summaryrefslogtreecommitdiffstats
path: root/crypto/ecc.c
diff options
context:
space:
mode:
authorStephan Müller <smueller@chronox.de>2020-07-20 19:07:48 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2020-07-31 10:08:58 +0200
commite7d2b41e5c773c1e00f0f30519b9790ba7e4a58c (patch)
treeccf050a858e5391e96a11fc5c25c7d4d29a0d7c0 /crypto/ecc.c
parentcrypto: x86 - Put back integer parts of include/asm/inst.h (diff)
downloadlinux-e7d2b41e5c773c1e00f0f30519b9790ba7e4a58c.tar.xz
linux-e7d2b41e5c773c1e00f0f30519b9790ba7e4a58c.zip
crypto: ecdh - check validity of Z before export
SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. Thus, the export function and the validity check functions are reversed. In addition, the sensitive variables of priv and rand_z are zeroized. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reviewed-by: Vitaly Chikunov <vt@altlinux.org> Acked-by: Neil Horman <nhorman@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/ecc.c')
-rw-r--r--crypto/ecc.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/crypto/ecc.c b/crypto/ecc.c
index 86c324936a2b..c8b259e59704 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1495,11 +1495,16 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
ecc_point_mult(product, pk, priv, rand_z, curve, ndigits);
- ecc_swap_digits(product->x, secret, ndigits);
-
- if (ecc_point_is_zero(product))
+ if (ecc_point_is_zero(product)) {
ret = -EFAULT;
+ goto err_validity;
+ }
+
+ ecc_swap_digits(product->x, secret, ndigits);
+err_validity:
+ memzero_explicit(priv, sizeof(priv));
+ memzero_explicit(rand_z, sizeof(rand_z));
ecc_free_point(product);
err_alloc_product:
ecc_free_point(pk);