Commit 9aea359

crypto: seqiv - flag instantiations as FIPS compliant
feature FIPS enablement
commit-author Vladis Dronov <vdronov@redhat.com>
commit e3a5a100a7dcd102b45f6b402f3d8b6a3ceabc1c
commit-source https://gitlab.com/cki-project/kernel-ark.git

JIRA: https://issues.redhat.com/browse/RHEL-54183
Upstream Status: RHEL only

Forwardport of 45e87c3 ("crypto: seqiv - flag instantiations as FIPS compliant") from C9S. This patch has no chances to be accepted upstream, see the commit message below.

Author: Nicolai Stange <nstange@suse.de>

crypto: seqiv - flag instantiations as FIPS compliant

For gcm(aes) with external IV generation, FIPS 140-3 requires the verification of all external IV generation operations in order to ensure the uniqueness of the IV (see IG C.H). This is being deemed unfeasible and thus, only internal IV generation, i.e. wrapping gcm(aes) with seqiv(), can effectively be considered as approved.

The standard approach would be to disallow plain gcm(aes) and to only allow seqiv(gcm(aes)) in FIPS mode. However, there are quite some plain gcm(aes) usage sites in the kernel: a quick grep reveals samba, macsec, ceph, mac80211, tipc, tls, etc. and breaking these in FIPS mode would be highly undesirable. It might perhaps be possible to convert some of these to seqiv(gcm(aes)), but for some others it might be entirely impossible due to e.g. protocol constraints.

For the time being, an alternative approach has been proposed as a workaround: make seqiv() set a new flag, CRYPTO_TFM_FIPS_COMPLIANCE, on the transforms and document that in the particular case of gcm(aes), callers must check for this flag in order to determine FIPS compliance.

Implement this.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
(cherry picked from commit e3a5a100a7dcd102b45f6b402f3d8b6a3ceabc1c)
Signed-off-by: Sultan Alsawaf <sultan@ciq.com>

1 parent 3eaf992 commit 9aea359

2 files changed: +16 -1 lines changed

crypto/seqiv.c

Lines changed: 14 additions & 1 deletion
@@ -132,6 +132,19 @@ static int seqiv_aead_decrypt(struct aead_request *req)
132132
return crypto_aead_decrypt(subreq);
133133
}
134134

135+
static int aead_init_seqiv(struct crypto_aead *aead)
136+
{
137+
int err;
138+
139+
err = aead_init_geniv(aead);
140+
if (err)
141+
return err;
142+
143+
crypto_aead_set_flags(aead, CRYPTO_TFM_FIPS_COMPLIANCE);
144+
145+
return 0;
146+
}
147+
135148
static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
136149
{
137150
struct aead_instance *inst;
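
Review bot: aead_init_seqiv() sets CRYPTO_TFM_FIPS_COMPLIANCE unconditionally on every seqiv() instance once aead_init_geniv() succeeds, with no check of the wrapped algorithm, so the flag will also appear on seqiv() wrappers around AEADs other than gcm(aes). The commit message says the meaning of the flag is to be documented for the gcm(aes) case, but the new function carries no comment. Suggest a comment above aead_init_seqiv() stating that the flag only records that the IV is generated internally by seqiv, and that gcm(aes) callers must test it (for example with crypto_aead_get_flags()) before treating the transform as approved.
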
@@ -149,7 +162,7 @@ static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
149162
inst->alg.encrypt = seqiv_aead_encrypt;
150163
inst->alg.decrypt = seqiv_aead_decrypt;
151164

152-
inst->alg.init = aead_init_geniv;
165+
inst->alg.init = aead_init_seqiv;
153166
inst->alg.exit = aead_exit_geniv;
154167

155168
inst->alg.base.cra_ctxsize = sizeof(struct aead_geniv_ctx);

include/linux/crypto.h

Lines changed: 2 additions & 0 deletions
@@ -135,6 +135,8 @@
135135
#define CRYPTO_TFM_REQ_MAY_BACKLOG 0x00000400
136136
#define CRYPTO_TFM_REQ_NEED_RESEED 0x00000800
137137

138+
#define CRYPTO_TFM_FIPS_COMPLIANCE 0x80000000
139+
138140
/*
139141
* Miscellaneous stuff.
140142
*/
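
Review bot: CRYPTO_TFM_FIPS_COMPLIANCE is added directly below the CRYPTO_TFM_REQ_* request flags with no comment, although it is a status bit set by the seqiv template's init rather than something a caller requests. Since the commit message relies on callers checking this flag for gcm(aes), the define is the natural place for that documentation: a short comment saying who sets it, what it asserts (internal IV generation via seqiv()), and that it is a RHEL-only allocation would also warn future backports that 0x80000000 must not collide with flag bits added upstream.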
