From patchwork Thu May 27 13:53:29 2021
X-Patchwork-Submitter: Hongbo Li
X-Patchwork-Id: 449581
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 1/7] crypto: fix a memory leak in sm2 Date: Thu, 27 May 2021 21:53:29 +0800 Message-Id: <1622123615-15517-2-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in test_akcipher_one(), it will set public key for every test vector, and don't free ec->Q. This will cause a memory leak. This patch alloc ec->Q in sm2_ec_ctx_init(). Fixes: ea7ecb66440b ("crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm") Signed-off-by: Hongbo Li Reviewed-by: Tianjia Zhang --- crypto/sm2.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/crypto/sm2.c b/crypto/sm2.c index b21addc3ac06..db8a4a265669 100644 --- a/crypto/sm2.c +++ b/crypto/sm2.c @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) goto free; rc = -ENOMEM; + + ec->Q = mpi_point_new(0); + if (!ec->Q) + goto free; + /* mpi_ec_setup_elliptic_curve */ ec->G = mpi_point_new(0); - if (!ec->G) + if (!ec->G) { + mpi_point_release(ec->Q); goto free; + } mpi_set(ec->G->x, x); mpi_set(ec->G->y, y); @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) rc = -EINVAL; ec->n = mpi_scanval(ecp->n); if (!ec->n) { + mpi_point_release(ec->Q); mpi_point_release(ec->G); goto free; } 
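Review bot: in the two sm2_ec_ctx_init() hunks, ec->Q is released by hand in both the `if (!ec->G)` and the `if (!ec->n)` failure paths, which duplicates the unwind; a dedicated unwind label ahead of `free:` (for example `free_q:` doing the mpi_point_release(ec->Q)) would keep a single release site and would not be missed if another allocation is inserted between the two. Also, since ec->Q is now allocated for the lifetime of the context rather than per sm2_set_pub_key() call, the context teardown has to release it; that path is not in this diff, so please confirm it does.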
@@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm, MPI a; int rc; - ec->Q = mpi_point_new(0); - if (!ec->Q) - return -ENOMEM; - /* include the uncompressed flag '0x04' */ - rc = -ENOMEM; a = mpi_read_raw_data(key, keylen); if (!a) - goto error; + return -ENOMEM; mpi_normalize(a); rc = sm2_ecc_os2ec(ec->Q, a); mpi_free(a); - if (rc) - goto error; - - return 0; -error: - mpi_point_release(ec->Q); - ec->Q = NULL; return rc; }
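Review bot: in the sm2_set_pub_key() hunk, a failing sm2_ecc_os2ec(ec->Q, a) now leaves ec->Q holding a partially decoded point instead of NULL as the removed `error:` path did, and the function can be called repeatedly on the same tfm; either reset ec->Q on failure or document that a tfm whose set_pub_key() failed must not be used for verification. The removed comment `/* include the uncompressed flag '0x04' */` documented the expected input encoding and is still true for mpi_read_raw_data(key, keylen), so it is worth keeping above that call.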
From patchwork Thu May 27 13:53:30 2021
X-Patchwork-Id: 448940
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 2/7] lib/mpi: use kcalloc in mpi_resize Date: Thu, 27 May 2021 21:53:30 +0800 Message-Id: <1622123615-15517-3-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li We should set the additional space to 0 in mpi_resize(). So use kcalloc() instead of kmalloc_array(). In lib/mpi/ec.c: /**************** * Resize the array of A to NLIMBS. the additional space is cleared * (set to 0) [done by m_realloc()] */ int mpi_resize(MPI a, unsigned nlimbs) Like the comment of kernel's mpi_resize(), the additional space need to set to 0, but when a->d is not NULL, it does not set. The kernel's mpi lib is from libgcrypt, the mpi resize in libgcrypt is _gcry_mpi_resize() which set the additional space to 0. This bug may cause mpi api which use mpi_resize() get wrong result under the condition of using the additional space without initiation. If this condition is not met, the bug would not be triggered. Currently in kernel, rsa, sm2 and dh use mpi lib, and they works well, so the bug is not triggered in these cases. add_points_edwards() use the additional space directly, so it will get a wrong result, and lead to a failed eddsa verification. Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") Signed-off-by: Hongbo Li --- lib/mpi/mpiutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mpi/mpiutil.c b/lib/mpi/mpiutil.c index 3c63710c20c6..e6c4b3180ab1 100644 --- a/lib/mpi/mpiutil.c 
+++ b/lib/mpi/mpiutil.c 
@@ -148,7 +148,7 @@ int mpi_resize(MPI a, unsigned nlimbs) return 0; /* no need to do it */ if (a->d) { - p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL); + p = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL); if (!p) return -ENOMEM; memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t));
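Review bot: kcalloc() zeroes all nlimbs limbs and the memcpy() two lines below immediately overwrites the first a->alloced of them, so only the tail (nlimbs - a->alloced limbs) actually needed clearing; a memset() of that tail after the memcpy() would satisfy the "additional space is cleared" comment without zeroing memory that is overwritten anyway. The branch for a NULL a->d is outside this hunk and the commit message says it already clears, please confirm. The commit message also quotes the mpi_resize() comment as living in lib/mpi/ec.c, while the hunk is against lib/mpi/mpiutil.c; fix the path in the message.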
From patchwork Thu May 27 13:53:31 2021
X-Patchwork-Id: 449580
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 3/7] lib/mpi: export some common function Date: Thu, 27 May 2021 21:53:31 +0800 Message-Id: <1622123615-15517-4-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li Export mpi_add_ui() and mpi_sub() that are used by the following eddsa patch. Signed-off-by: Hongbo Li --- lib/mpi/mpi-add.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/mpi/mpi-add.c b/lib/mpi/mpi-add.c index 2cdae54c1bd0..d34c6c1c6fab 100644 --- a/lib/mpi/mpi-add.c +++ b/lib/mpi/mpi-add.c @@ -62,7 +62,7 @@ void mpi_add_ui(MPI w, MPI u, unsigned long v) w->nlimbs = wsize; w->sign = wsign; } - +EXPORT_SYMBOL_GPL(mpi_add_ui); void mpi_add(MPI w, MPI u, MPI v) { 
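Review bot: the `-` line removed in this hunk was the blank line separating mpi_add_ui() from mpi_add(), so `EXPORT_SYMBOL_GPL(mpi_add_ui);` now sits directly against `void mpi_add(MPI w, MPI u, MPI v)`; keep a blank line after the EXPORT_SYMBOL_GPL() line, as is usual kernel style.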
@@ -138,7 +138,7 @@ void mpi_sub(MPI w, MPI u, MPI v) mpi_add(w, u, vv); mpi_free(vv); } - +EXPORT_SYMBOL_GPL(mpi_sub); void mpi_addm(MPI w, MPI u, MPI v, MPI m) {
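Review bot: same blank-line point as for mpi_add_ui(): the removed `-` line was the separator before `void mpi_addm(MPI w, MPI u, MPI v, MPI m)`, so re-add a blank line after `EXPORT_SYMBOL_GPL(mpi_sub);`.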
From patchwork Thu May 27 13:53:32 2021
X-Patchwork-Id: 448939
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 4/7] x509: add support for eddsa Date: Thu, 27 May 2021 21:53:32 +0800 Message-Id: <1622123615-15517-5-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li This patch make x509 support eddsa(currently ed25519). According to RFC8032 section 5.1.7[1], the digest is not on the original message, but on a special formated message string: SHA512(dom2(F, C) || R || A || PH(M)) [1]: https://tools.ietf.org/html/rfc8032#section-5.1.7 Signed-off-by: Hongbo Li --- crypto/asymmetric_keys/public_key.c | 73 ++++++++++++++++++++--- crypto/asymmetric_keys/x509_cert_parser.c | 14 ++++- crypto/asymmetric_keys/x509_public_key.c | 4 +- include/linux/oid_registry.h | 1 + 4 files changed, 82 insertions(+), 10 deletions(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 4fefb219bfdc..c1236a8fb38e 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -251,8 +251,8 @@ static int software_key_eds_op(struct kernel_pkey_params *params, } #if IS_REACHABLE(CONFIG_CRYPTO_SM2) -static int cert_sig_digest_update(const struct public_key_signature *sig, - struct crypto_akcipher *tfm_pkey) +static int sm2_cert_sig_digest_update(const struct public_key_signature *sig, + struct crypto_akcipher *tfm_pkey) { struct crypto_shash *tfm; struct shash_desc *desc; 
@@ -297,7 +297,7 @@ static int cert_sig_digest_update(const struct public_key_signature *sig, return ret; } #else -static inline int cert_sig_digest_update( +static inline int sm2_cert_sig_digest_update( const struct public_key_signature *sig, struct crypto_akcipher *tfm_pkey) { @@ -305,6 +305,58 @@ static inline int cert_sig_digest_update( } #endif /* ! IS_REACHABLE(CONFIG_CRYPTO_SM2) */ +static int eddsa_cert_sig_digest_update(const struct public_key *pub, + const struct public_key_signature *sig) +{ + struct crypto_shash *tfm = NULL; + struct shash_desc *desc = NULL; + int key_size, ret = 0; + + if (strcmp(pub->pkey_algo, "eddsa-25519")) + return -ENOPKG; + + tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + + desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); + if (!desc) { + ret = -ENOMEM; + goto free; + } + + desc->tfm = tfm; + + /* RFC8032 section 5.1.7 + * step 2. SHA512(dom2(F, C) || R || A || PH(M)) + */ + key_size = 32; + if (sig->s_size != key_size * 2 || + pub->keylen != key_size) { + ret = -EINVAL; + goto free; + } + + ret = crypto_shash_init(desc); + if (ret < 0) + goto free; + + ret = crypto_shash_update(desc, sig->s, key_size); + if (ret < 0) + goto free; + + ret = crypto_shash_update(desc, pub->key, key_size); + if (ret < 0) + goto free; + + ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); + +free: + kfree(desc); + crypto_free_shash(tfm); + return ret; +} + /* * Verify a signature using a public key. */ 
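Review bot: crypto_shash_finup() at the end of the new eddsa_cert_sig_digest_update() writes a full digest into sig->digest, but the function's own checks cover only sig->s_size and pub->keylen; it allocates whatever shash sig->hash_algo names and never checks that the digest buffer is large enough, so add a check that sig->hash_algo is "sha512" and that the caller's digest buffer holds 64 bytes before the update calls. The comment citing `SHA512(dom2(F, C) || R || A || PH(M))` should also state that dom2 and PH are omitted because both are empty/identity for pure Ed25519 (they are not for Ed25519ctx or Ed25519ph), otherwise the omission reads like a bug. The `key_size = 32` literal and the `sig->s_size != key_size * 2` check are right for R||S; a named constant would make that intent clearer.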
@@ -358,11 +410,16 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_key; - if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && - sig->data_size) { - ret = cert_sig_digest_update(sig, tfm); - if (ret) - goto error_free_key; + if (sig->pkey_algo && sig->data_size) { + if (strcmp(sig->pkey_algo, "sm2") == 0) { + ret = sm2_cert_sig_digest_update(sig, tfm); + if (ret) + goto error_free_key; + } else if (strcmp(sig->pkey_algo, "eddsa") == 0) { + ret = eddsa_cert_sig_digest_update(pkey, sig); + if (ret) + goto error_free_key; + } } sg_init_table(src_sg, 2); diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 6d003096b5bc..3f60c57d8d76 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -258,6 +258,9 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, case OID_SM2_with_SM3: ctx->cert->sig->hash_algo = "sm3"; goto sm2; + case OID_ed25519: + ctx->cert->sig->hash_algo = "sha512"; + goto eddsa; } rsa_pkcs1: @@ -280,6 +283,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, ctx->cert->sig->encoding = "x962"; ctx->algo_oid = ctx->last_oid; return 0; +eddsa: + ctx->cert->sig->pkey_algo = "eddsa"; + ctx->cert->sig->encoding = "raw"; + ctx->algo_oid = ctx->last_oid; + return 0; } /* @@ -302,7 +310,8 @@ int x509_note_signature(void *context, size_t hdrlen, if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 || - strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) { + strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0 || + strcmp(ctx->cert->sig->pkey_algo, "eddsa") == 0) { /* Discard the BIT STRING metadata */ if (vlen < 1 || *(const u8 *)value != 0) return -EBADMSG; 
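Review bot: in the public_key_verify_signature() hunk the "eddsa" branch dispatches on sig->pkey_algo and then passes pkey to eddsa_cert_sig_digest_update(), which rejects any pub->pkey_algo other than "eddsa-25519" with -ENOPKG; that is fine, but the akcipher allocated from pkey->pkey_algo earlier in this function is not added by this patch, so this patch only works once the later eddsa patch in the series is applied and the commit message should say so. In the x509_note_pkey_algo() hunk, `ctx->cert->sig->hash_algo = "sha512"` for OID_ed25519 is a fixed choice rather than something read from the certificate (the OID carries no hash), so a one-line comment pointing at RFC 8032 would save the next reader a lookup.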
@@ -517,6 +526,9 @@ int x509_extract_key_data(void *context, size_t hdrlen, return -ENOPKG; } break; + case OID_ed25519: + ctx->cert->pub->pkey_algo = "eddsa-25519"; + break; default: return -ENOPKG; } diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 3d45161b271a..a8fd3682695f 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -131,7 +131,9 @@ int x509_check_for_self_signed(struct x509_certificate *cert) ret = -EKEYREJECTED; if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 && (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 || - strcmp(cert->sig->pkey_algo, "ecdsa") != 0)) + strcmp(cert->sig->pkey_algo, "ecdsa") != 0) && + (strncmp(cert->pub->pkey_algo, "eddsa-", 6) != 0 || + strcmp(cert->sig->pkey_algo, "eddsa") != 0)) goto out; ret = public_key_verify_signature(cert->pub, cert->sig); diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index cc64d9419746..d84bb867a1f9 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h 
@@ -64,6 +64,7 @@ enum OID { OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */ OID_sha1, /* 1.3.14.3.2.26 */ + OID_ed25519, /* 1.3.101.112 */ OID_id_ansip384r1, /* 1.3.132.0.34 */ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */ OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
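Review bot: the `/* 1.3.101.112 */` comment on the new enum member is not decoration: lib/build_OID_registry parses these comments to generate the OID lookup table, so it must stay in exactly this form. 1.3.101.112 is id-Ed25519 as registered in RFC 8410, and placing it between OID_sha1 (1.3.14.3.2.26) and OID_id_ansip384r1 (1.3.132.0.34) keeps the file in ascending OID order with its neighbours.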
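The digest construction the commit message describes, as an added illustration that is not part of this patch series: a pure-Python Ed25519 verifier following RFC 8032 section 5.1.7, whose `verification_digest()` hashes the same R || A || M that eddsa_cert_sig_digest_update() feeds to the shash, and which then checks [S]B = R + [k]A. The `keypair_and_sign()` helper exists only to produce inputs; all names here are this example's own.

```python
import hashlib

# Ed25519 domain parameters (RFC 8032 section 5.1).
P = 2**255 - 19                                         # field prime
L = 2**252 + 27742317777372353535851937790883648493     # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P               # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                       # square root of -1 mod p

def _recover_x(y, sign):
    """Solve x^2 = (y^2 - 1) / (d*y^2 + 1); return the root with parity `sign`, or None."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None                     # y is not the y-coordinate of any curve point
    if x == 0 and sign:
        return None                     # RFC 8032 5.1.3 step 4
    if x & 1 != sign:
        x = P - x
    return x

def decode_point(b):
    """32-byte little-endian y with the sign of x in bit 255 -> (X, Y, Z, T) or None."""
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None                     # non-canonical encoding
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % P)

def encode_point(pt):
    x, y, z, _ = pt
    zi = pow(z, P - 2, P)
    x, y = x * zi % P, y * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def add(p, q):
    """Unified addition in extended coordinates (RFC 8032 section 5.1.4); also doubles."""
    x1, y1, z1, t1 = p
    x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * D * t1 * t2 % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def mul(s, pt):
    """Double-and-add scalar multiplication (not constant time; fine for verification)."""
    r = (0, 1, 1, 0)                    # neutral element
    while s:
        if s & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        s >>= 1
    return r

def equal(p, q):
    x1, y1, z1, _ = p
    x2, y2, z2, _ = q
    return (x1 * z2 - x2 * z1) % P == 0 and (y1 * z2 - y2 * z1) % P == 0

_BY = 4 * pow(5, P - 2, P) % P          # the base point B has y = 4/5 and even x
_BX = _recover_x(_BY, 0)
B = (_BX, _BY, 1, _BX * _BY % P)

def verification_digest(r, pub, msg):
    """The 64-byte hash the kernel patch computes: dom2(F, C) is empty and PH is the
    identity for pure Ed25519, so the SHA-512 input is exactly R || A || M."""
    return hashlib.sha512(r + pub + msg).digest()

def verify(pub, msg, sig):
    """RFC 8032 5.1.7: k = SHA512(R || A || M) mod L, then check [S]B == R + [k]A."""
    if len(pub) != 32 or len(sig) != 64:    # same size checks as the kernel function
        return False
    A, R = decode_point(pub), decode_point(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= L:    # reject non-canonical S (signature malleability)
        return False
    k = int.from_bytes(verification_digest(sig[:32], pub, msg), "little") % L
    return equal(mul(s, B), add(R, mul(k, A)))

def keypair_and_sign(seed, msg):
    """RFC 8032 5.1.5/5.1.6 key derivation and signing, used only to build inputs."""
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)   # clamp
    pub = encode_point(mul(a, B))
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % L
    R = encode_point(mul(r, B))
    k = int.from_bytes(verification_digest(R, pub, msg), "little") % L
    return pub, R + ((r + k * a) % L).to_bytes(32, "little")
```

Feeding the 64-byte output of `verification_digest()` to a signature check instead of the raw message is what the kernel's "digest" for an Ed25519 certificate signature means; the reduction mod L and the group equation happen in the signature algorithm itself.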
From patchwork Thu May 27 13:53:33 2021
X-Patchwork-Id: 449579
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 5/7] crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h Date: Thu, 27 May 2021 21:53:33 +0800 Message-Id: <1622123615-15517-6-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li Some structs and functions in sm2 are common codes, and could be used by the following eddsa patch. So move them to common files: ec_mpi.c and ec_mpi.h. Signed-off-by: Hongbo Li --- crypto/Kconfig | 4 ++ crypto/Makefile | 1 + crypto/ec_mpi.c | 82 +++++++++++++++++++++++++++++++++++++++++ crypto/ec_mpi.h | 37 +++++++++++++++++++ crypto/sm2.c | 98 ++----------------------------------------------- 5 files changed, 127 insertions(+), 95 deletions(-) create mode 100644 crypto/ec_mpi.c create mode 100644 crypto/ec_mpi.h diff --git a/crypto/Kconfig b/crypto/Kconfig index 4a0d1876aadb..75ae7d3f6f92 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -265,6 +265,9 @@ config CRYPTO_ECRDSA standard algorithms (called GOST algorithms). Only signature verification is implemented. +config CRYPTO_EC_MPI + tristate + config CRYPTO_SM2 tristate "SM2 algorithm" select CRYPTO_SM3 @@ -272,6 +275,7 @@ config CRYPTO_SM2 select CRYPTO_MANAGER select MPILIB select ASN1 + select CRYPTO_EC_MPI help Generic implementation of the SM2 public key algorithm. It was published by State Encryption Management Bureau, China. diff --git a/crypto/Makefile b/crypto/Makefile index 10526d4559b8..8afb39359776 100644 --- a/crypto/Makefile +++ b/crypto/Makefile 
@@ -177,6 +177,7 @@ obj-$(CONFIG_CRYPTO_OFB) += ofb.o obj-$(CONFIG_CRYPTO_ECC) += ecc.o obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o +obj-$(CONFIG_CRYPTO_EC_MPI) += ec_mpi.o ecdh_generic-y += ecdh.o ecdh_generic-y += ecdh_helper.o diff --git a/crypto/ec_mpi.c b/crypto/ec_mpi.c new file mode 100644 index 000000000000..a537e6fc713f --- /dev/null +++ b/crypto/ec_mpi.c @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * EC MPI common functions. + * + * Copyright (c) 2020, Alibaba Group. + * Authors: Tianjia Zhang + */ + +#include +#include +#include "ec_mpi.h" + +int ec_mpi_ctx_init(struct mpi_ec_ctx *ec, const struct ecc_domain_parms *ecp) +{ + MPI p, a, b; + MPI x, y; + int rc = -EINVAL; + + p = mpi_scanval(ecp->p); + a = mpi_scanval(ecp->a); + b = mpi_scanval(ecp->b); + if (!p || !a || !b) + goto free_p; + + x = mpi_scanval(ecp->g_x); + y = mpi_scanval(ecp->g_y); + if (!x || !y) + goto free; + + rc = -ENOMEM; + + ec->Q = mpi_point_new(0); + if (!ec->Q) + goto free; + + /* mpi_ec_setup_elliptic_curve */ + ec->G = mpi_point_new(0); + if (!ec->G) { + mpi_point_release(ec->Q); + goto free; + } + + mpi_set(ec->G->x, x); + mpi_set(ec->G->y, y); + mpi_set_ui(ec->G->z, 1); + + rc = -EINVAL; + ec->n = mpi_scanval(ecp->n); + if (!ec->n) { + mpi_point_release(ec->Q); + mpi_point_release(ec->G); + goto free; + } + + ec->h = ecp->h; + ec->name = ecp->desc; + mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b); + + rc = 0; + +free: + mpi_free(x); + mpi_free(y); +free_p: + mpi_free(p); + mpi_free(a); + mpi_free(b); + + return rc; +} +EXPORT_SYMBOL(ec_mpi_ctx_init); + +void ec_mpi_ctx_deinit(struct mpi_ec_ctx *ec) +{ + mpi_ec_deinit(ec); + + memset(ec, 0, sizeof(*ec)); +} +EXPORT_SYMBOL(ec_mpi_ctx_deinit); + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Tianjia Zhang "); diff --git a/crypto/ec_mpi.h b/crypto/ec_mpi.h new file mode 100644 index 000000000000..e1f6d3aaeef9 --- /dev/null +++ b/crypto/ec_mpi.h 
@@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * EC MPI common structs. + * + * Copyright (c) 2020, Alibaba Group. + * Authors: Tianjia Zhang + */ + +#include + +struct ecc_domain_parms { + const char *desc; /* Description of the curve. */ + unsigned int nbits; /* Number of bits. */ + unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */ + + /* The model describing this curve. This is mainly used to select + * the group equation. + */ + enum gcry_mpi_ec_models model; + + /* The actual ECC dialect used. This is used for curve specific + * optimizations and to select encodings etc. + */ + enum ecc_dialects dialect; + + const char *p; /* The prime defining the field. */ + const char *a, *b; /* The coefficients. For Twisted Edwards + * Curves b is used for d. For Montgomery + * Curves (a,b) has ((A-2)/4,B^-1). + */ + const char *n; /* The order of the base point. */ + const char *g_x, *g_y; /* Base point. */ + unsigned int h; /* Cofactor. */ +}; + +int ec_mpi_ctx_init(struct mpi_ec_ctx *ec, const struct ecc_domain_parms *ecp); +void ec_mpi_ctx_deinit(struct mpi_ec_ctx *ec); diff --git a/crypto/sm2.c b/crypto/sm2.c index db8a4a265669..ea1676ba1a9a 100644 --- a/crypto/sm2.c +++ b/crypto/sm2.c 
@@ -9,42 +9,17 @@ */ #include -#include #include #include #include #include #include #include +#include "ec_mpi.h" #include "sm2signature.asn1.h" #define MPI_NBYTES(m) ((mpi_get_nbits(m) + 7) / 8) -struct ecc_domain_parms { - const char *desc; /* Description of the curve. */ - unsigned int nbits; /* Number of bits. */ - unsigned int fips:1; /* True if this is a FIPS140-2 approved curve */ - - /* The model describing this curve. This is mainly used to select - * the group equation. - */ - enum gcry_mpi_ec_models model; - - /* The actual ECC dialect used. This is used for curve specific - * optimizations and to select encodings etc. - */ - enum ecc_dialects dialect; - - const char *p; /* The prime defining the field. */ - const char *a, *b; /* The coefficients. For Twisted Edwards - * Curves b is used for d. For Montgomery - * Curves (a,b) has ((A-2)/4,B^-1). - */ - const char *n; /* The order of the base point. */ - const char *g_x, *g_y; /* Base point. */ - unsigned int h; /* Cofactor. */ -}; - static const struct ecc_domain_parms sm2_ecp = { .desc = "sm2p256v1", .nbits = 256, 
@@ -60,73 +35,6 @@ static const struct ecc_domain_parms sm2_ecp = { .h = 1 }; -static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) -{ - const struct ecc_domain_parms *ecp = &sm2_ecp; - MPI p, a, b; - MPI x, y; - int rc = -EINVAL; - - p = mpi_scanval(ecp->p); - a = mpi_scanval(ecp->a); - b = mpi_scanval(ecp->b); - if (!p || !a || !b) - goto free_p; - - x = mpi_scanval(ecp->g_x); - y = mpi_scanval(ecp->g_y); - if (!x || !y) - goto free; - - rc = -ENOMEM; - - ec->Q = mpi_point_new(0); - if (!ec->Q) - goto free; - - /* mpi_ec_setup_elliptic_curve */ - ec->G = mpi_point_new(0); - if (!ec->G) { - mpi_point_release(ec->Q); - goto free; - } - - mpi_set(ec->G->x, x); - mpi_set(ec->G->y, y); - mpi_set_ui(ec->G->z, 1); - - rc = -EINVAL; - ec->n = mpi_scanval(ecp->n); - if (!ec->n) { - mpi_point_release(ec->Q); - mpi_point_release(ec->G); - goto free; - } - - ec->h = ecp->h; - ec->name = ecp->desc; - mpi_ec_init(ec, ecp->model, ecp->dialect, 0, p, a, b); - - rc = 0; - -free: - mpi_free(x); - mpi_free(y); -free_p: - mpi_free(p); - mpi_free(a); - mpi_free(b); - - return rc; -} - -static void sm2_ec_ctx_deinit(struct mpi_ec_ctx *ec) -{ - mpi_ec_deinit(ec); - - memset(ec, 0, sizeof(*ec)); -} - /* RESULT must have been initialized and is set on success to the * point given by VALUE. */ 
@@ -416,14 +324,14 @@ static int sm2_init_tfm(struct crypto_akcipher *tfm) { struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); - return sm2_ec_ctx_init(ec); + return ec_mpi_ctx_init(ec, &sm2_ecp); } static void sm2_exit_tfm(struct crypto_akcipher *tfm) { struct mpi_ec_ctx *ec = akcipher_tfm_ctx(tfm); - sm2_ec_ctx_deinit(ec); + ec_mpi_ctx_deinit(ec); } static struct akcipher_alg sm2 = {
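Review bot: the new `config CRYPTO_EC_MPI` entry in the Kconfig hunk should carry `select MPILIB` itself: ec_mpi.c calls mpi_scanval(), mpi_point_new(), mpi_set() and mpi_ec_init() directly, and today the dependency is only satisfied because CRYPTO_SM2 happens to select MPILIB. A second user of CRYPTO_EC_MPI that does not select MPILIB (the following eddsa patch does not) would build ec_mpi.o against unresolved mpi_* symbols. Put the select next to the code that needs it, i.e. under CRYPTO_EC_MPI rather than in each consumer.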
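Review bot: the new crypto/ec_mpi.h has no include guard, yet it defines `struct ecc_domain_parms` and is meant to be included by both sm2.c and the later eddsa.c; any translation unit that pulls it in twice will get a redefinition error. Wrap the header in `#ifndef _CRYPTO_EC_MPI_H` / `#define _CRYPTO_EC_MPI_H` / `#endif`. Minor: the header's SPDX tag is `GPL-2.0-or-later` while ec_mpi.c uses `GPL-2.0+`; they mean the same licence, but the two new files should use one spelling.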
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 6/7] crypto: ed25519 cert verification Date: Thu, 27 May 2021 21:53:34 +0800 Message-Id: <1622123615-15517-7-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li This patch adds the support of eddsa(currently ed25519) verification which is described in RFC8032 section 5.1.7 [1]. [1]: https://tools.ietf.org/html/rfc8032#section-5.1.7 Signed-off-by: Hongbo Li --- crypto/Kconfig | 11 ++ crypto/Makefile | 3 + crypto/eddsa.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 340 insertions(+) create mode 100644 crypto/eddsa.c diff --git a/crypto/Kconfig b/crypto/Kconfig index 75ae7d3f6f92..6463c85c8416 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -268,6 +268,17 @@ config CRYPTO_ECRDSA config CRYPTO_EC_MPI tristate +config CRYPTO_EDDSA + tristate "EDDSA (ed25519) algorithm" + select CRYPTO_ECC + select CRYPTO_EC_MPI + select CRYPTO_AKCIPHER + select ASN1 + help + Edwards-curve Digital Signature Algorithm (ed25519) is a variant + of Schnorr's signature system with (possibly twisted) Edwards curves. + Only signature verification is implemented. + config CRYPTO_SM2 tristate "SM2 algorithm" select CRYPTO_SM3 diff --git a/crypto/Makefile b/crypto/Makefile index 8afb39359776..2bbdfada893c 100644 --- a/crypto/Makefile +++ b/crypto/Makefile 
@@ -56,6 +56,9 @@ ecdsa_generic-y += ecdsa.o ecdsa_generic-y += ecdsasignature.asn1.o obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o +eddsa_generic-y += eddsa.o +obj-$(CONFIG_CRYPTO_EDDSA) += eddsa_generic.o + crypto_acompress-y := acompress.o crypto_acompress-y += scompress.o obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o diff --git a/crypto/eddsa.c b/crypto/eddsa.c new file mode 100644 index 000000000000..e9eec5574b67 --- /dev/null +++ b/crypto/eddsa.c 
@@ -0,0 +1,326 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * EDDSA generic algorithm. + * + * Copyright (c) 2021 Hongbo Li + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "ec_mpi.h" + +struct eddsa_ctx { + enum OID algo_oid; + struct mpi_ec_ctx ec_ctx; +}; + +static MPI p58; +static MPI seven; +static MPI m1; + +static const struct ecc_domain_parms ed25519_domain_params = { + .desc = "ed25519", + .nbits = 256, + .fips = 0, + .model = MPI_EC_EDWARDS, + .dialect = ECC_DIALECT_ED25519, + .p = "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED", + .a = "-0x01", + .b = "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A", + .n = "0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED", + .g_x = "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A", + .g_y = "0x6666666666666666666666666666666666666666666666666666666666666658", + .h = 8, +}; + +static void reverse_buffer(u8 *buffer, u32 length) +{ + u32 tmp, i; + + for (i = 0; i < length / 2; i++) { + tmp = buffer[i]; + buffer[i] = buffer[length - 1 - i]; + buffer[length - 1 - i] = tmp; + } +} + +static int eddsa_encode_x_y(MPI x, MPI y, u8 *buf, u32 key_size) +{ + memcpy(buf, y->d, key_size); + if (mpi_test_bit(x, 0)) + buf[key_size - 1] |= 0x80; + + return 0; +} + +static int ecc_eddsa_encodepoint(MPI_POINT point, struct mpi_ec_ctx *ec, + MPI x, MPI y, u8 *buf, u32 key_size) +{ + if (mpi_ec_get_affine(x, y, point, ec)) + return -EINVAL; + + return eddsa_encode_x_y(x, y, buf, key_size); +} + +/* Recover X from Y and SIGN (which actually is a parity bit). 
*/ +static int eddsa_recover_x(MPI x, MPI y, int sign, struct mpi_ec_ctx *ec) +{ + MPI u, v, v3, t; + int ret = 0; + + if (ec->dialect != ECC_DIALECT_ED25519) + return -ENOPKG; + + u = mpi_new(0); + v = mpi_new(0); + v3 = mpi_new(0); + t = mpi_new(0); + + /* Compute u and v */ + /* u = y^2 */ + mpi_mulm(u, y, y, ec->p); + /* v = b*y^2 */ + mpi_mulm(v, ec->b, u, ec->p); + /* u = y^2-1 */ + mpi_sub_ui(u, u, 1); + /* v = b*y^2+1 */ + mpi_add_ui(v, v, 1); + + /* Compute sqrt(u/v) */ + /* v3 = v^3 */ + mpi_powm(v3, v, mpi_const(MPI_C_THREE), ec->p); + /* t = v3 * v3 * u * v = u * v^7 */ + mpi_powm(t, v, seven, ec->p); + mpi_mulm(t, t, u, ec->p); + /* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */ + mpi_powm(t, t, p58, ec->p); + /* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */ + mpi_mulm(t, t, u, ec->p); + mpi_mulm(x, t, v3, ec->p); + + /* Adjust if needed. */ + /* t = v * x^2 */ + mpi_mulm(t, x, x, ec->p); + mpi_mulm(t, t, v, ec->p); + /* -t == u ? x = x * sqrt(-1) */ + mpi_sub(t, ec->p, t); + if (!mpi_cmp(t, u)) { + mpi_mulm(x, x, m1, ec->p); + /* t = v * x^2 */ + mpi_mulm(t, x, x, ec->p); + mpi_mulm(t, t, v, ec->p); + /* -t == u ? 
x = x * sqrt(-1) */ + mpi_sub(t, ec->p, t); + if (!mpi_cmp(t, u)) + ret = -EINVAL; + } + + /* Choose the desired square root according to parity */ + if (mpi_test_bit(x, 0) != !!sign) + mpi_sub(x, ec->p, x); + + mpi_free(t); + mpi_free(v3); + mpi_free(v); + mpi_free(u); + + return ret; +} + +static int ecc_eddsa_decodepoint(const u8 *pk, int key_size, + struct mpi_ec_ctx *ec, MPI_POINT result) +{ + MPI y; + u8 *rawmpi; + int sign, ret = 0; + + rawmpi = kmalloc(key_size, GFP_KERNEL); + if (!rawmpi) + return -ENOMEM; + memcpy(rawmpi, pk, key_size); + reverse_buffer(rawmpi, key_size); + + sign = !!(rawmpi[0] & 0x80); + rawmpi[0] &= 0x7f; + + y = mpi_read_raw_data(rawmpi, key_size); + if (!y) { + ret = -EINVAL; + goto out; + } + + mpi_normalize(y); + mpi_set(result->y, y); + mpi_free(y); + + ret = eddsa_recover_x(result->x, result->y, sign, ec); + mpi_set_ui(result->z, 1); +out: + kfree(rawmpi); + return ret; +} + +static int eddsa_verify(struct akcipher_request *req) +{ + struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); + struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); + struct mpi_ec_ctx *ec = &ctx->ec_ctx; + struct gcry_mpi_point sb, ka; + MPI s = NULL; + MPI k = NULL; + u8 sig[CURVE25519_KEY_SIZE * 2],digest[SHA512_DIGEST_SIZE]; + u8 *buf; + u32 key_size; + int ret = 0; + + if (ctx->algo_oid != OID_ed25519) + return -ENOPKG; + + key_size = CURVE25519_KEY_SIZE; + + if (!ec->Q || req->src_len != key_size * 2) + return -EINVAL; + + sg_copy_to_buffer(req->src, sg_nents_for_len(req->src, req->src_len), + sig, req->src_len); + + sg_pcopy_to_buffer(req->src, + sg_nents_for_len(req->src, + req->src_len + req->dst_len), + digest, req->dst_len, req->src_len); + + reverse_buffer(digest, SHA512_DIGEST_SIZE); + k = mpi_read_raw_data(digest, SHA512_DIGEST_SIZE); + + reverse_buffer(sig + key_size, key_size); + s = mpi_read_raw_data(sig + key_size, key_size); + + mpi_point_init(&sb); + mpi_point_init(&ka); + + mpi_ec_mul_point(&sb, s, ec->G, ec); + mpi_ec_mul_point(&ka, 
k, ec->Q, ec); + mpi_sub(ka.x, ec->p, ka.x); + mpi_ec_add_points(&sb, &sb, &ka, ec); + + buf = kmalloc(key_size, GFP_KERNEL); + if (!buf) { + ret = -ENOMEM; + goto out; + } + + ret = ecc_eddsa_encodepoint(&sb, ec, s, k, buf, key_size); + if (ret) + goto out; + + if (memcmp(buf, sig, key_size)) + ret = -EKEYREJECTED; + +out: + mpi_point_free_parts(&sb); + mpi_point_free_parts(&ka); + mpi_free(k); + mpi_free(s); + kfree(buf); + return ret; +} + +static int eddsa_set_pub_key(struct crypto_akcipher *tfm, const void *key, + unsigned int keylen) +{ + struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); + struct mpi_ec_ctx *ec = &ctx->ec_ctx; + const u8 *pk = key; + + if (ctx->algo_oid != OID_ed25519) + return -ENOPKG; + + if (keylen != CURVE25519_KEY_SIZE) + return -EINVAL; + + return ecc_eddsa_decodepoint(pk, keylen, ec, ec->Q); +} + +static u32 eddsa_max_size(struct crypto_akcipher *tfm) +{ + struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); + + if (ctx->algo_oid == OID_ed25519) + return CURVE25519_KEY_SIZE; + + return 0; +} + +static int eddsa_25519_init_tfm(struct crypto_akcipher *tfm) +{ + struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); + + ctx->algo_oid = OID_ed25519; + p58 = mpi_scanval("0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD"); + if (!p58) + return -ENOMEM; + + m1 = mpi_scanval("2B8324804FC1DF0B2B4D00993DFBD7A72F431806AD2FE478C4EE1B274A0EA0B0"); + if (!m1) + return -ENOMEM; + + seven = mpi_set_ui(NULL, 7); + + return ec_mpi_ctx_init(&ctx->ec_ctx, &ed25519_domain_params); +} + +static void eddsa_exit_tfm(struct crypto_akcipher *tfm) +{ + struct eddsa_ctx *ctx = akcipher_tfm_ctx(tfm); + + ec_mpi_ctx_deinit(&ctx->ec_ctx); + mpi_free(p58); + mpi_free(seven); + mpi_free(m1); +} + + +static struct akcipher_alg eddsa_25519 = { + .verify = eddsa_verify, + .set_pub_key = eddsa_set_pub_key, + .max_size = eddsa_max_size, + .init = eddsa_25519_init_tfm, + .exit = eddsa_exit_tfm, + .base = { + .cra_name = "eddsa-25519", + .cra_driver_name = 
"eddsa-25519-generic", + .cra_priority = 100, + .cra_module = THIS_MODULE, + .cra_ctxsize = sizeof(struct eddsa_ctx), + }, +}; + +static int eddsa_mod_init(void) +{ + return crypto_register_akcipher(&eddsa_25519); +} + +static void eddsa_mod_exit(void) +{ + crypto_unregister_akcipher(&eddsa_25519); +} + +module_init(eddsa_mod_init); +module_exit(eddsa_mod_exit); + +MODULE_LICENSE("GPL v2"); +MODULE_AUTHOR("Hongbo Li "); +MODULE_ALIAS_CRYPTO("eddsa"); +MODULE_ALIAS_CRYPTO("eddsa-generic"); +MODULE_DESCRIPTION("EDDSA generic algorithm"); From patchwork Thu May 27 13:53:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hongbo Li X-Patchwork-Id: 449578 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A04FEC4708B for ; Thu, 27 May 2021 13:55:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85788613CC for ; Thu, 27 May 2021 13:55:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236685AbhE0N4d (ORCPT ); Thu, 27 May 2021 09:56:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40898 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236696AbhE0N4U (ORCPT ); Thu, 27 May 2021 09:56:20 -0400 Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by lindbergh.monkeyblade.net 
From: Hongbo Li To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, ebiggers@kernel.org, dhowells@redhat.com, jarkko@kernel.org, tianjia.zhang@linux.alibaba.com, herberthbli@tencent.com Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [PATCH v2 7/7] crypto: add eddsa test vector Date: Thu, 27 May 2021 21:53:35 +0800 Message-Id: <1622123615-15517-8-git-send-email-herbert.tencent@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> References: <1622123615-15517-1-git-send-email-herbert.tencent@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Hongbo Li This patch adds the test vector for ed25519. The test vector is from RFC8032 section 7.1 [1] [1]https://datatracker.ietf.org/doc/html/rfc8032#section-7.1 Signed-off-by: Hongbo Li --- crypto/testmgr.c | 6 ++++++ crypto/testmgr.h | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 10c5b3b01ec4..498d1866ef77 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4938,6 +4938,12 @@ static const struct alg_test_desc alg_test_descs[] = { .suite = { .akcipher = __VECS(ecrdsa_tv_template) } + }, { + .alg = "eddsa-25519", + .test = alg_test_akcipher, + .suite = { + .akcipher = __VECS(eddsa_25519_tv_template) + } }, { .alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)", .test = alg_test_aead, diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 34e4a3db3991..11807a308ef9 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h 
@@ -1144,6 +1144,38 @@ static const struct akcipher_testvec ecrdsa_tv_template[] = { }, }; +/* + * EDDSA test vectors. + * From RFC8032 section 7.1 + */ +static const struct akcipher_testvec eddsa_25519_tv_template[] = { + { + .key = + "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc" + "\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c", + .key_len = 32, + /* + * RFC8032 section 5.1.7. m is SHA512(dom2(F, C) || R || A || PH(M)) + * M is 0x72 + */ + .m = + "\xa2\x71\xdf\x0d\x2b\x0d\x03\xbd\x17\xb4\xed\x9a\x4b\x6a\xfd\xdf" + "\x2e\x73\x28\x7f\xd6\x30\xf1\xa1\x37\xd8\x7c\xe8\x73\xa5\x91\xcc" + "\x31\xb6\xdd\x85\x2a\x98\xb5\xdd\x12\x26\xfe\x99\x3d\x82\x28\x27" + "\x8c\xeb\xa2\x1f\x80\xb8\xfc\x95\x98\x6a\x70\xd7\x1e\xdf\x3f\xaf", + .m_size = 64, + .c = + "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40" + "\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda" + "\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c" + "\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00", + .c_size = 64, + .algo = OID_ed25519, + .public_key_vec = true, + .siggen_sigver_test = true, + } +}; + /* * PKCS#1 RSA test vectors. Obtained from CAVS testing. */
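Review bot: the comment above `.m` in the testmgr.h hunk describes it as SHA512(dom2(F, C) || R || A || PH(M)); for pure Ed25519 (RFC 8032 section 5.1) dom2 is the empty string and PH is the identity, so say that explicitly, otherwise the vector reads as if Ed25519ctx or Ed25519ph were under test. It should also state plainly that `.m` is the 64-byte hash the caller must compute over R || A || M, not the message 0x72, because that is what eddsa_verify() consumes from req->dst and any consumer of "eddsa-25519" has to reproduce the same convention. Only the second of the RFC 8032 section 7.1 vectors is included; adding one more with a different public key would exercise eddsa_recover_x() on a second point, which this single vector cannot.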