From: Vitaly Chikunov
To: Herbert Xu, "David S. Miller", linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Vitaly Chikunov
Subject: [PATCH] crypto: ecc - check for invalid values in the key verification test
Date: Mon, 5 Nov 2018 11:36:18 +0300
Message-Id: <20181105083618.29102-1-vt@altlinux.org>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: linux-kernel@vger.kernel.org

The currently used scalar multiplication algorithm (Matthieu Rivain, 2011) has invalid values for scalar == 1, n-1, and, for the regularized version, n-2, which were previously not checked. Verify that they are not used as private keys.
Signed-off-by: Vitaly Chikunov --- crypto/ecc.c | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index adcce310f646..ed1237115066 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -912,30 +912,43 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out, out[i] = __swab64(in[ndigits - 1 - i]); } -int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, - const u64 *private_key, unsigned int private_key_len) +static int __ecc_is_key_valid(const struct ecc_curve *curve, + const u64 *private_key, unsigned int ndigits) { - int nbytes; - const struct ecc_curve *curve = ecc_get_curve(curve_id); + u64 one[ECC_MAX_DIGITS] = { 1, }; + u64 res[ECC_MAX_DIGITS]; if (!private_key) return -EINVAL; - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; - - if (private_key_len != nbytes) + if (curve->g.ndigits != ndigits) return -EINVAL; - if (vli_is_zero(private_key, ndigits)) + /* Make sure the private key is in the range [2, n-3]. */ + if (vli_cmp(one, private_key, ndigits) != -1) return -EINVAL; - - /* Make sure the private key is in the range [1, n-1]. */ - if (vli_cmp(curve->n, private_key, ndigits) != 1) + vli_sub(res, curve->n, one, ndigits); + vli_sub(res, res, one, ndigits); + if (vli_cmp(res, private_key, ndigits) != 1) return -EINVAL; return 0; } +int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, + const u64 *private_key, unsigned int private_key_len) +{ + int nbytes; + const struct ecc_curve *curve = ecc_get_curve(curve_id); + + nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; + + if (private_key_len != nbytes) + return -EINVAL; + + return __ecc_is_key_valid(curve, private_key, ndigits); +} + /* * ECC private keys are generated using the method of extra random bits, * equivalent to that described in FIPS 186-4, Appendix B.4.1. 
@@ -979,11 +992,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) if (err) return err; - if (vli_is_zero(priv, ndigits)) - return -EINVAL; - - /* Make sure the private key is in the range [1, n-1]. */ - if (vli_cmp(curve->n, priv, ndigits) != 1) + /* Make sure the private key is in the valid range. */ + if (__ecc_is_key_valid(curve, priv, ndigits)) return -EINVAL; ecc_swap_digits(priv, privkey, ndigits); -- 2.11.0
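Review bot: in the first hunk, the new ecc_is_key_valid() wrapper hands the result of ecc_get_curve(curve_id) straight to __ecc_is_key_valid(), which dereferences it at `if (curve->g.ndigits != ndigits)` before anything else; if ecc_get_curve() can return NULL for a curve_id it does not recognise, this path oopses instead of returning -EINVAL, so add `if (!curve) return -EINVAL;` after the lookup (or at the top of the helper, which already checks private_key for NULL). The arithmetic itself looks right: `vli_cmp(one, private_key, ndigits) != -1` rejects 0 and 1, and comparing against n-2 rejects n-2 and above, giving exactly [2, n-3]. The comment `/* Make sure the private key is in the range [2, n-3]. */` states that range but not the reason; one line saying the scalar multiplication mishandles 1, n-1 and n-2 would stop a later reader from "fixing" it back to [1, n-1].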
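Review bot: in the second hunk, the replacement comment `/* Make sure the private key is in the valid range. */` drops the bound that the old comment stated; keep it explicit (`[2, n-3]`, matching the helper) so the generation path documents the same range as the validation path. Also worth noting, in the comment or the commit message, that a freshly drawn candidate that lands on 0, 1, n-2 or n-1 is reported to the caller as -EINVAL rather than regenerated; the odds of hitting one of four values out of n are negligible, but -EINVAL reads as a bad argument rather than an unlucky draw, so a short comment saying this is deliberate would help.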
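A stand-alone demonstration of the range check introduced by the patch, added here as an example; it is not kernel code and not from the patch author. It re-implements the kernel-style little-endian u64 digit helpers (vli_cmp, vli_sub, with the same return contract the patch relies on), applies the [2, n-3] test against the public NIST P-256 group order, and exercises every boundary value the commit message names. The functions range_check_small() and range_check_n_minus() are test hooks invented for this example.

```c
/*
 * Added example, not kernel code: re-implementation of the [2, n-3]
 * private-key range check from the patch, over little-endian 64-bit
 * digits as the kernel's vli helpers use.  The P-256 order is the public
 * NIST value; range_check_small()/range_check_n_minus() are invented hooks.
 */
#include <stdint.h>
#include <stdio.h>

#define NDIGITS 4  /* 256-bit order: four u64 digits, least significant first */

/* Group order n of NIST P-256 (secp256r1), little-endian digits. */
static const uint64_t p256_n[NDIGITS] = {
	0xF3B9CAC2FC632551ULL, 0xBCE6FAADA7179E84ULL,
	0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFF00000000ULL,
};

/* Kernel contract: 1 if left > right, -1 if left < right, 0 if equal. */
static int vli_cmp(const uint64_t *left, const uint64_t *right, unsigned int ndigits)
{
	for (int i = (int)ndigits - 1; i >= 0; i--) {
		if (left[i] > right[i])
			return 1;
		if (left[i] < right[i])
			return -1;
	}
	return 0;
}

/* result = left - right; returns 1 if a borrow fell off the top digit. */
static uint64_t vli_sub(uint64_t *result, const uint64_t *left,
			const uint64_t *right, unsigned int ndigits)
{
	uint64_t borrow = 0;

	for (unsigned int i = 0; i < ndigits; i++) {
		uint64_t d = left[i] - right[i];
		uint64_t b = left[i] < right[i];   /* borrow from this digit */
		b |= d < borrow;                   /* d - borrow underflows only if d == 0 */
		result[i] = d - borrow;
		borrow = b;
	}
	return borrow;
}

/*
 * Same logic as the patch's __ecc_is_key_valid(): accept only 2 <= key <= n-3.
 * Returns 0 for a usable key and -1 otherwise (the kernel returns -EINVAL).
 */
static int is_key_in_range(const uint64_t *n, const uint64_t *key, unsigned int ndigits)
{
	uint64_t one[NDIGITS] = { 1 };
	uint64_t res[NDIGITS];

	if (vli_cmp(one, key, ndigits) != -1)    /* rejects key <= 1 */
		return -1;
	vli_sub(res, n, one, ndigits);           /* res = n - 1 */
	vli_sub(res, res, one, ndigits);         /* res = n - 2 */
	if (vli_cmp(res, key, ndigits) != 1)     /* rejects key >= n - 2 */
		return -1;
	return 0;
}

/* Test hook: run the check on the small key value v. */
int range_check_small(uint64_t v)
{
	uint64_t key[NDIGITS] = { v };
	return is_key_in_range(p256_n, key, NDIGITS);
}

/* Test hook: run the check on key = n - k for a small k (k = 0 means key = n). */
int range_check_n_minus(uint64_t k)
{
	uint64_t kk[NDIGITS] = { k };
	uint64_t key[NDIGITS];

	vli_sub(key, p256_n, kk, NDIGITS);
	return is_key_in_range(p256_n, key, NDIGITS);
}

int main(void)
{
	static const char *tag[] = { "rejected", "accepted" };

	for (uint64_t v = 0; v <= 2; v++)
		printf("key = %llu:     %s\n", (unsigned long long)v,
		       tag[range_check_small(v) == 0]);
	for (uint64_t k = 3; k > 0; k--)
		printf("key = n - %llu: %s\n", (unsigned long long)k,
		       tag[range_check_n_minus(k) == 0]);
	printf("key = n:     %s\n", tag[range_check_n_minus(0) == 0]);
	return 0;
}
```

Only 2 and n-3 of the values printed are accepted; 0, 1, n-2, n-1 and n are all rejected, which is the behaviour the patch's two comparisons are meant to produce.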