From: Stephan Müller
To: herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, Marcelo Cerri, Tianjia Zhang, ard.biesheuvel@linaro.org, nhorman@redhat.com, simo@redhat.com
Subject: [PATCH v3 1/5] crypto: ECDH - check validity of Z before export
Date: Mon, 20 Jul 2020 19:07:48 +0200
Message-ID: <1759349.tdWV9SEqCh@positron.chronox.de>
In-Reply-To: <2544426.mvXUDI8C0e@positron.chronox.de>
References: <2543601.mvXUDI8C0e@positron.chronox.de> <5722559.lOV4Wx5bFT@positron.chronox.de> <2544426.mvXUDI8C0e@positron.chronox.de>

SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. Thus, the export function and the validity check functions are
reversed.

In addition, the sensitive variables of priv and rand_z are zeroized.

Signed-off-by: Stephan Mueller
---
 crypto/ecc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 02d35be7702b..52e2d49262f2 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 
 	ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
 
-	ecc_swap_digits(product->x, secret, ndigits);
-
-	if (ecc_point_is_zero(product))
+	if (ecc_point_is_zero(product)) {
 		ret = -EFAULT;
+		goto err_validity;
+	}
+
+	ecc_swap_digits(product->x, secret, ndigits);
+err_validity:
+	memzero_explicit(priv, sizeof(priv));
+	memzero_explicit(rand_z, sizeof(rand_z));
 
 	ecc_free_point(product);
 err_alloc_product:
 	ecc_free_point(pk);
-- 
2.26.2
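Review bot: the two memzero_explicit() calls sit above the err_alloc_product: label, so the existing goto err_alloc_product (and any error exit before it) returns without wiping priv and rand_z; if those buffers are already populated by then, which this hunk does not show, the zeroization belongs below that label or in the function's common exit path so every return passes through it. Two smaller points on the same lines: sizeof(priv) and sizeof(rand_z) only give the buffer length if both are arrays rather than pointers, and the hunk does not show their declarations; and product->x still holds Z until ecc_free_point(product), so whether that free is a sensitive free is worth confirming, since the point of the change is to not leave the shared secret behind. Keeping -EFAULT for a computed point at infinity is pre-existing, though -EINVAL reads as the more conventional code for an invalid result.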
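The ordering the patch establishes (reject Z = O before anything is written to the caller's buffer, then wipe the scalar) is easiest to see on a curve where the point at infinity is actually reachable from a peer-supplied key. The following is an added example, not kernel code and not the author's: it uses a constructed toy curve y^2 = x^3 + x + 1 over F_23, whose group has 28 points, so T = (4,0) has order 2 and G7 = (13,16) generates the prime-order-7 subgroup used for the exchange. The names ecdh_shared_secret, ecdh_shared_secret_prefix, ecdh_pubkey_valid, wipe and the curve constants are this example's own. It goes one step beyond the patch by also showing the full public-key validation of SP800-56A section 5.6.2.3 (on-curve and order check), which rejects T before any scalar multiplication happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy curve for illustration only: y^2 = x^3 + x + 1 over F_23.
 * 28 points in total, so NOT prime order: T = (4,0) has order 2, and
 * G7 = (13,16) generates the prime-order-7 subgroup used for ECDH below. */
#define P_MOD      23
#define CURVE_A    1
#define CURVE_B    1
#define SUBGROUP_N 7

struct pt { int64_t x, y; int inf; };

static const struct pt G7 = { 13, 16, 0 };   /* honest base point, order 7 */
static const struct pt T  = { 4, 0, 0 };     /* order-2 point an attacker could send */

static int64_t md(int64_t v) { v %= P_MOD; return v < 0 ? v + P_MOD : v; }

/* Modular inverse by Fermat (P_MOD prime); callers never pass 0 mod P_MOD. */
static int64_t inv(int64_t a)
{
	int64_t r = 1, b = md(a), e = P_MOD - 2;
	while (e) { if (e & 1) r = md(r * b); b = md(b * b); e >>= 1; }
	return r;
}

static struct pt add(struct pt p, struct pt q)
{
	struct pt r = { 0, 0, 1 };
	int64_t l;

	if (p.inf) return q;
	if (q.inf) return p;
	if (p.x == q.x && md(p.y + q.y) == 0) return r;   /* p == -q, incl. 2*(x,0) = O */
	if (p.x == q.x && p.y == q.y)
		l = md((3 * p.x * p.x + CURVE_A) * inv(2 * p.y));
	else
		l = md((q.y - p.y) * inv(q.x - p.x));
	r.inf = 0;
	r.x = md(l * l - p.x - q.x);
	r.y = md(l * (p.x - r.x) - p.y);
	return r;
}

/* Double-and-add scalar multiplication (not constant time; toy only). */
static struct pt mul(struct pt q, uint64_t k)
{
	struct pt r = { 0, 0, 1 };
	while (k) { if (k & 1) r = add(r, q); q = add(q, q); k >>= 1; }
	return r;
}

/* Stand-in for memzero_explicit(): volatile stores the compiler cannot elide. */
static void wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--) *v++ = 0;
}

/* Full public-key validation: coordinates in range, on the curve, in the order-N subgroup. */
int ecdh_pubkey_valid(const struct pt *pub)
{
	if (pub->inf) return 0;
	if (pub->x < 0 || pub->x >= P_MOD || pub->y < 0 || pub->y >= P_MOD) return 0;
	if (md(pub->y * pub->y) != md(pub->x * pub->x * pub->x + CURVE_A * pub->x + CURVE_B))
		return 0;
	return mul(*pub, SUBGROUP_N).inf;
}

/* Patched ordering: reject Z = O before *secret is touched, then wipe.
 * Returns 0 on success, -1 (the kernel uses -EFAULT) if the product is O. */
int ecdh_shared_secret(uint64_t priv, const struct pt *pub, int64_t *secret)
{
	struct pt product = mul(*pub, priv);
	int ret = 0;

	if (product.inf) {
		ret = -1;
		goto out;
	}
	*secret = product.x;
out:
	wipe(&product, sizeof(product));
	wipe(&priv, sizeof(priv));
	return ret;
}

/* Pre-patch ordering: x is exported first, so *secret is written even on failure. */
int ecdh_shared_secret_prefix(uint64_t priv, const struct pt *pub, int64_t *secret)
{
	struct pt product = mul(*pub, priv);
	*secret = product.x;
	return product.inf ? -1 : 0;
}

int main(void)
{
	int64_t a = -1, b = -1;
	struct pt pa = mul(G7, 5), pb = mul(G7, 3);

	ecdh_shared_secret(5, &pb, &a);
	ecdh_shared_secret(3, &pa, &b);
	printf("honest exchange: %ld == %ld\n", (long)a, (long)b);
	a = -1;
	printf("peer key T, priv 4: ret=%d, buffer untouched=%d\n",
	       ecdh_shared_secret(4, &T, &a), a == -1);
	printf("full validation rejects T: %d\n", !ecdh_pubkey_valid(&T));
	return 0;
}
```

With priv = 4 the product is O and the patched function returns an error without writing the buffer, whereas the pre-patch ordering writes the infinity representation's x into it first. With priv = 5 the product is T itself, so the O check alone still hands back x = 4, which leaks the parity of the scalar; that is why the O check is step 2 of the shared-secret computation and not a substitute for validating the peer key, which ecdh_pubkey_valid() rejects outright.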