Message-ID: <6209669358d038b30e5fe20ba571f93241b5248d.camel@redhat.com>
Subject: Re: [PATCH] sctp: Make sha1 as default algorithm if fips is enabled
From: Paolo Abeni
To: Ashwin Dayanand Kamat, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, "David S . Miller", Eric Dumazet, Jakub Kicinski, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: srivatsab@vmware.com, srivatsa@csail.mit.edu, amakhalov@vmware.com, vsirnapalli@vmware.com, akaher@vmware.com
Date: Thu, 22 Dec 2022 10:22:24 +0100
In-Reply-To: <1671513037-8958-1-git-send-email-kashwindayan@vmware.com>
References: <1671513037-8958-1-git-send-email-kashwindayan@vmware.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2022-12-20 at 10:40 +0530, Ashwin Dayanand Kamat wrote:
> MD5 is not FIPS compliant. But still md5 was used as the default algorithm
> for sctp if fips was enabled.
> Due to this, the listen() system call in ltp tests was failing for sctp
> in a fips environment, with the below error message.
>
> [ 6397.892677] sctp: failed to load transform for md5: -2
>
> The fix is to not assign md5 as the default algorithm for sctp
> if fips_enabled is true. Instead make sha1 the default algorithm.
>
> Signed-off-by: Ashwin Dayanand Kamat

I don't know the fips standard in detail, but it feels strange that you get
fips compliance by _disabling_ the encryption. Can you please point out which
part of the standard states it?

Since this is a fix, you should also provide a suitable Fixes tag.

When you repost, additionally include the target tree name (net) in the
subject, thanks!

> ---
> net/sctp/protocol.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> index 909a89a..b6e9810 100644
> --- a/net/sctp/protocol.c
> +++ b/net/sctp/protocol.c
> @@ -34,6 +34,7 @@
>  #include
>  #include
>  #include
> +#include
>  #include
>  #include
>  #include
> @@ -1321,14 +1322,13 @@ static int __net_init sctp_defaults_init(struct net *net)
>  	/* Whether Cookie Preservative is enabled(1) or not(0) */
>  	net->sctp.cookie_preserve_enable = 1;
>
> -	/* Default sctp sockets to use md5 as their hmac alg */
> -#if defined (CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5)
> -	net->sctp.sctp_hmac_alg = "md5";
> -#elif defined (CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1)
> -	net->sctp.sctp_hmac_alg = "sha1";
> -#else
> -	net->sctp.sctp_hmac_alg = NULL;
> -#endif
> +	/* Default sctp sockets to use md5 as default only if fips is not enabled */
> +	if (!fips_enabled && IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5))
> +		net->sctp.sctp_hmac_alg = "md5";
> +	else if (IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1))
> +		net->sctp.sctp_hmac_alg = "sha1";
> +	else
> +		net->sctp.sctp_hmac_alg = NULL;

It looks like the listener can still fail if fips mode is enabled after the
netns is initialized.

I think it would be better to take action in sctp_listen_start() and bump a
ratelimited notice that the selected hmac is changed due to fips.

Thanks,

Paolo

>
>  	/* Max.Burst - 4 */
>  	net->sctp.max_burst = SCTP_DEFAULT_MAX_BURST;
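Review bot: in the second hunk the rewritten chain can leave `net->sctp.sctp_hmac_alg` as NULL rather than "sha1" when FIPS is on. If `CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5` and `CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1` are mutually exclusive (the removed `#if`/`#elif`/`#else` chain treats them that way), a kernel built with the MD5 default evaluates `!fips_enabled && IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5)` as false, then `IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1)` as false, and falls through to `net->sctp.sctp_hmac_alg = NULL;`, i.e. the cookie HMAC is switched off, not replaced by sha1 as the commit message states. Something like `net->sctp.sctp_hmac_alg = fips_enabled ? "sha1" : "md5";` inside the MD5 branch would give the FIPS case sha1 in every configuration. The new comment `/* Default sctp sockets to use md5 as default only if fips is not enabled */` also repeats "default" and does not mention the sha1 substitution; it should say what happens under FIPS.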
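To make the two points in this review concrete (the init-time chain that can end in no HMAC at all, and a listen-time re-check of the FIPS state), here is a userspace C model added for this review. It is not kernel code and not part of the patch; the `enum cookie_hmac_cfg` standing in for the Kconfig choice, the `bool fips` parameter standing in for `fips_enabled`, and the function names `kconfig_default_hmac()`, `patched_default_hmac()`, `fips_safe_default_hmac()` and `listen_time_hmac()` are all assumptions made for the example.

```c
/* Added example, not kernel code: a userspace model of the SCTP cookie-HMAC
 * default selection discussed in this thread.  The Kconfig choice and
 * fips_enabled are plain parameters here; every function name is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the mutually exclusive CONFIG_SCTP_DEFAULT_COOKIE_HMAC_* choice. */
enum cookie_hmac_cfg { CFG_HMAC_MD5, CFG_HMAC_SHA1, CFG_HMAC_NONE };

/* The pre-patch #if/#elif/#else chain: FIPS is never consulted. */
const char *kconfig_default_hmac(enum cookie_hmac_cfg cfg)
{
	switch (cfg) {
	case CFG_HMAC_MD5:
		return "md5";
	case CFG_HMAC_SHA1:
		return "sha1";
	default:
		return NULL;
	}
}

/* Same branch structure as the patched chain: under FIPS the md5 branch is
 * skipped, and the sha1 branch only fires when the SHA1 option was selected,
 * so an MD5-configured kernel ends up with no cookie HMAC at all. */
const char *patched_default_hmac(bool fips, enum cookie_hmac_cfg cfg)
{
	if (!fips && cfg == CFG_HMAC_MD5)
		return "md5";
	else if (cfg == CFG_HMAC_SHA1)
		return "sha1";
	else
		return NULL;
}

/* Alternative selection (an assumption, not from the patch): keep the
 * configured default but substitute sha1 for md5 when FIPS is on, so FIPS
 * never silently turns cookie authentication off. */
const char *fips_safe_default_hmac(bool fips, enum cookie_hmac_cfg cfg)
{
	if (cfg == CFG_HMAC_MD5)
		return fips ? "sha1" : "md5";
	return kconfig_default_hmac(cfg);
}

/* Listen-time re-check modeled on the reviewer's suggestion: the per-netns
 * default was fixed at init, so the FIPS state is consulted again here and a
 * disallowed algorithm is swapped, with a one-shot notice standing in for a
 * ratelimited kernel message. */
static unsigned int notice_count;

const char *listen_time_hmac(const char *alg, bool fips)
{
	if (fips && alg && strcmp(alg, "md5") == 0) {
		if (notice_count++ == 0)
			fprintf(stderr, "sctp: cookie hmac md5 not usable in FIPS mode, using sha1\n");
		return "sha1";
	}
	return alg;
}

static const char *show(const char *alg)
{
	return alg ? alg : "(none)";
}

int main(void)
{
	static const char *const cfg_name[] = { "MD5", "SHA1", "NONE" };

	/* Walk every Kconfig choice with FIPS off and on and print what each
	 * strategy selects; the MD5+FIPS row is the one the review is about. */
	for (int cfg = CFG_HMAC_MD5; cfg <= CFG_HMAC_NONE; cfg++) {
		for (int fips = 0; fips <= 1; fips++) {
			printf("cfg=%-4s fips=%d  patched=%-6s fips_safe=%-6s listen_check=%s\n",
			       cfg_name[cfg], fips,
			       show(patched_default_hmac(fips, cfg)),
			       show(fips_safe_default_hmac(fips, cfg)),
			       show(listen_time_hmac(kconfig_default_hmac(cfg), fips)));
		}
	}
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The `cfg=MD5 fips=1` row shows `patched=(none)` beside `fips_safe=sha1` and `listen_check=sha1`; the listen-time column is computed from the pre-patch default on purpose, since the point of that check is to catch a FIPS switch that happened after the netns default was chosen.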