From: Jeff Barnes
Date: Thu, 23 Apr 2026 11:21:41 -0400
Subject: [PATCH v2] crypto: testmgr - disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
Message-Id: <20260423-disallow_rsa_sha1_signing_in_fips_mode-v2-1-a5fe72dd8a71@linux.microsoft.com>
To: Herbert Xu, "David S. Miller", Maxime Coquelin, Alexandre Torgue
Cc: linux-crypto@vger.kernel.org, linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Jeff Barnes

When booted with fips=1, RSA signature generation using SHA-1 must not be
available. However, pkcs1pad(rsa,sha1) can currently be instantiated because
it is not present in alg_test_descs; alg_test() falls through the no_test
path and succeeds, after which the algorithm appears in /proc/crypto as
fips-capable.

Add explicit alg_test_descs entries for pkcs1pad(rsa,sha1) and
pkcs1(rsa,sha1) without marking them fips_allowed, so they are treated as not
FIPS-allowed when fips=1 is enabled.

Include both names to cover kernels where RSA sign/verify is provided via the
pkcs1(...) signature template, while pkcs1pad(...) remains for the
traditional wrapper naming and/or RSAES operations.
Signed-off-by: Jeff Barnes
---
This series fixes an issue where SHA-1 RSA signature generation remains
available when booted with fips=1.

On a FIPS-enabled system, pkcs1pad(rsa,sha1) can be instantiated even though
SHA-1 must not be available for signature generation. The reason is that the
algorithm is not listed in crypto/testmgr.c's alg_test_descs, so alg_test()
falls through the no_test path and succeeds. Once instantiated, /proc/crypto
reports the algorithm as "fips: yes".

This patch adds explicit alg_test_descs entries for:
- pkcs1pad(rsa,sha1)
- pkcs1(rsa,sha1)
without setting fips=1, so they are treated as not FIPS-allowed in FIPS mode.

Both names are covered to handle kernels where RSA signature operations are
provided via the pkcs1(...) signature template, while pkcs1pad(...) remains
for the historical wrapper naming and/or RSAES operations.

Reproducer / evidence (current behavior):
1) Boot with fips=1 (confirm /proc/sys/crypto/fips_enabled == 1)
2) Allocate the transform: crypto_alloc_akcipher("pkcs1pad(rsa,sha1)", 0, 0)
3) Observe that /proc/crypto now contains:
   name     : pkcs1pad(rsa,sha1)
   fips     : yes
   selftest : passed
4) A simple in-kernel demo module can instantiate the transform and reach the
   signing path in FIPS mode.

With this change, attempts to instantiate these SHA-1 RSA signing templates in
FIPS mode are rejected, preventing SHA-1 signature generation in approved
mode.

Thanks for taking a look.
---
Changes in v2:
- Rewrap commit message body to conform to 75-column limit
- Fix From/Signed-off-by address mismatch

Link to v1: https://lore.kernel.org/r/20260422-disallow_rsa_sha1_signing_in_fips_mode-v1-1-1359bc7d41be@microsoft.com
---
 crypto/testmgr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 30671e7bc349..e54d298a26c1 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5306,6 +5306,9 @@ static const struct alg_test_desc alg_test_descs[] = { .suite = { .sig = __VECS(pkcs1_rsa_none_tv_template) } + }, { + .alg = "pkcs1(rsa,sha1)", + .test = alg_test_null, }, { .alg = "pkcs1(rsa,sha224)", .test = alg_test_null, @@ -5341,6 +5344,9 @@ static const struct alg_test_desc alg_test_descs[] = { .alg = "pkcs1pad(rsa)", .test = alg_test_null, .fips_allowed = 1, + }, { + .alg = "pkcs1pad(rsa,sha1)", + .test = alg_test_null, }, { .alg = "rfc3686(ctr(aes))", .generic_driver = "rfc3686(ctr(aes-lib))", --- base-commit: 8879a3c110cb8ca5a69c937643f226697aa551d9 change-id: 20260422-disallow_rsa_sha1_signing_in_fips_mode-8fbb6229ad54 Best regards, -- Jeff Barnes
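Review bot: The new `.alg = "pkcs1(rsa,sha1)"` entry in the first hunk (with `.test = alg_test_null` and no `.fips_allowed`) makes alg_test() refuse the whole template under fips=1, so SHA-1 RSA verification is rejected alongside signing, while the commit message only motivates blocking signature generation; please say explicitly in the commit message that verification with this template is also refused in FIPS mode, so reviewers can confirm the wider effect is intended. On placement, "pkcs1(rsa,sha1)" sorts before the neighbouring "pkcs1(rsa,sha224)", so the alphabetical ordering testmgr expects for alg_test_descs is preserved.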
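Review bot: In the second hunk the new `.alg = "pkcs1pad(rsa,sha1)"` entry sits directly under `.alg = "pkcs1pad(rsa)"` / `.fips_allowed = 1`, and the only thing that distinguishes it is the absent flag; add a one-line comment on the new entry (e.g. `/* SHA-1 signatures are not FIPS-approved; deliberately not fips_allowed */`) so a later cleanup does not "complete" it by copying the flag from its neighbour. The ordering is fine: ')' sorts before ',' so "pkcs1pad(rsa)" correctly precedes "pkcs1pad(rsa,sha1)", which in turn precedes "rfc3686(ctr(aes))".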
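A check an auditor can run against reproducer step 3 above, added here as an example and not part of Jeff's patch or the kernel tree: it walks a /proc/crypto listing record by record and prints the PKCS#1 SHA-1 RSA signature templates that report "fips : yes", ignoring SHA-1 uses that stay approved (bare sha1, hmac(sha1)). The sample listing is constructed, not captured from a real machine.

```shell
# Print the RSA PKCS#1 SHA-1 signature templates that a /proc/crypto listing
# reports as "fips : yes". /proc/crypto is a sequence of blank-line separated
# records of "key : value" lines, so awk walks it in paragraph mode (RS = "").
# Usage on a live system: sha1_fips_entries /proc/crypto (no argument reads
# stdin). An empty result means the templates are not FIPS-capable.
sha1_fips_entries() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; fips = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, /[ \t]*:[ \t]*/)
            if (kv[1] == "name") name = kv[2]
            else if (kv[1] == "fips") fips = kv[2]
        }
        # Only the two signature templates named in the patch matter here;
        # hmac(sha1) and bare sha1 remain FIPS-approved and are not flagged.
        if (fips == "yes" && name ~ /^pkcs1(pad)?\(rsa,sha1\)$/) print name
    }' "$@"
}

# Constructed /proc/crypto excerpt (not captured from a real system) showing
# the pre-patch state: the SHA-1 signing template claims FIPS capability.
sample_listing() {
    cat <<'EOF'
name         : pkcs1pad(rsa,sha1)
driver       : pkcs1pad(rsa-generic,sha1-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
fips         : yes
type         : akcipher

name         : pkcs1pad(rsa,sha256)
driver       : pkcs1pad(rsa-generic,sha256-generic)
fips         : yes
type         : akcipher

name         : hmac(sha1)
driver       : hmac(sha1-generic)
fips         : yes
type         : shash
EOF
}

sample_listing | sha1_fips_entries    # prints pkcs1pad(rsa,sha1)
```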