crypto: ecdh - Initialize ctx->private_key in proper byte order
The private key in ctx->private_key is currently initialized in reverse byte order in ecdh_set_secret and whenever the key is needed in proper byte order the variable priv is introduced and the bytes from ctx->private_key are copied into priv while being byte-swapped (ecc_swap_digits). To get rid of the unnecessary byte swapping initialize ctx->private_key in proper byte order and clean up all functions that were previously using priv or were called with ctx->private_key: - ecc_gen_privkey: Directly initialize the passed ctx->private_key with random bytes filling all the digits of the private key. Get rid of the priv variable. This function only has ecdh_set_secret as a caller to create NIST P192/256/384 private keys. - crypto_ecdh_shared_secret: Called only from ecdh_compute_value with ctx->private_key. Get rid of the priv variable and work with the passed private_key directly. - ecc_make_pub_key: Called only from ecdh_compute_value with ctx->private_key. Get rid of the priv variable and work with the passed private_key directly. Cc: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
parent
bd955a4e92
commit
01474b70a7
29
crypto/ecc.c
29
crypto/ecc.c
@ -1497,10 +1497,10 @@ EXPORT_SYMBOL(ecc_is_key_valid);
|
||||
* This method generates a private key uniformly distributed in the range
|
||||
* [2, n-3].
|
||||
*/
|
||||
int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
|
||||
int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
|
||||
u64 *private_key)
|
||||
{
|
||||
const struct ecc_curve *curve = ecc_get_curve(curve_id);
|
||||
u64 priv[ECC_MAX_DIGITS];
|
||||
unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
|
||||
unsigned int nbits = vli_num_bits(curve->n, ndigits);
|
||||
int err;
|
||||
@ -1509,7 +1509,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
|
||||
* Step 1 & 2: check that N is included in Table 1 of FIPS 186-5,
|
||||
* section 6.1.1.
|
||||
*/
|
||||
if (nbits < 224 || ndigits > ARRAY_SIZE(priv))
|
||||
if (nbits < 224)
|
||||
return -EINVAL;
|
||||
|
||||
/*
|
||||
@ -1527,17 +1527,16 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
|
||||
return -EFAULT;
|
||||
|
||||
/* Step 3: obtain N returned_bits from the DRBG. */
|
||||
err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes);
|
||||
err = crypto_rng_get_bytes(crypto_default_rng,
|
||||
(u8 *)private_key, nbytes);
|
||||
crypto_put_default_rng();
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
/* Step 4: make sure the private key is in the valid range. */
|
||||
if (__ecc_is_key_valid(curve, priv, ndigits))
|
||||
if (__ecc_is_key_valid(curve, private_key, ndigits))
|
||||
return -EINVAL;
|
||||
|
||||
ecc_swap_digits(priv, privkey, ndigits);
|
||||
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL(ecc_gen_privkey);
|
||||
@ -1547,23 +1546,20 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits,
|
||||
{
|
||||
int ret = 0;
|
||||
struct ecc_point *pk;
|
||||
u64 priv[ECC_MAX_DIGITS];
|
||||
const struct ecc_curve *curve = ecc_get_curve(curve_id);
|
||||
|
||||
if (!private_key || ndigits > ARRAY_SIZE(priv)) {
|
||||
if (!private_key) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ecc_swap_digits(private_key, priv, ndigits);
|
||||
|
||||
pk = ecc_alloc_point(ndigits);
|
||||
if (!pk) {
|
||||
ret = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits);
|
||||
ecc_point_mult(pk, &curve->g, private_key, NULL, curve, ndigits);
|
||||
|
||||
/* SP800-56A rev 3 5.6.2.1.3 key check */
|
||||
if (ecc_is_pubkey_valid_full(curve, pk)) {
|
||||
@ -1647,13 +1643,11 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
|
||||
{
|
||||
int ret = 0;
|
||||
struct ecc_point *product, *pk;
|
||||
u64 priv[ECC_MAX_DIGITS];
|
||||
u64 rand_z[ECC_MAX_DIGITS];
|
||||
unsigned int nbytes;
|
||||
const struct ecc_curve *curve = ecc_get_curve(curve_id);
|
||||
|
||||
if (!private_key || !public_key ||
|
||||
ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) {
|
||||
if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
@ -1674,15 +1668,13 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
|
||||
if (ret)
|
||||
goto err_alloc_product;
|
||||
|
||||
ecc_swap_digits(private_key, priv, ndigits);
|
||||
|
||||
product = ecc_alloc_point(ndigits);
|
||||
if (!product) {
|
||||
ret = -ENOMEM;
|
||||
goto err_alloc_product;
|
||||
}
|
||||
|
||||
ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
|
||||
ecc_point_mult(product, pk, private_key, rand_z, curve, ndigits);
|
||||
|
||||
if (ecc_point_is_zero(product)) {
|
||||
ret = -EFAULT;
|
||||
@ -1692,7 +1684,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
|
||||
ecc_swap_digits(product->x, secret, ndigits);
|
||||
|
||||
err_validity:
|
||||
memzero_explicit(priv, sizeof(priv));
|
||||
memzero_explicit(rand_z, sizeof(rand_z));
|
||||
ecc_free_point(product);
|
||||
err_alloc_product:
|
||||
|
@ -27,7 +27,6 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
|
||||
unsigned int len)
|
||||
{
|
||||
struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
|
||||
u64 priv[ECC_MAX_DIGITS];
|
||||
struct ecdh params;
|
||||
int ret = 0;
|
||||
|
||||
@ -41,15 +40,14 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
|
||||
return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
|
||||
ctx->private_key);
|
||||
|
||||
memcpy(ctx->private_key, params.key, params.key_size);
|
||||
ecc_swap_digits(ctx->private_key, priv, ctx->ndigits);
|
||||
ecc_digits_from_bytes(params.key, params.key_size,
|
||||
ctx->private_key, ctx->ndigits);
|
||||
|
||||
if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
|
||||
priv, params.key_size) < 0) {
|
||||
ctx->private_key, params.key_size) < 0) {
|
||||
memzero_explicit(ctx->private_key, params.key_size);
|
||||
ret = -EINVAL;
|
||||
}
|
||||
memzero_explicit(priv, sizeof(priv));
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@ -103,7 +103,8 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
|
||||
* Returns 0 if the private key was generated successfully, a negative value
|
||||
* if an error occurred.
|
||||
*/
|
||||
int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey);
|
||||
int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
|
||||
u64 *private_key);
|
||||
|
||||
/**
|
||||
* ecc_make_pub_key() - Compute an ECC public key
|
||||
|
Loading…
Reference in New Issue
Block a user