From: Simon Horman <simon.horman@corigine.com>
To: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Srivatsa Bhat <srivatsab@vmware.com>,
"srivatsa@csail.mit.edu" <srivatsa@csail.mit.edu>,
Alexey Makhalov <amakhalov@vmware.com>,
Vasavi Sirnapalli <vsirnapalli@vmware.com>,
Ajay Kaher <akaher@vmware.com>, Tapas Kundu <tkundu@vmware.com>,
Keerthana Kalyanasundaram <keerthanak@vmware.com>
Subject: Re: [PATCH v2] net/sctp: Make sha1 as default algorithm if fips is enabled
Date: Sat, 27 May 2023 16:13:25 +0200 [thread overview]
Message-ID: <ZHIQBUEvo49G9j/0@corigine.com> (raw)
In-Reply-To: <B70BBC83-2B9F-4C49-943D-74C424EA4DCE@vmware.com>
On Sat, May 27, 2023 at 07:49:26AM +0000, Ashwin Dayanand Kamat wrote:
>
>
> > On 25-Mar-2023, at 12:03 PM, Ashwin Dayanand Kamat <kashwindayan@vmware.com> wrote:
> >
> >
> >> On 23-Mar-2023, at 2:16 AM, Simon Horman <simon.horman@corigine.com> wrote:
> >>
> >> !! External Email
> >>
> >> On Wed, Mar 22, 2023 at 07:34:40PM +0530, Ashwin Dayanand Kamat wrote:
> >>> MD5 is not FIPS compliant. But still md5 was used as the default
> >>> algorithm for sctp if fips was enabled.
> >>> Due to this, listen() system call in ltp tests was failing for sctp
> >>> in fips environment, with below error message.
> >>>
> >>> [ 6397.892677] sctp: failed to load transform for md5: -2
> >>>
> >>> Fix is to not assign md5 as default algorithm for sctp
> >>> if fips_enabled is true. Instead make sha1 as default algorithm.
> >>>
> >>> Fixes: ltp testcase failure "cve-2018-5803 sctp_big_chunk"
> >>> Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> >>> ---
> >>> v2:
> >>> the listener can still fail if fips mode is enabled after
> >>> that the netns is initialized. So taking action in sctp_listen_start()
> >>> and buming a ratelimited notice the selected hmac is changed due to fips.
> >>> ---
> >>> net/sctp/socket.c | 10 ++++++++++
> >>> 1 file changed, 10 insertions(+)
> >>>
> >>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> >>> index b91616f819de..a1107f42869e 100644
> >>> --- a/net/sctp/socket.c
> >>> +++ b/net/sctp/socket.c
> >>> @@ -49,6 +49,7 @@
> >>> #include <linux/poll.h>
> >>> #include <linux/init.h>
> >>> #include <linux/slab.h>
> >>> +#include <linux/fips.h>
> >>> #include <linux/file.h>
> >>> #include <linux/compat.h>
> >>> #include <linux/rhashtable.h>
> >>> @@ -8496,6 +8497,15 @@ static int sctp_listen_start(struct sock *sk, int backlog)
> >>> struct crypto_shash *tfm = NULL;
> >>> char alg[32];
> >>>
> >>> + if (fips_enabled && !strcmp(sp->sctp_hmac_alg, "md5")) {
> >>> +#if (IS_ENABLED(CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1))
> >>
> >> I'm probably misunderstanding things, but would
> >> IS_ENABLED(CONFIG_SCTP_COOKIE_HMAC_SHA1)
> >> be more appropriate here?
> >>
> >
> > Hi Simon,
> > I have moved the same check from sctp_init() to here based on the review for v1 patch.
> > Please let me know if there is any alternative which can be used?
> >
> > Thanks,
> > Ashwin Kamat
> >
> Hi Team,
> Any update on this?
Hi Ashwin,
I don't recall exactly what I was thinking 2 months ago.
But looking at this a second time it seems that I may have misread your
patch: I now have no objections to it in its original form.
next prev parent reply other threads:[~2023-05-27 14:14 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-22 14:04 [PATCH v2] net/sctp: Make sha1 as default algorithm if fips is enabled Ashwin Dayanand Kamat
2023-03-22 20:46 ` Simon Horman
[not found] ` <4BCFED42-2BBD-42B0-91C5-B12FEE000812@vmware.com>
2023-03-25 6:33 ` Ashwin Dayanand Kamat
2023-05-27 7:49 ` Ashwin Dayanand Kamat
2023-05-27 14:13 ` Simon Horman [this message]
2023-06-01 18:21 ` Ashwin Dayanand Kamat
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZHIQBUEvo49G9j/0@corigine.com \
--to=simon.horman@corigine.com \
--cc=akaher@vmware.com \
--cc=amakhalov@vmware.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kashwindayan@vmware.com \
--cc=keerthanak@vmware.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pabeni@redhat.com \
--cc=srivatsa@csail.mit.edu \
--cc=srivatsab@vmware.com \
--cc=tkundu@vmware.com \
--cc=vsirnapalli@vmware.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).