Message ID | 3171520.o5pSzXOnS6@positron.chronox.de |
---|---|
State | Accepted |
Commit | 9b7b94683a9b9c42a743d591e48b9f51f505dd1f |
Series | crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG |
On Thu, 2021-05-20 at 21:31 +0200, Stephan Müller wrote: > The default DRBG is the one that has the highest priority. The priority > is defined based on the order of the list drbg_cores[] where the highest > priority is given to the last entry by drbg_fill_array. > > With this patch the default DRBG is switched from HMAC SHA256 to HMAC > SHA512 to support compliance with SP800-90B and SP800-90C (current > draft). > > The user of the crypto API is completely unaffected by the change. > > Signed-off-by: Stephan Mueller <smueller@chronox.de> > --- > crypto/drbg.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 1b4587e0ddad..ea85d4a0fe9e 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = { > .blocklen_bytes = 48, > .cra_name = "hmac_sha384", > .backend_cra_name = "hmac(sha384)", > - }, { > - .flags = DRBG_HMAC | DRBG_STRENGTH256, > - .statelen = 64, /* block length of cipher */ > - .blocklen_bytes = 64, > - .cra_name = "hmac_sha512", > - .backend_cra_name = "hmac(sha512)", > }, { > .flags = DRBG_HMAC | DRBG_STRENGTH256, > .statelen = 32, /* block length of cipher */ > .blocklen_bytes = 32, > .cra_name = "hmac_sha256", > .backend_cra_name = "hmac(sha256)", > + }, { > + .flags = DRBG_HMAC | DRBG_STRENGTH256, > + .statelen = 64, /* block length of cipher */ > + .blocklen_bytes = 64, > + .cra_name = "hmac_sha512", > + .backend_cra_name = "hmac(sha512)", > }, > #endif /* CONFIG_CRYPTO_DRBG_HMAC */ > }; We'd like this to ease certification pains. Acked-by: simo Sorce <simo@redhat.com>
On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
> The default DRBG is the one that has the highest priority. The priority
> is defined based on the order of the list drbg_cores[] where the highest
> priority is given to the last entry by drbg_fill_array.
>
> With this patch the default DRBG is switched from HMAC SHA256 to HMAC
> SHA512 to support compliance with SP800-90B and SP800-90C (current
> draft).
>
> The user of the crypto API is completely unaffected by the change.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/drbg.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote: > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 1b4587e0ddad..ea85d4a0fe9e 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = { > .blocklen_bytes = 48, > .cra_name = "hmac_sha384", > .backend_cra_name = "hmac(sha384)", > - }, { > - .flags = DRBG_HMAC | DRBG_STRENGTH256, > - .statelen = 64, /* block length of cipher */ > - .blocklen_bytes = 64, > - .cra_name = "hmac_sha512", > - .backend_cra_name = "hmac(sha512)", > }, { > .flags = DRBG_HMAC | DRBG_STRENGTH256, > .statelen = 32, /* block length of cipher */ > .blocklen_bytes = 32, > .cra_name = "hmac_sha256", > .backend_cra_name = "hmac(sha256)", > + }, { > + .flags = DRBG_HMAC | DRBG_STRENGTH256, > + .statelen = 64, /* block length of cipher */ > + .blocklen_bytes = 64, > + .cra_name = "hmac_sha512", > + .backend_cra_name = "hmac(sha512)", > }, Hi Stephan: I just noticed that unlike hmac(sha256) drbg with hmac(sha512) doesn't have a self-test. Could you add one for it please? Thanks, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Am Donnerstag, dem 24.06.2021 um 22:30 +0800 schrieb Herbert Xu: > On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote: > > > > diff --git a/crypto/drbg.c b/crypto/drbg.c > > index 1b4587e0ddad..ea85d4a0fe9e 100644 > > --- a/crypto/drbg.c > > +++ b/crypto/drbg.c > > @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = { > > .blocklen_bytes = 48, > > .cra_name = "hmac_sha384", > > .backend_cra_name = "hmac(sha384)", > > - }, { > > - .flags = DRBG_HMAC | DRBG_STRENGTH256, > > - .statelen = 64, /* block length of cipher */ > > - .blocklen_bytes = 64, > > - .cra_name = "hmac_sha512", > > - .backend_cra_name = "hmac(sha512)", > > }, { > > .flags = DRBG_HMAC | DRBG_STRENGTH256, > > .statelen = 32, /* block length of cipher */ > > .blocklen_bytes = 32, > > .cra_name = "hmac_sha256", > > .backend_cra_name = "hmac(sha256)", > > + }, { > > + .flags = DRBG_HMAC | DRBG_STRENGTH256, > > + .statelen = 64, /* block length of cipher */ > > + .blocklen_bytes = 64, > > + .cra_name = "hmac_sha512", > > + .backend_cra_name = "hmac(sha512)", > > }, > > Hi Stephan: > > I just noticed that unlike hmac(sha256) drbg with hmac(sha512) > doesn't have a self-test. Could you add one for it please? Thank you very much for pointing this out. I will prepare one asap. Thanks Stephan > > Thanks,
Hello, Stephan, Herbert,

Thank you for posting this patch. I would like to confirm that it fixes the issue in the RHEL8, i.e. RHEL8 kernel boots up in the FIPS mode with your patch.

Herbert, could you please consider adding this patch to your cryptodev-2.6.git?

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

On Thu, Jun 24, 2021 at 5:44 PM Stephan Müller <smueller@chronox.de> wrote:
>
> Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
> test is to be provided.
>
> The test vector is obtained from a successful NIST ACVP test run.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/testmgr.c |  5 ++++-
>  crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 53 insertions(+), 1 deletion(-)
>
> ...
diff --git a/crypto/drbg.c b/crypto/drbg.c index 1b4587e0ddad..ea85d4a0fe9e 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = { .blocklen_bytes = 48, .cra_name = "hmac_sha384", .backend_cra_name = "hmac(sha384)", - }, { - .flags = DRBG_HMAC | DRBG_STRENGTH256, - .statelen = 64, /* block length of cipher */ - .blocklen_bytes = 64, - .cra_name = "hmac_sha512", - .backend_cra_name = "hmac(sha512)", }, { .flags = DRBG_HMAC | DRBG_STRENGTH256, .statelen = 32, /* block length of cipher */ .blocklen_bytes = 32, .cra_name = "hmac_sha256", .backend_cra_name = "hmac(sha256)", + }, { + .flags = DRBG_HMAC | DRBG_STRENGTH256, + .statelen = 64, /* block length of cipher */ + .blocklen_bytes = 64, + .cra_name = "hmac_sha512", + .backend_cra_name = "hmac(sha512)", }, #endif /* CONFIG_CRYPTO_DRBG_HMAC */ };
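Review bot: the moved hmac_sha512 entry becomes the default only because it is now the last element of drbg_cores[], and nothing at that entry says its position matters. The commit message states that drbg_fill_array gives the highest priority to the last entry, so any later patch that appends another core before `#endif /* CONFIG_CRYPTO_DRBG_HMAC */` would silently change the default again; a short comment on the last entry stating that it is the default DRBG and that order is significant would prevent that. Since the entry is being moved anyway, the `/* block length of cipher */` comment on .statelen could also be corrected, because the backend here is hmac(sha512) and not a cipher. As raised in the thread, hmac(sha512) has no self-test at the point this patch makes it the default, so the test vector should land together with this change or directly after it.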
The default DRBG is the one that has the highest priority. The priority is defined based on the order of the list drbg_cores[] where the highest priority is given to the last entry by drbg_fill_array.

With this patch the default DRBG is switched from HMAC SHA256 to HMAC SHA512 to support compliance with SP800-90B and SP800-90C (current draft).

The user of the crypto API is completely unaffected by the change.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/drbg.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)