* [PATCH 1/7] crypto: fix a memory leak in sm2
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-14 4:52 ` Tianjia Zhang
2021-05-12 14:04 ` [PATCH 2/7] lib/mpi: use kcalloc in mpi_resize Hongbo Li
` (6 subsequent siblings)
7 siblings, 1 reply; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in
test_akcipher_one(), it will set public key for every test vector,
and don't free ec->Q. This will cause a memory leak.
This patch alloc ec->Q in sm2_ec_ctx_init().
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
crypto/sm2.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/crypto/sm2.c b/crypto/sm2.c
index b21addc..db8a4a2 100644
--- a/crypto/sm2.c
+++ b/crypto/sm2.c
@@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
goto free;
rc = -ENOMEM;
+
+ ec->Q = mpi_point_new(0);
+ if (!ec->Q)
+ goto free;
+
/* mpi_ec_setup_elliptic_curve */
ec->G = mpi_point_new(0);
- if (!ec->G)
+ if (!ec->G) {
+ mpi_point_release(ec->Q);
goto free;
+ }
mpi_set(ec->G->x, x);
mpi_set(ec->G->y, y);
@@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
rc = -EINVAL;
ec->n = mpi_scanval(ecp->n);
if (!ec->n) {
+ mpi_point_release(ec->Q);
mpi_point_release(ec->G);
goto free;
}
@@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm,
MPI a;
int rc;
- ec->Q = mpi_point_new(0);
- if (!ec->Q)
- return -ENOMEM;
-
/* include the uncompressed flag '0x04' */
- rc = -ENOMEM;
a = mpi_read_raw_data(key, keylen);
if (!a)
- goto error;
+ return -ENOMEM;
mpi_normalize(a);
rc = sm2_ecc_os2ec(ec->Q, a);
mpi_free(a);
- if (rc)
- goto error;
-
- return 0;
-error:
- mpi_point_release(ec->Q);
- ec->Q = NULL;
return rc;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH 1/7] crypto: fix a memory leak in sm2
2021-05-12 14:04 ` [PATCH 1/7] crypto: fix a memory leak in sm2 Hongbo Li
@ 2021-05-14 4:52 ` Tianjia Zhang
2021-05-18 11:40 ` hongbo li
0 siblings, 1 reply; 17+ messages in thread
From: Tianjia Zhang @ 2021-05-14 4:52 UTC (permalink / raw)
To: Hongbo Li, keyrings, linux-crypto, herbert, dhowells, jarkko,
herberthbli, stable
Cc: linux-kernel
Hi Hongbo,
On 5/12/21 10:04 PM, Hongbo Li wrote:
> From: Hongbo Li <herberthbli@tencent.com>
>
> SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in
> test_akcipher_one(), it will set public key for every test vector,
> and don't free ec->Q. This will cause a memory leak.
>
> This patch alloc ec->Q in sm2_ec_ctx_init().
>
> Signed-off-by: Hongbo Li <herberthbli@tencent.com>
> ---
> crypto/sm2.c | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
> diff --git a/crypto/sm2.c b/crypto/sm2.c
> index b21addc..db8a4a2 100644
> --- a/crypto/sm2.c
> +++ b/crypto/sm2.c
> @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> goto free;
>
> rc = -ENOMEM;
> +
> + ec->Q = mpi_point_new(0);
> + if (!ec->Q)
> + goto free;
> +
> /* mpi_ec_setup_elliptic_curve */
> ec->G = mpi_point_new(0);
> - if (!ec->G)
> + if (!ec->G) {
> + mpi_point_release(ec->Q);
> goto free;
> + }
>
> mpi_set(ec->G->x, x);
> mpi_set(ec->G->y, y);
> @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> rc = -EINVAL;
> ec->n = mpi_scanval(ecp->n);
> if (!ec->n) {
> + mpi_point_release(ec->Q);
> mpi_point_release(ec->G);
> goto free;
> }
> @@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm,
> MPI a;
> int rc;
>
> - ec->Q = mpi_point_new(0);
> - if (!ec->Q)
> - return -ENOMEM;
> -
> /* include the uncompressed flag '0x04' */
> - rc = -ENOMEM;
> a = mpi_read_raw_data(key, keylen);
> if (!a)
> - goto error;
> + return -ENOMEM;
>
> mpi_normalize(a);
> rc = sm2_ecc_os2ec(ec->Q, a);
> mpi_free(a);
> - if (rc)
> - goto error;
> -
> - return 0;
>
> -error:
> - mpi_point_release(ec->Q);
> - ec->Q = NULL;
> return rc;
> }
>
>
Thanks a lot for fixing this issue.
Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Also added:
Cc: stable@vger.kernel.org # v5.10+
Best regards,
Tianjia
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 1/7] crypto: fix a memory leak in sm2
2021-05-14 4:52 ` Tianjia Zhang
@ 2021-05-18 11:40 ` hongbo li
0 siblings, 0 replies; 17+ messages in thread
From: hongbo li @ 2021-05-18 11:40 UTC (permalink / raw)
To: Tianjia Zhang
Cc: open list:ASYMMETRIC KEYS, linux-crypto, Herbert Xu,
David Howells, jarkko, herberthbli, stable, open list
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 于2021年5月14日周五 下午12:52写道:
>
> Hi Hongbo,
>
> On 5/12/21 10:04 PM, Hongbo Li wrote:
> > From: Hongbo Li <herberthbli@tencent.com>
> >
> > SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in
> > test_akcipher_one(), it will set public key for every test vector,
> > and don't free ec->Q. This will cause a memory leak.
> >
> > This patch alloc ec->Q in sm2_ec_ctx_init().
