Message-ID: <20251127032343.GA60146@sol>
Date: Wed, 26 Nov 2025 19:23:43 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Li Tian <litian@...hat.com>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-fscrypt@...r.kernel.org,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"David S . Miller" <davem@...emloft.net>,
	"Theodore Y . Ts'o" <tytso@....edu>,
	Jaegeuk Kim <jaegeuk@...nel.org>
Subject: Re: [PATCH RFC] crypto/hkdf: Fix salt length short issue in FIPS mode

On Thu, Nov 27, 2025 at 11:11:29AM +0800, Li Tian wrote:
> The error message I saw is `basic hdkf test(hmac(sha256-ni)): hkdf_extract
> failed with -22`.
> And I was looking at hmac.c that has `if (fips_enabled && (keylen < 112 /
> 8))...` So I got the impression `crypto_shash_setkey(hmac_tfm, salt,
> saltlen)` in hkdf_extract reached this failure.

112 / 8 is 14, not 32.

Also since v6.17, "hmac(sha256)" no longer uses crypto/hmac.c.  I forgot
to put the keylen < 14 check in the new version in crypto/sha256.c.
That means the test failure you're reporting was already fixed.

If you'd prefer that it be broken again, we can add the key length check
back in.  But this whole thing is just more evidence that it's incorrect
anyway, and it needs to be up to the caller to do a check if it needs
to.  In HKDF the secret is in the input keying material, not the salt.

- Eric
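
The point made in this reply, as an added example (not code from the thread or from the kernel): in HKDF-Extract the salt is the HMAC key and the input keying material is the HMAC message, so a minimum key length check inside HMAC tests the non-secret salt. The function names, the `fips_enabled` parameter and the caller-side policy are illustrative assumptions; the sample values are RFC 5869 test case 1, whose salt is 13 bytes.

```python
import hashlib
import hmac

# 112 / 8 = 14 bytes: the threshold in the hmac.c check quoted in the thread.
FIPS_MIN_HMAC_KEY_BYTES = 112 // 8

# RFC 5869 Appendix A.1 (test case 1) inputs and expected PRK for SHA-256.
RFC_IKM = bytes([0x0B] * 22)
RFC_SALT = bytes(range(0x0D))  # 00 01 ... 0c, 13 bytes
RFC_PRK = "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"


def hmac_sha256(key: bytes, msg: bytes, fips_enabled: bool = False) -> bytes:
    """HMAC-SHA256 with a model of the FIPS-mode key length check (assumed shape)."""
    if fips_enabled and len(key) < FIPS_MIN_HMAC_KEY_BYTES:
        raise ValueError("-22 (EINVAL): HMAC key shorter than 14 bytes")
    return hmac.new(key, msg, hashlib.sha256).digest()


def hkdf_extract(salt: bytes, ikm: bytes, fips_enabled: bool = False) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    The salt is the HMAC *key*; the secret IKM is the HMAC *message*.
    """
    return hmac_sha256(salt, ikm, fips_enabled)


def checked_extract(salt: bytes, ikm: bytes, min_ikm_bytes: int = 14) -> bytes:
    """Caller-side policy (hypothetical): bound the secret input, not the salt."""
    if len(ikm) < min_ikm_bytes:
        raise ValueError("input keying material too short")
    return hkdf_extract(salt, ikm)


def demo() -> dict:
    out = {"plain": hkdf_extract(RFC_SALT, RFC_IKM).hex()}
    try:
        hkdf_extract(RFC_SALT, RFC_IKM, fips_enabled=True)
        out["fips"] = "ok"
    except ValueError as exc:
        out["fips"] = str(exc)  # rejected because of the 13-byte salt
    out["caller_checked"] = checked_extract(RFC_SALT, RFC_IKM).hex()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```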
