From: Christoph Hellwig <hch@infradead.org>
To: Maurizio Lombardi <mlombard@redhat.com>
Cc: cleech@redhat.com, mchristi@redhat.com,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, "Black,
David" <David.Black@dell.com>
Subject: Re: [RFC PATCH 0/4] iscsi: chap: introduce support for SHA1 and SHA3-256
Date: Tue, 3 Sep 2019 00:00:13 -0700 [thread overview]
Message-ID: <20190903070013.GA12256@infradead.org> (raw)
In-Reply-To: <20190829155929.27701-1-mlombard@redhat.com>
On Thu, Aug 29, 2019 at 05:59:25PM +0200, Maurizio Lombardi wrote:
> iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS compliant.
> This is due to the fact that CHAP currently uses MD5 as the only supported
> digest algorithm and MD5 is not allowed by FIPS.
>
> When FIPS mode is enabled on the target server, the CHAP authentication
> won't work because the target driver will be prevented from using the MD5 module.
>
> Given that CHAP is agnostic regarding the algorithm it uses, this
> patchset introduce support for two new alternatives: SHA1 and SHA3-256.
>
> SHA1 has already its own assigned value for its use in CHAP, as reported by IANA:
> https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xml#ppp-numbers-9
> On the other hand the use of SHA1 on FIPS-enabled systems has been deprecated
> and therefore it's not a vialable long term option.
>
> We could consider introducing a more modern hash algorithm like SHA3-256, as
> this patchset does.
But we'll need IANA assignments and IETF consensus before adding new
algorithms to ensure we have interoperable implementations.
Adding Dave Black who has helped with IANA interaction in NVMe recently.
next prev parent reply other threads:[~2019-09-03 7:00 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 15:59 [RFC PATCH 0/4] iscsi: chap: introduce support for SHA1 and SHA3-256 Maurizio Lombardi
2019-08-29 15:59 ` [PATCH 1/4] target-iscsi: CHAP: add support to SHA1 and SHA3-256 hash functions Maurizio Lombardi
2019-08-29 15:59 ` [PATCH 2/4] target-iscsi: remove unneeded function Maurizio Lombardi
2019-08-29 15:59 ` [PATCH 3/4] target-iscsi: tie the challenge length to the hash digest size Maurizio Lombardi
2019-08-29 15:59 ` [PATCH 4/4] target-iscsi: rename some variables to avoid confusion Maurizio Lombardi
2019-09-03 7:00 ` Christoph Hellwig [this message]
2019-09-03 23:59 ` [RFC PATCH 0/4] iscsi: chap: introduce support for SHA1 and SHA3-256 Black, David
2019-09-10 14:07 ` Maurizio Lombardi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190903070013.GA12256@infradead.org \
--to=hch@infradead.org \
--cc=David.Black@dell.com \
--cc=cleech@redhat.com \
--cc=linux-scsi@vger.kernel.org \
--cc=mchristi@redhat.com \
--cc=mlombard@redhat.com \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox