[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-crypto-vger
Subject: [PATCH 0/1] fips-allowed tests fail with non-FIPS ciphers
From: John Haxby <john.haxby () oracle ! com>
Date: 2015-09-24 16:02:02
Message-ID: 1443110523-23473-1-git-send-email-john.haxby () oracle ! com
[Download RAW message or body]
Hello All,
"Make fips=1 work on 4.1", they said, wittily, "it'll be easy."
I suppose it wasn't that complicated, although I seem to be unearthing
other problems as I go along. The first problem was dracut (and I owe
an upstream patch for that) and the second problem was tcrypt.
The tcrypt module was failing on authenc ciphers that wrap non-FIPS
ciphers and hashes. These ones in fact:
authenc(hmac(md5),ecb(cipher_null))
authenc(hmac(sha1),cbc(des))
authenc(hmac(sha1),ecb(cipher_null))
authenc(hmac(sha224),cbc(des))
authenc(hmac(sha256),cbc(des))
authenc(hmac(sha384),cbc(des))
authenc(hmac(sha512),cbc(des))
I'm fairly sure that wrapping des, cipher_null and md5 in authenc
shouldn't make them fips-allowed so the following patch simply removes
that.
Interestingly, some of these just failed outright and others just sat
there chewing CPU time. I think that's just a curiousity though,
rather than a problem.
jch
John Haxby (1):
Disable fips-allowed for non-FIPS authenc ciphers
crypto/testmgr.c | 7 -------
1 file changed, 7 deletions(-)
--
2.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic