From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org,
Stephan Mueller <smueller@chronox.de>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 00/38] Fix and simplify the NIST DRBG implementation
Date: Sun, 19 Apr 2026 23:33:44 -0700
Message-ID: <20260420063422.324906-1-ebiggers@kernel.org>
This series is intended to be taken through the cryptodev tree. It can
also be retrieved from:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git drbg-v1
This series fixes and greatly simplifies crypto/drbg.c, i.e. the
kernel's implementation of NIST SP800-90A. This code isn't normally
used, but it's sometimes used by people doing FIPS 140-3 certifications.
Note: this series is *not* meant to encourage using this code over
random.c. In fact, my recent commit 65b3c2f627851639 made "normal"
systems stop using this code. It's just that the reality is that this
is in the kernel tree, it's been there for many years, and people are
using it to get FIPS 140-3 certifications. As long as that's the case,
it might as well be fixed up and simplified. Another reason to simplify
this as much as possible is that for historical reasons it's accessible
to unprivileged users via AF_ALG (even though it shouldn't be). So I do
think this is a clear step forwards, regardless of level of enthusiasm
for FIPS, especially considering the massively negative diffstat.
Patches 1-5 begin with some bug fixes. Fixes for CTR_DRBG and HASH_DRBG
are included, despite that code being removed later in the series, so
that they can be backported (though that is likely unused code anyway).
Patches 6-11 do some initial cleanups.
Patches 12-17 clean up the museum of DRBG variants to just support the
HMAC-SHA512 DRBG only, dropping support for the others. This is already
the default variant, it makes sense that it's the default, and it's
probably the only one actually being used on current kernels. In any
case, supporting more than one is pretty pointless. See the patches for
more details about why it makes sense to keep using this one.
Patches 18-33 contain many more cleanups, including switching from the
crypto_shash API to the crypto library.
Patch 34 is a significant one: it starts adding 32 bytes from
get_random_bytes() to every additional input string. This is to work
around the forward secrecy bug described in Woodage & Shumow (2018)
(https://eprint.iacr.org/2018/349.pdf), and to ensure that random.c
reseeds are actually reflected in drbg.c. Of course, for FIPS 140-3
this is irrelevant, but this is the right thing to do in practice, and
it should make drbg.c quite a bit more robust in practice. (This isn't
particularly novel, either; BoringSSL does essentially this same thing.)
Patches 35-38 are some further cleanups, including some tweaks to when
the formal reseeding happens.
Note: while the primary goal of this series is to fix and simplify this
code, this series is also intended to preserve the FIPS 140-3
"certifiable" property of crypto/drbg.c. I.e. after this series, it
should still be possible to get a FIPS 140-3 certification that covers
it. In fact it should become quite a bit easier, since there will be
only one DRBG variant to worry about and the code will be much more
straightforward. If there's anything I missed, let me know.
Eric Biggers (38):
crypto: drbg - Fix returning success on failure in CTR_DRBG
crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG
crypto: drbg - Fix ineffective sanity check
crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels
crypto: drbg - Fix the fips_enabled priority boost
crypto: drbg - Remove always-enabled symbol CRYPTO_DRBG_HMAC
crypto: drbg - Remove broken commented-out code
crypto: drbg - Remove unhelpful helper functions
crypto: drbg - Remove obsolete FIPS 140-2 continuous test
crypto: drbg - Fold include/crypto/drbg.h into crypto/drbg.c
crypto: drbg - Remove import of crypto_cipher functions
crypto: drbg - Remove support for CTR_DRBG
crypto: drbg - Remove support for HASH_DRBG
crypto: drbg - Flatten the DRBG menu
crypto: testmgr - Add test for drbg_pr_hmac_sha512
crypto: testmgr - Update test for drbg_nopr_hmac_sha512
crypto: drbg - Remove support for HMAC-SHA256 and HMAC-SHA384
crypto: drbg - Simplify algorithm registration
crypto: drbg - De-virtualize drbg_state_ops
crypto: drbg - Move fixed values into constants
crypto: drbg - Embed V and C into struct drbg_state
crypto: drbg - Use HMAC-SHA512 library API
crypto: drbg - Remove drbg_core
crypto: drbg - Install separate seed functions for pr and nopr
crypto: drbg - Move module aliases to end of file
crypto: drbg - Consolidate "instantiate" logic and remove drbg_state::C
crypto: drbg - Eliminate use of 'drbg_string' and lists
crypto: drbg - Simplify drbg_generate_long() and fold into caller
crypto: drbg - Put rng_alg methods in logical order
crypto: drbg - Fold drbg_instantiate() into drbg_kcapi_seed()
crypto: drbg - Separate "reseed" case in drbg_kcapi_seed()
crypto: drbg - Fold drbg_prepare_hrng() into drbg_kcapi_seed()
crypto: drbg - Simplify "uninstantiate" logic
crypto: drbg - Include get_random_bytes() output in additional input
crypto: drbg - Change DRBG_MAX_REQUESTS to 4096
crypto: drbg - Remove redundant reseeding based on random.c state
crypto: drbg - Clean up generation code
crypto: drbg - Clean up loop in drbg_hmac_update()
Documentation/crypto/api-samples.rst | 2 +-
Documentation/crypto/userspace-if.rst | 2 +-
arch/m68k/configs/amiga_defconfig | 2 -
arch/m68k/configs/apollo_defconfig | 2 -
arch/m68k/configs/atari_defconfig | 2 -
arch/m68k/configs/bvme6000_defconfig | 2 -
arch/m68k/configs/hp300_defconfig | 2 -
arch/m68k/configs/mac_defconfig | 2 -
arch/m68k/configs/multi_defconfig | 2 -
arch/m68k/configs/mvme147_defconfig | 2 -
arch/m68k/configs/mvme16x_defconfig | 2 -
arch/m68k/configs/q40_defconfig | 2 -
arch/m68k/configs/sun3_defconfig | 2 -
arch/m68k/configs/sun3x_defconfig | 2 -
arch/mips/configs/decstation_64_defconfig | 2 -
arch/mips/configs/decstation_defconfig | 2 -
arch/mips/configs/decstation_r4k_defconfig | 2 -
crypto/Kconfig | 40 +-
crypto/df_sp80090a.c | 8 +-
crypto/drbg.c | 1800 +++--------------
crypto/testmgr.c | 143 +-
crypto/testmgr.h | 1262 ++++--------
drivers/crypto/xilinx/xilinx-trng.c | 1 -
include/crypto/df_sp80090a.h | 25 +
include/crypto/drbg.h | 263 ---
include/crypto/internal/drbg.h | 54 -
.../crypto/chacha20-s390/test-cipher.c | 1 -
27 files changed, 728 insertions(+), 2903 deletions(-)
delete mode 100644 include/crypto/drbg.h
delete mode 100644 include/crypto/internal/drbg.h
base-commit: c1f49dea2b8f335813d3b348fd39117fb8efb428
--
2.53.0
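To make the algorithm behind this series concrete, here is an added worked example (not code from the series or from crypto/drbg.c) of SP 800-90A HMAC_DRBG with HMAC-SHA512 in Python, using only the standard library's hmac and hashlib. It follows the standard's Instantiate, Update, Reseed and Generate steps and, optionally, appends fresh bytes to every additional input string before the pre-generate Update, which is the approach the cover letter describes for patch 34. Assumptions made for this example: the fresh_entropy callback is a stand-in for get_random_bytes(); the position of the fresh bytes within the additional input, the entropy-length check, the 2^19-bit per-request limit (taken from SP 800-90A, not from the kernel code) and the helper calls_until_reseed_required() are choices of this example; the reseed interval of 4096 is the DRBG_MAX_REQUESTS value quoted in the cover letter.

```python
"""HMAC_DRBG (SP 800-90A, HMAC-SHA512) with optional fresh-entropy additional input.

Added illustration, not the kernel's crypto/drbg.c.  The fresh_entropy
callback is an assumed stand-in for get_random_bytes().
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha512().digest_size   # 64 bytes per HMAC output block
SECURITY_STRENGTH = 32                  # 256 bits of entropy required to instantiate
RESEED_INTERVAL = 4096                  # generate calls before a reseed is required
                                        # (DRBG_MAX_REQUESTS in the cover letter)
MAX_REQUEST = 1 << 16                   # 2^19 bits per generate call (SP 800-90A)
FRESH_BYTES = 32                        # fresh bytes mixed into each additional input


class ReseedRequired(Exception):
    """Raised when reseed_counter exceeds RESEED_INTERVAL."""


class HmacSha512Drbg:
    def __init__(self, entropy, nonce=b"", personalization=b"", fresh_entropy=None):
        # fresh_entropy: callable(n) -> n bytes, e.g. os.urandom.  None gives the
        # plain SP 800-90A behaviour (deterministic for a given seed, as a KAT needs).
        if len(entropy) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        self._fresh = fresh_entropy
        # HMAC_DRBG_Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material)
        self._key = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, data):
        return hmac.new(self._key, data, hashlib.sha512).digest()

    def _update(self, provided_data):
        """HMAC_DRBG_Update: one round for empty input, two rounds otherwise."""
        self._key = self._hmac(self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._v)
        if not provided_data:
            return
        self._key = self._hmac(self._v + b"\x01" + provided_data)
        self._v = self._hmac(self._v)

    def reseed(self, entropy, additional_input=b""):
        """HMAC_DRBG_Reseed: fold new entropy (and optional input) into K and V."""
        if len(entropy) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        """HMAC_DRBG_Generate; fresh bytes are appended to every additional input."""
        if nbytes > MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > RESEED_INTERVAL:
            raise ReseedRequired("reseed_counter exceeded RESEED_INTERVAL")
        if self._fresh is not None:
            # Assumed layout: caller-supplied additional input, then the fresh bytes.
            additional_input = additional_input + self._fresh(FRESH_BYTES)
        if additional_input:
            self._update(additional_input)   # pre-generate update (two rounds)
        out = b""
        while len(out) < nbytes:
            self._v = self._hmac(self._v)    # each output block is the new V
            out += self._v
        self._update(additional_input)       # post-generate update
        self._reseed_counter += 1
        return out[:nbytes]

    @property
    def reseed_counter(self):
        return self._reseed_counter


def calls_until_reseed_required(drbg, limit=RESEED_INTERVAL + 8):
    """Count successful 1-byte generate calls before ReseedRequired is raised."""
    for i in range(limit):
        try:
            drbg.generate(1)
        except ReseedRequired:
            return i
    return limit


if __name__ == "__main__":
    drbg = HmacSha512Drbg(os.urandom(48), os.urandom(16), b"demo", fresh_entropy=os.urandom)
    print(drbg.generate(32).hex())
```

With fresh_entropy=None the generator is deterministic for a given entropy input, nonce and personalization string, which is exactly what a known-answer test exercises. With os.urandom passed in, two generators instantiated from identical seed material diverge on their first call, because every Generate now runs the two-round Update over data an observer of the state never sees, and the post-generate Update runs over that same data a second time.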
Thread overview (50+ messages):
2026-04-20 6:33 Eric Biggers [this message]
2026-04-20 6:33 ` [PATCH 01/38] crypto: drbg - Fix returning success on failure in CTR_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 02/38] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 03/38] crypto: drbg - Fix ineffective sanity check Eric Biggers
2026-04-20 6:33 ` [PATCH 04/38] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels Eric Biggers
2026-04-20 6:33 ` [PATCH 05/38] crypto: drbg - Fix the fips_enabled priority boost Eric Biggers
2026-04-20 6:33 ` [PATCH 06/38] crypto: drbg - Remove always-enabled symbol CRYPTO_DRBG_HMAC Eric Biggers
2026-04-20 6:33 ` [PATCH 07/38] crypto: drbg - Remove broken commented-out code Eric Biggers
2026-04-20 6:33 ` [PATCH 08/38] crypto: drbg - Remove unhelpful helper functions Eric Biggers
2026-04-20 6:33 ` [PATCH 09/38] crypto: drbg - Remove obsolete FIPS 140-2 continuous test Eric Biggers
2026-04-20 6:33 ` [PATCH 10/38] crypto: drbg - Fold include/crypto/drbg.h into crypto/drbg.c Eric Biggers
2026-04-20 6:33 ` [PATCH 11/38] crypto: drbg - Remove import of crypto_cipher functions Eric Biggers
2026-04-20 6:33 ` [PATCH 12/38] crypto: drbg - Remove support for CTR_DRBG Eric Biggers
2026-04-20 8:07 ` Geert Uytterhoeven
2026-04-20 14:40 ` Stephan Mueller
2026-04-20 17:47 ` Eric Biggers
2026-04-20 19:54 ` Stephan Mueller
2026-04-20 20:56 ` Eric Biggers
2026-04-20 20:58 ` Stephan Mueller
2026-04-20 6:33 ` [PATCH 13/38] crypto: drbg - Remove support for HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 14/38] crypto: drbg - Flatten the DRBG menu Eric Biggers
2026-04-20 6:33 ` [PATCH 15/38] crypto: testmgr - Add test for drbg_pr_hmac_sha512 Eric Biggers
2026-04-20 16:04 ` Joachim Vandersmissen
2026-04-20 17:06 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 16/38] crypto: testmgr - Update test for drbg_nopr_hmac_sha512 Eric Biggers
2026-04-20 6:34 ` [PATCH 17/38] crypto: drbg - Remove support for HMAC-SHA256 and HMAC-SHA384 Eric Biggers
2026-04-20 6:34 ` [PATCH 18/38] crypto: drbg - Simplify algorithm registration Eric Biggers
2026-04-20 6:34 ` [PATCH 19/38] crypto: drbg - De-virtualize drbg_state_ops Eric Biggers
2026-04-20 6:34 ` [PATCH 20/38] crypto: drbg - Move fixed values into constants Eric Biggers
2026-04-20 16:06 ` Joachim Vandersmissen
2026-04-20 6:34 ` [PATCH 21/38] crypto: drbg - Embed V and C into struct drbg_state Eric Biggers
2026-04-20 6:34 ` [PATCH 22/38] crypto: drbg - Use HMAC-SHA512 library API Eric Biggers
2026-04-20 6:34 ` [PATCH 23/38] crypto: drbg - Remove drbg_core Eric Biggers
2026-04-20 6:34 ` [PATCH 24/38] crypto: drbg - Install separate seed functions for pr and nopr Eric Biggers
2026-04-20 6:34 ` [PATCH 25/38] crypto: drbg - Move module aliases to end of file Eric Biggers
2026-04-20 6:34 ` [PATCH 26/38] crypto: drbg - Consolidate "instantiate" logic and remove drbg_state::C Eric Biggers
2026-04-20 6:34 ` [PATCH 27/38] crypto: drbg - Eliminate use of 'drbg_string' and lists Eric Biggers
2026-04-20 6:34 ` [PATCH 28/38] crypto: drbg - Simplify drbg_generate_long() and fold into caller Eric Biggers
2026-04-20 6:34 ` [PATCH 29/38] crypto: drbg - Put rng_alg methods in logical order Eric Biggers
2026-04-20 6:34 ` [PATCH 30/38] crypto: drbg - Fold drbg_instantiate() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 31/38] crypto: drbg - Separate "reseed" case in drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 32/38] crypto: drbg - Fold drbg_prepare_hrng() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 33/38] crypto: drbg - Simplify "uninstantiate" logic Eric Biggers
2026-04-20 6:34 ` [PATCH 34/38] crypto: drbg - Include get_random_bytes() output in additional input Eric Biggers
2026-04-20 6:34 ` [PATCH 35/38] crypto: drbg - Change DRBG_MAX_REQUESTS to 4096 Eric Biggers
2026-04-20 6:34 ` [PATCH 36/38] crypto: drbg - Remove redundant reseeding based on random.c state Eric Biggers
2026-04-20 16:48 ` Joachim Vandersmissen
2026-04-20 17:25 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 37/38] crypto: drbg - Clean up generation code Eric Biggers
2026-04-20 6:34 ` [PATCH 38/38] crypto: drbg - Clean up loop in drbg_hmac_update() Eric Biggers