From: Xin Long
Date: Fri, 2 Jun 2023 19:16:09 -0400
Subject: Re: [PATCH v3] net/sctp: Make sha1 as default algorithm if fips is enabled
To: Simon Horman
Cc: Ashwin Dayanand Kamat, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, amakhalov@vmware.com, vsirnapalli@vmware.com, akaher@vmware.com, tkundu@vmware.com, keerthanak@vmware.com
References: <1685643474-18654-1-git-send-email-kashwindayan@vmware.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jun 2, 2023 at 11:15 AM Simon Horman wrote:
>
> + Xin Long
>
> On Thu, Jun 01, 2023 at 11:47:54PM +0530, Ashwin Dayanand Kamat wrote:
> > MD5 is not FIPS compliant. But still md5 was used as the
> > default algorithm for sctp if fips was enabled.
> > Due to this, listen() system call in ltp tests was
> > failing for sctp in fips environment, with below error message.
> >
> > [ 6397.892677] sctp: failed to load transform for md5: -2
> >
> > Fix is to not assign md5 as default algorithm for sctp
> > if fips_enabled is true. Instead make sha1 as default algorithm.
> > The issue fixes ltp testcase failure "cve-2018-5803 sctp_big_chunk"

Hi, Ashwin,

I have the same question as Paolo about "this patch gets fips compliance
_disabling_ the encryption", is it from any standard?

If not, can't you fix the ltp testcase for fips environment by sysctl?
or set 'CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y' instead in config.

Sorry if I don't understand this well. You're trying to avoid SCTP code
calling crypto_alloc_shash(MD5), right? What about other places where it
may also do it in kernel? (where ltp just doesn't cover)

I don't think it makes sense to let SCTP have some code rely on FIPS only
to make ltp testcase happy, while we can actually fix it in ltp by "sysctl".

Thanks.

> >
> > Signed-off-by: Ashwin Dayanand Kamat
> > ---
> > v3:
> > * Resolved hunk failures.
> > * Changed the ratelimited notice to be more meaningful.
> > * Used ternary condition for if/else condition.
> > v2:
> > * The listener can still fail if fips mode is enabled after
> > that the netns is initialized.
> > * Fixed this in sctp_listen_start() as suggested by
> > Paolo Abeni
>
> FWIW, this seems reasonable to me.
>
> Reviewed-by: Simon Horman
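The alternative Xin Long raises, handling FIPS mode from userspace configuration instead of special-casing it inside the SCTP code, can be shown as a small shell script. This is an added example, not code from the patch, from the LTP test or from the kernel. It assumes two real kernel interfaces: the `/proc/sys/crypto/fips_enabled` flag and the per-netns sysctl `net.sctp.cookie_hmac_alg` (accepted values `md5`, `sha1`, `none`), whose boot-time default comes from the `CONFIG_SCTP_DEFAULT_COOKIE_HMAC_*` Kconfig choice mentioned in the mail. The file paths are parameters so the decision logic can be exercised against constructed files rather than a live host.

```shell
#!/bin/sh
# Added example for this thread (not code from the patch or from the kernel).
# Assumed real interfaces: /proc/sys/crypto/fips_enabled and the per-netns
# sysctl net.sctp.cookie_hmac_alg (values: md5, sha1, none).
# Paths are parameters so the logic can run on constructed files.

# fips_enabled FILE: print 1 when the flag file reads "1", otherwise 0.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# choose_cookie_hmac FIPS CURRENT: the cookie HMAC the endpoint should use.
# Only md5 is replaced: sha1 loads fine under FIPS and "none" asks for no
# HMAC transform at all, so neither triggers the failed md5 load.
choose_cookie_hmac() {
    if [ "$1" = "1" ] && [ "$2" = "md5" ]; then
        echo sha1
    else
        echo "$2"
    fi
}

# ensure_fips_cookie_hmac FIPSFILE ALGFILE: rewrite ALGFILE when needed.
# Prints the resulting algorithm; a file that needs no change is left alone.
ensure_fips_cookie_hmac() {
    fipsfile="${1:-/proc/sys/crypto/fips_enabled}"
    algfile="${2:-/proc/sys/net/sctp/cookie_hmac_alg}"
    current="$(cat "$algfile")"
    wanted="$(choose_cookie_hmac "$(fips_enabled "$fipsfile")" "$current")"
    if [ "$wanted" != "$current" ]; then
        # On a live host this is equivalent to:
        #   sysctl -w net.sctp.cookie_hmac_alg=sha1
        echo "$wanted" > "$algfile"
    fi
    echo "$wanted"
}

# Stand-alone use on a real host:
#   sh sctp_fips_cookie.sh --check   (read-only report)
#   sh sctp_fips_cookie.sh --apply   (needs root to write the sysctl)
case "${1:-}" in
    --check)
        printf 'fips_enabled=%s cookie_hmac_alg=%s\n' \
            "$(fips_enabled)" \
            "$(cat /proc/sys/net/sctp/cookie_hmac_alg 2>/dev/null || echo unavailable)"
        ;;
    --apply)
        ensure_fips_cookie_hmac
        ;;
esac
```

The sysctl is per network namespace and a freshly created netns starts from the Kconfig default again, so a test harness or container that creates its own netns after boot has to apply the setting inside that namespace; this is the same window the v2 changelog above describes for FIPS mode being enabled after the netns is initialized.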