mbox series

[v2,00/14] Add support for NIST P521 to ecdsa and ecdh

Message ID 20240215231414.3857320-1-stefanb@linux.ibm.com
Headers show
Series Add support for NIST P521 to ecdsa and ecdh | expand

Message

Stefan Berger Feb. 15, 2024, 11:13 p.m. UTC
This series of patches adds support for the NIST P521 curve to ecdsa and
ecdh. Test cases for NIST P521 are added to both modules.

An issue with the current code in ecdsa and ecdh is that it assumes that
input arrays providing key coordinates for example, are arrays of digits
(a 'digit' is a 'u64'). This works well for all currently supported
curves, such as NIST P192/256/384, but does not work for NIST P521 where
coordinates are 8 digits + 2 bytes long. So some of the changes deal with
converting byte arrays to digits and digits to byte arrays.


Regards,
   Stefan

v2:
 - Reformulated some patch descriptions
 - Fixed issue detected by krobot
 - Some other small changes to the code

Stefan Berger (14):
  crypto: ecdsa - Convert byte arrays with key coordinates to digits
  crypto: ecdsa - Adjust tests on length of key parameters
  crypto: ecdsa - Extend res.x mod n calculation for NIST P521
  crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
  crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
  crypto: ecc - Add NIST P521 curve parameters
  crypto: ecdsa - Register NIST P521 and extend test suite
  x509: Add OID for NIST P521 and extend parser for it
  crypto: ecdh - Use properly formatted digits to check for valid key
  crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
    array
  crypto: Add nbits field to ecc_curve structure
  crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
    nbytes
  crypto: ecdh - Use functions to copy digits from and to byte array
  crypto: ecdh - Add support for NIST P521 and add test case

 crypto/asymmetric_keys/x509_cert_parser.c |   3 +
 crypto/ecc.c                              |  71 +++++--
 crypto/ecc_curve_defs.h                   |  45 +++++
 crypto/ecdh.c                             |  59 +++++-
 crypto/ecdsa.c                            |  48 ++++-
 crypto/testmgr.c                          |  14 ++
 crypto/testmgr.h                          | 225 ++++++++++++++++++++++
 include/crypto/ecc_curve.h                |   3 +
 include/crypto/ecdh.h                     |   1 +
 include/crypto/internal/ecc.h             |  61 +++++-
 include/linux/oid_registry.h              |   1 +
 11 files changed, 495 insertions(+), 36 deletions(-)

Comments

Stefan Berger Feb. 16, 2024, 7:03 p.m. UTC | #1
On 2/16/24 13:48, Elliott, Robert (Servers) wrote:
>> -----Original Message-----
>> From: Stefan Berger <stefanb@linux.ibm.com>
>> Sent: Thursday, February 15, 2024 5:14 PM
>> Subject: [PATCH v2 06/14] crypto: ecc - Add NIST P521 curve parameters
>>
>> Add the parameters for the NIST P521 curve and define a new curve ID
>> for it. Make the curve available in ecc_get_curve.
>>
> ...
>> diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h
> ...
>> +static struct ecc_curve nist_p521 = {
>> +	.name = "nist_521",
> 
> Are the name fields in the ecc_curve structures used anywhere or
> exposed to userspace?
> 
> It'd be nice if the strings for the nist_p192, nist_p256, and nist_p384
> structures and this new nist_p521 structure included "p" before
> the number, better matching all the code and the NIST FIPS 186-4 names:
>      .name = "nist_p192"
>      .name = "nist_p256"
>      .name = "nist_p384"
>      .name = "nist_p521"
> 
> 

This is what is exposed:

$ cat /proc/crypto | grep nist
name         : ecdh-nist-p384
driver       : ecdh-nist-p384-generic
name         : ecdh-nist-p256
driver       : ecdh-nist-p256-generic
name         : ecdh-nist-p192
driver       : ecdh-nist-p192-generic
name         : ecdsa-nist-p384
driver       : ecdsa-nist-p384-generic
name         : ecdsa-nist-p256
driver       : ecdsa-nist-p256-generic
name         : ecdsa-nist-p192
driver       : ecdsa-nist-p192-generic
Simo Sorce Feb. 16, 2024, 7:27 p.m. UTC | #2
On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
> This series of patches adds support for the NIST P521 curve to ecdsa and
> ecdh. Test cases for NIST P521 are added to both modules.
> 
> An issue with the current code in ecdsa and ecdh is that it assumes that
> input arrays providing key coordinates for example, are arrays of digits
> (a 'digit' is a 'u64'). This works well for all currently supported
> curves, such as NIST P192/256/384, but does not work for NIST P521 where
> coordinates are 8 digits + 2 bytes long. So some of the changes deal with
> converting byte arrays to digits and digits to byte arrays.
> 
> 
> Regards,
>    Stefan
> 
> v2:
>  - Reformulated some patch descriptions
>  - Fixed issue detected by krobot
>  - Some other small changes to the code
> 
> Stefan Berger (14):
>   crypto: ecdsa - Convert byte arrays with key coordinates to digits
>   crypto: ecdsa - Adjust tests on length of key parameters
>   crypto: ecdsa - Extend res.x mod n calculation for NIST P521
>   crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
>   crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
>   crypto: ecc - Add NIST P521 curve parameters
>   crypto: ecdsa - Register NIST P521 and extend test suite
>   x509: Add OID for NIST P521 and extend parser for it
>   crypto: ecdh - Use properly formatted digits to check for valid key
>   crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
>     array
>   crypto: Add nbits field to ecc_curve structure
>   crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
>     nbytes
>   crypto: ecdh - Use functions to copy digits from and to byte array
>   crypto: ecdh - Add support for NIST P521 and add test case
> 
>  crypto/asymmetric_keys/x509_cert_parser.c |   3 +
>  crypto/ecc.c                              |  71 +++++--
>  crypto/ecc_curve_defs.h                   |  45 +++++
>  crypto/ecdh.c                             |  59 +++++-
>  crypto/ecdsa.c                            |  48 ++++-
>  crypto/testmgr.c                          |  14 ++
>  crypto/testmgr.h                          | 225 ++++++++++++++++++++++
>  include/crypto/ecc_curve.h                |   3 +
>  include/crypto/ecdh.h                     |   1 +
>  include/crypto/internal/ecc.h             |  61 +++++-
>  include/linux/oid_registry.h              |   1 +
>  11 files changed, 495 insertions(+), 36 deletions(-)

Hi Stefan,
what kind of side-channel testing was performed on this code?
And what is the use case you are adding it for?

Thanks,
Simo.
Stefan Berger Feb. 16, 2024, 7:32 p.m. UTC | #3
On 2/16/24 14:27, Simo Sorce wrote:
> On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
>> This series of patches adds support for the NIST P521 curve to ecdsa and
>> ecdh. Test cases for NIST P521 are added to both modules.
>>
>> An issue with the current code in ecdsa and ecdh is that it assumes that
>> input arrays providing key coordinates for example, are arrays of digits
>> (a 'digit' is a 'u64'). This works well for all currently supported
>> curves, such as NIST P192/256/384, but does not work for NIST P521 where
>> coordinates are 8 digits + 2 bytes long. So some of the changes deal with
>> converting byte arrays to digits and digits to byte arrays.
>>
>>
>> Regards,
>>     Stefan
>>
>> v2:
>>   - Reformulated some patch descriptions
>>   - Fixed issue detected by krobot
>>   - Some other small changes to the code
>>
>> Stefan Berger (14):
>>    crypto: ecdsa - Convert byte arrays with key coordinates to digits
>>    crypto: ecdsa - Adjust tests on length of key parameters
>>    crypto: ecdsa - Extend res.x mod n calculation for NIST P521
>>    crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
>>    crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
>>    crypto: ecc - Add NIST P521 curve parameters
>>    crypto: ecdsa - Register NIST P521 and extend test suite
>>    x509: Add OID for NIST P521 and extend parser for it
>>    crypto: ecdh - Use properly formatted digits to check for valid key
>>    crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
>>      array
>>    crypto: Add nbits field to ecc_curve structure
>>    crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
>>      nbytes
>>    crypto: ecdh - Use functions to copy digits from and to byte array
>>    crypto: ecdh - Add support for NIST P521 and add test case
>>
>>   crypto/asymmetric_keys/x509_cert_parser.c |   3 +
>>   crypto/ecc.c                              |  71 +++++--
>>   crypto/ecc_curve_defs.h                   |  45 +++++
>>   crypto/ecdh.c                             |  59 +++++-
>>   crypto/ecdsa.c                            |  48 ++++-
>>   crypto/testmgr.c                          |  14 ++
>>   crypto/testmgr.h                          | 225 ++++++++++++++++++++++
>>   include/crypto/ecc_curve.h                |   3 +
>>   include/crypto/ecdh.h                     |   1 +
>>   include/crypto/internal/ecc.h             |  61 +++++-
>>   include/linux/oid_registry.h              |   1 +
>>   11 files changed, 495 insertions(+), 36 deletions(-)
> 
> Hi Stefan,
> what kind of side-channel testing was performed on this code?
> And what is the use case you are adding it for?

