feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

linuxkm/lkcapi_glue.c: for LINUXKM_LKCAPI_REGISTER_ECDH, always clear fips_enabled (see comment for details).

Browse Source
This commit is contained in:
Daniel Pouzzner
2025-05-08 12:13:06 -05:00
parent 7ff4ada692
commit ac7326d272
1 changed files with 19 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
linuxkm/lkcapi_glue.c
View File

@@ -499,15 +499,24 @@ static int linuxkm_lkcapi_register(void)
#ifdef LINUXKM_LKCAPI_REGISTER_ECDH #ifdef LINUXKM_LKCAPI_REGISTER_ECDH
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) && \ /* In kernels before 5.13.0, ecdh-nist-p256 was not recognized as
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \ * fips_allowed, and ecdh-nist-p384 was completely
defined(CONFIG_CRYPTO_MANAGER) && \ * missing before 5.14 and not fips_allowed before 5.15.
*
* RedHat also recently patched their crypto manager to mark ECDH
* !fips_allowed due the vagaries of their own certificate. (See 5074fb61f6,
* 2025-Mar-13.)
*
* Given the above, and given we're not actually relying on the crypto
* manager for FIPS self tests, and given the FIPS ECDH implementation passes
* the non-FIPS ECDH crypto manager tests, the pragmatic solution we settle
* on here for ECDH is to always clear fips_enabled in target kernels that
* have it.
*/
#if defined(CONFIG_CRYPTO_FIPS) && \
defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
/*
* In kernel crypto/testmgr.c, ecdh-nist-p256 was not recognized as
* fips_allowed before 5.13, and ecdh-nist-p384 was completely
* missing before 5.14 and not fips_allowed before 5.15.
*/
fips_enabled = 0; fips_enabled = 0;
#endif #endif
@@ -522,9 +531,8 @@ static int linuxkm_lkcapi_register(void)
REGISTER_ALG(ecdh_nist_p384, kpp, REGISTER_ALG(ecdh_nist_p384, kpp,
linuxkm_test_ecdh_nist_p384); linuxkm_test_ecdh_nist_p384);
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) && \ #if defined(CONFIG_CRYPTO_FIPS) && \
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \ defined(CONFIG_CRYPTO_MANAGER) && \
defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
fips_enabled = 1; fips_enabled = 1;
#endif #endif