, priv, ndigits))
> +	if (__ecc_is_key_valid(curve, private_key, ndigits))
>  		return -EINVAL;
>  
> -	ecc_swap_digits(priv, privkey, ndigits);
> -
>  	return 0;
>  }
>  EXPORT_SYMBOL(ecc_gen_privkey);
> @@ -1547,23 +1546,20 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits,
>  {
>  	int ret = 0;
>  	struct ecc_point *pk;
> -	u64 priv[ECC_MAX_DIGITS];
>  	const struct ecc_curve *curve = ecc_get_curve(curve_id);
>  
> -	if (!private_key || ndigits > ARRAY_SIZE(priv)) {
> +	if (!private_key) {
>  		ret = -EINVAL;
>  		goto out;
>  	}
>  
> -	ecc_swap_digits(private_key, priv, ndigits);
> -
>  	pk = ecc_alloc_point(ndigits);
>  	if (!pk) {
>  		ret = -ENOMEM;
>  		goto out;
>  	}
>  
> -	ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits);
> +	ecc_point_mult(pk, &curve->g, private_key, NULL, curve, ndigits);
>  
>  	/* SP800-56A rev 3 5.6.2.1.3 key check */
>  	if (ecc_is_pubkey_valid_full(curve, pk)) {
> @@ -1647,13 +1643,11 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>  {
>  	int ret = 0;
>  	struct ecc_point *product, *pk;
> -	u64 priv[ECC_MAX_DIGITS];
>  	u64 rand_z[ECC_MAX_DIGITS];
>  	unsigned int nbytes;
>  	const struct ecc_curve *curve = ecc_get_curve(curve_id);
>  
> -	if (!private_key || !public_key ||
> -	    ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) {
> +	if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) {
>  		ret = -EINVAL;
>  		goto out;
>  	}
> @@ -1674,15 +1668,13 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>  	if (ret)
>  		goto err_alloc_product;
>  
> -	ecc_swap_digits(private_key, priv, ndigits);
> -
>  	product = ecc_alloc_point(ndigits);
>  	if (!product) {
>  		ret = -ENOMEM;
>  		goto err_alloc_product;
>  	}
>  
> -	ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
> +	ecc_point_mult(product, pk, private_key, rand_z, curve, ndigits);
>  
>  	if (ecc_point_is_zero(product)) {
>  		ret = -EFAULT;
> @@ -1692,7 +1684,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
>  	ecc_swap_digits(product->x, secret, ndigits);
>  
>  err_validity:
> -	memzero_explicit(priv, sizeof(priv));
>  	memzero_explicit(rand_z, sizeof(rand_z));
>  	ecc_free_point(product);
>  err_alloc_product:
> diff --git a/crypto/ecdh.c b/crypto/ecdh.c
> index c02c9a2b9682..72cfd1590156 100644
> --- a/crypto/ecdh.c
> +++ b/crypto/ecdh.c
> @@ -27,7 +27,6 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
>  			   unsigned int len)
>  {
>  	struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
> -	u64 priv[ECC_MAX_DIGITS];
>  	struct ecdh params;
>  	int ret = 0;
>  
> @@ -41,15 +40,14 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
>  		return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
>  				       ctx->private_key);
>  
> -	memcpy(ctx->private_key, params.key, params.key_size);
> -	ecc_swap_digits(ctx->private_key, priv, ctx->ndigits);
> +	ecc_digits_from_bytes(params.key, params.key_size,
> +			      ctx->private_key, ctx->ndigits);
>  
>  	if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
> -			     priv, params.key_size) < 0) {
> +			     ctx->private_key, params.key_size) < 0) {
>  		memzero_explicit(ctx->private_key, params.key_size);
>  		ret = -EINVAL;
>  	}
> -	memzero_explicit(priv, sizeof(priv));
>  
>  	return ret;
>  }
> diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
> index 4e2f5f938e91..7ca1f463d1ec 100644
> --- a/include/crypto/internal/ecc.h
> +++ b/include/crypto/internal/ecc.h
> @@ -103,7 +103,8 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
>   * Returns 0 if the private key was generated successfully, a negative value
>   * if an error occurred.
>   */
> -int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey);
> +int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
> +		    u64 *private_key);
>  
>  /**
>   * ecc_make_pub_key() - Compute an ECC public key

Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

     prev parent reply	other threads:[~2024-04-17 22:43 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-17 16:21 [PATCH v2 0/2] crypto: ecdh & ecc: Fix private key byte ordering issues Stefan Berger
2024-04-17 16:21 ` [PATCH v2 1/2] crypto: ecdh - Pass private key in proper byte order to check valid key Stefan Berger
2024-04-17 22:42   ` Jarkko Sakkinen
2024-04-17 16:21 ` [PATCH v2 2/2] crypto: ecdh & ecc - Initialize ctx->private_key in proper byte order Stefan Berger
2024-04-17 22:43   ` Jarkko Sakkinen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=D0MRF0NXMBZ4.1N89J0L8RWWBM@kernel.org \
    --to=jarkko@kernel.org \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=git@jvdsn.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=salvatore.benedetto@intel.com \
    --cc=stefanb@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).