Date: Wed, 14 Jun 2023 17:50:52 +0800
From: Herbert Xu
To: Mahmoud Adam
Cc: davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Stephan Mueller
Subject: Re: [PATCH] crypto: rsa - allow only odd e and restrict value in FIPS mode
Message-ID:
References: <20230613161731.74081-1-mngyadam@amazon.com>
In-Reply-To: <20230613161731.74081-1-mngyadam@amazon.com>
X-Mailing-List: linux-crypto@vger.kernel.org

On Tue, Jun 13, 2023 at 04:17:31PM +0000, Mahmoud Adam wrote:
> check if rsa public exponent is odd and check its value is between
> 2^16 < e < 2^256.
>
> FIPS 186-5 DSS (page 35)[1] specifies that:
> 1. The public exponent e shall be selected with the following constraints:
> (a) The public verification exponent e shall be selected prior to
> generating the primes, p and q, and the private signature exponent
> d.
> (b) The exponent e shall be an odd positive integer such that:
> 2^16 < e < 2^256.
>
> [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
>
> Signed-off-by: Mahmoud Adam
> ---
> crypto/rsa.c | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/crypto/rsa.c b/crypto/rsa.c
> index c50f2d2a4d06..c79613cdce6e 100644
> --- a/crypto/rsa.c
> +++ b/crypto/rsa.c
> @@ -205,6 +205,32 @@ static int rsa_check_key_length(unsigned int len) > return -EINVAL; > } > > +static int rsa_check_exponent_fips(MPI e) > +{ > + MPI e_max = NULL; > + > + /* check if odd */ > + if (!mpi_test_bit(e, 0)) { > + return -EINVAL; > + } > + > + /* check if 2^16 < e < 2^256. */ > + if (mpi_cmp_ui(e, 65536) <= 0) { > + return -EINVAL; > + } > + > + e_max = mpi_alloc(0); > + mpi_set_bit(e_max, 256); > + > + if (mpi_cmp(e, e_max) >= 0) { > + mpi_free(e_max); > + return -EINVAL; > + } > + > + mpi_free(e_max); > + return 0; > +} > + > static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, > unsigned int keylen) > { > @@ -232,6 +258,11 @@ static int rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, > return -EINVAL; > } > > + if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) { > + rsa_free_mpi_key(mpi_key); > + return -EINVAL; > + } > + > return 0; > > err: > @@ -290,6 +321,11 @@ static int rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key, > return -EINVAL; > } > > + if (fips_enabled && rsa_check_exponent_fips(mpi_key->e)) { > + rsa_free_mpi_key(mpi_key); > + return -EINVAL; > + } > + > return 0; > > err: > -- > 2.40.1

Cc Stephan Mueller

-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
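Review bot: in the first hunk (rsa_check_exponent_fips), the result of `mpi_alloc(0)` is passed straight to `mpi_set_bit(e_max, 256)` without a NULL check, so an allocation failure becomes a NULL dereference instead of an error return. Either check `e_max` and return -ENOMEM, or drop the allocation entirely and compare bit lengths, e.g. `if (mpi_get_nbits(e) > 256) return -EINVAL;`, which is the same test as `e >= 2^256` and cannot fail. The lower bound `mpi_cmp_ui(e, 65536) <= 0` is correct as written: it rejects 2^16 and admits 65537. Minor style point: kernel style omits the braces around single-statement `if` bodies.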
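Review bot: the second hunk applies the check in rsa_set_pub_key, i.e. also to public keys generated elsewhere and loaded only for verification, whereas the FIPS 186-5 text quoted in the commit message constrains how e is selected when a key pair is generated. With fips_enabled, any such key with e = 3 or e = 17 (both fail `mpi_cmp_ui(e, 65536) <= 0`) is now rejected with -EINVAL. If rejecting those keys in FIPS mode is intended, the commit message should say so explicitly, since it changes which peer keys a FIPS-mode system accepts; if not, the check belongs on the private-key path only.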
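Review bot: the third hunk in rsa_set_priv_key duplicates the four lines added to rsa_set_pub_key verbatim, and both sites already free mpi_key and return -EINVAL on the preceding length check. Consider folding the exponent test into one helper that takes `mpi_key` (or into the existing length-check path that immediately precedes it) so the two callers stay in sync.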