fixes for F-3325:

wolfcrypt/src/aes.c: enforce AES-XTS K1!=K2 constraint in wc_AesXtsSetKeyNoInit() unless WC_AES_XTS_ALLOW_DUPLICATE_KEYS is defined and HAVE_FIPS is not;

tests/api/test_aes.c: add negative tests to test_wc_AesXtsSetKey() for K1==K2;

wolfcrypt/test/test.c: fix keys in aes_xts_128_inplace_test() and aes_xts_192_inplace_test() so that K1!=K2, update test vectors, and remove associated !HAVE_FIPS gating;

linuxkm/lkcapi_aes_glue.c: synchronize aes_xts_128_test() test of ciphertext stealing in-place with wolfcrypt/test/test.c.

wrapper/rust/wolfssl-wolfcrypt/src/aes.rs: synchronize XTS streaming test with wolfcrypt/test/test.c.

linuxkm/: refactor self-test sensing with version-gated setup in linuxkm_wc_port.h and refactored gates in lkcapi_glue.c.
Daniel Pouzzner
2026-06-11 15:38:28 -05:00
parent bd78a42e9a
commit 0097739dd8
8 changed files with 80 additions and 60 deletions
+1
@@ -80,6 +80,7 @@ CONFIG_CRYPTO_GCM
CONFIG_CRYPTO_HMAC
CONFIG_CRYPTO_MANAGER
CONFIG_CRYPTO_RSA
CONFIG_CRYPTO_SELFTESTS
CONFIG_CRYPTO_SELFTESTS_FULL
CONFIG_CRYPTO_SHA1
CONFIG_CRYPTO_SHA256
+23
@@ -371,6 +371,29 @@
#include <linux/kernel.h>
#include <linux/ctype.h>
#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 16, 0)
#if defined(CONFIG_CRYPTO_MANAGER) && !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
#define WC_LINUXKM_HAVE_SELFTEST
#endif
#if defined(WC_LINUXKM_HAVE_SELFTEST) && defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS)
#define WC_LINUXKM_HAVE_SELFTEST_FULL
#endif
#else
/* see Linux 698de822780f */
#if defined(CONFIG_CRYPTO_MANAGER) && defined(CONFIG_CRYPTO_SELFTESTS)
#define WC_LINUXKM_HAVE_SELFTEST
#endif
/* see Linux ac90aad0e9 */
#if defined(WC_LINUXKM_HAVE_SELFTEST) && defined(CONFIG_CRYPTO_SELFTESTS_FULL)
#define WC_LINUXKM_HAVE_SELFTEST_FULL
#endif
#endif
/* Kernel non-FIPS self-test ("testmgr") has a KAT with all-zeros keys. */
#if defined(WC_LINUXKM_HAVE_SELFTEST) && !defined(HAVE_FIPS)
#define WC_AES_XTS_ALLOW_DUPLICATE_KEYS
#endif
#if defined(CONFIG_FORTIFY_SOURCE) || defined(DEBUG_LINUXKM_FORTIFY_OVERLAY)
#ifdef WC_CONTAINERIZE_THIS
/* the inline definitions in fortify-string.h use non-inline
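Review bot: The `#define WC_AES_XTS_ALLOW_DUPLICATE_KEYS` under `WC_LINUXKM_HAVE_SELFTEST && !HAVE_FIPS` is a build-wide switch, so in every non-FIPS module built against a self-test-enabled kernel the K1!=K2 check this commit adds to wc_AesXtsSetKeyNoInit() is compiled out for all callers, not only for the testmgr KAT. If that trade-off is intended, the comment should say so, e.g. `/* Kernel non-FIPS testmgr has an all-zeros-key XTS KAT, so the duplicate-key check is disabled module-wide in these builds. */`. Whether the LKCAPI setkey glue applies its own weak-key check in that configuration is not visible in this section. Wrapping the define in `#ifndef WC_AES_XTS_ALLOW_DUPLICATE_KEYS` would also avoid a redefinition diagnostic when a builder passes the macro with a value on the command line.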
+6 -12
@@ -3832,12 +3832,11 @@ static int aes_xts_128_test(void)
0xff, 0x8d, 0xbc, 0x1d, 0x9f, 0x7f, 0xc8, 0x22
};
#ifndef HAVE_FIPS /* FIPS requires different keys for main and tweak. */
static const unsigned char k3[] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x21,
};
static const unsigned char i3[] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
@@ -3851,13 +3850,12 @@ static int aes_xts_128_test(void)
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
static const unsigned char c3[] = {
0xA2, 0x07, 0x47, 0x76, 0x3F, 0xEC, 0x0C, 0x23,
0x1B, 0xD0, 0xBD, 0x46, 0x9A, 0x27, 0x38, 0x12,
0x95, 0x02, 0x3D, 0x5D, 0xC6, 0x94, 0x51, 0x36,
0xA0, 0x85, 0xD2, 0x69, 0x6E, 0x87, 0x0A, 0xBF,
0xB5, 0x5A, 0xDD, 0xCB, 0x80, 0xE0, 0xFC, 0xCD
0x39, 0x06, 0xE7, 0xF3, 0x33, 0x0B, 0x1B, 0x1D,
0x2B, 0x11, 0xB0, 0xB7, 0xAF, 0x43, 0xB1, 0x8F,
0xE6, 0xBE, 0x79, 0x34, 0xBD, 0x31, 0x64, 0x3D,
0xA1, 0x16, 0xB5, 0xF0, 0x9B, 0x1D, 0x41, 0xF2,
0x3F, 0xED, 0x11, 0x37, 0xCB, 0x4D, 0xAD, 0xA4
};
#endif /* HAVE_FIPS */
if ((aes = (XtsAes *)XMALLOC(sizeof(*aes), NULL, DYNAMIC_TYPE_AES))
== NULL)
@@ -4048,8 +4046,6 @@ static int aes_xts_128_test(void)
goto out;
}
#ifndef HAVE_FIPS
/* Test ciphertext stealing in-place. */
XMEMCPY(buf, p3, sizeof(p3));
ret = wc_AesXtsSetKeyNoInit(aes, k3, sizeof(k3), AES_ENCRYPTION);
@@ -4075,8 +4071,6 @@ static int aes_xts_128_test(void)
goto out;
}
#endif /* HAVE_FIPS */
{
#define LARGE_XTS_SZ 1024
int i;
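Review bot: The new `k3` differs from an all-0x20 key only in its final byte (`0x21`), and the `#ifndef HAVE_FIPS /* FIPS requires different keys for main and tweak. */` guard that explained the constraint appears to be among the removed lines, so nothing near the array says why that byte matters. A comment on `k3` such as `/* K1 != K2 is required by wc_AesXtsSetKeyNoInit(); the halves differ in the last byte only. */` would stop a later cleanup from restoring a duplicate key. The replacement `c3` bytes also carry no provenance; a short note naming how they were produced (`/* c3 generated with <independent implementation or tool> */`) would show the vector was cross-checked rather than taken from the code under test. The same applies to the matching `k3`/`c3` updates in the wolfcrypt/test/test.c in-place tests (128- and 192-bit) and in the Rust doc example. aes_xts_128_test() starts and ends outside these hunks.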
+11 -22
@@ -31,8 +31,7 @@
#error LINUXKM_LKCAPI_REGISTER is supported only on Linux kernel versions >= 5.4.0.
#endif
#if defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
#ifdef WC_LINUXKM_HAVE_SELFTEST
/* kernel crypto self-test includes test setups that have different expected
* results FIPS vs non-FIPS, and the required kernel exported symbol
* "fips_enabled" is only available in CONFIG_CRYPTO_FIPS kernels (otherwise
@@ -65,8 +64,7 @@
#define WOLFSSL_LINUXKM_LKCAPI_PRIORITY 100000
#endif
#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \
defined(CONFIG_CRYPTO_SELFTESTS_FULL)
#ifdef WC_LINUXKM_HAVE_SELFTEST_FULL
static int disable_setkey_warnings = 0;
#else
#define disable_setkey_warnings 0
@@ -227,8 +225,7 @@ static wolfSSL_Atomic_Int linuxkm_lkcapi_registering_now = WOLFSSL_ATOMIC_INITIA
static int linuxkm_lkcapi_register(void);
static int linuxkm_lkcapi_unregister(void);
#if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
#if defined(HAVE_FIPS) && defined(WC_LINUXKM_HAVE_SELFTEST)
static int enabled_fips = 0;
#endif
@@ -271,8 +268,7 @@ static ssize_t deinstall_algs_handler(struct kobject *kobj, struct kobj_attribut
if (ret != 0)
return ret;
#if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
#if defined(HAVE_FIPS) && defined(WC_LINUXKM_HAVE_SELFTEST)
if (enabled_fips) {
pr_info("wolfCrypt: restoring fips_enabled to off.\n");
enabled_fips = fips_enabled = 0;
@@ -343,8 +339,7 @@ static int linuxkm_lkcapi_register(void)
if (ret)
goto out;
#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \
defined(CONFIG_CRYPTO_SELFTESTS_FULL)
#ifdef WC_LINUXKM_HAVE_SELFTEST_FULL
/* temporarily disable warnings around setkey failures, which are expected
* from the crypto fuzzer in FIPS configs, and potentially in others.
* unexpected setkey failures are fatal errors returned by the fuzzer.
@@ -352,8 +347,7 @@ static int linuxkm_lkcapi_register(void)
disable_setkey_warnings = 1;
#endif
#if !defined(LINUXKM_DONT_FORCE_FIPS_ENABLED) && \
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
defined(HAVE_FIPS) && defined(WC_LINUXKM_HAVE_SELFTEST)
if (! fips_enabled) {
/* assert system-wide FIPS status, to disable FIPS-forbidden
* test vectors and fuzzing from the CRYPTO_MANAGER.
@@ -397,8 +391,7 @@ static int linuxkm_lkcapi_register(void)
} \
} while (0)
#if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
#if defined(HAVE_FIPS) && defined(WC_LINUXKM_HAVE_SELFTEST)
/* Same as above, but allow for option to skip problematic algs that are
* not consistently labeled fips_allowed in crypto/testmgr.c, and hence
* may be rejected by the kernel at runtime if is_fips is true. */
@@ -560,8 +553,7 @@ static int linuxkm_lkcapi_register(void)
#ifdef LINUXKM_LKCAPI_REGISTER_ECDSA
#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)) && \
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
defined(WC_LINUXKM_HAVE_SELFTEST)
/*
* ecdsa was not recognized as fips_allowed before linux v6.3
* in kernel crypto/testmgr.c.
@@ -601,8 +593,7 @@ static int linuxkm_lkcapi_register(void)
#if (LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)) && \
defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
defined(WC_LINUXKM_HAVE_SELFTEST)
#endif
#endif /* LINUXKM_LKCAPI_REGISTER_ECDSA */
@@ -624,8 +615,7 @@ static int linuxkm_lkcapi_register(void)
* enabled. Failures because of !fips_allowed are skipped over.
*/
#if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
defined(CONFIG_CRYPTO_MANAGER) && \
!defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
defined(WC_LINUXKM_HAVE_SELFTEST)
#if defined(LINUXKM_ECC192)
REGISTER_ALG_OPTIONAL(ecdh_nist_p192, kpp, linuxkm_test_ecdh_nist_p192);
#endif /* LINUXKM_ECC192 */
@@ -724,8 +714,7 @@ static int linuxkm_lkcapi_register(void)
#undef REGISTER_ALG
#undef REGISTER_ALG_OPTIONAL
#if defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || \
defined(CONFIG_CRYPTO_SELFTESTS_FULL)
#ifdef WC_LINUXKM_HAVE_SELFTEST_FULL
disable_setkey_warnings = 0;
#endif
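Review bot: Every self-test gate in this file now depends on `WC_LINUXKM_HAVE_SELFTEST` / `WC_LINUXKM_HAVE_SELFTEST_FULL`, which unlike the kernel's `CONFIG_*` symbols are wolfSSL-private and evaluate silently to false if the defining header has not been seen first; in that case the `fips_enabled` forcing and the `REGISTER_ALG_OPTIONAL` paths would compile out with no diagnostic. A comment at the first use, e.g. `/* WC_LINUXKM_HAVE_SELFTEST{,_FULL} are derived from the kernel version and CONFIG_CRYPTO_* in linuxkm_wc_port.h */`, would tell a reader where to look. Note also that `disable_setkey_warnings` was previously enabled by `CONFIG_CRYPTO_MANAGER_EXTRA_TESTS` or `CONFIG_CRYPTO_SELFTESTS_FULL` alone and now additionally requires `WC_LINUXKM_HAVE_SELFTEST`; that narrowing looks intended but deserves a word in the comment. linuxkm_lkcapi_register() extends beyond the visible hunks.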
+19
@@ -5132,6 +5132,9 @@ int test_wc_AesXtsSetKey(void)
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65
};
#if defined(HAVE_FIPS) || !defined(WC_AES_XTS_ALLOW_DUPLICATE_KEYS)
static const byte dupKey32[AES_256_KEY_SIZE * 2] = { 0 };
#endif
byte* key;
word32 keyLen;
@@ -5177,6 +5180,22 @@ int test_wc_AesXtsSetKey(void)
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(WC_KEY_SIZE_E));
ExpectIntEQ(wc_AesXtsSetKey(&aes, key, keyLen, -2, NULL, INVALID_DEVID),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if defined(HAVE_FIPS) || !defined(WC_AES_XTS_ALLOW_DUPLICATE_KEYS)
#ifdef WOLFSSL_AES_128
ExpectIntEQ(wc_AesXtsSetKey(&aes, dupKey32, AES_128_KEY_SIZE * 2,
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
#if defined(WOLFSSL_AES_192) && !defined(HAVE_FIPS)
ExpectIntEQ(wc_AesXtsSetKey(&aes, dupKey32, AES_192_KEY_SIZE * 2,
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
#ifdef WOLFSSL_AES_256
ExpectIntEQ(wc_AesXtsSetKey(&aes, dupKey32, AES_256_KEY_SIZE * 2,
AES_ENCRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
#endif /* HAVE_FIPS || !WC_AES_XTS_ALLOW_DUPLICATE_KEYS */
#endif
return EXPECT_RESULT();
} /* END test_wc_AesXtsSetKey */
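Review bot: The added negative cases pass only an all-zeros buffer and only `AES_ENCRYPTION`, so they would still pass if the check rejected zero keys rather than equal halves, or were applied in one direction only. A non-zero duplicate key and a decrypt-direction case would pin the behaviour, e.g. `ExpectIntEQ(wc_AesXtsSetKey(&aes, dupKey32, AES_256_KEY_SIZE * 2, AES_DECRYPTION, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));`. There is also no positive case for a non-FIPS build with `WC_AES_XTS_ALLOW_DUPLICATE_KEYS` defined, where the same call is presumably expected to succeed. The name `dupKey32` is slightly misleading for a buffer of `AES_256_KEY_SIZE * 2` bytes. test_wc_AesXtsSetKey() starts outside the hunk.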
+2 -2
@@ -15517,9 +15517,9 @@ int wc_AesXtsSetKeyNoInit(XtsAes* aes, const byte* key, word32 len, int dir)
keySz = len/2;
#ifdef HAVE_FIPS
#if defined(HAVE_FIPS) || !defined(WC_AES_XTS_ALLOW_DUPLICATE_KEYS)
if (XMEMCMP(key, key + keySz, keySz) == 0) {
WOLFSSL_MSG("FIPS AES-XTS main and tweak keys must differ");
WOLFSSL_MSG("AES-XTS main and tweak keys must differ");
return BAD_FUNC_ARG;
}
#endif
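Review bot: The key halves are compared with `XMEMCMP`, which may return at the first differing byte, so the time taken depends on how long a prefix the secret K1 and K2 share. For randomly generated keys the leak is tiny, but a constant-time comparison costs nothing here: `if (ConstantCompare(key, key + keySz, (int)keySz) == 0) {`, assuming misc.c's `ConstantCompare` is available in this translation unit. It would also help to document `WC_AES_XTS_ALLOW_DUPLICATE_KEYS` at this site, since defining it removes the check for every non-FIPS caller. wc_AesXtsSetKeyNoInit() begins before and continues after the hunk, so the `len` validation that should precede `keySz = len/2` is not visible.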
+12 -18
@@ -16604,7 +16604,6 @@ static wc_test_ret_t aes_xts_partial_test_common(XtsAes *aes,
* structurally identical and only differ in the key constants and expected
* ciphertext.
*/
#ifndef HAVE_FIPS
static wc_test_ret_t aes_xts_inplace_test_common(XtsAes *aes,
const unsigned char *k3, word32 k3Sz,
const unsigned char *i3, word32 i3Sz,
@@ -16707,7 +16706,6 @@ static wc_test_ret_t aes_xts_inplace_test_common(XtsAes *aes,
out:
return ret;
}
#endif /* !HAVE_FIPS */
/* test vectors from http://csrc.nist.gov/groups/STM/cavp/block-cipher-modes.html */
#ifdef WOLFSSL_AES_128
@@ -16933,14 +16931,13 @@ static wc_test_ret_t aes_xts_128_partial_test(XtsAes *aes)
p2, sizeof(p2), c2, sizeof(c2));
}
#ifndef HAVE_FIPS
static wc_test_ret_t aes_xts_128_inplace_test(XtsAes *aes)
{
WOLFSSL_SMALL_STACK_STATIC const unsigned char k3[] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x21
};
WOLFSSL_SMALL_STACK_STATIC const unsigned char i3[] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
@@ -16954,17 +16951,16 @@ static wc_test_ret_t aes_xts_128_inplace_test(XtsAes *aes)
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
WOLFSSL_SMALL_STACK_STATIC const unsigned char c3[] = {
0xA2, 0x07, 0x47, 0x76, 0x3F, 0xEC, 0x0C, 0x23,
0x1B, 0xD0, 0xBD, 0x46, 0x9A, 0x27, 0x38, 0x12,
0x95, 0x02, 0x3D, 0x5D, 0xC6, 0x94, 0x51, 0x36,
0xA0, 0x85, 0xD2, 0x69, 0x6E, 0x87, 0x0A, 0xBF,
0xB5, 0x5A, 0xDD, 0xCB, 0x80, 0xE0, 0xFC, 0xCD
0x39, 0x06, 0xE7, 0xF3, 0x33, 0x0B, 0x1B, 0x1D,
0x2B, 0x11, 0xB0, 0xB7, 0xAF, 0x43, 0xB1, 0x8F,
0xE6, 0xBE, 0x79, 0x34, 0xBD, 0x31, 0x64, 0x3D,
0xA1, 0x16, 0xB5, 0xF0, 0x9B, 0x1D, 0x41, 0xF2,
0x3F, 0xED, 0x11, 0x37, 0xCB, 0x4D, 0xAD, 0xA4
};
return aes_xts_inplace_test_common(aes,
k3, sizeof(k3), i3, sizeof(i3),
p3, sizeof(p3), c3, sizeof(c3));
}
#endif /* !HAVE_FIPS */
#if !defined(BENCH_EMBEDDED) && !defined(HAVE_CAVIUM) && \
!defined(WOLFSSL_AFALG)
@@ -17047,11 +17043,9 @@ static wc_test_ret_t aes_xts_128_test(void)
if (ret != 0)
ERROR_OUT(ret, out);
#ifndef HAVE_FIPS
ret = aes_xts_128_inplace_test(aes);
if (ret != 0)
ERROR_OUT(ret, out);
#endif /* !HAVE_FIPS */
#if !defined(BENCH_EMBEDDED) && !defined(HAVE_CAVIUM) && \
!defined(WOLFSSL_AFALG)
@@ -17313,7 +17307,7 @@ static wc_test_ret_t aes_xts_192_inplace_test(XtsAes *aes)
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x21
};
WOLFSSL_SMALL_STACK_STATIC const unsigned char i3[] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
@@ -17327,11 +17321,11 @@ static wc_test_ret_t aes_xts_192_inplace_test(XtsAes *aes)
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
WOLFSSL_SMALL_STACK_STATIC const unsigned char c3[] = {
0xa4, 0xf2, 0x71, 0x5d, 0x80, 0x60, 0x68, 0xa0,
0x80, 0x61, 0xd7, 0xc1, 0x55, 0xc8, 0x3a, 0x2e,
0xd7, 0xf4, 0x62, 0xaf, 0xbd, 0x2d, 0xf9, 0x5f,
0xe8, 0xc5, 0x99, 0x3d, 0x58, 0x3c, 0xeb, 0xba,
0x86, 0xea, 0x2c, 0x7e, 0x1f, 0xba, 0x81, 0xde
0x72, 0x7A, 0xBC, 0x25, 0x37, 0x20, 0x65, 0x1E,
0xF8, 0x45, 0xB0, 0x16, 0xE7, 0xEE, 0xDA, 0x36,
0xAB, 0x4F, 0xF4, 0xDB, 0x3C, 0xFB, 0x75, 0x19,
0xA3, 0x01, 0x74, 0x28, 0xD5, 0x92, 0x09, 0x7A,
0xDB, 0x0D, 0x96, 0x9F, 0xB7, 0xA2, 0xB7, 0x57
};
return aes_xts_inplace_test_common(aes,
k3, sizeof(k3), i3, sizeof(i3),
+6 -6
@@ -2725,7 +2725,7 @@ impl Drop for XTS {
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x21,
/// ];
/// let tweak: [u8; 16] = [
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
@@ -2739,11 +2739,11 @@ impl Drop for XTS {
/// 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
/// ];
/// let expected_cipher: [u8; 40] = [
/// 0xA2, 0x07, 0x47, 0x76, 0x3F, 0xEC, 0x0C, 0x23,
/// 0x1B, 0xD0, 0xBD, 0x46, 0x9A, 0x27, 0x38, 0x12,
/// 0x95, 0x02, 0x3D, 0x5D, 0xC6, 0x94, 0x51, 0x36,
/// 0xA0, 0x85, 0xD2, 0x69, 0x6E, 0x87, 0x0A, 0xBF,
/// 0xB5, 0x5A, 0xDD, 0xCB, 0x80, 0xE0, 0xFC, 0xCD
/// 0x39, 0x06, 0xE7, 0xF3, 0x33, 0x0B, 0x1B, 0x1D,
/// 0x2B, 0x11, 0xB0, 0xB7, 0xAF, 0x43, 0xB1, 0x8F,
/// 0xE6, 0xBE, 0x79, 0x34, 0xBD, 0x31, 0x64, 0x3D,
/// 0xA1, 0x16, 0xB5, 0xF0, 0x9B, 0x1D, 0x41, 0xF2,
/// 0x3F, 0xED, 0x11, 0x37, 0xCB, 0x4D, 0xAD, 0xA4
/// ];
///
/// let mut xtsstream = XTSStream::new().expect("Failed to create XTSStream");