* [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
@ 2022-01-07 19:25 Stephan Müller
  2022-01-07 23:28 ` Eric Biggers
  2022-01-28  4:46 ` Herbert Xu
  0 siblings, 2 replies; 10+ messages in thread
From: Stephan Müller @ 2022-01-07 19:25 UTC (permalink / raw)
  To: herbert; +Cc: linux-crypto, Niolai Stange, Simo Sorce

FIPS 140 requires a minimum security strength of 112 bits. This implies
that the HMAC key must not be smaller than 112 bits in FIPS mode.

This restriction implies that the test vectors for HMAC that have a key
that is smaller than 112 bits must be disabled when FIPS support is
compiled.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/hmac.c    |  4 ++++
 crypto/testmgr.h | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/crypto/hmac.c b/crypto/hmac.c
index 25856aa7ccbf..3610ff0b6739 100644
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -15,6 +15,7 @@
 #include <crypto/internal/hash.h>
 #include <crypto/scatterwalk.h>
 #include <linux/err.h>
+#include <linux/fips.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -51,6 +52,9 @@ static int hmac_setkey(struct crypto_shash *parent,
 	SHASH_DESC_ON_STACK(shash, hash);
 	unsigned int i;
 
+	if (fips_enabled && (keylen < 112 / 8))
+		return -EINVAL;
+
 	shash->tfm = hash;
 
 	if (keylen > bs) {
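Review bot: The new guard in hmac_setkey() uses the bare expression `112 / 8` and returns -EINVAL with nothing in the code saying why, so someone reading the source cannot tell this policy rejection from any other setkey failure. I would add a comment above the check such as `/* FIPS 140-3 / SP800-131A: HMAC keys must provide at least 112 bits of security strength */` and consider a named constant for the 14-byte minimum. The test is on key length only; it says nothing about the entropy of the key material, which remains the caller's responsibility and is worth stating in the comment. The same hunk is resent unchanged in v2 2/2, and hmac_setkey()'s body continues outside the hunk.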
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index a253d66ba1c1..1c39d294b9ba 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5706,6 +5706,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
 		.digest	= "\xb6\x17\x31\x86\x55\x05\x72\x64"
 			  "\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
 			  "\x46\xbe",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -5713,6 +5714,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
 		.psize	= 28,
 		.digest	= "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74"
 			  "\x16\xd5\xf1\x84\xdf\x9c\x25\x9a\x7c\x79",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
 		.ksize	= 20,
@@ -5789,6 +5791,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
 			"\x68\x32\x10\x7c\xd4\x9d\xf3\x3f"
 			"\x47\xb4\xb1\x16\x99\x12\xba\x4f"
 			"\x53\x68\x4b\x22",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key    = "Jefe",
 		.ksize  = 4,
@@ -5802,6 +5805,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
 			"\x45\x69\x0f\x3a\x7e\x9e\x6d\x0f"
 			"\x8b\xbe\xa2\xa3\x9e\x61\x48\x00"
 			"\x8f\xd0\x5e\x44",
+#endif
 	}, {
 		.key    = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -5936,6 +5940,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
 			  "\x99\x03\xa0\xf1\xcf\x2b\xbd\xc5"
 			  "\xba\x0a\xa3\xf3\xd9\xae\x3c\x1c"
 			  "\x7a\x3b\x16\x96\xa0\xb6\x8c\xf7",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -5945,6 +5950,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
 			  "\x6a\x04\x24\x26\x08\x95\x75\xc7"
 			  "\x5a\x00\x3f\x08\x9d\x27\x39\x83"
 			  "\x9d\xec\x58\xb9\x64\xec\x38\x43",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6432,6 +6438,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
 			  "\x82\xaa\x03\x4c\x7c\xeb\xc5\x9c"
 			  "\xfa\xea\x9e\xa9\x07\x6e\xde\x7f"
 			  "\x4a\xf1\x52\xe8\xb2\xfa\x9c\xb6",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6443,6 +6450,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
 			  "\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
 			  "\x8e\x22\x40\xca\x5e\x69\xe2\xc7"
 			  "\x8b\x32\x39\xec\xfa\xb2\x16\x49",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6530,6 +6538,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
 			  "\x03\x8b\x27\x4e\xae\xa3\xf4\xe4"
 			  "\xbe\x9d\x91\x4e\xeb\x61\xf1\x70"
 			  "\x2e\x69\x6c\x20\x3a\x12\x68\x54",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6543,6 +6552,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
 			  "\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd"
 			  "\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b"
 			  "\x63\x6e\x07\x0a\x38\xbc\xe7\x37",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6629,6 +6639,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
 			  "\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
 			  "\x98\x84\x36\x76\x41\xd8\xc5\x9a"
 			  "\xf3\xc8\x60\xf7",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6638,6 +6649,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
 			  "\x1b\x79\x86\x34\xad\x38\x68\x11"
 			  "\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b"
 			  "\xba\xce\x5e\x66",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6716,6 +6728,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
 			  "\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
 			  "\x14\x0b\xb7\x18\x5e\x12\x02\xcd"
 			  "\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6725,6 +6738,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
 			  "\x35\x96\xbb\xb0\xda\x73\xb8\x87"
 			  "\xc9\x17\x1f\x93\x09\x5b\x29\x4a"
 			  "\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6805,6 +6819,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
 			  "\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
 			  "\x20\xd3\x70\xb4\x77\x43\x13\x0e"
 			  "\x26\xac\x7e\x3d\x53\x28\x86\xbd",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6816,6 +6831,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
 			  "\x3c\xa1\x35\x08\xa9\x32\x43\xce"
 			  "\x48\xc0\x45\xdc\x00\x7f\x26\xa2"
 			  "\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6902,6 +6918,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
 			  "\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
 			  "\x3a\x66\x8f\xd3\x88\x8b\xb8\x05"
 			  "\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
+#ifndef CONFIG_CRYPTO_FIPS
 	}, {
 		.key	= "Jefe",
 		.ksize	= 4,
@@ -6915,6 +6932,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
 			  "\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
 			  "\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83"
 			  "\x96\x02\x75\xbe\xb4\xe6\x20\x24",
+#endif
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-- 
2.33.1






* Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-07 19:25 [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode Stephan Müller
@ 2022-01-07 23:28 ` Eric Biggers
  2022-01-08  6:39   ` Stephan Müller
  2022-01-28  4:46 ` Herbert Xu
  1 sibling, 1 reply; 10+ messages in thread
From: Eric Biggers @ 2022-01-07 23:28 UTC (permalink / raw)
  To: Stephan Müller; +Cc: herbert, linux-crypto, Niolai Stange, Simo Sorce

Hi Stephan,

On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote:
> FIPS 140 requires a minimum security strength of 112 bits. This implies
> that the HMAC key must not be smaller than 112 in FIPS mode.
> 
> This restriction implies that the test vectors for HMAC that have a key
> that is smaller than 112 bits must be disabled when FIPS support is
> compiled.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

This could make sense, but the weird thing is that the HMAC code has been like
this from the beginning, yet many companies have already gotten this exact same
HMAC implementation FIPS-certified.  What changed?

- Eric


* Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-07 23:28 ` Eric Biggers
@ 2022-01-08  6:39   ` Stephan Müller
  2022-01-11  7:17     ` Stephan Mueller
  0 siblings, 1 reply; 10+ messages in thread
From: Stephan Müller @ 2022-01-08  6:39 UTC (permalink / raw)
  To: Eric Biggers; +Cc: herbert, linux-crypto, Niolai Stange, Simo Sorce

Am Samstag, 8. Januar 2022, 00:28:31 CET schrieb Eric Biggers:

Hi Eric,

> Hi Stephan,
> 
> On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote:
> > FIPS 140 requires a minimum security strength of 112 bits. This implies
> > that the HMAC key must not be smaller than 112 in FIPS mode.
> > 
> > This restriction implies that the test vectors for HMAC that have a key
> > that is smaller than 112 bits must be disabled when FIPS support is
> > compiled.
> > 
> > Signed-off-by: Stephan Mueller <smueller@chronox.de>
> 
> This could make sense, but the weird thing is that the HMAC code has been
> like this from the beginning, yet many companies have already gotten this
> exact same HMAC implementation FIPS-certified.  What changed?

FIPS 140-3 (which is now mandatory) requires this based on SP800-131A.
> 
> - Eric


Ciao
Stephan




* Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-08  6:39   ` Stephan Müller
@ 2022-01-11  7:17     ` Stephan Mueller
  0 siblings, 0 replies; 10+ messages in thread
From: Stephan Mueller @ 2022-01-11  7:17 UTC (permalink / raw)
  To: Eric Biggers; +Cc: herbert, linux-crypto, Niolai Stange, Simo Sorce

Am Samstag, 8. Januar 2022, 07:39:27 CET schrieb Stephan Müller:

Hi,

> Am Samstag, 8. Januar 2022, 00:28:31 CET schrieb Eric Biggers:
> 
> Hi Eric,
> 
> > Hi Stephan,
> > 
> > On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote:
> > > FIPS 140 requires a minimum security strength of 112 bits. This implies
> > > that the HMAC key must not be smaller than 112 in FIPS mode.
> > > 
> > > This restriction implies that the test vectors for HMAC that have a key
> > > that is smaller than 112 bits must be disabled when FIPS support is
> > > compiled.
> > > 
> > > Signed-off-by: Stephan Mueller <smueller@chronox.de>
> > 
> > This could make sense, but the weird thing is that the HMAC code has been
> > like this from the beginning, yet many companies have already gotten this
> > exact same HMAC implementation FIPS-certified.  What changed?
> 
> FIPS 140-3 (which is now mandatory) requires this based on SP800-131A.

Here are a few more details:

FIPS 140-3 requires that the crypto module (aka kernel crypto API) 
must provide an indicator whether the algorithm(s) in use are FIPS compliant.

If you look at various user space libraries, they make quite an effort these 
days to add that "service indicator" as an API. Adding such an API to the 
crypto API is not helpful.

Thus we revert to the notion of a "global service indicator" meaning that when 
the kernel is booted with fips=1, all algorithms operate in FIPS mode. This 
means that all non-approved algos must be technically disabled.

There have been patches from me disabling RSA < 2k and others not too long 
ago. In the future, I would expect additional patches disabling the use of GCM 
when invoked without seqiv or disabling dh when not used with one of the up-
and-coming FFDHE / MODP groups from Nicolai's patch set. All those patches 
revolve around the same issue.

Note, for some algorithms like XTS key check we already had such technical 
enforcements. This was due to the fact that FIPS 140-2 required for some 
aspects technical enforcements but for some others, "procedural" coverage (aka 
documentation) was sufficient.

Ciao
Stephan




* Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-07 19:25 [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode Stephan Müller
  2022-01-07 23:28 ` Eric Biggers
@ 2022-01-28  4:46 ` Herbert Xu
  2022-01-28  6:05   ` Stephan Mueller
  2022-02-01  8:40   ` [PATCH v2 0/2] " Stephan Müller
  1 sibling, 2 replies; 10+ messages in thread
From: Herbert Xu @ 2022-01-28  4:46 UTC (permalink / raw)
  To: Stephan Müller; +Cc: linux-crypto, Niolai Stange, Simo Sorce

On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote:
>
> diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> index a253d66ba1c1..1c39d294b9ba 100644
> --- a/crypto/testmgr.h
> +++ b/crypto/testmgr.h
> @@ -5706,6 +5706,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
>  		.digest	= "\xb6\x17\x31\x86\x55\x05\x72\x64"
>  			  "\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
>  			  "\x46\xbe",
> +#ifndef CONFIG_CRYPTO_FIPS
>  	}, {
>  		.key	= "Jefe",
>  		.ksize	= 4,

Please don't use ifdefs, you can instead add a fips_skip setting
just like we do for cipher test vectors.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-28  4:46 ` Herbert Xu
@ 2022-01-28  6:05   ` Stephan Mueller
  2022-02-01  8:40   ` [PATCH v2 0/2] " Stephan Müller
  1 sibling, 0 replies; 10+ messages in thread
From: Stephan Mueller @ 2022-01-28  6:05 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Niolai Stange, Simo Sorce

Am Freitag, 28. Januar 2022, 05:46:20 CET schrieb Herbert Xu:

Hi Herbert,

> On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote:
> > diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> > index a253d66ba1c1..1c39d294b9ba 100644
> > --- a/crypto/testmgr.h
> > +++ b/crypto/testmgr.h
> > @@ -5706,6 +5706,7 @@ static const struct hash_testvec
> > hmac_sha1_tv_template[] = {> 
> >  		.digest	= "\xb6\x17\x31\x86\x55\x05\x72\x64"
> >  		
> >  			  "\xe2\x8b\xc0\xb6\xfb\x37\x8c\x8e\xf1"
> >  			  "\x46\xbe",
> > 
> > +#ifndef CONFIG_CRYPTO_FIPS
> > 
> >  	}, {
> >  	
> >  		.key	= "Jefe",
> >  		.ksize	= 4,
> 
> Please don't use ifdefs, you can instead add a fips_skip setting
> just like we do for cipher test vectors.

Thank you for the hint, will do.
> 
> Thanks,


Ciao
Stephan




* [PATCH v2 0/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-01-28  4:46 ` Herbert Xu
  2022-01-28  6:05   ` Stephan Mueller
@ 2022-02-01  8:40   ` Stephan Müller
  2022-02-01  8:40     ` [PATCH v2 1/2] crypto: HMAC - add fips_skip support Stephan Müller
                       ` (2 more replies)
  1 sibling, 3 replies; 10+ messages in thread
From: Stephan Müller @ 2022-02-01  8:40 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Niolai Stange, Simo Sorce

Hi,

this is patch set version 2 for adding the HMAC limitation to disallow
keys < 112 bits in FIPS mode.

Version 2 changes:

As requested, instead of ifdef'ing test vectors out that violate the
constraint added with this patch set, they are compiled but disabled in
FIPS mode based on the .fips_skip flag.

The first patch adds the generic support for the fips_skip flag to
hashes / HMAC test vectors similarly to the support found for symmetric
algorithms.

The second patch uses the fips_skip flag to mark offending test vectors.

Stephan Mueller (2):
  crypto: HMAC - add fips_skip support
  crypto: HMAC - disallow keys < 112 bits in FIPS mode

 crypto/hmac.c    |  4 ++++
 crypto/testmgr.c |  3 +++
 crypto/testmgr.h | 11 +++++++++++
 3 files changed, 18 insertions(+)

-- 
2.33.1






* [PATCH v2 1/2] crypto: HMAC - add fips_skip support
  2022-02-01  8:40   ` [PATCH v2 0/2] " Stephan Müller
@ 2022-02-01  8:40     ` Stephan Müller
  2022-02-01  8:41     ` [PATCH v2 2/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode Stephan Müller
  2022-02-11  9:34     ` [PATCH v2 0/2] " Herbert Xu
  2 siblings, 0 replies; 10+ messages in thread
From: Stephan Müller @ 2022-02-01  8:40 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Niolai Stange, Simo Sorce

By adding the support for the flag fips_skip, hash / HMAC test vectors
may be marked to be not applicable in FIPS mode. Such vectors are
silently skipped in FIPS mode.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/testmgr.c | 3 +++
 crypto/testmgr.h | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 5831d4bbc64f..26674570ea72 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1854,6 +1854,9 @@ static int __alg_test_hash(const struct hash_testvec *vecs,
 	}
 
 	for (i = 0; i < num_vecs; i++) {
+		if (fips_enabled && vecs[i].fips_skip)
+			continue;
+
 		err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
 		if (err)
 			goto out;
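Review bot: Skipping flagged vectors with a bare `continue` in the loop of __alg_test_hash() means the FIPS-mode rejection this series introduces is never exercised by the self-test: with fips_enabled set, nothing verifies that setkey actually fails for a short HMAC key. A follow-up negative check that expects setkey to fail for such vectors under fips_enabled (the struct already has a `setkey_error` field) would catch a regression that drops the guard. A short comment would also help here, e.g. `/* vector is not permitted in FIPS mode (e.g. HMAC key < 112 bits) */`. The function continues outside the hunk, so I cannot see whether later test stages need to honour fips_skip as well.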
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index a253d66ba1c1..17b37525f289 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -33,6 +33,7 @@
  * @ksize:	Length of @key in bytes (0 if no key)
  * @setkey_error: Expected error from setkey()
  * @digest_error: Expected error from digest()
+ * @fips_skip:	Skip the test vector in FIPS mode
  */
 struct hash_testvec {
 	const char *key;
@@ -42,6 +43,7 @@ struct hash_testvec {
 	unsigned short ksize;
 	int setkey_error;
 	int digest_error;
+	bool fips_skip;
 };
 
 /*
-- 
2.33.1






* [PATCH v2 2/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-02-01  8:40   ` [PATCH v2 0/2] " Stephan Müller
  2022-02-01  8:40     ` [PATCH v2 1/2] crypto: HMAC - add fips_skip support Stephan Müller
@ 2022-02-01  8:41     ` Stephan Müller
  2022-02-11  9:34     ` [PATCH v2 0/2] " Herbert Xu
  2 siblings, 0 replies; 10+ messages in thread
From: Stephan Müller @ 2022-02-01  8:41 UTC (permalink / raw)
  To: Herbert Xu; +Cc: linux-crypto, Niolai Stange, Simo Sorce

FIPS 140 requires a minimum security strength of 112 bits. This implies
that the HMAC key must not be smaller than 112 bits in FIPS mode.

This restriction implies that the test vectors for HMAC that have a key
that is smaller than 112 bits must be disabled when FIPS support is
compiled.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/hmac.c    | 4 ++++
 crypto/testmgr.h | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/crypto/hmac.c b/crypto/hmac.c
index 25856aa7ccbf..3610ff0b6739 100644
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -15,6 +15,7 @@
 #include <crypto/internal/hash.h>
 #include <crypto/scatterwalk.h>
 #include <linux/err.h>
+#include <linux/fips.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -51,6 +52,9 @@ static int hmac_setkey(struct crypto_shash *parent,
 	SHASH_DESC_ON_STACK(shash, hash);
 	unsigned int i;
 
+	if (fips_enabled && (keylen < 112 / 8))
+		return -EINVAL;
+
 	shash->tfm = hash;
 
 	if (keylen > bs) {
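Review bot: The length check lives only in the generic template's hmac_setkey(), so any HMAC provider that registers its own setkey (presumably some hardware or architecture-specific drivers do) would not pass through it and could still accept keys shorter than 14 bytes with fips_enabled set. If the intent is the global FIPS-mode guarantee described earlier in the thread, it would be worth auditing those implementations or placing the check at a point that every keyed-hash setkey call passes through. Nothing in the visible hunks confirms either way, so this needs verifying against the tree. hmac_setkey()'s body starts and ends outside the hunk.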
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 17b37525f289..85ccf811f5e7 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5715,6 +5715,7 @@ static const struct hash_testvec hmac_sha1_tv_template[] = {
 		.psize	= 28,
 		.digest	= "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74"
 			  "\x16\xd5\xf1\x84\xdf\x9c\x25\x9a\x7c\x79",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
 		.ksize	= 20,
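Review bot: The `.fips_skip = 1` marking in hmac_sha1_tv_template carries no hint of why the vector is excluded, and from the hunks alone I cannot confirm that every vector with `.ksize` below 14 in these templates is marked; an unmarked one would presumably fail the self-test under fips=1 once hmac_setkey() rejects its key. I would add `/* key shorter than 112 bits, rejected by hmac_setkey() in FIPS mode */` next to the flag and re-check the ksize of the remaining vectors. The same applies to the other eight testmgr.h hunks in this patch (sha224 through sha3_512). The commit message also still says the vectors are disabled "when FIPS support is compiled", which described the v1 #ifndef approach; with fips_skip they are skipped at run time.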
@@ -5804,6 +5805,7 @@ static const struct hash_testvec hmac_sha224_tv_template[] = {
 			"\x45\x69\x0f\x3a\x7e\x9e\x6d\x0f"
 			"\x8b\xbe\xa2\xa3\x9e\x61\x48\x00"
 			"\x8f\xd0\x5e\x44",
+		.fips_skip = 1,
 	}, {
 		.key    = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -5947,6 +5949,7 @@ static const struct hash_testvec hmac_sha256_tv_template[] = {
 			  "\x6a\x04\x24\x26\x08\x95\x75\xc7"
 			  "\x5a\x00\x3f\x08\x9d\x27\x39\x83"
 			  "\x9d\xec\x58\xb9\x64\xec\x38\x43",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6445,6 +6448,7 @@ static const struct hash_testvec hmac_sha384_tv_template[] = {
 			  "\xe4\x2e\xc3\x73\x63\x22\x44\x5e"
 			  "\x8e\x22\x40\xca\x5e\x69\xe2\xc7"
 			  "\x8b\x32\x39\xec\xfa\xb2\x16\x49",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6545,6 +6549,7 @@ static const struct hash_testvec hmac_sha512_tv_template[] = {
 			  "\x6d\x03\x4f\x65\xf8\xf0\xe6\xfd"
 			  "\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b"
 			  "\x63\x6e\x07\x0a\x38\xbc\xe7\x37",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6640,6 +6645,7 @@ static const struct hash_testvec hmac_sha3_224_tv_template[] = {
 			  "\x1b\x79\x86\x34\xad\x38\x68\x11"
 			  "\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b"
 			  "\xba\xce\x5e\x66",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6727,6 +6733,7 @@ static const struct hash_testvec hmac_sha3_256_tv_template[] = {
 			  "\x35\x96\xbb\xb0\xda\x73\xb8\x87"
 			  "\xc9\x17\x1f\x93\x09\x5b\x29\x4a"
 			  "\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6818,6 +6825,7 @@ static const struct hash_testvec hmac_sha3_384_tv_template[] = {
 			  "\x3c\xa1\x35\x08\xa9\x32\x43\xce"
 			  "\x48\xc0\x45\xdc\x00\x7f\x26\xa2"
 			  "\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
@@ -6917,6 +6925,7 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
 			  "\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
 			  "\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83"
 			  "\x96\x02\x75\xbe\xb4\xe6\x20\x24",
+		.fips_skip = 1,
 	}, {
 		.key	= "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
 			  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-- 
2.33.1






* Re: [PATCH v2 0/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode
  2022-02-01  8:40   ` [PATCH v2 0/2] " Stephan Müller
  2022-02-01  8:40     ` [PATCH v2 1/2] crypto: HMAC - add fips_skip support Stephan Müller
  2022-02-01  8:41     ` [PATCH v2 2/2] crypto: HMAC - disallow keys < 112 bits in FIPS mode Stephan Müller
@ 2022-02-11  9:34     ` Herbert Xu
  2 siblings, 0 replies; 10+ messages in thread
From: Herbert Xu @ 2022-02-11  9:34 UTC (permalink / raw)
  To: Stephan Müller; +Cc: linux-crypto, Niolai Stange, Simo Sorce

On Tue, Feb 01, 2022 at 09:40:24AM +0100, Stephan Müller wrote:
> Hi,
> 
> this is patch set version 2 for adding the HMAC limitation to disallow
> keys < 112 bits in FIPS mode.
> 
> Version 2 changes:
> 
> As requested, instead of ifdef'ing test vectors out that violate the
> constraint added with this patch set, they are compiled but disabled in
> FIPS mode based on the .fips_skip flag.
> 
> The first patch adds the generic support for the fips_skip flag to
> hashes / HMAC test vectors similarly to the support found for symmetric
> algorithms.
> 
> The second patch uses the fips_skip flag to mark offending test vectors.
> 
> Stephan Mueller (2):
>   crypto: HMAC - add fips_skip support
>   crypto: HMAC - disallow keys < 112 bits in FIPS mode
> 
>  crypto/hmac.c    |  4 ++++
>  crypto/testmgr.c |  3 +++
>  crypto/testmgr.h | 11 +++++++++++
>  3 files changed, 18 insertions(+)

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

