From patchwork Wed Jun 12 15:18:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 13695193 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B299A1649DB; Wed, 12 Jun 2024 15:19:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.158.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205576; cv=none; b=u6NYOIerAAmYO5LVmzd4w9D3yMr4kRL7fUYuIsFH7AkvSchziVIXC0GHJJW4KJEc6ShlyE+yvP+9UW3A/Iz2KpqUAW6bLXBFa4smr6UJ5o/SXhBsjrTFIk91pzgrwXP6Upjnb6BVt2ct1AxEfqIkyTZl9fLOFO8Q32MGVA0aKRI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205576; c=relaxed/simple; bh=cNg9KJP9TCvb066cqNRlsJS4i+R5DweD6nIVXFzJlOU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=qw0Z9vpK1Zkn6SFGE+IyO0A9W7cVAVgaAWw09CNSAUCdmLnIU/Jx7P3fsi27n/z3vHXnt9HEZMv8P1LuAFwkN8esdmJ/OtgYUR2dLizTCv6yzDc9U3vT15IrftuT/mfKt6tTbacJSN/AhFe3aWxwmz/Q9FfmO0EvCiTs3nVt4JM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=WQFLhLjx; arc=none smtp.client-ip=148.163.158.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="WQFLhLjx" Received: from pps.filterd (m0353723.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 45CEvEW4019404; Wed, 12 Jun 2024 15:19:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from :to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=pp1; bh=qFuvSRf6Wm9F+ 796itw4tivKW6u8kIcp1dcfEG+Df+4=; b=WQFLhLjx91yVZlW25SQqtgvkDB/nQ CLp9SwhdIIeZgETYwQLx0LGk3UaIsDxpWIG/qobo6MQ03NiRXNHyO5+l837PGtSw 2tBdUB78ARQoXi3TKJVcD+60DCYlVmbA7P6I6olRTgq6xd4K/kvqLEs1gwZAF5Ej pKn1XOsWXFa3PbtJ2FZAgbZLgiVCK3Jin7DMZxyUrjGALQPNoCPF7LDKcqfpN325 xCUZWUVWi5Uh4sRnb/LjyKGPRxJX2tjYP8URMBwagUTYdkrqZI5b9El0nk8trIdt lOtLRSy4kjdxWIK4QJ5WQFjdAuNFOJLYgZWC2JosbQzEzUgQ58jC94nwg== Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3yqdj0g340-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:25 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 45CEuYjW028716; Wed, 12 Jun 2024 15:19:24 GMT Received: from smtprelay03.wdc07v.mail.ibm.com ([172.16.1.70]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 3yn1muf59s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:24 +0000 Received: from smtpav01.wdc07v.mail.ibm.com (smtpav01.wdc07v.mail.ibm.com [10.39.53.228]) by smtprelay03.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 45CFJLGO8520254 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 12 Jun 2024 15:19:23 GMT Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B58E258055; Wed, 12 Jun 2024 15:19:21 +0000 (GMT) Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F2ADF58059; Wed, 12 Jun 2024 15:19:20 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by smtpav01.wdc07v.mail.ibm.com (Postfix) with ESMTP; Wed, 12 Jun 2024 15:19:20 +0000 (GMT) From: Stefan Berger To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, davem@davemloft.net Cc: linux-kernel@vger.kernel.org, saulo.alessandre@tse.jus.br, ardb@kernel.org, Stefan Berger Subject: [RFC PATCH 1/3] crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte array Date: Wed, 12 Jun 2024 11:18:58 -0400 Message-ID: <20240612151900.895156-2-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240612151900.895156-1-stefanb@linux.ibm.com> References: <20240612151900.895156-1-stefanb@linux.ibm.com> Precedence: bulk X-Mailing-List: keyrings@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: RlvygaBQzjpfHmR8G0g6vGmrSgAtcOWf X-Proofpoint-ORIG-GUID: RlvygaBQzjpfHmR8G0g6vGmrSgAtcOWf X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-12_08,2024-06-12_02,2024-05-17_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 priorityscore=1501 phishscore=0 mlxlogscore=809 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 clxscore=1015 malwarescore=0 adultscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405170001 definitions=main-2406120106 Implement ecc_digits_to_bytes to convert an