From a18a8ced2332e014c11e5ab994262ce66f7c5f55 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 1 May 2025 16:55:30 -0500
Subject: [PATCH 1/2] linuxkm/lkcapi_*_glue.c: in test harnesses, fix several out-of-order NULLing of PTR_ERR-type pointers in error paths.
---
 linuxkm/lkcapi_dh_glue.c | 4 ++--
 linuxkm/lkcapi_ecdh_glue.c | 4 ++--
 linuxkm/lkcapi_ecdsa_glue.c | 4 ++--
 linuxkm/lkcapi_rsa_glue.c | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c
index b081a48bf..bacbf345b 100644
--- a/linuxkm/lkcapi_dh_glue.c
+++ b/linuxkm/lkcapi_dh_glue.c
@@ -2821,11 +2821,11 @@ static int linuxkm_test_kpp_driver(const char * driver,
 if (IS_ERR(tfm)) {
 pr_err("error: allocating kpp algorithm %s failed: %ld\n",
 driver, PTR_ERR(tfm));
- tfm = NULL;
 if (PTR_ERR(tfm) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ tfm = NULL;
 goto test_kpp_end;
 }
@@ -2833,11 +2833,11 @@ static int linuxkm_test_kpp_driver(const char * driver,
 if (IS_ERR(req)) {
 pr_err("error: allocating kpp request %s failed\n",
 driver);
- req = NULL;
 if (PTR_ERR(req) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ req = NULL;
 goto test_kpp_end;
 }
diff --git a/linuxkm/lkcapi_ecdh_glue.c b/linuxkm/lkcapi_ecdh_glue.c
index f463c3d04..ecf4fb18a 100644
--- a/linuxkm/lkcapi_ecdh_glue.c
+++ b/linuxkm/lkcapi_ecdh_glue.c
@@ -804,11 +804,11 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver,
 if (IS_ERR(tfm)) {
 pr_err("error: allocating kpp algorithm %s failed: %ld\n",
 driver, PTR_ERR(tfm));
- tfm = NULL;
 if (PTR_ERR(tfm) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ tfm = NULL;
 goto test_ecdh_nist_end;
 }
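Review bot: In the `IS_ERR(tfm)` branch of linuxkm_test_kpp_driver() (hunk at -2821) the error code is still decoded from the pointer twice, so the result keeps depending on `tfm = NULL;` staying below every `PTR_ERR(tfm)` use. Capturing it once as the first statement of the branch, `const long err = PTR_ERR(tfm);`, and using `err` in both the pr_err() call and the `-ENOMEM` comparison would make the ordering irrelevant. The same applies to the `tfm` hunks in lkcapi_ecdh_glue.c, lkcapi_ecdsa_glue.c and lkcapi_rsa_glue.c. The enclosing function starts and ends outside the hunk.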
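Review bot: The `IS_ERR(req)` test in the second lkcapi_dh_glue.c hunk (-2833) does not catch a NULL `req`. The call that assigns `req` is above the hunk; if it is kpp_request_alloc(), as the log text suggests, that helper returns NULL rather than an ERR_PTR when the allocation fails, so the error branch would be skipped and the NULL request would presumably reach the code after the hunk. I'd test `if (IS_ERR_OR_NULL(req)) {` and map the NULL case to MEMORY_E, e.g. `test_rc = (req == NULL || PTR_ERR(req) == -ENOMEM) ? MEMORY_E : BAD_FUNC_ARG;`. The `req` hunks in lkcapi_ecdh_glue.c, lkcapi_ecdsa_glue.c and lkcapi_rsa_glue.c carry the same check (akcipher_request_alloc() also returns NULL on failure).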
@@ -816,11 +816,11 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver,
 if (IS_ERR(req)) {
 pr_err("error: allocating kpp request %s failed\n",
 driver);
- req = NULL;
 if (PTR_ERR(req) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ req = NULL;
 goto test_ecdh_nist_end;
 }
diff --git a/linuxkm/lkcapi_ecdsa_glue.c b/linuxkm/lkcapi_ecdsa_glue.c
index 3413387ba..f7a3c93bd 100644
--- a/linuxkm/lkcapi_ecdsa_glue.c
+++ b/linuxkm/lkcapi_ecdsa_glue.c
@@ -680,11 +680,11 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver,
 if (IS_ERR(tfm)) {
 pr_err("error: allocating akcipher algorithm %s failed: %ld\n",
 driver, PTR_ERR(tfm));
- tfm = NULL;
 if (PTR_ERR(tfm) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ tfm = NULL;
 goto test_ecdsa_nist_end;
 }
@@ -692,11 +692,11 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver,
 if (IS_ERR(req)) {
 pr_err("error: allocating akcipher request %s failed\n",
 driver);
- req = NULL;
 if (PTR_ERR(req) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ req = NULL;
 goto test_ecdsa_nist_end;
 }
diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c
index ff3c5e617..f6cb63247 100644
--- a/linuxkm/lkcapi_rsa_glue.c
+++ b/linuxkm/lkcapi_rsa_glue.c
@@ -1653,11 +1653,11 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits,
 if (IS_ERR(tfm)) {
 pr_err("error: allocating akcipher algorithm %s failed: %ld\n",
 driver, PTR_ERR(tfm));
- tfm = NULL;
 if (PTR_ERR(tfm) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ tfm = NULL;
 goto test_pkcs1_end;
 }
@@ -1665,11 +1665,11 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits,
 if (IS_ERR(req)) {
 pr_err("error: allocating akcipher request %s failed\n",
 driver);
- req = NULL;
 if (PTR_ERR(req) == -ENOMEM)
 test_rc = MEMORY_E;
 else
 test_rc = BAD_FUNC_ARG;
+ req = NULL;
 goto test_pkcs1_end;
 }
From fea5694e1d6e049027393fba535b37602fc23028 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 1 May 2025 16:57:55 -0500
Subject: [PATCH 2/2] linuxkm/lkcapi_glue.c: with kernels <6.3.0, disable kernel fips_enabled mode while registering FIPS ECDSA shims, to work around crypto manager bug (not recognized as FIPS-allowed algorithms).
---
 linuxkm/lkcapi_glue.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c
index d21280e79..cb6d63f1b 100644
--- a/linuxkm/lkcapi_glue.c
+++ b/linuxkm/lkcapi_glue.c
@@ -238,15 +238,6 @@ WC_MAYBE_UNUSED static int check_shash_driver_masking(struct crypto_shash *tfm,
 * extra checks on kernel version, and ecc sizes.
 */
 #if defined (LINUXKM_LKCAPI_REGISTER_ECDSA)
- #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && \
- defined(CONFIG_CRYPTO_FIPS) && defined(CONFIG_CRYPTO_MANAGER)
- /*
- * note: ecdsa was not recognized as fips_allowed before linux v6.3
- * in kernel crypto/testmgr.c, and will not pass the tests.
- */
- #undef LINUXKM_LKCAPI_REGISTER_ECDSA
- #endif /* linux < 6.3.0 && CONFIG_CRYPTO_FIPS && CONFIG_CRYPTO_MANAGER */
-
 #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && \
 ECC_MIN_KEY_SZ <= 192 && !defined(CONFIG_CRYPTO_FIPS)
 /* only register p192 if specifically enabled, and if not fips. */
@@ -562,6 +553,18 @@ static int linuxkm_lkcapi_register(void)
 #endif
 #ifdef LINUXKM_LKCAPI_REGISTER_ECDSA
+
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)) && \
+ defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
+ defined(CONFIG_CRYPTO_MANAGER) && \
+ !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
+ /*
+ * ecdsa was not recognized as fips_allowed before linux v6.3
+ * in kernel crypto/testmgr.c.
+ */
+ fips_enabled = 0;
+ #endif
+
 #if defined(LINUXKM_ECC192)
 REGISTER_ALG(ecdsa_nist_p192, akcipher,
 linuxkm_test_ecdsa_nist_p192);
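Review bot: `fips_enabled = 0;` in the -562 hunk clears a kernel-wide flag, so while the ECDSA registrations run FIPS enforcement is off for every other crypto user as well, not only for these shims, and nothing in the hunk puts the flag back on a failure path. REGISTER_ALG() is defined outside the hunk, so this part is inferred: if it can return from linuxkm_lkcapi_register() on error, the function exits with the flag still cleared. I'd restore the flag before any early exit and extend the comment to state the scope of the workaround, e.g. `/* kernel-wide: FIPS enforcement stays off until the flag is restored after the ECDSA registrations */`. The function body continues outside the hunk.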
@@ -577,6 +580,14 @@ static int linuxkm_lkcapi_register(void)
 REGISTER_ALG(ecdsa_nist_p521, akcipher,
 linuxkm_test_ecdsa_nist_p521);
 #endif /* HAVE_ECC521 */
+
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)) && \
+ defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
+ defined(CONFIG_CRYPTO_MANAGER) && \
+ !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
+ fips_enabled = 1;
+ #endif
+
 #endif /* LINUXKM_LKCAPI_REGISTER_ECDSA */
 #ifdef LINUXKM_LKCAPI_REGISTER_ECDH
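Review bot: `fips_enabled = 1;` forces FIPS mode on instead of restoring the value the flag had before the registrations. The guard tests only build-time options (HAVE_FIPS, CONFIG_CRYPTO_FIPS, CONFIG_CRYPTO_MANAGER), so on a kernel built with FIPS support but running with it off, loading the module would leave `fips_enabled` set, unless something outside the hunk guarantees it was 1 on entry. I'd save the value where the flag is cleared, `const int saved_fips_enabled = fips_enabled;`, and write `fips_enabled = saved_fips_enabled;` here. linuxkm_lkcapi_register() starts and ends outside the hunk.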