From: Nicolai Stange <nstange@suse.de>
To: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>
Cc: "Stephan Müller" <smueller@chronox.de>,
"Hannes Reinecke" <hare@suse.de>, "Torsten Duwe" <duwe@suse.de>,
"Zaibo Xu" <xuzaibo@huawei.com>,
"Giovanni Cabiddu" <giovanni.cabiddu@intel.com>,
"David Howells" <dhowells@redhat.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
qat-linux@intel.com, keyrings@vger.kernel.org,
"Nicolai Stange" <nstange@suse.de>
Subject: [PATCH v2 16/18] crypto: dh - calculate Q from P for the full public key verification
Date: Thu, 9 Dec 2021 10:03:56 +0100 [thread overview]
Message-ID: <20211209090358.28231-17-nstange@suse.de> (raw)
In-Reply-To: <20211209090358.28231-1-nstange@suse.de>
As the ->q in struct dh_ctx gets never set anywhere, the code
in dh_is_pubkey_valid() for doing the full public key validation in
accordance to SP800-56Arev3 is effectively dead.
However, for safe-prime groups, Q = (P - 1)/2 by definition and this
enables dh_is_pubkey_valid() to calculate Q on the fly for these groups.
Implement this.
With this change, the last code accessing struct dh_ctx's ->q is now gone.
Remove this member from struct dh_ctx.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
---
crypto/dh.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/crypto/dh.c b/crypto/dh.c
index 38547c5301da..bd3ea51fbeb0 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -15,7 +15,6 @@
struct dh_ctx {
enum dh_group_id group_id;
MPI p; /* Value is guaranteed to be set. */
- MPI q; /* Value is optional. */
MPI g; /* Value is guaranteed to be set. */
MPI xa; /* Value is guaranteed to be set. */
};
@@ -23,7 +22,6 @@ struct dh_ctx {
static void dh_clear_ctx(struct dh_ctx *ctx)
{
mpi_free(ctx->p);
- mpi_free(ctx->q);
mpi_free(ctx->g);
mpi_free(ctx->xa);
memset(ctx, 0, sizeof(*ctx));
@@ -114,11 +112,12 @@ static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
/*
* SP800-56A public key verification:
*
- * * If Q is provided as part of the domain paramenters, a full validation
- * according to SP800-56A section 5.6.2.3.1 is performed.
+ * * For safe-prime groups, Q can be computed trivially from P and a
+ * full validation according to SP800-56A section 5.6.2.3.1 is
+ * performed.
*
- * * If Q is not provided, a partial validation according to SP800-56A section
- * 5.6.2.3.2 is performed.
+ * * For all other sets of group parameters, only a partial validation
+ * according to SP800-56A section 5.6.2.3.2 is performed.
*/
static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
{
@@ -129,21 +128,40 @@ static int dh_is_pubkey_valid(struct dh_ctx *ctx, MPI y)
* Step 1: Verify that 2 <= y <= p - 2.
*
* The upper limit check is actually y < p instead of y < p - 1
- * as the mpi_sub_ui function is yet missing.
+ * in order to save one mpi_sub_ui() invocation here. Note that
+ * p - 1 is the non-trivial element of the subgroup of order 2 and
+ * thus, the check on y^q below would fail if y == p - 1.
*/
if (mpi_cmp_ui(y, 1) < 1 || mpi_cmp(y, ctx->p) >= 0)
return -EINVAL;
- /* Step 2: Verify that 1 = y^q mod p */
- if (ctx->q) {
- MPI val = mpi_alloc(0);
+ /*
+ * Step 2: Verify that 1 = y^q mod p
+ *
+ * For the safe-prime groups q = (p - 1)/2.
+ */
+ if (ctx->group_id != DH_GROUP_ID_UNKNOWN) {
+ MPI val, q;
int ret;
+ val = mpi_alloc(0);
if (!val)
return -ENOMEM;
- ret = mpi_powm(val, y, ctx->q, ctx->p);
+ q = mpi_alloc(mpi_get_nlimbs(ctx->p));
+ if (!q) {
+ mpi_free(val);
+ return -ENOMEM;
+ }
+
+ /*
+ * ->p is odd, so no need to explicitly subtract one
+ * from it before shifting to the right.
+ */
+ mpi_rshift(q, ctx->p, 1);
+ ret = mpi_powm(val, y, q, ctx->p);
+ mpi_free(q);
if (ret) {
mpi_free(val);
return ret;
--
2.26.2
next prev parent reply other threads:[~2021-12-09 9:05 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-09 9:03 [PATCH v2 00/18] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 01/18] crypto: dh - remove struct dh's ->q member Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 02/18] crypto: dh - constify struct dh's pointer members Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 03/18] crypto: dh - optimize domain parameter serialization for well-known groups Nicolai Stange
2021-12-10 11:33 ` Hannes Reinecke
2021-12-13 10:06 ` Nicolai Stange
2021-12-13 10:10 ` Hannes Reinecke
2021-12-17 5:52 ` Herbert Xu
2021-12-20 15:27 ` Nicolai Stange
2021-12-29 2:14 ` Herbert Xu
2022-01-06 14:30 ` Stephan Mueller
2022-01-07 2:44 ` Herbert Xu
2022-01-07 6:37 ` Nicolai Stange
2022-01-11 6:13 ` [PATCH] crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1) Herbert Xu
2022-01-11 7:50 ` Nicolai Stange
2022-01-11 10:34 ` Herbert Xu
2022-01-14 6:16 ` [v2 PATCH] " Herbert Xu
2022-01-14 9:09 ` Nicolai Stange
2022-01-14 10:55 ` Herbert Xu
2022-01-14 12:34 ` Nicolai Stange
2022-01-14 12:35 ` Stephan Mueller
2022-01-14 12:54 ` James Bottomley
2022-01-26 9:01 ` Stephan Mueller
2022-01-28 14:14 ` Nicolai Stange
2022-01-28 15:49 ` Stephan Mueller
2022-02-02 10:09 ` Nicolai Stange
2022-01-07 7:01 ` [PATCH v2 03/18] crypto: dh - optimize domain parameter serialization for well-known groups Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 04/18] crypto: dh - introduce RFC 7919 safe-prime groups Nicolai Stange
2021-12-10 11:34 ` Hannes Reinecke
2021-12-09 9:03 ` [PATCH v2 05/18] crypto: testmgr - add DH RFC 7919 ffdhe3072 test vector Nicolai Stange
2021-12-10 11:34 ` Hannes Reinecke
2021-12-09 9:03 ` [PATCH v2 06/18] crypto: dh - introduce RFC 3526 safe-prime groups Nicolai Stange
2021-12-10 11:35 ` Hannes Reinecke
2021-12-09 9:03 ` [PATCH v2 07/18] crypto: testmgr - add DH RFC 3526 modp2048 test vector Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 08/18] crypto: testmgr - run only subset of DH vectors based on config Nicolai Stange
2021-12-10 11:36 ` Hannes Reinecke
2021-12-09 9:03 ` [PATCH v2 09/18] crypto: dh - implement private key generation primitive Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 10/18] crypto: dh - introduce support for ephemeral key generation to dh-generic Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 11/18] crypto: dh - introduce support for ephemeral key generation to hpre driver Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 12/18] crypto: dh - introduce support for ephemeral key generation to qat driver Nicolai Stange
2021-12-15 21:54 ` Giovanni Cabiddu
2021-12-09 9:03 ` [PATCH v2 13/18] crypto: testmgr - add DH test vectors for key generation Nicolai Stange
2021-12-10 11:37 ` Hannes Reinecke
2021-12-09 9:03 ` [PATCH v2 14/18] lib/mpi: export mpi_rshift Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 15/18] crypto: dh - store group id in dh-generic's dh_ctx Nicolai Stange
2021-12-09 9:03 ` Nicolai Stange [this message]
2021-12-09 9:03 ` [PATCH v2 17/18] crypto: dh - try to match domain parameters to a known safe-prime group Nicolai Stange
2021-12-09 9:03 ` [PATCH v2 18/18] crypto: dh - accept only approved safe-prime groups in FIPS mode Nicolai Stange
2021-12-10 11:37 ` Hannes Reinecke
2021-12-10 7:56 ` [PATCH v2 00/18] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance Stephan Mueller
2021-12-10 10:00 ` Nicolai Stange
2021-12-10 11:38 ` Hannes Reinecke
2021-12-13 10:12 ` Nicolai Stange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211209090358.28231-17-nstange@suse.de \
--to=nstange@suse.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=duwe@suse.de \
--cc=giovanni.cabiddu@intel.com \
--cc=hare@suse.de \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=qat-linux@intel.com \
--cc=smueller@chronox.de \
--cc=xuzaibo@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).