On Wed, Oct 14, 2020 at 9:37 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> The KEYCTL_DH_COMPUTE key payloads are interpreted as MPI-formatted
> numbers. Even though the generic DH algorithm implementation doesn't
> look at the actual values when setting the parameters (and probably only
> validates them later when doing the actual operation), this isn't
> necessarily true for other implementations. Specifically, the Intel QAT
> driver checks if the prime size is one of 1536, 2048, 3072, or 4096
> bits, causing the KEYCTL_DH_COMPUTE operation to fail with -EINVAL.
>
> While it is questionable if the QAT implementation should reject unusual
> prime sizes (it should use a fallback to generic instead), let's just
> make sure we pass valid numbers to avoid similar validation errors.
>
> I verified on a machine with an Intel QAT device that this patch makes
> the testsuite pass there.
>
> Fixes: 2d7aad8a1f8c ("selinux-testsuite: Add keys tests")
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

I have now applied this patch:
https://github.com/SELinuxProject/selinux-testsuite/commit/19b43c07d87278023b8637eba1be83eb73f22606

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.