1 // SPDX-License-Identifier: GPL-2.0-only
8 * Self-tests of fips140.ko cryptographic functionality. These are run at
9 * module load time to fulfill FIPS 140 and NIAP FPT_TST_EXT.1 requirements.
11 * The actual requirements for these self-tests are somewhat vague, but
12 * section 9 ("Self-Tests") of the FIPS 140-2 Implementation Guidance document
13 …https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-…
14 * is somewhat helpful. Basically, all implementations of all FIPS approved
17 * - There are provisions for skipping tests that are already sufficiently
18 * covered by other tests. E.g., HMAC-SHA256 may cover SHA-256.
20 * - Only one test vector is required per algorithm, and it can be generated
21 * by any known-good implementation or taken from any official document.
23 * - For ciphers, both encryption and decryption must be tested.
25 * - Only one key size per algorithm needs to be tested.
33 * our test vectors except the AES-CBC-CTS and DRBG ones were generated by the
34 * script tools/crypto/gen_fips140_testvecs.py, using the known-good
38 * Note that we don't reuse the upstream crypto API's self-tests
41 * - To meet FIPS requirements, the self-tests must be located within the FIPS
45 * - testmgr is much more heavyweight than required for FIPS and NIAP; it
48 * tests that can run with minimal overhead on every boot-up.
50 * - Despite being more heavyweight in general, testmgr doesn't test the
51 * SHA-256 and AES library APIs, even though that is needed here.
61 #include "fips140-module.h"
77 /* Test vector for a length-preserving encryption algorithm */
122 * the case of a library implementation should have "-lib" appended.
127 * The test function. It should execute a known-answer test on an
152 return -EBADMSG; in fips_check_result()
158 * None of the algorithms should be ASYNC, as the FIPS module doesn't register
160 * algorithms, which would need their own FIPS certification.)
162 * Ideally we would verify alg->cra_module == THIS_MODULE here as well, but that
163 * doesn't work because the files are compiled as built-in code.
168 if (alg->cra_flags & CRYPTO_ALG_ASYNC) { in fips_validate_alg()
170 alg->cra_name, alg->cra_driver_name); in fips_validate_alg()
171 return -EINVAL; in fips_validate_alg()
179 if (err == -ENOENT) { in fips_handle_alloc_tfm_error()
200 const struct skcipher_testvec *vec = &test->skcipher; in fips_test_aes_library()
205 if (WARN_ON(vec->message_size != AES_BLOCK_SIZE)) in fips_test_aes_library()
206 return -EINVAL; in fips_test_aes_library()
208 err = aes_expandkey(&ctx, vec->key, vec->key_size); in fips_test_aes_library()
213 aes_encrypt(&ctx, block, vec->plaintext); in fips_test_aes_library()
214 err = fips_check_result(block, vec->ciphertext, AES_BLOCK_SIZE, in fips_test_aes_library()
219 return fips_check_result(block, vec->plaintext, AES_BLOCK_SIZE, in fips_test_aes_library()
223 /* Test a length-preserving symmetric cipher using the crypto_skcipher API. */
227 const struct skcipher_testvec *vec = &test->skcipher; in fips_test_skcipher()
235 if (WARN_ON(vec->iv_size > MAX_IV_SIZE)) in fips_test_skcipher()
236 return -EINVAL; in fips_test_skcipher()
237 if (WARN_ON(vec->message_size <= 0)) in fips_test_skcipher()
238 return -EINVAL; in fips_test_skcipher()
243 err = fips_validate_alg(&crypto_skcipher_alg(tfm)->base); in fips_test_skcipher()
246 if (crypto_skcipher_ivsize(tfm) != vec->iv_size) { in fips_test_skcipher()
248 err = -EINVAL; in fips_test_skcipher()
253 message = kmemdup(vec->plaintext, vec->message_size, GFP_KERNEL); in fips_test_skcipher()
255 err = -ENOMEM; in fips_test_skcipher()
258 sg_init_one(&sg, message, vec->message_size); in fips_test_skcipher()
262 skcipher_request_set_crypt(req, &sg, &sg, vec->message_size, iv); in fips_test_skcipher()
264 err = crypto_skcipher_setkey(tfm, vec->key, vec->key_size); in fips_test_skcipher()
271 memcpy(iv, vec->iv, vec->iv_size); in fips_test_skcipher()
277 err = fips_check_result(message, vec->ciphertext, vec->message_size, in fips_test_skcipher()
283 memcpy(iv, vec->iv, vec->iv_size); in fips_test_skcipher()
289 err = fips_check_result(message, vec->plaintext, vec->message_size, in fips_test_skcipher()
302 const struct aead_testvec *vec = &test->aead; in fips_test_aead()
