
[v2] crypto: XTS - remove test that will fail in FIPS mode

Message ID 16370043.OYgDIDmMpM@tauon.atsec.com (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu

Commit Message

Stephan Mueller Aug. 16, 2016, 9:38 a.m. UTC
Hi Tapas,

I was able to reproduce the issue now.

I tested the patch below and it works for me now. Yet, I see that dracut-fips seems to need some fixes too as it cannot find cmac when compiled as module and has some issues with the authenc() ciphers too.


---8<---
 
In FIPS mode, setting an XTS key whose AES key is identical to its
tweak key is forbidden. Thus, a self test that uses a key with this
property will fail in FIPS mode.

As we have other tests available for XTS, this patch simply removes the
offending test vectors.

Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com>
---
 crypto/testmgr.h | 44 ++++----------------------------------------
 1 file changed, 4 insertions(+), 40 deletions(-)

Comments

Tapas Sarangi Aug. 17, 2016, 2:52 p.m. UTC | #1
Hi Stephan,

Yes, can you give me some more detail about your findings on dracut-fips
!? This seems to be the major difference between our test environments
where a bunch of algorithms are failing self-test during boot with fips=1.

Thanks
-Tapas


On 8/16/16, 4:38 AM, "Stephan Mueller" <smueller@chronox.de> wrote:

>Hi Tapas,
>
>I was able to reproduce the issue now.
>
>I tested the patch below and it works for me now. Yet, I see that
>dracut-fips seems to need some fixes too as it cannot find cmac when
>compiled as module and has some issues with the authenc() ciphers too.
>
>
>---8<---
>
>In FIPS mode, setting XTS keys where the AES key is identical to the
>tweak key is forbidden. Thus, the self test with such property will fail
>in FIPS mode.
>
>As we have other tests available for XTS, this patch simply removes the
>offending test vectors.
>
>Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
>Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com>
>---
> crypto/testmgr.h | 44 ++++----------------------------------------
> 1 file changed, 4 insertions(+), 40 deletions(-)
>
>diff --git a/crypto/testmgr.h b/crypto/testmgr.h
>index acb6bbf..893b321 100644
>--- a/crypto/testmgr.h
>+++ b/crypto/testmgr.h
>@@ -15179,8 +15179,8 @@ static struct cipher_testvec
>cast6_xts_dec_tv_template[] = {
> #define HMAC_SHA512_AES_CBC_ENC_TEST_VEC 7
> #define AES_LRW_ENC_TEST_VECTORS 8
> #define AES_LRW_DEC_TEST_VECTORS 8
>-#define AES_XTS_ENC_TEST_VECTORS 5
>-#define AES_XTS_DEC_TEST_VECTORS 5
>+#define AES_XTS_ENC_TEST_VECTORS 4
>+#define AES_XTS_DEC_TEST_VECTORS 4
> #define AES_CTR_ENC_TEST_VECTORS 5
> #define AES_CTR_DEC_TEST_VECTORS 5
> #define AES_OFB_ENC_TEST_VECTORS 1
>@@ -18218,25 +18218,7 @@ static struct cipher_testvec
>aes_lrw_dec_tv_template[] = {
>
> static struct cipher_testvec aes_xts_enc_tv_template[] = {
>       /*
>http://scanmail.trustwave.com/?c=4062&d=-96y1wXsB1ZUProHtkc64VYvnNekxXtLFt
>hU_sfSVw&s=5&u=http%3a%2f%2fgrouper%2eieee%2eorg%2fgroups%2f1619%2femail%2
>fpdf00086%2epdf */
>-      { /* XTS-AES 1 */
>-              .key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .klen   = 32,
>-              .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .ilen   = 32,
>-              .result = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec"
>-                        "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92"
>-                        "\xcd\x43\xd2\xf5\x95\x98\xed\x85"
>-                        "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e",
>-              .rlen   = 32,
>-      }, { /* XTS-AES 2 */
>+      { /* XTS-AES 2 */
>               .key    = "\x11\x11\x11\x11\x11\x11\x11\x11"
>                         "\x11\x11\x11\x11\x11\x11\x11\x11"
>                         "\x22\x22\x22\x22\x22\x22\x22\x22"
>@@ -18560,25 +18542,7 @@ static struct cipher_testvec
>aes_xts_enc_tv_template[] = {
>
> static struct cipher_testvec aes_xts_dec_tv_template[] = {
>       /*
>http://scanmail.trustwave.com/?c=4062&d=-96y1wXsB1ZUProHtkc64VYvnNekxXtLFt
>hU_sfSVw&s=5&u=http%3a%2f%2fgrouper%2eieee%2eorg%2fgroups%2f1619%2femail%2
>fpdf00086%2epdf */
>-      { /* XTS-AES 1 */
>-              .key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .klen   = 32,
>-              .iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                        "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec"
>-                       "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92"
>-                       "\xcd\x43\xd2\xf5\x95\x98\xed\x85"
>-                       "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e",
>-              .ilen   = 32,
>-              .result  = "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                         "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                         "\x00\x00\x00\x00\x00\x00\x00\x00"
>-                         "\x00\x00\x00\x00\x00\x00\x00\x00",
>-              .rlen   = 32,
>-      }, { /* XTS-AES 2 */
>+      { /* XTS-AES 2 */
>               .key    = "\x11\x11\x11\x11\x11\x11\x11\x11"
>                         "\x11\x11\x11\x11\x11\x11\x11\x11"
>                         "\x22\x22\x22\x22\x22\x22\x22\x22"
>--
>2.7.4
>
>
Stephan Mueller Aug. 17, 2016, 2:57 p.m. UTC | #2
Am Mittwoch, 17. August 2016, 14:52:32 CEST schrieb Tapas Sarangi:

Hi Tapas,

(please, do not top-post)

> Hi Stephan,
> 
> Yes, can you give me some more detail about your findings on dracut-fips
> !? This seems to be the major difference between our test environments
> where a bunch of algorithms are failing self-test during boot with fips=1.

cmac must be statically compiled as otherwise dracut-fips does not find it (it 
misses it in the module list).

The authenc() cipher must not be compiled as somehow the modprobe in dracut-
fips does not find some components -- I am not sure what the issue is yet. I 
even have compiled all parts forming an authenc cipher (authenc, hmac, the 
hashes, the block chaining modes, the symmetric ciphers) to be bound into the 
kernel statically. But still, something is not found by the tcrypt module in 
dracut-fips.



Ciao
Stephan
Tapas Sarangi Aug. 17, 2016, 3:09 p.m. UTC | #3
Hi Stephan,



On 8/17/16, 9:57 AM, "Stephan Mueller" <smueller@chronox.de> wrote:

>Am Mittwoch, 17. August 2016, 14:52:32 CEST schrieb Tapas Sarangi:
>
>Hi Tapas,
>
>(please, do not top-post)

DNT, Sorry.

>
>> Hi Stephan,
>>
>> Yes, can you give me some more detail about your findings on dracut-fips
>> !? This seems to be the major difference between our test environments
>> where a bunch of algorithms are failing self-test during boot with
>>fips=1.
>
>cmac must be statically compiled as otherwise dracut-fips does not find
>it (it
>misses it in the module list).
>
>The authenc() cipher must not be compiled as somehow the modprobe in
>dracut-
>fips does not find some components -- I am not sure what the issue is
>yet. I
>even have compiled all parts forming an authenc cipher (authenc, hmac,
>the
>hashes, the block chaining modes, the symmetric ciphers) to be bound into
>the
>kernel statically. But still, something is not found by the tcrypt module
>in
>dracut-fips.

Is that all the authenc() ciphers, or only some of them? The ciphers for
which I disabled .fips_allowed in my patch are mostly authenc() ciphers
with the cbc(des3_ede) algo. Not all of the authenc() ciphers needed to be
disabled, only some.

For your XTS related findings and patches, are they going to 4.8 or 4.9 ?

Thanks
-Tapas
Stephan Mueller Aug. 18, 2016, 8:20 a.m. UTC | #4
Am Mittwoch, 17. August 2016, 15:09:11 CEST schrieb Tapas Sarangi:

Hi Tapas,

> Is that all the authenc() ciphers, or only some of them ? In my patch

I have not yet had the chance to fully dissect the authenc issue.

> where I had disabled .fips_allowed are mostly authenc() ciphers with
> cbc(des3_ede) algo. Not all the authenc() ciphers were needed to be
> disabled, but some.

Can you please point me to your patch?
> 
> For your XTS related findings and patches, are they going to 4.8 or 4.9 ?

The XTS patch set is for 4.8-rc1 and should therefore go into 4.9 if accepted 
by the maintainer.


Ciao
Stephan
Herbert Xu Aug. 23, 2016, 9:47 a.m. UTC | #5
On Tue, Aug 16, 2016 at 11:38:00AM +0200, Stephan Mueller wrote:
> Hi Tapas,
> 
> I was able to reproduce the issue now.
> 
> I tested the patch below and it works for me now. Yet, I see that dracut-fips seems to need some fixes too as it cannot find cmac when compiled as module and has some issues with the authenc() ciphers too.
> 
> 
> ---8<---
>  
> In FIPS mode, setting XTS keys where the AES key is identical to the
> tweak key is forbidden. Thus, the self test with such property will fail
> in FIPS mode.
> 
> As we have other tests available for XTS, this patch simply removes the
> offending test vectors.
> 
> Reported-by: Tapas Sarangi <TSarangi@trustwave.com>
> Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com>

We should fix this without removing tests.  Perhaps add a field
in the vector to indicate that it should be skipped when in FIPS
mode, just like we do for expected weak keys.

Cheers,

Patch

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index acb6bbf..893b321 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -15179,8 +15179,8 @@  static struct cipher_testvec cast6_xts_dec_tv_template[] = {
 #define HMAC_SHA512_AES_CBC_ENC_TEST_VEC 7
 #define AES_LRW_ENC_TEST_VECTORS 8
 #define AES_LRW_DEC_TEST_VECTORS 8
-#define AES_XTS_ENC_TEST_VECTORS 5
-#define AES_XTS_DEC_TEST_VECTORS 5
+#define AES_XTS_ENC_TEST_VECTORS 4
+#define AES_XTS_DEC_TEST_VECTORS 4
 #define AES_CTR_ENC_TEST_VECTORS 5
 #define AES_CTR_DEC_TEST_VECTORS 5
 #define AES_OFB_ENC_TEST_VECTORS 1
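Review bot: `AES_XTS_ENC_TEST_VECTORS` and `AES_XTS_DEC_TEST_VECTORS` are hand-maintained counts defined roughly three thousand lines away from the arrays they describe, so this edit is only correct while it stays in step with the entries removed from `aes_xts_enc_tv_template` and `aes_xts_dec_tv_template` in the later hunks. Here the two agree (one vector dropped from each array, 5 becomes 4), but nothing visible in the patch enforces that. If the count is what bounds the self-test loop, a count larger than the array would read past its end and a smaller one would silently skip vectors. Deriving the count from the array where it is consumed, e.g. `ARRAY_SIZE(aes_xts_enc_tv_template)`, would remove this class of mistake; the consumer of these macros is outside the diff, so confirm how they are used first.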
@@ -18218,25 +18218,7 @@  static struct cipher_testvec aes_lrw_dec_tv_template[] = {
 
 static struct cipher_testvec aes_xts_enc_tv_template[] = {
 	/* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
-	{ /* XTS-AES 1 */
-		.key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.klen   = 32,
-		.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.input  = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.ilen   = 32,
-		.result = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec"
-			  "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92"
-			  "\xcd\x43\xd2\xf5\x95\x98\xed\x85"
-			  "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e",
-		.rlen   = 32,
-	}, { /* XTS-AES 2 */
+	{ /* XTS-AES 2 */
 		.key    = "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x22\x22\x22\x22\x22\x22\x22\x22"
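Review bot: After this hunk the `/* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */` reference is followed directly by `/* XTS-AES 2 */`, and nothing in the file records why the document's first vector is absent; the reason lives only in the commit message. A short comment at the top of the array would keep the vector from being re-added later, for example `/* XTS-AES 1 (all-zero key) omitted: AES key == tweak key, rejected in FIPS mode */`. The same applies to `aes_xts_dec_tv_template` in the next hunk. Both arrays continue outside the hunks, so whether any remaining XTS vector also uses identical key halves cannot be checked from this diff and is worth confirming.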
@@ -18560,25 +18542,7 @@  static struct cipher_testvec aes_xts_enc_tv_template[] = {
 
 static struct cipher_testvec aes_xts_dec_tv_template[] = {
 	/* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
-	{ /* XTS-AES 1 */
-		.key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.klen   = 32,
-		.iv     = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.input = "\x91\x7c\xf6\x9e\xbd\x68\xb2\xec"
-			 "\x9b\x9f\xe9\xa3\xea\xdd\xa6\x92"
-			 "\xcd\x43\xd2\xf5\x95\x98\xed\x85"
-			 "\x8c\x02\xc2\x65\x2f\xbf\x92\x2e",
-		.ilen   = 32,
-		.result  = "\x00\x00\x00\x00\x00\x00\x00\x00"
-			   "\x00\x00\x00\x00\x00\x00\x00\x00"
-			   "\x00\x00\x00\x00\x00\x00\x00\x00"
-			   "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.rlen   = 32,
-	}, { /* XTS-AES 2 */
+	{ /* XTS-AES 2 */
 		.key    = "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x11\x11\x11\x11\x11\x11\x11\x11"
 			  "\x22\x22\x22\x22\x22\x22\x22\x22"