On 2/21/22 13:10, Nicolai Stange wrote:
> SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity")
> asserts that an implementation needs to verify domain paramtere validity,
> which boils down to either
> - the domain parameters corresponding to some known safe-prime group
> explicitly listed to be approved in the document or
> - for parameters conforming to a "FIPS 186-type parameter-size set",
> that the implementation needs to perform an explicit domain parameter
> verification, which would require access to the "seed" and "counter"
> values used in their generation.
>
> The latter is not easily feasible and moreover, SP800-56Arev3 states that
> safe-prime groups are preferred and that FIPS 186-type parameter sets
> should only be supported for backward compatibility, if it all.
>
> Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime
> ffdheXYZ(dh) wrappers are not affected by this change: as these enforce
> some approved safe-prime group each, their usage is still allowed in FIPS
> mode.
>
> This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall
> unusable in FIPS mode, but it has been brought up that this might even be
> a good thing ([1]).
>
> [1] https://lore.kernel.org/r/[email protected]
>
> Signed-off-by: Nicolai Stange <[email protected]>
> ---
> crypto/testmgr.c | 1 -
> 1 file changed, 1 deletion(-)
>
Reviewed-by: Hannes Reinecke <[email protected]>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
[email protected] +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer