Re: [PATCH v2] crypto: testmgr - disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode

[Herbert Xu <herbert@gondor.apana.org.au>]

On Thu, Apr 23, 2026 at 11:21:41AM -0400, Jeff Barnes wrote:
> When booted with fips=1, RSA signature generation using SHA-1 must not be
> available.  However, pkcs1pad(rsa,sha1) can currently be instantiated
> because it is not present in alg_test_descs; alg_test() falls through the
> no_test path and succeeds, after which the algorithm appears in
> /proc/crypto as fips-capable.
> 
> Add explicit alg_test_descs entries for pkcs1pad(rsa,sha1) and
> pkcs1(rsa,sha1) without marking them fips_allowed, so they are treated as
> not FIPS-allowed when fips=1 is enabled.
> 
> Include both names to cover kernels where RSA sign/verify is provided via
> the pkcs1(...) signature template, while pkcs1pad(...) remains for the
> traditional wrapper naming and/or RSAES operations.
> 
> Signed-off-by: Jeff Barnes <jeffbarnes@linux.microsoft.com>
> ---
> This series fixes an issue where SHA-1 RSA signature generation remains
> available when booted with fips=1.
> 
> On a FIPS-enabled system, pkcs1pad(rsa,sha1) can be instantiated even
> though SHA-1 must not be available for signature generation. The reason
> is that the algorithm is not listed in crypto/testmgr.c's alg_test_descs,
> so alg_test() falls through the no_test path and succeeds. Once
> instantiated, /proc/crypto reports the algorithm as "fips: yes".
> 
> This patch adds explicit alg_test_descs entries for:
> 
>   - pkcs1pad(rsa,sha1)
>   - pkcs1(rsa,sha1)
> 
> without setting fips=1, so they are treated as not FIPS-allowed in
> FIPS mode.
> 
> Both names are covered to handle kernels where RSA signature operations
> are provided via the pkcs1(...) signature template, while pkcs1pad(...)
> remains for the historical wrapper naming and/or RSAES operations.
> 
> Reproducer / evidence (current behavior):
>   1) Boot with fips=1 (confirm /proc/sys/crypto/fips_enabled == 1)
>   2) Allocate the transform:
>        crypto_alloc_akcipher("pkcs1pad(rsa,sha1)", 0, 0)
>   3) Observe that /proc/crypto now contains:
>        name   : pkcs1pad(rsa,sha1)
>        fips   : yes
>        selftest: passed
>   4) A simple in-kernel demo module can instantiate the transform and reach
>      the signing path in FIPS mode.
> 
> With this change, attempts to instantiate these SHA-1 RSA signing
> templates in FIPS mode are rejected, preventing SHA-1 signature
> generation in approved mode.
> 
> Thanks for taking a look.
> ---
> Changes in v2:
> - Rewrap commit message body to conform to 75-column limit
> - Fix From/Signed-off-by address mismatch
> Link to v1: https://lore.kernel.org/r/20260422-disallow_rsa_sha1_signing_in_fips_mode-v1-1-1359bc7d41be@microsoft.com
> ---
>  crypto/testmgr.c | 6 ++++++
>  1 file changed, 6 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt