2021-05-21 07:25:04

by Stephan Müller

Subject: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG

The default DRBG is the one that has the highest priority. The priority
is defined based on the order of the list drbg_cores[] where the highest
priority is given to the last entry by drbg_fill_array.

With this patch the default DRBG is switched from HMAC SHA256 to HMAC
SHA512 to support compliance with SP800-90B and SP800-90C (current
draft).

The user of the crypto API is completely unaffected by the change.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/drbg.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 1b4587e0ddad..ea85d4a0fe9e 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
.blocklen_bytes = 48,
.cra_name = "hmac_sha384",
.backend_cra_name = "hmac(sha384)",
- }, {
- .flags = DRBG_HMAC | DRBG_STRENGTH256,
- .statelen = 64, /* block length of cipher */
- .blocklen_bytes = 64,
- .cra_name = "hmac_sha512",
- .backend_cra_name = "hmac(sha512)",
}, {
.flags = DRBG_HMAC | DRBG_STRENGTH256,
.statelen = 32, /* block length of cipher */
.blocklen_bytes = 32,
.cra_name = "hmac_sha256",
.backend_cra_name = "hmac(sha256)",
+ }, {
+ .flags = DRBG_HMAC | DRBG_STRENGTH256,
+ .statelen = 64, /* block length of cipher */
+ .blocklen_bytes = 64,
+ .cra_name = "hmac_sha512",
+ .backend_cra_name = "hmac(sha512)",
},
#endif /* CONFIG_CRYPTO_DRBG_HMAC */
};
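Review bot: the moved hmac_sha512 entry carries `.statelen = 64, /* block length of cipher */`, a comment copied from the CTR cores that is wrong for the HMAC cores: for HMAC these fields hold the hash output length (64 bytes for SHA-512, whose block length is actually 128 bytes), so the comment should be corrected while the lines are being touched. Since nothing in drbg_cores[] says that the last entry is the default, a short comment at the end of the array noting that drbg_fill_array gives the last entry the highest priority would keep a future reorder from silently changing the default again. The commit message's "completely unaffected" also deserves a qualifier: callers asking for the default DRBG now get a different algorithm with a 64-byte state, and testmgr.c at this point still registers drbg_nopr_hmac_sha512 with alg_test_null (the follow-up patch in this thread adds the vector), so the new default ships without a known-answer test until that lands.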
--
2.31.1





2021-05-21 07:32:24

by Simo Sorce

Subject: Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG

On Thu, 2021-05-20 at 21:31 +0200, Stephan Müller wrote:
> The default DRBG is the one that has the highest priority. The priority
> is defined based on the order of the list drbg_cores[] where the highest
> priority is given to the last entry by drbg_fill_array.
>
> With this patch the default DRBG is switched from HMAC SHA256 to HMAC
> SHA512 to support compliance with SP800-90B and SP800-90C (current
> draft).
>
> The user of the crypto API is completely unaffected by the change.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
>  crypto/drbg.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 1b4587e0ddad..ea85d4a0fe9e 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
>   .blocklen_bytes = 48,
>   .cra_name = "hmac_sha384",
>   .backend_cra_name = "hmac(sha384)",
> - }, {
> - .flags = DRBG_HMAC | DRBG_STRENGTH256,
> - .statelen = 64, /* block length of cipher */
> - .blocklen_bytes = 64,
> - .cra_name = "hmac_sha512",
> - .backend_cra_name = "hmac(sha512)",
>   }, {
>   .flags = DRBG_HMAC | DRBG_STRENGTH256,
>   .statelen = 32, /* block length of cipher */
>   .blocklen_bytes = 32,
>   .cra_name = "hmac_sha256",
>   .backend_cra_name = "hmac(sha256)",
> + }, {
> + .flags = DRBG_HMAC | DRBG_STRENGTH256,
> + .statelen = 64, /* block length of cipher */
> + .blocklen_bytes = 64,
> + .cra_name = "hmac_sha512",
> + .backend_cra_name = "hmac(sha512)",
>   },
>  #endif /* CONFIG_CRYPTO_DRBG_HMAC */
>  };

We'd like this to ease certification pains.
Acked-by: Simo Sorce <[email protected]>

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc




2021-05-28 07:44:01

by Herbert Xu

Subject: Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG

On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
> The default DRBG is the one that has the highest priority. The priority
> is defined based on the order of the list drbg_cores[] where the highest
> priority is given to the last entry by drbg_fill_array.
>
> With this patch the default DRBG is switched from HMAC SHA256 to HMAC
> SHA512 to support compliance with SP800-90B and SP800-90C (current
> draft).
>
> The user of the crypto API is completely unaffected by the change.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
> crypto/drbg.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2021-06-24 14:30:43

by Herbert Xu

Subject: Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG

On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 1b4587e0ddad..ea85d4a0fe9e 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
> .blocklen_bytes = 48,
> .cra_name = "hmac_sha384",
> .backend_cra_name = "hmac(sha384)",
> - }, {
> - .flags = DRBG_HMAC | DRBG_STRENGTH256,
> - .statelen = 64, /* block length of cipher */
> - .blocklen_bytes = 64,
> - .cra_name = "hmac_sha512",
> - .backend_cra_name = "hmac(sha512)",
> }, {
> .flags = DRBG_HMAC | DRBG_STRENGTH256,
> .statelen = 32, /* block length of cipher */
> .blocklen_bytes = 32,
> .cra_name = "hmac_sha256",
> .backend_cra_name = "hmac(sha256)",
> + }, {
> + .flags = DRBG_HMAC | DRBG_STRENGTH256,
> + .statelen = 64, /* block length of cipher */
> + .blocklen_bytes = 64,
> + .cra_name = "hmac_sha512",
> + .backend_cra_name = "hmac(sha512)",
> },

Hi Stephan:

I just noticed that, unlike hmac(sha256), the drbg with hmac(sha512)
doesn't have a self-test. Could you add one for it please?

Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2021-06-24 14:55:01

by Stephan Müller

Subject: Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG

On Thursday, 24.06.2021 at 22:30 +0800, Herbert Xu wrote:
> On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
> >
> > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > index 1b4587e0ddad..ea85d4a0fe9e 100644
> > --- a/crypto/drbg.c
> > +++ b/crypto/drbg.c
> > @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
> >                 .blocklen_bytes = 48,
> >                 .cra_name = "hmac_sha384",
> >                 .backend_cra_name = "hmac(sha384)",
> > -       }, {
> > -               .flags = DRBG_HMAC | DRBG_STRENGTH256,
> > -               .statelen = 64, /* block length of cipher */
> > -               .blocklen_bytes = 64,
> > -               .cra_name = "hmac_sha512",
> > -               .backend_cra_name = "hmac(sha512)",
> >         }, {
> >                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
> >                 .statelen = 32, /* block length of cipher */
> >                 .blocklen_bytes = 32,
> >                 .cra_name = "hmac_sha256",
> >                 .backend_cra_name = "hmac(sha256)",
> > +       }, {
> > +               .flags = DRBG_HMAC | DRBG_STRENGTH256,
> > +               .statelen = 64, /* block length of cipher */
> > +               .blocklen_bytes = 64,
> > +               .cra_name = "hmac_sha512",
> > +               .backend_cra_name = "hmac(sha512)",
> >         },
>
> Hi Stephan:
>
> I just noticed that unlike hmac(sha256) drbg with hmac(sha512)
> doesn't have a self-test.  Could you add one for it please?

Thank you very much for pointing this out. I will prepare one asap.

Thanks
Stephan
>
> Thanks,


2021-06-24 15:45:16

by Stephan Müller

Subject: [PATCH] crypto: DRBG - self test for HMAC(SHA-512)

Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
test is to be provided.

The test vector is obtained from a successful NIST ACVP test run.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/testmgr.c | 5 ++++-
crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 1f7f63e836ae..c978e41f11a1 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4686,8 +4686,11 @@ static const struct alg_test_desc alg_test_descs[] = {
.test = alg_test_null,
}, {
.alg = "drbg_nopr_hmac_sha512",
- .test = alg_test_null,
+ .test = alg_test_drbg,
.fips_allowed = 1,
+ .suite = {
+ .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
+ }
}, {
.alg = "drbg_nopr_sha1",
.fips_allowed = 1,
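Review bot: switching .test from alg_test_null to alg_test_drbg under .fips_allowed = 1 turns a vector mismatch into a self-test failure of the default DRBG in FIPS mode, so the origin of the vector should be pinned down more precisely than the commit message's "successful NIST ACVP test run" (which ACVP test group and test case), otherwise the bytes cannot be re-derived if they are ever questioned. The hunk also covers only the "drbg_nopr_" (no prediction resistance) registration; the prediction-resistance counterpart of the same DRBG gets no vector from this patch.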
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 96eb7ce9f81b..3ed6ab34ab51 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -21984,6 +21984,55 @@ static const struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
},
};

+/* Test vector obtained during NIST ACVP testing */
+static const struct drbg_testvec drbg_nopr_hmac_sha512_tv_template[] = {
+ {
+ .entropy = (unsigned char *)
+ "\xDF\xB0\xF2\x18\xF0\x78\x07\x01\x29\xA4\x29\x26"
+ "\x2F\x8A\x34\xCB\x37\xEF\xEE\x41\xE6\x96\xF7\xFF"
+ "\x61\x47\xD3\xED\x41\x97\xEF\x64\x0C\x48\x56\x5A"
+ "\xE6\x40\x6E\x4A\x3B\x9E\x7F\xAC\x08\xEC\x25\xAE"
+ "\x0B\x51\x0E\x2C\x44\x2E\xBD\xDB\x57\xD0\x4A\x6D"
+ "\x80\x3E\x37\x0F",
+ .entropylen = 64,
+ .expected = (unsigned char *)
+ "\x48\xc6\xa8\xdb\x09\xae\xde\x5d\x8c\x77\xf3\x52"
+ "\x92\x71\xa7\xb9\x6d\x53\x6d\xa3\x73\xe3\x55\xb8"
+ "\x39\xd6\x44\x2b\xee\xcb\xe1\x32\x15\x30\xbe\x4e"
+ "\x9b\x1e\x06\xd1\x6b\xbf\xd5\x3e\xea\x7c\xf5\xaa"
+ "\x4b\x05\xb5\xd3\xa7\xb2\xc4\xfe\xe7\x1b\xda\x11"
+ "\x43\x98\x03\x70\x90\xbf\x6e\x43\x9b\xe4\x14\xef"
+ "\x71\xa3\x2a\xef\x9f\x0d\xb9\xe3\x52\xf2\x89\xc9"
+ "\x66\x9a\x60\x60\x99\x60\x62\x4c\xd6\x45\x52\x54"
+ "\xe6\x32\xb2\x1b\xd4\x48\xb5\xa6\xf9\xba\xd3\xff"
+ "\x29\xc5\x21\xe0\x91\x31\xe0\x38\x8c\x93\x0f\x3c"
+ "\x30\x7b\x53\xa3\xc0\x7f\x2d\xc1\x39\xec\x69\x0e"
+ "\xf2\x4a\x3c\x65\xcc\xed\x07\x2a\xf2\x33\x83\xdb"
+ "\x10\x74\x96\x40\xa7\xc5\x1b\xde\x81\xca\x0b\x8f"
+ "\x1e\x0a\x1a\x7a\xbf\x3c\x4a\xb8\x8c\xaf\x7b\x80"
+ "\xb7\xdc\x5d\x0f\xef\x1b\x97\x6e\x3d\x17\x23\x5a"
+ "\x31\xb9\x19\xcf\x5a\xc5\x00\x2a\xb6\xf3\x99\x34"
+ "\x65\xee\xe9\x1c\x55\xa0\x3b\x07\x60\xc9\xc4\xe4"
+ "\xf7\x57\x5c\x34\x9f\xc6\x31\x30\x3f\x23\xb2\x89"
+ "\xc0\xe7\x50\xf3\xde\x59\xd1\x0e\xb3\x0f\x78\xcc"
+ "\x7e\x54\x5e\x61\xf6\x86\x3d\xb3\x11\x94\x36\x3e"
+ "\x61\x5c\x48\x99\xf6\x7b\x02\x9a\xdc\x6a\x28\xe6"
+ "\xd1\xa7\xd1\xa3",
+ .expectedlen = 256,
+ .addtla = (unsigned char *)
+ "\x6B\x0F\x4A\x48\x0B\x12\x85\xE4\x72\x23\x7F\x7F"
+ "\x94\x7C\x24\x69\x14\x9F\xDC\x72\xA6\x33\xAD\x3C"
+ "\x8C\x72\xC1\x88\x49\x59\x82\xC5",
+ .addtlb = (unsigned char *)
+ "\xC4\xAF\x36\x3D\xB8\x5D\x9D\xFA\x92\xF5\xC3\x3C"
+ "\x2D\x1E\x22\x2A\xBD\x8B\x05\x6F\xA3\xFC\xBF\x16"
+ "\xED\xAA\x75\x8D\x73\x9A\xF6\xEC",
+ .addtllen = 32,
+ .pers = NULL,
+ .perslen = 0,
+ }
+};
+
static const struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
{
.entropy = (unsigned char *)
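Review bot: the lengths in the new template are consistent (6 x 12 + 4 = 64 entropy bytes, 21 x 12 + 4 = 256 expected bytes, 32 bytes for each of .addtla and .addtlb), but the escapes mix upper case for .entropy/.addtla/.addtlb with lower case for .expected; normalise them to one case to match the surrounding templates. With a single entry and .pers = NULL the personalization-string path of instantiation is never exercised, so a second entry with a non-empty .pers and .perslen would be worthwhile. The header comment `/* Test vector obtained during NIST ACVP testing */` should name the test case the bytes came from.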
--
2.31.1
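To check the new vector independently of the kernel, here is an added example (not part of the patch or of the kernel's own code): a pure-Python SP 800-90A HMAC_DRBG over SHA-512 that replays the flow of the kernel's test driver (drbg_cavs_test() in testmgr.c) on the bytes from the hunk above: instantiate with .entropy (entropy input and nonce already concatenated, no personalization string), generate .expectedlen bytes with .addtla, generate again with .addtlb, and compare only the second output with .expected. The hex constants are the hunk's bytes re-typed as hex strings; the class and function names are mine.

```python
import hmac

# Constants copied from the drbg_nopr_hmac_sha512_tv_template hunk above.
ENTROPY = bytes.fromhex("DFB0F218F078070129A429262F8A34CB37EFEE41E696F7FF"
                        "6147D3ED4197EF640C48565AE6406E4A3B9E7FAC08EC25AE"
                        "0B510E2C442EBDDB57D04A6D803E370F")
ADDTL_A = bytes.fromhex("6B0F4A480B1285E472237F7F947C2469149FDC72A633AD3C8C72C188495982C5")
ADDTL_B = bytes.fromhex("C4AF363DB85D9DFA92F5C33C2D1E222ABD8B056FA3FCBF16EDAA758D739AF6EC")
EXPECTED = bytes.fromhex("48c6a8db09aede5d8c77f3529271a7b96d536da373e355b839d6442beecbe1321530be4e"
                         "9b1e06d16bbfd53eea7cf5aa4b05b5d3a7b2c4fee71bda114398037090bf6e439be414ef"
                         "71a32aef9f0db9e352f289c9669a60609960624cd6455254e632b21bd448b5a6f9bad3ff"
                         "29c521e09131e0388c930f3c307b53a3c07f2dc139ec690ef24a3c65cced072af23383db"
                         "10749640a7c51bde81ca0b8f1e0a1a7abf3c4ab88caf7b80b7dc5d0fef1b976e3d17235a"
                         "31b919cf5ac5002ab6f3993465eee91c55a03b0760c9c4e4f7575c349fc631303f23b289"
                         "c0e750f3de59d10eb30f78cc7e545e61f6863db31194363e615c4899f67b029adc6a28e6"
                         "d1a7d1a3")


class HmacDrbg:  # SP 800-90A 10.1.2 HMAC_DRBG, no derivation function, no prediction resistance
    def __init__(self, entropy: bytes, pers: bytes = b"", hash_name: str = "sha512"):
        self.hash_name = hash_name
        outlen = hmac.new(b"", b"", hash_name).digest_size  # the kernel's statelen / blocklen_bytes
        self.key, self.v = b"\x00" * outlen, b"\x01" * outlen  # 10.1.2.3 steps 2-3
        self._update(entropy + pers)  # seed_material = entropy_input || nonce || pers

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, self.hash_name).digest()

    def _update(self, provided: bytes) -> None:  # 10.1.2.2 HMAC_DRBG_Update
        self.key = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:  # second round only when provided_data is non-empty
            self.key = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def generate(self, nbytes: int, addtl: bytes = b"") -> bytes:  # 10.1.2.5 Generate
        if addtl:
            self._update(addtl)  # step 2
        out = b""
        while len(out) < nbytes:  # step 4: V = HMAC(K, V), append V
            self.v = self._hmac(self.v)
            out += self.v
        self._update(addtl)  # step 6
        return out[:nbytes]


def run_kernel_vector() -> bool:
    # Same sequence as drbg_cavs_test(): the first output is generated and discarded.
    drbg = HmacDrbg(ENTROPY)
    drbg.generate(len(EXPECTED), ADDTL_A)
    return drbg.generate(len(EXPECTED), ADDTL_B) == EXPECTED
```

A mismatch here would mean either a transcription error in the template or a deviation from the standard algorithm, which is exactly what the kernel's own self-test is meant to catch at boot.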




2021-06-24 20:57:01

by Vladis Dronov

Subject: Re: [PATCH] crypto: DRBG - self test for HMAC(SHA-512)

Hello, Stephan, Herbert,

Thank you for posting this patch. I would like to confirm that it fixes the
issue in RHEL8, i.e. the RHEL8 kernel boots up in FIPS mode with your patch.

Herbert, could you please consider adding this patch to your cryptodev-2.6.git?

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

On Thu, Jun 24, 2021 at 5:44 PM Stephan Müller <[email protected]> wrote:
>
> Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
> test is to be provided.
>
> The test vector is obtained from a successful NIST ACVP test run.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
> crypto/testmgr.c | 5 ++++-
> crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 53 insertions(+), 1 deletion(-)
>
> ...

2021-06-28 03:33:34

by Herbert Xu

Subject: Re: [PATCH] crypto: DRBG - self test for HMAC(SHA-512)

On Thu, Jun 24, 2021 at 05:44:35PM +0200, Stephan Müller wrote:
> Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
> test is to be provided.
>
> The test vector is obtained from a successful NIST ACVP test run.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
> crypto/testmgr.c | 5 ++++-
> crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 53 insertions(+), 1 deletion(-)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt