<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/crypto/testmgr.c, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-17T07:17:00+00:00</updated>
<entry>
<title>Merge tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next</title>
<updated>2026-06-17T07:17:00+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-17T07:17:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b85966adbf5de0668a815c6e3527f87e0c387fb4'/>
<id>urn:sha1:b85966adbf5de0668a815c6e3527f87e0c387fb4</id>
<content type='text'>
Pull networking updates from Jakub Kicinski:
 "Core &amp; protocols:

   - Work on removing rtnl_lock protection throughout the stack
     continues. In this chapter:
       - don't use rtnl_lock for IPv6 multicast routing configuration
       - don't take rtnl_lock in ethtool for modern drivers
       - prepare Qdisc dump callbacks for rtnl_lock removal

   - Support dumping just ifindex + name of all interfaces, under RCU.
     It's a common operation for Netlink CLI tools (when translating
     names to ifindexes) and previously required full rtnl_lock.

   - Support dumping qdiscs and page pools for a specific netdev. Even
     tho user space wants a dump of all netdevs, most of the time, the
     OOO programming model results in repeating the dump for each
     netdev. Which, in absence of a cache, leads to a O(n^2) behavior.

   - Flush nexthops once on multi-nexthop removal (e.g. when device goes
     down), another O(n^2) -&gt; O(n) improvement.

   - Rehash locally generated traffic to a different nexthop on
     retransmit timeout.

   - Honor oif when choosing nexthop for locally generated IPv6 traffic.

   - Convert TCP Auth Option to crypto library, and drop non-RFC algos.

   - Increase subflow limits in MPTCP to 64 and endpoint limit to 256.

   - Support MPTCP signaling of IPv6 address + port (ADD_ADDR). We need
     to selectively skip reporting of the standard TCP Timestamp option,
     because they won't fit into the header space together (12 + 30 &gt;
     40).

   - Support using bridge neighbor suppression, Duplicate Address
     Detection, Gratuitous ARP and unsolicited NA forwarding - in EVPN
     deployments, e.g. VXLAN fabrics (IPv4 and IPv6).

   - Improve link state reporting for upper netdevs (e.g. macvlan) over
     tunnel devices (again, mostly for EVPN deployments).

   - Support binding GENEVE tunnels to a local address.

   - Speed up UDP tunnel destruction (remove one synchronize_rcu()).

   - Support exponential field encoding in multicast (IGMPv3 and MLDv2).

   - Support attaching PSP crypto offload to containers (veth, netkit).

   - Add a new IPSec Netlink message XFRM_MSG_MIGRATE_STATE that allows
     migrating individual IPsec SAs independently of their policies.

     The existing XFRM_MSG_MIGRATE is tightly coupled to policy+SA
     migration, lacks SPI for unique SA identification, and cannot
     express reqid changes or migrate Transport mode selectors.

     The new interface identifies the SA via SPI and mark, supports
     reqid changes, address family changes, encap removal, and uses an
     atomic create+install flow under x-&gt;lock to prevent SN/IV reuse
     during AEAD SA migration.

   - Implement GRO/GSO support for PPPoE.

   - Convert sockopt callbacks in a number of protocols to iov_iter.

  Cross-tree stuff:

   - Remove support for Crypto TFM cloning (unblocked after the TCP Auth
     Option rework). This feature regressed performance for all crypto
     API users, since it changed crypto transformation objects into
     reference-counted objects.

   - Add FCrypt-PCBC implementation to rxrpc and remove it from the
     global crypto API as obsolete and insecure.

  Wireless:

   - Major rework of station bandwidth handling, fixing issues with
     lower capability than AP.

   - Cleanups for EMLSR spec issues (drafts differed).

   - More Neighbor Awareness Networking (Wi-Fi Aware) work (multicast,
     schedule improvements, multi-station etc.)

   - Some Ultra High Reliability (UHR) / IEEE 802.11bn (D1.4) work
     (e.g. non-primary channel access, UHR DBE support).

   - Fine Timing Measurement ranging (i.e. distance measurement) APIs.

  Netfilter:

   - Use per-rule hash initval in nf_conncount. This avoids unnecessary
     lock contention with short keys (e.g. conntrack zones) in different
     namespaces.

   - Various safety improvements, both in packet parsing and object
     lifetimes. Notably add refcounts to conntrack timeout policy.

  Deletions:

   - Remove TLS + sockmap integration. TLS wants to pin user pages to
     avoid a copy, and sockmap wants to write to the input stream. More
     work on this integration is clearly needed, and we can't find any
     users (original author admitted that they never deployed it).

   - Remove support for TLS offload with TCP Offload Engine (the far
     more common opportunistic offload is retained). The locking looks
     unfixable (driver sleeps under TCP spin locks) and people from the
     vendor that added this are AWOL.

   - Remove more ATM code, trying to leave behind only what PPPoATM
     needs, AAL5 and br2684 with permanent circuits.

   - Remove AppleTalk. Let it join hamradio in our out of tree protocol
     graveyard, I mean, repository.

   - Disable 32-bit x_tables compatibility (32bit binaries on 64bit
     kernel) interface in user namespaces. To be deleted completely,
     soon.

   - Remove 5/10 MHz support from cfg80211/mac80211.

  Drivers:

   - Software:
       - Support DEVMEM/DMABUF Tx over NETMEM_TX_NO_DMA devices (netkit)
       - bonding: add knob to strictly follow 802.3ad for link state

   - New drivers:
       - Alibaba Elastic Ethernet Adaptor (cloud vNIC).
       - NXP NETC switch within i.MX94.

   - DPLL:
       - Add operational state to pins (implement in zl3073x).
       - Add generic DPLL type, for daisy-chaining DPLLs (implement in ice).

   - Ethernet high-speed NICs:
       - Huawei (hinic3):
           - enhance tc flow offload support with queue selection,
             tunnels
       - nVidia/Mellanox:
           - avoid over-copying payload to the skb's linear part (up to
             60% win for LRO on slow CPUs like ARM64 V2)
           - expose more per-queue stats over the standard API
           - support additional, unprivileged PFs in the DPU
             configuration
           - support Socket Direct (multi-PF) with switchdev offloads
           - add a pool / frag allocator for DMA mapped buffers for
             control objects, save memory on systems with 64kB page size
           - take advantage of the ability to dynamically change RSS
             table size, even when table is configured by the user
           - increase the max RSS table size for even traffic
             distribution

   - Ethernet NICs:
       - Marvell/Aquantia:
           - AQC113 PTP support
       - Realtek USB (r8152):
           - support 10Gbit Link Speeds and Energy-Efficient Ethernet
             (EEE)
           - support firmware loaded (for RTL8157/RTL8159)
           - support for the RTL8159
       - Intel (ixgbe):
           - support Energy-Efficient Ethernet (EEE) on E610 devices

   - Ethernet switches:
       - Airoha:
           - support multiple netdevs on a single GDM block / port
       - Marvell (mv88e6xxx):
           - support SERDES of mv88e6321
       - Microchip (ksz8/9):
           - rework the driver callbacks to remove one indirection layer
       - Motorcomm (yt921x):
           - support port rate policing
           - support TBF qdisc offload
           - support ACL/flower offload
       - nVidia/Mellanox:
           - expose per-PG rx_discards
       - Realtek:
           - rtl8365mb: bridge offloading and VLAN support

   - Ethernet PHYs:
       - Airoha:
           - support Airoha AN8801R Gigabit PHYs.
       - Micrel:
           - implement 3 low-loss cable tunables
       - Realtek:
           - support MDI swapping for RTL8226-CG
           - support MDIO for RTL931x
       - Qualcomm:
           - at803x: Rx and Tx clock management for IPQ5018 PHY
       - Motorcomm:
           - support YT8522 100M RMII PHY
           - set drive strength in YT8531s RGMII
       - TI:
           - dp83822: add optional external PHY clock

   - Bluetooth:
       - hci_sync: add support for HCI_LE_Set_Host_Feature [v2]
       - SMP: use AES-CMAC library API
       - Intel:
           - support Product level reset
           - support smart trigger dump
       - Mediatek:
           - add event filter to filter specific event
       - Realtek:
           - fix RTL8761B/BU broken LE extended scan

   - WiFi:
       - Broadcom (b43):
           - new support for a 11n device
       - MediaTek (mt76):
           - support mt7927
           - mt792x: broken usb transport detection
           - mt7921: regulatory improvements
       - Qualcomm (ath9k):
           - GPIO interface improvements
       - Qualcomm (ath12k):
           - WDS support
           - replace dynamic memory allocation in WMI Rx path
           - thermal throttling/cooling device support
           - 6 GHz incumbent interference detection
           - channel 177 in 5 GHz
       - Realtek (rt89):
           - RTL8922AU support
           - USB 3 mode switch for performance
           - better monitor radiotap support
           - RTL8922DE preparations"

* tag 'net-next-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (1778 commits)
  ipv4: fib_rule: Move fib4_rules_exit() to -&gt;exit().
  net: serialize netif_running() check in enqueue_to_backlog()
  net: skmsg: preserve sg.copy across SG transforms
  appletalk: move the protocol out of tree
  appletalk: stop storing per-interface state in struct net_device
  selftests/bpf: test that TLS crypto is rejected on a sockmap socket
  selftests/bpf: drop the unused kTLS program from test_sockmap
  selftests/bpf: remove sockmap + ktls tests
  tls: remove dead sockmap (psock) handling from the SW path
  tls: reject the combination of TLS and sockmap
  atm: remove orphaned uAPI for deleted drivers, protocols and SVCs
  atm: remove unused ATM PHY operations
  atm: remove the unused pre_send and send_bh device operations
  atm: remove the unused change_qos device operation
  atm: remove SVC socket support and the signaling daemon interface
  atm: remove the local ATM (NSAP) address registry
  atm: remove dead SONET PHY ioctls
  atm: remove the unused send_oam / push_oam callbacks
  atm: remove AAL3/4 transport support
  net: dsa: sja1105: fix lastused timestamp in flower stats
  ...
</content>
</entry>
<entry>
<title>crypto: testmgr - allow authenc(hmac(sha{256,384}),cts(cbc(aes))) in FIPS mode</title>
<updated>2026-06-12T01:56:45+00:00</updated>
<author>
<name>Ilya Dryomov</name>
<email>idryomov@gmail.com</email>
</author>
<published>2026-06-03T15:50:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6b7e97752854b1f7bccc41864428ea3b55c53cde'/>
<id>urn:sha1:6b7e97752854b1f7bccc41864428ea3b55c53cde</id>
<content type='text'>
hmac(sha256), hmac(sha384) and cts(cbc(aes)) algorithms have been
marked as FIPS allowed for years.  Mark the respective authenc()
constructions per RFC 8009 ("AES Encryption with HMAC-SHA2 for
Kerberos 5") as such as well.

SP 800-57 Part 3 Rev. 1 from Jan 2015 [1] links the draft of what
became RFC 8009 in Oct 2016 as approved in section 6.3 Procurement
Guidance (item/recommendation 3).

[1] https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final

Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
Reviewed-by: Viacheslav Dubeyko &lt;Slava.Dubeyko@ibm.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: fcrypt - Remove support for FCrypt block cipher</title>
<updated>2026-06-10T00:03:03+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-22T05:07:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=374efbdc85d027814f6b26a8d641dc062f9017c0'/>
<id>urn:sha1:374efbdc85d027814f6b26a8d641dc062f9017c0</id>
<content type='text'>
Remove the insecure FCrypt block cipher from the crypto API.  Its only
user was net/rxrpc/, but now net/rxrpc/ implements it locally.  The
crypto API implementation is no longer needed.

For some additional context: FCrypt was designed in 1988 and is
essentially a weakened version of DES.  It has the same 56-bit key size
as DES, which is easily brute forced.  Moreover, it's cryptographically
weak and doesn't even provide the intended 56-bit security level.  Its
author considers it to be a mistake, as well
(https://lists.openafs.org/pipermail/openafs-devel/2000-December/005320.html).

But fortunately this 1980s-era homebrew block cipher was never adopted
outside of net/rxrpc/.  So its code can just be kept there.

