Commit 90fa9ae5 authored by Stephan Müller's avatar Stephan Müller Committed by Herbert Xu

crypto: dh - check validity of Z before export



SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.

Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Acked-by: default avatarNeil Horman <nhorman@redhat.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 4278e9d9
+29 −0
@@ -9,6 +9,7 @@
#include <crypto/internal/kpp.h>
#include <crypto/kpp.h>
#include <crypto/dh.h>
#include <linux/fips.h>
#include <linux/mpi.h>

struct dh_ctx {
@@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
	if (ret)
		goto err_free_base;

	/* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
	if (fips_enabled && req->src) {
		MPI pone;

		/* z <= 1 */
		if (mpi_cmp_ui(val, 1) < 1) {
			ret = -EBADMSG;
			goto err_free_base;
		}

		/* z == p - 1 */
		pone = mpi_alloc(0);

		if (!pone) {
			ret = -ENOMEM;
			goto err_free_base;
		}

		ret = mpi_sub_ui(pone, ctx->p, 1);
		if (!ret && !mpi_cmp(pone, val))
			ret = -EBADMSG;

		mpi_free(pone);

		if (ret)
			goto err_free_base;
	}

	ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
	if (ret)
		goto err_free_base;
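Review bot: The shared-secret validation is gated on `fips_enabled`, so on a non-FIPS system a degenerate z (0, 1 or p - 1) still reaches `mpi_write_to_sgl()` and is returned to the caller. The check costs one allocation, a subtraction and two comparisons, so it could run whenever a peer value was supplied, `if (req->src) {`; if limiting it to FIPS mode is deliberate, a comment giving the reason would help. The block comment should also say what `req->src` signifies, for example `/* only when a peer public value was supplied, i.e. val is the shared secret */`. That reading of `req->src` is inferred, because the start of dh_compute_value() and the err_free_base label lie outside the hunk.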