| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Mar 2023 18:02:33 +0100
From: Vladis Dronov <vdronov@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
Stephan Mueller <smueller@...onox.de>
Cc: Nicolai Stange <nstange@...e.de>, linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org, Vladis Dronov <vdronov@...hat.com>
Subject: [PATCH] crypto: jitter - panic on runtime health test failures in FIPS mode
A FIPS certification lab has noted that the kernel doesn't go to error
state upon failure of the RCT and APT health tests. Add a panic() call
in FIPS mode to jent_kcapi_random().
Revert b454fb702515 ("crypto: jitter - don't limit ->health_failure
check to FIPS mode") for this partially.
Signed-off-by: Vladis Dronov <vdronov@...hat.com>
---
crypto/jitterentropy-kcapi.c | 8 ++++++++
crypto/jitterentropy.h | 1 +
2 files changed, 9 insertions(+)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 2d115bec15ae..9c692119d926 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -37,6 +37,7 @@
* DAMAGE.
*/
+#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
@@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
kfree_sensitive(ptr);
}
+int jent_fips_enabled(void)
+{
+ return fips_enabled;
+}
+
void jent_panic(char *s)
{
panic("%s", s);
@@ -140,6 +146,8 @@ static int jent_kcapi_random(struct crypto_rng *tfm,
/* Return a permanent error in case we had too many resets in a row. */
if (rng->reset_cnt > (1<<10)) {
+ if (jent_fips_enabled())
+ jent_panic("jitterentropy: Too many RCT/APT health test failures\n");
ret = -EFAULT;
goto out;
}
diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h
index b7397b617ef0..c83fff32d130 100644
--- a/crypto/jitterentropy.h
+++ b/crypto/jitterentropy.h
@@ -2,6 +2,7 @@
extern void *jent_zalloc(unsigned int len);
extern void jent_zfree(void *ptr);
+extern int jent_fips_enabled(void);
extern void jent_panic(char *s);
extern void jent_memcpy(void *dest, const void *src, unsigned int n);
extern void jent_get_nstime(__u64 *out);
--
2.39.2
Powered by blists - more mailing lists