| Message ID | 20220221121101.1615-14-nstange@suse.de (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | crypto: dh - infrastructure for NVM in-band auth and FIPS conformance | expand |
On 2/21/22 13:10, Nicolai Stange wrote: > SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity") > asserts that an implementation needs to verify domain paramtere validity, > which boils down to either > - the domain parameters corresponding to some known safe-prime group > explicitly listed to be approved in the document or > - for parameters conforming to a "FIPS 186-type parameter-size set", > that the implementation needs to perform an explicit domain parameter > verification, which would require access to the "seed" and "counter" > values used in their generation. > > The latter is not easily feasible and moreover, SP800-56Arev3 states that > safe-prime groups are preferred and that FIPS 186-type parameter sets > should only be supported for backward compatibility, if it all. > > Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime > ffdheXYZ(dh) wrappers are not affected by this change: as these enforce > some approved safe-prime group each, their usage is still allowed in FIPS > mode. > > This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall > unusable in FIPS mode, but it has been brought up that this might even be > a good thing ([1]). > > [1] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.au > > Signed-off-by: Nicolai Stange <nstange@suse.de> > --- > crypto/testmgr.c | 1 - > 1 file changed, 1 deletion(-) > Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes
diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 5fabd7bbfba5..2d632a285869 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4650,7 +4650,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "dh", .test = alg_test_kpp, - .fips_allowed = 1, .suite = { .kpp = __VECS(dh_tv_template) }
SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity") asserts that an implementation needs to verify domain paramtere validity, which boils down to either - the domain parameters corresponding to some known safe-prime group explicitly listed to be approved in the document or - for parameters conforming to a "FIPS 186-type parameter-size set", that the implementation needs to perform an explicit domain parameter verification, which would require access to the "seed" and "counter" values used in their generation. The latter is not easily feasible and moreover, SP800-56Arev3 states that safe-prime groups are preferred and that FIPS 186-type parameter sets should only be supported for backward compatibility, if it all. Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime ffdheXYZ(dh) wrappers are not affected by this change: as these enforce some approved safe-prime group each, their usage is still allowed in FIPS mode. This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall unusable in FIPS mode, but it has been brought up that this might even be a good thing ([1]). [1] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.au Signed-off-by: Nicolai Stange <nstange@suse.de> --- crypto/testmgr.c | 1 - 1 file changed, 1 deletion(-)