* [PATCH v2] crypto: testmgr - disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
@ 2026-04-23 15:21 Jeff Barnes
From: Jeff Barnes @ 2026-04-23 15:21 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, Maxime Coquelin, Alexandre Torgue
Cc: linux-crypto, linux-stm32, linux-arm-kernel, linux-kernel,
Jeff Barnes
When booted with fips=1, RSA signature generation using SHA-1 must not be
available. However, pkcs1pad(rsa,sha1) can currently be instantiated
because it is not present in alg_test_descs; alg_test() falls through the
no_test path and succeeds, after which the algorithm appears in
/proc/crypto as fips-capable.
Add explicit alg_test_descs entries for pkcs1pad(rsa,sha1) and
pkcs1(rsa,sha1) without marking them fips_allowed, so they are treated as
not FIPS-allowed when fips=1 is enabled.
Include both names to cover kernels where RSA sign/verify is provided via
the pkcs1(...) signature template, while pkcs1pad(...) remains for the
traditional wrapper naming and/or RSAES operations.
Signed-off-by: Jeff Barnes <jeffbarnes@linux.microsoft.com>
---
This series fixes an issue where SHA-1 RSA signature generation remains
available when booted with fips=1.
On a FIPS-enabled system, pkcs1pad(rsa,sha1) can be instantiated even
though SHA-1 must not be available for signature generation. The reason
is that the algorithm is not listed in crypto/testmgr.c's alg_test_descs,
so alg_test() falls through the no_test path and succeeds. Once
instantiated, /proc/crypto reports the algorithm as "fips: yes".
This patch adds explicit alg_test_descs entries for:
- pkcs1pad(rsa,sha1)
- pkcs1(rsa,sha1)
without setting fips=1, so they are treated as not FIPS-allowed in
FIPS mode.
Both names are covered to handle kernels where RSA signature operations
are provided via the pkcs1(...) signature template, while pkcs1pad(...)
remains for the historical wrapper naming and/or RSAES operations.
Reproducer / evidence (current behavior):
1) Boot with fips=1 (confirm /proc/sys/crypto/fips_enabled == 1)
2) Allocate the transform:
crypto_alloc_akcipher("pkcs1pad(rsa,sha1)", 0, 0)
3) Observe that /proc/crypto now contains:
name : pkcs1pad(rsa,sha1)
fips : yes
selftest: passed
4) A simple in-kernel demo module can instantiate the transform and reach
the signing path in FIPS mode.
With this change, attempts to instantiate these SHA-1 RSA signing
templates in FIPS mode are rejected, preventing SHA-1 signature
generation in approved mode.
Thanks for taking a look.
---
Changes in v2:
- Rewrap commit message body to conform to 75-column limit
- Fix From/Signed-off-by address mismatch
Link to v1: https://lore.kernel.org/r/20260422-disallow_rsa_sha1_signing_in_fips_mode-v1-1-1359bc7d41be@microsoft.com
---
crypto/testmgr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 30671e7bc349..e54d298a26c1 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5306,6 +5306,9 @@ static const struct alg_test_desc alg_test_descs[] = {
.suite = {
.sig = __VECS(pkcs1_rsa_none_tv_template)
}
+ }, {
+ .alg = "pkcs1(rsa,sha1)",
+ .test = alg_test_null,
}, {
.alg = "pkcs1(rsa,sha224)",
.test = alg_test_null,
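Review bot: the new pkcs1(rsa,sha1) entry carries no comment explaining why an alg_test_null entry without .fips_allowed is deliberately present, and since the neighbouring pkcs1(rsa,sha224) entry also uses alg_test_null, a future reader may take the missing flag for an oversight and "fix" it. A one-line comment on the entry, e.g. `/* listed only so alg_test() refuses it under fips=1 */`, would record the intent the commit message describes.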
@@ -5341,6 +5344,9 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "pkcs1pad(rsa)",
.test = alg_test_null,
.fips_allowed = 1,
+ }, {
+ .alg = "pkcs1pad(rsa,sha1)",
+ .test = alg_test_null,
}, {
.alg = "rfc3686(ctr(aes))",
.generic_driver = "rfc3686(ctr(aes-lib))",
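Review bot: in the visible context the only other pkcs1pad entry is the hash-less `pkcs1pad(rsa)` (with `.fips_allowed = 1`), immediately followed by `rfc3686(ctr(aes))`, so `pkcs1pad(rsa,sha1)` becomes the sole hash-parameterised pkcs1pad name in the table. The cover letter itself says hashed names may be served by the pkcs1(...) template on current trees, so it is worth confirming that the pkcs1pad template still accepts a hash argument here; if it does not, this entry is never matched and could be dropped. A short comment on the entry stating the intent would help in either case.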
---
base-commit: 8879a3c110cb8ca5a69c937643f226697aa551d9
change-id: 20260422-disallow_rsa_sha1_signing_in_fips_mode-8fbb6229ad54
Best regards,
--
Jeff Barnes <jeffbarnes@linux.microsoft.com>
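The mechanism the commit message describes, as an added example that is not part of the patch or of the kernel's own code: a simplified user-space model of the alg_test() decision, with a constructed "before" table (no SHA-1 entries) and "after" table (SHA-1 entries present but not fips_allowed). The table contents, the struct `model_alg_desc`, and the function `model_alg_test` are assumptions for illustration; the real crypto/testmgr.c table and alg_test() contain far more. It shows why an algorithm that is simply absent from alg_test_descs is accepted even with fips=1 (the no_test path), and why adding an entry without `.fips_allowed` makes FIPS mode refuse it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of crypto/testmgr.c's alg_test_desc: only the fields
 * that matter for the FIPS gating decision.  Added example, not kernel code. */
struct model_alg_desc {
    const char *alg;
    int fips_allowed;
};

#define MODEL_DESC_COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* Constructed "before" table: the SHA-1 names are not listed at all. */
static const struct model_alg_desc before_descs[] = {
    { "pkcs1(rsa,none)",   0 },
    { "pkcs1(rsa,sha224)", 1 },
    { "pkcs1pad(rsa)",     1 },
};

/* Constructed "after" table: the SHA-1 names are listed without fips_allowed,
 * mirroring the two entries the patch adds. */
static const struct model_alg_desc after_descs[] = {
    { "pkcs1(rsa,none)",    0 },
    { "pkcs1(rsa,sha1)",    0 },   /* new: present, not fips_allowed */
    { "pkcs1(rsa,sha224)",  1 },
    { "pkcs1pad(rsa)",      1 },
    { "pkcs1pad(rsa,sha1)", 0 },   /* new: present, not fips_allowed */
};

/* Linear lookup by algorithm name; -1 when the name is not in the table. */
static int find_desc(const struct model_alg_desc *t, size_t n, const char *alg)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].alg, alg) == 0)
            return (int)i;
    return -1;
}

/* Model of the alg_test() decision described in the patch:
 *   - name absent from the table  -> "no test" path, accepted (returns 0)
 *   - name present, fips_enabled and !fips_allowed -> refused (-EINVAL)
 *   - otherwise accepted (returns 0) */
int model_alg_test(const struct model_alg_desc *t, size_t n,
                   const char *alg, int fips_enabled)
{
    int i = find_desc(t, n, alg);

    if (i < 0)
        return 0;                      /* no_test: silently passes */
    if (fips_enabled && !t[i].fips_allowed)
        return -EINVAL;                /* listed but not FIPS-allowed */
    return 0;
}

/* Named probes so the outcomes can be checked individually. */
int before_sha1_fips(void)
{
    return model_alg_test(before_descs, MODEL_DESC_COUNT(before_descs),
                          "pkcs1pad(rsa,sha1)", 1);
}

int after_sha1_fips(void)
{
    return model_alg_test(after_descs, MODEL_DESC_COUNT(after_descs),
                          "pkcs1pad(rsa,sha1)", 1);
}

int after_pkcs1_sha1_fips(void)
{
    return model_alg_test(after_descs, MODEL_DESC_COUNT(after_descs),
                          "pkcs1(rsa,sha1)", 1);
}

int after_sha224_fips(void)
{
    return model_alg_test(after_descs, MODEL_DESC_COUNT(after_descs),
                          "pkcs1(rsa,sha224)", 1);
}

int after_sha1_nonfips(void)
{
    return model_alg_test(after_descs, MODEL_DESC_COUNT(after_descs),
                          "pkcs1pad(rsa,sha1)", 0);
}

int main(void)
{
    printf("before, fips=1, pkcs1pad(rsa,sha1): %d (0 = accepted via no_test)\n",
           before_sha1_fips());
    printf("after,  fips=1, pkcs1pad(rsa,sha1): %d (-EINVAL = refused)\n",
           after_sha1_fips());
    printf("after,  fips=1, pkcs1(rsa,sha224):  %d (0 = fips_allowed)\n",
           after_sha224_fips());
    printf("after,  fips=0, pkcs1pad(rsa,sha1): %d (0 = no FIPS gating)\n",
           after_sha1_nonfips());
    return 0;
}
```

The point a defender should take from the model is that a test-manager table used as an allow-list fails open for anything it does not name: the safe-by-default behaviour is only obtained by listing the algorithm, which is exactly what the patch does.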
* Re: [PATCH v2] crypto: testmgr - disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode
From: Herbert Xu @ 2026-05-05 9:24 UTC (permalink / raw)
To: Jeff Barnes
Cc: David S. Miller, Maxime Coquelin, Alexandre Torgue, linux-crypto,
linux-stm32, linux-arm-kernel, linux-kernel
On Thu, Apr 23, 2026 at 11:21:41AM -0400, Jeff Barnes wrote:
> When booted with fips=1, RSA signature generation using SHA-1 must not be
> available. However, pkcs1pad(rsa,sha1) can currently be instantiated
> because it is not present in alg_test_descs; alg_test() falls through the
> no_test path and succeeds, after which the algorithm appears in
> /proc/crypto as fips-capable.
>
> Add explicit alg_test_descs entries for pkcs1pad(rsa,sha1) and
> pkcs1(rsa,sha1) without marking them fips_allowed, so they are treated as
> not FIPS-allowed when fips=1 is enabled.
>
> Include both names to cover kernels where RSA sign/verify is provided via
> the pkcs1(...) signature template, while pkcs1pad(...) remains for the
> traditional wrapper naming and/or RSAES operations.
>
> Signed-off-by: Jeff Barnes <jeffbarnes@linux.microsoft.com>
> ---
> This series fixes an issue where SHA-1 RSA signature generation remains
> available when booted with fips=1.
>
> On a FIPS-enabled system, pkcs1pad(rsa,sha1) can be instantiated even
> though SHA-1 must not be available for signature generation. The reason
> is that the algorithm is not listed in crypto/testmgr.c's alg_test_descs,
> so alg_test() falls through the no_test path and succeeds. Once
> instantiated, /proc/crypto reports the algorithm as "fips: yes".
>
> This patch adds explicit alg_test_descs entries for:
>
> - pkcs1pad(rsa,sha1)
> - pkcs1(rsa,sha1)
>
> without setting fips=1, so they are treated as not FIPS-allowed in
> FIPS mode.
>
> Both names are covered to handle kernels where RSA signature operations
> are provided via the pkcs1(...) signature template, while pkcs1pad(...)
> remains for the historical wrapper naming and/or RSAES operations.
>
> Reproducer / evidence (current behavior):
> 1) Boot with fips=1 (confirm /proc/sys/crypto/fips_enabled == 1)
> 2) Allocate the transform:
> crypto_alloc_akcipher("pkcs1pad(rsa,sha1)", 0, 0)
> 3) Observe that /proc/crypto now contains:
> name : pkcs1pad(rsa,sha1)
> fips : yes
> selftest: passed
> 4) A simple in-kernel demo module can instantiate the transform and reach
> the signing path in FIPS mode.
>
> With this change, attempts to instantiate these SHA-1 RSA signing
> templates in FIPS mode are rejected, preventing SHA-1 signature
> generation in approved mode.
>
> Thanks for taking a look.
> ---
> Changes in v2:
> - Rewrap commit message body to conform to 75-column limit
> - Fix From/Signed-off-by address mismatch
> Link to v1: https://lore.kernel.org/r/20260422-disallow_rsa_sha1_signing_in_fips_mode-v1-1-1359bc7d41be@microsoft.com
> ---
> crypto/testmgr.c | 6 ++++++
> 1 file changed, 6 insertions(+)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt