From: Nicolai Stange <nstange@suse.de>
Date: Thu, 29 Dec 2022 21:17:08 +0000 (+0100)
Subject: crypto: testmgr - disallow plain cbcmac(aes) in FIPS mode
X-Git-Tag: v6.3-rc1~163^2~140
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ce94a8c2c3721be1d9bc85fd38fc8c520aa37d6;p=thirdparty%2Flinux.git

crypto: testmgr - disallow plain cbcmac(aes) in FIPS mode

cbcmac(aes) may be used only as part of the ccm(aes) construction in FIPS
mode. Since commit d6097b8d5d55 ("crypto: api - allow algs only in specific
constructions in FIPS mode") there's support for using spawns which by
itself are marked as non-approved from approved template instantiations.
So simply mark plain cbcmac(aes) as non-approved in testmgr to block any
attempts of direct instantiations in FIPS mode.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 4476ac97baa5e..562463a77a762 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4501,7 +4501,6 @@ static const struct alg_test_desc alg_test_descs[] = {
 	}, {
 #endif
 		.alg = "cbcmac(aes)",
-		.fips_allowed = 1,
 		.test = alg_test_hash,
 		.suite = {
 			.hash = __VECS(aes_cbcmac_tv_template)