Commit e7d2b41e authored by Stephan Müller's avatar Stephan Müller Committed by Herbert Xu

crypto: ecdh - check validity of Z before export

SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. Thus, the export function and the validity check functions are
reversed. In addition, the sensitive variables of priv and rand_z are
zeroized.
Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Reviewed-by: default avatarVitaly Chikunov <vt@altlinux.org>
Acked-by: default avatarNeil Horman <nhorman@redhat.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent ef19f826
...@@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, ...@@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
ecc_point_mult(product, pk, priv, rand_z, curve, ndigits); ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
ecc_swap_digits(product->x, secret, ndigits); if (ecc_point_is_zero(product)) {
if (ecc_point_is_zero(product))
ret = -EFAULT; ret = -EFAULT;
goto err_validity;
}
ecc_swap_digits(product->x, secret, ndigits);
err_validity:
memzero_explicit(priv, sizeof(priv));
memzero_explicit(rand_z, sizeof(rand_z));
ecc_free_point(product); ecc_free_point(product);
err_alloc_product: err_alloc_product:
ecc_free_point(pk); ecc_free_point(pk);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment