diff mbox

[3/5] KEYS: DH: don't feed uninitialized result memory into KDF

Message ID 20170420054633.14572-4-ebiggers3@gmail.com (mailing list archive)
State Not Applicable
Delegated to: Herbert Xu
Headers show

Commit Message

Eric Biggers April 20, 2017, 5:46 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

The result of the Diffie-Hellman computation may be shorter than the
input prime number.  Only calculate the KDF over the actual result;
don't include additional uninitialized memory.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/dh.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

Comments

Stephan Mueller April 20, 2017, 1:27 p.m. UTC | #1
Am Donnerstag, 20. April 2017, 07:46:31 CEST schrieb Eric Biggers:

Hi Eric,

> From: Eric Biggers <ebiggers@google.com>
> 
> The result of the Diffie-Hellman computation may be shorter than the
> input prime number.  Only calculate the KDF over the actual result;
> don't include additional uninitialized memory.

Thank you for catching that (and all the rest). But I think this patch is not 
correct. If the DH operation results in a shorter value, the trailing part 
must be set to null and the KDF calculated over the entire prime length.

Thus, if the DH result is shorter than the prime, the memory should look like 
DH result || 0x00 <as often as needed to make it prime length> || otherinfo.

Thus, instead of this patch, I would think that the kmalloc call should be 
changed to a kzalloc.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  security/keys/dh.c | 22 ++++++++++------------
>  1 file changed, 10 insertions(+), 12 deletions(-)
> 
> diff --git a/security/keys/dh.c b/security/keys/dh.c
> index 1c1cac677041..a3a8607107f5 100644
> --- a/security/keys/dh.c
> +++ b/security/keys/dh.c
> @@ -313,17 +313,6 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user
> *params, goto error4;
>  	}
> 
> -	/*
> -	 * Concatenate SP800-56A otherinfo past DH shared secret -- the
> -	 * input to the KDF is (DH shared secret || otherinfo)
> -	 */
> -	if (kdfcopy &&
> -	    copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
> -			   kdfcopy->otherinfolen) != 0) {
> -		ret = -EFAULT;
> -		goto error5;
> -	}
> -
>  	ret = do_dh(result, base, private, prime);
>  	if (ret)
>  		goto error5;
> @@ -333,8 +322,17 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user
> *params, goto error5;
> 
>  	if (kdfcopy) {
> +		/*
> +		 * Concatenate SP800-56A otherinfo past DH shared secret -- the
> +		 * input to the KDF is (DH shared secret || otherinfo)
> +		 */
> +		if (copy_from_user(kbuf + nbytes, kdfcopy->otherinfo,
> +				   kdfcopy->otherinfolen) != 0) {
> +			ret = -EFAULT;
> +			goto error5;
> +		}
>  		ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
> -					    resultlen + kdfcopy->otherinfolen);
> +					    nbytes + kdfcopy->otherinfolen);
>  	} else {
>  		ret = nbytes;
>  		if (copy_to_user(buffer, kbuf, nbytes) != 0)



Ciao
Stephan
Eric Biggers April 20, 2017, 5:46 p.m. UTC | #2
Hi Stephan,

On Thu, Apr 20, 2017 at 03:27:17PM +0200, Stephan Müller wrote:
> Am Donnerstag, 20. April 2017, 07:46:31 CEST schrieb Eric Biggers:
> 
> Hi Eric,
> 
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > The result of the Diffie-Hellman computation may be shorter than the
> > input prime number.  Only calculate the KDF over the actual result;
> > don't include additional uninitialized memory.
> 
> Thank you for catching that (and all the rest). But I think this patch is not 
> correct. If the DH operation results in a shorter value, the trailing part 
> must be set to null and the KDF calculated over the entire prime length.
> 
> Thus, if the DH result is shorter than the prime, the memory should look like 
> DH result || 0x00 <as often as needed to make it prime length> || otherinfo.
> 
> Thus, instead of this patch, I would think that the kmalloc call should be 
> changed to a kzalloc.
> > 

Is this in the standard?  And is it the user-specified length of the prime
number, or the length after stripping leading zeroes?  Also, note that the
numbers are being represented in big endian format; is that required, or just
coincidental?  With big endian numbers leading zeroes go at the beginning, not
the end, otherwise their value will be changed...