array of digits into an nbytes-sized byte array. The first byte in the byte array holds the most significant bits of the large integer. Signed-off-by: Stefan Berger --- crypto/ecc.c | 22 ++++++++++++++++++++++ include/crypto/internal/ecc.h | 13 +++++++++++++ 2 files changed, 35 insertions(+) diff --git a/crypto/ecc.c b/crypto/ecc.c index af698f8852fb..1cdb5df3aa5d 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -90,6 +90,28 @@ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes, } EXPORT_SYMBOL(ecc_digits_from_bytes); +void ecc_digits_to_bytes(const u64 *in, unsigned int ndigits, + u8 *out, unsigned int nbytes) +{ + unsigned int o = nbytes & 7; + __be64 msd; + int i; + + if (o) { + msd = cpu_to_be64(in[--ndigits]); + memcpy(out, (u8 *)&msd + sizeof(msd) - o, o); + out += o; + nbytes -= o; + } + + for (i = ndigits - 1; i >= 0 && nbytes > 0; i--) { + put_unaligned_be64(in[i], out); + out += sizeof(u64); + nbytes -= sizeof(u64); + } +} +EXPORT_SYMBOL(ecc_digits_to_bytes); + static u64 *ecc_alloc_digits_space(unsigned int ndigits) { size_t len = ndigits * sizeof(u64); diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h index 0717a53ae732..b18297aaff08 100644 --- a/include/crypto/internal/ecc.h +++ b/include/crypto/internal/ecc.h @@ -70,6 +70,19 @@ static inline void ecc_swap_digits(const void *in, u64 *out, unsigned int ndigit void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes, u64 *out, unsigned int ndigits); +/** + * ecc_digits_to_bytes() - Copy digits into a byte array of size nbytes + * @in: Input digits array + * @ndigits: Number of digits in input digits array + * @out: Output byte array + * @nbytes: Number of bytes to copy into byte array + * + * The first byte in the byte array will have the most significant bits of the + * large integer. + */ +void ecc_digits_to_bytes(const u64 *in, unsigned int ndigits, + u8 *out, unsigned int nbytes); + /** * ecc_is_key_valid() - Validate a given ECDH private key * From patchwork Wed Jun 12 15:18:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 13695194 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4632216F278; Wed, 12 Jun 2024 15:19:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.158.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205577; cv=none; b=PZDzw4RqjaSmmwHEgi7QtulwAFD5ZEcOb8IL4yHehvr0QavDyiwGXlRKn/KxKA9vBBUSlhwkEKeIyXmzxvIpFOvoKqN9mMLYAQqHgLhsBiOo1ZtuhqCSUBVVeJORaqnSV3O752au0GegsHdT4q8Xew9D1zFUlWgivbss8ygsP1g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205577; c=relaxed/simple; bh=WJ2rI4LRNfmpPQZ/rrMvTKlCFRyc5RpGb1ltt6w3l4I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CZs+P+LYxHcoP905YQAK1r6WitHlqCKL26klffbsJDnSpBPHq1mSyHjsjhENN+tIYXa/4EFZx8WbqlFI++lFMs0XfQa8hpHVSDCYYNOhRxL6GYOnpucY/043/bZr5DUqljAgtRr1ZPbNSmVnHFI9WLJCD1ZlTwqomrDWa0QvHO4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=drl40EG7; arc=none smtp.client-ip=148.163.158.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="drl40EG7" Received: from pps.filterd (m0353723.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 45CEvcWS020546; Wed, 12 Jun 2024 15:19:26 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from :to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=pp1; bh=kSAC4NA5rJm4U X+nu4R9X6pFVEKToIjD2wN8Z+LMTl4=; b=drl40EG7U761fPbrCIhoI72vANrb9 ZliaLH2JiSr+COX5oot1GKdwpcgrXuTloZ24RUWClo554+1E8lAeYjpPGX5XxMeX CauSq9xQD+wZiUDJIcwM2fbaIsF13APNMfln32kIogGAyCqTEStn2Q8+B6y6nIdK Bkk6s/uExdf72EZj6+rgHnzt4LVb1ex41d0gI5bzvRcUC/FisZY0poy0VovQfNIR lBtg26eELuAsvE2OleEWJaAfnS8B7CSBGZBNS8HMbheJzYg+pIt2PDU8QBfAoYpF IA9Lp/Q4UJNgUZBpIQ69gvRI1jA+gShNxLKnXgCIIgxpHoFmpGBEQqDpA== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3yqdj0g343-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:26 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 45CECZIB020048; Wed, 12 Jun 2024 15:19:25 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3yn34n6utf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:25 +0000 Received: from smtpav01.wdc07v.mail.ibm.com (smtpav01.wdc07v.mail.ibm.com [10.39.53.228]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 45CFJMWl43188978 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 12 Jun 2024 15:19:25 GMT Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9CF4C58065; Wed, 12 Jun 2024 15:19:22 +0000 (GMT) Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D9A6C5805B; Wed, 12 Jun 2024 15:19:21 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by smtpav01.wdc07v.mail.ibm.com (Postfix) with ESMTP; Wed, 12 Jun 2024 15:19:21 +0000 (GMT) From: Stefan Berger To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, davem@davemloft.net Cc: linux-kernel@vger.kernel.org, saulo.alessandre@tse.jus.br, ardb@kernel.org, Stefan Berger Subject: [RFC PATCH 2/3] crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's nbytes Date: Wed, 12 Jun 2024 11:18:59 -0400 Message-ID: <20240612151900.895156-3-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240612151900.895156-1-stefanb@linux.ibm.com> References: <20240612151900.895156-1-stefanb@linux.ibm.com> Precedence: bulk X-Mailing-List: keyrings@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: fGtCzLnGL-8p-KNRnfOsRaphSofn4ERi X-Proofpoint-ORIG-GUID: fGtCzLnGL-8p-KNRnfOsRaphSofn4ERi X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-12_08,2024-06-12_02,2024-05-17_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 priorityscore=1501 phishscore=0 mlxlogscore=798 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 clxscore=1015 malwarescore=0 adultscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405170001 definitions=main-2406120106 Implement ecc_curve_get_nbytes to get a curve's number of bytes (nbytes) derived from the nbits field of a curve. This function should be used where nbytes is currently derived from ndigits since it gives a precise number for all curves including those that do not use all bytes in the most significant digit, such as NIST P521. Neither of the modified functions have so far been used with the NIST P521 curve. Signed-off-by: Stefan Berger --- crypto/ecc.c | 4 +--- crypto/ecdh.c | 15 ++++++++++----- include/crypto/internal/ecc.h | 9 +++++++++ 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 1cdb5df3aa5d..7cc82c9eacc8 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -1522,10 +1522,8 @@ static int __ecc_is_key_valid(const struct ecc_curve *curve, int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, const u64 *private_key, unsigned int private_key_len) { - int nbytes; const struct ecc_curve *curve = ecc_get_curve(curve_id); - - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; + unsigned int nbytes = ecc_curve_get_nbytes(curve); if (private_key_len != nbytes) return -EINVAL; diff --git a/crypto/ecdh.c b/crypto/ecdh.c index 72cfd1590156..55d140772da0 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -27,11 +27,13 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf, unsigned int len) { struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); + const struct ecc_curve *curve = ecc_get_curve(ctx->curve_id); + unsigned int nbytes = ecc_curve_get_nbytes(curve); struct ecdh params; int ret = 0; if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0 || - params.key_size > sizeof(u64) * ctx->ndigits) + params.key_size > nbytes) return -EINVAL; memset(ctx->private_key, 0, sizeof(ctx->private_key)); @@ -56,13 +58,14 @@ static int ecdh_compute_value(struct kpp_request *req) { struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); + const struct ecc_curve *curve = ecc_get_curve(ctx->curve_id); + unsigned int nbytes = ecc_curve_get_nbytes(curve); u64 *public_key; u64 *shared_secret = NULL; void *buf; - size_t copied, nbytes, public_key_sz; + size_t copied, public_key_sz; int ret = -ENOMEM; - nbytes = ctx->ndigits << ECC_DIGITS_TO_BYTES_SHIFT; /* Public part is a point thus it has both coordinates */ public_key_sz = 2 * nbytes; @@ -123,9 +126,11 @@ static int ecdh_compute_value(struct kpp_request *req) static unsigned int ecdh_max_size(struct crypto_kpp *tfm) { struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); + const struct ecc_curve *curve = ecc_get_curve(ctx->curve_id); + unsigned int nbytes = ecc_curve_get_nbytes(curve); - /* Public key is made of two coordinates, add one to the left shift */ - return ctx->ndigits << (ECC_DIGITS_TO_BYTES_SHIFT + 1); + /* Public key is made of two coordinates */ + return nbytes * 2; } static int ecdh_nist_p192_init_tfm(struct crypto_kpp *tfm) diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h index b18297aaff08..d6e51e45fb3d 100644 --- a/include/crypto/internal/ecc.h +++ b/include/crypto/internal/ecc.h @@ -83,6 +83,15 @@ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes, void ecc_digits_to_bytes(const u64 *in, unsigned int ndigits, u8 *out, unsigned int nbytes); +/* + * ecc_curve_get_nbytes() - Get the number of bytes the curve requires + * @curve: The curve + */ +static inline unsigned int ecc_curve_get_nbytes(const struct ecc_curve *curve) +{ + return DIV_ROUND_UP(curve->nbits, 8); +} + /** * ecc_is_key_valid() - Validate a given ECDH private key * From patchwork Wed Jun 12 15:19:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 13695195 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40D3B16EBED; Wed, 12 Jun 2024 15:19:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.156.1 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205577; cv=none; b=Nj37JWw81dn9sD5jjGarpCkg02V/Yek7e3faVDwncH50HxNO+ICKr9qZ1ki5SJCk7LA1JPKOt6/d6mRp9kfILD8c9H9fo2ZgQJHeNWs1PShhdgSY2RYMakQ5zbnl5ucc0Xi2LnmvFYR2o4AAdjFctLDmaXUr3p0BgiS1n6JWrGI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718205577; c=relaxed/simple; bh=E3J421gPUHv01sCdByhzhWzNLTj7rOGIoerrd07tG8U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=s7ZEClxpCfEYHDy62p1HHjK6tLERKVhiAp1ERyROAqM/iQBdCvXilX5BuFA+S5id+Jq3rlHY4cUOQiBpOvfPuEOS3tKFSWB5R1alMZiBWwaduaQivPTRgAjDME98pocf7kdlyRwsUireYQQEdyuzj9oyFcgtx7nweFYRgGnbcPg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=tlf0xvUc; arc=none smtp.client-ip=148.163.156.1 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="tlf0xvUc" Received: from pps.filterd (m0353727.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 45CEwe6e030749; Wed, 12 Jun 2024 15:19:27 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from :to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=pp1; bh=0YZLNFM5669Wu jAaymd1JKNgSaG3JN+n2/cBPGZTGZo=; b=tlf0xvUc7tQWQKo9taVobWMzmKzq0 VVGdQeEe+P/AvXoNduDmqMJ4GBqMhmDda+xVp1kAZia4D9tuGFyuYncXeP5RE/9k 2d2zPsj7+RInTqY3gbHsj8VTZBl9G8ly4QnY7uIXhjayPcXyeLHdPynZ6d0n1bHB jDofM8jHcGUotD66tbMn5Wxw1fOKniip7IyYRU+ZtQ85KcpqVRYztY7NFEXTrwlr 8kDtqa/AprSysn+GkrtzjP1ROowdN9et/YfkpEU4Wo8VFklR7/eHCDTf4V40m+0U VF6EjAx2V6rAam2OESTjaXnTT1i/JgBWhZabP75uY444+zi/dbG71GTzA== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3yqdwf01u9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:27 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 45CECZIC020048; Wed, 12 Jun 2024 15:19:25 GMT Received: from smtprelay04.wdc07v.mail.ibm.com ([172.16.1.71]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3yn34n6utj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 12 Jun 2024 15:19:25 +0000 Received: from smtpav01.wdc07v.mail.ibm.com (smtpav01.wdc07v.mail.ibm.com [10.39.53.228]) by smtprelay04.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 45CFJNWq55902694 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 12 Jun 2024 15:19:25 GMT Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8492C58066; Wed, 12 Jun 2024 15:19:23 +0000 (GMT) Received: from smtpav01.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C173558059; Wed, 12 Jun 2024 15:19:22 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by smtpav01.wdc07v.mail.ibm.com (Postfix) with ESMTP; Wed, 12 Jun 2024 15:19:22 +0000 (GMT) From: Stefan Berger To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, davem@davemloft.net Cc: linux-kernel@vger.kernel.org, saulo.alessandre@tse.jus.br, ardb@kernel.org, Stefan Berger Subject: [RFC PATCH 3/3] crypto: ecdh - Use functions to copy digits from and to byte arrays Date: Wed, 12 Jun 2024 11:19:00 -0400 Message-ID: <20240612151900.895156-4-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240612151900.895156-1-stefanb@linux.ibm.com> References: <20240612151900.895156-1-stefanb@linux.ibm.com> Precedence: bulk X-Mailing-List: keyrings@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: FEd_k3G1nxaId23hT99Qh1LPPVmC3qS6 X-Proofpoint-ORIG-GUID: FEd_k3G1nxaId23hT99Qh1LPPVmC3qS6 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-12_08,2024-06-12_02,2024-05-17_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 priorityscore=1501 adultscore=0 clxscore=1015 impostorscore=0 spamscore=0 malwarescore=0 phishscore=0 mlxscore=0 suspectscore=0 bulkscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405170001 definitions=main-2406120106 In ecdh_compute_value the public_key and shared_secret variables are not arrays of digits (u64 *) but byte buffers that are either copied into from the scatterlist req->src or copied out of to the scatterlist req->dst. Therefore, convert these variables to 'u8 *' and modify ecc_make_pub_key and crypto_ecdh_shared_secret to use ecc_digits_from_bytes to convert byte arrays to digits and ecc_digits_to_bytes to convert digits to byte arrays. This also prepares the code for usage with curves that do not use all bytes in the most significant digit, such as NIST P521, since these two functions can handle conversions between digits and byte arrays related to such curves. Signed-off-by: Stefan Berger --- crypto/ecc.c | 21 ++++++++++----------- crypto/ecdh.c | 9 +++++---- include/crypto/internal/ecc.h | 15 +++++++++------ 3 files changed, 24 insertions(+), 21 deletions(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 7cc82c9eacc8..3ad2d8ae41b9 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -1584,7 +1584,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, EXPORT_SYMBOL(ecc_gen_privkey); int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, - const u64 *private_key, u64 *public_key) + const u64 *private_key, u8 *public_key, + unsigned int nbytes) { int ret = 0; struct ecc_point *pk; @@ -1609,8 +1610,8 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, goto err_free_point; } - ecc_swap_digits(pk->x, public_key, ndigits); - ecc_swap_digits(pk->y, &public_key[ndigits], ndigits); + ecc_digits_to_bytes(pk->x, ndigits, public_key, nbytes); + ecc_digits_to_bytes(pk->y, ndigits, &public_key[nbytes], nbytes); err_free_point: ecc_free_point(pk); @@ -1680,13 +1681,12 @@ int ecc_is_pubkey_valid_full(const struct ecc_curve *curve, EXPORT_SYMBOL(ecc_is_pubkey_valid_full); int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, - const u64 *private_key, const u64 *public_key, - u64 *secret) + const u64 *private_key, const u8 *public_key, + unsigned int nbytes, u8 *secret) { int ret = 0; struct ecc_point *product, *pk; u64 rand_z[ECC_MAX_DIGITS]; - unsigned int nbytes; const struct ecc_curve *curve = ecc_get_curve(curve_id); if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) { @@ -1694,8 +1694,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, goto out; } - nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; - get_random_bytes(rand_z, nbytes); pk = ecc_alloc_point(ndigits); @@ -1704,8 +1702,9 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, goto out; } - ecc_swap_digits(public_key, pk->x, ndigits); - ecc_swap_digits(&public_key[ndigits], pk->y, ndigits); + ecc_digits_from_bytes(public_key, nbytes, pk->x, ndigits); + ecc_digits_from_bytes(&public_key[nbytes], nbytes, pk->y, ndigits); + ret = ecc_is_pubkey_valid_partial(curve, pk); if (ret) goto err_alloc_product; @@ -1723,7 +1722,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, goto err_validity; } - ecc_swap_digits(product->x, secret, ndigits); + ecc_digits_to_bytes(product->x, ndigits, secret, nbytes); err_validity: memzero_explicit(rand_z, sizeof(rand_z)); diff --git a/crypto/ecdh.c b/crypto/ecdh.c index 55d140772da0..dfb5fa1a50d2 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -60,8 +60,8 @@ static int ecdh_compute_value(struct kpp_request *req) struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); const struct ecc_curve *curve = ecc_get_curve(ctx->curve_id); unsigned int nbytes = ecc_curve_get_nbytes(curve); - u64 *public_key; - u64 *shared_secret = NULL; + u8 *public_key; + u8 *shared_secret = NULL; void *buf; size_t copied, public_key_sz; int ret = -ENOMEM; @@ -94,12 +94,13 @@ static int ecdh_compute_value(struct kpp_request *req) ret = crypto_ecdh_shared_secret(ctx->curve_id, ctx->ndigits, ctx->private_key, public_key, - shared_secret); + nbytes, shared_secret); buf = shared_secret; } else { ret = ecc_make_pub_key(ctx->curve_id, ctx->ndigits, - ctx->private_key, public_key); + ctx->private_key, public_key, + nbytes); buf = public_key; nbytes = public_key_sz; } diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h index d6e51e45fb3d..19265394be48 100644 --- a/include/crypto/internal/ecc.h +++ b/include/crypto/internal/ecc.h @@ -126,13 +126,15 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, * @curve_id: id representing the curve to use * @ndigits: curve's number of digits * @private_key: pregenerated private key for the given curve - * @public_key: buffer for storing the generated public key + * @public_key: 2 * nbytes buffer for storing the generated public key + * @nbytes: size of one coordinate of the public key * * Returns 0 if the public key was generated successfully, a negative value * if an error occurred. */ int ecc_make_pub_key(const unsigned int curve_id, unsigned int ndigits, - const u64 *private_key, u64 *public_key); + const u64 *private_key, u8 *public_key, + unsigned int nbytes); /** * crypto_ecdh_shared_secret() - Compute a shared secret @@ -140,8 +142,9 @@ int ecc_make_pub_key(const unsigned int curve_id, unsigned int ndigits, * @curve_id: id representing the curve to use * @ndigits: curve's number of digits * @private_key: private key of part A - * @public_key: public key of counterpart B - * @secret: buffer for storing the calculated shared secret + * @public_key: 2 * nbytes buffer with public key of counterpart B + * @nbytes: size of one coordinate of the public key + * @secret: nbytes buffer for storing the calculated shared secret * * Note: It is recommended that you hash the result of crypto_ecdh_shared_secret * before using it for symmetric encryption or HMAC. @@ -150,8 +153,8 @@ int ecc_make_pub_key(const unsigned int curve_id, unsigned int ndigits, * if an error occurred. */ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, - const u64 *private_key, const u64 *public_key, - u64 *secret); + const u64 *private_key, const u8 *public_key, + unsigned int nbytes, u8 *secret); /** * ecc_is_pubkey_valid_partial() - Partial public key validation