| Message ID | 20211201004858.19831-1-nstange@suse.de |
|---|---|
| Headers | show |
| Series | crypto: dh - infrastructure for NVM in-band auth and FIPS conformance | expand |
On 12/1/21 1:48 AM, Nicolai Stange wrote: > SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity") > asserts that an implementation needs to verify domain paramtere validity, > which boils down to either > - the domain parameters corresponding to some known safe-prime group > explicitly listed to be approved in the document or > - for parameters conforming to a "FIPS 186-type parameter-size set", > that the implementation needs to perform an explicit domain parameter > verification, which would require access to the "seed" and "counter" > values used in their generation. > > The latter is not easily feasible and moreover, SP800-56Arev3 states that > safe-prime groups are preferred and that FIPS 186-type parameter sets > should only be supported for backward compatibility, if it all. > > Make the dh implementations reject any domain parameters which don't > correspond to any of the approved safe-prime groups in FIPS mode. The > approved safe-prime groups are the ones specified in RFC 7919 and RFC 3526, > and given that all possible values of enum dh_group_id correspond to > either groups from these RFCs or to dh_group_id_unknown, it suffices to > make crypto_dh_decode_key() to reject any parameter set where > ->group_id == dh_group_id_unknown. > > As this change will effectively render the dh implementation unusable in > FIPS mode if neither of the CRYPTO_DH_GROUPS_RFC7919 or > CRYPTO_DH_GROUPS_RFC3526 Kconfig options enabled, make CRYPTO_DH imply > these two if CRYPTO_FIPS is set. > > Signed-off-by: Nicolai Stange <nstange@suse.de> > --- > crypto/Kconfig | 2 ++ > crypto/dh_helper.c | 4 ++++ > 2 files changed, 6 insertions(+) > > diff --git a/crypto/Kconfig b/crypto/Kconfig > index 578711b02bb3..571f2271ad2e 100644 > --- a/crypto/Kconfig > +++ b/crypto/Kconfig > @@ -229,6 +229,8 @@ menuconfig CRYPTO_DH > select CRYPTO_KPP > select MPILIB > select CRYPTO_RNG_DEFAULT > + imply CRYPTO_DH_GROUPS_RFC7919 if CRYPTO_FIPS > + imply CRYPTO_DH_GROUPS_RFC3526 if CRYPTO_FIPS > help > Generic implementation of the Diffie-Hellman algorithm. > > diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c > index cf632beca65e..f30674df0d76 100644 > --- a/crypto/dh_helper.c > +++ b/crypto/dh_helper.c > @@ -7,6 +7,7 @@ > #include <linux/export.h> > #include <linux/err.h> > #include <linux/string.h> > +#include <linux/fips.h> > #include <crypto/dh.h> > #include <crypto/kpp.h> > #include <crypto/rng.h> > @@ -622,6 +623,9 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params) > params->g_size > params->p_size) > return -EINVAL; > > + /* Only safe-prime groups are allowed in FIPS mode. */ > + if (fips_enabled && params->group_id == dh_group_id_unknown) > + return -EINVAL; > > return 0; > } > That was cheap. Maybe merge it with the previous patch? Cheers, Hannes
Hi all, first of all, to the people primarily interested in security/keys/, there's a rather trivial change to security/keys/dh.c in patch 2/18. It would be great to get ACKs for that... Hannes' recent work on NVME in-band authentication ([1]) needs access to the RFC 7919 DH group parameters and also some means to generate ephemeral keys. He currently implements both as part of his patchset (patches 3/12 and 8/12). After some internal discussion, we decided to split off the bits needed from crypto/dh into a separate series, i.e. this one here: - for the RFC 7919 DH group parameters, it's undesirable from a performance POV to serialize the well-known domain parameters via crypto_dh_encode_key() just to deserialize them shortly after again, - from an architectural POV, it would be preferrable to have the key generation code in crypto/dh.c rather than in drivers/nvme/, just in analogy to how key generation is supported by crypto/ecdh.c already. Patches 1-13/18 implement all that is needed for the NVME in-band authentication support. Unfortunately, due to the lack of HW, I have not been able to test the changes to the QAT or HPRE drivers (other than mere compile tests). Yet I figured it would be a good idea to have them behave consistently with dh_generic, and so I chose to introduce support for privkey generation to these as well. By coincidence, NIST SP800-56Arev3 compliance effectively requires that the domain parameters are checked against an approved set, which happens to consists of those safe-prime group parameters specified in RFC 7919, among others. Thus, introducing the RFC 7919 parameters to the kernel allows for making the DH implementation to conform to SP800-56Arev3 with only little effort. I used the opportunity to work crypto/dh towards SP800-56Arev3 conformance with the rest of this patch series, i.e. patches 14-18/18. I can split these into another series on its own, if you like. But as they depend on the earlier patches 1-13/18, I sent them alongside for now. This patchset has been tested with and without fips_enabled on x86_64, ppc64le and s390x, the latter being a big endian machine, which is relevant for the new test vectors. Thanks, Nicolai [1] https://lkml.kernel.org/r/20211123123801.73197-1-hare@suse.de Nicolai Stange (18): crypto: dh - remove struct dh's ->q member crypto: dh - constify struct dh's pointer members crypto: dh - optimize domain parameter serialization for well-known groups crypto: dh - introduce RFC 7919 safe-prime groups crypto: testmgr - add DH RFC 7919 ffdhe2048 test vector crypto: dh - introduce RFC 3526 safe-prime groups crypto: testmgr - add DH RFC 3526 modp2048 test vector crypto: testmgr - run only subset of DH vectors based on config crypto: dh - implement private key generation primitive crypto: dh - introduce support for ephemeral key generation to dh-generic crypto: dh - introduce support for ephemeral key generation to hpre driver crypto: dh - introduce support for ephemeral key generation to qat driver crypto: testmgr - add DH test vectors for key generation lib/mpi: export mpi_rshift crypto: dh - store group id in dh-generic's dh_ctx crypto: dh - calculate Q from P for the full public key verification crypto: dh - try to match domain parameters to a known safe-prime group crypto: dh - accept only approved safe-prime groups in FIPS mode crypto/Kconfig | 20 +- crypto/dh.c | 73 +- crypto/dh_helper.c | 691 +++++++++++++++++- crypto/testmgr.h | 342 ++++++++- drivers/crypto/hisilicon/hpre/hpre_crypto.c | 11 + drivers/crypto/qat/qat_common/qat_asym_algs.c | 9 + include/crypto/dh.h | 52 +- lib/mpi/mpi-bit.c | 1 + security/keys/dh.c | 2 +- 9 files changed, 1141 insertions(+), 60 deletions(-)