
Allow some algorithms in kernel fips mode

Change-Id: I8e4d8ff7117d1250ec2572644ddc9a63aede33b5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3387
Reviewed-by: Sharath George
Tested-by: Sharath George

suezzelur authored on 2017/08/02 07:56:57
Showing 3 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,146 @@
0
+From a47b26cd49d01a2e2f914ff9e59ee7e25bc30148 Mon Sep 17 00:00:00 2001
1
+From: Ansis Atteka <aatteka@ovn.org>
2
+Date: Mon, 31 Jul 2017 09:56:37 -0700
3
+Subject: [PATCH] Revert "crypto: testmgr - Disable fips-allowed for authenc()
4
+ and des() ciphers"
5
+
6
+This reverts commit 284a0f6e87b0721e1be8bca419893902d9cf577a.
7
+---
8
+ crypto/testmgr.c | 16 ++++++++++++++++
9
+ 1 file changed, 16 insertions(+)
10
+
11
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c
12
+index ae8c57fd8bc7..235e984d9772 100644
13
+--- a/crypto/testmgr.c
14
+@@ -2091,6 +2091,7 @@ static const struct alg_test_desc alg_test_descs[] = {
15
+ 	}, {
16
+ 		.alg = "authenc(hmac(md5),ecb(cipher_null))",
17
+ 		.test = alg_test_aead,
18
++		.fips_allowed = 1,
19
+ 		.suite = {
20
+ 			.aead = {
21
+ 				.enc = {
22
+@@ -2106,6 +2107,7 @@ static const struct alg_test_desc alg_test_descs[] = {
23
+ 	}, {
24
+ 		.alg = "authenc(hmac(sha1),cbc(aes))",
25
+ 		.test = alg_test_aead,
26
++		.fips_allowed = 1,
27
+ 		.suite = {
28
+ 			.aead = {
29
+ 				.enc = {
30
+@@ -2119,6 +2121,7 @@ static const struct alg_test_desc alg_test_descs[] = {
31
+ 	}, {
32
+ 		.alg = "authenc(hmac(sha1),cbc(des))",
33
+ 		.test = alg_test_aead,
34
++		.fips_allowed = 1,
35
+ 		.suite = {
36
+ 			.aead = {
37
+ 				.enc = {
38
+@@ -2132,6 +2135,7 @@ static const struct alg_test_desc alg_test_descs[] = {
39
+ 	}, {
40
+ 		.alg = "authenc(hmac(sha1),cbc(des3_ede))",
41
+ 		.test = alg_test_aead,
42
++		.fips_allowed = 1,
43
+ 		.suite = {
44
+ 			.aead = {
45
+ 				.enc = {
46
+@@ -2145,6 +2149,7 @@ static const struct alg_test_desc alg_test_descs[] = {
47
+ 	}, {
48
+ 		.alg = "authenc(hmac(sha1),ecb(cipher_null))",
49
+ 		.test = alg_test_aead,
50
++		.fips_allowed = 1,
51
+ 		.suite = {
52
+ 			.aead = {
53
+ 				.enc = {
54
+@@ -2164,6 +2169,7 @@ static const struct alg_test_desc alg_test_descs[] = {
55
+ 	}, {
56
+ 		.alg = "authenc(hmac(sha224),cbc(des))",
57
+ 		.test = alg_test_aead,
58
++		.fips_allowed = 1,
59
+ 		.suite = {
60
+ 			.aead = {
61
+ 				.enc = {
62
+@@ -2177,6 +2183,7 @@ static const struct alg_test_desc alg_test_descs[] = {
63
+ 	}, {
64
+ 		.alg = "authenc(hmac(sha224),cbc(des3_ede))",
65
+ 		.test = alg_test_aead,
66
++		.fips_allowed = 1,
67
+ 		.suite = {
68
+ 			.aead = {
69
+ 				.enc = {
70
+@@ -2190,6 +2197,7 @@ static const struct alg_test_desc alg_test_descs[] = {
71
+ 	}, {
72
+ 		.alg = "authenc(hmac(sha256),cbc(aes))",
73
+ 		.test = alg_test_aead,
74
++		.fips_allowed = 1,
75
+ 		.suite = {
76
+ 			.aead = {
77
+ 				.enc = {
78
+@@ -2203,6 +2211,7 @@ static const struct alg_test_desc alg_test_descs[] = {
79
+ 	}, {
80
+ 		.alg = "authenc(hmac(sha256),cbc(des))",
81
+ 		.test = alg_test_aead,
82
++		.fips_allowed = 1,
83
+ 		.suite = {
84
+ 			.aead = {
85
+ 				.enc = {
86
+@@ -2216,6 +2225,7 @@ static const struct alg_test_desc alg_test_descs[] = {
87
+ 	}, {
88
+ 		.alg = "authenc(hmac(sha256),cbc(des3_ede))",
89
+ 		.test = alg_test_aead,
90
++		.fips_allowed = 1,
91
+ 		.suite = {
92
+ 			.aead = {
93
+ 				.enc = {
94
+@@ -2229,6 +2239,7 @@ static const struct alg_test_desc alg_test_descs[] = {
95
+ 	}, {
96
+ 		.alg = "authenc(hmac(sha384),cbc(des))",
97
+ 		.test = alg_test_aead,
98
++		.fips_allowed = 1,
99
+ 		.suite = {
100
+ 			.aead = {
101
+ 				.enc = {
102
+@@ -2242,6 +2253,7 @@ static const struct alg_test_desc alg_test_descs[] = {
103
+ 	}, {
104
+ 		.alg = "authenc(hmac(sha384),cbc(des3_ede))",
105
+ 		.test = alg_test_aead,
106
++		.fips_allowed = 1,
107
+ 		.suite = {
108
+ 			.aead = {
109
+ 				.enc = {
110
+@@ -2255,6 +2267,7 @@ static const struct alg_test_desc alg_test_descs[] = {
111
+ 	}, {
112
+ 		.alg = "authenc(hmac(sha512),cbc(aes))",
113
+ 		.test = alg_test_aead,
114
++		.fips_allowed = 1,
115
+ 		.suite = {
116
+ 			.aead = {
117
+ 				.enc = {
118
+@@ -2268,6 +2281,7 @@ static const struct alg_test_desc alg_test_descs[] = {
119
+ 	}, {
120
+ 		.alg = "authenc(hmac(sha512),cbc(des))",
121
+ 		.test = alg_test_aead,
122
++		.fips_allowed = 1,
123
+ 		.suite = {
124
+ 			.aead = {
125
+ 				.enc = {
126
+@@ -2281,6 +2295,7 @@ static const struct alg_test_desc alg_test_descs[] = {
127
+ 	}, {
128
+ 		.alg = "authenc(hmac(sha512),cbc(des3_ede))",
129
+ 		.test = alg_test_aead,
130
++		.fips_allowed = 1,
131
+ 		.suite = {
132
+ 			.aead = {
133
+ 				.enc = {
134
+@@ -3007,6 +3022,7 @@ static const struct alg_test_desc alg_test_descs[] = {
135
+ 	}, {
136
+ 		.alg = "ecb(des)",
137
+ 		.test = alg_test_skcipher,
138
++		.fips_allowed = 1,
139
+ 		.suite = {
140
+ 			.cipher = {
141
+ 				.enc = {
142
+-- 
143
+2.11.0
144
+
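Review bot: Several of the entries that regain `.fips_allowed = 1` are built on single DES or HMAC-MD5, neither of which is a FIPS-approved algorithm. These are `ecb(des)`, the `authenc(hmac(shaN),cbc(des))` variants and `authenc(hmac(md5),ecb(cipher_null))`. After this revert, a kernel running in FIPS mode will no longer refuse them at the self-test gate. The patch description gives only "This reverts commit 284a0f6e87b0721e1be8bca419893902d9cf577a" and does not say which consumer needs which entry. If only the `cbc(aes)` and `cbc(des3_ede)` templates are needed, carry a narrower patch that adds the flag to those entries and leaves the `cbc(des)`, `ecb(des)` and `hmac(md5)` entries unflagged. Otherwise, add a paragraph to the patch header naming the requirement that justifies each weak entry, so a later compliance review can trace it.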
0 145
new file mode 100644
... ...
@@ -0,0 +1,24 @@
0
+From c1deec443b0ee878078ac3b60b8123a7728c0e43 Mon Sep 17 00:00:00 2001
1
+From: Ansis Atteka <aatteka@ovn.org>
2
+Date: Tue, 1 Aug 2017 09:37:18 -0700
3
+Subject: [PATCH] allow also ecb(cipher_null)
4
+
5
+---
6
+ crypto/testmgr.c | 1 +
7
+ 1 file changed, 1 insertion(+)
8
+
9
+diff --git a/crypto/testmgr.c b/crypto/testmgr.c
10
+index 7acf747..e6c0177 100644
11
+--- a/crypto/testmgr.c
12
+@@ -3037,6 +3037,7 @@ static const struct alg_test_desc alg_test_descs[] = {
13
+ 	}, {
14
+ 		.alg = "ecb(cipher_null)",
15
+ 		.test = alg_test_null,
16
++        .fips_allowed = 1,
17
+ 	}, {
18
+ 		.alg = "ecb(des)",
19
+ 		.test = alg_test_skcipher,
20
+-- 
21
+2.7.4
22
+
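Review bot: The added line `        .fips_allowed = 1,` is indented with eight spaces, while the neighbouring `.alg` and `.test` initializers use two tabs; re-indent it with tabs so the table stays consistent. The patch description is also empty. The spec changelog in this commit says the change backports bcf741cb779283081db47853264cc94854e7ad83, so the header should cite that commit. It should also say in one sentence why a null cipher is acceptable in FIPS mode here, since `ecb(cipher_null)` provides no confidentiality. Without that, the patch file gives a reader nothing to distinguish a deliberate backport from a local relaxation.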
... ...
@@ -2,7 +2,7 @@
2 2
 Summary:        Kernel
3 3
 Name:           linux
4 4
 Version:    	4.4.77
5
-Release:    	1%{?dist}
5
+Release:    	2%{?dist}
6 6
 License:    	GPLv2
7 7
 URL:        	http://www.kernel.org/
8 8
 Group:        	System Environment/Kernel
... ...
@@ -33,6 +33,10 @@ Patch14:        vmxnet3-1.4.8.0-segCnt-can-be-1-for-LRO-packets.patch
33 33
 #fixes CVE-2016-6187
34 34
 Patch15:        apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch
35 35
 Patch16:        net-9p-vsock.patch
36
+#allow some algorithms in FIPS mode
37
+Patch17:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
38
+Patch18:        0002-allow-also-ecb-cipher_null.patch
39
+
36 40
 BuildRequires:  bc
37 41
 BuildRequires:  kbd
38 42
 BuildRequires:  kmod
... ...
@@ -119,6 +123,8 @@ This package contains the 'perf' performance analysis tools for Linux kernel.
119 119
 %patch14 -p1
120 120
 %patch15 -p1
121 121
 %patch16 -p1
122
+%patch17 -p1
123
+%patch18 -p1
122 124
 
123 125
 %build
124 126
 make mrproper
... ...
@@ -271,6 +277,10 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
271 271
 /usr/share/perf-core
272 272
 
273 273
 %changelog
274
+*   Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.4.77-2
275
+-   Allow some algorithms in FIPS mode
276
+-   Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports
277
+-   bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree
274 278
 *   Mon Jul 17 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.77-1
275 279
 -   Fix CVE-2017-11176
276 280
 *   Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.74-1