On 12/9/21 10:03 AM, Nicolai Stange wrote:
> With the previous patches, the testmgr now has up to four test vectors for
> DH which all test more or less the same thing:
> - the two vectors from before this series,
> - the vector for the ffdhe3072 group, enabled if
>   CONFIG_CRYPTO_DH_GROUPS_RFC7919 is set and
> - the vector for the modp2048 group, similarly enabled if
>   CONFIG_CRYPTO_DH_GROUPS_RFC3526 is set.
>
> In order to avoid too much redundancy during DH testing, enable only a
> subset of these depending on the kernel config:
> - if CONFIG_CRYPTO_DH_GROUPS_RFC7919 is set, enable only the ffdhe3072
>   vector,
> - otherwise, if CONFIG_CRYPTO_DH_GROUPS_RFC3526 is set, enable only
>   the modp2048 vector and
> - only enable the original two vectors if neither of these options
>   has been selected.
>
> Note that an upcoming patch will make the DH implementation reject any
> domain parameters not corresponding to some safe-prime group approved by
> SP800-56Arev3 in FIPS mode. Thus, having CONFIG_FIPS enabled, but
> both of CONFIG_CRYPTO_DH_GROUPS_RFC7919 and
> CONFIG_CRYPTO_DH_GROUPS_RFC3526 unset wouldn't make much sense as it would
> render the DH implementation unusable in FIPS mode. Conversely, any
> reasonable configuration would ensure that the original, non-conforming
> test vectors would not get to run in FIPS mode.
>
> Signed-off-by: Nicolai Stange <nstange@xxxxxxx>
> ---
>  crypto/testmgr.h | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
Reviewed-by: Hannes Reinecke <hare@xxxxxxx>

Cheers,

Hannes
--
Dr. Hannes Reinecke, Kernel Storage Architect
hare@xxxxxxx, +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer