From: Lukas Wunner <lukas@wunner.de>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
davem@davemloft.net, herbert@gondor.apana.org.au,
dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, patrick@puiterwijk.org
Subject: Re: [PATCH v12 02/10] crypto: Add support for ECDSA signature verification
Date: Wed, 17 Jul 2024 18:17:45 +0200 [thread overview]
Message-ID: <ZpfuqeSVC47jqme2@wunner.de> (raw)
In-Reply-To: <20210316210740.1592994-3-stefanb@linux.ibm.com>
Hi Stefan,
On Tue, Mar 16, 2021 at 05:07:32PM -0400, Stefan Berger wrote:
> +/*
> + * Get the r and s components of a signature from the X509 certificate.
> + */
> +static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
> + const void *value, size_t vlen, unsigned int ndigits)
> +{
> + size_t keylen = ndigits * sizeof(u64);
> + ssize_t diff = vlen - keylen;
> + const char *d = value;
> + u8 rs[ECC_MAX_BYTES];
> +
> + if (!value || !vlen)
> + return -EINVAL;
> +
> + /* diff = 0: 'value' has exacly the right size
> + * diff > 0: 'value' has too many bytes; one leading zero is allowed that
> + * makes the value a positive integer; error on more
> + * diff < 0: 'value' is missing leading zeros, which we add
> + */
> + if (diff > 0) {
> + /* skip over leading zeros that make 'value' a positive int */
> + if (*d == 0) {
> + vlen -= 1;
> + diff--;
> + d++;
> + }
> + if (diff)
> + return -EINVAL;
> + }
> + if (-diff >= keylen)
> + return -EINVAL;
I'm in the process of creating a crypto_template for decoding an x962
signature as requested by Herbert:
https://lore.kernel.org/all/ZoHXyGwRzVvYkcTP@gondor.apana.org.au/
I intend to move the above code to the template and to do so I'm
trying to understand what it's doing.
There's an oddity in the above-quoted function. The check ...
+ if (-diff >= keylen)
+ return -EINVAL;
... seems superfluous. diff is assigned the following value at the
top of the function:
+ ssize_t diff = vlen - keylen;
This means that: -diff == keylen - vlen.
Now, if vlen is zero, -diff would equal keylen and then the
"-diff >= keylen" check would be true. However at the top of
the function, there's already a !vlen check. No need to check
the same thing again!
Next, I'm asking myself if -diff can ever be greater than keylen.
I don't think it can. For that to be true, vlen would have to be
negative. But vlen is of unsigned type size_t!
I just wanted to double-check with you whether ...
+ if (-diff >= keylen)
+ return -EINVAL;
... is indeed superfluous as I suspect or whether I'm missing
something. I'm guessing that the check might be some kind of
safety net to avoid an out-of-bounds access in the memset()
and memcpy() calls that follow further down in the function,
in case sig->curve->g.ndigits was neglected to be set by the
programmer. But there doesn't seem to be any real need for
the check, so I'm leaning towards not carrying it over to the
x962 template.
The check was already present in v1 of your ecdsa patch set:
https://lore.kernel.org/all/20210126170359.363969-2-stefanb@linux.vnet.ibm.com/
Thanks,
Lukas
next prev parent reply other threads:[~2024-07-17 16:25 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 21:07 [PATCH v12 00/10] Add support for x509 certs with NIST P384/256/192 keys Stefan Berger
2021-03-16 21:07 ` [PATCH v12 01/10] oid_registry: Add OIDs for ECDSA with SHA224/256/384/512 Stefan Berger
2021-03-16 21:07 ` [PATCH v12 02/10] crypto: Add support for ECDSA signature verification Stefan Berger
2024-07-17 16:17 ` Lukas Wunner [this message]
2024-07-22 12:19 ` Stefan Berger
2024-07-22 13:17 ` Lukas Wunner
2021-03-16 21:07 ` [PATCH v12 03/10] crypto: Add NIST P384 curve parameters Stefan Berger
2021-03-16 21:07 ` [PATCH v12 04/10] crypto: Add math to support fast NIST P384 Stefan Berger
2021-03-16 21:07 ` [PATCH v12 05/10] ecdsa: Register NIST P384 and extend test suite Stefan Berger
2021-03-16 21:07 ` [PATCH v12 06/10] x509: Detect sm2 keys by their parameters OID Stefan Berger
2021-03-16 21:07 ` [PATCH v12 07/10] x509: Add support for parsing x509 certs with ECDSA keys Stefan Berger
2021-03-16 21:07 ` [PATCH v12 08/10] ima: Support EC keys for signature verification Stefan Berger
2021-03-16 21:07 ` [PATCH v12 09/10] x509: Add OID for NIST P384 and extend parser for it Stefan Berger
2021-03-16 21:07 ` [PATCH v12 10/10] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-03-16 21:16 ` [PATCH v12 00/10] Add support for x509 certs with NIST P384/256/192 keys Stefan Berger
2021-03-26 9:30 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZpfuqeSVC47jqme2@wunner.de \
--to=lukas@wunner.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).