Message-ID: <aabe44df-0b6c-8550-0138-b08f90ef9233@suse.de>
Date:   Fri, 10 Dec 2021 12:38:31 +0100
From:   Hannes Reinecke <hare@...e.de>
To:     Nicolai Stange <nstange@...e.de>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Stephan Müller <smueller@...onox.de>,
        Torsten Duwe <duwe@...e.de>, Zaibo Xu <xuzaibo@...wei.com>,
        Giovanni Cabiddu <giovanni.cabiddu@...el.com>,
        David Howells <dhowells@...hat.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        qat-linux@...el.com, keyrings@...r.kernel.org
Subject: Re: [PATCH v2 00/18] crypto: dh - infrastructure for NVM in-band auth
 and FIPS conformance

On 12/9/21 10:03 AM, Nicolai Stange wrote:
> Hi all,
> 
> first of all, to the people primarily interested in security/keys/, there's
> a rather trivial change to security/keys/dh.c in patch 2/18. It would be
> great to get ACKs for that...
> 
> This is v2, v1 can be found at
> 
>   https://lore.kernel.org/r/20211201004858.19831-1-nstange@suse.de
> 
> For a list of changes, see below.
> 
> Quote from v1's cover letter:
> ===
> Hannes' recent work on NVME in-band authentication ([1]) needs access to
> the RFC 7919 DH group parameters and also some means to generate ephemeral
> keys. He currently implements both as part of his patchset (patches 3/12
> and 8/12). After some internal discussion, we decided to split off the bits
> needed from crypto/dh into a separate series, i.e. this one here:
>  - for the RFC 7919 DH group parameters, it's undesirable from a
>    performance POV to serialize the well-known domain parameters via
>    crypto_dh_encode_key() just to deserialize them shortly after again,
>  - from an architectural POV, it would be preferable to have the key
>    generation code in crypto/dh.c rather than in drivers/nvme/,
>    just in analogy to how key generation is supported by crypto/ecdh.c
>    already.
> 
> Patches 1-13/18 implement all that is needed for the NVME in-band
> authentication support. 
> 
> Unfortunately, due to the lack of HW, I have not been able to test
> the changes to the QAT or HPRE drivers (other than mere compile tests).
> Yet I figured it would be a good idea to have them behave consistently with
> dh_generic, and so I chose to introduce support for privkey generation to
> these as well.
> 
> 
> By coincidence, NIST SP800-56Arev3 compliance effectively requires that
> the domain parameters are checked against an approved set, which happens
> to consist of those safe-prime group parameters specified in RFC 7919,
> among others. Thus, introducing the RFC 7919 parameters to the kernel
> allows for making the DH implementation conform to SP800-56Arev3 with
> only little effort. I used the opportunity to work crypto/dh towards
> SP800-56Arev3 conformance with the rest of this patch series, i.e.
> patches 14-18/18. I can split these into another series on its own, if you
> like. But as they depend on the earlier patches 1-13/18, I sent them
> alongside for now.
> ===
> 
> This patchset has been tested with and without fips_enabled on x86_64,
> ppc64le and s390x, the latter being big endian.
> 
> 
> Changes v1 -> v2:
> - Throughout the patchset:
>   - Upcase enum group_id members and strip superfluous _RFCXYZ_ parts from
>     the names.
>   - Carry Hannes' Reviewed-bys from v1 over for those patches which
>     have not changed (except for that group_id member renaming)
> - [03/18] ("crypto: dh - optimize domain parameter serialization for
>             well-known groups"):
>   - For better portability, don't serialize/deserialize directly from/to
>     an enum group_id, but use an intermediate int for that.
> - [05/18] ("crypto: testmgr - add DH RFC 7919 ffdhe2048 test vector")
>   - Use ffdhe3072 TVs rather than ones for ffdhe2048. Requested by Hannes,
>     because "the NVMe spec mandates for its TLS profile the ffdhe3072
>     group".
> - [13/18] ("crypto: testmgr - add DH test vectors for key generation")
>   - Use ffdhe3072 in place of ffdhe2048 here as well.
>   - Rather than introducing completely new keypairs, reuse the ones
>     from the known answer test introduced previously in this patchset.
> 
> Thanks,
> 
> Nicolai
> 
> [1] https://lkml.kernel.org/r/20211123123801.73197-1-hare@suse.de
> 
> 
> Nicolai Stange (18):
>   crypto: dh - remove struct dh's ->q member
>   crypto: dh - constify struct dh's pointer members
>   crypto: dh - optimize domain parameter serialization for well-known
>     groups
>   crypto: dh - introduce RFC 7919 safe-prime groups
>   crypto: testmgr - add DH RFC 7919 ffdhe3072 test vector
>   crypto: dh - introduce RFC 3526 safe-prime groups
>   crypto: testmgr - add DH RFC 3526 modp2048 test vector
>   crypto: testmgr - run only subset of DH vectors based on config
>   crypto: dh - implement private key generation primitive
>   crypto: dh - introduce support for ephemeral key generation to
>     dh-generic
>   crypto: dh - introduce support for ephemeral key generation to hpre
>     driver
>   crypto: dh - introduce support for ephemeral key generation to qat
>     driver
>   crypto: testmgr - add DH test vectors for key generation
>   lib/mpi: export mpi_rshift
>   crypto: dh - store group id in dh-generic's dh_ctx
>   crypto: dh - calculate Q from P for the full public key verification
>   crypto: dh - try to match domain parameters to a known safe-prime
>     group
>   crypto: dh - accept only approved safe-prime groups in FIPS mode
> 
>  crypto/Kconfig                                |  20 +-
>  crypto/dh.c                                   |  73 +-
>  crypto/dh_helper.c                            | 691 +++++++++++++++++-
>  crypto/testmgr.h                              | 388 +++++++++-
>  drivers/crypto/hisilicon/hpre/hpre_crypto.c   |  11 +
>  drivers/crypto/qat/qat_common/qat_asym_algs.c |   9 +
>  include/crypto/dh.h                           |  52 +-
>  lib/mpi/mpi-bit.c                             |   1 +
>  security/keys/dh.c                            |   2 +-
>  9 files changed, 1189 insertions(+), 58 deletions(-)
> 
I have run this implementation against my NVMe In-band authentication
test suite and have found no issues.

Tested-by: Hannes Reinecke <hare@...e.de>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@...e.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer
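Added illustration, not code from the patch series or the kernel: the checks the cover letter describes for FIPS mode (match the domain parameters against a table of approved safe-prime groups, derive q = (p-1)/2 from p, and run full public-key validation on the peer value before computing a shared secret), written in Python rather than the kernel's C so that arbitrary-precision arithmetic is at hand. The groups in the table are constructed toy safe primes standing in for the RFC 7919 ffdhe groups; the function names are assumptions.

```python
import secrets

# Constructed toy safe-prime groups (p = 2q + 1 with q prime, p = 7 mod 8 so
# that g = 2 generates the order-q subgroup, as for the RFC 7919 groups).
# Stand-ins for the ffdhe2048/3072/... table; real code uses the RFC primes.
KNOWN_GROUPS = {"toy23": (23, 2), "toy47": (47, 2), "toy167": (167, 2)}


def match_known_group(p, g):
    """Return the name of the approved group with parameters (p, g), or None.
    This is the 'match domain parameters to a known safe-prime group' step."""
    for name, (kp, kg) in KNOWN_GROUPS.items():
        if kp == p and kg == g:
            return name
    return None


def q_from_p(p):
    """For a safe prime p = 2q + 1 the subgroup order q is (p - 1) / 2."""
    return (p - 1) // 2


def validate_public_key(p, g, y, fips_enabled=True):
    """SP800-56Ar3-style full public-key validation for a safe-prime group:
    in FIPS mode the parameters must be an approved group, the peer value
    must lie in [2, p-2], and y^q mod p must equal 1 (order-q subgroup)."""
    if fips_enabled and match_known_group(p, g) is None:
        return False
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q_from_p(p), p) == 1


def generate_keypair(p, g):
    """Ephemeral keypair: private key x in [1, q-1], public key g^x mod p."""
    x = 1 + secrets.randbelow(q_from_p(p) - 1)
    return x, pow(g, x, p)


def shared_secret(p, g, peer_y, x, fips_enabled=True):
    """Derive peer_y^x mod p, refusing peer keys that fail validation."""
    if not validate_public_key(p, g, peer_y, fips_enabled):
        raise ValueError("peer public key failed full validation")
    return pow(peer_y, x, p)


if __name__ == "__main__":
    p, g = KNOWN_GROUPS["toy167"]
    xa, ya = generate_keypair(p, g)
    xb, yb = generate_keypair(p, g)
    assert shared_secret(p, g, yb, xa) == shared_secret(p, g, ya, xb)
```

Note that y = 5 mod 23 is rejected even though it is in range: it generates the full group of order 22 rather than the order-q subgroup, which is exactly what the y^q check catches.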
