Hello All,
"Make fips=1 work on 4.1", they said, wittily, "it'll be easy."
I suppose it wasn't that complicated, although I seem to be unearthing
other problems as I go along. The first problem was dracut (and I owe
an upstream patch for that) and the second problem was tcrypt.
The tcrypt module was failing on authenc ciphers that wrap non-FIPS
ciphers and hashes. These ones in fact:
authenc(hmac(md5),ecb(cipher_null))
authenc(hmac(sha1),cbc(des))
authenc(hmac(sha1),ecb(cipher_null))
authenc(hmac(sha224),cbc(des))
authenc(hmac(sha256),cbc(des))
authenc(hmac(sha384),cbc(des))
authenc(hmac(sha512),cbc(des))
Stephan Mueller pointed out that no authenc() ciphers are FIPS
approved and that ecb(des) also managed to get .fips_allowed set.
The following patch removes fips_allowed for all those ciphers.
Again, Stephan pointed out that ansi_cprng will need to be taken off
the allowed list at the end of the year. This patch doesn't pre-empt
that.
jch
John Haxby (1):
Disable fips-allowed for authenc() and des() ciphers
crypto/testmgr.c | 16 ----------------
1 file changed, 16 deletions(-)
--
2.4.3
No authenc() ciphers are FIPS approved, nor is ecb(des).
After the end of 2015, ansi_cprng will also be non-approved.
Signed-off-by: John Haxby <[email protected]>
---
crypto/testmgr.c | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index fa18753..523c9b9 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2080,7 +2080,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(md5),ecb(cipher_null))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2096,7 +2095,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha1),cbc(aes))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
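Review bot: The entry for `authenc(hmac(sha1),cbc(aes))` loses `.fips_allowed` here although it is not among the seven algorithms the cover letter reports as failing, and the same holds for the other cbc(aes) and cbc(des3_ede) entries in the later hunks. If testmgr refuses entries without the flag when fips=1 (which the tcrypt failures described in the cover letter suggest), these AES and 3DES combinations would no longer be instantiable in FIPS mode, which presumably affects callers that request authenc() templates directly. The commit message should state that consequence explicitly, and a comment above the first authenc entry would record the intent, e.g. `/* authenc() templates are not FIPS approved as such: deliberately no .fips_allowed */`. The table entries start and end outside each hunk, so the test vectors themselves are not visible here.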
@@ -2110,7 +2108,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha1),cbc(des))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2124,7 +2121,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha1),cbc(des3_ede))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2138,7 +2134,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha1),ecb(cipher_null))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2158,7 +2153,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha224),cbc(des))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2172,7 +2166,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha224),cbc(des3_ede))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2186,7 +2179,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha256),cbc(aes))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2200,7 +2192,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha256),cbc(des))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2214,7 +2205,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha256),cbc(des3_ede))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2228,7 +2218,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha384),cbc(des))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2242,7 +2231,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha384),cbc(des3_ede))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2256,7 +2244,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha512),cbc(aes))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2270,7 +2257,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha512),cbc(des))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -2284,7 +2270,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "authenc(hmac(sha512),cbc(des3_ede))",
.test = alg_test_aead,
- .fips_allowed = 1,
.suite = {
.aead = {
.enc = {
@@ -3011,7 +2996,6 @@ static const struct alg_test_desc alg_test_descs[] = {
}, {
.alg = "ecb(des)",
.test = alg_test_skcipher,
- .fips_allowed = 1,
.suite = {
.cipher = {
.enc = {
--
2.4.3
Am Donnerstag, 24. September 2015, 18:24:35 schrieb John Haxby:
Hi John,
>No authenc() ciphers are FIPS approved, nor is ecb(des).
>After the end of 2015, ansi_cprng will also be non-approved.
>
>Signed-off-by: John Haxby <[email protected]>
Acked-by: Stephan Mueller <[email protected]>
Ciao
Stephan
On Fri, Sep 25, 2015 at 07:58:10AM +0200, Stephan Mueller wrote:
> Am Donnerstag, 24. September 2015, 18:24:35 schrieb John Haxby:
>
> Hi John,
>
> >No authenc() ciphers are FIPS approved, nor is ecb(des).
> >After the end of 2015, ansi_cprng will also be non-approved.
> >
> >Signed-off-by: John Haxby <[email protected]>
>
> Acked-by: Stephan Mueller <[email protected]>
Applied.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt