]> www.infradead.org Git - users/hch/dma-mapping.git/commitdiff
crypto: dh - check validity of Z before export
authorStephan Müller <smueller@chronox.de>
Mon, 20 Jul 2020 17:08:32 +0000 (19:08 +0200)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 31 Jul 2020 08:08:59 +0000 (18:08 +1000)
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/dh.c

index 566f624a2de2c45ea4672e1eda22174c65c2af23..f84fd50ec79b49ac570413c627c35d9f0f9bd664 100644 (file)
@@ -9,6 +9,7 @@
 #include <crypto/internal/kpp.h>
 #include <crypto/kpp.h>
 #include <crypto/dh.h>
+#include <linux/fips.h>
 #include <linux/mpi.h>
 
 struct dh_ctx {
@@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
        if (ret)
                goto err_free_base;
 
+       /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
+       if (fips_enabled && req->src) {
+               MPI pone;
+
+               /* z <= 1 */
+               if (mpi_cmp_ui(val, 1) < 1) {
+                       ret = -EBADMSG;
+                       goto err_free_base;
+               }
+
+               /* z == p - 1 */
+               pone = mpi_alloc(0);
+
+               if (!pone) {
+                       ret = -ENOMEM;
+                       goto err_free_base;
+               }
+
+               ret = mpi_sub_ui(pone, ctx->p, 1);
+               if (!ret && !mpi_cmp(pone, val))
+                       ret = -EBADMSG;
+
+               mpi_free(pone);
+
+               if (ret)
+                       goto err_free_base;
+       }
+
        ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
        if (ret)
                goto err_free_base;