[PATCH v3 00/15] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance
From: Nicolai Stange
Date: Wed Feb 02 2022 - 05:41:30 EST
Hi all,
first of all, to the people primarily interested in security/keys/, there's
a rather trivial change to security/keys/dh.c in patch 4/15. It would be
great to get ACKs for that...
This is a complete rework of the v2 patchset to be found at [1]. Most
notably, the ffdheXYZ groups are now made accessible by means of templates
wrapping the generic dh: ffdhe2048(dh) ffdhe3072(dh), etc, rather than by
that fixed enum dh_group_id as before. For your reference, this change has
been suggested at [2].
Plain "dh" usage will be disallowed in FIPS mode now, which will break
keyctl(KEYCTL_DH_COMPUTE) functionality in FIPS mode. As per the
discussion from [2], this is acceptable or perhaps even desirable.
The only motivation to include the RFC 3526 MODP groups in the previous v2
had been to keep keyctl(KEYCTL_DH_COMPUTE) somewhat workable in FIPS mode.
These groups have been dropped accordingly now and this patchset only
introduces support for the RFC 7919 FFDHE groups, which is what is needed
by NVM in-band authentication.
In order to be able to restrict plain "dh" usage in FIPS mode while
still allowing the usage of those new ffdheXYZ(dh) instantiations, I
incorporated a modified version of the patch posted by Herbert at
[3] ("crypto: api - Disallow sha1 in FIPS-mode while allowing hmac(sha1)")
into this series here as [12/15] ("crypto: api - allow algs only in
specific constructions in FIPS mode"). There had been two changes worth
mentioning:
- An attempt to make it more generic by having crypto_grab_spawn()
to include FIPS_INTERNAL in the lookup and also, to let
crypto_register_instance() to propagate this flag from the
child spawns into the instance to be registered.
- To skip the actual self-test executions for !->fips_allowed algorithms,
just as before. The rationale for this can be found in the discussion to
[3].
With these changes, all breakage is to blame on me and thus, I assumed
authorship of this patch. I reflected the fact that this is heavily based
on Herbert's work by means of an Originally-by tag and sincerely hope this
is an appropriate way of recording the patch's history.
This series has been tested on x86_64 and s390x (big endian) with FIPS mode
both enabled and disabled each.
Thanks!
Nicolai
[1] https://lore.kernel.org/r/20211209090358.28231-1-nstange@xxxxxxx
[2] https://lore.kernel.org/r/20211217055227.GA20698@xxxxxxxxxxxxxxxxxxx
[3] https://lore.kernel.org/r/Yd0gInht+V+Kcsw2@xxxxxxxxxxxxxxxxxxx
Nicolai Stange (15):
crypto: kpp - provide support for KPP template instances
crypto: kpp - provide support for KPP spawns
crypto: dh - remove struct dh's ->q member
crypto: dh - constify struct dh's pointer members
crypto: dh - split out deserialization code from crypto_dh_decode()
crypto: dh - introduce common code for built-in safe-prime group
support
crypto: dh - implement ffdheXYZ(dh) templates
crypto: testmgr - add known answer tests for ffdheXYZ(dh) templates
crypto: dh - implement private key generation primitive for
ffdheXYZ(dh)
crypto: testmgr - add keygen tests for ffdheXYZ(dh) templates
crypto: dh - allow for passing NULL to the ffdheXYZ(dh)s'
->set_secret()
crypto: api - allow algs only in specific constructions in FIPS mode
crypto: dh - disallow plain "dh" usage in FIPS mode
lib/mpi: export mpi_rshift
crypto: dh - calculate Q from P for the full public key verification
crypto/Kconfig | 8 +
crypto/algapi.c | 18 +-
crypto/api.c | 19 +-
crypto/dh.c | 687 +++++++++++++++-
crypto/dh_helper.c | 44 +-
crypto/kpp.c | 29 +
crypto/tcrypt.c | 4 +-
crypto/testmgr.c | 61 +-
crypto/testmgr.h | 1445 ++++++++++++++++++++++++++++++++-
include/crypto/dh.h | 26 +-
include/crypto/internal/kpp.h | 158 ++++
include/linux/crypto.h | 9 +
lib/mpi/mpi-bit.c | 1 +
security/keys/dh.c | 2 +-
14 files changed, 2443 insertions(+), 68 deletions(-)
--
2.26.2