From: Jarod Wilson <jarod@redhat.com>
Date: Tue, 12 May 2009 11:41:41 -0400
Subject: [crypto] mark algs allowed in fips mode
Message-id: 200905121141.41718.jarod@redhat.com
O-Subject: [RHEL5.4 PATCH 1/3] crypto: mark algs allowed in fips mode
Bugzilla: 499646
RH-Acked-by: Neil Horman <nhorman@redhat.com>
On Tuesday 12 May 2009 11:37:56 Jarod Wilson wrote:
> Bugzilla #499646: [FIPS140-2] add parameter to tcrypt self test module
> to only allow testing of approved supported algorithms
> https://bugzilla.redhat.com/show_bug.cgi?id=499646
Mark the algorithms that are allowed in fips mode. Note that des and crc32 aren't actually approved algs, but are both required for proper functionality of the system, and thus have to be allowed as well. crc32 is used by a number of drivers for basic integrity checks and blocking des would also prevent the approved des3_ede from being used, due to the way their shared driver is initialized.
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index f22fe86..38a238f 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -93,6 +93,7 @@ struct alg_test_desc {
 const char *alg;
 int (*test)(const struct alg_test_desc *desc, const char *driver, u32 type, u32 mask);
+ int fips_allowed; /* set if alg is allowed in fips mode */
 union {
 struct aead_test_suite aead;
@@ -1026,6 +1027,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 {
 .alg = "ansi_cprng",
 .test = alg_test_cprng,
+ .fips_allowed = 1,
 .suite = {
 .cprng = {
 .vecs = ansi_cprng_aes_tv_template,
@@ -1035,6 +1037,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "cbc(aes)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
@@ -1095,6 +1098,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "cbc(des3_ede)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
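Review bot: The comment on the new `fips_allowed` member in `struct alg_test_desc` (first hunk of crypto/testmgr.c) does not say what an unset entry means, and that default is the security-relevant case: every descriptor that omits the designated initializer gets 0. I would spell that out, e.g. `int fips_allowed; /* nonzero if alg may be used in fips mode; entries that omit it default to 0 */`. Nothing in the visible diff reads the field, so the check that consumes it presumably arrives in a later patch of this series; until then the flag has no effect. The same member is added to the second `struct alg_test_desc` definition in crypto/testmgr_digest.c, and the two copies need to stay identical. The struct body continues outside both hunks.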
@@ -1125,6 +1129,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "ccm(aes)",
 .test = alg_test_aead,
+ .fips_allowed = 1,
 .suite = {
 .aead = {
 .enc = {
@@ -1140,6 +1145,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "ctr(aes)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
@@ -1155,6 +1161,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "ecb(aes)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
@@ -1245,6 +1252,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "ecb(des)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
@@ -1260,6 +1268,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "ecb(des3_ede)",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
@@ -1389,6 +1398,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "hmac(sha1)",
 .test = alg_test_hash,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = hmac_sha1_tv_template,
@@ -1398,6 +1408,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "hmac(sha256)",
 .test = alg_test_hash,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = hmac_sha256_tv_template,
@@ -1407,6 +1418,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "hmac(sha384)",
 .test = alg_test_hash,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = hmac_sha384_tv_template,
@@ -1416,6 +1428,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "hmac(sha512)",
 .test = alg_test_hash,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = hmac_sha512_tv_template,
@@ -1425,6 +1438,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "rfc3686(ctr(aes))",
 .test = alg_test_skcipher,
+ .fips_allowed = 1,
 .suite = {
 .cipher = {
 .enc = {
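Review bot: The `ecb(des)` entry gets the same `.fips_allowed = 1` as the approved algorithms, and nothing in the table records that it is an exception; the rationale exists only in the commit description. A reader auditing `alg_test_descs[]` for what fips mode permits would take DES as approved, so I would add a comment above the flag, e.g. `/* not FIPS-approved: allowed only because des3_ede shares its driver init */`. The flag as written also appears to permit any caller to request DES in fips mode, not just the des3_ede initialization path, which is worth confirming against the code that consumes the field. The description names crc32 as a second exception, but no hunk in the visible diff sets the flag for a crc32 entry. The initializer for this entry continues outside the hunk.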
@@ -1440,6 +1454,7 @@ static const struct alg_test_desc alg_test_descs[] = {
 }, {
 .alg = "rfc4309(ccm(aes))",
 .test = alg_test_aead,
+ .fips_allowed = 1,
 .suite = {
 .aead = {
 .enc = {
diff --git a/crypto/testmgr_digest.c b/crypto/testmgr_digest.c
index 38b0516..2a94541 100644
--- a/crypto/testmgr_digest.c
+++ b/crypto/testmgr_digest.c
@@ -49,6 +49,7 @@ struct alg_test_desc {
 const char *alg;
 int (*test)(const struct alg_test_desc *desc, const char *driver, u32 type, u32 mask);
+ int fips_allowed; /* set if alg is allowed in fips mode */
 union {
 struct hash_test_suite hash;
@@ -184,6 +185,7 @@ static const struct alg_test_desc digest_test_descs[] = {
 }, {
 .alg = "sha1",
 .test = alg_test_digest,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = sha1_tv_template,
@@ -193,6 +195,7 @@ static const struct alg_test_desc digest_test_descs[] = {
 }, {
 .alg = "sha256",
 .test = alg_test_digest,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = sha256_tv_template,
@@ -202,6 +205,7 @@ static const struct alg_test_desc digest_test_descs[] = {
 }, {
 .alg = "sha384",
 .test = alg_test_digest,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = sha384_tv_template,
@@ -211,6 +215,7 @@ static const struct alg_test_desc digest_test_descs[] = {
 }, {
 .alg = "sha512",
 .test = alg_test_digest,
+ .fips_allowed = 1,
 .suite = {
 .hash = {
 .vecs = sha512_tv_template,