From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org,
Stephan Mueller <smueller@chronox.de>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 09/38] crypto: drbg - Remove obsolete FIPS 140-2 continuous test
Date: Sun, 19 Apr 2026 23:33:53 -0700 [thread overview]
Message-ID: <20260420063422.324906-10-ebiggers@kernel.org> (raw)
In-Reply-To: <20260420063422.324906-1-ebiggers@kernel.org>
FIPS 140-2 required that a continuous test for repeated outputs be done
on both "Approved RNGs" and "Non-Approved RNGs".
That's apparently why crypto/drbg.c does such a test on the bytes it
pulls from get_random_bytes(), despite get_random_bytes() being a
"Non-Approved RNG" that is credited with zero entropy for FIPS purposes.
(From FIPS's point of view, the "Approved RNG" is jitterentropy.)
FIPS 140-3 "modernized" the continuous RNG test requirements. They're
now a bit more sophisticated, requiring both an "Adaptive Proportion
Test" and a "Repetition Count Test".
At the same time, FIPS 140-3 doesn't require continuous RNG tests on
"Non-Approved RNGs" if a "vetted conditioning component" is used. The
SP800-90A DRBGs are exactly such a vetted conditioning component, by
their design. (In the case of HASH_DRBG and CTR_DRBG, the derivation
function does have to be implemented. But the kernel does that.)
In other words: from FIPS 140-3's point of view, get_random_bytes()
still produces zero entropy, but the way the DRBG combines those bytes
with the jitterentropy bytes preserves all the "approved" entropy from
jitterentropy. Thus no test for get_random_bytes() is required.
Seeing as FIPS 140-2 certificates stopped being issued in 2021 in favor
of FIPS 140-3, this means this code is obsolete. Remove it.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/drbg.c | 78 ++-----------------------------------------
include/crypto/drbg.h | 2 --
2 files changed, 2 insertions(+), 78 deletions(-)
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 83cb6c1bbac0..66d7739469c6 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -203,59 +203,10 @@ static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
default:
return 32;
}
}
-/*
- * FIPS 140-2 continuous self test for the noise source
- * The test is performed on the noise source input data. Thus, the function
- * implicitly knows the size of the buffer to be equal to the security
- * strength.
- *
- * Note, this function disregards the nonce trailing the entropy data during
- * initial seeding.
- *
- * drbg->drbg_mutex must have been taken.
- *
- * @drbg DRBG handle
- * @entropy buffer of seed data to be checked
- *
- * return:
- * %true on success
- * %false when the CTRNG is not yet primed
- */
-static bool drbg_fips_continuous_test(struct drbg_state *drbg,
- const unsigned char *entropy)
- __must_hold(&drbg->drbg_mutex)
-{
- unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
-
- if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
- return true;
-
- /* skip test if we test the overall system */
- if (list_empty(&drbg->test_data.list))
- return true;
- /* only perform test in FIPS mode */
- if (!fips_enabled)
- return true;
-
- if (!drbg->fips_primed) {
- /* Priming of FIPS test */
- memcpy(drbg->prev, entropy, entropylen);
- drbg->fips_primed = true;
- /* priming: another round is needed */
- return false;
- }
- if (!memcmp(drbg->prev, entropy, entropylen))
- panic("DRBG continuous self test failed\n");
- memcpy(drbg->prev, entropy, entropylen);
-
- /* the test shall pass when the two values are not equal */
- return true;
-}
-
/******************************************************************
* CTR DRBG callback functions
******************************************************************/
#ifdef CONFIG_CRYPTO_DRBG_CTR
@@ -831,20 +782,10 @@ static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
}
return ret;
}
-static inline void drbg_get_random_bytes(struct drbg_state *drbg,
- unsigned char *entropy,
- unsigned int entropylen)
- __must_hold(&drbg->drbg_mutex)
-{
- do
- get_random_bytes(entropy, entropylen);
- while (!drbg_fips_continuous_test(drbg, entropy));
-}
-
static int drbg_seed_from_random(struct drbg_state *drbg)
__must_hold(&drbg->drbg_mutex)
{
struct drbg_string data;
LIST_HEAD(seedlist);
@@ -856,11 +797,11 @@ static int drbg_seed_from_random(struct drbg_state *drbg)
BUG_ON(entropylen > sizeof(entropy));
drbg_string_fill(&data, entropy, entropylen);
list_add_tail(&data.list, &seedlist);
- drbg_get_random_bytes(drbg, entropy, entropylen);
+ get_random_bytes(entropy, entropylen);
ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
memzero_explicit(entropy, entropylen);
return ret;
@@ -935,11 +876,11 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
/* Get seed from in-kernel /dev/urandom */
if (!rng_is_initialized())
new_seed_state = DRBG_SEED_STATE_PARTIAL;
- drbg_get_random_bytes(drbg, entropy, entropylen);
+ get_random_bytes(entropy, entropylen);
if (!drbg->jent) {
drbg_string_fill(&data1, entropy, entropylen);
pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
entropylen);
@@ -1016,15 +957,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
kfree_sensitive(drbg->scratchpadbuf);
drbg->scratchpadbuf = NULL;
drbg->reseed_ctr = 0;
drbg->d_ops = NULL;
drbg->core = NULL;
- if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
- kfree_sensitive(drbg->prev);
- drbg->prev = NULL;
- drbg->fips_primed = false;
- }
}
/*
* Allocate all sub-structures for a DRBG state.
* The DRBG state structure must already be allocated.
@@ -1086,20 +1022,10 @@ static inline int drbg_alloc_state(struct drbg_state *drbg)
goto fini;
}
drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
}
- if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
- drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
- GFP_KERNEL);
- if (!drbg->prev) {
- ret = -ENOMEM;
- goto fini;
- }
- drbg->fips_primed = false;
- }
-
return 0;
fini:
drbg->d_ops->crypto_fini(drbg);
err:
diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h
index 486aa793688e..4fafc69a8ee6 100644
--- a/include/crypto/drbg.h
+++ b/include/crypto/drbg.h
@@ -107,12 +107,10 @@ struct drbg_state {
struct scatterlist sg_in, sg_out; /* CTR mode SGLs */
enum drbg_seed_state seeded; /* DRBG fully seeded? */
unsigned long last_seed_time;
bool pr; /* Prediction resistance enabled? */
- bool fips_primed; /* Continuous test primed? */
- unsigned char *prev; /* FIPS 140-2 continuous test value */
struct crypto_rng *jent;
const struct drbg_state_ops *d_ops;
const struct drbg_core *core;
struct drbg_string test_data;
};
--
2.53.0
next prev parent reply other threads:[~2026-04-20 6:37 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 6:33 [PATCH 00/38] Fix and simplify the NIST DRBG implementation Eric Biggers
2026-04-20 6:33 ` [PATCH 01/38] crypto: drbg - Fix returning success on failure in CTR_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 02/38] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 03/38] crypto: drbg - Fix ineffective sanity check Eric Biggers
2026-04-20 6:33 ` [PATCH 04/38] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels Eric Biggers
2026-04-20 6:33 ` [PATCH 05/38] crypto: drbg - Fix the fips_enabled priority boost Eric Biggers
2026-04-20 6:33 ` [PATCH 06/38] crypto: drbg - Remove always-enabled symbol CRYPTO_DRBG_HMAC Eric Biggers
2026-04-20 6:33 ` [PATCH 07/38] crypto: drbg - Remove broken commented-out code Eric Biggers
2026-04-20 6:33 ` [PATCH 08/38] crypto: drbg - Remove unhelpful helper functions Eric Biggers
2026-04-20 6:33 ` Eric Biggers [this message]
2026-04-20 6:33 ` [PATCH 10/38] crypto: drbg - Fold include/crypto/drbg.h into crypto/drbg.c Eric Biggers
2026-04-20 6:33 ` [PATCH 11/38] crypto: drbg - Remove import of crypto_cipher functions Eric Biggers
2026-04-20 6:33 ` [PATCH 12/38] crypto: drbg - Remove support for CTR_DRBG Eric Biggers
2026-04-20 8:07 ` Geert Uytterhoeven
2026-04-20 14:40 ` Stephan Mueller
2026-04-20 17:47 ` Eric Biggers
2026-04-20 19:54 ` Stephan Mueller
2026-04-20 20:56 ` Eric Biggers
2026-04-20 20:58 ` Stephan Mueller
2026-04-20 6:33 ` [PATCH 13/38] crypto: drbg - Remove support for HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 14/38] crypto: drbg - Flatten the DRBG menu Eric Biggers
2026-04-20 6:33 ` [PATCH 15/38] crypto: testmgr - Add test for drbg_pr_hmac_sha512 Eric Biggers
2026-04-20 16:04 ` Joachim Vandersmissen
2026-04-20 17:06 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 16/38] crypto: testmgr - Update test for drbg_nopr_hmac_sha512 Eric Biggers
2026-04-20 6:34 ` [PATCH 17/38] crypto: drbg - Remove support for HMAC-SHA256 and HMAC-SHA384 Eric Biggers
2026-04-20 6:34 ` [PATCH 18/38] crypto: drbg - Simplify algorithm registration Eric Biggers
2026-04-20 6:34 ` [PATCH 19/38] crypto: drbg - De-virtualize drbg_state_ops Eric Biggers
2026-04-20 6:34 ` [PATCH 20/38] crypto: drbg - Move fixed values into constants Eric Biggers
2026-04-20 16:06 ` Joachim Vandersmissen
2026-04-20 6:34 ` [PATCH 21/38] crypto: drbg - Embed V and C into struct drbg_state Eric Biggers
2026-04-20 6:34 ` [PATCH 22/38] crypto: drbg - Use HMAC-SHA512 library API Eric Biggers
2026-04-20 6:34 ` [PATCH 23/38] crypto: drbg - Remove drbg_core Eric Biggers
2026-04-20 6:34 ` [PATCH 24/38] crypto: drbg - Install separate seed functions for pr and nopr Eric Biggers
2026-04-20 6:34 ` [PATCH 25/38] crypto: drbg - Move module aliases to end of file Eric Biggers
2026-04-20 6:34 ` [PATCH 26/38] crypto: drbg - Consolidate "instantiate" logic and remove drbg_state::C Eric Biggers
2026-04-20 6:34 ` [PATCH 27/38] crypto: drbg - Eliminate use of 'drbg_string' and lists Eric Biggers
2026-04-20 6:34 ` [PATCH 28/38] crypto: drbg - Simplify drbg_generate_long() and fold into caller Eric Biggers
2026-04-20 6:34 ` [PATCH 29/38] crypto: drbg - Put rng_alg methods in logical order Eric Biggers
2026-04-20 6:34 ` [PATCH 30/38] crypto: drbg - Fold drbg_instantiate() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 31/38] crypto: drbg - Separate "reseed" case in drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 32/38] crypto: drbg - Fold drbg_prepare_hrng() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 33/38] crypto: drbg - Simplify "uninstantiate" logic Eric Biggers
2026-04-20 6:34 ` [PATCH 34/38] crypto: drbg - Include get_random_bytes() output in additional input Eric Biggers
2026-04-20 6:34 ` [PATCH 35/38] crypto: drbg - Change DRBG_MAX_REQUESTS to 4096 Eric Biggers
2026-04-20 6:34 ` [PATCH 36/38] crypto: drbg - Remove redundant reseeding based on random.c state Eric Biggers
2026-04-20 16:48 ` Joachim Vandersmissen
2026-04-20 17:25 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 37/38] crypto: drbg - Clean up generation code Eric Biggers
2026-04-20 6:34 ` [PATCH 38/38] crypto: drbg - Clean up loop in drbg_hmac_update() Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420063422.324906-10-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox