Commit 7ee44f1b authored by Dimitri John Ledkov's avatar Dimitri John Ledkov Committed by Herbert Xu

crypto: drbg - ensure most preferred type is FIPS health checked

drbg supports multiple types of drbg, and multiple parameters of
each. Health check sanity only checks one drbg of a single type. One
can enable all three types of drbg. And instead of checking the most
preferred algorithm (last one wins), it is currently checking first
one instead.

Update ifdef to ensure that healthcheck prefers HMAC, over HASH, over
CTR, last one wins, like all other code and functions.

This patch updates code from 541af946 ("crypto: drbg - SP800-90A
Deterministic Random Bit Generator"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certifcation.
Signed-off-by: default avatarDimitri John Ledkov <dimitri.ledkov@canonical.com>
Reviewed-by: default avatarStephan Mueller <smueller@chronox.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent d872ca16
...@@ -2018,9 +2018,11 @@ static inline int __init drbg_healthcheck_sanity(void) ...@@ -2018,9 +2018,11 @@ static inline int __init drbg_healthcheck_sanity(void)
#ifdef CONFIG_CRYPTO_DRBG_CTR #ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
#elif defined CONFIG_CRYPTO_DRBG_HASH #endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#else #endif
#ifdef CONFIG_CRYPTO_DRBG_HMAC
drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
#endif #endif
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment