crypto: testmgr - Restore sha384 and hmac_sha384 drbgs in FIPS mode

Set .fips_allowed in the following drbg alg_test_desc structs.

drbg_nopr_hmac_sha384
drbg_nopr_sha384
drbg_pr_hmac_sha384
drbg_pr_sha384

The sha384 and hmac_sha384 DRBGs with and without prediction resistance
were disallowed in an early version of the FIPS 140-3 Implementation
Guidance document. Hence, the fips_allowed flag in struct alg_test_desc
pertaining to the affected DRBGs was unset. The IG has been withdrawn
and they are allowed again.

Furthermore, when the DRBGs are configured, /proc/crypto shows that
drbg_*pr_sha384 and drbg_*pr_hmac_sha384 are fips-approved ("fips: yes")
but because their self-tests are not run (a consequence of unsetting
the fips_allowed flag), the drbgs won't load successfully with the seeming
contradictory "fips: yes" in /proc/crypto.

This series contains a single patch that sets the fips_allowed flag in
the sha384-impacted DRBGs, which restores the ability to load them in
FIPS mode.

Link: https://lore.kernel.org/linux-crypto/979f4f6f-bb74-4b93-8cbf-6ed653604f0e@jvdsn.com/
Link: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
To: Herbert Xu <herbert@gondor.apana.org.au>
To: David S. Miller <davem@davemloft.net>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Jeff Barnes <jeffbarnes@linux.microsoft.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index a4ad939e03c9eaccdadab76f3fd2d0fc55d7b757..196509c44d47a1af3d0e6ca0a195ec131a29f11d 100644 (file)
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4735,6 +4735,7 @@ static const struct alg_test_desc alg_test_descs[] = {
                 */
                .alg = "drbg_nopr_hmac_sha384",
                .test = alg_test_null,
+               .fips_allowed = 1
        }, {
                .alg = "drbg_nopr_hmac_sha512",
                .test = alg_test_drbg,
@@ -4753,6 +4754,7 @@ static const struct alg_test_desc alg_test_descs[] = {
                /* covered by drbg_nopr_sha256 test */
                .alg = "drbg_nopr_sha384",
                .test = alg_test_null,
+               .fips_allowed = 1
        }, {
                .alg = "drbg_nopr_sha512",
                .fips_allowed = 1,
@@ -4784,6 +4786,7 @@ static const struct alg_test_desc alg_test_descs[] = {
                /* covered by drbg_pr_hmac_sha256 test */
                .alg = "drbg_pr_hmac_sha384",
                .test = alg_test_null,
+               .fips_allowed = 1
        }, {
                .alg = "drbg_pr_hmac_sha512",
                .test = alg_test_null,
@@ -4799,6 +4802,7 @@ static const struct alg_test_desc alg_test_descs[] = {
                /* covered by drbg_pr_sha256 test */
                .alg = "drbg_pr_sha384",
                .test = alg_test_null,
+               .fips_allowed = 1
        }, {
                .alg = "drbg_pr_sha512",
                .fips_allowed = 1,