* [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
@ 2021-05-20 19:31 Stephan Müller
  2021-05-20 20:05 ` Simo Sorce
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Stephan Müller @ 2021-05-20 19:31 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert

The default DRBG is the one that has the highest priority. The priority
is defined based on the order of the list drbg_cores[] where the highest
priority is given to the last entry by drbg_fill_array.

With this patch the default DRBG is switched from HMAC SHA256 to HMAC
SHA512 to support compliance with SP800-90B and SP800-90C (current
draft).

The user of the crypto API is completely unaffected by the change.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/drbg.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 1b4587e0ddad..ea85d4a0fe9e 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
 		.blocklen_bytes = 48,
 		.cra_name = "hmac_sha384",
 		.backend_cra_name = "hmac(sha384)",
-	}, {
-		.flags = DRBG_HMAC | DRBG_STRENGTH256,
-		.statelen = 64, /* block length of cipher */
-		.blocklen_bytes = 64,
-		.cra_name = "hmac_sha512",
-		.backend_cra_name = "hmac(sha512)",
 	}, {
 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 		.statelen = 32, /* block length of cipher */
 		.blocklen_bytes = 32,
 		.cra_name = "hmac_sha256",
 		.backend_cra_name = "hmac(sha256)",
+	}, {
+		.flags = DRBG_HMAC | DRBG_STRENGTH256,
+		.statelen = 64, /* block length of cipher */
+		.blocklen_bytes = 64,
+		.cra_name = "hmac_sha512",
+		.backend_cra_name = "hmac(sha512)",
 	},
 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
 };
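Review bot: the comment `/* block length of cipher */` on the `.statelen = 64,` line of the moved hmac_sha512 entry is misleading for an HMAC core, where 64 is the SHA-512 output length rather than a cipher block size; since the entry is being rewritten anyway, `/* output length of the hash */` would be accurate here and on the neighbouring `.statelen = 32,` line of hmac_sha256. Because this move makes hmac_sha512 the last entry and therefore the default DRBG, it is also worth confirming that `drbg_nopr_hmac_sha512` has a real testmgr vector rather than `alg_test_null`, as the default DRBG is what FIPS-mode boot exercises.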
-- 
2.31.1

* Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
  2021-05-20 19:31 [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG Stephan Müller
@ 2021-05-20 20:05 ` Simo Sorce
  2021-05-28  7:26 ` Herbert Xu
  2021-06-24 14:30 ` Herbert Xu
  2 siblings, 0 replies; 8+ messages in thread
From: Simo Sorce @ 2021-05-20 20:05 UTC (permalink / raw)
  To: Stephan Müller, linux-crypto; +Cc: herbert

On Thu, 2021-05-20 at 21:31 +0200, Stephan Müller wrote:
> The default DRBG is the one that has the highest priority. The priority
> is defined based on the order of the list drbg_cores[] where the highest
> priority is given to the last entry by drbg_fill_array.
> 
> With this patch the default DRBG is switched from HMAC SHA256 to HMAC
> SHA512 to support compliance with SP800-90B and SP800-90C (current
> draft).
> 
> The user of the crypto API is completely unaffected by the change.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/drbg.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 1b4587e0ddad..ea85d4a0fe9e 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
>  		.blocklen_bytes = 48,
>  		.cra_name = "hmac_sha384",
>  		.backend_cra_name = "hmac(sha384)",
> -	}, {
> -		.flags = DRBG_HMAC | DRBG_STRENGTH256,
> -		.statelen = 64, /* block length of cipher */
> -		.blocklen_bytes = 64,
> -		.cra_name = "hmac_sha512",
> -		.backend_cra_name = "hmac(sha512)",
>  	}, {
>  		.flags = DRBG_HMAC | DRBG_STRENGTH256,
>  		.statelen = 32, /* block length of cipher */
>  		.blocklen_bytes = 32,
>  		.cra_name = "hmac_sha256",
>  		.backend_cra_name = "hmac(sha256)",
> +	}, {
> +		.flags = DRBG_HMAC | DRBG_STRENGTH256,
> +		.statelen = 64, /* block length of cipher */
> +		.blocklen_bytes = 64,
> +		.cra_name = "hmac_sha512",
> +		.backend_cra_name = "hmac(sha512)",
>  	},
>  #endif /* CONFIG_CRYPTO_DRBG_HMAC */
>  };

We'd like this to ease certification pains.
Acked-by: simo Sorce <simo@redhat.com>

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

* Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
  2021-05-20 19:31 [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG Stephan Müller
  2021-05-20 20:05 ` Simo Sorce
@ 2021-05-28  7:26 ` Herbert Xu
  2021-06-24 14:30 ` Herbert Xu
  2 siblings, 0 replies; 8+ messages in thread
From: Herbert Xu @ 2021-05-28  7:26 UTC (permalink / raw)
  To: Stephan Müller; +Cc: linux-crypto

On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
> The default DRBG is the one that has the highest priority. The priority
> is defined based on the order of the list drbg_cores[] where the highest
> priority is given to the last entry by drbg_fill_array.
> 
> With this patch the default DRBG is switched from HMAC SHA256 to HMAC
> SHA512 to support compliance with SP800-90B and SP800-90C (current
> draft).
> 
> The user of the crypto API is completely unaffected by the change.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/drbg.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
  2021-05-20 19:31 [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG Stephan Müller
  2021-05-20 20:05 ` Simo Sorce
  2021-05-28  7:26 ` Herbert Xu
@ 2021-06-24 14:30 ` Herbert Xu
  2021-06-24 14:54   ` Stephan Mueller
  2021-06-24 15:44   ` [PATCH] crypto: DRBG - self test for HMAC(SHA-512) Stephan Müller
  2 siblings, 2 replies; 8+ messages in thread
From: Herbert Xu @ 2021-06-24 14:30 UTC (permalink / raw)
  To: Stephan Müller; +Cc: linux-crypto, Vlad Dronov

On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 1b4587e0ddad..ea85d4a0fe9e 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
>  		.blocklen_bytes = 48,
>  		.cra_name = "hmac_sha384",
>  		.backend_cra_name = "hmac(sha384)",
> -	}, {
> -		.flags = DRBG_HMAC | DRBG_STRENGTH256,
> -		.statelen = 64, /* block length of cipher */
> -		.blocklen_bytes = 64,
> -		.cra_name = "hmac_sha512",
> -		.backend_cra_name = "hmac(sha512)",
>  	}, {
>  		.flags = DRBG_HMAC | DRBG_STRENGTH256,
>  		.statelen = 32, /* block length of cipher */
>  		.blocklen_bytes = 32,
>  		.cra_name = "hmac_sha256",
>  		.backend_cra_name = "hmac(sha256)",
> +	}, {
> +		.flags = DRBG_HMAC | DRBG_STRENGTH256,
> +		.statelen = 64, /* block length of cipher */
> +		.blocklen_bytes = 64,
> +		.cra_name = "hmac_sha512",
> +		.backend_cra_name = "hmac(sha512)",
>  	},

Hi Stephan:

I just noticed that, unlike hmac(sha256), drbg with hmac(sha512)
doesn't have a self-test.  Could you add one for it please?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH] crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
  2021-06-24 14:30 ` Herbert Xu
@ 2021-06-24 14:54   ` Stephan Mueller
  2021-06-24 15:44   ` [PATCH] crypto: DRBG - self test for HMAC(SHA-512) Stephan Müller
  1 sibling, 0 replies; 8+ messages in thread
From: Stephan Mueller @ 2021-06-24 14:54 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Vlad Dronov

On Thursday, 24.06.2021 at 22:30 +0800, Herbert Xu wrote:
> On Thu, May 20, 2021 at 09:31:11PM +0200, Stephan Müller wrote:
> > 
> > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > index 1b4587e0ddad..ea85d4a0fe9e 100644
> > --- a/crypto/drbg.c
> > +++ b/crypto/drbg.c
> > @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
> >                 .blocklen_bytes = 48,
> >                 .cra_name = "hmac_sha384",
> >                 .backend_cra_name = "hmac(sha384)",
> > -       }, {
> > -               .flags = DRBG_HMAC | DRBG_STRENGTH256,
> > -               .statelen = 64, /* block length of cipher */
> > -               .blocklen_bytes = 64,
> > -               .cra_name = "hmac_sha512",
> > -               .backend_cra_name = "hmac(sha512)",
> >         }, {
> >                 .flags = DRBG_HMAC | DRBG_STRENGTH256,
> >                 .statelen = 32, /* block length of cipher */
> >                 .blocklen_bytes = 32,
> >                 .cra_name = "hmac_sha256",
> >                 .backend_cra_name = "hmac(sha256)",
> > +       }, {
> > +               .flags = DRBG_HMAC | DRBG_STRENGTH256,
> > +               .statelen = 64, /* block length of cipher */
> > +               .blocklen_bytes = 64,
> > +               .cra_name = "hmac_sha512",
> > +               .backend_cra_name = "hmac(sha512)",
> >         },
> 
> Hi Stephan:
> 
> I just noticed that, unlike hmac(sha256), drbg with hmac(sha512)
> doesn't have a self-test.  Could you add one for it please?

Thank you very much for pointing this out. I will prepare one asap.

Thanks
Stephan
> 
> Thanks,


* [PATCH] crypto: DRBG - self test for HMAC(SHA-512)
  2021-06-24 14:30 ` Herbert Xu
  2021-06-24 14:54   ` Stephan Mueller
@ 2021-06-24 15:44   ` Stephan Müller
       [not found]     ` <CAMusb+TVdPRtDCY88kREZgWNH8XtrJS4yLkK3UJFqhXgn36raw@mail.gmail.com>
  2021-06-28  3:31     ` Herbert Xu
  1 sibling, 2 replies; 8+ messages in thread
From: Stephan Müller @ 2021-06-24 15:44 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Vlad Dronov

Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
test is to be provided.

The test vector is obtained from a successful NIST ACVP test run.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/testmgr.c |  5 ++++-
 crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 1f7f63e836ae..c978e41f11a1 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4686,8 +4686,11 @@ static const struct alg_test_desc alg_test_descs[] = {
 		.test = alg_test_null,
 	}, {
 		.alg = "drbg_nopr_hmac_sha512",
-		.test = alg_test_null,
+		.test = alg_test_drbg,
 		.fips_allowed = 1,
+		.suite = {
+			.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
+		}
 	}, {
 		.alg = "drbg_nopr_sha1",
 		.fips_allowed = 1,
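Review bot: the new `.suite = { .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template) }` member ends without a trailing comma after its closing brace, unlike `.fips_allowed = 1,` directly above it; add one so that a later field appended to this entry does not have to touch this line. The commit message should also say why only the nopr instance changes: as far as this hunk shows, the hmac(sha512) entry now has the same shape as the hmac(sha256) one, but a prediction-resistance counterpart still using `alg_test_null` would remain untested.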
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 96eb7ce9f81b..3ed6ab34ab51 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -21984,6 +21984,55 @@ static const struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
 	},
 };
 
+/* Test vector obtained during NIST ACVP testing */
+static const struct drbg_testvec drbg_nopr_hmac_sha512_tv_template[] = {
+	{
+		.entropy = (unsigned char *)
+			"\xDF\xB0\xF2\x18\xF0\x78\x07\x01\x29\xA4\x29\x26"
+			"\x2F\x8A\x34\xCB\x37\xEF\xEE\x41\xE6\x96\xF7\xFF"
+			"\x61\x47\xD3\xED\x41\x97\xEF\x64\x0C\x48\x56\x5A"
+			"\xE6\x40\x6E\x4A\x3B\x9E\x7F\xAC\x08\xEC\x25\xAE"
+			"\x0B\x51\x0E\x2C\x44\x2E\xBD\xDB\x57\xD0\x4A\x6D"
+			"\x80\x3E\x37\x0F",
+		.entropylen = 64,
+		.expected = (unsigned char *)
+			"\x48\xc6\xa8\xdb\x09\xae\xde\x5d\x8c\x77\xf3\x52"
+			"\x92\x71\xa7\xb9\x6d\x53\x6d\xa3\x73\xe3\x55\xb8"
+			"\x39\xd6\x44\x2b\xee\xcb\xe1\x32\x15\x30\xbe\x4e"
+			"\x9b\x1e\x06\xd1\x6b\xbf\xd5\x3e\xea\x7c\xf5\xaa"
+			"\x4b\x05\xb5\xd3\xa7\xb2\xc4\xfe\xe7\x1b\xda\x11"
+			"\x43\x98\x03\x70\x90\xbf\x6e\x43\x9b\xe4\x14\xef"
+			"\x71\xa3\x2a\xef\x9f\x0d\xb9\xe3\x52\xf2\x89\xc9"
+			"\x66\x9a\x60\x60\x99\x60\x62\x4c\xd6\x45\x52\x54"
+			"\xe6\x32\xb2\x1b\xd4\x48\xb5\xa6\xf9\xba\xd3\xff"
+			"\x29\xc5\x21\xe0\x91\x31\xe0\x38\x8c\x93\x0f\x3c"
+			"\x30\x7b\x53\xa3\xc0\x7f\x2d\xc1\x39\xec\x69\x0e"
+			"\xf2\x4a\x3c\x65\xcc\xed\x07\x2a\xf2\x33\x83\xdb"
+			"\x10\x74\x96\x40\xa7\xc5\x1b\xde\x81\xca\x0b\x8f"
+			"\x1e\x0a\x1a\x7a\xbf\x3c\x4a\xb8\x8c\xaf\x7b\x80"
+			"\xb7\xdc\x5d\x0f\xef\x1b\x97\x6e\x3d\x17\x23\x5a"
+			"\x31\xb9\x19\xcf\x5a\xc5\x00\x2a\xb6\xf3\x99\x34"
+			"\x65\xee\xe9\x1c\x55\xa0\x3b\x07\x60\xc9\xc4\xe4"
+			"\xf7\x57\x5c\x34\x9f\xc6\x31\x30\x3f\x23\xb2\x89"
+			"\xc0\xe7\x50\xf3\xde\x59\xd1\x0e\xb3\x0f\x78\xcc"
+			"\x7e\x54\x5e\x61\xf6\x86\x3d\xb3\x11\x94\x36\x3e"
+			"\x61\x5c\x48\x99\xf6\x7b\x02\x9a\xdc\x6a\x28\xe6"
+			"\xd1\xa7\xd1\xa3",
+		.expectedlen = 256,
+		.addtla = (unsigned char *)
+			"\x6B\x0F\x4A\x48\x0B\x12\x85\xE4\x72\x23\x7F\x7F"
+			"\x94\x7C\x24\x69\x14\x9F\xDC\x72\xA6\x33\xAD\x3C"
+			"\x8C\x72\xC1\x88\x49\x59\x82\xC5",
+		.addtlb = (unsigned char *)
+			"\xC4\xAF\x36\x3D\xB8\x5D\x9D\xFA\x92\xF5\xC3\x3C"
+			"\x2D\x1E\x22\x2A\xBD\x8B\x05\x6F\xA3\xFC\xBF\x16"
+			"\xED\xAA\x75\x8D\x73\x9A\xF6\xEC",
+		.addtllen = 32,
+		.pers = NULL,
+		.perslen = 0,
+	}
+};
+
 static const struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
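Review bot: `.expected` is written in lowercase hex while `.entropy`, `.addtla` and `.addtlb` are uppercase; normalise to one case so the vector matches the surrounding templates and can be checked byte by byte against the ACVP response. The `/* Test vector obtained during NIST ACVP testing */` comment would be more useful if it recorded what the struct alone does not make explicit: 64 bytes of entropy input plus nonce in `.entropy`, no personalization string (`.pers = NULL`), two 32-byte additional inputs (one per generate call), and 256 bytes of output compared against the second call.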
-- 
2.31.1
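As an added illustration of what the testmgr entry above checks (example code written here, not kernel code): a straight SP 800-90A HMAC_DRBG in Python replays the vector from the testmgr.h hunk. The call sequence, instantiate from `.entropy`, generate with `.addtla`, generate with `.addtlb` and compare only the second output, is my reading of `drbg_cavs_test()` in crypto/testmgr.c and therefore an assumption; the names `_upd`, `instantiate`, `generate` and `run_kernel_nopr_vector` are my own.

```python
import hmac
import hashlib
# Constructed from the drbg_nopr_hmac_sha512_tv_template hunk above (.pers is NULL).
ENTROPY = bytes.fromhex(
    "DFB0F218F078070129A429262F8A34CB37EFEE41E696F7FF6147D3ED4197EF64"
    "0C48565AE6406E4A3B9E7FAC08EC25AE0B510E2C442EBDDB57D04A6D803E370F")
ADDTLA = bytes.fromhex("6B0F4A480B1285E472237F7F947C2469149FDC72A633AD3C8C72C188495982C5")
ADDTLB = bytes.fromhex("C4AF363DB85D9DFA92F5C33C2D1E222ABD8B056FA3FCBF16EDAA758D739AF6EC")
EXPECTED = bytes.fromhex(
    "48c6a8db09aede5d8c77f3529271a7b96d536da373e355b8"
    "39d6442beecbe1321530be4e9b1e06d16bbfd53eea7cf5aa"
    "4b05b5d3a7b2c4fee71bda114398037090bf6e439be414ef"
    "71a32aef9f0db9e352f289c9669a60609960624cd6455254"
    "e632b21bd448b5a6f9bad3ff29c521e09131e0388c930f3c"
    "307b53a3c07f2dc139ec690ef24a3c65cced072af23383db"
    "10749640a7c51bde81ca0b8f1e0a1a7abf3c4ab88caf7b80"
    "b7dc5d0fef1b976e3d17235a31b919cf5ac5002ab6f39934"
    "65eee91c55a03b0760c9c4e4f7575c349fc631303f23b289"
    "c0e750f3de59d10eb30f78cc7e545e61f6863db31194363e"
    "615c4899f67b029adc6a28e6d1a7d1a3")


def _upd(K, V, provided):
    # HMAC_DRBG_Update, SP 800-90A 10.1.2.2: second round only if provided_data
    K = hmac.new(K, V + b"\x00" + provided, hashlib.sha512).digest()
    V = hmac.new(K, V, hashlib.sha512).digest()
    if provided:
        K = hmac.new(K, V + b"\x01" + provided, hashlib.sha512).digest()
        V = hmac.new(K, V, hashlib.sha512).digest()
    return K, V


def instantiate(seed_material):  # 10.1.2.3: Key = 0x00.., V = 0x01.., then Update
    return _upd(b"\x00" * 64, b"\x01" * 64, seed_material)


def generate(state, nbytes, addtl=b""):
    # 10.1.2.5: addtl is mixed in before (step 2) and after (step 6) the output
    K, V = _upd(*state, addtl) if addtl else state
    out = b""
    while len(out) < nbytes:
        V = hmac.new(K, V, hashlib.sha512).digest()
        out += V
    return _upd(K, V, addtl), out[:nbytes]


def run_kernel_nopr_vector():
    # Sequence assumed from drbg_cavs_test() in crypto/testmgr.c: instantiate
    # from .entropy, generate with .addtla (discarded), generate with .addtlb.
    state = instantiate(ENTROPY)
    state, _ = generate(state, len(EXPECTED), ADDTLA)
    _, out = generate(state, len(EXPECTED), ADDTLB)
    return out == EXPECTED
```

`run_kernel_nopr_vector()` returns True only when every detail lines up: the 0x00/0x01 round separators, the single-round Update for empty input, and the step-6 Update after output; getting any of them wrong silently changes the stream, which is exactly what the kernel self-test exists to catch.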

* Re: [PATCH] crypto: DRBG - self test for HMAC(SHA-512)
       [not found]     ` <CAMusb+TVdPRtDCY88kREZgWNH8XtrJS4yLkK3UJFqhXgn36raw@mail.gmail.com>
@ 2021-06-24 20:56       ` Vlad Dronov
  0 siblings, 0 replies; 8+ messages in thread
From: Vlad Dronov @ 2021-06-24 20:56 UTC (permalink / raw)
  To: Stephan Müller; +Cc: Herbert Xu, linux-crypto

Hello, Stephan, Herbert,

Thank you for posting this patch. I would like to confirm that it
fixes the issue in RHEL8, i.e. the RHEL8 kernel boots up in FIPS mode
with your patch.

Herbert, could you please consider adding this patch to your cryptodev-2.6.git?

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

On Thu, Jun 24, 2021 at 5:44 PM Stephan Müller <smueller@chronox.de> wrote:
>
> Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
> test is to be provided.
>
> The test vector is obtained from a successful NIST ACVP test run.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/testmgr.c |  5 ++++-
>  crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 53 insertions(+), 1 deletion(-)
>
>  ...


* Re: [PATCH] crypto: DRBG - self test for HMAC(SHA-512)
  2021-06-24 15:44   ` [PATCH] crypto: DRBG - self test for HMAC(SHA-512) Stephan Müller
       [not found]     ` <CAMusb+TVdPRtDCY88kREZgWNH8XtrJS4yLkK3UJFqhXgn36raw@mail.gmail.com>
@ 2021-06-28  3:31     ` Herbert Xu
  1 sibling, 0 replies; 8+ messages in thread
From: Herbert Xu @ 2021-06-28  3:31 UTC (permalink / raw)
  To: Stephan Müller; +Cc: linux-crypto, Vlad Dronov

On Thu, Jun 24, 2021 at 05:44:35PM +0200, Stephan Müller wrote:
> Considering that the HMAC(SHA-512) DRBG is the default DRBG now, a self
> test is to be provided.
> 
> The test vector is obtained from a successful NIST ACVP test run.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/testmgr.c |  5 ++++-
>  crypto/testmgr.h | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 53 insertions(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

