aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJarod Wilson <jarod@redhat.com>2009-05-27 01:10:21 -0400
committerHerbert Xu <herbert@gondor.apana.org.au>2009-06-02 00:04:57 -0400
commit4e033a6bc70f094d36128c328f6ca725c6ca4b4c (patch)
treee400f6b98c48b4ec935e41ab070c1efbabe71068
parent3ce858cb04de8bc83449eac707c8012a1944daca (diff)
crypto: tcrypt - Do not exit on success in fips mode
At present, the tcrypt module always exits with an -EAGAIN upon successfully completing all the tests its been asked to run. In fips mode, integrity checking is done by running all self-tests from the initrd, and its much simpler to check the ret from modprobe for success than to scrape dmesg and/or /proc/crypto. Simply stay loaded, giving modprobe a retval of 0, if self-tests all pass and we're in fips mode. A side-effect of tracking success/failure for fips mode is that in non-fips mode, self-test failures will return the actual failure return codes, rather than always returning -EAGAIN, which seems more correct anyway. The tcrypt_test() portion of the patch is dependent on my earlier pair of patches that skip non-fips algs in fips mode, at least to achieve the fully intended behavior. Nb: testing this patch against the cryptodev tree revealed a test failure for sha384, which I have yet to look into... Signed-off-by: Jarod Wilson <jarod@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/tcrypt.c164
1 files changed, 90 insertions, 74 deletions
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 9e4974eb7825..d59ba5079d14 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -27,6 +27,7 @@
27#include <linux/timex.h> 27#include <linux/timex.h>
28#include <linux/interrupt.h> 28#include <linux/interrupt.h>
29#include "tcrypt.h" 29#include "tcrypt.h"
30#include "internal.h"
30 31
31/* 32/*
32 * Need slab memory for testing (size in number of pages). 33 * Need slab memory for testing (size in number of pages).
@@ -468,248 +469,255 @@ static void test_available(void)
468 469
469static inline int tcrypt_test(const char *alg) 470static inline int tcrypt_test(const char *alg)
470{ 471{
471 return alg_test(alg, alg, 0, 0); 472 int ret;
473
474 ret = alg_test(alg, alg, 0, 0);
475 /* non-fips algs return -EINVAL in fips mode */
476 if (fips_enabled && ret == -EINVAL)
477 ret = 0;
478 return ret;
472} 479}
473 480
474static void do_test(int m) 481static int do_test(int m)
475{ 482{
476 int i; 483 int i;
484 int ret = 0;
477 485
478 switch (m) { 486 switch (m) {
479 case 0: 487 case 0:
480 for (i = 1; i < 200; i++) 488 for (i = 1; i < 200; i++)
481 do_test(i); 489 ret += do_test(i);
482 break; 490 break;
483 491
484 case 1: 492 case 1:
485 tcrypt_test("md5"); 493 ret += tcrypt_test("md5");
486 break; 494 break;
487 495
488 case 2: 496 case 2:
489 tcrypt_test("sha1"); 497 ret += tcrypt_test("sha1");
490 break; 498 break;
491 499
492 case 3: 500 case 3:
493 tcrypt_test("ecb(des)"); 501 ret += tcrypt_test("ecb(des)");
494 tcrypt_test("cbc(des)"); 502 ret += tcrypt_test("cbc(des)");
495 break; 503 break;
496 504
497 case 4: 505 case 4:
498 tcrypt_test("ecb(des3_ede)"); 506 ret += tcrypt_test("ecb(des3_ede)");
499 tcrypt_test("cbc(des3_ede)"); 507 ret += tcrypt_test("cbc(des3_ede)");
500 break; 508 break;
501 509
502 case 5: 510 case 5:
503 tcrypt_test("md4"); 511 ret += tcrypt_test("md4");
504 break; 512 break;
505 513
506 case 6: 514 case 6:
507 tcrypt_test("sha256"); 515 ret += tcrypt_test("sha256");
508 break; 516 break;
509 517
510 case 7: 518 case 7:
511 tcrypt_test("ecb(blowfish)"); 519 ret += tcrypt_test("ecb(blowfish)");
512 tcrypt_test("cbc(blowfish)"); 520 ret += tcrypt_test("cbc(blowfish)");
513 break; 521 break;
514 522
515 case 8: 523 case 8:
516 tcrypt_test("ecb(twofish)"); 524 ret += tcrypt_test("ecb(twofish)");
517 tcrypt_test("cbc(twofish)"); 525 ret += tcrypt_test("cbc(twofish)");
