2022-01-07 19:25:36

by Stephan Müller

[permalink] [raw]
Subject: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

FIPS 140 requires a minimum security strength of 112 bits. This implies
that the HMAC key must not be smaller than 112 in FIPS mode.

This restriction implies that the test vectors for HMAC that have a key
that is smaller than 112 bits must be disabled when FIPS support is
compiled.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/hmac.c | 4 ++++
crypto/testmgr.h | 18 ++++++++++++++++++
2 files changed, 22 insertions(+)

diff --git a/crypto/hmac.c b/crypto/hmac.c
index 25856aa7ccbf..3610ff0b6739 100644
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -15,6 +15,7 @@
#include <crypto/internal/hash.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
+#include <linux/fips.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
@@ -51,6 +52,9 @@ static int hmac_setkey(struct crypto_shash *parent,
SHASH_DESC_ON_STACK(shash, hash);
unsigned int i;

+ if (fips_enabled && (keylen < 112 / 8))
+ return -EINVAL;
+
shash->tfm = hash;

if (keylen > bs) {
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index a253d66ba1c1..1c39d294b9ba 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5706,6 +5706,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
.digest = "\xb6\x17\x31\x86\x55\x05\x72\x64"
"\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
"\x46\xbe",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -5713,6 +5714,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
.psize = 28,
.digest = "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74"
"\x16\xd5\xf1\x84\xdf\x9c\x25\x9a\x7c\x79",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
.ksize = 20,
@@ -5789,6 +5791,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
"\x68\x32\x10\x7c\xd4\x9d\xf3\x3f"
"\x47\xb4\xb1\x16\x99\x12\xba\x4f"
"\x53\x68\x4b\x22",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -5802,6 +5805,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
"\x45\x69\x0f\x3a\x7e\x9e\x6d\x0f"
"\x8b\xbe\xa2\xa3\x9e\x61\x48\x00"
"\x8f\xd0\x5e\x44",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -5936,6 +5940,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
"\x99\x03\xa0\xf1\xcf\x2b\xbd\xc5"
"\xba\x0a\xa3\xf3\xd9\xae\x3c\x1c"
"\x7a\x3b\x16\x96\xa0\xb6\x8c\xf7",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -5945,6 +5950,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
"\x6a\x04\x24\x26\x08\x95\x75\xc7"
"\x5a\x00\x3f\x08\x9d\x27\x39\x83"
"\x9d\xec\x58\xb9\x64\xec\x38\x43",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6432,6 +6438,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
"\x82\xaa\x03\x4c\x7c\xeb\xc5\x9c"
"\xfa\xea\x9e\xa9\x07\x6e\xde\x7f"
"\x4a\xf1\x52\xe8\xb2\xfa\x9c\xb6",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6443,6 +6450,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
"\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
"\x8e\x22\x40\xca\x5e\x69\xe2\xc7"
"\x8b\x32\x39\xec\xfa\xb2\x16\x49",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6530,6 +6538,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
"\x03\x8b\x27\x4e\xae\xa3\xf4\xe4"
"\xbe\x9d\x91\x4e\xeb\x61\xf1\x70"
"\x2e\x69\x6c\x20\x3a\x12\x68\x54",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6543,6 +6552,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
"\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd"
"\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b"
"\x63\x6e\x07\x0a\x38\xbc\xe7\x37",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6629,6 +6639,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
"\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
"\x98\x84\x36\x76\x41\xd8\xc5\x9a"
"\xf3\xc8\x60\xf7",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6638,6 +6649,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
"\x1b\x79\x86\x34\xad\x38\x68\x11"
"\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b"
"\xba\xce\x5e\x66",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6716,6 +6728,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
"\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
"\x14\x0b\xb7\x18\x5e\x12\x02\xcd"
"\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6725,6 +6738,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
"\x35\x96\xbb\xb0\xda\x73\xb8\x87"
"\xc9\x17\x1f\x93\x09\x5b\x29\x4a"
"\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6805,6 +6819,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
"\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
"\x20\xd3\x70\xb4\x77\x43\x13\x0e"
"\x26\xac\x7e\x3d\x53\x28\x86\xbd",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6816,6 +6831,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
"\x3c\xa1\x35\x08\xa9\x32\x43\xce"
"\x48\xc0\x45\xdc\x00\x7f\x26\xa2"
"\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6902,6 +6918,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
"\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
"\x3a\x66\x8f\xd3\x88\x8b\xb8\x05"
"\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
+#ifndef CONFIG_CRYPTO_FIPS
}, {
.key = "Jefe",
.ksize = 4,
@@ -6915,6 +6932,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
"\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
"\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83"
"\x96\x02\x75\xbe\xb4\xe6\x20\x24",
+#endif
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
--
2.33.1






2022-01-07 23:28:37

by Eric Biggers

[permalink] [raw]
Subject: Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

Hi Stephan,

On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan M?ller wrote:
> FIPS 140 requires a minimum security strength of 112 bits. This implies
> that the HMAC key must not be smaller than 112 in FIPS mode.
>
> This restriction implies that the test vectors for HMAC that have a key
> that is smaller than 112 bits must be disabled when FIPS support is
> compiled.
>
> Signed-off-by: Stephan Mueller <[email protected]>

This could make sense, but the weird thing is that the HMAC code has been like
this from the beginning, yet many companies have already gotten this exact same
HMAC implementation FIPS-certified. What changed?

- Eric

2022-01-08 06:47:17

by Stephan Müller

[permalink] [raw]
Subject: Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

Am Samstag, 8. Januar 2022, 00:28:31 CET schrieb Eric Biggers:

Hi Eric,

> Hi Stephan,
>
> On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan M?ller wrote:
> > FIPS 140 requires a minimum security strength of 112 bits. This implies
> > that the HMAC key must not be smaller than 112 in FIPS mode.
> >
> > This restriction implies that the test vectors for HMAC that have a key
> > that is smaller than 112 bits must be disabled when FIPS support is
> > compiled.
> >
> > Signed-off-by: Stephan Mueller <[email protected]>
>
> This could make sense, but the weird thing is that the HMAC code has been
> like this from the beginning, yet many companies have already gotten this
> exact same HMAC implementation FIPS-certified. What changed?

FIPS 140-3 (which is now mandatory) requires this based on SP800-131A.
>
> - Eric


Ciao
Stephan



2022-01-11 07:18:06

by Stephan Müller

[permalink] [raw]
Subject: Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

Am Samstag, 8. Januar 2022, 07:39:27 CET schrieb Stephan M?ller:

Hi,

> Am Samstag, 8. Januar 2022, 00:28:31 CET schrieb Eric Biggers:
>
> Hi Eric,
>
> > Hi Stephan,
> >
> > On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan M?ller wrote:
> > > FIPS 140 requires a minimum security strength of 112 bits. This implies
> > > that the HMAC key must not be smaller than 112 in FIPS mode.
> > >
> > > This restriction implies that the test vectors for HMAC that have a key
> > > that is smaller than 112 bits must be disabled when FIPS support is
> > > compiled.
> > >
> > > Signed-off-by: Stephan Mueller <[email protected]>
> >
> > This could make sense, but the weird thing is that the HMAC code has been
> > like this from the beginning, yet many companies have already gotten this
> > exact same HMAC implementation FIPS-certified. What changed?
>
> FIPS 140-3 (which is now mandatory) requires this based on SP800-131A.

Here are a few more details:

The requirement from FIPS 140-3 that the crypto module (aka kernel crypto API)
must provide an indicator whether the algorithm(s) in use are FIPS compliant.

If you look at various user space libraries, they make quite an effort these
days to add that "service indicator" as an API. Adding such an API to the
crypto API is not helpful.

Thus we revert to the notion of a "global service indicator" meaning that when
the kernel is booted with fips=1, all algorithms operate in FIPS mode. This
means that all non-approved algos must be technically disabled.

There have been patches from me disabling RSA < 2k and others not too long
ago. In the future, I would expect additional patches disabling the use of GCM
when invoked without seqiv or disabling dh when not used with one of the up-
and-coming FFDHE / MODP groups from Nicolai's patch set. All those patches
revolve around the same issue.

Note, for some algorithms like XTS key check we already had such technical
enforcements. This was due to the fact that FIPS 140-2 required for some
aspects technical enforcements but for some others, "procedural" coverage (aka
documentation) was sufficient.

Ciao
Stephan



2022-01-29 16:26:19

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan M?ller wrote:
>
> diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> index a253d66ba1c1..1c39d294b9ba 100644
> --- a/crypto/testmgr.h
> +++ b/crypto/testmgr.h
> @@ -5706,6 +5706,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
> .digest = "\xb6\x17\x31\x86\x55\x05\x72\x64"
> "\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
> "\x46\xbe",
> +#ifndef CONFIG_CRYPTO_FIPS
> }, {
> .key = "Jefe",
> .ksize = 4,

Please don't use ifdefs, you can instead add a fips_skip setting
just like we do for cipher test vectors.

Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2022-01-29 17:56:43

by Stephan Müller

[permalink] [raw]
Subject: Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode

Am Freitag, 28. Januar 2022, 05:46:20 CET schrieb Herbert Xu:

Hi Herbert,

> On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan M?ller wrote:
> > diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> > index a253d66ba1c1..1c39d294b9ba 100644
> > --- a/crypto/testmgr.h
> > +++ b/crypto/testmgr.h
> > @@ -5706,6 +5706,7 @@ static const struct hash_testvec
> > hmac_sha1_tv_template[] = {>
> > .digest = "\xb6\x17\x31\x86\x55\x05\x72\x64"
> >
> > "\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
> > "\x46\xbe",
> >
> > +#ifndef CONFIG_CRYPTO_FIPS
> >
> > }, {
> >
> > .key = "Jefe",
> > .ksize = 4,
>
> Please don't use ifdefs, you can instead add a fips_skip setting
> just like we do for cipher test vectors.

Thank you for the hint, will do.
>
> Thanks,


Ciao
Stephan


2022-02-02 15:14:48

by Stephan Müller

[permalink] [raw]
Subject: [PATCH v2 0/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode

Hi,

this is patch set version 2 for adding the HMAC limitation to disallow
keys < 112 bits in FIPS mode.

Version 2 changes:

As requested, instead of ifdef'ing test vectors out that violate the
constraint added with this patch set, they are compiled but disabled in
FIPS mode based on the .fips_skip flag.

The first patch adds the generic support for the fips_skip flag to
hashes / HMAC test vectors similarly to the support found for symmetric
algorithms.

The second patch uses the fips_skip flag to mark offending test vectors.

Stephan Mueller (2):
crypto: HMAC - add fips_skip support
crypto: HMAC - disallow keys < 112 bits in FIPS mode

crypto/hmac.c | 4 ++++
crypto/testmgr.c | 3 +++
crypto/testmgr.h | 11 +++++++++++
3 files changed, 18 insertions(+)

--
2.33.1




2022-02-02 21:26:09

by Stephan Müller

[permalink] [raw]
Subject: [PATCH v2 1/2] crypto: HMAC - add fips_skip support

By adding the support for the flag fips_skip, hash / HMAC test vectors
may be marked to be not applicable in FIPS mode. Such vectors are
silently skipped in FIPS mode.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/testmgr.c | 3 +++
crypto/testmgr.h | 2 ++
2 files changed, 5 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 5831d4bbc64f..26674570ea72 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1854,6 +1854,9 @@ static int __alg_test_hash(const struct hash_testvec *vecs,
}

for (i = 0; i < num_vecs; i++) {
+ if (fips_enabled && vecs[i].fips_skip)
+ continue;
+
err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
if (err)
goto out;
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index a253d66ba1c1..17b37525f289 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -33,6 +33,7 @@
* @ksize: Length of @key in bytes (0 if no key)
* @setkey_error: Expected error from setkey()
* @digest_error: Expected error from digest()
+ * @fips_skip: Skip the test vector in FIPS mode
*/
struct hash_testvec {
const char *key;
@@ -42,6 +43,7 @@ struct hash_testvec {
unsigned short ksize;
int setkey_error;
int digest_error;
+ bool fips_skip;
};

/*
--
2.33.1




2022-02-03 20:35:24

by Stephan Müller

[permalink] [raw]
Subject: [PATCH v2 2/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode

FIPS 140 requires a minimum security strength of 112 bits. This implies
that the HMAC key must not be smaller than 112 in FIPS mode.

This restriction implies that the test vectors for HMAC that have a key
that is smaller than 112 bits must be disabled when FIPS support is
compiled.

Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/hmac.c | 4 ++++
crypto/testmgr.h | 9 +++++++++
2 files changed, 13 insertions(+)

diff --git a/crypto/hmac.c b/crypto/hmac.c
index 25856aa7ccbf..3610ff0b6739 100644
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -15,6 +15,7 @@
#include <crypto/internal/hash.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
+#include <linux/fips.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
@@ -51,6 +52,9 @@ static int hmac_setkey(struct crypto_shash *parent,
SHASH_DESC_ON_STACK(shash, hash);
unsigned int i;

+ if (fips_enabled && (keylen < 112 / 8))
+ return -EINVAL;
+
shash->tfm = hash;

if (keylen > bs) {
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 17b37525f289..85ccf811f5e7 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5715,6 +5715,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
.psize = 28,
.digest = "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74"
"\x16\xd5\xf1\x84\xdf\x9c\x25\x9a\x7c\x79",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
.ksize = 20,
@@ -5804,6 +5805,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
"\x45\x69\x0f\x3a\x7e\x9e\x6d\x0f"
"\x8b\xbe\xa2\xa3\x9e\x61\x48\x00"
"\x8f\xd0\x5e\x44",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -5947,6 +5949,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
"\x6a\x04\x24\x26\x08\x95\x75\xc7"
"\x5a\x00\x3f\x08\x9d\x27\x39\x83"
"\x9d\xec\x58\xb9\x64\xec\x38\x43",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6445,6 +6448,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
"\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
"\x8e\x22\x40\xca\x5e\x69\xe2\xc7"
"\x8b\x32\x39\xec\xfa\xb2\x16\x49",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6545,6 +6549,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
"\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd"
"\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b"
"\x63\x6e\x07\x0a\x38\xbc\xe7\x37",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6640,6 +6645,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
"\x1b\x79\x86\x34\xad\x38\x68\x11"
"\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b"
"\xba\xce\x5e\x66",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6727,6 +6733,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
"\x35\x96\xbb\xb0\xda\x73\xb8\x87"
"\xc9\x17\x1f\x93\x09\x5b\x29\x4a"
"\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6818,6 +6825,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
"\x3c\xa1\x35\x08\xa9\x32\x43\xce"
"\x48\xc0\x45\xdc\x00\x7f\x26\xa2"
"\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6917,6 +6925,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
"\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
"\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83"
"\x96\x02\x75\xbe\xb4\xe6\x20\x24",
+ .fips_skip = 1,
}, {
.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
--
2.33.1




2022-02-11 18:31:55

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH v2 0/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode

On Tue, Feb 01, 2022 at 09:40:24AM +0100, Stephan M?ller wrote:
> Hi,
>
> this is patch set version 2 for adding the HMAC limitation to disallow
> keys < 112 bits in FIPS mode.
>
> Version 2 changes:
>
> As requested, instead of ifdef'ing test vectors out that violate the
> constraint added with this patch set, they are compiled but disabled in
> FIPS mode based on the .fips_skip flag.
>
> The first patch adds the generic support for the fips_skip flag to
> hashes / HMAC test vectors similarly to the support found for symmetric
> algorithms.
>
> The second patch uses the fips_skip flag to mark offending test vectors.
>
> Stephan Mueller (2):
> crypto: HMAC - add fips_skip support
> crypto: HMAC - disallow keys < 112 bits in FIPS mode
>
> crypto/hmac.c | 4 ++++
> crypto/testmgr.c | 3 +++
> crypto/testmgr.h | 11 +++++++++++
> 3 files changed, 18 insertions(+)

All applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt