+ Xin Long

On Thu, Jun 01, 2023 at 11:47:54PM +0530, Ashwin Dayanand Kamat wrote:
> MD5 is not FIPS compliant. But still md5 was used as the
> default algorithm for sctp if fips was enabled.
> Due to this, listen() system call in ltp tests was
> failing for sctp in fips environment, with below error message.
>
> [ 6397.892677] sctp: failed to load transform for md5: -2
>
> Fix is to not assign md5 as default algorithm for sctp
> if fips_enabled is true. Instead make sha1 as default algorithm.
> The issue fixes ltp testcase failure "cve-2018-5803 sctp_big_chunk"
>
> Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@xxxxxxxxxx>
> ---
> v3:
> * Resolved hunk failures.
> * Changed the ratelimited notice to be more meaningful.
> * Used ternary condition for if/else condition.
> v2:
> * The listener can still fail if fips mode is enabled after
>   that the netns is initialized.
> * Fixed this in sctp_listen_start() as suggested by
>   Paolo Abeni <pabeni@xxxxxxxxxx>

FWIIW, this seems reasonable to me.

Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
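
Added example, not part of the thread or the patch: a shell check for the condition the quoted commit message describes, FIPS mode enabled while SCTP still selects md5 for the cookie HMAC. It assumes the standard procfs paths `/proc/sys/crypto/fips_enabled` and `/proc/sys/net/sctp/cookie_hmac_alg`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the patch. Function names are hypothetical.
# Flags a host where FIPS mode is on while SCTP still selects md5 for the
# cookie HMAC, the combination behind "failed to load transform for md5".

# Print a sysctl file's value without whitespace, or $2 if it is unreadable
# (for example when the sctp module is not loaded).
read_sysctl() {
    if [ -r "$1" ]; then
        tr -d ' \t\n' < "$1"
    else
        printf '%s' "$2"
    fi
}

# sctp_fips_verdict FIPS ALG
# Returns 0 = usable, 1 = md5 selected under FIPS, 2 = cannot decide.
sctp_fips_verdict() {
    case "$2" in
        md5)
            if [ "$1" = 1 ]; then
                echo "CONFLICT: fips_enabled=1 but cookie_hmac_alg=md5"
                return 1
            fi
            echo "OK: cookie_hmac_alg=md5, FIPS mode off"
            ;;
        sha1|none)
            echo "OK: cookie_hmac_alg=$2 does not need md5 (fips_enabled=$1)"
            ;;
        *)
            echo "UNKNOWN: cookie_hmac_alg=$2 (fips_enabled=$1)"
            return 2
            ;;
    esac
}

# audit_sctp_cookie_hmac [FIPS_FILE] [ALG_FILE]; defaults are the procfs paths.
audit_sctp_cookie_hmac() {
    fips=$(read_sysctl "${1:-/proc/sys/crypto/fips_enabled}" 0)
    alg=$(read_sysctl "${2:-/proc/sys/net/sctp/cookie_hmac_alg}" unknown)
    sctp_fips_verdict "$fips" "$alg"
}
```

Calling `audit_sctp_cookie_hmac` with no arguments reads the live host; the non-zero return codes let it gate a compliance or pre-deployment check.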