From: Jarod Wilson <jarod@redhat.com> Date: Tue, 12 May 2009 11:43:29 -0400 Subject: [crypto] block use of non-fips algs in fips mode Message-id: 200905121143.29366.jarod@redhat.com O-Subject: [RHEL5.4 PATCH 2/3] crypto: block use of non-fips algs in fips mode Bugzilla: 499646 RH-Acked-by: Neil Horman <nhorman@redhat.com> On Tuesday 12 May 2009 11:37:56 Jarod Wilson wrote: > Bugzilla #499646: [FIPS140-2] add parameter to tcrypt self test module > to only allow testing of approved supported algorithms > https://bugzilla.redhat.com/show_bug.cgi?id=499646 Block the use of any non-fips-allowed algorithms in fips mode by returning an -EINVAL when their self-tests attempt to run. diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 38a238f..5b19049 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -1520,6 +1520,9 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask) if (i < 0) goto notest; + if (fips_enabled && !alg_test_descs[i].fips_allowed) + goto non_fips_alg; + rc = alg_test_cipher(alg_test_descs + i, driver, type, mask); goto test_done; } @@ -1528,6 +1531,9 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask) if (i < 0) goto notest; + if (fips_enabled && !alg_test_descs[i].fips_allowed) + goto non_fips_alg; + rc = alg_test_descs[i].test(alg_test_descs + i, driver, type, mask); test_done: @@ -1543,6 +1549,8 @@ test_done: notest: printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver); return 0; +non_fips_alg: + return -EINVAL; } EXPORT_SYMBOL_GPL(alg_test); diff --git a/crypto/testmgr_digest.c b/crypto/testmgr_digest.c index 2a94541..39f79f0 100644 --- a/crypto/testmgr_digest.c +++ b/crypto/testmgr_digest.c @@ -283,6 +283,7 @@ int digest_test(const char *driver, const char *alg) { int start = 0; int end = ARRAY_SIZE(digest_test_descs); + int rc; while (start < end) { int i = (start + end) / 2; @@ -298,12 +299,21 @@ int digest_test(const char *driver, const char *alg) continue; } - return digest_test_descs[i].test(digest_test_descs + i, driver, - 0, 0); + if (fips_enabled && !digest_test_descs[i].fips_allowed) + goto non_fips_alg; + + rc = digest_test_descs[i].test(digest_test_descs + i, driver, + 0, 0); + if (fips_enabled && rc) + panic("%s: %s alg test failed in fips mode!\n", driver, alg); + + return rc; } printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver); return 0; +non_fips_alg: + return -EINVAL; } EXPORT_SYMBOL_GPL(digest_test);