30 Jul, 2021

1 commit

  • ecdsa_set_pub_key() makes an u64 pointer at 1 byte offset of the key.
    This results in an unaligned u64 pointer. This pointer is passed to
    ecc_swap_digits() which assumes natural alignment.

    This causes a kernel crash on an armv7 platform:
    [ 0.409022] Unhandled fault: alignment exception (0x001) at 0xc2a0a6a9
    ...
    [ 0.416982] PC is at ecdsa_set_pub_key+0xdc/0x120
    ...
    [ 0.491492] Backtrace:
    [ 0.492059] [] (ecdsa_set_pub_key) from [] (test_akcipher_one+0xf4/0x6c0)

    Handle unaligned input buffer in ecc_swap_digits() by replacing
    be64_to_cpu() to get_unaligned_be64(). Change type of in pointer to
    void to reflect it doesn’t necessarily need to be aligned.

    Fixes: 4e6602916bc6 ("crypto: ecdsa - Add support for ECDSA signature verification")
    Reported-by: Guillaume Gardet
    Suggested-by: Takashi Iwai
    Signed-off-by: Mian Yousaf Kaukab
    Tested-by: Stefan Berger
    Signed-off-by: Herbert Xu

    Mian Yousaf Kaukab
     

16 Apr, 2021

1 commit


26 Mar, 2021

3 commits

  • This pulls in the NIST P384/256/192 x509 changes.

    Herbert Xu
     
  • Add the math needed for NIST P384 and adapt certain functions'
    parameters so that the ecc_curve is passed to vli_mmod_fast. This
    allows to identify the curve by its name prefix and the appropriate
    function for fast mmod calculation can be used.

    Summary of changes:

    * crypto/ecc.c
    - add vli_mmod_fast_384
    - change some routines to pass ecc_curve forward until vli_mmod_fast

    * crypto/ecc.h
    - add ECC_CURVE_NIST_P384_DIGITS
    - change ECC_MAX_DIGITS to P384 size

    Signed-off-by: Saulo Alessandre
    Tested-by: Stefan Berger
    Signed-off-by: Herbert Xu

    Saulo Alessandre
     
  • Add support for parsing the parameters of a NIST P256 or NIST P192 key.
    Enable signature verification using these keys. The new module is
    enabled with CONFIG_ECDSA:
    Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.)
    is A NIST cryptographic standard algorithm. Only signature verification
    is implemented.

    Cc: Herbert Xu
    Cc: "David S. Miller"
    Cc: linux-crypto@vger.kernel.org
    Signed-off-by: Stefan Berger
    Signed-off-by: Herbert Xu

    Stefan Berger
     

12 Mar, 2021

1 commit


31 Jul, 2020

1 commit

  • After the generation of a local public key, SP800-56A rev 3 section
    5.6.2.1.3 mandates a validation of that key with a full validation
    compliant to section 5.6.2.3.3.

    Only if the full validation passes, the key is allowed to be used.

    The patch adds the full key validation compliant to 5.6.2.3.3 and
    performs the required check on the generated public key.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Müller
     

18 Apr, 2019

2 commits

  • Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
    34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
    2018 the CIS countries) cryptographic standard algorithms (called GOST
    algorithms). Only signature verification is supported, with intent to be
    used in the IMA.

    Summary of the changes:

    * crypto/Kconfig:
    - EC-RDSA is added into Public-key cryptography section.

    * crypto/Makefile:
    - ecrdsa objects are added.

    * crypto/asymmetric_keys/x509_cert_parser.c:
    - Recognize EC-RDSA and Streebog OIDs.

    * include/linux/oid_registry.h:
    - EC-RDSA OIDs are added to the enum. Also, a two currently not
    implemented curve OIDs are added for possible extension later (to
    not change numbering and grouping).

    * crypto/ecc.c:
    - Kenneth MacKay copyright date is updated to 2014, because
    vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
    code from micro-ecc.
    - Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
    - New functions:
    vli_is_negative - helper to determine sign of vli;
    vli_from_be64 - unpack big-endian array into vli (used for
    a signature);
    vli_from_le64 - unpack little-endian array into vli (used for
    a public key);
    vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
    increment/decrement);
    mul_64_64 - optimized to use __int128 where appropriate, this speeds
    up point multiplication (and as a consequence signature
    verification) by the factor of 1.5-2;
    vli_umult - multiply vli by a small value (speeds up point
    multiplication by another factor of 1.5-2, depending on vli sizes);
    vli_mmod_special - module reduction for some form of Pseudo-Mersenne
    primes (used for the curves A);
    vli_mmod_special2 - module reduction for another form of
    Pseudo-Mersenne primes (used for the curves B);
    vli_mmod_barrett - module reduction using pre-computed value (used
    for the curve C);
    vli_mmod_slow - more general module reduction which is much slower
    (used when the modulus is subgroup order);
    vli_mod_mult_slow - modular multiplication;
    ecc_point_add - add two points;
    ecc_point_mult_shamir - add two points multiplied by scalars in one
    combined multiplication (this gives speed up by another factor 2 in
    compare to two separate multiplications).
    ecc_is_pubkey_valid_partial - additional samity check is added.
    - Updated vli_mmod_fast with non-strict heuristic to call optimal
    module reduction function depending on the prime value;
    - All computations for the previously defined (two NIST) curves should
    not unaffected.

    * crypto/ecc.h:
    - Newly exported functions are documented.

    * crypto/ecrdsa_defs.h
    - Five curves are defined.

    * crypto/ecrdsa.c:
    - Signature verification is implemented.

    * crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
    - Templates for BER decoder for EC-RDSA parameters and public key.

    Cc: linux-integrity@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • ecc.c have algorithms that could be used togeter by ecdh and ecrdsa.
    Make it separate module. Add CRYPTO_ECC into Kconfig. EXPORT_SYMBOL and
    document to what seems appropriate. Move structs ecc_point and ecc_curve
    from ecc_curve_defs.h into ecc.h.

    No code changes.

    Signed-off-by: Vitaly Chikunov
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     

21 Apr, 2018

1 commit

  • On the quest to remove all VLAs from the kernel[1], this avoids VLAs
    by just using the maximum allocation size (4 bytes) for stack arrays.
    All the VLAs in ecc were either 3 or 4 bytes (or a multiple), so just
    make it 4 bytes all the time. Initialization routines are adjusted to
    check that ndigits does not end up larger than the arrays.

    This includes a removal of the earlier attempt at this fix from
    commit a963834b4742 ("crypto/ecc: Remove stack VLA usage")

    [1] https://lkml.org/lkml/2018/3/7/621

    Signed-off-by: Kees Cook
    Signed-off-by: Herbert Xu

    Kees Cook
     

10 Jun, 2017

5 commits


24 Jun, 2016

1 commit


23 Jun, 2016

1 commit