From: "Stephan Müller" <smueller@chronox.de>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
mathew.j.martineau@linux.intel.com,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH 3/5] KEYS: DH: don't feed uninitialized result memory into KDF
Date: Thu, 20 Apr 2017 20:38:30 +0200 [thread overview]
Message-ID: <2707352.sSpDZZo8GT@tauon.chronox.de> (raw)
In-Reply-To: <20170420174602.GA103004@gmail.com>
Am Donnerstag, 20. April 2017, 19:46:02 CEST schrieb Eric Biggers:
Hi Eric,
> Hi Stephan,
>
> On Thu, Apr 20, 2017 at 03:27:17PM +0200, Stephan Müller wrote:
> > Am Donnerstag, 20. April 2017, 07:46:31 CEST schrieb Eric Biggers:
> >
> > Hi Eric,
> >
> > > From: Eric Biggers <ebiggers@google.com>
> > >
> > > The result of the Diffie-Hellman computation may be shorter than the
> > > input prime number. Only calculate the KDF over the actual result;
> > > don't include additional uninitialized memory.
> >
> > Thank you for catching that (and all the rest). But I think this patch is
> > not correct. If the DH operation results in a shorter value, the trailing
> > part must be set to null and the KDF calculated over the entire prime
> > length.
> >
> > Thus, if the DH result is shorter than the prime, the memory should look
> > like DH result || 0x00 <as often as needed to make it prime length> ||
> > otherinfo.
> >
> > Thus, instead of this patch, I would think that the kmalloc call should be
> > changed to a kzalloc.
>
> Is this in the standard?
That is the gotcha that is not explicitly written in the standard. However,
based on my experience with other implementations and tests like ECDSA and RSA
CAVS testing, the standards seem to always interpreted to use the full allowed
length. If the mathematical result is shorter than the defined length, it
should be zero-padded.
> And is it the user-specified length of the prime
> number, or the length after stripping leading zeroes?
It should be the length of the prime used for the DH operation. As the prime
is given with the DH parameters, the DH parameter set defines the length of
the prime.
I cannot say about the stripping of leading zeros of user-provided primes
because I have no idea where that is defined.
I would need to do some further research on this matter and check with the
authors of the standard.
> Also, note that the
> numbers are being represented in big endian format; is that required, or
> just coincidental? With big endian numbers leading zeroes go at the
> beginning, not the end, otherwise their value will be changed...
The numbers are MPI and are therefore big endian formats. Also the counter in
the KDF is a big endian format which is mandated in the spec.
You are right that the zeros go to the beginning of the number and I made a
wrong statement in my initial remark regarding the zero value.
>
> - Ericinning and my initial remark regarding where the zeros are is wrong.
Yet, IMHO we should not stip the zeros before applying the KDF as this would
imply that the KDF result is different.
>
> By the way: do we really need this in the kernel at all, given that it's
> just doing some math on data which userspace has access to?
It is the question about how we want the keys subsystem to operate. The DH
shared secret shall not be used as a key. But the DH operation is part of the
key subsystem. If there is never a case where the result of the DH operation
is used in the kernel, then the KDF can be removed and my patches could be
reverted. However, in this case, the entire DH business could be questioned as
this can easily be done in user space as well.
Ciao
Stephan
next prev parent reply other threads:[~2017-04-20 18:38 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-20 5:46 [PATCH 0/5] KEYS: fixes for new keyctl_dh_compute() KDF extension Eric Biggers
2017-04-20 5:46 ` [PATCH 1/5] KEYS: DH: forbid using digest_null as the KDF hash Eric Biggers
2017-04-20 5:46 ` [PATCH 2/5] KEYS: DH: don't feed uninitialized "otherinfo" into KDF Eric Biggers
2017-04-20 5:46 ` [PATCH 3/5] KEYS: DH: don't feed uninitialized result memory " Eric Biggers
2017-04-20 13:27 ` Stephan Müller
2017-04-20 17:46 ` Eric Biggers
2017-04-20 18:38 ` Stephan Müller [this message]
2017-04-21 3:44 ` Eric Biggers
2017-04-27 15:15 ` David Howells
2017-04-28 5:26 ` Eric Biggers
2017-04-20 5:46 ` [PATCH 4/5] KEYS: DH: ensure the KDF counter is properly aligned Eric Biggers
2017-04-20 5:46 ` [PATCH 5/5] KEYS: DH: add __user annotations to keyctl_kdf_params Eric Biggers
2017-04-28 15:53 ` [PATCH 0/5] KEYS: fixes for new keyctl_dh_compute() KDF extension David Howells
2017-04-28 15:56 ` Stephan Müller
2017-05-01 14:52 ` Stephan Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2707352.sSpDZZo8GT@tauon.chronox.de \
--to=smueller@chronox.de \
--cc=dhowells@redhat.com \
--cc=ebiggers3@gmail.com \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).