lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 21 Feb 2022 15:13:46 +0100
From:   Hannes Reinecke <hare@...e.de>
To:     Nicolai Stange <nstange@...e.de>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Stephan Müller <smueller@...onox.de>,
        Torsten Duwe <duwe@...e.de>,
        David Howells <dhowells@...hat.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        keyrings@...r.kernel.org
Subject: Re: [PATCH v4 05/15] crypto: dh - split out deserialization code from
 crypto_dh_decode()

On 2/21/22 13:10, Nicolai Stange wrote:
> A subsequent commit will introduce "dh" wrapping templates of the form
> "ffdhe2048(dh)", "ffdhe3072(dh)" and so on in order to provide built-in
> support for the well-known safe-prime ffdhe group parameters specified in
> RFC 7919.
> 
> Those templates' ->set_secret() will wrap the inner "dh" implementation's
> ->set_secret() and set the ->p and ->g group parameters as appropriate on
> the way inwards. More specifically,
> - A ffdheXYZ(dh) user would call crypto_dh_encode() on a struct dh instance
>    having ->p == ->g == NULL as well as ->p_size == ->g_size == 0 and pass
>    the resulting buffer to the outer ->set_secret().
> - This outer ->set_secret() would then decode the struct dh via
>    crypto_dh_decode_key(), set ->p, ->g, ->p_size as well as ->g_size as
>    appropriate for the group in question and encode the struct dh again
>    before passing it further down to the inner "dh"'s ->set_secret().
> 
> The problem is that crypto_dh_decode_key() implements some basic checks
> which would reject parameter sets with ->p_size == 0 and thus, the ffdheXYZ
> templates' ->set_secret() cannot use it as-is for decoding the passed
> buffer. As the inner "dh"'s ->set_secret() will eventually conduct said
> checks on the final parameter set anyway, the outer ->set_secret() really
> only needs the decoding functionality.
> 
> Split out the pure struct dh decoding part from crypto_dh_decode_key() into
> the new __crypto_dh_decode_key().
> 
> __crypto_dh_decode_key() gets defined in crypto/dh_helper.c, but will have
> to get called from crypto/dh.c and thus, its declaration must be somehow
> made available to the latter. Strictly speaking, __crypto_dh_decode_key()
> is internal to the dh_generic module, yet it would be a bit over the top
> to introduce a new header like e.g. include/crypto/internal/dh.h
> containing just a single prototype. Add the __crypto_dh_decode_key()
> declaration to include/crypto/dh.h instead.
> 
> Provide a proper kernel-doc annotation, even though
> __crypto_dh_decode_key() is purposedly not on the function list specified
> in Documentation/crypto/api-kpp.rst.
> 
> Signed-off-by: Nicolai Stange <nstange@...e.de>
> ---
>   crypto/dh_helper.c  | 27 +++++++++++++++++++--------
>   include/crypto/dh.h | 16 ++++++++++++++++
>   2 files changed, 35 insertions(+), 8 deletions(-)
> 
Reviewed-by: Hannes Reinecke <hare@...e.de>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@...e.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