[PATCH RFC] crypto/hkdf: Skip tests with keys too short in FIPS mode

[PATCH RFC] crypto/hkdf: Skip tests with keys too short in FIPS mode

[Li Tian]

FIPS mode mandates the keys to _setkey should be longer than 14 bytes.
It's up to the callers to not use keys too short.

Signed-off-by: Li Tian <litian@redhat.com>
---
 crypto/hkdf.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/crypto/hkdf.c b/crypto/hkdf.c
index 82d1b32ca6ce..73d318f3f677 100644
--- a/crypto/hkdf.c
+++ b/crypto/hkdf.c
@@ -10,6 +10,7 @@
 #include <crypto/internal/hash.h>
 #include <crypto/sha2.h>
 #include <crypto/hkdf.h>
+#include <linux/fips.h>
 #include <linux/module.h>
 
 /*
@@ -462,7 +463,12 @@ static const struct hkdf_testvec hkdf_sha512_tv[] = {
 };
 
 static int hkdf_test(const char *shash, const struct hkdf_testvec *tv)
-{	struct crypto_shash *tfm = NULL;
+{
+	/* Skip the tests with keys too short in FIPS mode */
+	if (fips_enabled && (tv->salt_size < 112 / 8))
+		return 0;
+
+	struct crypto_shash *tfm = NULL;
 	u8 *prk = NULL, *okm = NULL;
 	unsigned int prk_size;
 	const char *driver;
-- 
2.50.0

Re: [PATCH RFC] crypto/hkdf: Skip tests with keys too short in FIPS mode

[Eric Biggers]

On Fri, Dec 05, 2025 at 07:31:36PM +0800, Li Tian wrote:
> FIPS mode mandates the keys to _setkey should be longer than 14 bytes.
> It's up to the callers to not use keys too short.
> 
> Signed-off-by: Li Tian <litian@redhat.com>
> ---
>  crypto/hkdf.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/crypto/hkdf.c b/crypto/hkdf.c
> index 82d1b32ca6ce..73d318f3f677 100644
> --- a/crypto/hkdf.c
> +++ b/crypto/hkdf.c
> @@ -10,6 +10,7 @@
>  #include <crypto/internal/hash.h>
>  #include <crypto/sha2.h>
>  #include <crypto/hkdf.h>
> +#include <linux/fips.h>
>  #include <linux/module.h>
>  
>  /*
> @@ -462,7 +463,12 @@ static const struct hkdf_testvec hkdf_sha512_tv[] = {
>  };
>  
>  static int hkdf_test(const char *shash, const struct hkdf_testvec *tv)
> -{	struct crypto_shash *tfm = NULL;
> +{
> +	/* Skip the tests with keys too short in FIPS mode */
> +	if (fips_enabled && (tv->salt_size < 112 / 8))
> +		return 0;
> +

As I've explained before, in HKDF the secret is in the input keying
material, not the salt.

What problem are you trying to solve?

- Eric

Re: [PATCH RFC] crypto/hkdf: Skip tests with keys too short in FIPS mode

[Li Tian]

On Wed, Dec 10, 2025 at 6:54 AM Eric Biggers <ebiggers@kernel.org> wrote:
> What problem are you trying to solve?

Eric, as you've said "keylen < 14 check in the new version in
crypto/sha256.c." was forgotten.
IMHO, it deserves recovery in terms of FIPS. And by the time the check
is restored, the hkdf_test
cases failure will likely surface again. Hence the skipping in this proposal.

Li Tian

Re: [PATCH RFC] crypto/hkdf: Skip tests with keys too short in FIPS mode

[Eric Biggers]

On Wed, Dec 17, 2025 at 08:08:48AM +0800, Li Tian wrote:
> On Wed, Dec 10, 2025 at 6:54 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > What problem are you trying to solve?
> 
> Eric, as you've said "keylen < 14 check in the new version in
> crypto/sha256.c." was forgotten.
> IMHO, it deserves recovery in terms of FIPS. And by the time the check
> is restored, the hkdf_test
> cases failure will likely surface again. Hence the skipping in this proposal.
> 
> Li Tian

Sure, but there's no reason to consider this patch unless the incorrect
and problematic keylen check is added back in.

- Eric