linuxkm/lkcapi_dh_glue.c: never install DH/FFDHE on kernel <5.18 -- DH secrets have a different format before that version, and FFDHE (CONFIG_CRYPTO_DH_RFC7919_GROUPS) was introduced in 5.18 and is the only FIPS-allowed DH variant.

pull/8773/head
Daniel Pouzzner 2025-05-14 15:37:12 -05:00
parent 49d9bfa160
commit f0f4084f94
2 changed files with 17 additions and 2 deletions


@ -56,6 +56,7 @@ CONFIG_CRYPTO_AES
CONFIG_CRYPTO_CBC
CONFIG_CRYPTO_CTR
CONFIG_CRYPTO_DH
CONFIG_CRYPTO_DH_RFC7919_GROUPS
CONFIG_CRYPTO_ECB
CONFIG_CRYPTO_ECDH
CONFIG_CRYPTO_ECDSA


@ -56,10 +56,24 @@
#undef LINUXKM_LKCAPI_REGISTER_DH
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)
/* Support for FFDHE was added in kernel 5.18, and generic DH support
* pre-5.18 used a different binary format for the secret (an additional
* slot for q).
*
* LTS backports of FFDHE go as far back as 4.14.236, using the pre-5.18
* binary layout, but other backports, e.g. RHEL 9.5 on kernel
* 5.14.0-503.40.1, have the 5.18+ layout. Best to disable on all pre-5.18
* and triage as/if necessary.
*/
#undef LINUXKM_LKCAPI_REGISTER_DH
#endif
#if defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && \
defined(CONFIG_CRYPTO_DH) && \
(defined(CONFIG_CRYPTO_DH) || defined(CONFIG_CRYPTO_DH_RFC7919_GROUPS)) && \
!defined(LINUXKM_LKCAPI_REGISTER_DH)
#error Config conflict: target kernel has CONFIG_CRYPTO_DH, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
#error Config conflict: target kernel has CONFIG_CRYPTO_DH and/or \
_DH_RFC7919_GROUPS, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
#endif
#if defined(LINUXKM_LKCAPI_REGISTER_DH)
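Review bot: With LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG set, the new version gate does not skip DH on pre-5.18 kernels but turns the build into a hard failure: the added `#undef LINUXKM_LKCAPI_REGISTER_DH` under `LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)` leaves CONFIG_CRYPTO_DH defined and LINUXKM_LKCAPI_REGISTER_DH undefined, which is exactly what the following `#error Config conflict` tests for, so every REGISTER_ALL_KCONFIG build against a pre-5.18 kernel with CONFIG_CRYPTO_DH (including the RHEL 9.5 and LTS backport kernels the comment itself names) fails to compile. If that is intended, the comment should say that REGISTER_ALL_KCONFIG requires a 5.18+ kernel whenever CONFIG_CRYPTO_DH is set; if the intent is the silent skip the commit message's "never install" suggests, add `LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && \` to the `#error` condition. The `||` on CONFIG_CRYPTO_DH_RFC7919_GROUPS is presumably redundant if, as in mainline Kconfig, that option depends on CRYPTO_DH, but it is harmless. The `#if ... #endif` that precedes the new block starts outside the hunk, so I cannot tell whether its `#undef` is meant to trigger the same `#error`.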