From 6e55f87c2c9de433be73a0a8ed3afb391edb0604 Mon Sep 17 00:00:00 2001
From: Nicolai Stange <nstange@suse.de>
Date: Tue, 30 Nov 2021 16:51:12 +0100
Subject: [PATCH] crypto: dh - implement FIPS PCT
References: jsc#SLE-21132,bsc#1191256,bsc#1207184
Patch-mainline: Never, not upstreamable

SP800-56Arev3, 5.6.2.1.4 ("Owner Assurance of Pair-wise Consistency")
requires that a pair-wise consistency check needs to be conducted on a
keypair. A pair-wise consistency test (PCT) is meant to ensure that a
some provided public key is indeed associated with the given private one.
As the kernel's DH implementation always computes the public key from the
private one, this is guaranteed already as per the API. However, in the
course of the certification process, there had been a lengthy discussion
regarding this topic, with the result that a PCT is nonetheless mandatory.
Simply implement a PCT for DH and move on. As mandated by SP800-56Arev3,
5.6.2.1.4, the PCT involves recomputing the public key and comparing it
against the one under test.

Signed-off-by: Nicolai Stange <nstange@suse.de>
---
 crypto/dh.c |   25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -245,10 +245,35 @@ static int dh_compute_value(struct kpp_r
 
 		/* SP800-56A rev 3 5.6.2.1.3 key check */
 		} else {
+			MPI val_pct;
+
 			if (dh_is_pubkey_valid(ctx, val)) {
 				ret = -EAGAIN;
 				goto err_free_val;
 			}
+
+			/*
+			 * SP800-56Arev3, 5.6.2.1.4: ("Owner Assurance
+			 * of Pair-wise Consistency"): recompute the
+			 * public key and check if the results match.
+			 */
+			val_pct = mpi_alloc(0);
+			if (!val_pct) {
+				ret = -ENOMEM;
+				goto err_free_val;
+			}
+
+			ret = _compute_val(ctx, base, val_pct);
+			if (ret) {
+				mpi_free(val_pct);
+				goto err_free_val;
+			}
+
+			if (mpi_cmp(val, val_pct) != 0) {
+				mpi_free(val_pct);
+				panic("DH PCT failed in FIPS mode");
+			}
+			mpi_free(val_pct);
 		}
 	}