Skip to content

Commit 2eb4942

Browse files
vt-altherbertx
vt-alt
authored and
herbertx
committed
crypto: ecc - check for invalid values in the key verification test
Currently used scalar multiplication algorithm (Matthieu Rivain, 2011) have invalid values for scalar == 1, n-1, and for regularized version n-2, which was previously not checked. Verify that they are not used as private keys. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent 196ad60 commit 2eb4942

File tree

1 file changed

+26
-16
lines changed

1 file changed

+26
-16
lines changed

crypto/ecc.c

Lines changed: 26 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -904,30 +904,43 @@ static inline void ecc_swap_digits(const u64 *in, u64 *out,
904904
out[i] = __swab64(in[ndigits - 1 - i]);
905905
}
906906

907-
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
908-
const u64 *private_key, unsigned int private_key_len)
907+
static int __ecc_is_key_valid(const struct ecc_curve *curve,
908+
const u64 *private_key, unsigned int ndigits)
909909
{
910-
int nbytes;
911-
const struct ecc_curve *curve = ecc_get_curve(curve_id);
910+
u64 one[ECC_MAX_DIGITS] = { 1, };
911+
u64 res[ECC_MAX_DIGITS];
912912

913913
if (!private_key)
914914
return -EINVAL;
915915

916-
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
917-
918-
if (private_key_len != nbytes)
916+
if (curve->g.ndigits != ndigits)
919917
return -EINVAL;
920918

921-
if (vli_is_zero(private_key, ndigits))
919+
/* Make sure the private key is in the range [2, n-3]. */
920+
if (vli_cmp(one, private_key, ndigits) != -1)
922921
return -EINVAL;
923-
924-
/* Make sure the private key is in the range [1, n-1]. */
925-
if (vli_cmp(curve->n, private_key, ndigits) != 1)
922+
vli_sub(res, curve->n, one, ndigits);
923+
vli_sub(res, res, one, ndigits);
924+
if (vli_cmp(res, private_key, ndigits) != 1)
926925
return -EINVAL;
927926

928927
return 0;
929928
}
930929

930+
int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
931+
const u64 *private_key, unsigned int private_key_len)
932+
{
933+
int nbytes;
934+
const struct ecc_curve *curve = ecc_get_curve(curve_id);
935+
936+
nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
937+
938+
if (private_key_len != nbytes)
939+
return -EINVAL;
940+
941+
return __ecc_is_key_valid(curve, private_key, ndigits);
942+
}
943+
931944
/*
932945
* ECC private keys are generated using the method of extra random bits,
933946
* equivalent to that described in FIPS 186-4, Appendix B.4.1.
@@ -971,11 +984,8 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
971984
if (err)
972985
return err;
973986

974-
if (vli_is_zero(priv, ndigits))
975-
return -EINVAL;
976-
977-
/* Make sure the private key is in the range [1, n-1]. */
978-
if (vli_cmp(curve->n, priv, ndigits) != 1)
987+
/* Make sure the private key is in the valid range. */
988+
if (__ecc_is_key_valid(curve, priv, ndigits))
979989
return -EINVAL;
980990

981991
ecc_swap_digits(priv, privkey, ndigits);

0 commit comments

Comments
 (0)