Re: [RFC PATCH v2 1/4] crypto: ecc - add privkey generation support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, Stephan,

Thank you for the review. Please see inline.

On 28.05.2017 21:44, Stephan Müller wrote:
Am Mittwoch, 17. Mai 2017, 17:26:50 CEST schrieb Tudor Ambarus:

Hi Tudor,

Add support for generating ecc private keys.

Generation of ecc private keys is helpful in a user-space to kernel
ecdh offload because the keys are not revealed to user-space. Private
key generation is also helpful to implement forward secrecy.

Signed-off-by: Tudor Ambarus <tudor.ambarus@xxxxxxxxxxxxx>
---
  crypto/ecc.c | 20 ++++++++++++++++++++
  crypto/ecc.h | 14 ++++++++++++++
  2 files changed, 34 insertions(+)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 414c78a..a591907 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -927,6 +927,26 @@ int ecc_is_key_valid(unsigned int curve_id, unsigned
int ndigits, return 0;
  }

+int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64
*privkey) +{
+	const struct ecc_curve *curve = ecc_get_curve(curve_id);

Shouldn't there be a check that a curve is selected? I.e. a check for an error
should be added?

We already checked the curve_id before generating the key. The function
assumes that curve_id is checked before calling it, like ecc_is_key_valid() does.


+	u64 priv[ndigits];

Shouldn't there be a size check of ndigits?

Already checked when setting the secret. But FIPS 186-4, B.4.1
recommends to check the bit length of n. It should be greater or equal with 160. I will add this check, thanks.


+	unsigned int nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
+
+	get_random_bytes(priv, nbytes);

Can you please use crypto_get_default_rng / crypto_rng_get_bytes /
crypto_put_default_rng?

Actually I tried this and I encountered some problems, I'm currently
debugging it.

When using the default rng and the run-time self tests are enabled,
the kernel is in a blocking state. What's worse is that the kernel
blocks before the console has the chance to be enabled and I can't see
anything :).

I suspect that the kernel blocks because the rng does not have enough
entropy. Could you please give me some hints?

+
+	if (vli_is_zero(priv, ndigits))
+		return -EINVAL;
+
+	/* Make sure the private key is in the range [1, n-1]. */
+	if (vli_cmp(curve->n, priv, ndigits) != 1)
+		return -EINVAL;
+
+	ecc_swap_digits(priv, privkey, ndigits);

Is a byteswap faster than a copy operation by looping through priv/privkey and
simply assinging the value?

Maybe not, but I am consistent with the rest of the code. Can we change
this in a latter patch, if necessary?

Thanks,
ta



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux