| Message ID | 20191017131037.9903-1-mlombard@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256 | expand |
Hi Maurizio, > iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS > compliant. This is due to the fact that CHAP currently uses MD5 as > the only supported digest algorithm and MD5 is not allowed by FIPS. > > When FIPS mode is enabled on the target server, the CHAP > authentication won't work because the target driver will be prevented > from using the MD5 module. > > Given that CHAP is agnostic regarding the algorithm it uses, this > patchset introduce support for three new alternatives: SHA1, SHA256 > and SHA3-256. Can you please submit these on top of 5.5/scsi-queue which has your string parsing fixes in place? Thanks!
Hello, Dne 25.10.2019 v 02:20 Martin K. Petersen napsal(a): > > Hi Maurizio, > >> iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS >> compliant. This is due to the fact that CHAP currently uses MD5 as >> the only supported digest algorithm and MD5 is not allowed by FIPS. >> >> When FIPS mode is enabled on the target server, the CHAP >> authentication won't work because the target driver will be prevented >> from using the MD5 module. >> >> Given that CHAP is agnostic regarding the algorithm it uses, this >> patchset introduce support for three new alternatives: SHA1, SHA256 >> and SHA3-256. > > Can you please submit these on top of 5.5/scsi-queue which has your > string parsing fixes in place? > I will rebase on top of 5.5/scsi-queue and send a V3. Thanks, Maurizio
iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS compliant. This is due to the fact that CHAP currently uses MD5 as the only supported digest algorithm and MD5 is not allowed by FIPS. When FIPS mode is enabled on the target server, the CHAP authentication won't work because the target driver will be prevented from using the MD5 module. Given that CHAP is agnostic regarding the algorithm it uses, this patchset introduce support for three new alternatives: SHA1, SHA256 and SHA3-256. They all have their protocol identifiers assigned by IANA: https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xml#ppp-numbers-9 Initiator-side code for open-iscsi has already been merged: https://github.com/open-iscsi/open-iscsi/pull/170 V2: adds SHA256 Maurizio Lombardi (3): target-iscsi: CHAP: add support to SHA1, SHA256 and SHA3-256 hash functions target-iscsi: tie the challenge length to the hash digest size target-iscsi: rename some variables to avoid confusion. drivers/target/iscsi/iscsi_target_auth.c | 232 +++++++++++++++-------- drivers/target/iscsi/iscsi_target_auth.h | 17 +- 2 files changed, 161 insertions(+), 88 deletions(-)