303 const int tag_size = vec->ciphertext_size - vec->plaintext_size; in fips_test_aead()
308 struct scatterlist sg[2]; in fips_test_aead()
313 if (WARN_ON(vec->iv_size > MAX_IV_SIZE)) in fips_test_aead()
314 return -EINVAL; in fips_test_aead()
315 if (WARN_ON(vec->ciphertext_size <= vec->plaintext_size)) in fips_test_aead()
316 return -EINVAL; in fips_test_aead()
321 err = fips_validate_alg(&crypto_aead_alg(tfm)->base); in fips_test_aead()
324 if (crypto_aead_ivsize(tfm) != vec->iv_size) { in fips_test_aead()
326 err = -EINVAL; in fips_test_aead()
331 assoc = kmemdup(vec->assoc, vec->assoc_size, GFP_KERNEL); in fips_test_aead()
332 message = kzalloc(vec->ciphertext_size, GFP_KERNEL); in fips_test_aead()
334 err = -ENOMEM; in fips_test_aead()
337 memcpy(message, vec->plaintext, vec->plaintext_size); in fips_test_aead()
340 if (vec->assoc_size) in fips_test_aead()
341 sg_set_buf(&sg[sg_idx++], assoc, vec->assoc_size); in fips_test_aead()
342 sg_set_buf(&sg[sg_idx++], message, vec->ciphertext_size); in fips_test_aead()
344 aead_request_set_ad(req, vec->assoc_size); in fips_test_aead()
347 err = crypto_aead_setkey(tfm, vec->key, vec->key_size); in fips_test_aead()
364 memcpy(iv, vec->iv, vec->iv_size); in fips_test_aead()
365 aead_request_set_crypt(req, sg, sg, vec->plaintext_size, iv); in fips_test_aead()
371 err = fips_check_result(message, vec->ciphertext, vec->ciphertext_size, in fips_test_aead()
380 memcpy(iv, vec->iv, vec->iv_size); in fips_test_aead()
381 aead_request_set_crypt(req, sg, sg, vec->ciphertext_size, iv); in fips_test_aead()
387 err = fips_check_result(message, vec->plaintext, vec->plaintext_size, in fips_test_aead()
401 * hash algorithms in the FIPS module have the ASYNC flag, and thus there will
407 const struct hash_testvec *vec = &test->hash; in fips_test_hash()
412 if (WARN_ON(vec->digest_size > HASH_MAX_DIGESTSIZE)) in fips_test_hash()
413 return -EINVAL; in fips_test_hash()
418 err = fips_validate_alg(&crypto_shash_alg(tfm)->base); in fips_test_hash()
421 if (crypto_shash_digestsize(tfm) != vec->digest_size) { in fips_test_hash()
423 err = -EINVAL; in fips_test_hash()
427 if (vec->key) { in fips_test_hash()
428 err = crypto_shash_setkey(tfm, vec->key, vec->key_size); in fips_test_hash()
435 err = crypto_shash_tfm_digest(tfm, vec->message, vec->message_size, in fips_test_hash()
441 err = fips_check_result(digest, vec->digest, vec->digest_size, in fips_test_hash()
451 const struct hash_testvec *vec = &test->hash; in fips_test_sha256_library()
454 if (WARN_ON(vec->digest_size != SHA256_DIGEST_SIZE)) in fips_test_sha256_library()
455 return -EINVAL; in fips_test_sha256_library()
457 sha256(vec->message, vec->message_size, digest); in fips_test_sha256_library()
458 return fips_check_result(digest, vec->digest, vec->digest_size, in fips_test_sha256_library()
466 const struct drbg_testvec *vec = &test->drbg; in fips_test_drbg()
476 err = fips_validate_alg(&crypto_rng_alg(rng)->base); in fips_test_drbg()
480 output = kzalloc(vec->out_size, GFP_KERNEL); in fips_test_drbg()
482 err = -ENOMEM; in fips_test_drbg()
491 drbg_string_fill(&testentropy, vec->entropy, vec->entropy_size); in fips_test_drbg()
492 drbg_string_fill(&pers, vec->pers, vec->pers_size); in fips_test_drbg()
502 * (relevant for the prediction-resistant DRBG variants only). in fips_test_drbg()
504 drbg_string_fill(&addtl, vec->add_a, vec->add_size); in fips_test_drbg()
505 if (vec->entpr_size) { in fips_test_drbg()
506 drbg_string_fill(&testentropy, vec->entpr_a, vec->entpr_size); in fips_test_drbg()
508 vec->out_size, &addtl, in fips_test_drbg()
511 err = crypto_drbg_get_bytes_addtl(rng, output, vec->out_size, in fips_test_drbg()
524 drbg_string_fill(&addtl, vec->add_b, vec->add_size); in fips_test_drbg()
525 if (test->drbg.entpr_size) { in fips_test_drbg()
526 drbg_string_fill(&testentropy, vec->entpr_b, vec->entpr_size); in fips_test_drbg()
528 vec->out_size, &addtl, in fips_test_drbg()
531 err = crypto_drbg_get_bytes_addtl(rng, output, vec->out_size, in fips_test_drbg()
535 pr_err("failed to get bytes from %s (try 2): %d\n", in fips_test_drbg()
541 err = fips_check_result(output, vec->output, vec->out_size, in fips_test_drbg()
550 #include "fips140-generated-testvecs.h"
553 * List of all self-tests. Keep this in sync with fips140_algorithms[].
555 * When possible, we have followed the FIPS 140-2 Implementation Guidance (IG)
557 * list of tests that is near-minimal (and thus minimizes runtime overhead)
570 * are accessible through the crypto_cipher API (e.g. "aes-ce"), as they
571 * are covered indirectly by AES-CMAC and AES-ECB tests.
575 .impls = {"aes-lib"},
586 * Tests for AES-CMAC, a.k.a. "cmac(aes)" in crypto API syntax.
590 * implements AES-GCM and AES-CMAC. However, AES-GCM doesn't "count"
591 * because this module's implementations of AES-GCM won't actually be
592 * FIPS-approved, due to a quirk in the FIPS requirements.
594 * Therefore, for us this requirement applies to AES-CMAC, so we must
598 * implementations of "cmac(aes)" such as "cmac-aes-ce", as they don't
606 "cmac(aes-generic)",
607 "cmac(aes-arm64)",
608 "cmac(aes-ce)",
610 "cmac-aes-neon",
611 "cmac-aes-ce",
624 * Tests for AES-ECB, a.k.a. "ecb(aes)" in crypto API syntax.
633 * implementations of "ecb(aes)" such as "ecb-aes-ce", as they don't
641 "ecb(aes-generic)",
642 "ecb(aes-arm64)",
643 "ecb(aes-ce)",
645 "ecb-aes-neon",
646 "ecb-aes-neonbs",
647 "ecb-aes-ce",
659 * Tests for AES-CBC, AES-CBC-CTS, AES-CTR, AES-XTS, and AES-GCM.
670 * such as "cbc-aes-ce", as such implementations don't reuse another
674 * The AES-GCM test isn't actually required, as it's expected that this
675 * module's AES-GCM implementation won't actually be able to be
676 * FIPS-approved. This is unfortunate; it's caused by the FIPS
678 * don't generate their own IVs. We choose to still include the AES-GCM
679 * test to keep it on par with the other FIPS-approved algorithms, in
680 * case it turns out that AES-GCM can be approved after all.
686 "cbc-aes-neon",
687 "cbc-aes-neonbs",
688 "cbc-aes-ce",
704 "cts-cbc-aes-neon",
705 "cts-cbc-aes-ce",
730 "ctr-aes-neon",
731 "ctr-aes-neonbs",
732 "ctr-aes-ce",
748 "xts-aes-neon",
749 "xts-aes-neonbs",
750 "xts-aes-ce",
766 "gcm-aes-ce",
784 /* Tests for SHA-1 */
789 "sha1-generic",
790 "sha1-ce"
801 * Tests for all SHA-256 implementations other than the sha256() library
803 * corresponding SHA-224 implementations.
809 "sha256-generic",
810 "sha256-arm64",
811 "sha256-ce",
823 * separately because it may use its own SHA-256 implementation.
827 .impls = {"sha256-lib"},
837 * Tests for all SHA-512 implementations. As per the IG, these tests
838 * also fulfill the tests for the corresponding SHA-384 implementations.
844 "sha512-generic",
845 "sha512-arm64",
846 "sha512-ce",
858 * provided that the same HMAC code is shared by all HMAC-SHA*. This is
859 * true in our case. We choose HMAC-SHA256 for the test.
877 * Known-answer tests for the SP800-90A DRBG algorithms.
880 …* https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/d…
882 * The selection of these tests follows the FIPS 140-2 IG as well as
883 * Section 11 of SP800-90A:
885 * - We must test all DRBG types (HMAC, Hash, and CTR) that the module
890 * - We only need to test one HMAC variant.
892 * - We must test all DRBG operations: Instantiate(), Reseed(), and
898 * - The personalization string, additional input, and prediction
901 * additional input, and we test the prediction-resistant variant.
902 * Testing the non-prediction-resistant variant is not required.
965 if (test->impls[0] == NULL) { in fips_run_test()
966 err = test->func(test, test->alg); in fips_run_test()
968 pr_emerg("self-tests failed for algorithm %s: %d\n", in fips_run_test()
969 test->alg, err); in fips_run_test()
973 for (i = 0; i < ARRAY_SIZE(test->impls) && test->impls[i] != NULL; in fips_run_test()
975 err = test->func(test, test->impls[i]); in fips_run_test()
977 pr_emerg("self-tests failed for algorithm %s, implementation %s: %d\n", in fips_run_test()
978 test->alg, test->impls[i], err); in fips_run_test()
989 pr_info("running self-tests\n"); in fips140_run_selftests()
996 pr_info("all self-tests passed\n"); in fips140_run_selftests()