ctrliq · jallisonciq · Sep 22, 2025 · Sep 20, 2025 · Sep 20, 2025
diff --git a/crypto/dh.c b/crypto/dh.c
@@ -227,10 +227,35 @@ static int dh_compute_value(struct kpp_request *req)
 
 		/* SP800-56A rev 3 5.6.2.1.3 key check */
 		} else {
+			MPI val_pct;
+
 			if (dh_is_pubkey_valid(ctx, val)) {
 				ret = -EAGAIN;
 				goto err_free_val;
 			}
+
+			/*
+			 * SP800-56Arev3, 5.6.2.1.4: ("Owner Assurance
+			 * of Pair-wise Consistency"): recompute the
+			 * public key and check if the results match.
+			 */
+			val_pct = mpi_alloc(0);
+			if (!val_pct) {
+				ret = -ENOMEM;
+				goto err_free_val;
+			}
+
+			ret = _compute_val(ctx, base, val_pct);
+			if (ret) {
+				mpi_free(val_pct);
+				goto err_free_val;
+			}
+
+			if (mpi_cmp(val, val_pct) != 0) {
+				fips_fail_notify();
+				panic("dh: pair-wise consistency test failed\n");
+			}
+			mpi_free(val_pct);
 		}
 	}
 

diff --git a/crypto/seqiv.c b/crypto/seqiv.c
@@ -132,6 +132,19 @@ static int seqiv_aead_decrypt(struct aead_request *req)
 	return crypto_aead_decrypt(subreq);
 }
 
+static int aead_init_seqiv(struct crypto_aead *aead)
+{
+	int err;
+
+	err = aead_init_geniv(aead);
+	if (err)
+		return err;
+
+	crypto_aead_set_flags(aead, CRYPTO_TFM_FIPS_COMPLIANCE);
+
+	return 0;
+}
+
 static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
 {
 	struct aead_instance *inst;
@@ -149,7 +162,7 @@ static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
 	inst->alg.encrypt = seqiv_aead_encrypt;
 	inst->alg.decrypt = seqiv_aead_decrypt;
 
-	inst->alg.init = aead_init_geniv;
+	inst->alg.init = aead_init_seqiv;
 	inst->alg.exit = aead_exit_geniv;
 
 	inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx);

diff --git a/include/linux/crypto.h b/include/linux/crypto.h
@@ -135,6 +135,8 @@
 #define CRYPTO_TFM_REQ_MAY_BACKLOG	0x00000400
 #define CRYPTO_TFM_REQ_NEED_RESEED	0x00000800
 
+#define CRYPTO_TFM_FIPS_COMPLIANCE	0x80000000
+
 /*
  * Miscellaneous stuff.
  */