> >
> > Signed-off-by: Hongbo Li <herberthbli@tencent.com>
> > ---
> > crypto/sm2.c | 24 ++++++++++--------------
> > 1 file changed, 10 insertions(+), 14 deletions(-)
> >
> > diff --git a/crypto/sm2.c b/crypto/sm2.c
> > index b21addc..db8a4a2 100644
> > --- a/crypto/sm2.c
> > +++ b/crypto/sm2.c
> > @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> > goto free;
> >
> > rc = -ENOMEM;
> > +
> > + ec->Q = mpi_point_new(0);
> > + if (!ec->Q)
> > + goto free;
> > +
> > /* mpi_ec_setup_elliptic_curve */
> > ec->G = mpi_point_new(0);
> > - if (!ec->G)
> > + if (!ec->G) {
> > + mpi_point_release(ec->Q);
> > goto free;
> > + }
> >
> > mpi_set(ec->G->x, x);
> > mpi_set(ec->G->y, y);
> > @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> > rc = -EINVAL;
> > ec->n = mpi_scanval(ecp->n);
> > if (!ec->n) {
> > + mpi_point_release(ec->Q);
> > mpi_point_release(ec->G);
> > goto free;
> > }
> > @@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm,
> > MPI a;
> > int rc;
> >
> > - ec->Q = mpi_point_new(0);
> > - if (!ec->Q)
> > - return -ENOMEM;
> > -
> > /* include the uncompressed flag '0x04' */
> > - rc = -ENOMEM;
> > a = mpi_read_raw_data(key, keylen);
> > if (!a)
> > - goto error;
> > + return -ENOMEM;
> >
> > mpi_normalize(a);
> > rc = sm2_ecc_os2ec(ec->Q, a);
> > mpi_free(a);
> > - if (rc)
> > - goto error;
> > -
> > - return 0;
> >
> > -error:
> > - mpi_point_release(ec->Q);
> > - ec->Q = NULL;
> > return rc;
> > }
> >
> >
>
> Thanks a lot for fixing this issue.
>
> Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
>
> Also added:
>
> Cc: stable@vger.kernel.org # v5.10+
>
> Best regards,
> Tianjia
Thank you for your review!
Regards,
Hongbo
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 2/7] lib/mpi: use kcalloc in mpi_resize
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
2021-05-12 14:04 ` [PATCH 1/7] crypto: fix a memory leak in sm2 Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 19:07 ` Eric Biggers
2021-05-12 14:04 ` [PATCH 3/7] lib/mpi: export some common function Hongbo Li
` (5 subsequent siblings)
7 siblings, 1 reply; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
We should set the additional space to 0 in mpi_resize().
So use kcalloc() instead of kmalloc_array().
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
lib/mpi/mpiutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/mpi/mpiutil.c b/lib/mpi/mpiutil.c
index 3c63710..e6c4b31 100644
--- a/lib/mpi/mpiutil.c
+++ b/lib/mpi/mpiutil.c
@@ -148,7 +148,7 @@ int mpi_resize(MPI a, unsigned nlimbs)
return 0; /* no need to do it */
if (a->d) {
- p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
+ p = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
if (!p)
return -ENOMEM;
memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t));
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH 2/7] lib/mpi: use kcalloc in mpi_resize
2021-05-12 14:04 ` [PATCH 2/7] lib/mpi: use kcalloc in mpi_resize Hongbo Li
@ 2021-05-12 19:07 ` Eric Biggers
[not found] ` <c12435701edb4f419b71bfa23be780db@tencent.com>
0 siblings, 1 reply; 17+ messages in thread
From: Eric Biggers @ 2021-05-12 19:07 UTC (permalink / raw)
To: Hongbo Li
Cc: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli, linux-kernel
On Wed, May 12, 2021 at 10:04:09PM +0800, Hongbo Li wrote:
> From: Hongbo Li <herberthbli@tencent.com>
>
> We should set the additional space to 0 in mpi_resize().
> So use kcalloc() instead of kmalloc_array().
>
> Signed-off-by: Hongbo Li <herberthbli@tencent.com>
Is this fixing something, and if so what?
- Eric
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 3/7] lib/mpi: export some common function
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
2021-05-12 14:04 ` [PATCH 1/7] crypto: fix a memory leak in sm2 Hongbo Li
2021-05-12 14:04 ` [PATCH 2/7] lib/mpi: use kcalloc in mpi_resize Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 14:04 ` [PATCH 4/7] x509: add support for eddsa Hongbo Li
` (4 subsequent siblings)
7 siblings, 0 replies; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
Export mpi_add_ui() and mpi_sub() that are used by the following
eddsa patch.
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
lib/mpi/mpi-add.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/mpi/mpi-add.c b/lib/mpi/mpi-add.c
index 2cdae54..d34c6c1 100644
--- a/lib/mpi/mpi-add.c
+++ b/lib/mpi/mpi-add.c
@@ -62,7 +62,7 @@ void mpi_add_ui(MPI w, MPI u, unsigned long v)
w->nlimbs = wsize;
w->sign = wsign;
}
-
+EXPORT_SYMBOL_GPL(mpi_add_ui);
void mpi_add(MPI w, MPI u, MPI v)
{
@@ -138,7 +138,7 @@ void mpi_sub(MPI w, MPI u, MPI v)
mpi_add(w, u, vv);
mpi_free(vv);
}
-
+EXPORT_SYMBOL_GPL(mpi_sub);
void mpi_addm(MPI w, MPI u, MPI v, MPI m)
{
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 4/7] x509: add support for eddsa
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
` (2 preceding siblings ...)
2021-05-12 14:04 ` [PATCH 3/7] lib/mpi: export some common function Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 14:04 ` [PATCH 5/7] crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h Hongbo Li
` (3 subsequent siblings)
7 siblings, 0 replies; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
This patch make x509 support eddsa(currently ed25519). According to
RFC8032 section 5.1.7[1], the digest is not on the original message,
but on a special formated message string:
SHA512(dom2(F, C) || R || A || PH(M))
[1]: https://tools.ietf.org/html/rfc8032#section-5.1.7
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
crypto/asymmetric_keys/public_key.c | 73 +++++++++++++++++++++++++++----
crypto/asymmetric_keys/x509_cert_parser.c | 14 +++++-
crypto/asymmetric_keys/x509_public_key.c | 4 +-
include/linux/oid_registry.h | 1 +
4 files changed, 82 insertions(+), 10 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 4fefb21..c1236a8 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -251,8 +251,8 @@ static int software_key_eds_op(struct kernel_pkey_params *params,
}
#if IS_REACHABLE(CONFIG_CRYPTO_SM2)
-static int cert_sig_digest_update(const struct public_key_signature *sig,
- struct crypto_akcipher *tfm_pkey)
+static int sm2_cert_sig_digest_update(const struct public_key_signature *sig,
+ struct crypto_akcipher *tfm_pkey)
{
struct crypto_shash *tfm;
struct shash_desc *desc;
@@ -297,7 +297,7 @@ static int cert_sig_digest_update(const struct public_key_signature *sig,
return ret;
}
#else
-static inline int cert_sig_digest_update(
+static inline int sm2_cert_sig_digest_update(
const struct public_key_signature *sig,
struct crypto_akcipher *tfm_pkey)
{
@@ -305,6 +305,58 @@ static inline int cert_sig_digest_update(
}
#endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */
+static int eddsa_cert_sig_digest_update(const struct public_key *pub,
+ const struct public_key_signature *sig)
+{
+ struct crypto_shash *tfm = NULL;
+ struct shash_desc *desc = NULL;
+ int key_size, ret = 0;
+
+ if (strcmp(pub->pkey_algo, "eddsa-25519"))
+ return -ENOPKG;
+
+ tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
+ if (!desc) {
+ ret = -ENOMEM;
+ goto free;
+ }
+
+ desc->tfm = tfm;
+
+ /* RFC8032 section 5.1.7
+ * step 2. SHA512(dom2(F, C) || R || A || PH(M))
+ */
+ key_size = 32;
+ if (sig->s_size != key_size * 2 ||
+ pub->keylen != key_size) {
+ ret = -EINVAL;
+ goto free;
+ }
+
+ ret = crypto_shash_init(desc);
+ if (ret < 0)
+ goto free;
+
+ ret = crypto_shash_update(desc, sig->s, key_size);
+ if (ret < 0)
+ goto free;
+
+ ret = crypto_shash_update(desc, pub->key, key_size);
+ if (ret < 0)
+ goto free;
+
+ ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest);
+
+free:
+ kfree(desc);
+ crypto_free_shash(tfm);
+ return ret;
+}
+
/*
* Verify a signature using a public key.
