From 6823004d49fad72ccc5a8933cbf8443f08371584 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer
Date: Wed, 6 Nov 2024 13:12:11 +0100
Subject: [PATCH] fips update: Dynamically update service indicator based on IV usage

Fix handling to differentiate if the call to AES-GCM encryption API was approved or not. If the IV was set externally, it's non-approved, otherwise with internal IV it's approved.

Signed-off-by: Joerg Schmidbauer
---
 src/s390_crypto.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index 623864b..29f2b29 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -30,6 +30,8 @@
 #include "init.h"
 #include "s390_crypto.h"
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
+
 unsigned long long facility_bits[3];
 unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch,
 des_switch, tdes_switch, aes128_switch, aes192_switch, aes256_switch,
@@ -814,6 +816,15 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
 indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
 indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
 indicator_list[i].fips_override = fips_override(icaList[i].mech_mode_id);
+ if (icaList[i].mech_mode_id == AES_GCM || icaList[i].mech_mode_id == AES_GCM_KMA) {
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
+ indicator_list[i].fips_approved = 0;
+ indicator_list[i].fips_override = 1;
+ } else {
+ indicator_list[i].fips_approved = 1;
+ indicator_list[i].fips_override = 0;
+ }
+ }
 }
 return 0;
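Review bot: The else branch in the second hunk unconditionally sets fips_approved to 1 and fips_override to 0 for AES_GCM and AES_GCM_KMA, discarding whatever fips_approved() and fips_override() returned two lines earlier, so if those helpers can report the mechanism as non-approved or overridden for some other reason the new branch masks it. Dropping the else and keeping only `if (ica_external_gcm_iv_in_fips_mode_allowed) { indicator_list[i].fips_approved = 0; indicator_list[i].fips_override = 1; }` preserves the base classification and only downgrades GCM when external IVs are enabled. The decision also keys off the process-global "allowed" flag rather than whether an external IV was actually supplied on any call, so the indicator is a policy snapshot at query time, which the commit message's "based on IV usage" wording somewhat overstates; a comment on the outer if such as `/* external GCM IVs enabled: report GCM as non-approved/override, independent of the IV source of individual calls */` would make that explicit. In the first hunk the `extern int ica_external_gcm_iv_in_fips_mode_allowed;` declaration would be better placed in the header of the module that defines the variable than in s390_crypto.c, so definition and declaration are type-checked together. The body of s390_get_fips_indicator starts before the hunk.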