From: Stephan =?ISO-8859-1?Q?M=FCller?= To: herbert@gondor.apana.org.au Cc: linux-crypto@vger.kernel.org, Marcelo Cerri , Tianjia Zhang Subject: [PATCH 1/3] crypto: ECDH - check validity of Z before export Date: Fri, 10 Jul 2020 12:10:07 +0200 Message-ID: <5377091.DvuYhMxLoT@positron.chronox.de> In-Reply-To: <2543601.mvXUDI8C0e@positron.chronox.de> References: <2543601.mvXUDI8C0e@positron.chronox.de> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From 5385865b3f44d331f91c6786a2e7f4e2fb4d8cb2 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Thu, 11 Jun 2020 08:12:54 +0200 Subject: SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller --- crypto/ecc.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 02d35be7702b..52e2d49262f2 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); - ecc_swap_digits(product->x, secret, ndigits); - - if (ecc_point_is_zero(product)) + if (ecc_point_is_zero(product)) { ret = -EFAULT; + goto err_validity; + } + + ecc_swap_digits(product->x, secret, ndigits); +err_validity: + memzero_explicit(priv, sizeof(priv)); + memzero_explicit(rand_z, sizeof(rand_z)); ecc_free_point(product); err_alloc_product: ecc_free_point(pk); -- 2.26.2
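Review bot: the two memzero_explicit() calls placed under the new err_validity: label are skipped by every exit that jumps to err_alloc_product: (that label is visible two lines further down in the same hunk), so on those earlier error paths priv and rand_z leave the function unscrubbed, which is exactly what the commit message says the patch sets out to prevent. Suggest moving `memzero_explicit(priv, sizeof(priv));` and `memzero_explicit(rand_z, sizeof(rand_z));` to the common exit after `ecc_free_point(pk);` (or to the function's final return) so every return path clears them, and keeping err_validity only to skip the export. Two smaller points: sizeof(priv) and sizeof(rand_z) cover the whole buffers only if both are fixed-size local arrays; the hunk does not show their declarations, so a comment (or an ARRAY_SIZE-derived length) would make that assumption explicit and stop the calls from silently shrinking to the size of a pointer if the storage is ever changed. And since the successful export `ecc_swap_digits(product->x, secret, ndigits);` now falls straight through into err_validity:, the label names an error path that the success path also takes; a neutral name such as out_zeroize would read more accurately. The reordering itself is correct: the caller's secret buffer is now written only after ecc_point_is_zero() has passed, so a failed check no longer leaves the x-coordinate of the point at infinity in the output.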