From: Petr Vorel <pvorel@suse.cz>
To: Eric Biggers <ebiggers@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org, Cyril Hrubis <chrubis@suse.cz>
Subject: Re: ELIBBAD vs. ENOENT for ciphers not allowed by FIPS
Date: Thu, 23 Dec 2021 09:21:13 +0100 [thread overview]
Message-ID: <YcQxeW/hzS7cCUCs@pevik> (raw)
In-Reply-To: <YcOqoGOLfNTZh/ZF@quark>
Hi Herbert, Eric,
[ Cc Cyril ]
> On Thu, Dec 23, 2021 at 09:31:33AM +1100, Herbert Xu wrote:
> > On Wed, Dec 22, 2021 at 04:25:07PM -0600, Eric Biggers wrote:
> > > Isn't it just an implementation detail that !fips_allowed is handled by the
> > > self-test? Wouldn't it make more sense to report ENOENT for such algorithms?
> > ELIBBAD does not necessarily mean !fips_allowed, it could also
> > mean a specific implementation (or hardware) failed the self-test.
Herbert, Thanks for confirmation this was intended.
> > Yes, we could change ELIBBAD to something else in the case of
> > !fips_allowed, but it's certainly not a trivial change.
> > Please give a motivation for this.
> > Thanks,
> Some of the LTP tests check for ENOENT to determine whether an algorithm is
> intentionally unavailable, as opposed to it failing due to some other error.
> There is code in the kernel that does this same check too, e.g.
> fs/crypto/keysetup.c and block/blk-crypto-fallback.c.
> The way that ELIBBAD is overloaded to mean essentially the same thing as ENOENT,
> but only in some cases, is not expected.
> It would be more logical for ELIBBAD to be restricted to actual test failures.
> If it is too late to change, then fine, but it seems like a bug to me.
Not sure if it's a bug or not. With ENOENT everybody would understand missing
algorithm (no fix needed in the software). OTOH ELIBBAD allow to distinguish the
reason (algorithm was there, but disabled).
Kind regards,
Petr
> - Eric
next prev parent reply other threads:[~2021-12-23 8:21 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-22 19:11 ELIBBAD vs. ENOENT for ciphers not allowed by FIPS Petr Vorel
2021-12-22 22:08 ` Herbert Xu
2021-12-22 22:25 ` Eric Biggers
2021-12-22 22:31 ` Herbert Xu
2021-12-22 22:45 ` Eric Biggers
2021-12-23 8:21 ` Petr Vorel [this message]
2021-12-23 15:08 ` Eric Biggers
2021-12-27 5:52 ` Herbert Xu
2021-12-27 5:51 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YcQxeW/hzS7cCUCs@pevik \
--to=pvorel@suse.cz \
--cc=chrubis@suse.cz \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox