[PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[Stefan Berger]

Simplify two functions that were using temporary byte arrays for
converting too-short input byte arrays to digits. Use ecc_digits_from_bytes
since this function can now handle an input byte array that provides
less bytes than what a coordinate of a curve requires - the function
provides zeros for the missing (leading) bytes.

See: c6ab5c915da4 ("crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes")

Regards,
   Stefan

Stefan Berger (2):
  crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array
  crypto: ecdsa - Use ecc_digits_from_bytes to convert signature

 crypto/ecdsa.c | 29 ++++++-----------------------
 1 file changed, 6 insertions(+), 23 deletions(-)

-- 
2.43.0

[PATCH 1/2] crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array

[Stefan Berger]

Since ecc_digits_from_bytes will provide zeros when an insufficient number
of bytes are passed in the input byte array, use it to create the hash
digits directly from the input byte array. This avoids going through an
intermediate byte array (rawhash) that has the first few bytes filled with
zeros.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/ecdsa.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index 258fffbf623d..fa029f36110b 100644
--- a/crypto/ecdsa.c
+++ b/crypto/ecdsa.c
@@ -142,10 +142,8 @@ static int ecdsa_verify(struct akcipher_request *req)
 	struct ecdsa_signature_ctx sig_ctx = {
 		.curve = ctx->curve,
 	};
-	u8 rawhash[ECC_MAX_BYTES];
 	u64 hash[ECC_MAX_DIGITS];
 	unsigned char *buffer;
-	ssize_t diff;
 	int ret;
 
 	if (unlikely(!ctx->pub_key_set))
@@ -164,18 +162,11 @@ static int ecdsa_verify(struct akcipher_request *req)
 	if (ret < 0)
 		goto error;
 
-	/* if the hash is shorter then we will add leading zeros to fit to ndigits */
-	diff = bufsize - req->dst_len;
-	if (diff >= 0) {
-		if (diff)
-			memset(rawhash, 0, diff);
-		memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
-	} else if (diff < 0) {
-		/* given hash is longer, we take the left-most bytes */
-		memcpy(&rawhash, buffer + req->src_len, bufsize);
-	}
+	if (bufsize > req->dst_len)
+		bufsize = req->dst_len;
 
-	ecc_swap_digits((u64 *)rawhash, hash, ctx->curve->g.ndigits);
+	ecc_digits_from_bytes(buffer + req->src_len, bufsize,
+			      hash, ctx->curve->g.ndigits);
 
 	ret = _ecdsa_verify(ctx, hash, sig_ctx.r, sig_ctx.s);
 
-- 
2.43.0

[PATCH 2/2] crypto: ecdsa - Use ecc_digits_from_bytes to convert signature

[Stefan Berger]

Since ecc_digits_from_bytes will provide zeros when an insufficient number
of bytes are passed in the input byte array, use it to convert the r and s
components of the signature to digits directly from the input byte
array. This avoids going through an intermediate byte array that has the
first few bytes filled with zeros.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 crypto/ecdsa.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
index fa029f36110b..941cdc2b889b 100644
--- a/crypto/ecdsa.c
+++ b/crypto/ecdsa.c
@@ -38,7 +38,6 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
 	size_t bufsize = ndigits * sizeof(u64);
 	ssize_t diff = vlen - bufsize;
 	const char *d = value;
-	u8 rs[ECC_MAX_BYTES];
 
 	if (!value || !vlen)
 		return -EINVAL;
@@ -46,7 +45,7 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
 	/* diff = 0: 'value' has exacly the right size
 	 * diff > 0: 'value' has too many bytes; one leading zero is allowed that
 	 *           makes the value a positive integer; error on more
-	 * diff < 0: 'value' is missing leading zeros, which we add
+	 * diff < 0: 'value' is missing leading zeros
 	 */
 	if (diff > 0) {
 		/* skip over leading zeros that make 'value' a positive int */
@@ -61,14 +60,7 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
 	if (-diff >= bufsize)
 		return -EINVAL;
 
-	if (diff) {
-		/* leading zeros not given in 'value' */
-		memset(rs, 0, -diff);
-	}
-
-	memcpy(&rs[-diff], d, vlen);
-
-	ecc_swap_digits((u64 *)rs, dest, ndigits);
+	ecc_digits_from_bytes(d, vlen, dest, ndigits);
 
 	return 0;
 }
-- 
2.43.0

Re: [PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[Jarkko Sakkinen]

On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
> Simplify two functions that were using temporary byte arrays for
> converting too-short input byte arrays to digits. Use ecc_digits_from_bytes
> since this function can now handle an input byte array that provides
> less bytes than what a coordinate of a curve requires - the function
> provides zeros for the missing (leading) bytes.
>
> See: c6ab5c915da4 ("crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes")
>
> Regards,
>    Stefan
>
> Stefan Berger (2):
>   crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array
>   crypto: ecdsa - Use ecc_digits_from_bytes to convert signature
>
>  crypto/ecdsa.c | 29 ++++++-----------------------
>  1 file changed, 6 insertions(+), 23 deletions(-)

BTW, would it make sense split ecdsa signature encoding to its own patch
in my next patch set version and name it ecdsa_* style and put it to
ecdsa.c?

Just asking this because the part should be the same same for any ECDSA
signature. It must scale also to all NIST variants before my patch set
can land.

BR, Jarkko

Re: [PATCH 1/2] crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array

[Jarkko Sakkinen]

On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
> Since ecc_digits_from_bytes will provide zeros when an insufficient number
> of bytes are passed in the input byte array, use it to create the hash
> digits directly from the input byte array. This avoids going through an
> intermediate byte array (rawhash) that has the first few bytes filled with
> zeros.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  crypto/ecdsa.c | 17 ++++-------------
>  1 file changed, 4 insertions(+), 13 deletions(-)
>
> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> index 258fffbf623d..fa029f36110b 100644
> --- a/crypto/ecdsa.c
> +++ b/crypto/ecdsa.c
> @@ -142,10 +142,8 @@ static int ecdsa_verify(struct akcipher_request *req)
>  	struct ecdsa_signature_ctx sig_ctx = {
>  		.curve = ctx->curve,
>  	};
> -	u8 rawhash[ECC_MAX_BYTES];
>  	u64 hash[ECC_MAX_DIGITS];
>  	unsigned char *buffer;
> -	ssize_t diff;
>  	int ret;
>  
>  	if (unlikely(!ctx->pub_key_set))
> @@ -164,18 +162,11 @@ static int ecdsa_verify(struct akcipher_request *req)
>  	if (ret < 0)
>  		goto error;
>  
> -	/* if the hash is shorter then we will add leading zeros to fit to ndigits */
> -	diff = bufsize - req->dst_len;
> -	if (diff >= 0) {
> -		if (diff)
> -			memset(rawhash, 0, diff);
> -		memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
> -	} else if (diff < 0) {
> -		/* given hash is longer, we take the left-most bytes */
> -		memcpy(&rawhash, buffer + req->src_len, bufsize);
> -	}
> +	if (bufsize > req->dst_len)
> +		bufsize = req->dst_len;
>  
> -	ecc_swap_digits((u64 *)rawhash, hash, ctx->curve->g.ndigits);
> +	ecc_digits_from_bytes(buffer + req->src_len, bufsize,
> +			      hash, ctx->curve->g.ndigits);
>  
>  	ret = _ecdsa_verify(ctx, hash, sig_ctx.r, sig_ctx.s);
>  

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

I don't think it'd be even nit-picking to say that the function
called would really need kdoc. I had to spend about 20 minutes
to reacall ecc_digits_from_bytes().

Like something to remind what, how and why... So that you can
recap quickly. Once I got grip of it (for the 2nd time) the
code itself was just fine, no complains on that.

BR, Jarkko

Re: [PATCH 2/2] crypto: ecdsa - Use ecc_digits_from_bytes to convert signature

[Jarkko Sakkinen]

On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
> Since ecc_digits_from_bytes will provide zeros when an insufficient number
> of bytes are passed in the input byte array, use it to convert the r and s
> components of the signature to digits directly from the input byte
> array. This avoids going through an intermediate byte array that has the
> first few bytes filled with zeros.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  crypto/ecdsa.c | 12 ++----------
>  1 file changed, 2 insertions(+), 10 deletions(-)
>
> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> index fa029f36110b..941cdc2b889b 100644
> --- a/crypto/ecdsa.c
> +++ b/crypto/ecdsa.c
> @@ -38,7 +38,6 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
>  	size_t bufsize = ndigits * sizeof(u64);
>  	ssize_t diff = vlen - bufsize;
>  	const char *d = value;
> -	u8 rs[ECC_MAX_BYTES];
>  
>  	if (!value || !vlen)
>  		return -EINVAL;
> @@ -46,7 +45,7 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
>  	/* diff = 0: 'value' has exacly the right size
>  	 * diff > 0: 'value' has too many bytes; one leading zero is allowed that
>  	 *           makes the value a positive integer; error on more
> -	 * diff < 0: 'value' is missing leading zeros, which we add
> +	 * diff < 0: 'value' is missing leading zeros
>  	 */
>  	if (diff > 0) {
>  		/* skip over leading zeros that make 'value' a positive int */
> @@ -61,14 +60,7 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
>  	if (-diff >= bufsize)
>  		return -EINVAL;
>  
> -	if (diff) {
> -		/* leading zeros not given in 'value' */
> -		memset(rs, 0, -diff);
> -	}
> -
> -	memcpy(&rs[-diff], d, vlen);
> -
> -	ecc_swap_digits((u64 *)rs, dest, ndigits);
> +	ecc_digits_from_bytes(d, vlen, dest, ndigits);
>  
>  	return 0;
>  }

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

Re: [PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[Stefan Berger]

On 5/30/24 01:08, Jarkko Sakkinen wrote:
> On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
>> Simplify two functions that were using temporary byte arrays for
>> converting too-short input byte arrays to digits. Use ecc_digits_from_bytes
>> since this function can now handle an input byte array that provides
>> less bytes than what a coordinate of a curve requires - the function
>> provides zeros for the missing (leading) bytes.
>>
>> See: c6ab5c915da4 ("crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes")
>>
>> Regards,
>>     Stefan
>>
>> Stefan Berger (2):
>>    crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array
>>    crypto: ecdsa - Use ecc_digits_from_bytes to convert signature
>>
>>   crypto/ecdsa.c | 29 ++++++-----------------------
>>   1 file changed, 6 insertions(+), 23 deletions(-)
> 
> BTW, would it make sense split ecdsa signature encoding to its own patch
> in my next patch set version and name it ecdsa_* style and put it to
> ecdsa.c?

I would only put it into ecdsa.c if functions inside this file (can) 
make use of it, otherwise leave it in your file.

> 
> Just asking this because the part should be the same same for any ECDSA
> signature. It must scale also to all NIST variants before my patch set
> can land.
> 
> BR, Jarkko
> 

Re: [PATCH 1/2] crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array

[Stefan Berger]

On 5/30/24 01:28, Jarkko Sakkinen wrote:
> On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
>> Since ecc_digits_from_bytes will provide zeros when an insufficient number
>> of bytes are passed in the input byte array, use it to create the hash
>> digits directly from the input byte array. This avoids going through an
>> intermediate byte array (rawhash) that has the first few bytes filled with
>> zeros.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   crypto/ecdsa.c | 17 ++++-------------
>>   1 file changed, 4 insertions(+), 13 deletions(-)
>>
>> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
>> index 258fffbf623d..fa029f36110b 100644
>> --- a/crypto/ecdsa.c
>> +++ b/crypto/ecdsa.c
>> @@ -142,10 +142,8 @@ static int ecdsa_verify(struct akcipher_request *req)
>>   	struct ecdsa_signature_ctx sig_ctx = {
>>   		.curve = ctx->curve,
>>   	};
>> -	u8 rawhash[ECC_MAX_BYTES];
>>   	u64 hash[ECC_MAX_DIGITS];
>>   	unsigned char *buffer;
>> -	ssize_t diff;
>>   	int ret;
>>   
>>   	if (unlikely(!ctx->pub_key_set))
>> @@ -164,18 +162,11 @@ static int ecdsa_verify(struct akcipher_request *req)
>>   	if (ret < 0)
>>   		goto error;
>>   
>> -	/* if the hash is shorter then we will add leading zeros to fit to ndigits */
>> -	diff = bufsize - req->dst_len;
>> -	if (diff >= 0) {
>> -		if (diff)
>> -			memset(rawhash, 0, diff);
>> -		memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
>> -	} else if (diff < 0) {
>> -		/* given hash is longer, we take the left-most bytes */
>> -		memcpy(&rawhash, buffer + req->src_len, bufsize);
>> -	}
>> +	if (bufsize > req->dst_len)
>> +		bufsize = req->dst_len;
>>   
>> -	ecc_swap_digits((u64 *)rawhash, hash, ctx->curve->g.ndigits);
>> +	ecc_digits_from_bytes(buffer + req->src_len, bufsize,
>> +			      hash, ctx->curve->g.ndigits);
>>   
>>   	ret = _ecdsa_verify(ctx, hash, sig_ctx.r, sig_ctx.s);
>>   
> 
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> 
> I don't think it'd be even nit-picking to say that the function
> called would really need kdoc. I had to spend about 20 minutes
> to reacall ecc_digits_from_bytes().

Here's the file with all the kdocs: 
https://elixir.bootlin.com/linux/v6.10-rc1/source/include/crypto/internal/ecc.h#L67

> 
> Like something to remind what, how and why... So that you can
> recap quickly. Once I got grip of it (for the 2nd time) the
> code itself was just fine, no complains on that.

Do you want to find there that the input byte array starts with the most 
significant byte and the functions converts this byte array into an 
internal digits representation?



> 
> BR, Jarkko
> 

Re: [PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[Jarkko Sakkinen]

On Thu May 30, 2024 at 3:16 PM EEST, Stefan Berger wrote:
>
>
> On 5/30/24 01:08, Jarkko Sakkinen wrote:
> > On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
> >> Simplify two functions that were using temporary byte arrays for
> >> converting too-short input byte arrays to digits. Use ecc_digits_from_bytes
> >> since this function can now handle an input byte array that provides
> >> less bytes than what a coordinate of a curve requires - the function
> >> provides zeros for the missing (leading) bytes.
> >>
> >> See: c6ab5c915da4 ("crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes")
> >>
> >> Regards,
> >>     Stefan
> >>
> >> Stefan Berger (2):
> >>    crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array
> >>    crypto: ecdsa - Use ecc_digits_from_bytes to convert signature
> >>
> >>   crypto/ecdsa.c | 29 ++++++-----------------------
> >>   1 file changed, 6 insertions(+), 23 deletions(-)
> > 
> > BTW, would it make sense split ecdsa signature encoding to its own patch
> > in my next patch set version and name it ecdsa_* style and put it to
> > ecdsa.c?
>
> I would only put it into ecdsa.c if functions inside this file (can) 
> make use of it, otherwise leave it in your file.

Yep, that specific part has no binding per se to anything related to
TPM2. It is also dead easy to detach.

Here I would suggest to take a similar angle as with CRYPTO_LIB_AES so
that it is easily and directly callable from either side with no fuss.

I'll mangle it that way at least for the next version and we can see
then how it looks like.

BR, Jarkko

Re: [PATCH 1/2] crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array

[Jarkko Sakkinen]

On Thu May 30, 2024 at 3:24 PM EEST, Stefan Berger wrote:
>
>
> On 5/30/24 01:28, Jarkko Sakkinen wrote:
> > On Thu May 30, 2024 at 2:08 AM EEST, Stefan Berger wrote:
> >> Since ecc_digits_from_bytes will provide zeros when an insufficient number
> >> of bytes are passed in the input byte array, use it to create the hash
> >> digits directly from the input byte array. This avoids going through an
> >> intermediate byte array (rawhash) that has the first few bytes filled with
> >> zeros.
> >>
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> ---
> >>   crypto/ecdsa.c | 17 ++++-------------
> >>   1 file changed, 4 insertions(+), 13 deletions(-)
> >>
> >> diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c
> >> index 258fffbf623d..fa029f36110b 100644
> >> --- a/crypto/ecdsa.c
> >> +++ b/crypto/ecdsa.c
> >> @@ -142,10 +142,8 @@ static int ecdsa_verify(struct akcipher_request *req)
> >>   	struct ecdsa_signature_ctx sig_ctx = {
> >>   		.curve = ctx->curve,
> >>   	};
> >> -	u8 rawhash[ECC_MAX_BYTES];
> >>   	u64 hash[ECC_MAX_DIGITS];
> >>   	unsigned char *buffer;
> >> -	ssize_t diff;
> >>   	int ret;
> >>   
> >>   	if (unlikely(!ctx->pub_key_set))
> >> @@ -164,18 +162,11 @@ static int ecdsa_verify(struct akcipher_request *req)
> >>   	if (ret < 0)
> >>   		goto error;
> >>   
> >> -	/* if the hash is shorter then we will add leading zeros to fit to ndigits */
> >> -	diff = bufsize - req->dst_len;
> >> -	if (diff >= 0) {
> >> -		if (diff)
> >> -			memset(rawhash, 0, diff);
> >> -		memcpy(&rawhash[diff], buffer + req->src_len, req->dst_len);
> >> -	} else if (diff < 0) {
> >> -		/* given hash is longer, we take the left-most bytes */
> >> -		memcpy(&rawhash, buffer + req->src_len, bufsize);
> >> -	}
> >> +	if (bufsize > req->dst_len)
> >> +		bufsize = req->dst_len;
> >>   
> >> -	ecc_swap_digits((u64 *)rawhash, hash, ctx->curve->g.ndigits);
> >> +	ecc_digits_from_bytes(buffer + req->src_len, bufsize,
> >> +			      hash, ctx->curve->g.ndigits);
> >>   
> >>   	ret = _ecdsa_verify(ctx, hash, sig_ctx.r, sig_ctx.s);
> >>   
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> > 
> > I don't think it'd be even nit-picking to say that the function
> > called would really need kdoc. I had to spend about 20 minutes
> > to reacall ecc_digits_from_bytes().
>
> Here's the file with all the kdocs: 
> https://elixir.bootlin.com/linux/v6.10-rc1/source/include/crypto/internal/ecc.h#L67

LOL, sorry I forgot this. I think this was the 2nd time I complained
about this ;-) I'm sorry, yeah that WFM.

Just not used to this convention but I don't mind actually if it is
that way.

BR, Jarkko

Re: [PATCH 0/2] ecdsa: Use ecc_digits_from_bytes to simplify code

[Herbert Xu]

On Wed, May 29, 2024 at 07:08:25PM -0400, Stefan Berger wrote:
> Simplify two functions that were using temporary byte arrays for
> converting too-short input byte arrays to digits. Use ecc_digits_from_bytes
> since this function can now handle an input byte array that provides
> less bytes than what a coordinate of a curve requires - the function
> provides zeros for the missing (leading) bytes.
> 
> See: c6ab5c915da4 ("crypto: ecc - Prevent ecc_digits_from_bytes from reading too many bytes")
> 
> Regards,
>    Stefan
> 
> Stefan Berger (2):
>   crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array
>   crypto: ecdsa - Use ecc_digits_from_bytes to convert signature
> 
>  crypto/ecdsa.c | 29 ++++++-----------------------
>  1 file changed, 6 insertions(+), 23 deletions(-)
> 
> -- 
> 2.43.0

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt