In-Reply-To: <20210409024143.GL2900@Leo-laptop-t470s>
From: "Jason A. Donenfeld"
Date: Thu, 8 Apr 2021 20:44:35 -0600
Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode
To: Hangbin Liu
Cc: Simo Sorce, Netdev, Toke Høiland-Jørgensen, Jakub Kicinski, Ondrej Mosnacek, Linux Crypto Mailing List
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Hangbin,

On Thu, Apr 8, 2021 at 8:41 PM Hangbin Liu wrote:
> I agree that the best way is to disable the crypto modules in FIPS mode.
> But the code in lib/crypto looks not the same with crypto/. For modules
> in crypto, there is an alg_test() to check if the crypto is FIPS allowed
> when do register.
>
> - crypto_register_alg()
> - crypto_wait_for_test()
> - crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult)
> - cryptomgr_schedule_test()
> - cryptomgr_test()
> - alg_test()
>
> But in lib/crypto the code is more like a library. We can call it anytime
> and there is no register. Maybe we should add a similar check in lib/crypto.
> But I'm not familiar with crypto code... Not sure if anyone in linux-crypto@
> would like to help do that.

Since it's just a normal module library, you can simply do this in the
module_init function, rather than deep within registration abstractions.

> > diff --git a/lib/crypto/curve25519.c b/lib/crypto/curve25519.c
> > index 288a62cd29b2..b794f49c291a 100644
> > --- a/lib/crypto/curve25519.c
> > +++ b/lib/crypto/curve25519.c
> > @@ -12,11 +12,15 @@
> > #include
> > #include
> > #include
> > +#include
> >
> > bool curve25519_selftest(void);
> >
> > static int __init mod_init(void)
> > {
> > + if (!fips_enabled)
> > + return -EOPNOTSUPP;
>
> Question here, why it is !fips_enabled? Shouldn't we return error when
> fips_enabled?

Er, just not thinking straight today. `if (fips_enabled)` is probably
what you want indeed.

Jason
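
Review bot: the guard added at the top of mod_init() is inverted: `if (!fips_enabled)` followed by `return -EOPNOTSUPP;` makes module init fail on every system that is not in FIPS mode and lets curve25519 load when FIPS mode is on, the opposite of what the subject line asks for. The condition should be `if (fips_enabled)`. Since the early return sits ahead of everything else in mod_init(), a one-line comment stating that the -EOPNOTSUPP is a deliberate FIPS-mode refusal would help anyone debugging why the module, or a user of it, does not load.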