Hello,
While debugging an SELinux test that happens to use keyctl(2) with
KEYCTL_DH_COMPUTE, I noticed that mpi_read_raw_data() (used in
crypto/dh.c to import big numbers from byte strings) accepts any
number of leading zero bytes and discards them. This has a bad
implication for dh_set_params(), as it passes the original prime byte
string size to dh_check_params_length(), which means that it is
possible to get it to accept a prime of any size, simply by
left-padding it with zero bytes to the minimum accepted size.
I ran into this because the test was accidentally passing the prime
byte string with an extra zero byte at the beginning (an artifact from
the output of `openssl dhparam -text -2 2048`) and while this ran fine
when the generic "dh" implementation was used, it was failing on
machines where the intel_qat driver was used, which doesn't have this
validation bug.
For me the fix is simply to drop the extra zero byte from the test's
input, but I wanted to report this, so that someone with more vested
interest in the crypto subsystem can fix the prime length validation
issue as well.
Cheers,
Ondrej