diff options
author | Stephan Müller <smueller@chronox.de> | 2020-07-20 19:08:32 +0200 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2020-07-31 10:08:59 +0200 |
commit | 90fa9ae51c1f2fa932bfa0a4d19163d49f0c1c46 (patch) | |
tree | a1dd10ae32d75c383b00094163c8999fd79e002b /crypto | |
parent | lib/mpi: Add mpi_sub_ui() (diff) | |
download | linux-90fa9ae51c1f2fa932bfa0a4d19163d49f0c1c46.tar.xz linux-90fa9ae51c1f2fa932bfa0a4d19163d49f0c1c46.zip |
crypto: dh - check validity of Z before export
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/dh.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/crypto/dh.c b/crypto/dh.c index 566f624a2de2..f84fd50ec79b 100644 --- a/crypto/dh.c +++ b/crypto/dh.c @@ -9,6 +9,7 @@ #include <crypto/internal/kpp.h> #include <crypto/kpp.h> #include <crypto/dh.h> +#include <linux/fips.h> #include <linux/mpi.h> struct dh_ctx { @@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req) if (ret) goto err_free_base; + /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */ + if (fips_enabled && req->src) { + MPI pone; + + /* z <= 1 */ + if (mpi_cmp_ui(val, 1) < 1) { + ret = -EBADMSG; + goto err_free_base; + } + + /* z == p - 1 */ + pone = mpi_alloc(0); + + if (!pone) { + ret = -ENOMEM; + goto err_free_base; + } + + ret = mpi_sub_ui(pone, ctx->p, 1); + if (!ret && !mpi_cmp(pone, val)) + ret = -EBADMSG; + + mpi_free(pone); + + if (ret) + goto err_free_base; + } + ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign); if (ret) goto err_free_base; |