path: root/crypto/ecc.c
AgeCommit message (Collapse)Author
2021-03-26crypto: ecc - Correct an error in the commentsMeng Yu
Remove repeated word 'bit' in comments. Signed-off-by: Meng Yu <> Signed-off-by: Herbert Xu <>
2021-03-26Merge branch 'ecc'Herbert Xu
This pulls in the NIST P384/256/192 x509 changes.
2021-03-26crypto: ecc - Add math to support fast NIST P384Saulo Alessandre
Add the math needed for NIST P384 and adapt certain functions' parameters so that the ecc_curve is passed to vli_mmod_fast. This allows to identify the curve by its name prefix and the appropriate function for fast mmod calculation can be used. Summary of changes: * crypto/ecc.c - add vli_mmod_fast_384 - change some routines to pass ecc_curve forward until vli_mmod_fast * crypto/ecc.h - add ECC_CURVE_NIST_P384_DIGITS - change ECC_MAX_DIGITS to P384 size Signed-off-by: Saulo Alessandre <> Tested-by: Stefan Berger <> Signed-off-by: Herbert Xu <>
2021-03-26crypto: ecc - Add NIST P384 curve parametersSaulo Alessandre
Add the parameters for the NIST P384 curve and define a new curve ID for it. Make the curve available in ecc_get_curve. Summary of changes: * crypto/ecc_curve_defs.h - add nist_p384 params * include/crypto/ecdh.h - add ECC_CURVE_NIST_P384 * crypto/ecc.c - change ecc_get_curve to accept nist_p384 Signed-off-by: Saulo Alessandre <> Tested-by: Stefan Berger <> Acked-by: Jarkko Sakkinen <> Signed-off-by: Herbert Xu <>
2021-03-26crypto: ecdsa - Add support for ECDSA signature verificationStefan Berger
Add support for parsing the parameters of a NIST P256 or NIST P192 key. Enable signature verification using these keys. The new module is enabled with CONFIG_ECDSA: Elliptic Curve Digital Signature Algorithm (NIST P192, P256 etc.) is A NIST cryptographic standard algorithm. Only signature verification is implemented. Cc: Herbert Xu <> Cc: "David S. Miller" <> Cc: Signed-off-by: Stefan Berger <> Signed-off-by: Herbert Xu <>
2021-03-13crypto: ecc - add curve25519 params and expose themMeng Yu
1. Add curve 25519 parameters in 'crypto/ecc_curve_defs.h'; 2. Add curve25519 interface 'ecc_get_curve25519_param' in 'include/crypto/ecc_curve.h', to make its parameters be exposed to everyone in kernel tree. Signed-off-by: Meng Yu <> Reviewed-by: Zaibo Xu <> Signed-off-by: Herbert Xu <>
2021-03-13crypto: ecc - expose ecc curvesMeng Yu
Move 'ecc_get_curve' to 'include/crypto/ecc_curve.h', so everyone in kernel tree can easily get ecc curve params; Signed-off-by: Meng Yu <> Reviewed-by: Zaibo Xu <> Signed-off-by: Herbert Xu <>
2020-08-07mm, treewide: rename kzfree() to kfree_sensitive()Waiman Long
As said by Linus: A symmetric naming is only helpful if it implies symmetries in use. Otherwise it's actively misleading. In "kzalloc()", the z is meaningful and an important part of what the caller wants. In "kzfree()", the z is actively detrimental, because maybe in the future we really _might_ want to use that "memfill(0xdeadbeef)" or something. The "zero" part of the interface isn't even _relevant_. The main reason that kzfree() exists is to clear sensitive information that should not be leaked to other future users of the same memory objects. Rename kzfree() to kfree_sensitive() to follow the example of the recently added kvfree_sensitive() and make the intention of the API more explicit. In addition, memzero_explicit() is used to clear the memory to make sure that it won't get optimized away by the compiler. The renaming is done by using the command sequence: git grep -w --name-only kzfree |\ xargs sed -i 's/kzfree/kfree_sensitive/' followed by some editing of the kfree_sensitive() kerneldoc and adding a kzfree backward compatibility macro in slab.h. [ fs/crypto/inline_crypt.c needs linux/slab.h] [ fix fs/crypto/inline_crypt.c some more] Suggested-by: Joe Perches <> Signed-off-by: Waiman Long <> Signed-off-by: Andrew Morton <> Acked-by: David Howells <> Acked-by: Michal Hocko <> Acked-by: Johannes Weiner <> Cc: Jarkko Sakkinen <> Cc: James Morris <> Cc: "Serge E. Hallyn" <> Cc: Joe Perches <> Cc: Matthew Wilcox <> Cc: David Rientjes <> Cc: Dan Carpenter <> Cc: "Jason A . Donenfeld" <> Link: Signed-off-by: Linus Torvalds <>
2020-07-31crypto: ecc - SP800-56A rev 3 local public key validationStephan Müller
After the generation of a local public key, SP800-56A rev 3 section mandates a validation of that key with a full validation compliant to section Only if the full validation passes, the key is allowed to be used. The patch adds the full key validation compliant to and performs the required check on the generated public key. Signed-off-by: Stephan Mueller <> Signed-off-by: Herbert Xu <>
2020-07-31crypto: ecdh - check validity of Z before exportStephan Müller
SP800-56A rev3 section step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller <> Reviewed-by: Vitaly Chikunov <> Acked-by: Neil Horman <> Signed-off-by: Herbert Xu <>
2020-07-23crypto: Replace HTTP links with HTTPS onesAlexander A. Klimov
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <> Signed-off-by: Herbert Xu <>
2019-11-17int128: move __uint128_t compiler test to KconfigArd Biesheuvel
In order to use 128-bit integer arithmetic in C code, the architecture needs to have declared support for it by setting ARCH_SUPPORTS_INT128, and it requires a version of the toolchain that supports this at build time. This is why all existing tests for ARCH_SUPPORTS_INT128 also test whether __SIZEOF_INT128__ is defined, since this is only the case for compilers that can support 128-bit integers. Let's fold this additional test into the Kconfig declaration of ARCH_SUPPORTS_INT128 so that we can also use the symbol in Makefiles, e.g., to decide whether a certain object needs to be included in the first place. Cc: Masahiro Yamada <> Signed-off-by: Ard Biesheuvel <> Signed-off-by: Herbert Xu <>
2019-11-01crypto: ecdh - fix big endian bug in ECC libraryArd Biesheuvel
The elliptic curve arithmetic library used by the EC-DH KPP implementation assumes big endian byte order, and unconditionally reverses the byte and word order of multi-limb quantities. On big endian systems, the byte reordering is not necessary, while the word ordering needs to be retained. So replace the __swab64() invocation with a call to be64_to_cpu() which should do the right thing for both little and big endian builds. Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") Cc: <> # v4.9+ Signed-off-by: Ard Biesheuvel <> Signed-off-by: Herbert Xu <>
2019-04-18crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithmVitaly Chikunov
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since 2018 the CIS countries) cryptographic standard algorithms (called GOST algorithms). Only signature verification is supported, with intent to be used in the IMA. Summary of the changes: * crypto/Kconfig: - EC-RDSA is added into Public-key cryptography section. * crypto/Makefile: - ecrdsa objects are added. * crypto/asymmetric_keys/x509_cert_parser.c: - Recognize EC-RDSA and Streebog OIDs. * include/linux/oid_registry.h: - EC-RDSA OIDs are added to the enum. Also, a two currently not implemented curve OIDs are added for possible extension later (to not change numbering and grouping). * crypto/ecc.c: - Kenneth MacKay copyright date is updated to 2014, because vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his code from micro-ecc. - Functions needed for ecrdsa are EXPORT_SYMBOL'ed. - New functions: vli_is_negative - helper to determine sign of vli; vli_from_be64 - unpack big-endian array into vli (used for a signature); vli_from_le64 - unpack little-endian array into vli (used for a public key); vli_uadd, vli_usub - add/sub u64 value to/from vli (used for increment/decrement); mul_64_64 - optimized to use __int128 where appropriate, this speeds up point multiplication (and as a consequence signature verification) by the factor of 1.5-2; vli_umult - multiply vli by a small value (speeds up point multiplication by another factor of 1.5-2, depending on vli sizes); vli_mmod_special - module reduction for some form of Pseudo-Mersenne primes (used for the curves A); vli_mmod_special2 - module reduction for another form of Pseudo-Mersenne primes (used for the curves B); vli_mmod_barrett - module reduction using pre-computed value (used for the curve C); vli_mmod_slow - more general module reduction which is much slower (used when the modulus is subgroup order); vli_mod_mult_slow - modular multiplication; ecc_point_add - add two points; ecc_point_mult_shamir - add two points multiplied by scalars in one combined multiplication (this gives speed up by another factor 2 in compare to two separate multiplications). ecc_is_pubkey_valid_partial - additional samity check is added. - Updated vli_mmod_fast with non-strict heuristic to call optimal module reduction function depending on the prime value; - All computations for the previously defined (two NIST) curves should not unaffected. * crypto/ecc.h: - Newly exported functions are documented. * crypto/ecrdsa_defs.h - Five curves are defined. * crypto/ecrdsa.c: - Signature verification is implemented. * crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1: - Templates for BER decoder for EC-RDSA parameters and public key. Cc: Signed-off-by: Vitaly Chikunov <> Signed-off-by: Herbert Xu <>
2019-04-18crypto: ecc - make ecc into separate moduleVitaly Chikunov
ecc.c have algorithms that could be used togeter by ecdh and ecrdsa. Make it separate module. Add CRYPTO_ECC into Kconfig. EXPORT_SYMBOL and document to what seems appropriate. Move structs ecc_point and ecc_curve from ecc_curve_defs.h into ecc.h. No code changes. Signed-off-by: Vitaly Chikunov <> Signed-off-by: Herbert Xu <>
2018-11-16crypto: ecc - regularize scalar for scalar multiplicationVitaly Chikunov
ecc_point_mult is supposed to be used with a regularized scalar, otherwise, it's possible to deduce the position of the top bit of the scalar with timing attack. This is important when the scalar is a private key. ecc_point_mult is already using a regular algorithm (i.e. having an operation flow independent of the input scalar) but regularization step is not implemented. Arrange scalar to always have fixed top bit by adding a multiple of the curve order (n). References: The constant time regularization step is based on micro-ecc by Kenneth MacKay and also referenced in the literature (Bernstein, D. J., & Lange, T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.) Signed-off-by: Vitaly Chikunov <> Cc: Signed-off-by: Herbert Xu <>
2018-11-16crypto: ecc - check for invalid values in the key verification testVitaly Chikunov
Currently used scalar multiplication algorithm (Matthieu Rivain, 2011) have invalid values for scalar == 1, n-1, and for regularized version n-2, which was previously not checked. Verify that they are not used as private keys. Signed-off-by: Vitaly Chikunov <> Signed-off-by: Herbert Xu <>
2018-07-09crypto: ecdh - add public key verification testStephan Mueller
According to SP800-56A section, the public key to be processed for the ECDH operation shall be checked for appropriateness. When the public key is considered to be an ephemeral key, the partial validation test as defined in SP800-56A section can be applied. The partial verification test requires the presence of the field elements of a and b. For the implemented NIST curves, b is defined in FIPS 186-4 appendix D.1.2. The element a is implicitly given with the Weierstrass equation given in D.1.2 where a = p - 3. Without the test, the NIST ACVP testing fails. After adding this check, the NIST ACVP testing passes. Signed-off-by: Stephan Mueller <> Signed-off-by: Herbert Xu <>
2018-04-21crypto: ecc - Actually remove stack VLA usageKees Cook
On the quest to remove all VLAs from the kernel[1], this avoids VLAs by just using the maximum allocation size (4 bytes) for stack arrays. All the VLAs in ecc were either 3 or 4 bytes (or a multiple), so just make it 4 bytes all the time. Initialization routines are adjusted to check that ndigits does not end up larger than the arrays. This includes a removal of the earlier attempt at this fix from commit a963834b4742 ("crypto/ecc: Remove stack VLA usage") [1] Signed-off-by: Kees Cook <> Signed-off-by: Herbert Xu <>
2018-03-16crypto: ecc - Remove stack VLA usageKees Cook
On the quest to remove all VLAs from the kernel[1], this switches to a pair of kmalloc regions instead of using the stack. This also moves the get_random_bytes() after all allocations (and drops the needless "nbytes" variable). [1] Signed-off-by: Kees Cook <> Reviewed-by: Tudor Ambarus <> Signed-off-by: Herbert Xu <>
2017-11-29crypto: ecc - Fix NULL pointer deref. on no default_rngPierre
If crypto_get_default_rng returns an error, the function ecc_gen_privkey should return an error. Instead, it currently tries to use the default_rng nevertheless, thus creating a kernel panic with a NULL pointer dereference. Returning the error directly, as was supposedly intended when looking at the code, fixes this. Signed-off-by: Pierre Ducroquet <> Reviewed-by: PrasannaKumar Muralidharan <> Signed-off-by: Herbert Xu <>
2017-06-10crypto: ecdh - add privkey generation supportTudor-Dan Ambarus
Add support for generating ecc private keys. Generation of ecc private keys is helpful in a user-space to kernel ecdh offload because the keys are not revealed to user-space. Private key generation is also helpful to implement forward secrecy. If the user provides a NULL ecc private key, the kernel will generate it and further use it for ecdh. Move ecdh's object files below drbg's. drbg must be present in the kernel at the time of calling. Signed-off-by: Tudor Ambarus <> Reviewed-by: Stephan Müller <> Signed-off-by: Herbert Xu <>
2017-06-10crypto: ecc - rename ecdh_make_pub_key()Tudor-Dan Ambarus
Rename ecdh_make_pub_key() to ecc_make_pub_key(). ecdh_make_pub_key() is not dh specific and the reference to dh is wrong. Signed-off-by: Tudor Ambarus <> Signed-off-by: Herbert Xu <>
2017-06-10crypto: ecc - remove unnecessary castsTudor-Dan Ambarus
ecc software implementation works with chunks of u64 data. There were some unnecessary casts to u8 and then back to u64 for the ecc keys. This patch removes the unnecessary casts. Signed-off-by: Tudor Ambarus <> Signed-off-by: Herbert Xu <>
2017-06-10crypto: ecc - remove unused function argumentsTudor-Dan Ambarus
Signed-off-by: Tudor Ambarus <> Signed-off-by: Herbert Xu <>
2016-06-24crypto: ecdh - make ecdh_shared_secret uniqueStephen Rothwell
There is another ecdh_shared_secret in net/bluetooth/ecc.c Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") Signed-off-by: Stephen Rothwell <> Signed-off-by: Herbert Xu <>
2016-06-23crypto: ecdh - Add ECDH software supportSalvatore Benedetto
* Implement ECDH under kpp API * Provide ECC software support for curve P-192 and P-256. * Add kpp test for ECDH with data generated by OpenSSL Signed-off-by: Salvatore Benedetto <> Signed-off-by: Herbert Xu <>