From: Eric Biggers <ebiggers@kernel.org>
To: Joachim Vandersmissen <git@jvdsn.com>
Cc: linux-crypto@vger.kernel.org, simo@redhat.com
Subject: Re: FIPS requirements in lib/crypto/ APIs
Date: Thu, 18 Sep 2025 11:33:47 -0500 [thread overview]
Message-ID: <20250918163347.GB1422@quark> (raw)
In-Reply-To: <0b7ce82a-1a2f-4be9-bfa7-eaf6a5ef9b40@jvdsn.com>
On Thu, Sep 18, 2025 at 11:00:45AM -0500, Joachim Vandersmissen wrote:
> Hi Eric,
>
> I'm starting a new thread since I don't want to push the SHAKE256 thread
> off-topic too much.
>
> One simple example of a FIPS requirement that I currently don't see in
> lib/crypto/ is that HMAC keys must be at least 112 bits in length. If the
> lib/crypto/ HMAC API wants to be FIPS compliant, it must enforce that (i.e.,
> disallow HMAC computations using those small keys). It's trivial to add a
> check to __hmac_sha1_preparekey or hmac_sha1_preparekey or
> hmac_sha1_init_usingrawkey, but the API functions don't return an error
> code. How would the caller know anything is wrong? Maybe there needs to be a
> mechanism in place first to let callers know about these kinds of checks?
>
> It would be great to have your guidance since you've done so much work on
> the lib/crypto/ APIs, you obviously know the design very well.
That's misleading. First, in the approach to FIPS certification that is
currently (sort of) supported by the upstream kernel, the FIPS module
contains the entire kernel. lib/crypto/ contains kernel-internal
functions, which are *not* part of the interface of the FIPS module.
So, lib/crypto/ does *not* need to have a "FIPS compliant API".
Second, according to the document "Implementation Guidance for FIPS
140-3 and the Cryptographic Module Validation Program", HMAC with keys
shorter than 112 bits is still approved for legacy use in verifying
existing messages.
Third, HMAC is sometimes used with HKDF, where the input keying material
is passed as the *data*. The HMAC key length would be the wrong length
to check in this case.
Fourth, not every user of HMAC is the kernel is necessarily for a
"security function" of the FIPS module. Non-security functions can use
non-FIPS-approved algorithms.
Point is: lib/crypto/ is correct in allowing HMAC keys shorter than 112
bits. (And this is a lot like how lib/ also has entirely
non-FIPS-approved algorithms, like ChaCha20...) It's up to callers of
the hmac_*() functions, who have more information about the purpose for
which HMAC is actually being used, to do the check *if* they need it.
- Eric
next prev parent reply other threads:[~2025-09-18 16:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-18 16:00 FIPS requirements in lib/crypto/ APIs Joachim Vandersmissen
2025-09-18 16:33 ` Eric Biggers [this message]
2025-09-18 17:48 ` Joachim Vandersmissen
2025-09-18 18:06 ` Eric Biggers
2025-09-19 15:22 ` Theodore Ts'o
2025-09-22 13:41 ` Jeff Barnes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250918163347.GB1422@quark \
--to=ebiggers@kernel.org \
--cc=git@jvdsn.com \
--cc=linux-crypto@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox