lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZpfuqeSVC47jqme2@wunner.de>
Date: Wed, 17 Jul 2024 18:17:45 +0200
From: Lukas Wunner <lukas@...ner.de>
To: Stefan Berger <stefanb@...ux.ibm.com>
Cc: keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
	davem@...emloft.net, herbert@...dor.apana.org.au,
	dhowells@...hat.com, zohar@...ux.ibm.com, jarkko@...nel.org,
	linux-integrity@...r.kernel.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
	patrick@...terwijk.org
Subject: Re: [PATCH v12 02/10] crypto: Add support for ECDSA signature
 verification

Hi Stefan,

On Tue, Mar 16, 2021 at 05:07:32PM -0400, Stefan Berger wrote:
> +/*
> + * Get the r and s components of a signature from the X509 certificate.
> + */
> +static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag,
> +				  const void *value, size_t vlen, unsigned int ndigits)
> +{
> +	size_t keylen = ndigits * sizeof(u64);
> +	ssize_t diff = vlen - keylen;
> +	const char *d = value;
> +	u8 rs[ECC_MAX_BYTES];
> +
> +	if (!value || !vlen)
> +		return -EINVAL;
> +
> +	/* diff = 0: 'value' has exacly the right size
> +	 * diff > 0: 'value' has too many bytes; one leading zero is allowed that
> +	 *           makes the value a positive integer; error on more
> +	 * diff < 0: 'value' is missing leading zeros, which we add
> +	 */
> +	if (diff > 0) {
> +		/* skip over leading zeros that make 'value' a positive int */
> +		if (*d == 0) {
> +			vlen -= 1;
> +			diff--;
> +			d++;
> +		}
> +		if (diff)
> +			return -EINVAL;
> +	}
> +	if (-diff >= keylen)
> +		return -EINVAL;

I'm in the process of creating a crypto_template for decoding an x962
signature as requested by Herbert:

https://lore.kernel.org/all/ZoHXyGwRzVvYkcTP@gondor.apana.org.au/

I intend to move the above code to the template and to do so I'm
trying to understand what it's doing.

There's an oddity in the above-quoted function.  The check ...

+	if (-diff >= keylen)
+		return -EINVAL;

... seems superfluous. diff is assigned the following value at the
top of the function:

+	ssize_t diff = vlen - keylen;

This means that:  -diff == keylen - vlen.

Now, if vlen is zero, -diff would equal keylen and then the
"-diff >= keylen" check would be true.  However at the top of
the function, there's already a !vlen check.  No need to check
the same thing again!

Next, I'm asking myself if -diff can ever be greater than keylen.
I don't think it can.  For that to be true, vlen would have to be
negative.  But vlen is of unsigned type size_t!

I just wanted to double-check with you whether ...

+	if (-diff >= keylen)
+		return -EINVAL;

... is indeed superfluous as I suspect or whether I'm missing
something.  I'm guessing that the check might be some kind of
safety net to avoid an out-of-bounds access in the memset()
and memcpy() calls that follow further down in the function,
in case sig->curve->g.ndigits was neglected to be set by the
programmer.  But there doesn't seem to be any real need for
the check, so I'm leaning towards not carrying it over to the
x962 template.

The check was already present in v1 of your ecdsa patch set:

https://lore.kernel.org/all/20210126170359.363969-2-stefanb@linux.vnet.ibm.com/

Thanks,

Lukas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