Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-22 12:11:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
8f7c8b88bd
linux/crypto/asymmetric_keys/selftest.h

23 lines
692 B
C
Raw Normal View History

certs: Move RSA self-test data to separate file In preparation of adding new ECDSA self-tests, the existing data for the RSA self-tests is moved to a separate file. This file is only compiled if the new CONFIG_FIPS_SIGNATURE_SELFTEST_RSA configuration option is set, which ensures that the required dependencies (RSA, SHA-256) are present. Otherwise, the kernel would panic when trying to execute the self-test. The introduction of this new option, rather than adding the dependencies to the existing CONFIG_FIPS_SIGNATURE_SELFTEST option, allows for additional self-tests to be added for different algorithms. The kernel can then be configured to only execute the self-tests for those algorithms that are included. Signed-off-by: Joachim Vandersmissen <git@jvdsn.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2024-05-13 04:55:06 +00:00
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Helper function for self-testing PKCS#7 signature verification.
*
* Copyright (C) 2024 Joachim Vandersmissen <git@jvdsn.com>
*/
void fips_signature_selftest(const char *name,
const u8 *keys, size_t keys_len,
const u8 *data, size_t data_len,
const u8 *sig, size_t sig_len);
#ifdef CONFIG_FIPS_SIGNATURE_SELFTEST_RSA
void __init fips_signature_selftest_rsa(void);
#else
static inline void __init fips_signature_selftest_rsa(void) { }
#endif
certs: Add ECDSA signature verification self-test Commit c27b2d2012e1 ("crypto: testmgr - allow ecdsa-nist-p256 and -p384 in FIPS mode") enabled support for ECDSA in crypto/testmgr.c. The PKCS#7 signature verification API builds upon the KCAPI primitives to perform its high-level operations. Therefore, this change in testmgr.c also allows ECDSA to be used by the PKCS#7 signature verification API (in FIPS mode). However, from a FIPS perspective, the PKCS#7 signature verification API is a distinct "service" from the KCAPI primitives. This is because the PKCS#7 API performs a "full" signature verification, which consists of both hashing the data to be verified, and the public key operation. On the other hand, the KCAPI primitive does not perform this hashing step - it accepts pre-hashed data from the caller and only performs the public key operation. For this reason, the ECDSA self-tests in crypto/testmgr.c are not sufficient to cover ECDSA signature verification offered by the PKCS#7 API. This is reflected by the self-test already present in this file for RSA PKCS#1 v1.5 signature verification. The solution is simply to add a second self-test here for ECDSA. P-256 with SHA-256 hashing was chosen as those parameters should remain FIPS-approved for the foreseeable future, while keeping the performance impact to a minimum. The ECDSA certificate and PKCS#7 signed data was generated using OpenSSL. The input data is identical to the input data for the existing RSA self-test. Signed-off-by: Joachim Vandersmissen <git@jvdsn.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2024-05-13 04:55:07 +00:00
#ifdef CONFIG_FIPS_SIGNATURE_SELFTEST_ECDSA
void __init fips_signature_selftest_ecdsa(void);
#else
static inline void __init fips_signature_selftest_ecdsa(void) { }
#endif
Reference in New Issue Copy Permalink