Re: [PATCH v3 3/5] crypto: DH - check validity of Z before export

[Neil Horman]

On Mon, Jul 20, 2020 at 07:08:32PM +0200, Stephan Müller wrote:
> SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
> calculated shared secret is verified before the data is returned to the
> caller. This patch adds the validation check.
> 
> Signed-off-by: Stephan Mueller <smuel...@chronox.de>
> ---
>  crypto/dh.c | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/crypto/dh.c b/crypto/dh.c
> index 566f624a2de2..f84fd50ec79b 100644
> --- a/crypto/dh.c
> +++ b/crypto/dh.c
> @@ -9,6 +9,7 @@
>  #include <crypto/internal/kpp.h>
>  #include <crypto/kpp.h>
>  #include <crypto/dh.h>
> +#include <linux/fips.h>
>  #include <linux/mpi.h>
>  
>  struct dh_ctx {
> @@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
>       if (ret)
>               goto err_free_base;
>  
> +     /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
> +     if (fips_enabled && req->src) {
> +             MPI pone;
> +
> +             /* z <= 1 */
> +             if (mpi_cmp_ui(val, 1) < 1) {
> +                     ret = -EBADMSG;
> +                     goto err_free_base;
> +             }
> +
> +             /* z == p - 1 */
> +             pone = mpi_alloc(0);
> +
> +             if (!pone) {
> +                     ret = -ENOMEM;
> +                     goto err_free_base;
> +             }
> +
> +             ret = mpi_sub_ui(pone, ctx->p, 1);
> +             if (!ret && !mpi_cmp(pone, val))
> +                     ret = -EBADMSG;
> +
> +             mpi_free(pone);
> +
> +             if (ret)
> +                     goto err_free_base;
> +     }
> +
>       ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
>       if (ret)
>               goto err_free_base;
> -- 
> 2.26.2
> 
> 
> 
> 
Acked-by: Neil Horman <nhor...@redhat.com>