crypto: dh - check validity of Z before export

SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/dh.c b/crypto/dh.c
index 566f624..f84fd50 100644 (file)
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -9,6 +9,7 @@
 #include <crypto/internal/kpp.h>
 #include <crypto/kpp.h>
 #include <crypto/dh.h>
+#include <linux/fips.h>
 #include <linux/mpi.h>
 
 struct dh_ctx {
@@ -179,6 +180,34 @@ static int dh_compute_value(struct kpp_request *req)
        if (ret)
                goto err_free_base;
 
+       /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
+       if (fips_enabled && req->src) {
+               MPI pone;
+
+               /* z <= 1 */
+               if (mpi_cmp_ui(val, 1) < 1) {
+                       ret = -EBADMSG;
+                       goto err_free_base;
+               }
+
+               /* z == p - 1 */
+               pone = mpi_alloc(0);
+
+               if (!pone) {
+                       ret = -ENOMEM;
+                       goto err_free_base;
+               }
+
+               ret = mpi_sub_ui(pone, ctx->p, 1);
+               if (!ret && !mpi_cmp(pone, val))
+                       ret = -EBADMSG;
+
+               mpi_free(pone);
+
+               if (ret)
+                       goto err_free_base;
+       }
+
        ret = mpi_write_to_sgl(val, req->dst, req->dst_len, &sign);
        if (ret)
                goto err_free_base;