]> www.infradead.org Git - users/hch/misc.git/commitdiff
crypto: drbg - Remove SHA1 from drbg
authorDimitri John Ledkov <dimitri.ledkov@canonical.com>
Mon, 30 Oct 2023 12:05:16 +0000 (14:05 +0200)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 17 Nov 2023 11:16:29 +0000 (19:16 +0800)
SP800-90C 3rd draft states that SHA-1 will be removed from all
specifications, including drbg by end of 2030. Given kernels built
today will be operating past that date, start complying with upcoming
requirements.

No functional change, as SHA-256 / SHA-512 based DRBG have always been
the preferred ones.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/drbg.c
crypto/testmgr.c

index 9ac034bb23fa9124b283b0596bd40e1cd3181a85..3addce90930c3e8ba4d5a823479604d8a5ebaf95 100644 (file)
@@ -139,12 +139,6 @@ static const struct drbg_core drbg_cores[] = {
 #endif /* CONFIG_CRYPTO_DRBG_CTR */
 #ifdef CONFIG_CRYPTO_DRBG_HASH
        {
-               .flags = DRBG_HASH | DRBG_STRENGTH128,
-               .statelen = 55, /* 440 bits */
-               .blocklen_bytes = 20,
-               .cra_name = "sha1",
-               .backend_cra_name = "sha1",
-       }, {
                .flags = DRBG_HASH | DRBG_STRENGTH256,
                .statelen = 111, /* 888 bits */
                .blocklen_bytes = 48,
@@ -166,12 +160,6 @@ static const struct drbg_core drbg_cores[] = {
 #endif /* CONFIG_CRYPTO_DRBG_HASH */
 #ifdef CONFIG_CRYPTO_DRBG_HMAC
        {
-               .flags = DRBG_HMAC | DRBG_STRENGTH128,
-               .statelen = 20, /* block length of cipher */
-               .blocklen_bytes = 20,
-               .cra_name = "hmac_sha1",
-               .backend_cra_name = "hmac(sha1)",
-       }, {
                .flags = DRBG_HMAC | DRBG_STRENGTH256,
                .statelen = 48, /* block length of cipher */
                .blocklen_bytes = 48,
@@ -648,8 +636,6 @@ MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
-MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
-MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
 
 /* update function of HMAC DRBG as defined in 10.1.2.2 */
 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
@@ -768,8 +754,6 @@ MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
-MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
-MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
 
 /*
  * Increment buffer
index 15c7a3011269b71c22c96a53e9c76622bb64fef8..59f0540d442ee81d6f129693ca9235c47e90e4b5 100644 (file)
@@ -4845,14 +4845,6 @@ static const struct alg_test_desc alg_test_descs[] = {
                .suite = {
                        .drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
                }
-       }, {
-               /*
-                * There is no need to specifically test the DRBG with every
-                * backend cipher -- covered by drbg_nopr_hmac_sha256 test
-                */
-               .alg = "drbg_nopr_hmac_sha1",
-               .fips_allowed = 1,
-               .test = alg_test_null,
        }, {
                .alg = "drbg_nopr_hmac_sha256",
                .test = alg_test_drbg,
@@ -4861,7 +4853,10 @@ static const struct alg_test_desc alg_test_descs[] = {
                        .drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
                }
        }, {
-               /* covered by drbg_nopr_hmac_sha256 test */
+               /*
+                * There is no need to specifically test the DRBG with every
+                * backend cipher -- covered by drbg_nopr_hmac_sha512 test
+                */
                .alg = "drbg_nopr_hmac_sha384",
                .test = alg_test_null,
        }, {
@@ -4871,10 +4866,6 @@ static const struct alg_test_desc alg_test_descs[] = {
                .suite = {
                        .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
                }
-       }, {
-               .alg = "drbg_nopr_sha1",
-               .fips_allowed = 1,
-               .test = alg_test_null,
        }, {
                .alg = "drbg_nopr_sha256",
                .test = alg_test_drbg,
@@ -4906,10 +4897,6 @@ static const struct alg_test_desc alg_test_descs[] = {
                .alg = "drbg_pr_ctr_aes256",
                .fips_allowed = 1,
                .test = alg_test_null,
-       }, {
-               .alg = "drbg_pr_hmac_sha1",
-               .fips_allowed = 1,
-               .test = alg_test_null,
        }, {
                .alg = "drbg_pr_hmac_sha256",
                .test = alg_test_drbg,
@@ -4925,10 +4912,6 @@ static const struct alg_test_desc alg_test_descs[] = {
                .alg = "drbg_pr_hmac_sha512",
                .test = alg_test_null,
                .fips_allowed = 1,
-       }, {
-               .alg = "drbg_pr_sha1",
-               .fips_allowed = 1,
-               .test = alg_test_null,
        }, {
                .alg = "drbg_pr_sha256",
                .test = alg_test_drbg,