From: Eric Biggers <ebiggers@kernel.org>
To: Li Tian <litian@redhat.com>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-fscrypt@vger.kernel.org,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	"Theodore Y . Ts'o" <tytso@mit.edu>,
	Jaegeuk Kim <jaegeuk@kernel.org>
Subject: Re: [PATCH RFC] crypto/hkdf: Fix salt length short issue in FIPS mode
Date: Wed, 26 Nov 2025 19:23:43 -0800
Message-ID: <20251127032343.GA60146@sol>
In-Reply-To: <CAHhBTWs6rWq2huD8Ech79OVOxK3v3ijU3KFFOGLQ+pr7277Vew@mail.gmail.com>

On Thu, Nov 27, 2025 at 11:11:29AM +0800, Li Tian wrote:
> The error message I saw is `basic hdkf test(hmac(sha256-ni)): hkdf_extract
> failed with -22`.
> And I was looking at hmac.c that has `if (fips_enabled && (keylen < 112 /
> 8))...` So I got the impression `crypto_shash_setkey(hmac_tfm, salt,
> saltlen)` in hkdf_extract reached this failure.

112 / 8 is 14, not 32.

Also since v6.17, "hmac(sha256)" no longer uses crypto/hmac.c.  I forgot
to put the keylen < 14 check in the new version in crypto/sha256.c.
That means the test failure you're reporting was already fixed.

If you'd prefer that it be broken again, we can add the key length check
back in.  But this whole thing is just more evidence that it's incorrect
anyway, and it needs to be up to the caller to do a check if it needs
to.  In HKDF the secret is in the input keying material, not the salt.

- Eric
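The point in the reply above, that HKDF's secret is the IKM and the salt is only the HMAC key, worked through as an added example (not code from this thread or from the kernel). It is a plain RFC 5869 HKDF in Python using the standard `hmac`/`hashlib` modules, checked against the RFC's own test vectors; `salt_rejected_by_key_check` is a constructed mirror of the quoted condition `fips_enabled && keylen < 112 / 8`, applied to the salt, to show which standard-conformant salts such a check would refuse.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC-Hash(key=salt, msg=IKM).

    The salt is the HMAC key; the secret input keying material is the
    HMAC message.  RFC 5869 defaults an absent salt to HashLen zero bytes,
    which HMAC's zero key padding makes equivalent to an empty key.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Extract-then-Expand; the salt is public, the IKM is the secret."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def salt_rejected_by_key_check(salt: bytes, fips_enabled: bool = True) -> bool:
    """Constructed mirror of the quoted HMAC setkey condition, applied to
    the salt that HKDF-Extract passes as the HMAC key.  Not kernel code."""
    return bool(fips_enabled and len(salt) < 112 // 8)


# RFC 5869 Appendix A inputs: test case 1 uses a 13 byte salt, test case 3
# uses no salt at all; both are valid HKDF and both fall under 112 / 8 = 14.
RFC_IKM = b"\x0b" * 22
RFC_SALT_TC1 = bytes(range(13))
RFC_INFO_TC1 = bytes(range(0xF0, 0xFA))
RFC_SALT_TC3 = b""

if __name__ == "__main__":
    for name, salt in (("test case 1", RFC_SALT_TC1), ("test case 3", RFC_SALT_TC3)):
        print(name, "salt", len(salt), "bytes, rejected by key-length check:",
              salt_rejected_by_key_check(salt))
```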
