From f0f4084f94b3bc9f17e05328d0d6462f11a968f8 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 14 May 2025 15:37:12 -0500
Subject: [PATCH] linuxkm/lkcapi_dh_glue.c: never install DH/FFDHE on kernel <5.18 -- DH secrets have a different format before that version, and FFDHE (CONFIG_CRYPTO_DH_RFC7919_GROUPS) was introduced in 5.18 and is the only FIPS-allowed DH variant.
---
 .wolfssl_known_macro_extras | 1 +
 linuxkm/lkcapi_dh_glue.c | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 5099e72cd..dc86b99ef 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -56,6 +56,7 @@ CONFIG_CRYPTO_AES
 CONFIG_CRYPTO_CBC
 CONFIG_CRYPTO_CTR
 CONFIG_CRYPTO_DH
+CONFIG_CRYPTO_DH_RFC7919_GROUPS
 CONFIG_CRYPTO_ECB
 CONFIG_CRYPTO_ECDH
 CONFIG_CRYPTO_ECDSA
diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c
index a4ff71258..70f4e9923 100644
--- a/linuxkm/lkcapi_dh_glue.c
+++ b/linuxkm/lkcapi_dh_glue.c
@@ -56,10 +56,24 @@
 #undef LINUXKM_LKCAPI_REGISTER_DH
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)
+ /* Support for FFDHE was added in kernel 5.18, and generic DH support
+ * pre-5.18 used a different binary format for the secret (an additional
+ * slot for q).
+ *
+ * LTS backports of FFDHE go as far back as 4.14.236, using the pre-5.18
+ * binary layout, but other backports, e.g. RHEL 9.5 on kernel
+ * 5.14.0-503.40.1, have the 5.18+ layout. Best to disable on all pre-5.18
+ * and triage as/if necessary.
+ */
+ #undef LINUXKM_LKCAPI_REGISTER_DH
+#endif
+
 #if defined(LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG) && \
- defined(CONFIG_CRYPTO_DH) && \
+ (defined(CONFIG_CRYPTO_DH) || defined(CONFIG_CRYPTO_DH_RFC7919_GROUPS)) && \
 !defined(LINUXKM_LKCAPI_REGISTER_DH)
- #error Config conflict: target kernel has CONFIG_CRYPTO_DH, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
+ #error Config conflict: target kernel has CONFIG_CRYPTO_DH and/or \
+ _DH_RFC7919_GROUPS, but module is missing LINUXKM_LKCAPI_REGISTER_DH.
 #endif
 
 #if defined(LINUXKM_LKCAPI_REGISTER_DH)
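Review bot: On a pre-5.18 kernel that has CONFIG_CRYPTO_DH or CONFIG_CRYPTO_DH_RFC7919_GROUPS set and builds with LINUXKM_LKCAPI_REGISTER_ALL_KCONFIG, the new `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 18, 0)` block undefines LINUXKM_LKCAPI_REGISTER_DH and the config-conflict `#error` directly below it then fires, so the version gate becomes a hard build failure rather than the quiet "never install" the commit message describes — this may be deliberate for the RHEL 9.5-style backports the comment mentions, but nothing in the hunk says so. If the intent is to skip DH silently, add `LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && \` as a further condition of that `#if`; if the loud failure is intended, a one-line comment on the `#error` block such as `/* also trips on pre-5.18 kernels, where REGISTER_DH was just undefined above */` would save the next reader the same question. Separately, the `#error` text abbreviates the second macro as `_DH_RFC7919_GROUPS`, which is not greppable; spelling out `CONFIG_CRYPTO_DH_RFC7919_GROUPS` on the continuation line costs nothing. The `#if`/`#undef` block whose tail forms the hunk's first context lines starts outside the hunk, so whether an earlier gate already consults LINUX_VERSION_CODE, and whether the header that defines KERNEL_VERSION is included in this file, cannot be confirmed from here.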