crypto: dh - implement FIPS PCT

kerneltoast · jallisonciq · commit 1dee5d1540c2 · 2025-09-22T10:59:06.000-07:00
feature FIPS enablement commit-author Vladis Dronov <vdronov@redhat.com> commit 6030c378bf503f83af9d46e58d43e164fa49eaa5 commit-source https://gitlab.com/cki-project/kernel-ark.git JIRA: https://issues.redhat.com/browse/RHEL-54183 Upstream Status: RHEL only Forwardport of 8d6b650 ("crypto: dh - implement FIPS PCT") from C9S. The below patch from Nicolai is not going to be accepted upstream. Add a panic on a failed test per FIPS certification requirement. From: Nicolai Stange <nstange@suse.de> Date: Tue, 30 Nov 2021 16:51:12 +0100 Subject: [PATCH] crypto: dh - implement FIPS PCT References: jsc#SLE-21132,bsc#1191256 Patch-mainline: Never, not upstreamable SP800-56Arev3, 5.6.2.1.4 ("Owner Assurance of Pair-wise Consistency") requires that a pair-wise consistency check needs to be conducted on a keypair. A pair-wise consistency test (PCT) is meant to ensure that a some provided public key is indeed associated with the given private one. As the kernel's DH implementation always computes the public key from the private one, this is guaranteed already as per the API. However, in the course of the certification process, there had been a lengthy discussion regarding this topic, with the result that a PCT is nonetheless mandatory. Simply implement a PCT for DH and move on. As mandated by SP800-56Arev3, 5.6.2.1.4, the PCT involves recomputing the public key and comparing it against the one under test. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Vladis Dronov <vdronov@redhat.com> (cherry picked from commit 6030c378bf503f83af9d46e58d43e164fa49eaa5) Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
diff --git a/crypto/dh.c b/crypto/dh.c
@@ -227,10 +227,35 @@ static int dh_compute_value(struct kpp_request *req)
 
 		/* SP800-56A rev 3 5.6.2.1.3 key check */
 		} else {
+			MPI val_pct;
+
 			if (dh_is_pubkey_valid(ctx, val)) {
 				ret = -EAGAIN;
 				goto err_free_val;
 			}
+
+			/*
+			 * SP800-56Arev3, 5.6.2.1.4: ("Owner Assurance
+			 * of Pair-wise Consistency"): recompute the
+			 * public key and check if the results match.
+			 */
+			val_pct = mpi_alloc(0);
+			if (!val_pct) {
+				ret = -ENOMEM;
+				goto err_free_val;
+			}
+
+			ret = _compute_val(ctx, base, val_pct);
+			if (ret) {
+				mpi_free(val_pct);
+				goto err_free_val;
+			}
+
+			if (mpi_cmp(val, val_pct) != 0) {
+				fips_fail_notify();
+				panic("dh: pair-wise consistency test failed\n");
+			}
+			mpi_free(val_pct);
 		}
 	}
 
