45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
|
From 6823004d49fad72ccc5a8933cbf8443f08371584 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||
|
|
Date: Wed, 6 Nov 2024 13:12:11 +0100
|
||
|
|
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
|
||
|
|
usage
|
||
|
|
|
||
|
|
Fix handling to differentiate if the call to AES-GCM encryption API was approved
|
||
|
|
or not. If the IV was set externally, it's non-approved, otherwise with internal
|
||
|
|
IV it's approved.
|
||
|
|
|
||
|
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||
|
|
---
|
||
|
|
src/s390_crypto.c | 11 +++++++++++
|
||
|
|
1 file changed, 11 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
|
||
|
|
index 623864b..29f2b29 100644
|
||
|
|
--- a/src/s390_crypto.c
|
||
|
|
+++ b/src/s390_crypto.c
|
||
|
|
@@ -30,6 +30,8 @@
|
||
|
|
#include "init.h"
|
||
|
|
#include "s390_crypto.h"
|
||
|
|
|
||
|
|
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
|
||
|
|
+
|
||
|
|
unsigned long long facility_bits[3];
|
||
|
|
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
|
||
|
|
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
|
||
|
|
@@ -814,6 +816,15 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
|
||
|
|
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
|
||
|
|
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
|
||
|
|
indicator_list[i].fips_override = fips_override(icaList[i].mech_mode_id);
|
||
|
|
+ if (icaList[i].mech_mode_id == AES_GCM || icaList[i].mech_mode_id == AES_GCM_KMA) {
|
||
|
|
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
|
||
|
|
+ indicator_list[i].fips_approved = 0;
|
||
|
|
+ indicator_list[i].fips_override = 1;
|
||
|
|
+ } else {
|
||
|
|
+ indicator_list[i].fips_approved = 1;
|
||
|
|
+ indicator_list[i].fips_override = 0;
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
|
||
|
|
return 0;
|