libica/libica-03-fips-update-Dynamically-update-service-indicator-based-on-IV-usage.patch


From 6823004d49fad72ccc5a8933cbf8443f08371584 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:12:11 +0100
Subject: [PATCH] fips update: Dynamically update service indicator based on IV
usage
Fix the handling so that it differentiates whether the call to the AES-GCM encryption API was approved
or not. If the IV was set externally, the call is non-approved; otherwise, with an internal
IV, it is approved.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
src/s390_crypto.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/s390_crypto.c b/src/s390_crypto.c
index 623864b..29f2b29 100644
--- a/src/s390_crypto.c
+++ b/src/s390_crypto.c
@@ -30,6 +30,8 @@
#include "init.h"
#include "s390_crypto.h"
+extern int ica_external_gcm_iv_in_fips_mode_allowed;
+
unsigned long long facility_bits[3];
unsigned int sha1_switch, sha256_switch, sha512_switch, sha3_switch, des_switch,
tdes_switch, aes128_switch, aes192_switch, aes256_switch,
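Review bot: The `extern int ica_external_gcm_iv_in_fips_mode_allowed;` added after the includes is a bare extern in a .c file; it should instead be declared in the header that the defining translation unit also includes (that unit is not visible here), so the definition and this use are checked against one declaration. A one-line comment at the declaration would also help, since nothing in the hunk says who writes the flag or when: `/* Set at runtime by the public API that permits external GCM IVs in FIPS mode; read by s390_get_fips_indicator(). */`. Because s390_get_fips_indicator() later in this patch derives the reported approval state of AES_GCM and AES_GCM_KMA solely from this flag, the comment should make clear that the indicator reflects whether external IVs are currently permitted, not whether a particular encryption call actually supplied one. The variable's definition and any setter are outside this hunk.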
@@ -814,6 +816,15 @@ int s390_get_fips_indicator(libica_fips_indicator_element *indicator_list,
indicator_list[i].mech_mode_id = icaList[i].mech_mode_id;
indicator_list[i].fips_approved = fips_approved(icaList[i].mech_mode_id);
indicator_list[i].fips_override = fips_override(icaList[i].mech_mode_id);
+ if (icaList[i].mech_mode_id == AES_GCM || icaList[i].mech_mode_id == AES_GCM_KMA) {
+ if (ica_external_gcm_iv_in_fips_mode_allowed) {
+ indicator_list[i].fips_approved = 0;
+ indicator_list[i].fips_override = 1;
+ } else {
+ indicator_list[i].fips_approved = 1;
+ indicator_list[i].fips_override = 0;
+ }
+ }
}
return 0;