Commit 10faa8c0 authored by Stephan Mueller's avatar Stephan Mueller Committed by Herbert Xu

crypto: FIPS - allow tests to be disabled in FIPS mode

In FIPS mode, additional restrictions may apply. If these restrictions
are violated, the kernel will panic(). This patch allows test vectors
for symmetric ciphers to be marked as to be skipped in FIPS mode.

Together with the patch, the XTS test vectors where the AES key is
identical to the tweak key is disabled in FIPS mode. This test vector
violates the FIPS requirement that both keys must be different.
Reported-by: default avatarTapas Sarangi <TSarangi@trustwave.com>
Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 93ba73fe
...@@ -1008,6 +1008,9 @@ static int test_cipher(struct crypto_cipher *tfm, int enc, ...@@ -1008,6 +1008,9 @@ static int test_cipher(struct crypto_cipher *tfm, int enc,
if (template[i].np) if (template[i].np)
continue; continue;
if (fips_enabled && template[i].fips_skip)
continue;
j++; j++;
ret = -EINVAL; ret = -EINVAL;
...@@ -1112,6 +1115,9 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc, ...@@ -1112,6 +1115,9 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
if (template[i].np && !template[i].also_non_np) if (template[i].np && !template[i].also_non_np)
continue; continue;
if (fips_enabled && template[i].fips_skip)
continue;
if (template[i].iv) if (template[i].iv)
memcpy(iv, template[i].iv, ivsize); memcpy(iv, template[i].iv, ivsize);
else else
...@@ -1198,6 +1204,9 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc, ...@@ -1198,6 +1204,9 @@ static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
if (!template[i].np) if (!template[i].np)
continue; continue;
if (fips_enabled && template[i].fips_skip)
continue;
if (template[i].iv) if (template[i].iv)
memcpy(iv, template[i].iv, ivsize); memcpy(iv, template[i].iv, ivsize);
else else
......
...@@ -59,6 +59,7 @@ struct hash_testvec { ...@@ -59,6 +59,7 @@ struct hash_testvec {
* @tap: How to distribute data in @np SGs * @tap: How to distribute data in @np SGs
* @also_non_np: if set to 1, the test will be also done without * @also_non_np: if set to 1, the test will be also done without
* splitting data in @np SGs * splitting data in @np SGs
* @fips_skip: Skip the test vector in FIPS mode
*/ */
struct cipher_testvec { struct cipher_testvec {
...@@ -75,6 +76,7 @@ struct cipher_testvec { ...@@ -75,6 +76,7 @@ struct cipher_testvec {
unsigned char klen; unsigned char klen;
unsigned short ilen; unsigned short ilen;
unsigned short rlen; unsigned short rlen;
bool fips_skip;
}; };
struct aead_testvec { struct aead_testvec {
...@@ -18224,6 +18226,7 @@ static struct cipher_testvec aes_xts_enc_tv_template[] = { ...@@ -18224,6 +18226,7 @@ static struct cipher_testvec aes_xts_enc_tv_template[] = {
"\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00", "\x00\x00\x00\x00\x00\x00\x00\x00",
.klen = 32, .klen = 32,
.fips_skip = 1,
.iv = "\x00\x00\x00\x00\x00\x00\x00\x00" .iv = "\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00", "\x00\x00\x00\x00\x00\x00\x00\x00",
.input = "\x00\x00\x00\x00\x00\x00\x00\x00" .input = "\x00\x00\x00\x00\x00\x00\x00\x00"
...@@ -18566,6 +18569,7 @@ static struct cipher_testvec aes_xts_dec_tv_template[] = { ...@@ -18566,6 +18569,7 @@ static struct cipher_testvec aes_xts_dec_tv_template[] = {
"\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00", "\x00\x00\x00\x00\x00\x00\x00\x00",
.klen = 32, .klen = 32,
.fips_skip = 1,
.iv = "\x00\x00\x00\x00\x00\x00\x00\x00" .iv = "\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00", "\x00\x00\x00\x00\x00\x00\x00\x00",
.input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec" .input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec"
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment