lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 30 Apr 2009 17:25:05 -0400
From:	Jarod Wilson <jarod@...hat.com>
To:	Herbert Xu <herbert@...dor.apana.org.au>
Cc:	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
	Neil Horman <nhorman@...driver.com>
Subject: [PATCH v2] crypto: print self-test pass notices in fips mode

On Wednesday 29 April 2009 09:24:10 Jarod Wilson wrote:
> On Wednesday 29 April 2009 09:21:53 Jarod Wilson wrote:
> > On Wednesday 29 April 2009 09:18:17 Herbert Xu wrote:
> > > On Tue, Apr 28, 2009 at 09:21:35PM -0400, Jarod Wilson wrote:
> > > >
> > > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> > > > index 39ffa69..d0cc85c 100644
> > > > --- a/crypto/testmgr.c
> > > > +++ b/crypto/testmgr.c
> > > > @@ -2149,6 +2149,10 @@ notest:
> > > >  test_done:
> > > >  	if (fips_enabled && rc)
> > > >  		panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
> > > > +	/* fips mode requires we print out self-test success notices */
> > > > +	if (fips_enabled && !rc && strncmp(alg, "ctr(aes", 7))
> > > > +		printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
> > > > +		       driver, alg);
> > > 
> > > What is this strncmp crap for?
> > 
> > To avoid claiming we successfully self-tested ctr(aes) when its
> > not actually directly testable. Was intended to go sort of hand
> > in hand with the other patch to suppress 'no self test' messages
> > for ctr(aes) when in fips mode. Of course, since at this point,
> > we've run ecb(aes), and that's what's suggested as the way to
> > test ctr(aes)[*], perhaps we don't need to
> > suppress it.
> > 
> > [*] well, along with the sign-off from the lab that the counter
> > code is acceptable
> 
> So this might actually be another argument in favor of adding a "this
> algo isn't really testable" flag as Neil suggested...

According to our FIPS CAVS testing lab guru, when we're in fips mode,
we must print out notices of successful self-test completion for
every alg to be compliant.

New and improved v2, without strncmp crap. Doesn't need to touch a flag
though, due to not moving the notest label around anymore.

Applies atop '[PATCH v2] crypto: catch base cipher self-test failures
in fips mode'.

Personally, I wouldn't mind seeing this info printed out regardless of
whether or not we're in fips mode, I think its useful info, but will
stick with only in fips mode for now.

---
 crypto/testmgr.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index d410fad..b3ec7b9 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -2245,6 +2245,10 @@ test_done:
 	if (fips_enabled && rc)
 		panic("%s: %s alg self test failed in fips mode!\n", driver, alg);
 
+	if (fips_enabled && !rc)
+		printk(KERN_INFO "alg: self-tests for %s (%s) passed\n",
+		       driver, alg);
+
 	return rc;
 
 notest:


-- 
Jarod Wilson
jarod@...hat.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