Skip to content

Commit 5950e1e

Browse files
AkendoAkendo
authored
Merge pull request #260 from gardenlinux/feature/FIPS-PCT-for-ECDH
Feature/fips pct for ecdh
2 parents e5dba57 + 71bc133 commit 5950e1e

2 files changed

Lines changed: 68 additions & 0 deletions

File tree

upstream_patches/0003-implement-FIPS-PCT-for-ECDH.patch

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
diff -urN b/crypto/ecdh.c a/crypto/ecdh.c
2+
--- b/crypto/ecdh.c 2026-02-27 14:37:11
3+
+++ a/crypto/ecdh.c 2026-03-02 14:19:40
4+
@@ -4,7 +4,7 @@
5+
* Copyright (c) 2016, Intel Corporation
6+
* Authors: Salvator Benedetto <[email protected]>
7+
*/
8+
-
9+
+#include <linux/fips.h>
10+
#include <linux/module.h>
11+
#include <crypto/internal/ecc.h>
12+
#include <crypto/internal/kpp.h>
13+
@@ -57,6 +57,7 @@
14+
struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
15+
struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
16+
u64 *public_key;
17+
+ u64 *val_pct = NULL;
18+
u64 *shared_secret = NULL;
19+
void *buf;
20+
size_t copied, nbytes, public_key_sz;
21+
@@ -104,6 +105,33 @@
22+
if (ret < 0)
23+
goto free_all;
24+
25+
+ if (fips_enabled) {
26+
+ if (!req->src) {
27+
+ /*
28+
+ * SP800-56Arev3, 5.6.2.1.4: ("Owner Assurance
29+
+ * of Pair-wise Consistency"): recompute the
30+
+ * public key and check if the results match.
31+
+ */
32+
+ val_pct = kmalloc(public_key_sz, GFP_KERNEL);
33+
+ if (!val_pct) {
34+
+ ret = -ENOMEM;
35+
+ goto free_all;
36+
+ }
37+
+
38+
+ ret = ecc_make_pub_key(ctx->curve_id, ctx->ndigits,
39+
+ ctx->private_key, val_pct);
40+
+
41+
+ if (ret < 0) {
42+
+ goto free_all;
43+
+ }
44+
+
45+
+ if (crypto_memneq(public_key, val_pct, public_key_sz)) {
46+
+ fips_fail_notify();
47+
+ panic("ecdh: pair-wise consistency test failed\n");
48+
+ }
49+
+ }
50+
+ }
51+
+
52+
/* might want less than we've got */
53+
nbytes = min_t(size_t, nbytes, req->dst_len);
54+
copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
55+
@@ -115,9 +143,10 @@
56+
/* fall through */
57+
free_all:
58+
kfree_sensitive(shared_secret);
59+
+ kfree(val_pct);
60+
free_pubkey:
61+
kfree(public_key);
62+
- return ret;
63+
+ return ret;
64+
}
65+
66+
static unsigned int ecdh_max_size(struct crypto_kpp *tfm)
67+

upstream_patches/series

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
11
0001-disable-sha1-for-fips.patch
22
0002-implement-FIPS-PCT-for-DH.patch
3+
0003-implement-FIPS-PCT-for-ECDH.patch
34
0004-flag-instantiations-as-FIPS_compliant.patch

0 commit comments

Comments
 (0)