*/
@@ -358,11 +410,16 @@ int public_key_verify_signature(const struct public_key *pkey,
if (ret)
goto error_free_key;
- if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 &&
- sig->data_size) {
- ret = cert_sig_digest_update(sig, tfm);
- if (ret)
- goto error_free_key;
+ if (sig->pkey_algo && sig->data_size) {
+ if (strcmp(sig->pkey_algo, "sm2") == 0) {
+ ret = sm2_cert_sig_digest_update(sig, tfm);
+ if (ret)
+ goto error_free_key;
+ } else if (strcmp(sig->pkey_algo, "eddsa") == 0) {
+ ret = eddsa_cert_sig_digest_update(pkey, sig);
+ if (ret)
+ goto error_free_key;
+ }
}
sg_init_table(src_sg, 2);
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 6d00309..3f60c57 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -258,6 +258,9 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
case OID_SM2_with_SM3:
ctx->cert->sig->hash_algo = "sm3";
goto sm2;
+ case OID_ed25519:
+ ctx->cert->sig->hash_algo = "sha512";
+ goto eddsa;
}
rsa_pkcs1:
@@ -280,6 +283,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
ctx->cert->sig->encoding = "x962";
ctx->algo_oid = ctx->last_oid;
return 0;
+eddsa:
+ ctx->cert->sig->pkey_algo = "eddsa";
+ ctx->cert->sig->encoding = "raw";
+ ctx->algo_oid = ctx->last_oid;
+ return 0;
}
/*
@@ -302,7 +310,8 @@ int x509_note_signature(void *context, size_t hdrlen,
if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||
strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||
strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 ||
- strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {
+ strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0 ||
+ strcmp(ctx->cert->sig->pkey_algo, "eddsa") == 0) {
/* Discard the BIT STRING metadata */
if (vlen < 1 || *(const u8 *)value != 0)
return -EBADMSG;
@@ -517,6 +526,9 @@ int x509_extract_key_data(void *context, size_t hdrlen,
return -ENOPKG;
}
break;
+ case OID_ed25519:
+ ctx->cert->pub->pkey_algo = "eddsa-25519";
+ break;
default:
return -ENOPKG;
}
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 3d45161..a8fd368 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -131,7 +131,9 @@ int x509_check_for_self_signed(struct x509_certificate *cert)
ret = -EKEYREJECTED;
if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
(strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 ||
- strcmp(cert->sig->pkey_algo, "ecdsa") != 0))
+ strcmp(cert->sig->pkey_algo, "ecdsa") != 0) &&
+ (strncmp(cert->pub->pkey_algo, "eddsa-", 6) != 0 ||
+ strcmp(cert->sig->pkey_algo, "eddsa") != 0))
goto out;
ret = public_key_verify_signature(cert->pub, cert->sig);
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index cc64d94..d84bb86 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -64,6 +64,7 @@ enum OID {
OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
OID_sha1, /* 1.3.14.3.2.26 */
+ OID_ed25519, /* 1.3.101.112 */
OID_id_ansip384r1, /* 1.3.132.0.34 */
OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 5/7] crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
` (3 preceding siblings ...)
2021-05-12 14:04 ` [PATCH 4/7] x509: add support for eddsa Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 14:04 ` [PATCH 6/7] crypto: ed25519 cert verification Hongbo Li
` (2 subsequent siblings)
7 siblings, 0 replies; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
Some structs and functions in sm2 are common codes, and could be
used by the following eddsa patch. So move them to common files:
ec_mpi.c and ec_mpi.h.
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
crypto/Kconfig | 4 +++
crypto/Makefile | 1 +
crypto/ec_mpi.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
crypto/ec_mpi.h | 37 ++++++++++++++++++++++
crypto/sm2.c | 98 ++-------------------------------------------------------
5 files changed, 127 insertions(+), 95 deletions(-)
create mode 100644 crypto/ec_mpi.c
create mode 100644 crypto/ec_mpi.h
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4a0d187..75ae7d3 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -265,6 +265,9 @@ config CRYPTO_ECRDSA
standard algorithms (called GOST algorithms). Only signature verification
is implemented.
+config CRYPTO_EC_MPI
+ tristate
+
config CRYPTO_SM2
tristate "SM2 algorithm"
select CRYPTO_SM3
@@ -272,6 +275,7 @@ config CRYPTO_SM2
select CRYPTO_MANAGER
select MPILIB
select ASN1
+ select CRYPTO_EC_MPI
help
Generic implementation of the SM2 public key algorithm. It was
published by State Encryption Management Bureau, China.
diff --git a/crypto/Makefile b/crypto/Makefile
index 10526d4..8afb393 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -177,6 +177,7 @@ obj-$(CONFIG_CRYPTO_OFB) += ofb.o
obj-$(CONFIG_CRYPTO_ECC) += ecc.o
obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o
+obj-$(CONFIG_CRYPTO_EC_MPI) += ec_mpi.o
ecdh_generic-y += ecdh.o
ecdh_generic-y += ecdh_helper.o
diff --git a/crypto/ec_mpi.c b/crypto/ec_mpi.c
new file mode 100644
index 0000000..a537e6f
--- /dev/null
+++ b/crypto/ec_mpi.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * EC MPI common functions.
+ *
+ * Copyright (c) 2020, Alibaba Group.
+ * Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+ */
+
+#include <linux/module.h>
+#include <linux/mpi.h>
+#include "ec_mpi.h"
+
+int ec_mpi_ctx_init(struct mpi_ec_ctx *ec, const struct ecc_domain_parms *ecp)
+{
+ MPI p, a, b;
+ MPI x, y;
+ int rc = -EINVAL;
+
+ p = mpi_scanval(ecp->p);
+ a = mpi_scanval(ecp->a);
+ b = mpi_scanval(ecp->b);
+ if (!p || !a || !b)
+ goto free_p;
+
+ x = mpi_scanval(ecp->g_x);
+ y = mpi_scanval(ecp->g_y);
+ if (!x || !y)
+ goto free;
+
+ rc = -ENOMEM;
+
+ ec->Q = mpi_point_new(0);
+ if (!ec->Q)
+ goto free;
+
+ /* mpi_ec_setup_elliptic_curve */
+ ec->G = mpi_point_new(0);
+ if (!ec->G) {
+ mpi_point_release(ec->Q);
+ goto free;
+ }
+
+ mpi_set(ec->G->x, x);
+ mpi_set(ec->G->y, y);
+ mpi_set_ui(ec->G->z, 1);
+
+ rc = -EINVAL;
+ ec->n = mpi_scanval(ecp->n);
+ if (!ec->n) {
+ mpi_point_release(ec->Q);
+ mpi_point_release(ec->G);
+ goto free;
+ }
+
+ ec->h = ecp->h;
+ ec->name = ecp->desc;
+ mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);
+
+ rc = 0;
+
+free:
+ mpi_free(x);
+ mpi_free(y);
+free_p:
+ mpi_free(p);
+ mpi_free(a);
+ mpi_free(b);
+
+ return rc;
+}
+EXPORT_SYMBOL(ec_mpi_ctx_init);
+
+void ec_mpi_ctx_deinit(struct mpi_ec_ctx *ec)
+{
+ mpi_ec_deinit(ec);
+
+ memset(ec, 0, sizeof(*ec));
+}
+EXPORT_SYMBOL(ec_mpi_ctx_deinit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
diff --git a/crypto/ec_mpi.h b/crypto/ec_mpi.h
new file mode 100644
index 0000000..e1f6d3aa
--- /dev/null
+++ b/crypto/ec_mpi.h
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * EC MPI common structs.
+ *
+ * Copyright (c) 2020, Alibaba Group.
+ * Authors: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+ */
+
+#include <linux/mpi.h>
+
+struct ecc_domain_parms {
+ const char *desc; /* Description of the curve. */
+ unsigned int nbits; /* Number of bits. */
+ unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */
+
+ /* The model describing this curve. This is mainly used to select
+ * the group equation.
+ */
+ enum gcry_mpi_ec_models model;
+
+ /* The actual ECC dialect used. This is used for curve specific
+ * optimizations and to select encodings etc.
+ */
+ enum ecc_dialects dialect;
+
+ const char *p; /* The prime defining the field. */
+ const char *a, *b; /* The coefficients. For Twisted Edwards
+ * Curves b is used for d. For Montgomery
+ * Curves (a,b) has ((A-2)/4,B^-1).
+ */
+ const char *n; /* The order of the base point. */
+ const char *g_x, *g_y; /* Base point. */
+ unsigned int h; /* Cofactor. */
+};
+
+int ec_mpi_ctx_init(struct mpi_ec_ctx *ec, const struct ecc_domain_parms *ecp);
+void ec_mpi_ctx_deinit(struct mpi_ec_ctx *ec);
diff --git a/crypto/sm2.c b/crypto/sm2.c
index db8a4a2..ea1676b 100644
--- a/crypto/sm2.c
+++ b/crypto/sm2.c
@@ -9,42 +9,17 @@
*/
#include <linux/module.h>
-#include <linux/mpi.h>
#include <crypto/internal/akcipher.h>
#include <crypto/akcipher.h>
#include <crypto/hash.h>
#include <crypto/sm3_base.h>
#include <crypto/rng.h>
#include <crypto/sm2.h>
+#include "ec_mpi.h"
#include "sm2signature.asn1.h"
#define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8)
-struct ecc_domain_parms {
- const char *desc; /* Description of the curve. */
- unsigned int nbits; /* Number of bits. */
- unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */
-
- /* The model describing this curve. This is mainly used to select
- * the group equation.
- */
- enum gcry_mpi_ec_models model;
-
- /* The actual ECC dialect used. This is used for curve specific
- * optimizations and to select encodings etc.
- */
- enum ecc_dialects dialect;
-
- const char *p; /* The prime defining the field. */
- const char *a, *b; /* The coefficients. For Twisted Edwards
- * Curves b is used for d. For Montgomery
- * Curves (a,b) has ((A-2)/4,B^-1).
- */
- const char *n; /* The order of the base point. */
- const char *g_x, *g_y; /* Base point. */
- unsigned int h; /* Cofactor. */
-};
-
static const struct ecc_domain_parms sm2_ecp = {
.desc = "sm2p256v1",
.nbits = 256,
@@ -60,73 +35,6 @@ struct ecc_domain_parms {
.h = 1
};
-static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
-{
- const struct ecc_domain_parms *ecp = &sm2_ecp;
- MPI p, a, b;
- MPI x, y;
- int rc = -EINVAL;
-
- p = mpi_scanval(ecp->p);
- a = mpi_scanval(ecp->a);
- b = mpi_scanval(ecp->b);
- if (!p || !a || !b)
- goto free_p;
-
- x = mpi_scanval(ecp->g_x);
- y = mpi_scanval(ecp->g_y);
- if (!x || !y)
- goto free;
-
- rc = -ENOMEM;
-
- ec->Q = mpi_point_new(0);
- if (!ec->Q)
- goto free;
-
- /* mpi_ec_setup_elliptic_curve */
- ec->G = mpi_point_new(0);
- if (!ec->G) {
- mpi_point_release(ec->Q);
- goto free;
- }
-
- mpi_set(ec->G->x, x);
- mpi_set(ec->G->y, y);
- mpi_set_ui(ec->G->z, 1);
-
- rc = -EINVAL;
- ec->n = mpi_scanval(ecp->n);
- if (!ec->n) {
- mpi_point_release(ec->Q);
- mpi_point_release(ec->G);
- goto free;
- }
-
- ec->h = ecp->h;
- ec->name = ecp->desc;
- mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b);
-
- rc = 0;
-
-free:
- mpi_free(x);
- mpi_free(y);
-free_p:
- mpi_free(p);
- mpi_free(a);
- mpi_free(b);
-
- return rc;
-}
-
-static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec)
-{
- mpi_ec_deinit(ec);
-
- memset(ec, 0, sizeof(*ec));
-}
-
/* RESULT must have been initialized and is set on success to the
* point given by VALUE.
*/
@@ -416,14 +324,14 @@ static int sm2_init_tfm(struct crypto_akcipher *tfm)
{
struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
- return sm2_ec_ctx_init(ec);
+ return ec_mpi_ctx_init(ec, &sm2_ecp);
}
static void sm2_exit_tfm(struct crypto_akcipher *tfm)
{
struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm);
- sm2_ec_ctx_deinit(ec);
+ ec_mpi_ctx_deinit(ec);
}
static struct akcipher_alg sm2 = {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* [PATCH 6/7] crypto: ed25519 cert verification
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
` (4 preceding siblings ...)
2021-05-12 14:04 ` [PATCH 5/7] crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 18:39 ` kernel test robot
2021-05-12 14:04 ` [PATCH 7/7] crypto: add eddsa test vector Hongbo Li
2021-05-12 19:11 ` [PATCH 0/7] crypto: add eddsa support for x509 Eric Biggers
7 siblings, 1 reply; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
This patch adds the support of eddsa(currently ed25519) which is described
in RFC8032 section 5.1.7 [1].
[1]: https://tools.ietf.org/html/rfc8032#section-5.1.7
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
crypto/Kconfig | 11 ++
crypto/Makefile | 3 +
crypto/eddsa.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 340 insertions(+)
create mode 100644 crypto/eddsa.c
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 75ae7d3..6463c85 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -268,6 +268,17 @@ config CRYPTO_ECRDSA
config CRYPTO_EC_MPI
tristate
+config CRYPTO_EDDSA
+ tristate "EDDSA (ed25519) algorithm"
+ select CRYPTO_ECC
+ select CRYPTO_EC_MPI
+ select CRYPTO_AKCIPHER
+ select ASN1
+ help
+ Edwards-curve Digital Signature Algorithm (ed25519) is a variant
+ of Schnorr's signature system with (possibly twisted) Edwards curves.
+ Only signature verification is implemented.
+
config CRYPTO_SM2
tristate "SM2 algorithm"
select CRYPTO_SM3
diff --git a/crypto/Makefile b/crypto/Makefile
index 8afb393..2bbdfad 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -56,6 +56,9 @@ ecdsa_generic-y += ecdsa.o
ecdsa_generic-y += ecdsasignature.asn1.o
obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o
+eddsa_generic-y += eddsa.o
+obj-$(CONFIG_CRYPTO_EDDSA) += eddsa_generic.o
+
crypto_acompress-y := acompress.o
crypto_acompress-y += scompress.o
obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o
diff --git a/crypto/eddsa.c b/crypto/eddsa.c
new file mode 100644
index 0000000..06e86be
--- /dev/null
+++ b/crypto/eddsa.c
@@ -0,0 +1,326 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * EDDSA generic algorithm.
+ *
+ * Copyright (c) 2021 Hongbo Li <herberthbli@tencent.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ */
+
+#include <linux/mpi.h>
+#include <linux/module.h>
+#include <linux/oid_registry.h>
+#include <crypto/hash.h>
+#include <crypto/sha2.h>
+#include <crypto/ecdh.h>
+#include <crypto/curve25519.h>
+#include <crypto/internal/akcipher.h>
+#include "ec_mpi.h"
+
+struct eddsa_ctx {
+ enum OID algo_oid;
+ struct mpi_ec_ctx ec_ctx;
+};
+
+static MPI p58;
+static MPI seven;
+static MPI m1;
+
+static const struct ecc_domain_parms ed25519_domain_params = {
+ .desc = "ed25519",
+ .nbits = 256,
+ .fips = 0,
+ .model = MPI_EC_EDWARDS,
+ .dialect = ECC_DIALECT_ED25519,
+ .p = "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+ .a = "-0x01",
+ .b = "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+ .n = "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED",
+ .g_x = "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+ .g_y = "0x6666666666666666666666666666666666666666666666666666666666666658",
+ .h = 8,
+};
+
+static void reverse_buffer(u8 *buffer, u32 length)
+{
+ u32 tmp, i;
+
+ for (i = 0; i < length / 2; i++) {
+ tmp = buffer[i];
+ buffer[i] = buffer[length - 1 - i];
+ buffer[length - 1 - i] = tmp;
+ }
+}
+
+static int eddsa_encode_x_y(MPI x, MPI y, u8 *buf, u32 key_size)
+{
+ memcpy(buf, y->d, key_size);
+ if (mpi_test_bit(x, 0))
+ buf[key_size - 1] |= 0x80;
+
+ return 0;
+}
+
+int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
+ MPI x, MPI y, u8 *buf, u32 key_size)
+{
+ if (mpi_ec_get_affine(x, y, point, ec))
+ return -EINVAL;
+
+ return eddsa_encode_x_y(x, y, buf, key_size);
+}
+
+/* Recover X from Y and SIGN (which actually is a parity bit). */
+static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec)
+{
+ MPI u, v, v3, t;
+ int ret = 0;
+
+ if (ec->dialect != ECC_DIALECT_ED25519)
+ return -ENOPKG;
+
+ u = mpi_new(0);
+ v = mpi_new(0);
+ v3 = mpi_new(0);
+ t = mpi_new(0);
+
+ /* Compute u and v */
+ /* u = y^2 */
+ mpi_mulm(u, y, y, ec->p);
+ /* v = b*y^2 */
+ mpi_mulm(v, ec->b, u, ec->p);
+ /* u = y^2-1 */
+ mpi_sub_ui(u, u, 1);
+ /* v = b*y^2+1 */
+ mpi_add_ui(v, v, 1);
+
+ /* Compute sqrt(u/v) */
+ /* v3 = v^3 */
+ mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p);
+ /* t = v3 * v3 * u * v = u * v^7 */
+ mpi_powm(t, v, seven, ec->p);
+ mpi_mulm(t, t, u, ec->p);
+ /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */
+ mpi_powm(t, t, p58, ec->p);