518 break; 526 break;
519 527
520 case 9: 528 case 9:
521 tcrypt_test("ecb(serpent)"); 529 ret += tcrypt_test("ecb(serpent)");
522 break; 530 break;
523 531
524 case 10: 532 case 10:
525 tcrypt_test("ecb(aes)"); 533 ret += tcrypt_test("ecb(aes)");
526 tcrypt_test("cbc(aes)"); 534 ret += tcrypt_test("cbc(aes)");
527 tcrypt_test("lrw(aes)"); 535 ret += tcrypt_test("lrw(aes)");
528 tcrypt_test("xts(aes)"); 536 ret += tcrypt_test("xts(aes)");
529 tcrypt_test("ctr(aes)"); 537 ret += tcrypt_test("ctr(aes)");
530 tcrypt_test("rfc3686(ctr(aes))"); 538 ret += tcrypt_test("rfc3686(ctr(aes))");
531 break; 539 break;
532 540
533 case 11: 541 case 11:
534 tcrypt_test("sha384"); 542 ret += tcrypt_test("sha384");
535 break; 543 break;
536 544
537 case 12: 545 case 12:
538 tcrypt_test("sha512"); 546 ret += tcrypt_test("sha512");
539 break; 547 break;
540 548
541 case 13: 549 case 13:
542 tcrypt_test("deflate"); 550 ret += tcrypt_test("deflate");
543 break; 551 break;
544 552
545 case 14: 553 case 14:
546 tcrypt_test("ecb(cast5)"); 554 ret += tcrypt_test("ecb(cast5)");
547 break; 555 break;
548 556
549 case 15: 557 case 15:
550 tcrypt_test("ecb(cast6)"); 558 ret += tcrypt_test("ecb(cast6)");
551 break; 559 break;
552 560
553 case 16: 561 case 16:
554 tcrypt_test("ecb(arc4)"); 562 ret += tcrypt_test("ecb(arc4)");
555 break; 563 break;
556 564
557 case 17: 565 case 17:
558 tcrypt_test("michael_mic"); 566 ret += tcrypt_test("michael_mic");
559 break; 567 break;
560 568
561 case 18: 569 case 18:
562 tcrypt_test("crc32c"); 570 ret += tcrypt_test("crc32c");
563 break; 571 break;
564 572
565 case 19: 573 case 19:
566 tcrypt_test("ecb(tea)"); 574 ret += tcrypt_test("ecb(tea)");
567 break; 575 break;
568 576
569 case 20: 577 case 20:
570 tcrypt_test("ecb(xtea)"); 578 ret += tcrypt_test("ecb(xtea)");
571 break; 579 break;
572 580
573 case 21: 581 case 21:
574 tcrypt_test("ecb(khazad)"); 582 ret += tcrypt_test("ecb(khazad)");
575 break; 583 break;
576 584
577 case 22: 585 case 22:
578 tcrypt_test("wp512"); 586 ret += tcrypt_test("wp512");
579 break; 587 break;
580 588
581 case 23: 589 case 23:
582 tcrypt_test("wp384"); 590 ret += tcrypt_test("wp384");
583 break; 591 break;
584 592
585 case 24: 593 case 24:
586 tcrypt_test("wp256"); 594 ret += tcrypt_test("wp256");
587 break; 595 break;
588 596
589 case 25: 597 case 25:
590 tcrypt_test("ecb(tnepres)"); 598 ret += tcrypt_test("ecb(tnepres)");
591 break; 599 break;
592 600
593 case 26: 601 case 26:
594 tcrypt_test("ecb(anubis)"); 602 ret += tcrypt_test("ecb(anubis)");
595 tcrypt_test("cbc(anubis)"); 603 ret += tcrypt_test("cbc(anubis)");
596 break; 604 break;
597 605
598 case 27: 606 case 27:
599 tcrypt_test("tgr192"); 607 ret += tcrypt_test("tgr192");
600 break; 608 break;
601 609
602 case 28: 610 case 28:
603 611
604 tcrypt_test("tgr160"); 612 ret += tcrypt_test("tgr160");
605 break; 613 break;
606 614
607 case 29: 615 case 29:
608 tcrypt_test("tgr128"); 616 ret += tcrypt_test("tgr128");
609 break; 617 break;
610 618
611 case 30: 619 case 30:
612 tcrypt_test("ecb(xeta)"); 620 ret += tcrypt_test("ecb(xeta)");
613 break; 621 break;
614 622
615 case 31: 623 case 31:
616 tcrypt_test("pcbc(fcrypt)"); 624 ret += tcrypt_test("pcbc(fcrypt)");
617 break; 625 break;
618 626
619 case 32: 627 case 32:
620 tcrypt_test("ecb(camellia)"); 628 ret += tcrypt_test("ecb(camellia)");
621 tcrypt_test("cbc(camellia)"); 629 ret += tcrypt_test("cbc(camellia)");
622 break; 630 break;
623 case 33: 631 case 33:
624 tcrypt_test("sha224"); 632 ret += tcrypt_test("sha224");
625 break; 633 break;
626 634
627 case 34: 635 case 34:
628 tcrypt_test("salsa20"); 636 ret += tcrypt_test("salsa20");
629 break; 637 break;
630 638
631 case 35: 639 case 35:
632 tcrypt_test("gcm(aes)"); 640 ret += tcrypt_test("gcm(aes)");
633 break; 641 break;
634 642
635 case 36: 643 case 36:
636 tcrypt_test("lzo"); 644 ret += tcrypt_test("lzo");
637 break; 645 break;
638 646
639 case 37: 647 case 37:
640 tcrypt_test("ccm(aes)"); 648 ret += tcrypt_test("ccm(aes)");
641 break; 649 break;
642 650
643 case 38: 651 case 38:
644 tcrypt_test("cts(cbc(aes))"); 652 ret += tcrypt_test("cts(cbc(aes))");
645 break; 653 break;
646 654
647 case 39: 655 case 39:
648 tcrypt_test("rmd128"); 656 ret += tcrypt_test("rmd128");
649 break; 657 break;
650 658
651 case 40: 659 case 40:
652 tcrypt_test("rmd160"); 660 ret += tcrypt_test("rmd160");
653 break; 661 break;
654 662
655 case 41: 663 case 41:
656 tcrypt_test("rmd256"); 664 ret += tcrypt_test("rmd256");
657 break; 665 break;
658 666
659 case 42: 667 case 42:
660 tcrypt_test("rmd320"); 668 ret += tcrypt_test("rmd320");
661 break; 669 break;
662 670
663 case 43: 671 case 43:
664 tcrypt_test("ecb(seed)"); 672 ret += tcrypt_test("ecb(seed)");
665 break; 673 break;
666 674
667 case 44: 675 case 44:
668 tcrypt_test("zlib"); 676 ret += tcrypt_test("zlib");
669 break; 677 break;
670 678
671 case 45: 679 case 45:
672 tcrypt_test("rfc4309(ccm(aes))"); 680 ret += tcrypt_test("rfc4309(ccm(aes))");
673 break; 681 break;
674 682
675 case 100: 683 case 100:
676 tcrypt_test("hmac(md5)"); 684 ret += tcrypt_test("hmac(md5)");
677 break; 685 break;
678 686
679 case 101: 687 case 101:
680 tcrypt_test("hmac(sha1)"); 688 ret += tcrypt_test("hmac(sha1)");
681 break; 689 break;
682 690
683 case 102: 691 case 102:
684 tcrypt_test("hmac(sha256)"); 692 ret += tcrypt_test("hmac(sha256)");
685 break; 693 break;
686 694
687 case 103: 695 case 103:
688 tcrypt_test("hmac(sha384)"); 696 ret += tcrypt_test("hmac(sha384)");
689 break; 697 break;
690 698
691 case 104: 699 case 104:
692 tcrypt_test("hmac(sha512)"); 700 ret += tcrypt_test("hmac(sha512)");
693 break; 701 break;
694 702
695 case 105: 703 case 105:
696 tcrypt_test("hmac(sha224)"); 704 ret += tcrypt_test("hmac(sha224)");
697 break; 705 break;
698 706
699 case 106: 707 case 106:
700 tcrypt_test("xcbc(aes)"); 708 ret += tcrypt_test("xcbc(aes)");
701 break; 709 break;
702 710
703 case 107: 711 case 107:
704 tcrypt_test("hmac(rmd128)"); 712 ret += tcrypt_test("hmac(rmd128)");
705 break; 713 break;
706 714
707 case 108: 715 case 108:
708 tcrypt_test("hmac(rmd160)"); 716 ret += tcrypt_test("hmac(rmd160)");
709 break; 717 break;
710 718
711 case 150: 719 case 150:
712 tcrypt_test("ansi_cprng"); 720 ret += tcrypt_test("ansi_cprng");
713 break; 721 break;
714 722
715 case 200: 723 case 200:
@@ -873,6 +881,8 @@ static void do_test(int m)
873 test_available(); 881 test_available();
874 break; 882 break;
875 } 883 }
884
885 return ret;
876} 886}
877 887
878static int __init tcrypt_mod_init(void) 888static int __init tcrypt_mod_init(void)
@@ -886,15 +896,21 @@ static int __init tcrypt_mod_init(void)
886 goto err_free_tv; 896 goto err_free_tv;
887 } 897 }
888 898
889 do_test(mode); 899 err = do_test(mode);
900 if (err) {
901 printk(KERN_ERR "tcrypt: one or more tests failed!\n");
902 goto err_free_tv;
903 }
890 904
891 /* We intentionaly return -EAGAIN to prevent keeping 905 /* We intentionaly return -EAGAIN to prevent keeping the module,
892 * the module. It does all its work from init() 906 * unless we're running in fips mode. It does all its work from
893 * and doesn't offer any runtime functionality 907 * init() and doesn't offer any runtime functionality, but in
908 * the fips case, checking for a successful load is helpful.
894 * => we don't need it in the memory, do we? 909 * => we don't need it in the memory, do we?
895 * -- mludvig 910 * -- mludvig
896 */ 911 */
897 err = -EAGAIN; 912 if (!fips_enabled)
913 err = -EAGAIN;
898 914
899err_free_tv: 915err_free_tv:
900 for (i = 0; i < TVMEMSIZE && tvmem[i]; i++) 916 for (i = 0; i < TVMEMSIZE && tvmem[i]; i++)