Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1464836rdb; Mon, 2 Oct 2023 10:12:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHYVV7ouy/Q1Gza5lsdsaY0WlLUjPSXr1frBuFxKjERJRP8qZzh7g6RGBTFAtoS/gyeGjWp X-Received: by 2002:a17:903:278f:b0:1c1:e7b2:27ad with SMTP id jw15-20020a170903278f00b001c1e7b227admr9611190plb.60.1696266767350; Mon, 02 Oct 2023 10:12:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696266767; cv=none; d=google.com; s=arc-20160816; b=z7lZH8e2an912jBpGINkXaki419crxQab/m9magT9GSJPWBx2FKm0GEezDEPKCiRqZ RcPVtU43/qafrA9DTCzzRBEvETdhDqMuwI4x+kkw+Szbj+VEwbaduPvr1olOa9e1wPD1 fJChUFFvRMaVKQNO9Ql6vfmnwc0qfZ7HspxP+izuOS0Yy1xyDpNnvYaX5nGYMb8M0z39 dwX6M5b4QRd7yLozRV/T2FfWdQvN81LhOLE63nRSj+9PjJ/LnVQEzRGRb3THuwVbHyG1 5Tv4M0gpl/5hmh1K1aQaDoNiKP/fgE8JJzybMFbFZysloK5QvgdEnk9waY6dbZ6R2qLa hpvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=K5w/ggOcP9DnRSIT/HEbH1sggCd/27EMe33soFqtSU4=; fh=VytaWnrtIe6rQzSTidyaXKVP21CYVB05Erb1vcNmZ/4=; b=WG2WRNETtAz7fvYCyM9arS4QO34vJy9TYAVipXKWc7NkVsv0e8XogFsVHDn23K+IXA fjks+LuV3KTKq89oL67p3khjMWzbCkC6Ww1hrXpdmRh11hcH+sfIBViNyBk04K//MAHh kKKU5uOXOovxE7nrjGq/+MgI7XPFRkXZRbD/FTUWdUtjnwtOPDBXfu4vuinskpmLM5+I NFxWEzuWPVE3k3k5NNMVmCdjje1RWbMaK7DQ6z3RAgeR74VHGJtm55ixJITkjg9mF8sJ HccLONcPpOeGQM8jT6bbKq1Ho7Qfaq5+RDMtlr9lO3hHHTQqygml6D34g1Uh5I3pBDiy jjgQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id l6-20020a170902f68600b001c3fa9a1e3esi2066757plg.493.2023.10.02.10.12.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 10:12:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 56C50802D452; Mon, 2 Oct 2023 09:58:16 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238607AbjJBQ6O (ORCPT + 99 others); Mon, 2 Oct 2023 12:58:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59880 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238576AbjJBQ6I (ORCPT ); Mon, 2 Oct 2023 12:58:08 -0400 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77451C4; Mon, 2 Oct 2023 09:58:04 -0700 (PDT) Received: from lhrpeml500005.china.huawei.com (unknown [172.18.147.201]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4RznFY4SKmz6K7FC; Tue, 3 Oct 2023 00:57:53 +0800 (CST) Received: from localhost (10.202.227.76) by lhrpeml500005.china.huawei.com (7.191.163.240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Mon, 2 Oct 2023 17:58:00 +0100 Date: Mon, 2 Oct 2023 17:57:59 +0100 From: Jonathan Cameron To: Lukas Wunner CC: Bjorn Helgaas , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , , , , , , , , David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 06/12] crypto: ecdsa - Support P1363 signature encoding Message-ID: <20231002175759.00000e93@Huawei.com> In-Reply-To: <4f98bb7ee2e660a8b4513a94ed79f4f29d1ff379.1695921657.git.lukas@wunner.de> References: <4f98bb7ee2e660a8b4513a94ed79f4f29d1ff379.1695921657.git.lukas@wunner.de> Organization: Huawei Technologies Research and Development (UK) Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.33; x86_64-w64-mingw32) MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.202.227.76] X-ClientProxiedBy: lhrpeml500001.china.huawei.com (7.191.163.213) To lhrpeml500005.china.huawei.com (7.191.163.240) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Mon, 02 Oct 2023 09:58:16 -0700 (PDT) On Thu, 28 Sep 2023 19:32:36 +0200 Lukas Wunner wrote: > Alternatively to the X9.62 encoding of ecdsa signatures, which uses > ASN.1 and is already supported by the kernel, there's another common > encoding called P1363. It stores r and s as the concatenation of two > big endian, unsigned integers. The name originates from IEEE P1363. > > The Security Protocol and Data Model (SPDM) specification prescribes > that ecdsa signatures are encoded according to P1363: > > "For ECDSA signatures, excluding SM2, in SPDM, the signature shall be > the concatenation of r and s. The size of r shall be the size of > the selected curve. Likewise, the size of s shall be the size of > the selected curve. See BaseAsymAlgo in NEGOTIATE_ALGORITHMS for > the size of r and s. The byte order for r and s shall be in big > endian order. When placing ECDSA signatures into an SPDM signature > field, r shall come first followed by s." > > (SPDM 1.2.1 margin no 44, > https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.2.1.pdf) > > A subsequent commit introduces an SPDM library to enable PCI device > authentication, so add support for P1363 ecdsa signature verification. Ah good. The spec got updated. I remember playing guess with the format against libspdm which wasn't fun :) One trivial formatting note inline. > > Signed-off-by: Lukas Wunner Reviewed-by: Jonathan Cameron > --- > crypto/asymmetric_keys/public_key.c | 8 ++++++-- > crypto/ecdsa.c | 16 +++++++++++++--- > crypto/testmgr.h | 15 +++++++++++++++ > 3 files changed, 34 insertions(+), 5 deletions(-) > > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > index 7f96e8e501db..84c4ed02a270 100644 > --- a/crypto/asymmetric_keys/public_key.c > +++ b/crypto/asymmetric_keys/public_key.c > @@ -105,7 +105,8 @@ software_key_determine_akcipher(const struct public_key *pkey, > return -EINVAL; > *sig = false; > } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { > - if (strcmp(encoding, "x962") != 0) > + if (strcmp(encoding, "x962") != 0 && > + strcmp(encoding, "p1363") != 0) > return -EINVAL; > /* > * ECDSA signatures are taken over a raw hash, so they don't > @@ -246,7 +247,10 @@ static int software_key_query(const struct kernel_pkey_params *params, > * which is actually 2 'key_size'-bit integers encoded in > * ASN.1. Account for the ASN.1 encoding overhead here. > */ > - info->max_sig_size = 2 * (len + 3) + 2; > + if (strcmp(params->encoding, "x962") == 0) > + info->max_sig_size = 2 * (len + 3) + 2; > + else if (strcmp(params->encoding, "p1363") == 0) > + info->max_sig_size = 2 * len; > } else { > info->max_data_size = len; > info->max_sig_size = len; > diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c > index fbd76498aba8..cc3082c6f67d 100644 > --- a/crypto/ecdsa.c > +++ b/crypto/ecdsa.c > @@ -159,10 +159,20 @@ static int ecdsa_verify(struct akcipher_request *req) > sg_nents_for_len(req->src, req->src_len + req->dst_len), > buffer, req->src_len + req->dst_len, 0); > > - ret = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, > - buffer, req->src_len); > - if (ret < 0) > + if (strcmp(req->enc, "x962") == 0) { > + ret = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, > + buffer, req->src_len); > + if (ret < 0) > + goto error; > + } else if (strcmp(req->enc, "p1363") == 0 && > + req->src_len == 2 * keylen) { > + ecc_swap_digits(buffer, sig_ctx.r, ctx->curve->g.ndigits); > + ecc_swap_digits(buffer + keylen, > + sig_ctx.s, ctx->curve->g.ndigits); Indent looks a little odd. > + } else { > + ret = -EINVAL; > goto error; > + } > > /* if the hash is shorter then we will add leading zeros to fit to ndigits */ > diff = keylen - req->dst_len; > diff --git a/crypto/testmgr.h b/crypto/testmgr.h > index ad57e7af2e14..f12f70818147 100644 > --- a/crypto/testmgr.h > +++ b/crypto/testmgr.h > @@ -674,6 +674,7 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = { > "\x68\x01\x9d\xba\xce\x83\x08\xef\x95\x52\x7b\xa0\x0f\xe4\x18\x86" > "\x80\x6f\xa5\x79\x77\xda\xd0", > .c_size = 55, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -698,6 +699,7 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = { > "\x4f\x53\x75\xc8\x02\x48\xeb\xc3\x92\x0f\x1e\x72\xee\xc4\xa3\xe3" > "\x5c\x99\xdb\x92\x5b\x36", > .c_size = 54, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -722,6 +724,7 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = { > "\x69\x43\xfd\x48\x19\x86\xcf\x32\xdd\x41\x74\x6a\x51\xc7\xd9\x7d" > "\x3a\x97\xd9\xcd\x1a\x6a\x49", > .c_size = 55, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -747,6 +750,7 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = { > "\xbc\x5a\x1f\x82\x96\x61\xd7\xd1\x01\x77\x44\x5d\x53\xa4\x7c\x93" > "\x12\x3b\x3b\x28\xfb\x6d\xe1", > .c_size = 55, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -773,6 +777,7 @@ static const struct akcipher_testvec ecdsa_nist_p192_tv_template[] = { > "\xb4\x22\x9a\x98\x73\x3c\x83\xa9\x14\x2a\x5e\xf5\xe5\xfb\x72\x28" > "\x6a\xdf\x97\xfd\x82\x76\x24", > .c_size = 55, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, > @@ -803,6 +808,7 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = { > "\x8a\xfa\x54\x93\x29\xa7\x70\x86\xf1\x03\x03\xf3\x3b\xe2\x73\xf7" > "\xfb\x9d\x8b\xde\xd4\x8d\x6f\xad", > .c_size = 72, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -829,6 +835,7 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = { > "\x4a\x77\x22\xec\xc8\x66\xbf\x50\x05\x58\x39\x0e\x26\x92\xce\xd5" > "\x2e\x8b\xde\x5a\x04\x0e", > .c_size = 70, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -855,6 +862,7 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = { > "\xa9\x81\xac\x4a\x50\xd0\x91\x0a\x6e\x1b\xc4\xaf\xe1\x83\xc3\x4f" > "\x2a\x65\x35\x23\xe3\x1d\xfa", > .c_size = 71, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -882,6 +890,7 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = { > "\x19\xfb\x5f\x92\xf4\xc9\x23\x37\x69\xf4\x3b\x4f\x47\xcf\x9b\x16" > "\xc0\x60\x11\x92\xdc\x17\x89\x12", > .c_size = 72, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -910,6 +919,7 @@ static const struct akcipher_testvec ecdsa_nist_p256_tv_template[] = { > "\x00\xdd\xab\xd4\xc0\x2b\xe6\x5c\xad\xc3\x78\x1c\xc2\xc1\x19\x76" > "\x31\x79\x4a\xe9\x81\x6a\xee", > .c_size = 71, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, > @@ -944,6 +954,7 @@ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = { > "\x74\xa0\x0f\xbf\xaf\xc3\x36\x76\x4a\xa1\x59\xf1\x1c\xa4\x58\x26" > "\x79\x12\x2a\xb7\xc5\x15\x92\xc5", > .c_size = 104, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -974,6 +985,7 @@ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = { > "\x4d\xd0\xc6\x6e\xb0\xe9\xfc\x14\x9f\x19\xd0\x42\x8b\x93\xc2\x11" > "\x88\x2b\x82\x26\x5e\x1c\xda\xfb", > .c_size = 104, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -1004,6 +1016,7 @@ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = { > "\xc0\x75\x3e\x23\x5e\x36\x4f\x8d\xde\x1e\x93\x8d\x95\xbb\x10\x0e" > "\xf4\x1f\x39\xca\x4d\x43", > .c_size = 102, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -1035,6 +1048,7 @@ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = { > "\x44\x92\x8c\x86\x99\x65\xb3\x97\x96\x17\x04\xc9\x05\x77\xf1\x8e" > "\xab\x8d\x4e\xde\xe6\x6d\x9b\x66", > .c_size = 104, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > }, { > @@ -1067,6 +1081,7 @@ static const struct akcipher_testvec ecdsa_nist_p384_tv_template[] = { > "\x5f\x8d\x7a\xf9\xfb\x34\xe4\x8b\x80\xa5\xb6\xda\x2c\x4e\x45\xcf" > "\x3c\x93\xff\x50\x5d", > .c_size = 101, > + .enc = "x962", > .public_key_vec = true, > .siggen_sigver_test = true, > },