2023-10-29 20:48:43

by Dimitri John Ledkov

Subject: [PATCH 1/4] crypto: drbg - ensure most preferred type is FIPS health checked

drbg supports multiple types of drbg, and multiple parameters of
each. Health check sanity only checks one drbg of a single type. One
can enable all three types of drbg. And instead of checking the most
preferred algorithm (last one wins), it is currently checking the first
one instead.

Update the ifdef to ensure that the healthcheck prefers HMAC over HASH over
CTR (last one wins), like all other code and functions.

Fixes: 541af946fe ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")

Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/drbg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index ff4ebbc68e..2cce18dcfc 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -2018,9 +2018,11 @@ static inline int __init drbg_healthcheck_sanity(void)

#ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
-#elif defined CONFIG_CRYPTO_DRBG_HASH
+#endif
+#ifdef CONFIG_CRYPTO_DRBG_HASH
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
-#else
+#endif
+#ifdef CONFIG_CRYPTO_DRBG_HMAC
drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
#endif

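Review bot: The three drbg_convert_tfm_core() calls now run one after another whenever their CONFIG options are set, and each call overwrites coreref and pr, so the preference is enforced purely by source order and the result of every call but the last is discarded. A short comment above the CONFIG_CRYPTO_DRBG_CTR block stating that the last enabled type wins (HMAC over HASH over CTR) would keep a later reader from "optimising" the earlier calls away or reordering the blocks. The return value of drbg_convert_tfm_core() remains unchecked on all three calls, as it was before the patch.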
--
2.34.1


2023-10-29 20:49:00

by Dimitri John Ledkov

Subject: [PATCH 2/4] crypto: drbg - update FIPS CTR self-checks to aes256

When drbg was originally introduced, the FIPS self-checks for all types but
CTR were using the most preferred parameters for each type of
DRBG. Update the CTR self-check to use aes256.

Fixes: 541af946fe ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/drbg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 2cce18dcfc..b120e2866b 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1478,8 +1478,8 @@ static int drbg_generate(struct drbg_state *drbg,
err = alg_test("drbg_pr_hmac_sha256",
"drbg_pr_hmac_sha256", 0, 0);
else if (drbg->core->flags & DRBG_CTR)
- err = alg_test("drbg_pr_ctr_aes128",
- "drbg_pr_ctr_aes128", 0, 0);
+ err = alg_test("drbg_pr_ctr_aes256",
+ "drbg_pr_ctr_aes256", 0, 0);
else
err = alg_test("drbg_pr_sha256",
"drbg_pr_sha256", 0, 0);
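Review bot: The new self-test target at the `+ err = alg_test("drbg_pr_ctr_aes256", ...)` lines maps to a testmgr descriptor that runs no vectors: the crypto/testmgr.c context shown in patch 4/4 lists `.alg = "drbg_pr_ctr_aes256"` with `.test = alg_test_null` and `.fips_allowed = 1`. The commit message should say that this only changes which null descriptor the self-test consults, and that the block it sits in is described in review as commented out, so there is no behavioural change to verify.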
@@ -2017,7 +2017,7 @@ static inline int __init drbg_healthcheck_sanity(void)
return 0;

#ifdef CONFIG_CRYPTO_DRBG_CTR
- drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
+ drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
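Review bot: With patch 1/4 applied, the `+ drbg_convert_tfm_core("drbg_nopr_ctr_aes256", ...)` call is followed by the CONFIG_CRYPTO_DRBG_HASH and CONFIG_CRYPTO_DRBG_HMAC calls that overwrite coreref and pr, so the aes256 string here only selects the checked core on builds where CTR is the sole enabled DRBG type. That is consistent with the "last one wins" intent, but the commit message's "Update CTR self-check to use aes256" reads as if this line were always effective; a sentence noting that it is normally shadowed would avoid confusion.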
--
2.34.1

2023-10-29 20:49:06

by Dimitri John Ledkov

Subject: [PATCH 3/4] crypto: drbg - ensure drbg hmac sha512 is used in FIPS selftests

Update the code comment, self test & healthcheck to use HMAC SHA512
instead of HMAC SHA256. These changes are in dead code, or FIPS-enabled
code paths only, and have no effect on usual kernel builds.

On systems booting in FIPS mode this has the effect of switching the sanity
selftest to being HMAC SHA512 based (which has been the default DRBG).

Fixes: 9b7b94683a ("crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG")
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/drbg.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index b120e2866b..99666193d9 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -111,9 +111,9 @@
* as stdrng. Each DRBG receives an increasing cra_priority values the later
* they are defined in this array (see drbg_fill_array).
*
- * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
- * the SHA256 / AES 256 over other ciphers. Thus, the favored
- * DRBGs are the latest entries in this array.
+ * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
+ * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
+ * favored DRBGs are the latest entries in this array.
*/
static const struct drbg_core drbg_cores[] = {
#ifdef CONFIG_CRYPTO_DRBG_CTR
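Review bot: The rewritten comment at the `+ * HMAC-SHA512 / SHA256 / AES 256 over other ciphers` line lists three primitives against three DRBG types without saying which belongs to which, so a reader can parse SHA256 as the favoured HMAC hash. Suggest spelling the mapping out, e.g. "HMAC-SHA512 for HMAC DRBG, SHA256 for Hash DRBG and AES-256 for CTR DRBG are favoured over the other ciphers".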
@@ -1475,8 +1475,8 @@ static int drbg_generate(struct drbg_state *drbg,
int err = 0;
pr_devel("DRBG: start to perform self test\n");
if (drbg->core->flags & DRBG_HMAC)
- err = alg_test("drbg_pr_hmac_sha256",
- "drbg_pr_hmac_sha256", 0, 0);
+ err = alg_test("drbg_pr_hmac_sha512",
+ "drbg_pr_hmac_sha512", 0, 0);
else if (drbg->core->flags & DRBG_CTR)
err = alg_test("drbg_pr_ctr_aes256",
"drbg_pr_ctr_aes256", 0, 0);
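Review bot: This hunk moves the HMAC self-test from a descriptor that runs vectors to one that does not. In the crypto/testmgr.c context shown in patch 4/4, `"drbg_pr_hmac_sha256"` has `.test = alg_test_drbg`, whereas `"drbg_pr_hmac_sha512"` has `.test = alg_test_null` with `.fips_allowed = 1`, so if this self-test block is ever re-enabled (the review thread describes it as commented out) the `+ err = alg_test("drbg_pr_hmac_sha512", ...)` call would exercise no known-answer vectors. Either keep the sha256 target here, or add a drbg_pr_hmac_sha512 vector test in testmgr alongside this change, and state the choice in the commit message.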
@@ -2023,7 +2023,7 @@ static inline int __init drbg_healthcheck_sanity(void)
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HMAC
- drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
+ drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
#endif

drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
--
2.34.1

2023-10-29 20:49:10

by Dimitri John Ledkov

Subject: [PATCH 4/4] crypto: drbg - Remove SHA1 from drbg

SP800-90C 3rd draft states that SHA-1 will be removed from all
specifications, including drbg, by the end of 2030. Given that kernels built
today will be operating past that date, start complying with the upcoming
requirements.

No functional change, as the SHA-256 / SHA-512 based DRBGs have always been
the preferred ones.

Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/drbg.c | 16 ----------------
crypto/testmgr.c | 25 ++++---------------------
2 files changed, 4 insertions(+), 37 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 99666193d9..bccadaedcf 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -139,12 +139,6 @@ static const struct drbg_core drbg_cores[] = {
#endif /* CONFIG_CRYPTO_DRBG_CTR */
#ifdef CONFIG_CRYPTO_DRBG_HASH
{
- .flags = DRBG_HASH | DRBG_STRENGTH128,
- .statelen = 55, /* 440 bits */
- .blocklen_bytes = 20,
- .cra_name = "sha1",
- .backend_cra_name = "sha1",
- }, {
.flags = DRBG_HASH | DRBG_STRENGTH256,
.statelen = 111, /* 888 bits */
.blocklen_bytes = 48,
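Review bot: Dropping the sha1 entry from drbg_cores[] shifts every later entry in the CONFIG_CRYPTO_DRBG_HASH block down by one position, and the header comment on this array (visible in patch 3/4) says cra_priority grows with position in the array, so the numeric priorities of the remaining Hash cores change. Relative order is preserved, so in-kernel selection is unaffected, but the "No functional change" line in the commit message should mention the priority shift and that requests for drbg_pr_sha1 / drbg_nopr_sha1 now fail to resolve rather than being redirected to another core.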
@@ -166,12 +160,6 @@ static const struct drbg_core drbg_cores[] = {
#endif /* CONFIG_CRYPTO_DRBG_HASH */
#ifdef CONFIG_CRYPTO_DRBG_HMAC
{
- .flags = DRBG_HMAC | DRBG_STRENGTH128,
- .statelen = 20, /* block length of cipher */
- .blocklen_bytes = 20,
- .cra_name = "hmac_sha1",
- .backend_cra_name = "hmac(sha1)",
- }, {
.flags = DRBG_HMAC | DRBG_STRENGTH256,
.statelen = 48, /* block length of cipher */
.blocklen_bytes = 48,
@@ -648,8 +636,6 @@ MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
-MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
-MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");

/* update function of HMAC DRBG as defined in 10.1.2.2 */
static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
@@ -768,8 +754,6 @@ MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
-MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
-MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");

/*
* Increment buffer
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 216878c8bc..209b21ef79 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4849,14 +4849,6 @@ static const struct alg_test_desc alg_test_descs[] = {
.suite = {
.drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
}
- }, {
- /*
- * There is no need to specifically test the DRBG with every
- * backend cipher -- covered by drbg_nopr_hmac_sha256 test
- */
- .alg = "drbg_nopr_hmac_sha1",
- .fips_allowed = 1,
- .test = alg_test_null,
}, {
.alg = "drbg_nopr_hmac_sha256",
.test = alg_test_drbg,
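Review bot: This hunk deletes the only comment in alg_test_descs[] that explains why several drbg entries use alg_test_null (the `There is no need to specifically test the DRBG with every backend cipher` lines); the following hunk re-adds it on the drbg_nopr_hmac_sha384 entry, so the explanation survives only if both hunks land together. Since the descriptor removal also drops `.fips_allowed = 1` for drbg_nopr_hmac_sha1, any remaining registration under that name would be rejected in FIPS mode, which is consistent with removing the core from drbg.c in the same patch and is worth one sentence in the commit message.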
@@ -4865,7 +4857,10 @@ static const struct alg_test_desc alg_test_descs[] = {
.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
}
}, {
- /* covered by drbg_nopr_hmac_sha256 test */
+ /*
+ * There is no need to specifically test the DRBG with every
+ * backend cipher -- covered by drbg_nopr_hmac_sha512 test
+ */
.alg = "drbg_nopr_hmac_sha384",
.test = alg_test_null,
}, {
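Review bot: The replacement comment at the `+ * backend cipher -- covered by drbg_nopr_hmac_sha512 test` line changes which vector test is cited for the sha384 null entry, from sha256 to sha512, although both `drbg_nopr_hmac_sha256` (`.test = alg_test_drbg` directly above) and `drbg_nopr_hmac_sha512` (`__VECS(drbg_nopr_hmac_sha512_tv_template)` in the next hunk) keep their vector tests. The rewording is unrelated to SHA-1 removal; either keep the original `covered by drbg_nopr_hmac_sha256 test` text or mention the comment change in the commit message.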
@@ -4875,10 +4870,6 @@ static const struct alg_test_desc alg_test_descs[] = {
.suite = {
.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
}
- }, {
- .alg = "drbg_nopr_sha1",
- .fips_allowed = 1,
- .test = alg_test_null,
}, {
.alg = "drbg_nopr_sha256",
.test = alg_test_drbg,
@@ -4910,10 +4901,6 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "drbg_pr_ctr_aes256",
.fips_allowed = 1,
.test = alg_test_null,
- }, {
- .alg = "drbg_pr_hmac_sha1",
- .fips_allowed = 1,
- .test = alg_test_null,
}, {
.alg = "drbg_pr_hmac_sha256",
.test = alg_test_drbg,
@@ -4929,10 +4916,6 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "drbg_pr_hmac_sha512",
.test = alg_test_null,
.fips_allowed = 1,
- }, {
- .alg = "drbg_pr_sha1",
- .fips_allowed = 1,
- .test = alg_test_null,
}, {
.alg = "drbg_pr_sha256",
.test = alg_test_drbg,
--
2.34.1

2023-10-30 10:22:59

by Stephan Müller

Subject: Re: [PATCH 1/4] crypto: drbg - ensure most preferred type is FIPS health checked

On Sunday, 29 October 2023, 21:48:20 CET, Dimitri John Ledkov wrote:

Hi Dimitri,

> drbg supports multiple types of drbg, and multiple parameters of
> each. Health check sanity only checks one drbg of a single type. One
> can enable all three types of drbg. And instead of checking the most
> preferred algorithm (last one wins), it is currently checking the first
> one instead.

The purpose of the sanity check is to make sure the various thresholds are
effective. For this, you need "a" DRBG, no matter which one.
>
> Update the ifdef to ensure that the healthcheck prefers HMAC over HASH over
> CTR (last one wins), like all other code and functions.

I can see that this patch makes the code more consistent with the rest. Yet I
would doubt the "Fixes" indicator below is needed.

Anyhow:

Reviewed-by: Stephan Mueller <[email protected]>

Ciao
Stephan


2023-10-30 10:26:04

by Stephan Müller

Subject: Re: [PATCH 3/4] crypto: drbg - ensure drbg hmac sha512 is used in FIPS selftests

On Sunday, 29 October 2023, 21:48:22 CET, Dimitri John Ledkov wrote:

Hi Dimitri,

> Update the code comment, self test & healthcheck to use HMAC SHA512
> instead of HMAC SHA256. These changes are in dead code, or FIPS-enabled
> code paths only, and have no effect on usual kernel builds.
>
> On systems booting in FIPS mode this has the effect of switching the sanity
> selftest to being HMAC SHA512 based (which has been the default DRBG).
>
> Fixes: 9b7b94683a ("crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG")
> Signed-off-by: Dimitri John Ledkov <[email protected]>
> ---
> crypto/drbg.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index b120e2866b..99666193d9 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -111,9 +111,9 @@
> * as stdrng. Each DRBG receives an increasing cra_priority values the
> later * they are defined in this array (see drbg_fill_array).
> *
> - * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
> - * the SHA256 / AES 256 over other ciphers. Thus, the favored
> - * DRBGs are the latest entries in this array.
> + * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
> + * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
> + * favored DRBGs are the latest entries in this array.
> */
> static const struct drbg_core drbg_cores[] = {
> #ifdef CONFIG_CRYPTO_DRBG_CTR
> @@ -1475,8 +1475,8 @@ static int drbg_generate(struct drbg_state *drbg,
> int err = 0;
> pr_devel("DRBG: start to perform self test\n");
> if (drbg->core->flags & DRBG_HMAC)
> - err = alg_test("drbg_pr_hmac_sha256",
> - "drbg_pr_hmac_sha256", 0, 0);
> + err = alg_test("drbg_pr_hmac_sha512",
> + "drbg_pr_hmac_sha512", 0, 0);
> else if (drbg->core->flags & DRBG_CTR)
> err = alg_test("drbg_pr_ctr_aes256",
> "drbg_pr_ctr_aes256", 0, 0);
> @@ -2023,7 +2023,7 @@ static inline int __init drbg_healthcheck_sanity(void)
> drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
> #endif
> #ifdef CONFIG_CRYPTO_DRBG_HMAC
> - drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
> + drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
> #endif
>
> drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);

Reviewed-by: Stephan Mueller <[email protected]>

Ciao
Stephan


2023-10-30 10:31:21

by Dimitri John Ledkov

Subject: Re: [PATCH 2/4] crypto: drbg - update FIPS CTR self-checks to aes256

On Mon, 30 Oct 2023 at 12:23, Stephan Mueller <[email protected]> wrote:
>
> On Sunday, 29 October 2023, 21:48:21 CET, Dimitri John Ledkov wrote:
>
> Hi Dimitri,
>
> > When drbg was originally introduced, the FIPS self-checks for all types but
> > CTR were using the most preferred parameters for each type of
> > DRBG. Update the CTR self-check to use aes256.
> >
> > Fixes: 541af946fe ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
> > Signed-off-by: Dimitri John Ledkov <[email protected]>
>
>
>
> > ---
> > crypto/drbg.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > index 2cce18dcfc..b120e2866b 100644
> > --- a/crypto/drbg.c
> > +++ b/crypto/drbg.c
> > @@ -1478,8 +1478,8 @@ static int drbg_generate(struct drbg_state *drbg,
> > err = alg_test("drbg_pr_hmac_sha256",
> > "drbg_pr_hmac_sha256", 0, 0);
> > else if (drbg->core->flags & DRBG_CTR)
> > - err = alg_test("drbg_pr_ctr_aes128",
> > - "drbg_pr_ctr_aes128", 0, 0);
> > + err = alg_test("drbg_pr_ctr_aes256",
> > + "drbg_pr_ctr_aes256", 0, 0);
> > else
> > err = alg_test("drbg_pr_sha256",
> > "drbg_pr_sha256", 0, 0);
> > @@ -2017,7 +2017,7 @@ static inline int __init drbg_healthcheck_sanity(void)
> > return 0;
> >
> > #ifdef CONFIG_CRYPTO_DRBG_CTR
> > - drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
> > + drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
> > #endif
> > #ifdef CONFIG_CRYPTO_DRBG_HASH
> > drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
>
> I am not sure again whether this warrants a "Fixes" tag, because the first
> modification is in a commented-out code section and the latter again intends
> to test the DRBG thresholds and thus just needs "a" DRBG.
>

Agreed, it is more of a reference. But yes, I don't believe this needs
to trigger stable backports, because yes, it is like dead code, or
FIPS-only code, which the majority of kernels don't do. Maybe I should
reference that commit in the description only?

> Anyhow:
>
> Reviewed-by: Stephan Mueller <[email protected]>
>
>
> Ciao
> Stephan
>
>

--
okurrr,

Dimitri

2023-10-30 10:35:56

by Stephan Müller

Subject: Re: [PATCH 2/4] crypto: drbg - update FIPS CTR self-checks to aes256

On Monday, 30 October 2023, 11:30:32 CET, Dimitri John Ledkov wrote:

Hi Dimitri,

> On Mon, 30 Oct 2023 at 12:23, Stephan Mueller <[email protected]> wrote:
> > On Sunday, 29 October 2023, 21:48:21 CET, Dimitri John Ledkov wrote:
> >
> > Hi Dimitri,
> >
> > > When drbg was originally introduced, the FIPS self-checks for all types but
> > > CTR were using the most preferred parameters for each type of
> > > DRBG. Update the CTR self-check to use aes256.
> > >
> > > Fixes: 541af946fe ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
> > > Signed-off-by: Dimitri John Ledkov <[email protected]>
> > >
> > >
> > >
> > > ---
> > >
> > > crypto/drbg.c | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > > index 2cce18dcfc..b120e2866b 100644
> > > --- a/crypto/drbg.c
> > > +++ b/crypto/drbg.c
> > > @@ -1478,8 +1478,8 @@ static int drbg_generate(struct drbg_state *drbg,
> > >
> > > err = alg_test("drbg_pr_hmac_sha256",
> > >
> > > "drbg_pr_hmac_sha256", 0, 0);
> > >
> > > else if (drbg->core->flags & DRBG_CTR)
> > >
> > > - err = alg_test("drbg_pr_ctr_aes128",
> > > - "drbg_pr_ctr_aes128", 0, 0);
> > > + err = alg_test("drbg_pr_ctr_aes256",
> > > + "drbg_pr_ctr_aes256", 0, 0);
> > >
> > > else
> > >
> > > err = alg_test("drbg_pr_sha256",
> > >
> > > "drbg_pr_sha256", 0, 0);
> > >
> > > @@ -2017,7 +2017,7 @@ static inline int __init
> > > drbg_healthcheck_sanity(void) return 0;
> > >
> > > #ifdef CONFIG_CRYPTO_DRBG_CTR
> > >
> > > - drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
> > > + drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
> > >
> > > #endif
> > > #ifdef CONFIG_CRYPTO_DRBG_HASH
> > >
> > > drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
> >
> > I am not sure again whether this warrants a "Fixes" tag, because the first
> > modification is in a commented-out code section and the latter again
> > intends to test the DRBG thresholds and thus just needs "a" DRBG.
>
> Agreed, it is more of a reference. But yes, I don't believe this needs
> to trigger stable backports, because yes, it is like dead code, or
> FIPS-only code, which the majority of kernels don't do. Maybe I should
> reference that commit in the description only?

I think this would be good to avoid the need to trigger backports for this
"trivial" patch.

Thanks a lot.
>
> > Anyhow:
> >
> > Reviewed-by: Stephan Mueller <[email protected]>
> >
> >
> > Ciao
> > Stephan


Ciao
Stephan


2023-10-30 11:21:12

by Stephan Müller

Subject: Re: [PATCH 4/4] crypto: drbg - Remove SHA1 from drbg

On Sunday, 29 October 2023, 21:48:23 CET, Dimitri John Ledkov wrote:

Hi Dimitri,

> SP800-90C 3rd draft states that SHA-1 will be removed from all
> specifications, including drbg, by the end of 2030. Given that kernels built
> today will be operating past that date, start complying with the upcoming
> requirements.
>
> No functional change, as the SHA-256 / SHA-512 based DRBGs have always been
> the preferred ones.

Reviewed-by: Stephan Mueller <[email protected]>

Ciao
Stephan


2023-10-30 12:05:49

by Dimitri John Ledkov

Subject: [PATCH v2 0/4] drbg small fixes

This is the v2 update of the
https://lore.kernel.org/linux-crypto/[email protected]/T/#u
patch series.

Added Reviewed-by from Stephan, and changed the patch descriptions to drop the
Fixes: metadata and explicitly mention that backporting these patches to the
stable series will not bring any benefits per se (as they patch dead
code, fips_enabled-only code, that doesn't affect certification).

Dimitri John Ledkov (4):
crypto: drbg - ensure most preferred type is FIPS health checked
crypto: drbg - update FIPS CTR self-checks to aes256
crypto: drbg - ensure drbg hmac sha512 is used in FIPS selftests
crypto: drbg - Remove SHA1 from drbg

crypto/drbg.c | 40 +++++++++++++---------------------------
crypto/testmgr.c | 25 ++++---------------------
2 files changed, 17 insertions(+), 48 deletions(-)

--
2.34.1

2023-10-30 12:06:00

by Dimitri John Ledkov

Subject: [PATCH v2 1/4] crypto: drbg - ensure most preferred type is FIPS health checked

drbg supports multiple types of drbg, and multiple parameters of
each. Health check sanity only checks one drbg of a single type. One
can enable all three types of drbg. And instead of checking the most
preferred algorithm (last one wins), it is currently checking the first
one instead.

Update the ifdef to ensure that the healthcheck prefers HMAC over HASH over
CTR (last one wins), like all other code and functions.

This patch updates code from 541af946fe ("crypto: drbg - SP800-90A
Deterministic Random Bit Generator"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.

Signed-off-by: Dimitri John Ledkov <[email protected]>
Reviewed-by: Stephan Mueller <[email protected]>
---
crypto/drbg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index ff4ebbc68e..2cce18dcfc 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -2018,9 +2018,11 @@ static inline int __init drbg_healthcheck_sanity(void)

#ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
-#elif defined CONFIG_CRYPTO_DRBG_HASH
+#endif
+#ifdef CONFIG_CRYPTO_DRBG_HASH
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
-#else
+#endif
+#ifdef CONFIG_CRYPTO_DRBG_HMAC
drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
#endif

--
2.34.1

2023-10-30 12:06:13

by Dimitri John Ledkov

Subject: [PATCH v2 2/4] crypto: drbg - update FIPS CTR self-checks to aes256

When drbg was originally introduced, the FIPS self-checks for all types but
CTR were using the most preferred parameters for each type of
DRBG. Update the CTR self-check to use aes256.

This patch updates code from 541af946fe ("crypto: drbg - SP800-90A
Deterministic Random Bit Generator"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.

Signed-off-by: Dimitri John Ledkov <[email protected]>
Reviewed-by: Stephan Mueller <[email protected]>
---
crypto/drbg.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 2cce18dcfc..b120e2866b 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1478,8 +1478,8 @@ static int drbg_generate(struct drbg_state *drbg,
err = alg_test("drbg_pr_hmac_sha256",
"drbg_pr_hmac_sha256", 0, 0);
else if (drbg->core->flags & DRBG_CTR)
- err = alg_test("drbg_pr_ctr_aes128",
- "drbg_pr_ctr_aes128", 0, 0);
+ err = alg_test("drbg_pr_ctr_aes256",
+ "drbg_pr_ctr_aes256", 0, 0);
else
err = alg_test("drbg_pr_sha256",
"drbg_pr_sha256", 0, 0);
@@ -2017,7 +2017,7 @@ static inline int __init drbg_healthcheck_sanity(void)
return 0;

#ifdef CONFIG_CRYPTO_DRBG_CTR
- drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
+ drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
--
2.34.1

2023-10-30 12:06:13

by Dimitri John Ledkov

Subject: [PATCH v2 3/4] crypto: drbg - ensure drbg hmac sha512 is used in FIPS selftests

Update the code comment, self test & healthcheck to use HMAC SHA512
instead of HMAC SHA256. These changes are in dead code, or FIPS-enabled
code paths only, and have no effect on usual kernel builds.

On systems booting in FIPS mode this has the effect of switching the sanity
selftest to being HMAC SHA512 based (which has been the default DRBG).

This patch updates code from 9b7b94683a ("crypto: DRBG - switch to
HMAC SHA512 DRBG as default DRBG"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.

Signed-off-by: Dimitri John Ledkov <[email protected]>
Reviewed-by: Stephan Mueller <[email protected]>
---
crypto/drbg.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index b120e2866b..99666193d9 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -111,9 +111,9 @@
* as stdrng. Each DRBG receives an increasing cra_priority values the later
* they are defined in this array (see drbg_fill_array).
*
- * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
- * the SHA256 / AES 256 over other ciphers. Thus, the favored
- * DRBGs are the latest entries in this array.
+ * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
+ * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
+ * favored DRBGs are the latest entries in this array.
*/
static const struct drbg_core drbg_cores[] = {
#ifdef CONFIG_CRYPTO_DRBG_CTR
@@ -1475,8 +1475,8 @@ static int drbg_generate(struct drbg_state *drbg,
int err = 0;
pr_devel("DRBG: start to perform self test\n");
if (drbg->core->flags & DRBG_HMAC)
- err = alg_test("drbg_pr_hmac_sha256",
- "drbg_pr_hmac_sha256", 0, 0);
+ err = alg_test("drbg_pr_hmac_sha512",
+ "drbg_pr_hmac_sha512", 0, 0);
else if (drbg->core->flags & DRBG_CTR)
err = alg_test("drbg_pr_ctr_aes256",
"drbg_pr_ctr_aes256", 0, 0);
@@ -2023,7 +2023,7 @@ static inline int __init drbg_healthcheck_sanity(void)
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HMAC
- drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
+ drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
#endif

drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
--
2.34.1