Hannes Reinecke <hare@xxxxxxx> writes:
> On 12/1/21 1:48 AM, Nicolai Stange wrote:
>> SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity")
>> asserts that an implementation needs to verify domain paramtere validity,
>> which boils down to either
>> - the domain parameters corresponding to some known safe-prime group
>> explicitly listed to be approved in the document or
>> - for parameters conforming to a "FIPS 186-type parameter-size set",
>> that the implementation needs to perform an explicit domain parameter
>> verification, which would require access to the "seed" and "counter"
>> values used in their generation.
>>
>> The latter is not easily feasible and moreover, SP800-56Arev3 states that
>> safe-prime groups are preferred and that FIPS 186-type parameter sets
>> should only be supported for backward compatibility, if it all.
>>
>> Make the dh implementations reject any domain parameters which don't
>> correspond to any of the approved safe-prime groups in FIPS mode. The
>> approved safe-prime groups are the ones specified in RFC 7919 and RFC 3526,
>> and given that all possible values of enum dh_group_id correspond to
>> either groups from these RFCs or to dh_group_id_unknown, it suffices to
>> make crypto_dh_decode_key() to reject any parameter set where
>> ->group_id == dh_group_id_unknown.
>>
>> As this change will effectively render the dh implementation unusable in
>> FIPS mode if neither of the CRYPTO_DH_GROUPS_RFC7919 or
>> CRYPTO_DH_GROUPS_RFC3526 Kconfig options enabled, make CRYPTO_DH imply
>> these two if CRYPTO_FIPS is set.
>>
>> Signed-off-by: Nicolai Stange <nstange@xxxxxxx>
>> ---
>> crypto/Kconfig | 2 ++
>> crypto/dh_helper.c | 4 ++++
>> 2 files changed, 6 insertions(+)
>>
>> diff --git a/crypto/Kconfig b/crypto/Kconfig
>> index 578711b02bb3..571f2271ad2e 100644
>> --- a/crypto/Kconfig
>> +++ b/crypto/Kconfig
>> @@ -229,6 +229,8 @@ menuconfig CRYPTO_DH
>> select CRYPTO_KPP
>> select MPILIB
>> select CRYPTO_RNG_DEFAULT
>> + imply CRYPTO_DH_GROUPS_RFC7919 if CRYPTO_FIPS
>> + imply CRYPTO_DH_GROUPS_RFC3526 if CRYPTO_FIPS
>> help
>> Generic implementation of the Diffie-Hellman algorithm.
>> diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c
>> index cf632beca65e..f30674df0d76 100644
>> --- a/crypto/dh_helper.c
>> +++ b/crypto/dh_helper.c
>> @@ -7,6 +7,7 @@
>> #include <linux/export.h>
>> #include <linux/err.h>
>> #include <linux/string.h>
>> +#include <linux/fips.h>
>> #include <crypto/dh.h>
>> #include <crypto/kpp.h>
>> #include <crypto/rng.h>
>> @@ -622,6 +623,9 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params)
>> params->g_size > params->p_size)
>> return -EINVAL;
>> + /* Only safe-prime groups are allowed in FIPS mode. */
>> + if (fips_enabled && params->group_id == dh_group_id_unknown)
>> + return -EINVAL;
>> return 0;
>> }
>>
> That was cheap.
> Maybe merge it with the previous patch?
FWIW, I kept this separate in v2: the code change is trivial for sure,
but as this is FIPS related, the premise might be controversial and I
don't want to hide it in a larger patch.
Thanks,
Nicolai
--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Ivo Totev
