Hello All,

"Make fips=1 work on 4.1", they said, wittily, "it'll be easy."

I suppose it wasn't that complicated, although I seem to be unearthing other problems as I go along. The first problem was dracut (and I owe an upstream patch for that) and the second problem was tcrypt.

The tcrypt module was failing on authenc ciphers that wrap non-FIPS ciphers and hashes. These ones in fact:

    authenc(hmac(md5),ecb(cipher_null))
    authenc(hmac(sha1),cbc(des))
    authenc(hmac(sha1),ecb(cipher_null))
    authenc(hmac(sha224),cbc(des))
    authenc(hmac(sha256),cbc(des))
    authenc(hmac(sha384),cbc(des))
    authenc(hmac(sha512),cbc(des))

I'm fairly sure that wrapping des, cipher_null and md5 in authenc shouldn't make them fips-allowed so the following patch simply removes that.

Interestingly, some of these just failed outright and others just sat there chewing CPU time. I think that's just a curiosity though, rather than a problem.

jch

John Haxby (1):
  Disable fips-allowed for non-FIPS authenc ciphers

 crypto/testmgr.c | 7 -------
 1 file changed, 7 deletions(-)

--
2.4.3
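
The point made in the message, as an added example that is not code from the patch or from the kernel: a small C check that walks a crypto API name and reports the first leaf primitive from the set the message calls non-FIPS (md5, des, cipher_null). The function name, the list and the control name using aes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Primitives the message calls non-FIPS. This list is an assumption of
 * the example, not the kernel's own table. */
static const char *const non_fips[] = { "md5", "des", "cipher_null" };
#define N_NON_FIPS (sizeof(non_fips) / sizeof(non_fips[0]))

/* Walk a crypto API name such as "authenc(hmac(sha1),cbc(des))".
 * A token followed by '(' is a template (authenc, hmac, cbc, ecb); any
 * other token is a leaf primitive. Returns 1 and copies the first listed
 * leaf into out, or returns 0 when no leaf is on the list. */
int find_non_fips_leaf(const char *alg, char *out, size_t outlen)
{
    const char *p = alg;

    while (*p) {
        size_t len = strcspn(p, "(),");

        for (size_t i = 0; len > 0 && p[len] != '(' && i < N_NON_FIPS; i++) {
            /* exact-length match, so "des3_ede" is not taken for "des" */
            if (strlen(non_fips[i]) == len && !strncmp(p, non_fips[i], len)) {
                snprintf(out, outlen, "%s", non_fips[i]);
                return 1;
            }
        }
        p += len;
        if (*p)
            p++; /* step over the delimiter */
    }
    return 0;
}

int main(void)
{
    const char *names[] = {
        "authenc(hmac(md5),ecb(cipher_null))", /* from the message */
        "authenc(hmac(sha512),cbc(des))",      /* from the message */
        "authenc(hmac(sha256),cbc(aes))",      /* constructed control */
    };
    char leaf[32];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int hit = find_non_fips_leaf(names[i], leaf, sizeof(leaf));
        printf("%-38s %s%s\n", names[i],
               hit ? "wraps non-FIPS " : "no listed primitive", hit ? leaf : "");
    }
    return 0;
}
```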