We're using public keys for signature verification. I am not aware that
public key usage is critical to side channels.

The use case for adding it is primarily driven by closing a gap to 
complete the support for the common ECDSA NIST curves.

     Stefan

> 
> Thanks,
> Simo.
>
Simo Sorce Feb. 16, 2024, 7:40 p.m. UTC | #4
On Fri, 2024-02-16 at 14:32 -0500, Stefan Berger wrote:
> 
> On 2/16/24 14:27, Simo Sorce wrote:
> > On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
> > > This series of patches adds support for the NIST P521 curve to ecdsa and
> > > ecdh. Test cases for NIST P521 are added to both modules.
> > > 
> > > An issue with the current code in ecdsa and ecdh is that it assumes that
> > > input arrays providing key coordinates for example, are arrays of digits
> > > (a 'digit' is a 'u64'). This works well for all currently supported
> > > curves, such as NIST P192/256/384, but does not work for NIST P521 where
> > > coordinates are 8 digits + 2 bytes long. So some of the changes deal with
> > > converting byte arrays to digits and digits to byte arrays.
> > > 
> > > 
> > > Regards,
> > >     Stefan
> > > 
> > > v2:
> > >   - Reformulated some patch descriptions
> > >   - Fixed issue detected by krobot
> > >   - Some other small changes to the code
> > > 
> > > Stefan Berger (14):
> > >    crypto: ecdsa - Convert byte arrays with key coordinates to digits
> > >    crypto: ecdsa - Adjust tests on length of key parameters
> > >    crypto: ecdsa - Extend res.x mod n calculation for NIST P521
> > >    crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
> > >    crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
> > >    crypto: ecc - Add NIST P521 curve parameters
> > >    crypto: ecdsa - Register NIST P521 and extend test suite
> > >    x509: Add OID for NIST P521 and extend parser for it
> > >    crypto: ecdh - Use properly formatted digits to check for valid key
> > >    crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
> > >      array
> > >    crypto: Add nbits field to ecc_curve structure
> > >    crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
> > >      nbytes
> > >    crypto: ecdh - Use functions to copy digits from and to byte array
> > >    crypto: ecdh - Add support for NIST P521 and add test case
> > > 
> > >   crypto/asymmetric_keys/x509_cert_parser.c |   3 +
> > >   crypto/ecc.c                              |  71 +++++--
> > >   crypto/ecc_curve_defs.h                   |  45 +++++
> > >   crypto/ecdh.c                             |  59 +++++-
> > >   crypto/ecdsa.c                            |  48 ++++-
> > >   crypto/testmgr.c                          |  14 ++
> > >   crypto/testmgr.h                          | 225 ++++++++++++++++++++++
> > >   include/crypto/ecc_curve.h                |   3 +
> > >   include/crypto/ecdh.h                     |   1 +
> > >   include/crypto/internal/ecc.h             |  61 +++++-
> > >   include/linux/oid_registry.h              |   1 +
> > >   11 files changed, 495 insertions(+), 36 deletions(-)
> > 
> > Hi Stefan,
> > what kind of side-channel testing was performed on this code?
> > And what is the use case you are adding it for?
> 
> We're using public keys for signature verification. I am not aware that
> public key usage is critical to side channels.
> 
> The use case for adding it is primarily driven by closing a gap to 
> complete the support for the common ECDSA NIST curves.

Is there an assumption the ECDH code uses exclusively ephemeral keys?

Simo.
Stefan Berger Feb. 19, 2024, 2:40 p.m. UTC | #5
On 2/16/24 14:40, Simo Sorce wrote:
> On Fri, 2024-02-16 at 14:32 -0500, Stefan Berger wrote:
>>
>> On 2/16/24 14:27, Simo Sorce wrote:
>>> On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
>>>> This series of patches adds support for the NIST P521 curve to ecdsa and
>>>> ecdh. Test cases for NIST P521 are added to both modules.
>>>>
>>>> An issue with the current code in ecdsa and ecdh is that it assumes that
>>>> input arrays providing key coordinates for example, are arrays of digits
>>>> (a 'digit' is a 'u64'). This works well for all currently supported
>>>> curves, such as NIST P192/256/384, but does not work for NIST P521 where
>>>> coordinates are 8 digits + 2 bytes long. So some of the changes deal with
>>>> converting byte arrays to digits and digits to byte arrays.
>>>>
>>>>
>>>> Regards,
>>>>      Stefan
>>>>
>>>> v2:
>>>>    - Reformulated some patch descriptions
>>>>    - Fixed issue detected by krobot
>>>>    - Some other small changes to the code
>>>>
>>>> Stefan Berger (14):
>>>>     crypto: ecdsa - Convert byte arrays with key coordinates to digits
>>>>     crypto: ecdsa - Adjust tests on length of key parameters
>>>>     crypto: ecdsa - Extend res.x mod n calculation for NIST P521
>>>>     crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
>>>>     crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
>>>>     crypto: ecc - Add NIST P521 curve parameters
>>>>     crypto: ecdsa - Register NIST P521 and extend test suite
>>>>     x509: Add OID for NIST P521 and extend parser for it
>>>>     crypto: ecdh - Use properly formatted digits to check for valid key
>>>>     crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
>>>>       array
>>>>     crypto: Add nbits field to ecc_curve structure
>>>>     crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
>>>>       nbytes
>>>>     crypto: ecdh - Use functions to copy digits from and to byte array
>>>>     crypto: ecdh - Add support for NIST P521 and add test case
>>>>
>>>>    crypto/asymmetric_keys/x509_cert_parser.c |   3 +
>>>>    crypto/ecc.c                              |  71 +++++--
>>>>    crypto/ecc_curve_defs.h                   |  45 +++++
>>>>    crypto/ecdh.c                             |  59 +++++-
>>>>    crypto/ecdsa.c                            |  48 ++++-
>>>>    crypto/testmgr.c                          |  14 ++
>>>>    crypto/testmgr.h                          | 225 ++++++++++++++++++++++
>>>>    include/crypto/ecc_curve.h                |   3 +
>>>>    include/crypto/ecdh.h                     |   1 +
>>>>    include/crypto/internal/ecc.h             |  61 +++++-
>>>>    include/linux/oid_registry.h              |   1 +
>>>>    11 files changed, 495 insertions(+), 36 deletions(-)
>>>
>>> Hi Stefan,
>>> what kind of side-channel testing was performed on this code?
>>> And what is the use case you are adding it for?
>>
>> We're using public keys for signature verification. I am not aware that
>> public key usage is critical to side channels.
>>
>> The use case for adding it is primarily driven by closing a gap to
>> complete the support for the common ECDSA NIST curves.
> 
> Is there an assumption the ECDH code uses exclusively ephemeral keys?
> 
It can use both, provided keys and ephemeral keys. I think at this point 
it's best to drop ecdh support from this series.

    Stefan

> Simo.
>