Message ID | 20231029204823.663930-1-dimitri.ledkov@canonical.com |
---|---|
State | New |
Headers |
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com> To: Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, Stephan Mueller <smueller@chronox.de> Cc: simo@redhat.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/4] crypto: drbg - ensure most preferred type is FIPS health checked Date: Sun, 29 Oct 2023 22:48:20 +0200 Message-Id: <20231029204823.663930-1-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.34.1 |
Series |
[1/4] crypto: drbg - ensure most preferred type is FIPS health checked
|
|
Commit Message
Dimitri John Ledkov
Oct. 29, 2023, 8:48 p.m. UTC
drbg supports multiple types of drbg, and multiple parameters of
each. Health check sanity only checks one drbg of a single type. One
can enable all three types of drbg. And instead of checking the most
preferred algorithm (last one wins), it is currently checking first
one instead.
Update ifdef to ensure that healthcheck prefers HMAC, over HASH, over
CTR, last one wins, like all other code and functions.
Fixes: 541af946fe ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
crypto/drbg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
On Sunday, 29 October 2023, 21:48:20 CET, Dimitri John Ledkov wrote:
Hi Dimitri,
> drbg supports multiple types of drbg, and multiple parameters of
> each. Health check sanity only checks one drbg of a single type. One
> can enable all three types of drbg. And instead of checking the most
> preferred algorithm (last one wins), it is currently checking first
> one instead.
The purpose of the sanity check is to make sure the various thresholds are effective. For this, you need "a" DRBG, no matter which one.
>
> Update ifdef to ensure that healthcheck prefers HMAC, over HASH, over
> CTR, last one wins, like all other code and functions.
I can see that this patch makes the code more consistent with the rest. Yet, I would doubt the "Fixes" indicator below is needed, though.
Anyhow:
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Ciao
Stephan
On Mon, Oct 30, 2023 at 02:05:12PM +0200, Dimitri John Ledkov wrote:
> This is v2 update of the
> https://lore.kernel.org/linux-crypto/5821221.9qqs2JS0CK@tauon.chronox.de/T/#u
> patch series.
>
> Added Review-by Stephan, and changed patch descriptions to drop Fixes:
> metadata and explicitly mention that backporting these patches to
> stable series will not bring any benefits per se (as they patch dead
> code, fips_enabled only code, that doesn't affect certification).
>
> Dimitri John Ledkov (4):
>   crypto: drbg - ensure most preferred type is FIPS health checked
>   crypto: drbg - update FIPS CTR self-checks to aes256
>   crypto: drbg - ensure drbg hmac sha512 is used in FIPS selftests
>   crypto: drbg - Remove SHA1 from drbg
>
>  crypto/drbg.c    | 40 +++++++++++++---------------------------
>  crypto/testmgr.c | 25 ++++---------------------
>  2 files changed, 17 insertions(+), 48 deletions(-)
>
> --
> 2.34.1
All applied. Thanks.
diff --git a/crypto/drbg.c b/crypto/drbg.c index ff4ebbc68e..2cce18dcfc 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -2018,9 +2018,11 @@ static inline int __init drbg_healthcheck_sanity(void) #ifdef CONFIG_CRYPTO_DRBG_CTR drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); -#elif defined CONFIG_CRYPTO_DRBG_HASH +#endif +#ifdef CONFIG_CRYPTO_DRBG_HASH drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); -#else +#endif +#ifdef CONFIG_CRYPTO_DRBG_HMAC drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); #endif
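Review bot: dropping the `#else` in drbg_healthcheck_sanity() removes the only branch that ran unconditionally, so with three independent `#ifdef` blocks a configuration that defines none of CONFIG_CRYPTO_DRBG_CTR, CONFIG_CRYPTO_DRBG_HASH or CONFIG_CRYPTO_DRBG_HMAC no longer calls drbg_convert_tfm_core() at all, and coreref and pr keep whatever they held before this block. If HMAC is meant to be always available, leaving the final "drbg_nopr_hmac_sha256" call outside any `#ifdef` would preserve the old fallback; otherwise that case deserves an explicit guard. Separately, when more than one option is set, each call overwrites the coreref and pr written by the previous one, so a short comment above the block stating the intended order (CTR, then HASH, then HMAC, last one wins) would keep a later reordering from silently changing which DRBG the sanity check exercises.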