13 Dec, 2019
1 commit
-
commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream.
The elliptic curve arithmetic library used by the EC-DH KPP implementation
assumes big endian byte order, and unconditionally reverses the byte
and word order of multi-limb quantities. On big endian systems, the byte
reordering is not necessary, while the word ordering needs to be retained.So replace the __swab64() invocation with a call to be64_to_cpu() which
should do the right thing for both little and big endian builds.Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
Cc: # v4.9+
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman
18 Apr, 2019
2 commits
-
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.* crypto/Makefile:
- ecrdsa objects are added.* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.* crypto/ecc.h:
- Newly exported functions are documented.* crypto/ecrdsa_defs.h
- Five curves are defined.* crypto/ecrdsa.c:
- Signature verification is implemented.* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov
Signed-off-by: Herbert Xu -
ecc.c have algorithms that could be used togeter by ecdh and ecrdsa.
Make it separate module. Add CRYPTO_ECC into Kconfig. EXPORT_SYMBOL and
document to what seems appropriate. Move structs ecc_point and ecc_curve
from ecc_curve_defs.h into ecc.h.No code changes.
Signed-off-by: Vitaly Chikunov
Signed-off-by: Herbert Xu
16 Nov, 2018
2 commits
-
ecc_point_mult is supposed to be used with a regularized scalar,
otherwise, it's possible to deduce the position of the top bit of the
scalar with timing attack. This is important when the scalar is a
private key.ecc_point_mult is already using a regular algorithm (i.e. having an
operation flow independent of the input scalar) but regularization step
is not implemented.Arrange scalar to always have fixed top bit by adding a multiple of the
curve order (n).References:
The constant time regularization step is based on micro-ecc by Kenneth
MacKay and also referenced in the literature (Bernstein, D. J., & Lange,
T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology
ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.)Signed-off-by: Vitaly Chikunov
Cc: kernel-hardening@lists.openwall.com
Signed-off-by: Herbert Xu -
Currently used scalar multiplication algorithm (Matthieu Rivain, 2011)
have invalid values for scalar == 1, n-1, and for regularized version
n-2, which was previously not checked. Verify that they are not used as
private keys.Signed-off-by: Vitaly Chikunov
Signed-off-by: Herbert Xu
09 Jul, 2018
1 commit
-
According to SP800-56A section 5.6.2.1, the public key to be processed
for the ECDH operation shall be checked for appropriateness. When the
public key is considered to be an ephemeral key, the partial validation
test as defined in SP800-56A section 5.6.2.3.4 can be applied.The partial verification test requires the presence of the field
elements of a and b. For the implemented NIST curves, b is defined in
FIPS 186-4 appendix D.1.2. The element a is implicitly given with the
Weierstrass equation given in D.1.2 where a = p - 3.Without the test, the NIST ACVP testing fails. After adding this check,
the NIST ACVP testing passes.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
21 Apr, 2018
1 commit
-
On the quest to remove all VLAs from the kernel[1], this avoids VLAs
by just using the maximum allocation size (4 bytes) for stack arrays.
All the VLAs in ecc were either 3 or 4 bytes (or a multiple), so just
make it 4 bytes all the time. Initialization routines are adjusted to
check that ndigits does not end up larger than the arrays.This includes a removal of the earlier attempt at this fix from
commit a963834b4742 ("crypto/ecc: Remove stack VLA usage")[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
Signed-off-by: Herbert Xu
16 Mar, 2018
1 commit
-
On the quest to remove all VLAs from the kernel[1], this switches to
a pair of kmalloc regions instead of using the stack. This also moves
the get_random_bytes() after all allocations (and drops the needless
"nbytes" variable).[1] https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Kees Cook
Reviewed-by: Tudor Ambarus
Signed-off-by: Herbert Xu
29 Nov, 2017
1 commit
-
If crypto_get_default_rng returns an error, the
function ecc_gen_privkey should return an error.
Instead, it currently tries to use the default_rng
nevertheless, thus creating a kernel panic with a
NULL pointer dereference.
Returning the error directly, as was supposedly
intended when looking at the code, fixes this.Signed-off-by: Pierre Ducroquet
Reviewed-by: PrasannaKumar Muralidharan
Signed-off-by: Herbert Xu
10 Jun, 2017
4 commits
-
Add support for generating ecc private keys.
Generation of ecc private keys is helpful in a user-space to kernel
ecdh offload because the keys are not revealed to user-space. Private
key generation is also helpful to implement forward secrecy.If the user provides a NULL ecc private key, the kernel will generate it
and further use it for ecdh.Move ecdh's object files below drbg's. drbg must be present in the kernel
at the time of calling.Signed-off-by: Tudor Ambarus
Reviewed-by: Stephan Müller
Signed-off-by: Herbert Xu -
Rename ecdh_make_pub_key() to ecc_make_pub_key().
ecdh_make_pub_key() is not dh specific and the reference
to dh is wrong.Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu -
ecc software implementation works with chunks of u64 data. There were some
unnecessary casts to u8 and then back to u64 for the ecc keys. This patch
removes the unnecessary casts.Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu -
Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu
24 Jun, 2016
1 commit
-
There is another ecdh_shared_secret in net/bluetooth/ecc.c
Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
Signed-off-by: Stephen Rothwell
Signed-off-by: Herbert Xu
23 Jun, 2016
1 commit
-
* Implement ECDH under kpp API
* Provide ECC software support for curve P-192 and
P-256.
* Add kpp test for ECDH with data generated by OpenSSLSigned-off-by: Salvatore Benedetto
Signed-off-by: Herbert Xu
