mirror of https://github.com/wolfSSL/wolfssl.git
linuxkm/lkcapi_dh_glue.c: never install DH/FFDHE on kernel <5.18 -- DH secrets have a different format before that version, and FFDHE (CONFIG_CRYPTO_DH_RFC7919_GROUPS) was introduced in 5.18 and is the only FIPS-allowed DH variant.
parent
49d9bfa160
commit
f0f4084f94
|
@ -56,6 +56,7 @@ CONFIG_CRYPTO_AES
|
|||
CONFIG_CRYPTO_CBC
|
||||
CONFIG_CRYPTO_CTR
|
||||
CONFIG_CRYPTO_DH
|
||||
CONFIG_CRYPTO_DH_RFC7919_GROUPS
|
||||
CONFIG_CRYPTO_ECB
|
||||
CONFIG_CRYPTO_ECDH
|
||||
CONFIG_CRYPTO_ECDSA
|
||||
|
|
|
@ -56,10 +56,24 @@
|
|||
#undef LINUXKM_LKCAPI_REGISTER_DH
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)
|
||||
/* Support for FFDHE was added in kernel 5.18, and generic DH support
|
||||
* pre-5.18 used a different binary format for the secret (an additional
|
||||
* slot for q).
|
||||
*
|
||||
* LTS backports of FFDHE go as far back as 4.14.236, using the pre-5.18
|
||||
* binary layout, but other backports, e.g. RHEL 9.5 on kernel
|
||||
* 5.14.0-503.40.1, have the 5.18+ layout. Best to disable on all pre-5.18
|
||||
* and triage as/if necessary.
|
||||
*/
|
||||
#undef LINUXKM_LKCAPI_REGISTER_DH
|
||||
#endif
|
||||
|
||||
#if defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && \
|
||||
defined(CONFIG_CRYPTO_DH) && \
|
||||
(defined(CONFIG_CRYPTO_DH) || defined(CONFIG_CRYPTO_DH_RFC7919_GROUPS)) && \
|
||||
!defined(LINUXKM_LKCAPI_REGISTER_DH)
|
||||
#error Config conflict: target kernel has CONFIG_CRYPTO_DH, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
|
||||
#error Config conflict: target kernel has CONFIG_CRYPTO_DH and/or \
|
||||
_DH_RFC7919_GROUPS, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
|
||||
#endif
|
||||
|
||||
#if defined(LINUXKM_LKCAPI_REGISTER_DH)
|
||||
|
|
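Review bot: On a pre-5.18 kernel the new `#undef LINUXKM_LKCAPI_REGISTER_DH` runs before the `LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG` conflict check just below it, so a target with `CONFIG_CRYPTO_DH` set appears to hit the `#error` with a message that blames a missing `LINUXKM_LKCAPI_REGISTER_DH` rather than the kernel version. Failing the build is a reasonable fail-closed outcome, because otherwise the kernel's native DH would stay registered unnoticed in a build that asked for full coverage, but the diagnostic should name the real cause. Consider a dedicated check inside the version block, e.g. `#if defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && defined(CONFIG_CRYPTO_DH)` followed by `#error DH/FFDHE registration is disabled on kernels before 5.18 (incompatible DH secret layout).` and `#endif`. The condition guarding the first `#undef` starts above the visible hunk, so confirm this case is not already handled there.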