By the way: do we really need this in the kernel at all, given that it's just
doing some math on data which userspace has access to?

- Eric
Stephan Mueller April 20, 2017, 6:38 p.m. UTC | #3
Am Donnerstag, 20. April 2017, 19:46:02 CEST schrieb Eric Biggers:

Hi Eric,

> Hi Stephan,
> 
> On Thu, Apr 20, 2017 at 03:27:17PM +0200, Stephan Müller wrote:
> > Am Donnerstag, 20. April 2017, 07:46:31 CEST schrieb Eric Biggers:
> > 
> > Hi Eric,
> > 
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > The result of the Diffie-Hellman computation may be shorter than the
> > > input prime number.  Only calculate the KDF over the actual result;
> > > don't include additional uninitialized memory.
> > 
> > Thank you for catching that (and all the rest). But I think this patch is
> > not correct. If the DH operation results in a shorter value, the trailing
> > part must be set to null and the KDF calculated over the entire prime
> > length.
> > 
> > Thus, if the DH result is shorter than the prime, the memory should look
> > like DH result || 0x00 <as often as needed to make it prime length> ||
> > otherinfo.
> > 
> > Thus, instead of this patch, I would think that the kmalloc call should be
> > changed to a kzalloc.
> 
> Is this in the standard? 

That is the gotcha that is not explicitly written in the standard. However, 
based on my experience with other implementations and tests like ECDSA and RSA 
CAVS testing, the standards seem to always interpreted to use the full allowed 
length. If the mathematical result is shorter than the defined length, it 
should be zero-padded.

> And is it the user-specified length of the prime
> number, or the length after stripping leading zeroes?

It should be the length of the prime used for the DH operation. As the prime 
is given with the DH parameters, the DH parameter set defines the length of 
the prime.

I cannot say about the stripping of leading zeros of user-provided primes 
because I have no idea where that is defined.

I would need to do some further research on this matter and check with the 
authors of the standard.

> Also, note that the
> numbers are being represented in big endian format; is that required, or
> just coincidental?  With big endian numbers leading zeroes go at the
> beginning, not the end, otherwise their value will be changed...

The numbers are MPI and are therefore big endian formats. Also the counter in 
the KDF is a big endian format which is mandated in the spec.

You are right that the zeros go to the beginning of the number and I made a 
wrong statement in my initial remark regarding the zero value.
> 
> - Ericinning and my initial remark regarding where the zeros are is wrong. 
Yet, IMHO we should not stip the zeros before applying the KDF as this would 
imply that the KDF result is different.
> 
> By the way: do we really need this in the kernel at all, given that it's
> just doing some math on data which userspace has access to?

It is the question about how we want the keys subsystem to operate. The DH 
shared secret shall not be used as a key. But the DH operation is part of the 
key subsystem. If there is never a case where the result of the DH operation 
is used in the kernel, then the KDF can be removed and my patches could be 
reverted. However, in this case, the entire DH business could be questioned as 
this can easily be done in user space as well.

Ciao
Stephan
Eric Biggers April 21, 2017, 3:44 a.m. UTC | #4
Hi Stephan,

On Thu, Apr 20, 2017 at 08:38:30PM +0200, Stephan Müller wrote:
> > 
> > By the way: do we really need this in the kernel at all, given that it's
> > just doing some math on data which userspace has access to?
> 
> It is the question about how we want the keys subsystem to operate. The DH 
> shared secret shall not be used as a key. But the DH operation is part of the 
> key subsystem. If there is never a case where the result of the DH operation 
> is used in the kernel, then the KDF can be removed and my patches could be 
> reverted. However, in this case, the entire DH business could be questioned as 
> this can easily be done in user space as well.
> 

Well, who exactly is asking for Diffie-Hellman in the kernel at all?  If it can
be done in userspace then it should be done there.  Having it in the kernel
means having yet another API that's callable by unprivileged users and needs to
be audited for security vulnerabilities.  Just because the kernel can support
doing hashes or has an arbitrary-precision arithmetic library or whatever
doesn't mean it's the right place to do random crypto stuff.

- Eric
David Howells April 27, 2017, 3:15 p.m. UTC | #5
Eric Biggers <ebiggers3@gmail.com> wrote:

> > > By the way: do we really need this in the kernel at all, given that it's
> > > just doing some math on data which userspace has access to?
> > 
> > It is the question about how we want the keys subsystem to operate. The DH
> > shared secret shall not be used as a key. But the DH operation is part of
> > the key subsystem. If there is never a case where the result of the DH
> > operation is used in the kernel, then the KDF can be removed and my
> > patches could be reverted. However, in this case, the entire DH business
> > could be questioned as this can easily be done in user space as well.
> > 
> 
> Well, who exactly is asking for Diffie-Hellman in the kernel at all?  If it
> can be done in userspace then it should be done there.  Having it in the
> kernel means having yet another API that's callable by unprivileged users
> and needs to be audited for security vulnerabilities.  Just because the
> kernel can support doing hashes or has an arbitrary-precision arithmetic
> library or whatever doesn't mean it's the right place to do random crypto
> stuff.

I understood that there is the possibility of offloading this to hardware.

David
Eric Biggers April 28, 2017, 5:26 a.m. UTC | #6
On Thu, Apr 27, 2017 at 04:15:19PM +0100, David Howells wrote:
> Eric Biggers <ebiggers3@gmail.com> wrote:
> 
> > > > By the way: do we really need this in the kernel at all, given that it's
> > > > just doing some math on data which userspace has access to?
> > > 
> > > It is the question about how we want the keys subsystem to operate. The DH
> > > shared secret shall not be used as a key. But the DH operation is part of
> > > the key subsystem. If there is never a case where the result of the DH
> > > operation is used in the kernel, then the KDF can be removed and my
> > > patches could be reverted. However, in this case, the entire DH business
> > > could be questioned as this can easily be done in user space as well.
> > > 
> > 
> > Well, who exactly is asking for Diffie-Hellman in the kernel at all?  If it
> > can be done in userspace then it should be done there.  Having it in the
> > kernel means having yet another API that's callable by unprivileged users
> > and needs to be audited for security vulnerabilities.  Just because the
> > kernel can support doing hashes or has an arbitrary-precision arithmetic
> > library or whatever doesn't mean it's the right place to do random crypto
> > stuff.
> 
> I understood that there is the possibility of offloading this to hardware.
> 

Okay, but where is this hardware, where are drivers for it, and how do we know
this API is actually going to be compatible with it?  Will it be just for
performance, or for other reasons too?  None of this seems to have been
explained.

Eric
diff mbox

Patch

diff --git a/security/keys/dh.c b/security/keys/dh.c
index 1c1cac677041..a3a8607107f5 100644
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -313,17 +313,6 @@  long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
 		goto error4;
 	}
 
-	/*
-	 * Concatenate SP800-56A otherinfo past DH shared secret -- the
-	 * input to the KDF is (DH shared secret || otherinfo)
-	 */
-	if (kdfcopy &&
-	    copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
-			   kdfcopy->otherinfolen) != 0) {
-		ret = -EFAULT;
-		goto error5;
-	}
-
 	ret = do_dh(result, base, private, prime);
 	if (ret)
 		goto error5;
@@ -333,8 +322,17 @@  long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
 		goto error5;
 
 	if (kdfcopy) {
+		/*
+		 * Concatenate SP800-56A otherinfo past DH shared secret -- the
+		 * input to the KDF is (DH shared secret || otherinfo)
+		 */
+		if (copy_from_user(kbuf + nbytes, kdfcopy->otherinfo,
+				   kdfcopy->otherinfolen) != 0) {
+			ret = -EFAULT;
+			goto error5;
+		}
 		ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
-					    resultlen + kdfcopy->otherinfolen);
+					    nbytes + kdfcopy->otherinfolen);
 	} else {
 		ret = nbytes;
 		if (copy_to_user(buffer, kbuf, nbytes) != 0)