Message ID | 1620828254-25545-1-git-send-email-herbert.tencent@gmail.com |
---|---|
Headers | show |
Series | crypto: add eddsa support for x509 | expand |
On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote: > From: Hongbo Li <herberthbli@tencent.com> > > This series of patches add support for x509 cert signed by eddsa, > which is described in RFC8032 [1], currently ed25519 only. It would be helpful to explain how this is related to the kernel's existing Curve25519 support. - Eric
On Thu, May 13, 2021 at 02:44:07PM +0000, herberthbli(李弘博) wrote: > 在 2021/5/13 3:12, Eric Biggers 写道: > > On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote: > > > From: Hongbo Li <herberthbli@tencent.com><mailto:herberthbli@tencent.com> > > This series of patches add support for x509 cert signed by eddsa, > which is described in RFC8032 [1], currently ed25519 only. > > > > It would be helpful to explain how this is related to the kernel's existing > Curve25519 support. > > - Eric > > > Curve25519 is an elliptic curve used for key agreement(ECDH). It is a Montgomery curve. > > Edwards25519 is a twisted Edwards curve and birationally equivalent to Curve25519, the > birational maps are described in rfc7748 section 4.1. > https://datatracker.ietf.org/doc/html/rfc7748#section-4.1 > > > Ed25519 is a Digital Signature Algorithm over Edwards25519. > Sure, but what does that mean in terms of code. Can you reuse any of the code, and if not why not? I *think* the answer is no, but this is a common point of confusion, so it would be helpful to properly explain this... - Eric
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 于2021年5月14日周五 下午12:52写道: > > Hi Hongbo, > > On 5/12/21 10:04 PM, Hongbo Li wrote: > > From: Hongbo Li <herberthbli@tencent.com> > > > > SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in > > test_akcipher_one(), it will set public key for every test vector, > > and don't free ec->Q. This will cause a memory leak. > > > > This patch alloc ec->Q in sm2_ec_ctx_init(). > > > > Signed-off-by: Hongbo Li <herberthbli@tencent.com> > > --- > > crypto/sm2.c | 24 ++++++++++-------------- > > 1 file changed, 10 insertions(+), 14 deletions(-) > > > > diff --git a/crypto/sm2.c b/crypto/sm2.c > > index b21addc..db8a4a2 100644 > > --- a/crypto/sm2.c > > +++ b/crypto/sm2.c > > @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) > > goto free; > > > > rc = -ENOMEM; > > + > > + ec->Q = mpi_point_new(0); > > + if (!ec->Q) > > + goto free; > > + > > /* mpi_ec_setup_elliptic_curve */ > > ec->G = mpi_point_new(0); > > - if (!ec->G) > > + if (!ec->G) { > > + mpi_point_release(ec->Q); > > goto free; > > + } > > > > mpi_set(ec->G->x, x); > > mpi_set(ec->G->y, y); > > @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) > > rc = -EINVAL; > > ec->n = mpi_scanval(ecp->n); > > if (!ec->n) { > > + mpi_point_release(ec->Q); > > mpi_point_release(ec->G); > > goto free; > > } > > @@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm, > > MPI a; > > int rc; > > > > - ec->Q = mpi_point_new(0); > > - if (!ec->Q) > > - return -ENOMEM; > > - > > /* include the uncompressed flag '0x04' */ > > - rc = -ENOMEM; > > a = mpi_read_raw_data(key, keylen); > > if (!a) > > - goto error; > > + return -ENOMEM; > > > > mpi_normalize(a); > > rc = sm2_ecc_os2ec(ec->Q, a); > > mpi_free(a); > > - if (rc) > > - goto error; > > - > > - return 0; > > > > -error: > > - mpi_point_release(ec->Q); > > - ec->Q = NULL; > > return rc; > > } > > > > > > Thanks a lot for fixing this issue. > > Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> > > Also added: > > Cc: stable@vger.kernel.org # v5.10+ > > Best regards, > Tianjia Thank you for your review! Regards, Hongbo