+ /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
+ mpi_mulm(t, t, u, ec->p);
+ mpi_mulm(x, t, v3, ec->p);
+
+ /* Adjust if needed. */
+ /* t = v * x^2 */
+ mpi_mulm(t, x, x, ec->p);
+ mpi_mulm(t, t, v, ec->p);
+ /* -t == u ? x = x * sqrt(-1) */
+ mpi_sub(t, ec->p, t);
+ if (!mpi_cmp(t, u)) {
+ mpi_mulm(x, x, m1, ec->p);
+ /* t = v * x^2 */
+ mpi_mulm(t, x, x, ec->p);
+ mpi_mulm(t, t, v, ec->p);
+ /* -t == u ? x = x * sqrt(-1) */
+ mpi_sub(t, ec->p, t);
+ if (!mpi_cmp(t, u))
+ ret = -EINVAL;
+ }
+
+ /* Choose the desired square root according to parity */
+ if (mpi_test_bit(x, 0) != !!sign)
+ mpi_sub(x, ec->p, x);
+
+ mpi_free(t);
+ mpi_free(v3);
+ mpi_free(v);
+ mpi_free(u);
+
+ return ret;
+}
+
+static int ecc_eddsa_decodepoint(const u8 *pk, int key_size,
+ struct mpi_ec_ctx *ec, MPI_POINT result)
+{
+ MPI y;
+ u8 *rawmpi;
+ int sign, ret = 0;
+
+ rawmpi = kmalloc(key_size, GFP_KERNEL);
+ if (!rawmpi)
+ return -ENOMEM;
+ memcpy(rawmpi, pk, key_size);
+ reverse_buffer(rawmpi, key_size);
+
+ sign = !!(rawmpi[0] & 0x80);
+ rawmpi[0] &= 0x7f;
+
+ y = mpi_read_raw_data(rawmpi, key_size);
+ if (!y) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ mpi_normalize(y);
+ mpi_set(result->y, y);
+ mpi_free(y);
+
+ ret = eddsa_recover_x(result->x, result->y, sign, ec);
+ mpi_set_ui(result->z, 1);
+out:
+ kfree(rawmpi);
+ return ret;
+}
+
+int eddsa_verify(struct akcipher_request *req)
+{
+ struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
+ struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
+ struct mpi_ec_ctx *ec = &ctx->ec_ctx;
+ struct gcry_mpi_point sb, ka;
+ MPI s = NULL;
+ MPI k = NULL;
+ u8 sig[CURVE25519_KEY_SIZE * 2], digest[SHA512_DIGEST_SIZE];
+ u8 *buf;
+ u32 key_size;
+ int ret = 0;
+
+ if (ctx->algo_oid != OID_ed25519)
+ return -ENOPKG;
+
+ key_size = CURVE25519_KEY_SIZE;
+
+ if (!ec->Q || req->src_len != key_size * 2)
+ return -EINVAL;
+
+ sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
+ sig, req->src_len);
+
+ sg_pcopy_to_buffer(req->src,
+ sg_nents_for_len(req->src,
+ req->src_len + req->dst_len),
+ digest, req->dst_len, req->src_len);
+
+ reverse_buffer(digest, SHA512_DIGEST_SIZE);
+ k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE);
+
+ reverse_buffer(sig + key_size, key_size);
+ s = mpi_read_raw_data(sig + key_size, key_size);
+
+ mpi_point_init(&sb);
+ mpi_point_init(&ka);
+
+ mpi_ec_mul_point(&sb, s, ec->G, ec);
+ mpi_ec_mul_point(&ka, k, ec->Q, ec);
+ mpi_sub(ka.x, ec->p, ka.x);
+ mpi_ec_add_points(&sb, &sb, &ka, ec);
+
+ buf = kmalloc(key_size, GFP_KERNEL);
+ if (!buf) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size);
+ if (ret)
+ goto out;
+
+ if (memcmp(buf, sig, key_size))
+ ret = -EKEYREJECTED;
+
+out:
+ mpi_point_free_parts(&sb);
+ mpi_point_free_parts(&ka);
+ mpi_free(k);
+ mpi_free(s);
+ kfree(buf);
+ return ret;
+}
+
+static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
+ unsigned int keylen)
+{
+ struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
+ struct mpi_ec_ctx *ec = &ctx->ec_ctx;
+ const u8 *pk = key;
+
+ if (ctx->algo_oid != OID_ed25519)
+ return -ENOPKG;
+
+ if (keylen != CURVE25519_KEY_SIZE)
+ return -EINVAL;
+
+ return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q);
+}
+
+u32 eddsa_max_size(struct crypto_akcipher *tfm)
+{
+ struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
+
+ if (ctx->algo_oid == OID_ed25519)
+ return CURVE25519_KEY_SIZE;
+
+ return 0;
+}
+
+static int eddsa_25519_init_tfm(struct crypto_akcipher *tfm)
+{
+ struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
+
+ ctx->algo_oid = OID_ed25519;
+ p58 = mpi_scanval("0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD");
+ if (!p58)
+ return -ENOMEM;
+
+ m1 = mpi_scanval("2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0");
+ if (!m1)
+ return -ENOMEM;
+
+ seven = mpi_set_ui(NULL, 7);
+
+ return ec_mpi_ctx_init(&ctx->ec_ctx, &ed25519_domain_params);
+}
+
+static void eddsa_exit_tfm(struct crypto_akcipher *tfm)
+{
+ struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
+
+ ec_mpi_ctx_deinit(&ctx->ec_ctx);
+ mpi_free(p58);
+ mpi_free(seven);
+ mpi_free(m1);
+}
+
+
+static struct akcipher_alg eddsa_25519 = {
+ .verify = eddsa_verify,
+ .set_pub_key = eddsa_set_pub_key,
+ .max_size = eddsa_max_size,
+ .init = eddsa_25519_init_tfm,
+ .exit = eddsa_exit_tfm,
+ .base = {
+ .cra_name = "eddsa-25519",
+ .cra_driver_name = "eddsa-25519-generic",
+ .cra_priority = 100,
+ .cra_module = THIS_MODULE,
+ .cra_ctxsize = sizeof(struct eddsa_ctx),
+ },
+};
+
+static int eddsa_mod_init(void)
+{
+ return crypto_register_akcipher(&eddsa_25519);
+}
+
+static void eddsa_mod_exit(void)
+{
+ crypto_unregister_akcipher(&eddsa_25519);
+}
+
+module_init(eddsa_mod_init);
+module_exit(eddsa_mod_exit);
+
+MODULE_LICENSE("GPL v2");
+MODULE_AUTHOR("Hongbo Li <herberthbli@tencent.com>");
+MODULE_ALIAS_CRYPTO("eddsa");
+MODULE_ALIAS_CRYPTO("eddsa-generic");
+MODULE_DESCRIPTION("EDDSA generic algorithm");
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH 6/7] crypto: ed25519 cert verification
