| Message ID | 20220202104012.4193-1-nstange@suse.de (mailing list archive) |
|---|---|
| Headers | show |
| Series | crypto: dh - infrastructure for NVM in-band auth and FIPS conformance | expand |
Am Mittwoch, 2. Februar 2022, 11:39:57 CET schrieb Nicolai Stange: Hi Nicolai, > Hi all, > > first of all, to the people primarily interested in security/keys/, there's > a rather trivial change to security/keys/dh.c in patch 4/15. It would be > great to get ACKs for that... > > This is a complete rework of the v2 patchset to be found at [1]. Most > notably, the ffdheXYZ groups are now made accessible by means of templates > wrapping the generic dh: ffdhe2048(dh) ffdhe3072(dh), etc, rather than by > that fixed enum dh_group_id as before. For your reference, this change has > been suggested at [2]. > > Plain "dh" usage will be disallowed in FIPS mode now, which will break > keyctl(KEYCTL_DH_COMPUTE) functionality in FIPS mode. As per the > discussion from [2], this is acceptable or perhaps even desirable. > > The only motivation to include the RFC 3526 MODP groups in the previous v2 > had been to keep keyctl(KEYCTL_DH_COMPUTE) somewhat workable in FIPS mode. > These groups have been dropped accordingly now and this patchset only > introduces support for the RFC 7919 FFDHE groups, which is what is needed > by NVM in-band authentication. > > In order to be able to restrict plain "dh" usage in FIPS mode while > still allowing the usage of those new ffdheXYZ(dh) instantiations, I > incorporated a modified version of the patch posted by Herbert at > [3] ("crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)") > into this series here as [12/15] ("crypto: api - allow algs only in > specific constructions in FIPS mode"). There had been two changes worth > mentioning: > - An attempt to make it more generic by having crypto_grab_spawn() > to include FIPS_INTERNAL in the lookup and also, to let > crypto_register_instance() to propagate this flag from the > child spawns into the instance to be registered. > - To skip the actual self-test executions for !->fips_allowed algorithms, > just as before. The rationale for this can be found in the discussion to > [3]. > With these changes, all breakage is to blame on me and thus, I assumed > authorship of this patch. I reflected the fact that this is heavily based > on Herbert's work by means of an Originally-by tag and sincerely hope this > is an appropriate way of recording the patch's history. > > This series has been tested on x86_64 and s390x (big endian) with FIPS mode > both enabled and disabled each. Using the NIST ACVP reference implementation, shared secret computation and key generation was successfully tested. Tested-by: Stephan Mueller <smueller@chronox.de> Ciao Stephan
Hi all, first of all, to the people primarily interested in security/keys/, there's a rather trivial change to security/keys/dh.c in patch 4/15. It would be great to get ACKs for that... This is a complete rework of the v2 patchset to be found at [1]. Most notably, the ffdheXYZ groups are now made accessible by means of templates wrapping the generic dh: ffdhe2048(dh) ffdhe3072(dh), etc, rather than by that fixed enum dh_group_id as before. For your reference, this change has been suggested at [2]. Plain "dh" usage will be disallowed in FIPS mode now, which will break keyctl(KEYCTL_DH_COMPUTE) functionality in FIPS mode. As per the discussion from [2], this is acceptable or perhaps even desirable. The only motivation to include the RFC 3526 MODP groups in the previous v2 had been to keep keyctl(KEYCTL_DH_COMPUTE) somewhat workable in FIPS mode. These groups have been dropped accordingly now and this patchset only introduces support for the RFC 7919 FFDHE groups, which is what is needed by NVM in-band authentication. In order to be able to restrict plain "dh" usage in FIPS mode while still allowing the usage of those new ffdheXYZ(dh) instantiations, I incorporated a modified version of the patch posted by Herbert at [3] ("crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)") into this series here as [12/15] ("crypto: api - allow algs only in specific constructions in FIPS mode"). There had been two changes worth mentioning: - An attempt to make it more generic by having crypto_grab_spawn() to include FIPS_INTERNAL in the lookup and also, to let crypto_register_instance() to propagate this flag from the child spawns into the instance to be registered. - To skip the actual self-test executions for !->fips_allowed algorithms, just as before. The rationale for this can be found in the discussion to [3]. With these changes, all breakage is to blame on me and thus, I assumed authorship of this patch. I reflected the fact that this is heavily based on Herbert's work by means of an Originally-by tag and sincerely hope this is an appropriate way of recording the patch's history. This series has been tested on x86_64 and s390x (big endian) with FIPS mode both enabled and disabled each. Thanks! Nicolai [1] https://lore.kernel.org/r/20211209090358.28231-1-nstange@suse.de [2] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.au [3] https://lore.kernel.org/r/Yd0gInht+V+Kcsw2@gondor.apana.org.au Nicolai Stange (15): crypto: kpp - provide support for KPP template instances crypto: kpp - provide support for KPP spawns crypto: dh - remove struct dh's ->q member crypto: dh - constify struct dh's pointer members crypto: dh - split out deserialization code from crypto_dh_decode() crypto: dh - introduce common code for built-in safe-prime group support crypto: dh - implement ffdheXYZ(dh) templates crypto: testmgr - add known answer tests for ffdheXYZ(dh) templates crypto: dh - implement private key generation primitive for ffdheXYZ(dh) crypto: testmgr - add keygen tests for ffdheXYZ(dh) templates crypto: dh - allow for passing NULL to the ffdheXYZ(dh)s' ->set_secret() crypto: api - allow algs only in specific constructions in FIPS mode crypto: dh - disallow plain "dh" usage in FIPS mode lib/mpi: export mpi_rshift crypto: dh - calculate Q from P for the full public key verification crypto/Kconfig | 8 + crypto/algapi.c | 18 +- crypto/api.c | 19 +- crypto/dh.c | 687 +++++++++++++++- crypto/dh_helper.c | 44 +- crypto/kpp.c | 29 + crypto/tcrypt.c | 4 +- crypto/testmgr.c | 61 +- crypto/testmgr.h | 1445 ++++++++++++++++++++++++++++++++- include/crypto/dh.h | 26 +- include/crypto/internal/kpp.h | 158 ++++ include/linux/crypto.h | 9 + lib/mpi/mpi-bit.c | 1 + security/keys/dh.c | 2 +- 14 files changed, 2443 insertions(+), 68 deletions(-)