Partial revert of "In essiv_aead_setkey(), use the same logic as crypto_authenc_esn_setkey() to zeroize keys on exit." #333
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jallisonciq
requested review from
kerneltoast,
PlaidCat,
bmastbergen and
jason-rodri
jason-rodri
approved these changes
Jun 10, 2025
…to_authenc_esn_setkey() to zeroize keys on exit." LE-3197 A bug was introduced while updating the kernel per atsec’s request. When key zeroization was added, setting the crypto algorithm key was removed in error. This re-adds the code to set the crypto key. Tested under non-FIPS and FIPS mode. NB. This bug only causes the algorithm to be unusable and an error message returned to users. No corruption or insecure algorithm use is allowed. [Sultan: touched up the commit message with what Jeremy wrote] Signed-off-by: Jason Rodriguez <jrodriguez@ciq.com> Signed-off-by: Jeremy Allison <jallison@ciq.com> Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
kerneltoast
force-pushed
the
{jallison}_fips-9-compliant/5.14.0-284.30.1
branch
from
6cccbd3 to
6016b18
Compare
kerneltoast
changed the title
kerneltoast
approved these changes
Jun 13, 2025
jallisonciq
merged commit dd0d2f4
into
fips-9-compliant/5.14.0-284.30.1
2 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix a FIPS bug that got into the FIPS 9.2 code by mistake. This only affects the 9.2 FIPS kernel, no other kernel.
A bug was introduced while updating the kernel per atsec’s request. When key zeroization was added, setting the crypto algorithm key was removed in error. This re-adds the code to set the crypto key.
We can only fix this in compliant, as it touches the crypto code that is frozen in certified.
See this ticket for details:
https://ciqinc.atlassian.net/browse/LE-3197
Tested under non-FIPS and FIPS mode. NB. This bug only causes the algorithm to be unusable and an error message returned to users. No corruption or insecure algorithm use is allowed.