Am Samstag, 8. Januar 2022, 07:39:27 CET schrieb Stephan Müller: Hi, > Am Samstag, 8. Januar 2022, 00:28:31 CET schrieb Eric Biggers: > > Hi Eric, > > > Hi Stephan, > > > > On Fri, Jan 07, 2022 at 08:25:24PM +0100, Stephan Müller wrote: > > > FIPS 140 requires a minimum security strength of 112 bits. This implies > > > that the HMAC key must not be smaller than 112 in FIPS mode. > > > > > > This restriction implies that the test vectors for HMAC that have a key > > > that is smaller than 112 bits must be disabled when FIPS support is > > > compiled. > > > > > > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> > > > > This could make sense, but the weird thing is that the HMAC code has been > > like this from the beginning, yet many companies have already gotten this > > exact same HMAC implementation FIPS-certified. What changed? > > FIPS 140-3 (which is now mandatory) requires this based on SP800-131A. Here are a few more details: The requirement from FIPS 140-3 that the crypto module (aka kernel crypto API) must provide an indicator whether the algorithm(s) in use are FIPS compliant. If you look at various user space libraries, they make quite an effort these days to add that "service indicator" as an API. Adding such an API to the crypto API is not helpful. Thus we revert to the notion of a "global service indicator" meaning that when the kernel is booted with fips=1, all algorithms operate in FIPS mode. This means that all non-approved algos must be technically disabled. There have been patches from me disabling RSA < 2k and others not too long ago. In the future, I would expect additional patches disabling the use of GCM when invoked without seqiv or disabling dh when not used with one of the up- and-coming FFDHE / MODP groups from Nicolai's patch set. All those patches revolve around the same issue. Note, for some algorithms like XTS key check we already had such technical enforcements. This was due to the fact that FIPS 140-2 required for some aspects technical enforcements but for some others, "procedural" coverage (aka documentation) was sufficient. Ciao Stephan
