On 12/9/21 10:03 AM, Nicolai Stange wrote:
> SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity")
> asserts that an implementation needs to verify domain paramtere validity,
> which boils down to either
> - the domain parameters corresponding to some known safe-prime group
> explicitly listed to be approved in the document or
> - for parameters conforming to a "FIPS 186-type parameter-size set",
> that the implementation needs to perform an explicit domain parameter
> verification, which would require access to the "seed" and "counter"
> values used in their generation.
>
> The latter is not easily feasible and moreover, SP800-56Arev3 states that
> safe-prime groups are preferred and that FIPS 186-type parameter sets
> should only be supported for backward compatibility, if it all.
>
> Make the dh implementations reject any domain parameters which don't
> correspond to any of the approved safe-prime groups in FIPS mode. The
> approved safe-prime groups are the ones specified in RFC 7919 and RFC 3526,
> and given that all possible values of enum dh_group_id correspond to
> either groups from these RFCs or to DH_GROUP_ID_UNKNOWN, it suffices to
> make crypto_dh_decode_key() to reject any parameter set where
> ->group_id == DH_GROUP_ID_UNKNOWN.
>
> As this change will effectively render the dh implementation unusable in
> FIPS mode if neither of the CRYPTO_DH_GROUPS_RFC7919 or
> CRYPTO_DH_GROUPS_RFC3526 Kconfig options enabled, make CRYPTO_DH imply
> these two if CRYPTO_FIPS is set.
>
> Signed-off-by: Nicolai Stange <nstange@xxxxxxx>
> ---
> crypto/Kconfig | 2 ++
> crypto/dh_helper.c | 4 ++++
> 2 files changed, 6 insertions(+)
>
Reviewed-by: Hannes Reinecke <hare@xxxxxxx>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@xxxxxxx +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer
