提交 2eb4942b 编写于 作者: V Vitaly Chikunov 提交者: Herbert Xu

crypto: ecc - check for invalid values in the key verification test

Currently used scalar multiplication algorithm (Matthieu Rivain, 2011)
have invalid values for scalar == 1, n-1, and for regularized version
n-2, which was previously not checked. Verify that they are not used as
private keys.
Signed-off-by: NVitaly Chikunov <vt@altlinux.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
上级 196ad604
...@@ -904,30 +904,43 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out, ...@@ -904,30 +904,43 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out,
out[i] = __swab64(in[ndigits - 1 - i]); out[i] = __swab64(in[ndigits - 1 - i]);
} }
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, static int __ecc_is_key_valid(const struct ecc_curve *curve,
const u64 *private_key, unsigned int private_key_len) const u64 *private_key, unsigned int ndigits)
{ {
int nbytes; u64 one[ECC_MAX_DIGITS] = { 1, };
const struct ecc_curve *curve = ecc_get_curve(curve_id); u64 res[ECC_MAX_DIGITS];
if (!private_key) if (!private_key)
return -EINVAL; return -EINVAL;
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; if (curve->g.ndigits != ndigits)
if (private_key_len != nbytes)
return -EINVAL; return -EINVAL;
if (vli_is_zero(private_key, ndigits)) /* Make sure the private key is in the range [2, n-3]. */
if (vli_cmp(one, private_key, ndigits) != -1)
return -EINVAL; return -EINVAL;
vli_sub(res, curve->n, one, ndigits);
/* Make sure the private key is in the range [1, n-1]. */ vli_sub(res, res, one, ndigits);
if (vli_cmp(curve->n, private_key, ndigits) != 1) if (vli_cmp(res, private_key, ndigits) != 1)
return -EINVAL; return -EINVAL;
return 0; return 0;
} }
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
const u64 *private_key, unsigned int private_key_len)
{
int nbytes;
const struct ecc_curve *curve = ecc_get_curve(curve_id);
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
if (private_key_len != nbytes)
return -EINVAL;
return __ecc_is_key_valid(curve, private_key, ndigits);
}
/* /*
* ECC private keys are generated using the method of extra random bits, * ECC private keys are generated using the method of extra random bits,
* equivalent to that described in FIPS 186-4, Appendix B.4.1. * equivalent to that described in FIPS 186-4, Appendix B.4.1.
...@@ -971,11 +984,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) ...@@ -971,11 +984,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
if (err) if (err)
return err; return err;
if (vli_is_zero(priv, ndigits)) /* Make sure the private key is in the valid range. */
return -EINVAL; if (__ecc_is_key_valid(curve, priv, ndigits))
/* Make sure the private key is in the range [1, n-1]. */
if (vli_cmp(curve->n, priv, ndigits) != 1)
return -EINVAL; return -EINVAL;
ecc_swap_digits(priv, privkey, ndigits); ecc_swap_digits(priv, privkey, ndigits);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册