diff mbox series

[10/18] crypto: dh - introduce support for ephemeral key generation to dh-generic

Message ID 20211201004858.19831-11-nstange@suse.de (mailing list archive)
State Superseded
Delegated to: Herbert Xu
Headers show
Series crypto: dh - infrastructure for NVM in-band auth and FIPS conformance | expand

Commit Message

Nicolai Stange Dec. 1, 2021, 12:48 a.m. UTC
The support for NVME in-band authentication currently in the works ([1])
needs to generate ephemeral DH keys. Make dh-generic's ->set_secret()
to generate an ephemeral key via the recently added crypto_dh_gen_privkey()
in case the input ->key_size is zero. Note that this behaviour is in
analogy to ecdh's ->set_secret().

[1] https://lkml.kernel.org/r/20211122074727.25988-4-hare@suse.de

Signed-off-by: Nicolai Stange <nstange@suse.de>
---
 crypto/dh.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

Comments

Hannes Reinecke Dec. 1, 2021, 7:29 a.m. UTC | #1
On 12/1/21 1:48 AM, Nicolai Stange wrote:
> The support for NVME in-band authentication currently in the works ([1])
> needs to generate ephemeral DH keys. Make dh-generic's ->set_secret()
> to generate an ephemeral key via the recently added crypto_dh_gen_privkey()
> in case the input ->key_size is zero. Note that this behaviour is in
> analogy to ecdh's ->set_secret().
> 
> [1] https://lkml.kernel.org/r/20211122074727.25988-4-hare@suse.de
> 
> Signed-off-by: Nicolai Stange <nstange@suse.de>
> ---
>   crypto/dh.c | 24 ++++++++++++++++++++----
>   1 file changed, 20 insertions(+), 4 deletions(-)
> 
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
Stephan Mueller Dec. 5, 2021, 6:11 a.m. UTC | #2
Am Mittwoch, 1. Dezember 2021, 01:48:50 CET schrieb Nicolai Stange:

Hi Nicolai,

> The support for NVME in-band authentication currently in the works ([1])
> needs to generate ephemeral DH keys. Make dh-generic's ->set_secret()
> to generate an ephemeral key via the recently added crypto_dh_gen_privkey()
> in case the input ->key_size is zero. Note that this behaviour is in
> analogy to ecdh's ->set_secret().
> 
> [1] https://lkml.kernel.org/r/20211122074727.25988-4-hare@suse.de
> 
> Signed-off-by: Nicolai Stange <nstange@suse.de>
> ---
>  crypto/dh.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/crypto/dh.c b/crypto/dh.c
> index 131b80064cb1..2e49b114e038 100644
> --- a/crypto/dh.c
> +++ b/crypto/dh.c
> @@ -71,25 +71,41 @@ static int dh_set_secret(struct crypto_kpp *tfm, const
> void *buf, {
>  	struct dh_ctx *ctx = dh_get_ctx(tfm);
>  	struct dh params;
> +	char key[CRYPTO_DH_MAX_PRIVKEY_SIZE];
> +	int err;
> 
>  	/* Free the old MPI key if any */
>  	dh_clear_ctx(ctx);
> 
> -	if (crypto_dh_decode_key(buf, len, &params) < 0)
> +	err = crypto_dh_decode_key(buf, len, &params);
> +	if (err)
>  		goto err_clear_ctx;
> 
> -	if (dh_set_params(ctx, &params) < 0)
> +	if (!params.key_size) {

As this params data may come from user space, shouldn't we use the same logic 
as in ecdh's set_key function:

if (!params.key || !params.key_size)

?


> +		err = crypto_dh_gen_privkey(params.group_id, key,
> +					    &params.key_size);
> +		if (err)
> +			goto err_clear_ctx;
> +		params.key = key;
> +	}
> +
> +	err = dh_set_params(ctx, &params);
> +	if (err)
>  		goto err_clear_ctx;
> 
>  	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
> -	if (!ctx->xa)
> +	if (!ctx->xa) {
> +		err = -EINVAL;
>  		goto err_clear_ctx;
> +	}
> +
> +	memzero_explicit(key, sizeof(key));
> 
>  	return 0;
> 
>  err_clear_ctx:
>  	dh_clear_ctx(ctx);
> -	return -EINVAL;
> +	return err;
>  }
> 
>  /*


Ciao
Stephan
Nicolai Stange Dec. 8, 2021, 6:32 a.m. UTC | #3
Stephan Müller <smueller@chronox.de> writes:

> Am Mittwoch, 1. Dezember 2021, 01:48:50 CET schrieb Nicolai Stange:
>
> Hi Nicolai,
>
>> The support for NVME in-band authentication currently in the works ([1])
>> needs to generate ephemeral DH keys. Make dh-generic's ->set_secret()
>> to generate an ephemeral key via the recently added crypto_dh_gen_privkey()
>> in case the input ->key_size is zero. Note that this behaviour is in
>> analogy to ecdh's ->set_secret().
>> 
>> [1] https://lkml.kernel.org/r/20211122074727.25988-4-hare@suse.de
>> 
>> Signed-off-by: Nicolai Stange <nstange@suse.de>
>> ---
>>  crypto/dh.c | 24 ++++++++++++++++++++----
>>  1 file changed, 20 insertions(+), 4 deletions(-)
>> 
>> diff --git a/crypto/dh.c b/crypto/dh.c
>> index 131b80064cb1..2e49b114e038 100644
>> --- a/crypto/dh.c
>> +++ b/crypto/dh.c
>> @@ -71,25 +71,41 @@ static int dh_set_secret(struct crypto_kpp *tfm, const
>> void *buf, {
>>  	struct dh_ctx *ctx = dh_get_ctx(tfm);
>>  	struct dh params;
>> +	char key[CRYPTO_DH_MAX_PRIVKEY_SIZE];
>> +	int err;
>> 
>>  	/* Free the old MPI key if any */
>>  	dh_clear_ctx(ctx);
>> 
>> -	if (crypto_dh_decode_key(buf, len, &params) < 0)
>> +	err = crypto_dh_decode_key(buf, len, &params);
>> +	if (err)
>>  		goto err_clear_ctx;
>> 
>> -	if (dh_set_params(ctx, &params) < 0)
>> +	if (!params.key_size) {
>
> As this params data may come from user space, shouldn't we use the same logic 
> as in ecdh's set_key function:
>
> if (!params.key || !params.key_size)

crypto_dh_decode_key() always leaves params.key set even for
!params.key_size, so checking for !params.key wouldn't buy anything
here. FWIW, it seems like it's actually the same for
crypto_ecdh_decode_key().

I'd personally prefer to not add the !params.key check, because it would
suggest that there are code paths which can lead to the condition
params.key_size && !params.key. I would find this confusing when reading
the code, but OTOH I don't have strong objections, so if you insist on
adding the !params.key check, I'd be Ok with it.

Thanks,

Nicolai

>
> ?
>
>
>> +		err = crypto_dh_gen_privkey(params.group_id, key,
>> +					    &params.key_size);
>> +		if (err)
>> +			goto err_clear_ctx;
>> +		params.key = key;
>> +	}
>> +
>> +	err = dh_set_params(ctx, &params);
>> +	if (err)
>>  		goto err_clear_ctx;
>> 
>>  	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
>> -	if (!ctx->xa)
>> +	if (!ctx->xa) {
>> +		err = -EINVAL;
>>  		goto err_clear_ctx;
>> +	}
>> +
>> +	memzero_explicit(key, sizeof(key));
>> 
>>  	return 0;
>> 
>>  err_clear_ctx:
>>  	dh_clear_ctx(ctx);
>> -	return -EINVAL;
>> +	return err;
>>  }
>> 
>>  /*
>
>
> Ciao
> Stephan
>
>
diff mbox series

Patch

diff --git a/crypto/dh.c b/crypto/dh.c
index 131b80064cb1..2e49b114e038 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -71,25 +71,41 @@  static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
 {
 	struct dh_ctx *ctx = dh_get_ctx(tfm);
 	struct dh params;
+	char key[CRYPTO_DH_MAX_PRIVKEY_SIZE];
+	int err;
 
 	/* Free the old MPI key if any */
 	dh_clear_ctx(ctx);
 
-	if (crypto_dh_decode_key(buf, len, &params) < 0)
+	err = crypto_dh_decode_key(buf, len, &params);
+	if (err)
 		goto err_clear_ctx;
 
-	if (dh_set_params(ctx, &params) < 0)
+	if (!params.key_size) {
+		err = crypto_dh_gen_privkey(params.group_id, key,
+					    &params.key_size);
+		if (err)
+			goto err_clear_ctx;
+		params.key = key;
+	}
+
+	err = dh_set_params(ctx, &params);
+	if (err)
 		goto err_clear_ctx;
 
 	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
-	if (!ctx->xa)
+	if (!ctx->xa) {
+		err = -EINVAL;
 		goto err_clear_ctx;
+	}
+
+	memzero_explicit(key, sizeof(key));
 
 	return 0;
 
 err_clear_ctx:
 	dh_clear_ctx(ctx);
-	return -EINVAL;
+	return err;
 }
 
 /*