crypto: ecdh - check validity of Z before export

SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reviewed-by: Vitaly Chikunov <vt@altlinux.org> Acked-by: Neil Horman <nhorman@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

crypto: ecdh - check validity of Z before export
SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reviewed-by: Vitaly Chikunov <vt@altlinux.org> Acked-by: Neil Horman <nhorman@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
e7d2b41e · Stephan Müller · Herbert Xu · ef19f826 · e7d2b41e
Commit e7d2b41e authored Jul 20, 2020 by Stephan Müller Committed by Herbert Xu Jul 31, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

crypto/ecc.c crypto/ecc.c +8 -3

No files found.
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,

 	ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);

-	ecc_swap_digits(product->x, secret, ndigits);
-
-	if (ecc_point_is_zero(product))
+	if (ecc_point_is_zero(product)) {
 		ret = -EFAULT;
+		goto err_validity;
+	}
+
+	ecc_swap_digits(product->x, secret, ndigits);

+err_validity:
+	memzero_explicit(priv, sizeof(priv));
+	memzero_explicit(rand_z, sizeof(rand_z));
 	ecc_free_point(product);
 err_alloc_product:
 	ecc_free_point(pk);