Hi Stephan, On Thu, Apr 20, 2017 at 03:27:17PM +0200, Stephan Müller wrote: > Am Donnerstag, 20. April 2017, 07:46:31 CEST schrieb Eric Biggers: > > Hi Eric, > > > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > > > The result of the Diffie-Hellman computation may be shorter than the > > input prime number. Only calculate the KDF over the actual result; > > don't include additional uninitialized memory. > > Thank you for catching that (and all the rest). But I think this patch is not > correct. If the DH operation results in a shorter value, the trailing part > must be set to null and the KDF calculated over the entire prime length. > > Thus, if the DH result is shorter than the prime, the memory should look like > DH result || 0x00 <as often as needed to make it prime length> || otherinfo. > > Thus, instead of this patch, I would think that the kmalloc call should be > changed to a kzalloc. > > Is this in the standard? And is it the user-specified length of the prime number, or the length after stripping leading zeroes? Also, note that the numbers are being represented in big endian format; is that required, or just coincidental? With big endian numbers leading zeroes go at the beginning, not the end, otherwise their value will be changed... By the way: do we really need this in the kernel at all, given that it's just doing some math on data which userspace has access to? - Eric