summaryrefslogtreecommitdiff
path: root/crypto
diff options
context:
space:
mode:
authorStephan Müller <smueller@chronox.de>2020-07-20 19:08:32 +0200
committerHerbert Xu <herbert@gondor.apana.org.au>2020-07-31 18:08:59 +1000
commit90fa9ae51c1f2fa932bfa0a4d19163d49f0c1c46 (patch)
treea1dd10ae32d75c383b00094163c8999fd79e002b /crypto
parent4278e9d99e38938a7611b927fa4d73e6c86cb4fc (diff)
crypto: dh - check validity of Z before export
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the calculated shared secret is verified before the data is returned to the caller. This patch adds the validation check. Signed-off-by: Stephan Mueller <smueller@chronox.de> Acked-by: Neil Horman <nhorman@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/dh.c29
1 files changed, 29 insertions, 0 deletions
diff --git a/crypto/dh.c b/crypto/dh.c
index 566f624a2de2..f84fd50ec79b 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -9,6 +9,7 @@
#include <crypto/internal/kpp.h>
#include <crypto/kpp.h>
#include <crypto/dh.h>
+#include <linux/fips.h>
#include <linux/mpi.h>
struct dh_ctx {
@@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
if (ret)
goto err_free_base;
+ /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
+ if (fips_enabled && req->src) {
+ MPI pone;
+
+ /* z <= 1 */
+ if (mpi_cmp_ui(val, 1) < 1) {
+ ret = -EBADMSG;
+ goto err_free_base;
+ }
+
+ /* z == p - 1 */
+ pone = mpi_alloc(0);
+
+ if (!pone) {
+ ret = -ENOMEM;
+ goto err_free_base;
+ }
+
+ ret = mpi_sub_ui(pone, ctx->p, 1);
+ if (!ret && !mpi_cmp(pone, val))
+ ret = -EBADMSG;
+
+ mpi_free(pone);
+
+ if (ret)
+ goto err_free_base;
+ }
+
ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
if (ret)
goto err_free_base;