From patchwork Tue Dec 1 12:52:50 2015
X-Patchwork-Submitter: Jan Stancek
X-Patchwork-Id: 7737231
From: Jan Stancek
To: selinux@tycho.nsa.gov
Cc: sds@tycho.nsa.gov, jstancek@redhat.com
Subject: [selinux-testsuite PATCH] net_socket: replace md5 with sha1 in ipsec-load
Date: Tue, 1 Dec 2015 13:52:50 +0100
Message-Id: <6a9c04a259806de434a2ae5ea3142a6bb8868906.1448973992.git.jstancek@redhat.com>

ipsec-load is currently passing 'auth md5 0123456789012345' to ip xfrm,
which fails in FIPS mode:
  RTNETLINK answers: Function not implemented

According to [1], md5 is not on list of compliant hashes for FIPS 140-2.

[1] http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

This patch is replacing 'md5' with 'sha1'.

Signed-off-by: Jan Stancek
Cc: Paul Moore
Cc: Stephen Smalley

--- tests/inet_socket/ipsec-load | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load index b9d2c6e43544..c72d4b9d2f95 100755 --- a/tests/inet_socket/ipsec-load +++ b/tests/inet_socket/ipsec-load 
@@ -5,7 +5,7 @@ ip xfrm policy flush ip xfrm state flush goodclientcon=`secon -u --pid $$`:`secon -r --pid $$`:test_inet_client_t:`secon -m --pid $$` badclientcon=`secon -u --pid $$`:`secon -r --pid $$`:test_inet_bad_client_t:`secon -m --pid $$` -ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx $goodclientcon auth md5 0123456789012345 -ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x250 ctx $badclientcon auth md5 0123456789012345 +ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345 +ip xfrm state add src 127.0.0.1 dst 127.0.0.1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
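
Review bot: both added `ip xfrm state add` lines keep the key `0123456789012345` from the md5 version, a 16-character (128-bit) string that matched MD5's digest size but is shorter than SHA-1's 160-bit output. Consider switching to a 20-character key in the same change, so that key length is ruled out as a further source of failure when the test runs in FIPS mode. The two lines also differ only in `spi` and `ctx`, so putting the algorithm name and key into shell variables at the top of the script would make the next algorithm change a one-line edit and keep the good-client and bad-client SAs from drifting apart.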