Eric Biggers <ebiggers@kernel.org> 于2021年5月18日周二 上午5:21写道: > > On Thu, May 13, 2021 at 02:44:07PM +0000, herberthbli(李弘博) wrote: > > 在 2021/5/13 3:12, Eric Biggers 写道: > > > > On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote: > > > > > > From: Hongbo Li <herberthbli@tencent.com><mailto:herberthbli@tencent.com> > > > > This series of patches add support for x509 cert signed by eddsa, > > which is described in RFC8032 [1], currently ed25519 only. > > > > > > > > It would be helpful to explain how this is related to the kernel's existing > > Curve25519 support. > > > > - Eric > > > > > > Curve25519 is an elliptic curve used for key agreement(ECDH). It is a Montgomery curve. > > > > Edwards25519 is a twisted Edwards curve and birationally equivalent to Curve25519, the > > birational maps are described in rfc7748 section 4.1. > > https://datatracker.ietf.org/doc/html/rfc7748#section-4.1 > > > > > > Ed25519 is a Digital Signature Algorithm over Edwards25519. > > > > Sure, but what does that mean in terms of code. Can you reuse any of the code, > and if not why not? I *think* the answer is no, but this is a common point of > confusion, so it would be helpful to properly explain this... > > - Eric Thank you for your review. No, the eddsa can't reuse the code of curve25519. I'll also explain this in the next version of patches. Regards, Hongbo
From: Hongbo Li <herberthbli@tencent.com> This series of patches add support for x509 cert signed by eddsa, which is described in RFC8032 [1], currently ed25519 only. According to RFC8032 section 4 [2], there're two variants: PureEdDSA and HashEdDSA. These patches support PureEdDSA which named Ed25519. Patch1 fix a memory leak bug in sm2. Patch2 fix a mpi_resize bug, this bug will cause eddsa verification failed. Patch3 exports some mpi common functions. Patch4 makes x509 layer support eddsa. Patch5 moves some common code in sm2 to separate files. These code is also used by eddsa. Patch6 is the implementation of eddsa verification according to RFC8032 section 5.1.7 [3]. Patch7 adds test vector for eddsa. Test by the following script: keyctl newring test @u while :; do certfile="cert.der" openssl req \ -x509 \ -newkey ED25519 \ -keyout key.pem \ -days 365 \ -subj '/CN=test' \ -nodes \ -outform der \ -out ${certfile} 2>/dev/null exp=0 id=$(keyctl padd asymmetric testkey %keyring:test < "${certfile}") rc=$? if [ $rc -ne $exp ]; then case "$exp" in 0) echo "Error: Could not load ed25519 certificate $certfile!"; esac exit 1 else case "$rc" in 0) printf "load ed25519 cert keyid: %-10s\n" $id; esac fi done Best Regards Hongbo [1] https://datatracker.ietf.org/doc/html/rfc8032 [2] https://datatracker.ietf.org/doc/html/rfc8032#section-4 [3] https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7 Hongbo Li (7): crypto: fix a memory leak in sm2 lib/mpi: use kcalloc in mpi_resize lib/mpi: export some common function x509: add support for eddsa crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h crypto: support ed25519 x509 cert crypto: add eddsa test vector crypto/Kconfig | 15 ++++ crypto/Makefile | 4 + crypto/asymmetric_keys/public_key.c | 73 +++++++++++++-- crypto/asymmetric_keys/x509_cert_parser.c | 14 ++- crypto/asymmetric_keys/x509_public_key.c | 4 +- crypto/sm2.c | 104 +--------------------- crypto/testmgr.c | 6 ++ crypto/testmgr.h | 32 +++++++ include/linux/oid_registry.h | 1 + lib/mpi/mpi-add.c | 4 +- lib/mpi/mpiutil.c | 2 +- 11 files changed, 146 insertions(+), 113 deletions(-)