crypto: ecc - check for invalid values in the key verification test
[ Upstream commit 2eb4942b6609d35a4e835644a33203b0aef7443d ] Currently used scalar multiplication algorithm (Matthieu Rivain, 2011) have invalid values for scalar == 1, n-1, and for regularized version n-2, which was previously not checked. Verify that they are not used as private keys. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Vitaly Chikunov
Greg Kroah-Hartman
parent
f38b78cf6f
commit
a2b797bbec
1 changed files with 26 additions and 16 deletions
42
crypto/ecc.c
42
crypto/ecc.c
|
|
@ -912,28 +912,41 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out,
|
||||||
out[i] = __swab64(in[ndigits - 1 - i]);
|
out[i] = __swab64(in[ndigits - 1 - i]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int __ecc_is_key_valid(const struct ecc_curve *curve,
|
||||||
|
const u64 *private_key, unsigned int ndigits)
|
||||||
|
{
|
||||||
|
u64 one[ECC_MAX_DIGITS] = { 1, };
|
||||||
|
u64 res[ECC_MAX_DIGITS];
|
||||||
|
|
||||||
|
if (!private_key)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (curve->g.ndigits != ndigits)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
/* Make sure the private key is in the range [2, n-3]. */
|
||||||
|
if (vli_cmp(one, private_key, ndigits) != -1)
|
||||||
|
return -EINVAL;
|
||||||
|
vli_sub(res, curve->n, one, ndigits);
|
||||||
|
vli_sub(res, res, one, ndigits);
|
||||||
|
if (vli_cmp(res, private_key, ndigits) != 1)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
|
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
|
||||||
const u64 *private_key, unsigned int private_key_len)
|
const u64 *private_key, unsigned int private_key_len)
|
||||||
{
|
{
|
||||||
int nbytes;
|
int nbytes;
|
||||||
const struct ecc_curve *curve = ecc_get_curve(curve_id);
|
const struct ecc_curve *curve = ecc_get_curve(curve_id);
|
||||||
|
|
||||||
if (!private_key)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
|
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
|
||||||
|
|
||||||
if (private_key_len != nbytes)
|
if (private_key_len != nbytes)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
if (vli_is_zero(private_key, ndigits))
|
return __ecc_is_key_valid(curve, private_key, ndigits);
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
/* Make sure the private key is in the range [1, n-1]. */
|
|
||||||
if (vli_cmp(curve->n, private_key, ndigits) != 1)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
@ -979,11 +992,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
if (vli_is_zero(priv, ndigits))
|
/* Make sure the private key is in the valid range. */
|
||||||
return -EINVAL;
|
if (__ecc_is_key_valid(curve, priv, ndigits))
|
||||||
|
|
||||||
/* Make sure the private key is in the range [1, n-1]. */
|
|
||||||
if (vli_cmp(curve->n, priv, ndigits) != 1)
|
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
ecc_swap_digits(priv, privkey, ndigits);
|
ecc_swap_digits(priv, privkey, ndigits);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue