Date: Mon, 21 Feb 2022 15:19:49 +0100
From: Hannes Reinecke <hare@...e.de>
To: Nicolai Stange <nstange@...e.de>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>
Cc: Stephan Müller <smueller@...onox.de>, Torsten Duwe <duwe@...e.de>, David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, keyrings@...r.kernel.org
Subject: Re: [PATCH v4 13/15] crypto: dh - disallow plain "dh" usage in FIPS mode

On 2/21/22 13:10, Nicolai Stange wrote:
> SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity")
> asserts that an implementation needs to verify domain parameter validity,
> which boils down to either
> - the domain parameters corresponding to some known safe-prime group
>   explicitly listed to be approved in the document or
> - for parameters conforming to a "FIPS 186-type parameter-size set",
>   that the implementation needs to perform an explicit domain parameter
>   verification, which would require access to the "seed" and "counter"
>   values used in their generation.
>
> The latter is not easily feasible and moreover, SP800-56Arev3 states that
> safe-prime groups are preferred and that FIPS 186-type parameter sets
> should only be supported for backward compatibility, if at all.
>
> Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime
> ffdheXYZ(dh) wrappers are not affected by this change: as these enforce
> some approved safe-prime group each, their usage is still allowed in FIPS
> mode.
>
> This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall
> unusable in FIPS mode, but it has been brought up that this might even be
> a good thing ([1]).
>
> [1] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.au
>
> Signed-off-by: Nicolai Stange <nstange@...e.de>
> ---
>  crypto/testmgr.c | 1 -
>  1 file changed, 1 deletion(-)
>
Reviewed-by: Hannes Reinecke <hare@...e.de>

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
hare@...e.de                              +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer