Skip to content

Commit 7186bff

Browse files
ifranzkiifranzki
committed
engine: Enable external AES-GCM IV when libica is in FIPS mode
When the system is in FIPS mode, newer libica versions may prevent AES-GCM from being used with an external IV. FIPS requires that the AES-GCM IV is created libica internally via an approved random source. The IBMCA engine can not support the internal generation of the AES-GCM IV, because the engine API for AES-GCM does not allow this. Applications using OpenSSL to perform AES-GCM (e.g. the TLS protocol) may require to provide an external IV. Enable the use of external AES-GCM IVs for libica, if the used libica library supports this. Newer libica versions support to allow external AES-GCM IVs via function ica_allow_external_gcm_iv_in_fips_mode(). Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
1 parent 727304a commit 7186bff

File tree

2 files changed

+12
-1
lines changed

2 files changed

+12
-1
lines changed

src/engine/e_ibmca.c

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -103,6 +103,8 @@ ica_aes_gcm_intermediate_t p_ica_aes_gcm_intermediate;
103103
ica_aes_gcm_last_t p_ica_aes_gcm_last;
104104
#endif
105105
ica_cleanup_t p_ica_cleanup;
106+
ica_allow_external_gcm_iv_in_fips_mode_t
107+
p_ica_allow_external_gcm_iv_in_fips_mode;
106108

107109
/* save libcrypto's default ec methods */
108110
#ifndef NO_EC
@@ -825,7 +827,15 @@ static int ibmca_init(ENGINE *e)
825827
BIND(ibmca_dso, ica_ed448_ctx_del);
826828

827829
/* ica_cleanup is not always present and only needed for newer libraries */
828-
p_ica_cleanup = (ica_cleanup_t)dlsym(ibmca_dso, "ica_cleanup");
830+
BIND(ibmca_dso, ica_cleanup);
831+
832+
/*
833+
* Allow external AES-GCM IV when libica runs in FIPS mode.
834+
* ica_allow_external_gcm_iv_in_fips_mode() is not always present and only
835+
* available with newer libraries.
836+
*/
837+
if (BIND(ibmca_dso, ica_allow_external_gcm_iv_in_fips_mode))
838+
p_ica_allow_external_gcm_iv_in_fips_mode(1);
829839

830840
/* disable fallbacks on Libica */
831841
if (BIND(ibmca_dso, ica_set_fallback_mode))

src/engine/ibmca.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -617,6 +617,7 @@ typedef
617617
int (*ica_ed448_ctx_del_t)(ICA_ED448_CTX **ctx);
618618

619619
typedef void (*ica_cleanup_t)(void);
620+
typedef void (*ica_allow_external_gcm_iv_in_fips_mode_t)(int allow);
620621

621622
/* entry points into libica, filled out at DSO load time */
622623
extern ica_get_functionlist_t p_ica_get_functionlist;

0 commit comments

Comments
 (0)