Set standard drbg in FIPS to use HMAC SHA256 - revert previous change. Approved by lab. #415
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PlaidCat
reviewed
Jul 15, 2025
There was a problem hiding this comment.
Just git commit message comments
This is kinda how i'm used to seeing it when looking at reverts
Revert: crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
The default DRBG is the one that has the highest priority. The priority
is defined based on the order of the list drbg_cores[] where the highest
priority is given to the last entry by drbg_fill_array.
With this patch the default DRBG is switched from HMAC SHA256 to HMAC
SHA512 to support compliance with SP800-90B and SP800-90C (current
draft).
The user of the crypto API is completely unaffected by the change.
Signed-off-by: Stephan Mueller <[email protected]>
Acked-by: simo Sorce <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Could we maybe do something like this to keep our header?
I don't want to hold this up too much but we haven't really created a standard for this process
Revert: crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG
JIRA <number>
CIQ Revert
Original Author <email>
Original Commit 9b7b94683a9b9c42a743d591e48b9f51f505dd1f
Revert Reason: This changes the default DRBG back to HMAC SHA256 as more
processors have hardware acceleration for this algorithm.
Approved by the lab.
<original Message>
Signed-off-by: Jeremy Allison <[email protected]>
kinda like how we do the backports
8766d31
JIRA: INTERNAL Revert Author <[email protected]> Revert Commit 9b7b946 Revert Reason: This changes the default DRBG back to HMAC SHA256 as more processors have hardware acceleration for this algorithm. Approved by the lab. The default DRBG is the one that has the highest priority. The priority is defined based on the order of the list drbg_cores[] where the highest priority is given to the last entry by drbg_fill_array. With this patch the default DRBG is switched from HMAC SHA256 to HMAC SHA512 to support compliance with SP800-90B and SP800-90C (current draft). The user of the crypto API is completely unaffected by the change. Signed-off-by: Stephan Mueller <[email protected]> Acked-by: simo Sorce <[email protected]> Signed-off-by: Herbert Xu <[email protected]> Signed-off-by: Jeremy Allison <[email protected]>
jallisonciq
force-pushed
the
{jallison}-replace-drbg-with-256
branch
from
3a6e1bd to
7b40253
Compare
|
Updated commit message. JIRA: is marked "internal" as I didn't think we are publishing internal jira ticket numbers. |
|
We have been, its not public so its not useful to anyone other than us. |
PlaidCat
approved these changes
Jul 15, 2025
jallisonciq
merged commit 18bb3b9
into
fips-9-compliant/5.14.0-570.25.1.el9_6
4 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This changes the default DRBG back to HMAC SHA256 as more processors have hardware acceleration for this algorithm.
Approved by the lab.