
[v2,3/5] crypto: DH - check validity of Z before export

Message ID 2134009.irdbgypaU6@positron.chronox.de (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu
Series DH: SP800-56A rev 3 compliant validation checks | expand

Commit Message

Stephan Mueller July 12, 2020, 4:40 p.m. UTC
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/dh.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

Comments

Marcelo Henrique Cerri July 15, 2020, 1:17 p.m. UTC | #1
Reviewed-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Tested-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

On Sun, Jul 12, 2020 at 06:40:20PM +0200, Stephan Müller wrote:
> SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
> calculated shared secret is verified before the data is returned to the
> caller. This patch adds the validation check.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/dh.c | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/crypto/dh.c b/crypto/dh.c
> index 566f624a2de2..f84fd50ec79b 100644
> --- a/crypto/dh.c
> +++ b/crypto/dh.c
> @@ -9,6 +9,7 @@
>  #include <crypto/internal/kpp.h>
>  #include <crypto/kpp.h>
>  #include <crypto/dh.h>
> +#include <linux/fips.h>
>  #include <linux/mpi.h>
>  
>  struct dh_ctx {
> @@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
>  	if (ret)
>  		goto err_free_base;
>  
> +	/* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
> +	if (fips_enabled && req->src) {
> +		MPI pone;
> +
> +		/* z <= 1 */
> +		if (mpi_cmp_ui(val, 1) < 1) {
> +			ret = -EBADMSG;
> +			goto err_free_base;
> +		}
> +
> +		/* z == p - 1 */
> +		pone = mpi_alloc(0);
> +
> +		if (!pone) {
> +			ret = -ENOMEM;
> +			goto err_free_base;
> +		}
> +
> +		ret = mpi_sub_ui(pone, ctx->p, 1);
> +		if (!ret && !mpi_cmp(pone, val))
> +			ret = -EBADMSG;
> +
> +		mpi_free(pone);
> +
> +		if (ret)
> +			goto err_free_base;
> +	}
> +
>  	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
>  	if (ret)
>  		goto err_free_base;
> -- 
> 2.26.2
> 
> 
> 
>

Patch

diff --git a/crypto/dh.c b/crypto/dh.c
index 566f624a2de2..f84fd50ec79b 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -9,6 +9,7 @@ 
 #include <crypto/internal/kpp.h>
 #include <crypto/kpp.h>
 #include <crypto/dh.h>
+#include <linux/fips.h>
 #include <linux/mpi.h>
 
 struct dh_ctx {
@@ -179,6 +180,34 @@  static int dh_compute_value(struct kpp_request *req)
 	if (ret)
 		goto err_free_base;
 
+	/* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
+	if (fips_enabled && req->src) {
+		MPI pone;
+
+		/* z <= 1 */
+		if (mpi_cmp_ui(val, 1) < 1) {
+			ret = -EBADMSG;
+			goto err_free_base;
+		}
+
+		/* z == p - 1 */
+		pone = mpi_alloc(0);
+
+		if (!pone) {
+			ret = -ENOMEM;
+			goto err_free_base;
+		}
+
+		ret = mpi_sub_ui(pone, ctx->p, 1);
+		if (!ret && !mpi_cmp(pone, val))
+			ret = -EBADMSG;
+
+		mpi_free(pone);
+
+		if (ret)
+			goto err_free_base;
+	}
+
 	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
 	if (ret)
 		goto err_free_base;
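Review bot: The shared-secret validation added to dh_compute_value runs only when `fips_enabled` is set, so on a non-FIPS kernel a result of 0, 1 or p - 1 still reaches `mpi_write_to_sgl()` and is exported to the caller. Those values are guessable by anyone observing the exchange and typically indicate a degenerate peer public value, which is not specific to FIPS mode. Consider gating on `if (req->src) {` alone, or, if the `fips_enabled` gate is kept for compatibility, say so in the block comment. The short comments would read better as rejections with a reason, e.g. `/* reject z <= 1: trivially guessable secret */` and `/* reject z == p - 1: element of order 2 */`. The function begins and ends outside this hunk, so how `val` is released on the `err_free_base` path cannot be checked from here; the same code is quoted in comment #1.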