2021-05-12 14:04 ` [PATCH 6/7] crypto: ed25519 cert verification Hongbo Li
@ 2021-05-12 18:39 ` kernel test robot
0 siblings, 0 replies; 17+ messages in thread
From: kernel test robot @ 2021-05-12 18:39 UTC (permalink / raw)
To: Hongbo Li, keyrings, linux-crypto, herbert, dhowells, jarkko,
tianjia.zhang, herberthbli
Cc: kbuild-all, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 7917 bytes --]
Hi Hongbo,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on cryptodev/master]
[also build test WARNING on crypto/master linus/master v5.13-rc1 next-20210512]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
base: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: arc-allyesconfig (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/f9de73b89d39483afde4fc9ba079b66dee2f05ab
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Hongbo-Li/crypto-add-eddsa-support-for-x509/20210512-220722
git checkout f9de73b89d39483afde4fc9ba079b66dee2f05ab
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=arc
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> crypto/eddsa.c:67:5: warning: no previous prototype for 'ecc_eddsa_encodepoint' [-Wmissing-prototypes]
67 | int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
| ^~~~~~~~~~~~~~~~~~~~~
>> crypto/eddsa.c:174:5: warning: no previous prototype for 'eddsa_verify' [-Wmissing-prototypes]
174 | int eddsa_verify(struct akcipher_request *req)
| ^~~~~~~~~~~~
>> crypto/eddsa.c:255:5: warning: no previous prototype for 'eddsa_max_size' [-Wmissing-prototypes]
255 | u32 eddsa_max_size(struct crypto_akcipher *tfm)
| ^~~~~~~~~~~~~~
vim +/ecc_eddsa_encodepoint +67 crypto/eddsa.c
66
> 67 int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec,
68 MPI x, MPI y, u8 *buf, u32 key_size)
69 {
70 if (mpi_ec_get_affine(x, y, point, ec))
71 return -EINVAL;
72
73 return eddsa_encode_x_y(x, y, buf, key_size);
74 }
75
76 /* Recover X from Y and SIGN (which actually is a parity bit). */
77 static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec)
78 {
79 MPI u, v, v3, t;
80 int ret = 0;
81
82 if (ec->dialect != ECC_DIALECT_ED25519)
83 return -ENOPKG;
84
85 u = mpi_new(0);
86 v = mpi_new(0);
87 v3 = mpi_new(0);
88 t = mpi_new(0);
89
90 /* Compute u and v */
91 /* u = y^2 */
92 mpi_mulm(u, y, y, ec->p);
93 /* v = b*y^2 */
94 mpi_mulm(v, ec->b, u, ec->p);
95 /* u = y^2-1 */
96 mpi_sub_ui(u, u, 1);
97 /* v = b*y^2+1 */
98 mpi_add_ui(v, v, 1);
99
100 /* Compute sqrt(u/v) */
101 /* v3 = v^3 */
102 mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p);
103 /* t = v3 * v3 * u * v = u * v^7 */
104 mpi_powm(t, v, seven, ec->p);
105 mpi_mulm(t, t, u, ec->p);
106 /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */
107 mpi_powm(t, t, p58, ec->p);
108 /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
109 mpi_mulm(t, t, u, ec->p);
110 mpi_mulm(x, t, v3, ec->p);
111
112 /* Adjust if needed. */
113 /* t = v * x^2 */
114 mpi_mulm(t, x, x, ec->p);
115 mpi_mulm(t, t, v, ec->p);
116 /* -t == u ? x = x * sqrt(-1) */
117 mpi_sub(t, ec->p, t);
118 if (!mpi_cmp(t, u)) {
119 mpi_mulm(x, x, m1, ec->p);
120 /* t = v * x^2 */
121 mpi_mulm(t, x, x, ec->p);
122 mpi_mulm(t, t, v, ec->p);
123 /* -t == u ? x = x * sqrt(-1) */
124 mpi_sub(t, ec->p, t);
125 if (!mpi_cmp(t, u))
126 ret = -EINVAL;
127 }
128
129 /* Choose the desired square root according to parity */
130 if (mpi_test_bit(x, 0) != !!sign)
131 mpi_sub(x, ec->p, x);
132
133 mpi_free(t);
134 mpi_free(v3);
135 mpi_free(v);
136 mpi_free(u);
137
138 return ret;
139 }
140
141 static int ecc_eddsa_decodepoint(const u8 *pk, int key_size,
142 struct mpi_ec_ctx *ec, MPI_POINT result)
143 {
144 MPI y;
145 u8 *rawmpi;
146 int sign, ret = 0;
147
148 rawmpi = kmalloc(key_size, GFP_KERNEL);
149 if (!rawmpi)
150 return -ENOMEM;
151 memcpy(rawmpi, pk, key_size);
152 reverse_buffer(rawmpi, key_size);
153
154 sign = !!(rawmpi[0] & 0x80);
155 rawmpi[0] &= 0x7f;
156
157 y = mpi_read_raw_data(rawmpi, key_size);
158 if (!y) {
159 ret = -EINVAL;
160 goto out;
161 }
162
163 mpi_normalize(y);
164 mpi_set(result->y, y);
165 mpi_free(y);
166
167 ret = eddsa_recover_x(result->x, result->y, sign, ec);
168 mpi_set_ui(result->z, 1);
169 out:
170 kfree(rawmpi);
171 return ret;
172 }
173
> 174 int eddsa_verify(struct akcipher_request *req)
175 {
176 struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
177 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
178 struct mpi_ec_ctx *ec = &ctx->ec_ctx;
179 struct gcry_mpi_point sb, ka;
180 MPI s = NULL;
181 MPI k = NULL;
182 u8 sig[CURVE25519_KEY_SIZE * 2], digest[SHA512_DIGEST_SIZE];
183 u8 *buf;
184 u32 key_size;
185 int ret = 0;
186
187 if (ctx->algo_oid != OID_ed25519)
188 return -ENOPKG;
189
190 key_size = CURVE25519_KEY_SIZE;
191
192 if (!ec->Q || req->src_len != key_size * 2)
193 return -EINVAL;
194
195 sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len),
196 sig, req->src_len);
197
198 sg_pcopy_to_buffer(req->src,
199 sg_nents_for_len(req->src,
200 req->src_len + req->dst_len),
201 digest, req->dst_len, req->src_len);
202
203 reverse_buffer(digest, SHA512_DIGEST_SIZE);
204 k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE);
205
206 reverse_buffer(sig + key_size, key_size);
207 s = mpi_read_raw_data(sig + key_size, key_size);
208
209 mpi_point_init(&sb);
210 mpi_point_init(&ka);
211
212 mpi_ec_mul_point(&sb, s, ec->G, ec);
213 mpi_ec_mul_point(&ka, k, ec->Q, ec);
214 mpi_sub(ka.x, ec->p, ka.x);
215 mpi_ec_add_points(&sb, &sb, &ka, ec);
216
217 buf = kmalloc(key_size, GFP_KERNEL);
218 if (!buf) {
219 ret = -ENOMEM;
220 goto out;
221 }
222
223 ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size);
224 if (ret)
225 goto out;
226
227 if (memcmp(buf, sig, key_size))
228 ret = -EKEYREJECTED;
229
230 out:
231 mpi_point_free_parts(&sb);
232 mpi_point_free_parts(&ka);
233 mpi_free(k);
234 mpi_free(s);
235 kfree(buf);
236 return ret;
237 }
238
239 static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
240 unsigned int keylen)
241 {
242 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
243 struct mpi_ec_ctx *ec = &ctx->ec_ctx;
244 const u8 *pk = key;
245
246 if (ctx->algo_oid != OID_ed25519)
247 return -ENOPKG;
248
249 if (keylen != CURVE25519_KEY_SIZE)
250 return -EINVAL;
251
252 return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q);
253 }
254
> 255 u32 eddsa_max_size(struct crypto_akcipher *tfm)
256 {
257 struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm);
258
259 if (ctx->algo_oid == OID_ed25519)
260 return CURVE25519_KEY_SIZE;
261
262 return 0;
263 }
264
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 67468 bytes --]
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 7/7] crypto: add eddsa test vector
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
` (5 preceding siblings ...)
2021-05-12 14:04 ` [PATCH 6/7] crypto: ed25519 cert verification Hongbo Li
@ 2021-05-12 14:04 ` Hongbo Li
2021-05-12 19:11 ` [PATCH 0/7] crypto: add eddsa support for x509 Eric Biggers
7 siblings, 0 replies; 17+ messages in thread
From: Hongbo Li @ 2021-05-12 14:04 UTC (permalink / raw)
To: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli
Cc: linux-kernel
From: Hongbo Li <herberthbli@tencent.com>
This patch adds the test vector for ed25519.
Signed-off-by: Hongbo Li <herberthbli@tencent.com>
---
crypto/testmgr.c | 6 ++++++
crypto/testmgr.h | 32 ++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 10c5b3b..498d186 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4939,6 +4939,12 @@ static int alg_test_null(const struct alg_test_desc *desc,
.akcipher = __VECS(ecrdsa_tv_template)
}
}, {
+ .alg = "eddsa-25519",
+ .test = alg_test_akcipher,
+ .suite = {
+ .akcipher = __VECS(eddsa_25519_tv_template)
+ }
+ }, {
.alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
.test = alg_test_aead,
.fips_allowed = 1,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 34e4a3d..11807a3 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -1145,6 +1145,38 @@ struct kpp_testvec {
};
/*
+ * EDDSA test vectors.
+ * From RFC8032 section 7.1
+ */
+static const struct akcipher_testvec eddsa_25519_tv_template[] = {
+ {
+ .key =
+ "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc"
+ "\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c",
+ .key_len = 32,
+ /*
+ * RFC8032 section 5.1.7. m is SHA512(dom2(F, C) || R || A || PH(M))
+ * M is 0x72
+ */
+ .m =
+ "\xa2\x71\xdf\x0d\x2b\x0d\x03\xbd\x17\xb4\xed\x9a\x4b\x6a\xfd\xdf"
+ "\x2e\x73\x28\x7f\xd6\x30\xf1\xa1\x37\xd8\x7c\xe8\x73\xa5\x91\xcc"
+ "\x31\xb6\xdd\x85\x2a\x98\xb5\xdd\x12\x26\xfe\x99\x3d\x82\x28\x27"
+ "\x8c\xeb\xa2\x1f\x80\xb8\xfc\x95\x98\x6a\x70\xd7\x1e\xdf\x3f\xaf",
+ .m_size = 64,
+ .c =
+ "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40"
+ "\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda"
+ "\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c"
+ "\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00",
+ .c_size = 64,
+ .algo = OID_ed25519,
+ .public_key_vec = true,
+ .siggen_sigver_test = true,
+ }
+};
+
+/*
* PKCS#1 RSA test vectors. Obtained from CAVS testing.
*/
static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [PATCH 0/7] crypto: add eddsa support for x509
2021-05-12 14:04 [PATCH 0/7] crypto: add eddsa support for x509 Hongbo Li
` (6 preceding siblings ...)
2021-05-12 14:04 ` [PATCH 7/7] crypto: add eddsa test vector Hongbo Li
@ 2021-05-12 19:11 ` Eric Biggers
[not found] ` <dade7666956c41718ce00e681156533e@tencent.com>
7 siblings, 1 reply; 17+ messages in thread
From: Eric Biggers @ 2021-05-12 19:11 UTC (permalink / raw)
To: Hongbo Li
Cc: keyrings, linux-crypto, herbert, dhowells, jarkko, tianjia.zhang,
herberthbli, linux-kernel
On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote:
> From: Hongbo Li <herberthbli@tencent.com>
>
> This series of patches add support for x509 cert signed by eddsa,
> which is described in RFC8032 [1], currently ed25519 only.
It would be helpful to explain how this is related to the kernel's existing
Curve25519 support.
- Eric
^ permalink raw reply [flat|nested] 17+ messages in thread