* FIPS mode: modprobe: ERROR: could not insert 'drbg'
From: Tapas Sarangi @ 2016-08-09 16:34 UTC
To: linux-crypto

Hi Stephan,

Following up from the other thread:

While trying to boot in FIPS mode, kernel panics with the following message. So far, I don't have success to get more information about which module or symbol is causing this. I haven't found any errors or warnings in kernel compilation. It boots fine in a non-fips mode.

I am also pasting the CRYPTO related configs that I have enabled (See below).

-Tapas

/boot/vmlinuz-4.7.0-1.tos2_5: OK
modprobe: ERROR: could not insert 'drbg': Unknown symbol in module, or unknown parameter (see dmesg)
[    1.330798] dracut: FATAL: FIPS integrity test failed
[    1.331534] dracut: Refusing to continue
[    1.333491] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    1.333491]
[    1.334768] CPU: 0 PID: 1 Comm: init Not tainted 4.7.0-1.tos2_5 #1
[    1.335632] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[    1.336114]  0000000000000000 ffff88003e1dfbc8 ffffffff812ae299 0000000000000001
[    1.336114]  0000000000000001 ffffffff81716b00 ffff88003e210000 ffff88003e1dfc48
[    1.336114]  ffffffff81104fd4 0000000000000010 ffff88003e1dfc58 ffff88003e1dfbf8
[    1.336114] Call Trace:
[    1.336114]  [<ffffffff812ae299>] dump_stack+0x51/0x78
[    1.336114]  [<ffffffff81104fd4>] panic+0xc1/0x211
[    1.336114]  [<ffffffff81058781>] forget_original_parent+0x411/0x420
[    1.336114]  [<ffffffff810f4a12>] ? perf_pin_task_context+0x12/0x40
[    1.336114]  [<ffffffff810fcd52>] ? perf_event_exit_task+0x3b2/0x470
[    1.336114]  [<ffffffff81058cb6>] exit_notify+0x36/0x1e0
[    1.336114]  [<ffffffff810d4b61>] ? cgroup_exit+0x71/0xc0
[    1.336114]  [<ffffffff81070fdf>] ? task_work_run+0x5f/0x90
[    1.336114]  [<ffffffff8105a4ff>] do_exit+0x31f/0x640
[    1.336114]  [<ffffffff811726d9>] ? ____fput+0x9/0x10
[    1.336114]  [<ffffffff81070fdf>] ? task_work_run+0x5f/0x90
[    1.336114]  [<ffffffff81046d0e>] ? __do_page_fault+0x17e/0x450
[    1.336114]  [<ffffffff8105a869>] do_group_exit+0x49/0xb0
[    1.336114]  [<ffffffff8105a8e2>] SyS_exit_group+0x12/0x20
[    1.336114]  [<ffffffff8154dd9b>] entry_SYSCALL_64_fastpath+0x13/0x8f
[    1.336114] Kernel Offset: disabled
[    1.336114] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[    1.336114]

# Enabled CRYPTO configs

[root@localhost ~]# egrep 'CRYPTO.*=y|CRYPTO.*=m' /boot/config-4.7.0-1.tos2_5
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_RT2X00_LIB_CRYPTO=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=m
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=m
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=m
CONFIG_CRYPTO_GF128MUL=m
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=m
CONFIG_CRYPTO_MCRYPTD=m
CONFIG_CRYPTO_AUTHENC=m
CONFIG_CRYPTO_TEST=m
CONFIG_CRYPTO_ABLK_HELPER=m
CONFIG_CRYPTO_GLUE_HELPER_X86=m
CONFIG_CRYPTO_CCM=m
CONFIG_CRYPTO_GCM=m
CONFIG_CRYPTO_SEQIV=m
CONFIG_CRYPTO_ECHAINIV=m
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_CTR=m
CONFIG_CRYPTO_CTS=m
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_CMAC=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_XCBC=m
CONFIG_CRYPTO_VMAC=m
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32=m
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
CONFIG_CRYPTO_GHASH=m
CONFIG_CRYPTO_MD4=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=m
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
CONFIG_CRYPTO_RMD320=m
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=m
CONFIG_CRYPTO_SHA256_SSSE3=m
CONFIG_CRYPTO_SHA512_SSSE3=m
CONFIG_CRYPTO_SHA1_MB=m
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_TGR192=m
CONFIG_CRYPTO_WP512=m
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_AES_NI_INTEL=m
CONFIG_CRYPTO_ANUBIS=m
CONFIG_CRYPTO_ARC4=m
CONFIG_CRYPTO_BLOWFISH=m
CONFIG_CRYPTO_BLOWFISH_COMMON=m
CONFIG_CRYPTO_BLOWFISH_X86_64=m
CONFIG_CRYPTO_CAMELLIA=m
CONFIG_CRYPTO_CAMELLIA_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
CONFIG_CRYPTO_CAST_COMMON=m
CONFIG_CRYPTO_CAST5=m
CONFIG_CRYPTO_CAST5_AVX_X86_64=m
CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CAST6_AVX_X86_64=m
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_FCRYPT=m
CONFIG_CRYPTO_KHAZAD=m
CONFIG_CRYPTO_SALSA20=m
CONFIG_CRYPTO_SALSA20_X86_64=m
CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TWOFISH=m
CONFIG_CRYPTO_TWOFISH_COMMON=m
CONFIG_CRYPTO_TWOFISH_X86_64=m
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
CONFIG_CRYPTO_DEFLATE=m
CONFIG_CRYPTO_LZO=m
CONFIG_CRYPTO_LZ4=m
CONFIG_CRYPTO_LZ4HC=m
CONFIG_CRYPTO_ANSI_CPRNG=m
CONFIG_CRYPTO_DRBG_MENU=m
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG=m
CONFIG_CRYPTO_JITTERENTROPY=m
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=m
CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
CONFIG_CRYPTO_DEV_QAT=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
* Re: FIPS mode: modprobe: ERROR: could not insert 'drbg'
From: Stephan Mueller @ 2016-08-09 17:05 UTC
To: Tapas Sarangi
Cc: linux-crypto

On Tuesday, 9 August 2016, 16:34:59 CEST, Tapas Sarangi wrote:

Hi Tapas,

> Hi Stephan,
>
> Following up from the other thread:
>
> While trying to boot in FIPS mode, kernel panics with the following
> message. So far, I don't have success to get more information about which
> module or symbol is causing this. I haven't found any errors or warnings
> in kernel compilation. It boots fine in a non-fips mode.
>
> I am also pasting the CRYPTO related configs that I have enabled (See
> below).

I do not see the issue immediately. Could you boot without fips=1 and do a modprobe drbg?

I am also testing fips=1 now.

Ciao
Stephan
* Re: FIPS mode: modprobe: ERROR: could not insert 'drbg'
From: Tapas Sarangi @ 2016-08-09 17:11 UTC
To: Stephan Mueller
Cc: linux-crypto

Hi Stephan,

Thanks. I have already tried that. The 'drbg' module is loaded fine in a non-fips mode. Here is the output from some commands.

I see that at some point you had a patch to use CONFIG_CRYPTO_LRNG. I am not using that, could that be a problem?

-Tapas

[root@localhost ~]# modprobe drbg
[root@localhost ~]# echo $?
0
[root@localhost ~]# dmesg | tail -5
[    3.636174] nf_conntrack version 0.5.0 (7168 buckets, 28672 max)
[    3.738645] NET: Registered protocol family 10
[    3.743004] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    3.773384] input: ImExPS/2 BYD TouchPad as /devices/platform/i8042/serio1/input/input3
[    3.776803] mousedev: PS/2 mouse device common for all mice
[root@localhost ~]# lsmod | grep drbg
drbg                   14147  1
[root@localhost ~]# modinfo drbg
filename:       /lib/modules/4.7.0-1.tos2_5/kernel/crypto/drbg.ko.gz
alias:          crypto-stdrng
alias:          stdrng
description:    NIST SP800-90A Deterministic Random Bit Generator (DRBG) using following cores: HMAC
author:         Stephan Mueller <smueller@chronox.de>
license:        GPL
alias:          crypto-drbg_nopr_hmac_sha1
alias:          drbg_nopr_hmac_sha1
alias:          crypto-drbg_pr_hmac_sha1
alias:          drbg_pr_hmac_sha1
alias:          crypto-drbg_nopr_hmac_sha256
alias:          drbg_nopr_hmac_sha256
alias:          crypto-drbg_pr_hmac_sha256
alias:          drbg_pr_hmac_sha256
alias:          crypto-drbg_nopr_hmac_sha384
alias:          drbg_nopr_hmac_sha384
alias:          crypto-drbg_pr_hmac_sha384
alias:          drbg_pr_hmac_sha384
alias:          crypto-drbg_nopr_hmac_sha512
alias:          drbg_nopr_hmac_sha512
alias:          crypto-drbg_pr_hmac_sha512
alias:          drbg_pr_hmac_sha512
depends:
intree:         Y
vermagic:       4.7.0-1.tos2_5 SMP mod_unload modversions

On 8/9/16, 12:05 PM, "Stephan Mueller" <smueller@chronox.de> wrote:

>On Tuesday, 9 August 2016, 16:34:59 CEST, Tapas Sarangi wrote:
>
>Hi Tapas,
>
>> Hi Stephan,
>>
>> Following up from the other thread:
>>
>> While trying to boot in FIPS mode, kernel panics with the following
>> message. So far, I don't have success to get more information about
>> which module or symbol is causing this. I haven't found any errors or
>> warnings in kernel compilation. It boots fine in a non-fips mode.
>>
>> I am also pasting the CRYPTO related configs that I have enabled (See
>> below).
>
>I do not see the issue immediately. Could you boot without fips=1 and do
>a modprobe drbg?
>
>I am also testing fips=1 now.
>
>Ciao
>Stephan
* Re: FIPS mode: modprobe: ERROR: could not insert 'drbg'
From: Stephan Mueller @ 2016-08-09 17:52 UTC
To: Tapas Sarangi, herbert
Cc: linux-crypto

On Tuesday, 9 August 2016, 17:11:09 CEST, Tapas Sarangi wrote:

Hi Tapas, Herbert,

> Hi Stephan,
>
> Thanks. I have already tried that. The 'drbg' module is loaded fine in a
> non-fips mode. Here is the output from some commands.

There is something strange going on. I have to compile the DRBG statically. When booting the kernel with fips=1 (of course after changing the key size to 2k or 3k in certs/x509.genkey), the DRBG does not show up in /proc/crypto nor can I find testmgr entries about the DRBG. When I reboot the kernel without fips=1, all works as expected.

When I create a copy of the drbg.c code and have it compiled as a module to ensure it is signed, I can insmod it and the testmgr successfully tests it.

Note, with fips=1, my kernel crashes randomly somewhere in the elf loading code -- I guess it is because there is no stdrng.

> I see that at some point you had a patch to use CONFIG_CRYPTO_LRNG. I am
> not using that, could that be a problem?

Nope, this LRNG is something completely different -- it is my proposal to replace the current /dev/random and /dev/urandom implementation as documented in [1].

[1] http://www.chronox.de/lrng.html

Ciao
Stephan
* [PATCH] crypto: DRBG: do not call drbg_instantiate in health test
From: Stephan Mueller @ 2016-08-09 19:02 UTC
To: Tapas Sarangi
Cc: herbert, linux-crypto

On Tuesday, 9 August 2016, 19:52:46 CEST, Stephan Mueller wrote:

Hi Tapas,

I think I found the issue. Can you please test the attached patch?

---8<---

When calling the DRBG health test in FIPS mode, the Jitter RNG is not yet present in the kernel crypto API which will cause the instantiation to fail and thus the health test to fail.

As the health tests cover the enforcement of various thresholds, invoke the functions that are supposed to enforce the thresholds directly.

This patch also saves precious seed.

Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/drbg.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index f752da3..edf3ce0 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1917,6 +1917,8 @@ static inline int __init drbg_healthcheck_sanity(void)
 		return -ENOMEM;
 
 	mutex_init(&drbg->drbg_mutex);
+	drbg->core = &drbg_cores[coreref];
+	drbg->reseed_threshold = drbg_max_requests(drbg);
 
 	/*
 	 * if the following tests fail, it is likely that there is a buffer
@@ -1926,12 +1928,6 @@ static inline int __init drbg_healthcheck_sanity(void)
 	 * grave bug.
 	 */
 
-	/* get a valid instance of DRBG for following tests */
-	ret = drbg_instantiate(drbg, NULL, coreref, pr);
-	if (ret) {
-		rc = ret;
-		goto outbuf;
-	}
 	max_addtllen = drbg_max_addtl(drbg);
 	max_request_bytes = drbg_max_request_bytes(drbg);
 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
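Review bot: the two added assignments in the first hunk (`drbg->core = &drbg_cores[coreref];` and `drbg->reseed_threshold = drbg_max_requests(drbg);`) hand-initialise exactly the state that the removed drbg_instantiate() call in the second hunk used to set, and every call that follows (drbg_max_addtl(), drbg_max_request_bytes(), drbg_generate()) now runs against that partial, never-seeded state. A one-line comment next to the assignments stating why instantiate cannot be used here (the Jitter RNG is not yet registered when this runs in FIPS mode, as the commit message says) would keep a later cleanup from putting the call back and silently reintroducing the boot failure.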
@@ -1941,10 +1937,9 @@ static inline int __init drbg_healthcheck_sanity(void)
 	/* overflow max_bits */
 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
 	BUG_ON(0 < len);
-	drbg_uninstantiate(drbg);
 
 	/* overflow max addtllen with personalization string */
-	ret = drbg_instantiate(drbg, &addtl, coreref, pr);
+	ret = drbg_seed(drbg, &addtl, false);
 	BUG_ON(0 == ret);
 	/* all tests passed */
 	rc = 0;
@@ -1952,9 +1947,7 @@ static inline int __init drbg_healthcheck_sanity(void)
 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
 		 "completed\n");
 
-	drbg_uninstantiate(drbg);
-outbuf:
-	kzfree(drbg);
+	kfree(drbg);
 	return rc;
 }
 
-- 
2.7.4
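Review bot: in the third hunk, `ret = drbg_seed(drbg, &addtl, false);` is now called on a state that was never instantiated, so the test is only meaningful if drbg_seed() rejects the oversized personalization string (addtl was filled to `max_addtllen + 1` earlier) before it touches any core-specific state or allocates its seed buffer; if that length check sits after the allocation, the failure would be an oops rather than the error code that `BUG_ON(0 == ret)` expects. Worth confirming the order in drbg_seed() and saying so in the comment above the call.

Review bot: the last hunk turns `kzfree(drbg)` into `kfree(drbg)`, which is acceptable now that no seed material is ever written into the state on this path, although kzfree costs nothing and is the conservative default for a struct that may later hold keys again. The same hunk also removes the `outbuf:` label together with its only `goto` from the second hunk, so anyone adding an early failure return between the allocation and the end of the function later must remember to free drbg; a short comment at the kfree would make that explicit.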
* Re: [PATCH] crypto: DRBG: do not call drbg_instantiate in health test
From: Tapas Sarangi @ 2016-08-09 21:59 UTC
To: Stephan Mueller
Cc: herbert, linux-crypto

Hi Stephan,

Thanks. The patch that I applied has different line numbers than yours. In any case, the patch worked to get rid of the 'drbg' related error. Now, fips mode is failing on self-test:

/boot/vmlinuz-4.7.0-1.tos2_5: OK
[    1.296714] alg: skcipher: setkey failed on test 1 for xts(aes-asm): flags=100000
[    1.297665] Kernel panic - not syncing: xts(aes): xts(aes) alg self test failed in fips mode!
[    1.297665]

Thanks
-Tapas

On 8/9/16, 2:02 PM, "Stephan Mueller" <smueller@chronox.de> wrote:

>On Tuesday, 9 August 2016, 19:52:46 CEST, Stephan Mueller wrote:
>
>Hi Tapas,
>
>I think I found the issue. Can you please test the attached patch?
>
>---8<---
>
>When calling the DRBG health test in FIPS mode, the Jitter RNG is not
>yet present in the kernel crypto API which will cause the instantiation
>to fail and thus the health test to fail.
>
>As the health tests cover the enforcement of various thresholds, invoke
>the functions that are supposed to enforce the thresholds directly.
>
>This patch also saves precious seed.
>
>Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
>Signed-off-by: Stephan Mueller <smueller@chronox.de>
>---
> crypto/drbg.c | 15 ++++-----------
> 1 file changed, 4 insertions(+), 11 deletions(-)
>
>diff --git a/crypto/drbg.c b/crypto/drbg.c
>index f752da3..edf3ce0 100644
>--- a/crypto/drbg.c
>+++ b/crypto/drbg.c
>@@ -1917,6 +1917,8 @@ static inline int __init drbg_healthcheck_sanity(void)
> 		return -ENOMEM;
> 
> 	mutex_init(&drbg->drbg_mutex);
>+	drbg->core = &drbg_cores[coreref];
>+	drbg->reseed_threshold = drbg_max_requests(drbg);
> 
> 	/*
> 	 * if the following tests fail, it is likely that there is a buffer
>@@ -1926,12 +1928,6 @@ static inline int __init drbg_healthcheck_sanity(void)
> 	 * grave bug.
> 	 */
> 
>-	/* get a valid instance of DRBG for following tests */
>-	ret = drbg_instantiate(drbg, NULL, coreref, pr);
>-	if (ret) {
>-		rc = ret;
>-		goto outbuf;
>-	}
> 	max_addtllen = drbg_max_addtl(drbg);
> 	max_request_bytes = drbg_max_request_bytes(drbg);
> 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
>@@ -1941,10 +1937,9 @@ static inline int __init drbg_healthcheck_sanity(void)
> 	/* overflow max_bits */
> 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
> 	BUG_ON(0 < len);
>-	drbg_uninstantiate(drbg);
> 
> 	/* overflow max addtllen with personalization string */
>-	ret = drbg_instantiate(drbg, &addtl, coreref, pr);
>+	ret = drbg_seed(drbg, &addtl, false);
> 	BUG_ON(0 == ret);
> 	/* all tests passed */
> 	rc = 0;
>@@ -1952,9 +1947,7 @@ static inline int __init drbg_healthcheck_sanity(void)
> 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
> 		 "completed\n");
> 
>-	drbg_uninstantiate(drbg);
>-outbuf:
>-	kzfree(drbg);
>+	kfree(drbg);
> 	return rc;
> }
> 
>-- 
>2.7.4
>
>
* [PATCH] crypto: XTS - remove test that will fail in FIPS mode
From: Stephan Mueller @ 2016-08-10 5:49 UTC
To: Tapas Sarangi, herbert
Cc: linux-crypto

Hi Tapas, Herbert,

Tapas: this patch should fix it. Can you please test?

Herbert: The reason why I did not catch this issue in my tests is the following: I compile xts-aes-aesni statically as you can see below. The self test is marked as passed, although there is no XTS test performed. When you boot in FIPS mode, the testmgr prints out all tests. But XTS is not among them. Do you have an idea why that happens?

name         : xts(aes)
driver       : xts-aes-aesni
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 32
max keysize  : 64
ivsize       : 16
geniv        : <default>

---8<---

In FIPS mode, setting XTS keys where the AES key is identical to the tweak key is forbidden. Thus, the self test with such property will fail in FIPS mode.

As we have other tests available for XTS, this patch simply removes the offending test vectors.

Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/testmgr.h | 36 ------------------------------------
 1 file changed, 36 deletions(-)

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index acb6bbf..e4b58f5 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -10179,24 +10179,6 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = {
 static struct cipher_testvec tf_xts_enc_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	{
-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.klen	= 32,
-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.input	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.ilen	= 32,
-		.result	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
-		.rlen	= 32,
-	}, {
 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
@@ -10522,24 +10504,6 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.klen	= 32,
-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.input	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
-		.ilen	= 32,
-		.result	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.rlen	= 32,
-	}, {
 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
-- 
2.7.4
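Review bot: the first hunk edits tf_xts_enc_tv_template (Twofish XTS, "Generated from AES-XTS test vectors"), but the failure being fixed is `setkey failed on test 1 for xts(aes-asm)`, whose vectors live in aes_xts_enc_tv_template. The all-zero tf_xts vector has the same key1 == key2 property and will trip the same FIPS check for xts(twofish), so deleting it is not wrong, but it does not touch the vector that panics this box. Separately, the diffstat shows 36 deletions and no insertions, so the count macro that testmgr.c uses for this template (TF_XTS_ENC_TEST_VECTORS in this tree's testmgr.h) is not decremented, and the self test would read one entry past the end of the shortened array.

Review bot: the second hunk, on tf_xts_dec_tv_template, has the same two problems: it removes the Twofish decryption vector rather than the AES one named in the report, and the matching decryption count macro is not reduced by one in the same patch, leaving the `.count` larger than the array.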
* Re: [PATCH] crypto: XTS - remove test that will fail in FIPS mode
From: Tapas Sarangi @ 2016-08-10 22:08 UTC
To: Stephan Mueller, herbert
Cc: linux-crypto

Hi Stephan,

Thanks. Sorry for a late reply to this.

I did test your patch for testmgr.h with the vanilla kernel 4.7 source. This doesn't solve the xts(aes) self-test failure in FIPS mode. I get the exact same error as before.

Thanks
-Tapas

On 8/10/16, 12:49 AM, "Stephan Mueller" <smueller@chronox.de> wrote:

>Hi Tapas, Herbert,
>
>Tapas: this patch should fix it. Can you please test?
>
>Herbert: The reason why I did not catch this issue in my tests is the
>following: I compile xts-aes-aesni statically as you can see below. The
>self test is marked as passed, although there is no XTS test performed.
>When you boot in FIPS mode, the testmgr prints out all tests. But XTS is
>not among them. Do you have an idea why that happens?
>
>name         : xts(aes)
>driver       : xts-aes-aesni
>module       : kernel
>priority     : 400
>refcnt       : 1
>selftest     : passed
>internal     : no
>type         : ablkcipher
>async        : yes
>blocksize    : 16
>min keysize  : 32
>max keysize  : 64
>ivsize       : 16
>geniv        : <default>
>
>---8<---
>
>In FIPS mode, setting XTS keys where the AES key is identical to the
>tweak key is forbidden. Thus, the self test with such property will fail
>in FIPS mode.
>
>As we have other tests available for XTS, this patch simply removes the
>offending test vectors.
>
>Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
>Signed-off-by: Stephan Mueller <smueller@chronox.de>
>---
> crypto/testmgr.h | 36 ------------------------------------
> 1 file changed, 36 deletions(-)
>
>diff --git a/crypto/testmgr.h b/crypto/testmgr.h
>index acb6bbf..e4b58f5 100644
>--- a/crypto/testmgr.h
>+++ b/crypto/testmgr.h
>@@ -10179,24 +10179,6 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = {
> static struct cipher_testvec tf_xts_enc_tv_template[] = {
> 	/* Generated from AES-XTS test vectors */
> 	{
>-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.klen	= 32,
>-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.input	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.ilen	= 32,
>-		.result	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
>-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
>-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
>-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
>-		.rlen	= 32,
>-	}, {
> 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
> 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
> 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
>@@ -10522,24 +10504,6 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = {
> 	/* Generated from AES-XTS test vectors */
> 	/* same as enc vectors with input and result reversed */
> 	{
>-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.klen	= 32,
>-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.input	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
>-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
>-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
>-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
>-		.ilen	= 32,
>-		.result	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>-		.rlen	= 32,
>-	}, {
> 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
> 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
> 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
>-- 
>2.7.4
>
>
* Re: [PATCH] crypto: XTS - remove test that will fail in FIPS mode
From: Tapas Sarangi @ 2016-08-11 19:42 UTC
To: Stephan Mueller, herbert
Cc: linux-crypto

Hi Stephan,

Any other ideas about this problem? Since XTS is not amongst the self-tests as you observed, is it safe to disable .fips_allowed for xts(aes) in testmgr.c?

Thanks
-Tapas

On 8/10/16, 5:08 PM, "Tapas Sarangi" <TSarangi@trustwave.com> wrote:

>Hi Stephan,
>
>Thanks. Sorry for a late reply to this.
>
>I did test your patch for testmgr.h with the vanilla kernel 4.7 source.
>This doesn't solve the xts(aes) self-test failure in FIPS mode. I get the
>exact same error as before.
>
>Thanks
>-Tapas
>
>On 8/10/16, 12:49 AM, "Stephan Mueller" <smueller@chronox.de> wrote:
>
>>Hi Tapas, Herbert,
>>
>>Tapas: this patch should fix it. Can you please test?
>>
>>Herbert: The reason why I did not catch this issue in my tests is the
>>following: I compile xts-aes-aesni statically as you can see below. The
>>self test is marked as passed, although there is no XTS test performed.
>>When you boot in FIPS mode, the testmgr prints out all tests. But XTS is
>>not among them. Do you have an idea why that happens?
>>
>>name         : xts(aes)
>>driver       : xts-aes-aesni
>>module       : kernel
>>priority     : 400
>>refcnt       : 1
>>selftest     : passed
>>internal     : no
>>type         : ablkcipher
>>async        : yes
>>blocksize    : 16
>>min keysize  : 32
>>max keysize  : 64
>>ivsize       : 16
>>geniv        : <default>
>>
>>---8<---
>>
>>In FIPS mode, setting XTS keys where the AES key is identical to the
>>tweak key is forbidden. Thus, the self test with such property will fail
>>in FIPS mode.
>>
>>As we have other tests available for XTS, this patch simply removes the
>>offending test vectors.
>>
>>Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
>>Signed-off-by: Stephan Mueller <smueller@chronox.de>
>>---
>> crypto/testmgr.h | 36 ------------------------------------
>> 1 file changed, 36 deletions(-)
>>
>>diff --git a/crypto/testmgr.h b/crypto/testmgr.h
>>index acb6bbf..e4b58f5 100644
>>--- a/crypto/testmgr.h
>>+++ b/crypto/testmgr.h
>>@@ -10179,24 +10179,6 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = {
>> static struct cipher_testvec tf_xts_enc_tv_template[] = {
>> 	/* Generated from AES-XTS test vectors */
>> 	{
>>-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.klen	= 32,
>>-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.input	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.ilen	= 32,
>>-		.result	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
>>-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
>>-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
>>-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
>>-		.rlen	= 32,
>>-	}, {
>> 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
>> 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
>> 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
>>@@ -10522,24 +10504,6 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = {
>> 	/* Generated from AES-XTS test vectors */
>> 	/* same as enc vectors with input and result reversed */
>> 	{
>>-		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.klen	= 32,
>>-		.iv	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.input	= "\x4b\xc9\x44\x4a\x11\xa3\xef\xac"
>>-			  "\x30\x74\xe4\x44\x52\x77\x97\x43"
>>-			  "\xa7\x60\xb2\x45\x2e\xf9\x00\x90"
>>-			  "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0",
>>-		.ilen	= 32,
>>-		.result	= "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
>>-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
>>-		.rlen	= 32,
>>-	}, {
>> 		.key	= "\x11\x11\x11\x11\x11\x11\x11\x11"
>> 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
>> 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
>>-- 
>>2.7.4
>>
>>
>
* Re: [PATCH] crypto: XTS - remove test that will fail in FIPS mode
From: Stephan Mueller @ 2016-08-12 8:43 UTC
To: Tapas Sarangi
Cc: herbert, linux-crypto

On Thursday, 11 August 2016, 19:42:54 CEST, Tapas Sarangi wrote:

Hi Tapas,

> Hi Stephan,
>
> Any other ideas about this problem? Since XTS is not amongst the
> self-tests as you observed, is it safe to disable .fips_allowed for
> xts(aes) in testmgr.c?

If you do that, none of your XTS implementations will be allowed and work in FIPS mode.

The thing is that I cannot reproduce the issue (yet). I am still looking.

Ciao
Stephan
* [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-10 5:49 ` [PATCH] crypto: XTS - remove test that will fail in FIPS mode Stephan Mueller 2016-08-10 22:08 ` Tapas Sarangi @ 2016-08-16 9:38 ` Stephan Mueller 2016-08-17 14:52 ` Tapas Sarangi 2016-08-23 9:47 ` Herbert Xu 1 sibling, 2 replies; 17+ messages in thread From: Stephan Mueller @ 2016-08-16 9:38 UTC (permalink / raw) To: Tapas Sarangi; +Cc: herbert, linux-crypto Hi Tapas, I was able to reproduce the issue now. I tested the patch below and it works for me now. Yet, I see that dracut-fips seems to need some fixes too as it cannot find cmac when compiled as module and has some issues with the authenc() ciphers too. ---8<--- In FIPS mode, setting XTS keys where the AES key is identical to the tweak key is forbidden. Thus, the self test with such property will fail in FIPS mode. As we have other tests available for XTS, this patch simply removes the offending test vectors. Reported-by: Tapas Sarangi <TSarangi@trustwave.com> Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com> --- crypto/testmgr.h | 44 ++++---------------------------------------- 1 file changed, 4 insertions(+), 40 deletions(-) diff --git a/crypto/testmgr.h b/crypto/testmgr.h index acb6bbf..893b321 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -15179,8 +15179,8 @@ static struct cipher_testvec cast6_xts_dec_tv_template[] = { #define HMAC_SHA512_AES_CBC_ENC_TEST_VEC 7 #define AES_LRW_ENC_TEST_VECTORS 8 #define AES_LRW_DEC_TEST_VECTORS 8 -#define AES_XTS_ENC_TEST_VECTORS 5 -#define AES_XTS_DEC_TEST_VECTORS 5 +#define AES_XTS_ENC_TEST_VECTORS 4 +#define AES_XTS_DEC_TEST_VECTORS 4 #define AES_CTR_ENC_TEST_VECTORS 5 #define AES_CTR_DEC_TEST_VECTORS 5 #define AES_OFB_ENC_TEST_VECTORS 1 
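Review bot: the AES_XTS_ENC_TEST_VECTORS and AES_XTS_DEC_TEST_VECTORS counts are hand-maintained here (5 to 4) while the arrays they describe are edited in separate hunks, so nothing checks that count and table still agree; a stale count either runs past the end of the array or silently skips the last vector. Consider sizing the template with ARRAY_SIZE() at the use site, or at least state in the changelog that both counts were verified against the edited tables.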
@@ -18218,25 +18218,7 @@ static struct cipher_testvec aes_lrw_dec_tv_template[] = { static struct cipher_testvec aes_xts_enc_tv_template[] = { /* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */ - { /* XTS-AES 1 */ - .key = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .klen = 32, - .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .input = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .ilen = 32, - .result = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec" - "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92" - "\xcd\x43\xd2\xf5\x95\x98\xed\x85" - "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e", - .rlen = 32, - }, { /* XTS-AES 2 */ + { /* XTS-AES 2 */ .key = "\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11" "\x22\x22\x22\x22\x22\x22\x22\x22" 
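Review bot: deleting XTS-AES 1 removes the only vector in aes_xts_enc_tv_template with an all-zero key, i.e. identical key halves, which is exactly the key shape the FIPS setkey rule is about; outside FIPS mode that key is legal and now goes untested. A per-vector flag that makes the runner skip the entry only when fips_enabled is set, the way expected weak keys are already handled, keeps the coverage in both modes. If the vector is dropped anyway, the IEEE 1619 URL comment now sits above a table that starts at "XTS-AES 2"; a short comment saying vector 1 was intentionally omitted would stop someone re-adding it.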
@@ -18560,25 +18542,7 @@ static struct cipher_testvec aes_xts_enc_tv_template[] = { static struct cipher_testvec aes_xts_dec_tv_template[] = { /* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */ - { /* XTS-AES 1 */ - .key = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .klen = 32, - .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec" - "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92" - "\xcd\x43\xd2\xf5\x95\x98\xed\x85" - "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e", - .ilen = 32, - .result = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .rlen = 32, - }, { /* XTS-AES 2 */ + { /* XTS-AES 2 */ .key = "\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11" "\x22\x22\x22\x22\x22\x22\x22\x22" -- 2.7.4 ^ permalink raw reply related [flat|nested] 17+ messages in thread
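Review bot: the decrypt hunk mirrors the encrypt one (its .input is the .result of the removed encrypt vector), so whatever replaces the deletion, a FIPS-skip flag included, has to be applied to both entries or the decrypt self-test still fails at setkey with the same key. The diffstat (crypto/testmgr.h only, 4 insertions, 40 deletions) also shows v2 no longer touches the twofish XTS table that v1 edited; the changelog should say why that change is no longer needed.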
* Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-16 9:38 ` [PATCH v2] " Stephan Mueller @ 2016-08-17 14:52 ` Tapas Sarangi 2016-08-17 14:57 ` Stephan Mueller 2016-08-23 9:47 ` Herbert Xu 1 sibling, 1 reply; 17+ messages in thread From: Tapas Sarangi @ 2016-08-17 14:52 UTC (permalink / raw) To: Stephan Mueller; +Cc: herbert, linux-crypto Hi Stephan, Yes, can you give me some more detail about your findings on dracut-fips !? This seems to be the major difference between our test environments where a bunch of algorithms are failing self-test during boot with fips=1. Thanks -Tapas On 8/16/16, 4:38 AM, "Stephan Mueller" <smueller@chronox.de> wrote: >Hi Tapas, > >I was able to reproduce the issue now. > >I tested the patch below and it works for me now. Yet, I see that >dracut-fips seems to need some fixes too as it cannot find cmac when >compiled as module and has some issues with the authenc() ciphers too. > > >---8<--- > >In FIPS mode, setting XTS keys where the AES key is identical to the >tweak key is forbidden. Thus, the self test with such property will fail >in FIPS mode. > >As we have other tests available for XTS, this patch simply removes the >offending test vectors. > >Reported-by: Tapas Sarangi <TSarangi@trustwave.com> >Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com> >--- > crypto/testmgr.h | 44 ++++---------------------------------------- > 1 file changed, 4 insertions(+), 40 deletions(-) > >diff --git a/crypto/testmgr.h b/crypto/testmgr.h >index acb6bbf..893b321 100644 >--- a/crypto/testmgr.h >+++ b/crypto/testmgr.h 
>@@ -15179,8 +15179,8 @@ static struct cipher_testvec >cast6_xts_dec_tv_template[] = { > #define HMAC_SHA512_AES_CBC_ENC_TEST_VEC 7 > #define AES_LRW_ENC_TEST_VECTORS 8 > #define AES_LRW_DEC_TEST_VECTORS 8 >-#define AES_XTS_ENC_TEST_VECTORS 5 >-#define AES_XTS_DEC_TEST_VECTORS 5 >+#define AES_XTS_ENC_TEST_VECTORS 4 >+#define AES_XTS_DEC_TEST_VECTORS 4 > #define AES_CTR_ENC_TEST_VECTORS 5 > #define AES_CTR_DEC_TEST_VECTORS 5 > #define AES_OFB_ENC_TEST_VECTORS 1 >@@ -18218,25 +18218,7 @@ static struct cipher_testvec >aes_lrw_dec_tv_template[] = { > > static struct cipher_testvec aes_xts_enc_tv_template[] = { > /* >http://scanmail.trustwave.com/?c=4062&d=-96y1wXsB1ZUProHtkc64VYvnNekxXtLFt >hU_sfSVw&s=5&u=http%3a%2f%2fgrouper%2eieee%2eorg%2fgroups%2f1619%2femail%2 >fpdf00086%2epdf */ >- { /* XTS-AES 1 */ >- .key = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .klen = 32, >- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .input = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .ilen = 32, >- .result = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec" >- "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92" >- "\xcd\x43\xd2\xf5\x95\x98\xed\x85" >- "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e", >- .rlen = 32, >- }, { /* XTS-AES 2 */ >+ { /* XTS-AES 2 */ > .key = "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x22\x22\x22\x22\x22\x22\x22\x22" 
>@@ -18560,25 +18542,7 @@ static struct cipher_testvec >aes_xts_enc_tv_template[] = { > > static struct cipher_testvec aes_xts_dec_tv_template[] = { > /* >http://scanmail.trustwave.com/?c=4062&d=-96y1wXsB1ZUProHtkc64VYvnNekxXtLFt >hU_sfSVw&s=5&u=http%3a%2f%2fgrouper%2eieee%2eorg%2fgroups%2f1619%2femail%2 >fpdf00086%2epdf */ >- { /* XTS-AES 1 */ >- .key = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .klen = 32, >- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec" >- "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92" >- "\xcd\x43\xd2\xf5\x95\x98\xed\x85" >- "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e", >- .ilen = 32, >- .result = "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00" >- "\x00\x00\x00\x00\x00\x00\x00\x00", >- .rlen = 32, >- }, { /* XTS-AES 2 */ >+ { /* XTS-AES 2 */ > .key = "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x22\x22\x22\x22\x22\x22\x22\x22" >-- >2.7.4 > > ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-17 14:52 ` Tapas Sarangi @ 2016-08-17 14:57 ` Stephan Mueller 2016-08-17 15:09 ` Tapas Sarangi 0 siblings, 1 reply; 17+ messages in thread From: Stephan Mueller @ 2016-08-17 14:57 UTC (permalink / raw) To: Tapas Sarangi; +Cc: herbert, linux-crypto On Wednesday, 17 August 2016, 14:52:32 CEST, Tapas Sarangi wrote: Hi Tapas, (please, do not top-post) > Hi Stephan, > > Yes, can you give me some more detail about your findings on dracut-fips > !? This seems to be the major difference between our test environments > where a bunch of algorithms are failing self-test during boot with fips=1. cmac must be statically compiled as otherwise dracut-fips does not find it (it misses it in the module list). The authenc() cipher must not be compiled as somehow the modprobe in dracut-fips does not find some components -- I am not sure what the issue is yet. I even have compiled all parts forming an authenc cipher (authenc, hmac, the hashes, the block chaining modes, the symmetric ciphers) to be bound into the kernel statically. But still, something is not found by the tcrypt module in dracut-fips. Ciao Stephan ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-17 14:57 ` Stephan Mueller @ 2016-08-17 15:09 ` Tapas Sarangi 2016-08-18 8:20 ` Stephan Mueller 0 siblings, 1 reply; 17+ messages in thread From: Tapas Sarangi @ 2016-08-17 15:09 UTC (permalink / raw) To: Stephan Mueller; +Cc: herbert, linux-crypto Hi Stephan, On 8/17/16, 9:57 AM, "Stephan Mueller" <smueller@chronox.de> wrote: >On Wednesday, 17 August 2016, 14:52:32 CEST, Tapas Sarangi wrote: > >Hi Tapas, > >(please, do not top-post) DNT, Sorry. > >> Hi Stephan, >> >> Yes, can you give me some more detail about your findings on dracut-fips >> !? This seems to be the major difference between our test environments >> where a bunch of algorithms are failing self-test during boot with >> fips=1. > >cmac must be statically compiled as otherwise dracut-fips does not find >it (it misses it in the module list). > >The authenc() cipher must not be compiled as somehow the modprobe in >dracut-fips does not find some components -- I am not sure what the issue is >yet. I even have compiled all parts forming an authenc cipher (authenc, hmac, >the hashes, the block chaining modes, the symmetric ciphers) to be bound into >the kernel statically. But still, something is not found by the tcrypt module >in dracut-fips. Is that all the authenc() ciphers, or only some of them? In my patch, the entries where I had disabled .fips_allowed are mostly authenc() ciphers with the cbc(des3_ede) algo. Not all the authenc() ciphers needed to be disabled, but some. For your XTS related findings and patches, are they going to 4.8 or 4.9? Thanks -Tapas ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-17 15:09 ` Tapas Sarangi @ 2016-08-18 8:20 ` Stephan Mueller 0 siblings, 0 replies; 17+ messages in thread From: Stephan Mueller @ 2016-08-18 8:20 UTC (permalink / raw) To: Tapas Sarangi; +Cc: herbert, linux-crypto On Wednesday, 17 August 2016, 15:09:11 CEST, Tapas Sarangi wrote: Hi Tapas, > Is that all the authenc() ciphers, or only some of them ? In my patch I have not yet had the chance to fully dissect the authenc issue. > where I had disabled .fips_allowed are mostly authenc() ciphers with > cbc(des3_ede) algo. Not all the authenc() ciphers were needed to be > disabled, but some. Can you please point me to your patch? > > For your XTS related findings and patches, are they going to 4.8 or 4.9 ? The XTS patch set is for 4.8-rc1 and should therefore go into 4.9 if accepted by the maintainer. Ciao Stephan ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH v2] crypto: XTS - remove test that will fail in FIPS mode 2016-08-16 9:38 ` [PATCH v2] " Stephan Mueller 2016-08-17 14:52 ` Tapas Sarangi @ 2016-08-23 9:47 ` Herbert Xu 1 sibling, 0 replies; 17+ messages in thread From: Herbert Xu @ 2016-08-23 9:47 UTC (permalink / raw) To: Stephan Mueller; +Cc: Tapas Sarangi, linux-crypto On Tue, Aug 16, 2016 at 11:38:00AM +0200, Stephan Mueller wrote: > Hi Tapas, > > I was able to reproduce the issue now. > > I tested the patch below and it works for me now. Yet, I see that dracut-fips seems to need some fixes too as it cannot find cmac when compiled as module and has some issues with the authenc() ciphers too. > > > ---8<--- > > In FIPS mode, setting XTS keys where the AES key is identical to the > tweak key is forbidden. Thus, the self test with such property will fail > in FIPS mode. > > As we have other tests available for XTS, this patch simply removes the > offending test vectors. > > Reported-by: Tapas Sarangi <TSarangi@trustwave.com> > Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com> We should fix this without removing tests. Perhaps add a field in the vector to indicate that it should be skipped when in FIPS mode, just like we do for expected weak keys. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 17+ messages in thread
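The two points the XTS subthread turns on, the FIPS key-shape rule in Stephan's changelog (an XTS key whose data half equals its tweak half is rejected at setkey) and the per-vector skip flag Herbert asks for instead of deleting the vector, shown together in one added stand-alone C example. This is not the kernel's testmgr or XTS code: the names xts_key_check, struct xts_testvec, fips_skip, xts_vec_needs_fips_skip, xts_selftest_run and xts_selftest_skipped are invented for illustration, the two keys are the XTS-AES 1 and XTS-AES 2 keys visible in the patch, and no cipher is run, only the setkey-time check and the self-test loop's skip decision.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * An XTS key is two cipher keys of equal length (data key || tweak key).
 * The rule the thread describes: in FIPS mode the two halves must differ.
 * Hypothetical stand-alone check, not the kernel's own setkey code.
 */
int xts_key_check(const uint8_t *key, size_t klen, bool fips_enabled)
{
	/* AES-128-XTS uses 2 x 16 bytes, AES-256-XTS uses 2 x 32 bytes. */
	if (klen != 32 && klen != 64)
		return -EINVAL;
	/* FIPS restriction: data key identical to tweak key is rejected. */
	if (fips_enabled && memcmp(key, key + klen / 2, klen / 2) == 0)
		return -EINVAL;
	return 0;
}

/* Test vector carrying the per-vector skip flag Herbert proposes (hypothetical name). */
struct xts_testvec {
	const char *name;
	const uint8_t *key;
	size_t klen;
	bool fips_skip;
};

/* Keys of the two vectors visible in the patch: XTS-AES 1 (all zero) and XTS-AES 2. */
static const uint8_t xts_aes_1_key[32] = { 0 };
static const uint8_t xts_aes_2_key[32] = {
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
	0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
	0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
};

#define XTS_NVECS 2

/* Table as the suggested alternative to v2 would leave it: vector 1 flagged, not deleted. */
static const struct xts_testvec xts_vecs_flagged[XTS_NVECS] = {
	{ "XTS-AES 1", xts_aes_1_key, sizeof(xts_aes_1_key), true },
	{ "XTS-AES 2", xts_aes_2_key, sizeof(xts_aes_2_key), false },
};

/* Table as it was before the patch: no flag, so vector 1 is attempted in FIPS mode too. */
static const struct xts_testvec xts_vecs_unflagged[XTS_NVECS] = {
	{ "XTS-AES 1", xts_aes_1_key, sizeof(xts_aes_1_key), false },
	{ "XTS-AES 2", xts_aes_2_key, sizeof(xts_aes_2_key), false },
};

/* True when a vector's key has identical halves, i.e. it cannot pass setkey in FIPS mode. */
bool xts_vec_needs_fips_skip(const struct xts_testvec *v)
{
	return memcmp(v->key, v->key + v->klen / 2, v->klen / 2) == 0;
}

/*
 * Mimics the self-test loop: every vector that is not skipped must set its key,
 * otherwise the whole algorithm test fails (with fips=1 the kernel treats that
 * as fatal, which is the boot panic reported in this thread).
 * Returns the number of vectors run, or -1 on the first setkey failure.
 */
int xts_selftest_run(const struct xts_testvec *v, size_t n, bool fips_enabled)
{
	int run = 0;
	for (size_t i = 0; i < n; i++) {
		if (fips_enabled && v[i].fips_skip)
			continue;
		if (xts_key_check(v[i].key, v[i].klen, fips_enabled) != 0)
			return -1;
		run++;
	}
	return run;
}

/* Number of vectors the loop above skips under the given mode. */
int xts_selftest_skipped(const struct xts_testvec *v, size_t n, bool fips_enabled)
{
	int skipped = 0;
	for (size_t i = 0; i < n; i++)
		if (fips_enabled && v[i].fips_skip)
			skipped++;
	return skipped;
}

int main(void)
{
	printf("unflagged table, fips=0: run=%d\n",
	       xts_selftest_run(xts_vecs_unflagged, XTS_NVECS, false));
	printf("unflagged table, fips=1: run=%d (-1 = self-test failure)\n",
	       xts_selftest_run(xts_vecs_unflagged, XTS_NVECS, true));
	printf("flagged table,   fips=1: run=%d skipped=%d\n",
	       xts_selftest_run(xts_vecs_flagged, XTS_NVECS, true),
	       xts_selftest_skipped(xts_vecs_flagged, XTS_NVECS, true));
	return 0;
}
```

With the unflagged table and fips_enabled set, the loop fails on the very first vector, which is the failure mode the thread reports; with the flag set on vector 1, FIPS mode skips it while non-FIPS mode still runs it, so the identical-halves key keeps its coverage outside FIPS instead of being removed from both modes.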
* Re: [PATCH] crypto: DRBG: do not call drbg_instantiate in healt test 2016-08-09 19:02 ` [PATCH] crypto: DRBG: do not call drbg_instantiate in healt test Stephan Mueller 2016-08-09 21:59 ` Tapas Sarangi @ 2016-08-16 9:49 ` Herbert Xu 1 sibling, 0 replies; 17+ messages in thread From: Herbert Xu @ 2016-08-16 9:49 UTC (permalink / raw) To: Stephan Mueller; +Cc: TSarangi, linux-crypto Stephan Mueller <smueller@chronox.de> wrote: > On Tuesday, 9 August 2016, 19:52:46 CEST, Stephan Mueller wrote: > > Hi Tapas, > > I think I found the issue. Can you please test the attached patch? > > ---8<--- > > When calling the DRBG health test in FIPS mode, the Jitter RNG is not > yet present in the kernel crypto API which will cause the instantiation > to fail and thus the health test to fail. > > As the health tests cover the enforcement of various thresholds, invoke > the functions that are supposed to enforce the thresholds directly. > > This patch also saves precious seed. > > Reported-by: Tapas Sarangi <TSarangi@trustwave.com> > Signed-off-by: Stephan Mueller <smueller@chronox.de> Patch applied. Thanks. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2016-08-23 9:48 UTC | newest] Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-08-09 16:34 FIPS mode: modprobe: ERROR: could not insert 'drbg' Tapas Sarangi 2016-08-09 17:05 ` Stephan Mueller 2016-08-09 17:11 ` Tapas Sarangi 2016-08-09 17:52 ` Stephan Mueller 2016-08-09 19:02 ` [PATCH] crypto: DRBG: do not call drbg_instantiate in healt test Stephan Mueller 2016-08-09 21:59 ` Tapas Sarangi 2016-08-10 5:49 ` [PATCH] crypto: XTS - remove test that will fail in FIPS mode Stephan Mueller 2016-08-10 22:08 ` Tapas Sarangi 2016-08-11 19:42 ` Tapas Sarangi 2016-08-12 8:43 ` Stephan Mueller 2016-08-16 9:38 ` [PATCH v2] " Stephan Mueller 2016-08-17 14:52 ` Tapas Sarangi 2016-08-17 14:57 ` Stephan Mueller 2016-08-17 15:09 ` Tapas Sarangi 2016-08-18 8:20 ` Stephan Mueller 2016-08-23 9:47 ` Herbert Xu 2016-08-16 9:49 ` [PATCH] crypto: DRBG: do not call drbg_instantiate in healt test Herbert Xu