Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp502141ybh; Wed, 22 Jul 2020 06:12:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx5lr6FCXdWHFdL5uA/rH1uAIB31NtsC0OxiIhGpiXJMHPkVT2JJOSfULmc45wp6kFLGq2g X-Received: by 2002:aa7:ca05:: with SMTP id y5mr31361083eds.204.1595423522654; Wed, 22 Jul 2020 06:12:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595423522; cv=none; d=google.com; s=arc-20160816; b=w1gupPlqFYNbFyj1PnCQ3hLj2NFrhVslqNueevQMPEtOATRbsUOKwzSo0kutZx9XS6 ZY++aOso+DvmPti1cOqinGDr1Mr+ncWwnU3Qfn4Q1EF2Hwry1zfI/9+OVH+6y5ZI1HmR VI3Z8SX4ywcaYPTcBHyxyt8q10PAe5v6rp+p5n+QnSU9c84Vy6hRki6CMvM/rYV50blj zIEOKif4zJr3HGQiecsZ6NC7KmsRYqEnP4GbOUkxIjW6jdRnn1x1UohYYTklWwZM45ak 3TLqZDgyU8wZDh9dNMmVYB7w5QgTIeJtGhMlCHgQG4EiyLL2co1dlkLUxC3d9xf8jG3a 0OIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:mail-followup-to:message-id:subject:cc:to:from:date; bh=zu2u8Fx6uo+yrcOsOoXldQzdGCMC3WjvsjJoGyCvCdM=; b=LJAQAXwe/18JjsxE+i+gtNj4M/lZzxWP8hZDeZjGYp6viO0RQODD/CLpZyMLKmhgvL R8Qg7GXog+dUAggDl9ODcP+Ei9SCVEsUBLQyxdt/jX8QFkACeZYHawDe704w8pRMBp4z rxkdWggHMDt72JhmaNMswu4FGf9bGqjJkUA1swkEHGmYEB6RRUfgX+YBjSSry7jn0vyA vQnRLv4bAIwBnlEQOm/7sC6+/RfHsqkY3IRbO7GwEVO7j1hrTfxRsCQxdOYOWtFRi2Au DuK32stxSQfwCaeLIGvzXiBsJ64w1EGwMHa4L9JUiis52rvgJQHeWsMbRQd+FkYyOKyQ KB0g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b10si13738893ejv.385.2020.07.22.06.11.30; Wed, 22 Jul 2020 06:12:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726241AbgGVNL2 (ORCPT + 99 others); Wed, 22 Jul 2020 09:11:28 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:56360 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725878AbgGVNL2 (ORCPT ); Wed, 22 Jul 2020 09:11:28 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id AC5C872CCDC; Wed, 22 Jul 2020 16:11:24 +0300 (MSK) Received: from altlinux.org (sole.flsd.net [185.75.180.6]) by imap.altlinux.org (Postfix) with ESMTPSA id 854704A4AEE; Wed, 22 Jul 2020 16:11:24 +0300 (MSK) Date: Wed, 22 Jul 2020 16:11:24 +0300 From: Vitaly Chikunov To: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, Marcelo Cerri , Tianjia Zhang , ard.biesheuvel@linaro.org, nhorman@redhat.com, simo@redhat.com Cc: Stephan =?utf-8?Q?M=C3=BCller?= Subject: Re: [PATCH v3 1/5] crypto: ECDH - check validity of Z before export Message-ID: <20200722131124.5m2jzuuhl2jc374u@altlinux.org> Mail-Followup-To: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, Marcelo Cerri , Tianjia Zhang , ard.biesheuvel@linaro.org, nhorman@redhat.com, simo@redhat.com, Stephan =?utf-8?Q?M=C3=BCller?= References: <2543601.mvXUDI8C0e@positron.chronox.de> <5722559.lOV4Wx5bFT@positron.chronox.de> <2544426.mvXUDI8C0e@positron.chronox.de> <1759349.tdWV9SEqCh@positron.chronox.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1759349.tdWV9SEqCh@positron.chronox.de> User-Agent: NeoMutt/20171215-106-ac61c7 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Jul 20, 2020 at 07:07:48PM +0200, Stephan Müller wrote: > SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the > calculated shared secret is verified before the data is returned to the > caller. Thus, the export function and the validity check functions are > reversed. In addition, the sensitive variables of priv and rand_z are > zeroized. > > Signed-off-by: Stephan Mueller > --- > crypto/ecc.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) This patch seems not changed from v2, thus Reviewed-by: Vitaly Chikunov > > diff --git a/crypto/ecc.c b/crypto/ecc.c > index 02d35be7702b..52e2d49262f2 100644 > --- a/crypto/ecc.c > +++ b/crypto/ecc.c > @@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > > ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); > > - ecc_swap_digits(product->x, secret, ndigits); > - > - if (ecc_point_is_zero(product)) > + if (ecc_point_is_zero(product)) { > ret = -EFAULT; > + goto err_validity; > + } > + > + ecc_swap_digits(product->x, secret, ndigits); > > +err_validity: > + memzero_explicit(priv, sizeof(priv)); > + memzero_explicit(rand_z, sizeof(rand_z)); > ecc_free_point(product); > err_alloc_product: > ecc_free_point(pk); > -- > 2.26.2 > > >