Date: Wed, 7 Apr 2021 15:15:51 -0600
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Hangbin Liu <liuhangbin@...il.com>
Cc: Netdev <netdev@...r.kernel.org>, Toke Høiland-Jørgensen <toke@...hat.com>, Jakub Kicinski <kuba@...nel.org>, Ondrej Mosnacek <omosnace@...hat.com>, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH net-next] [RESEND] wireguard: disable in FIPS mode

Hi Hangbin,

On Wed, Apr 7, 2021 at 5:39 AM Hangbin Liu <liuhangbin@...il.com> wrote:
>
> As the cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not
> FIPS certified, the WireGuard module should be disabled in FIPS mode.

I'm not sure this makes so much sense to do _in wireguard_. If you feel like the FIPS-allergic part is actually blake, 25519, chacha, and poly1305, then wouldn't it make most sense to disable _those_ modules instead? And then the various things that rely on those (such as wireguard, but maybe there are other things too, like security/keys/big_key.c) would be naturally disabled transitively?

[As an aside, I don't think any of this fips-flag-in-the-kernel makes much sense at all for anything, but that seems like a different discussion, maybe?]

Jason