On Fri, Jun 2, 2023 at 11:15 AM Simon Horman <simon.horman@xxxxxxxxxxxx> wrote:
>
> + Xin Long
>
> On Thu, Jun 01, 2023 at 11:47:54PM +0530, Ashwin Dayanand Kamat wrote:
> > MD5 is not FIPS compliant. But still md5 was used as the
> > default algorithm for sctp if fips was enabled.
> > Due to this, listen() system call in ltp tests was
> > failing for sctp in fips environment, with below error message.
> >
> > [ 6397.892677] sctp: failed to load transform for md5: -2
> >
> > Fix is to not assign md5 as default algorithm for sctp
> > if fips_enabled is true. Instead make sha1 as default algorithm.
> > The issue fixes ltp testcase failure "cve-2018-5803 sctp_big_chunk"

Hi, Ashwin,

I have the same question as Paolo about "this patch gets fips compliance
_disabling_ the encryption", is it from any standard?

If not, can't you fix the ltp testcase for fips environment by sysctl?
or set 'CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y' instead in config.

Sorry if I don't understand this well. You're trying to avoid SCTP code
calling crypto_alloc_shash(MD5), right? What about other places where it
may also do it in kernel? (where ltp just doesn't cover)

I don't think it makes sense to let SCTP have some code rely on FIPS only
to make ltp testcase happy, while we can actually fix it in ltp by "sysctl".

Thanks.

> >
> > Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@xxxxxxxxxx>
> > ---
> > v3:
> > * Resolved hunk failures.
> > * Changed the ratelimited notice to be more meaningful.
> > * Used ternary condition for if/else condition.
> > v2:
> > * The listener can still fail if fips mode is enabled after
> > that the netns is initialized.
> > * Fixed this in sctp_listen_start() as suggested by
> > Paolo Abeni <pabeni@xxxxxxxxxx>
>
> FWIW, this seems reasonable to me.
>
> Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
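The sysctl route Xin Long suggests, as an added example that is not part of the thread or of the kernel patch under review: a pre-flight check that reads the host's `fips_enabled` flag and the current `net.sctp.cookie_hmac_alg` default, decides whether an SCTP `listen()` would hit the "failed to load transform for md5" failure, and prints the `sysctl -w` command to switch the default to sha1. The procfs paths are the real kernel ones; the function names and the decision table (md5 rejected under FIPS, sha1 and none accepted) are this example's own assumptions, and on a host without the sctp module the files are simply absent and the kernel's default of md5 is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel: check whether the
# SCTP cookie HMAC default would fail to instantiate in FIPS mode, and suggest
# the sysctl fix instead of changing kernel code.

FIPS_FLAG=/proc/sys/crypto/fips_enabled          # real sysctl path
SCTP_ALG=/proc/sys/net/sctp/cookie_hmac_alg       # real sysctl path

# read_or_default FILE DEFAULT: print FILE's first line, or DEFAULT if unreadable
read_or_default() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        printf '%s\n' "$2"
    fi
}

# cookie_alg_allowed FIPS ALG: exit 0 if the kernel can allocate the cookie
# HMAC transform with fips_enabled=FIPS, 1 if listen() would fail.
# Assumed decision table: md5 is refused when fips_enabled=1; sha1 and "none"
# (HMAC disabled) are always accepted; any other string is not a valid setting.
cookie_alg_allowed() {
    fips=$1
    alg=$2
    case "$alg" in
        md5)       [ "$fips" != 1 ] ;;
        sha1|none) return 0 ;;
        *)         return 1 ;;
    esac
}

# recommended_cookie_alg FIPS CURRENT: keep CURRENT if it works, else sha1
recommended_cookie_alg() {
    if cookie_alg_allowed "$1" "$2"; then
        printf '%s\n' "$2"
    else
        printf 'sha1\n'
    fi
}

# check_host: report the live setting; exit 1 and print the fix if the
# current default would make SCTP listen() fail on this host.
check_host() {
    fips=$(read_or_default "$FIPS_FLAG" 0)
    cur=$(read_or_default "$SCTP_ALG" md5)    # kernel default when unset
    want=$(recommended_cookie_alg "$fips" "$cur")
    if [ "$want" = "$cur" ]; then
        echo "fips_enabled=$fips cookie_hmac_alg=$cur: ok"
        return 0
    fi
    echo "fips_enabled=$fips cookie_hmac_alg=$cur: SCTP listen() will fail"
    echo "fix: sysctl -w net.sctp.cookie_hmac_alg=$want"
    return 1
}

check_host
```

Run it as root on the test host before the ltp run; the sysctl is per-netns, so a test that creates its own namespaces has to apply it there as well, which is the "listener can still fail" case the v2 changelog mentions.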