crypto: seqiv - flag instantiations as FIPS compliant

nefigtut · kerneltoast · commit 6a04345b766b · 2025-09-15T15:39:05.000-07:00
JIRA: https://issues.redhat.com/browse/RHEL-54183 Upstream Status: RHEL only Forwardport of 45e87c3 ("crypto: seqiv - flag instantiations as FIPS compliant") from C9S. This patch has no chances to be accepted upstream, see the commit message below. Author: Nicolai Stange <nstange@suse.de> crypto: seqiv - flag instantiations as FIPS compliant For gcm(aes) with external IV generation, FIPS 140-3 requires the verification of all external IV generation operations in order to ensure the uniqueness of the IV (see IG C.H). This is being deemed unfeasible and thus, only internal IV generation, i.e. wrapping gcm(aes) with seqiv(), can effectively be considered as approved. The standard approach would be to disallow plain gcm(aes) and to only allow seqiv(gcm(aes)) in FIPS mode. However, there are quite some plain gcm(aes) usage sites in the kernel: a quick grep reveals samba, macsec, ceph, mac80211, tipc, tls, etc. and breaking these in FIPS mode would be highly undesirable. It might perhaps be possible to convert some of these to seqiv(gcm(aes)), but for some others it might be entirely impossible due to e.g. protocol constraints. For the time being, an alternative approach has been proposed as a workaround: make seqiv() set a new flag, CRYPTO_TFM_FIPS_COMPLIANCE, on the transforms and document that in the particular case of gcm(aes), callers must check for this flag in order to determine FIPS compliance. Implement this. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
diff --git a/crypto/seqiv.c b/crypto/seqiv.c
@@ -132,6 +132,19 @@ static int seqiv_aead_decrypt(struct aead_request *req)
 	return crypto_aead_decrypt(subreq);
 }
 
+static int aead_init_seqiv(struct crypto_aead *aead)
+{
+	int err;
+
+	err = aead_init_geniv(aead);
+	if (err)
+		return err;
+
+	crypto_aead_set_flags(aead, CRYPTO_TFM_FIPS_COMPLIANCE);
+
+	return 0;
+}
+
 static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
 {
 	struct aead_instance *inst;
@@ -149,7 +162,7 @@ static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
 	inst->alg.encrypt = seqiv_aead_encrypt;
 	inst->alg.decrypt = seqiv_aead_decrypt;
 
-	inst->alg.init = aead_init_geniv;
+	inst->alg.init = aead_init_seqiv;
 	inst->alg.exit = aead_exit_geniv;
 
 	inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx);
diff --git a/include/linux/crypto.h b/include/linux/crypto.h
@@ -135,6 +135,8 @@
 #define CRYPTO_TFM_REQ_MAY_BACKLOG	0x00000400
 #define CRYPTO_TFM_REQ_NEED_RESEED	0x00000800
 
+#define CRYPTO_TFM_FIPS_COMPLIANCE	0x80000000
+
 /*
  * Miscellaneous stuff.
  */
