lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 03 Jun 2016 08:42:31 +0200
From:	Stephan Mueller <smueller@...onox.de>
To:	Marcus Meissner <meissner@...e.de>
Cc:	herbert@...dor.apana.org.au, davem@...emloft.net,
	linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: authenc methods vs FIPS in light of unencrypted associated data

Am Donnerstag, 2. Juni 2016, 18:01:04 schrieb Marcus Meissner:

Hi Marcus, Herbert

> Hi,
> 
> In February I already tagged some authenc ciphers for FIPS compatibility.
> 
> I currently revisit this to get testmgr running all the tests in strict FIPS
> mode.
> 
> The authenc() class is troublesome.
> 
> There is a HASH + ENC part of this method, but you can also add associated
> data, which is not encrypted. (using the ctx->null cipher in
> crypto/authenc.c)
> 
> But in FIPS mode the crypto_authenc_init_tfm does:
> 
> 	null = crypto_get_default_null_skcipher();
> 
> which results in error, as the crypto_alloc_blkcipher("ecb(cipher_null)", 0,
> 0); results in failure due to "ecb(cipher_null)" not FIPS compliant.
> 
> How to handle this?
> 
> I think GCM also does not encrypt, just hashes, the associated data, it just
> does copy the content itself and does not use a virtual cipher.

This issue points to a more pervasive issue in how the fips_allowed flag is 
handled. In combined ciphers, the use of individual components separately from 
the combined cipher may not be allowed in FIPS mode. However, the use of the 
combined cipher is allowed.

For example, GCM is an allowed cipher, but ghash is not. To make GCM usable, 
the fips_allowed flag is set for ghash which would allow a user to use ghash 
directly outside GCM, which is not allowed.

Therefore, the fips_allowed flag should only be evaluated for the cipher the 
user invokes. If that cipher employs sub-ordinate ciphers, the fips_allowed 
flag is not enforced any more. The idea would be that when fips_allowed is set 
for a cipher, it implies that this cipher with all its sub-ordinate ciphers is 
allowed even when those individual ciphers would be allowed.

Herbert, when using crypto_spawn_*, is there a flag set by the crypto API that 
the to-be-instantiated cipher is invoked by the kernel crypto API instead of 
by a user? I would assume that the INTERNAL flag could be of relevance here. 
If that INTERNAL flag is set, I think that the function alg_test could be 
changed such that if the INTERNAL flag is set, the fips_allowed flag is not 
enforced.

Ciao
Stephan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