crypto: ecdh - Initialize ctx->private_key in proper byte order

The private key in ctx->private_key is currently initialized in reverse
byte order in ecdh_set_secret and whenever the key is needed in proper
byte order the variable priv is introduced and the bytes from
ctx->private_key are copied into priv while being byte-swapped
(ecc_swap_digits). To get rid of the unnecessary byte swapping initialize
ctx->private_key in proper byte order and clean up all functions that were
previously using priv or were called with ctx->private_key:

- ecc_gen_privkey: Directly initialize the passed ctx->private_key with
  random bytes filling all the digits of the private key. Get rid of the
  priv variable. This function only has ecdh_set_secret as a caller to
  create NIST P192/256/384 private keys.

- crypto_ecdh_shared_secret: Called only from ecdh_compute_value with
  ctx->private_key. Get rid of the priv variable and work with the passed
  private_key directly.

- ecc_make_pub_key: Called only from ecdh_compute_value with
  ctx->private_key. Get rid of the priv variable and work with the passed
  private_key directly.

Cc: Salvatore Benedetto <salvatore.benedetto@intel.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 2e05387b9499e5ee2ae34a52e9ec6678522e971b..c1d2e884be1e99ed66458dc6524f7b75fd0d1cbb 100644 (file)
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1497,10 +1497,10 @@ EXPORT_SYMBOL(ecc_is_key_valid);
  * This method generates a private key uniformly distributed in the range
  * [2, n-3].
  */
-int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
+int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
+                   u64 *private_key)
 {
        const struct ecc_curve *curve = ecc_get_curve(curve_id);
-       u64 priv[ECC_MAX_DIGITS];
        unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
        unsigned int nbits = vli_num_bits(curve->n, ndigits);
        int err;
@@ -1509,7 +1509,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
         * Step 1 & 2: check that N is included in Table 1 of FIPS 186-5,
         * section 6.1.1.
         */
-       if (nbits < 224 || ndigits > ARRAY_SIZE(priv))
+       if (nbits < 224)
                return -EINVAL;
 
        /*
@@ -1527,17 +1527,16 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey)
                return -EFAULT;
 
        /* Step 3: obtain N returned_bits from the DRBG. */
-       err = crypto_rng_get_bytes(crypto_default_rng, (u8 *)priv, nbytes);
+       err = crypto_rng_get_bytes(crypto_default_rng,
+                                  (u8 *)private_key, nbytes);
        crypto_put_default_rng();
        if (err)
                return err;
 
        /* Step 4: make sure the private key is in the valid range. */
-       if (__ecc_is_key_valid(curve, priv, ndigits))
+       if (__ecc_is_key_valid(curve, private_key, ndigits))
                return -EINVAL;
 
-       ecc_swap_digits(priv, privkey, ndigits);
-
        return 0;
 }
 EXPORT_SYMBOL(ecc_gen_privkey);
@@ -1547,23 +1546,20 @@ int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits,
 {
        int ret = 0;
        struct ecc_point *pk;
-       u64 priv[ECC_MAX_DIGITS];
        const struct ecc_curve *curve = ecc_get_curve(curve_id);
 
-       if (!private_key || ndigits > ARRAY_SIZE(priv)) {
+       if (!private_key) {
                ret = -EINVAL;
                goto out;
        }
 
-       ecc_swap_digits(private_key, priv, ndigits);
-
        pk = ecc_alloc_point(ndigits);
        if (!pk) {
                ret = -ENOMEM;
                goto out;
        }
 
-       ecc_point_mult(pk, &curve->g, priv, NULL, curve, ndigits);
+       ecc_point_mult(pk, &curve->g, private_key, NULL, curve, ndigits);
 
        /* SP800-56A rev 3 5.6.2.1.3 key check */
        if (ecc_is_pubkey_valid_full(curve, pk)) {
@@ -1647,13 +1643,11 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
 {
        int ret = 0;
        struct ecc_point *product, *pk;
-       u64 priv[ECC_MAX_DIGITS];
        u64 rand_z[ECC_MAX_DIGITS];
        unsigned int nbytes;
        const struct ecc_curve *curve = ecc_get_curve(curve_id);
 
-       if (!private_key || !public_key ||
-           ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) {
+       if (!private_key || !public_key || ndigits > ARRAY_SIZE(rand_z)) {
                ret = -EINVAL;
                goto out;
        }
@@ -1674,15 +1668,13 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
        if (ret)
                goto err_alloc_product;
 
-       ecc_swap_digits(private_key, priv, ndigits);
-
        product = ecc_alloc_point(ndigits);
        if (!product) {
                ret = -ENOMEM;
                goto err_alloc_product;
        }
 
-       ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
+       ecc_point_mult(product, pk, private_key, rand_z, curve, ndigits);
 
        if (ecc_point_is_zero(product)) {
                ret = -EFAULT;
@@ -1692,7 +1684,6 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
        ecc_swap_digits(product->x, secret, ndigits);
 
 err_validity:
-       memzero_explicit(priv, sizeof(priv));
        memzero_explicit(rand_z, sizeof(rand_z));
        ecc_free_point(product);
 err_alloc_product:

diff --git a/crypto/ecdh.c b/crypto/ecdh.c
index c02c9a2b9682db720cd37730b557e0aaf7ffe9b2..72cfd159015632cb34bad1d9375d5a1e6b204099 100644 (file)
--- a/crypto/ecdh.c
+++ b/crypto/ecdh.c
@@ -27,7 +27,6 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
                           unsigned int len)
 {
        struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
-       u64 priv[ECC_MAX_DIGITS];
        struct ecdh params;
        int ret = 0;
 
@@ -41,15 +40,14 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
                return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
                                       ctx->private_key);
 
-       memcpy(ctx->private_key, params.key, params.key_size);
-       ecc_swap_digits(ctx->private_key, priv, ctx->ndigits);
+       ecc_digits_from_bytes(params.key, params.key_size,
+                             ctx->private_key, ctx->ndigits);
 
        if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
-                            priv, params.key_size) < 0) {
+                            ctx->private_key, params.key_size) < 0) {
                memzero_explicit(ctx->private_key, params.key_size);
                ret = -EINVAL;
        }
-       memzero_explicit(priv, sizeof(priv));
 
        return ret;
 }

diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h
index 4e2f5f938e91a82a2afd49c3326b502eaeb2f859..7ca1f463d1ecfb3478b0d6fb0136aff94f9b6a23 100644 (file)
--- a/include/crypto/internal/ecc.h
+++ b/include/crypto/internal/ecc.h
@@ -103,7 +103,8 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
  * Returns 0 if the private key was generated successfully, a negative value
  * if an error occurred.
  */
-int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey);
+int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits,
+                   u64 *private_key);
 
 /**
  * ecc_make_pub_key() - Compute an ECC public key