Acked-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt; # m68k
Acked-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Tested-by: Marc Dionne &lt;marc.dionne@auristor.com&gt;
Link: https://patch.msgid.link/20260522050740.84561-5-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Remove support for "prediction resistance"</title>
<updated>2026-05-15T10:08:47+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-06T00:02:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bd13e630f9d03510012f1a530f08e9cf533e946a'/>
<id>urn:sha1:bd13e630f9d03510012f1a530f08e9cf533e946a</id>
<content type='text'>
"Prediction resistance", i.e. the property that the RNG's output is
unpredictable even after a state compromise, might sound like a nice
property to have.  In reality, it's not very practical, as it requires
that fresh entropy be pulled on every request.  (The normal Linux RNG
doesn't provide prediction resistance.)  In the case of drbg.c, that
means pulling from "jitterentropy", which is extremely slow.

For some perspective, running a simple benchmark, generating 32 random
bytes takes the following amount of time:

    get_random_bytes(): 90 ns
    drbg_nopr_hmac_sha512: 3707 ns
    drbg_pr_hmac_sha512: 773082 ns

So at least in this case, the "pr" (prediction-resistant) DRBG is over
200 times slower than the "nopr" (non-prediction-resistant) DRBG, or
over 8000 times slower than the normal Linux RNG.  While anyone using
drbg.c has always had to tolerate that it's slower than the normal Linux
RNG, the "pr" DRBG is clearly at another level of slowness.

Thus, the following is also entirely unsurprising:

  - FIPS 140-3 doesn't actually require that SP800-90A DRBG
    implementations support prediction resistance.  The non-prediction
    resistant DRBGs can be, and have been, certified.

  - drbg.c registers "drbg_nopr_hmac_sha512" with a higher cra_priority
    than "drbg_pr_hmac_sha512".  So "drbg_nopr_hmac_sha512" is already
    the one actually being used in practice.

Given these considerations, it's clear that "drbg_pr_hmac_sha512" isn't
actually useful, and it essentially just existed as another curiosity in
the museum of crypto algorithms.  Remove it to simplify the code.

Suggested-by: Joachim Vandersmissen &lt;joachim@jvdsn.com&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: testmgr - disallow RSA PKCS#1 SHA-1 sig algs in FIPS mode</title>
<updated>2026-05-07T08:10:02+00:00</updated>
<author>
<name>Jeff Barnes</name>
<email>jeffbarnes@linux.microsoft.com</email>
</author>
<published>2026-04-23T15:21:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=76d2e560c76dabbf9f31f4311069e68610d1ac18'/>
<id>urn:sha1:76d2e560c76dabbf9f31f4311069e68610d1ac18</id>
<content type='text'>
When booted with fips=1, RSA signature generation using SHA-1 must not be
available.  However, pkcs1pad(rsa,sha1) can currently be instantiated
because it is not present in alg_test_descs; alg_test() falls through the
no_test path and succeeds, after which the algorithm appears in
/proc/crypto as fips-capable.

Add explicit alg_test_descs entries for pkcs1pad(rsa,sha1) and
pkcs1(rsa,sha1) without marking them fips_allowed, so they are treated as
not FIPS-allowed when fips=1 is enabled.

Include both names to cover kernels where RSA sign/verify is provided via
the pkcs1(...) signature template, while pkcs1pad(...) remains for the
traditional wrapper naming and/or RSAES operations.

Signed-off-by: Jeff Barnes &lt;jeffbarnes@linux.microsoft.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Remove support for HMAC-SHA256 and HMAC-SHA384</title>
<updated>2026-05-07T08:10:00+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=89cfd38c788e9d8a2d05d1487c4513043e6d46a2'/>
<id>urn:sha1:89cfd38c788e9d8a2d05d1487c4513043e6d46a2</id>
<content type='text'>
Remove support for the HMAC-SHA256 and HMAC-SHA384 variants of
HMAC_DRBG, leaving only the HMAC-SHA512 variant of HMAC_DRBG.

HMAC-SHA512 is already the default.  The default did used to be
HMAC-SHA256, but several years ago it was upgraded to HMAC-SHA512 "to
support compliance with SP800-90B and SP800-90C".  Given that the point
of crypto/drbg.c is compliance with those standards, and there's also no
technical reason to prefer HMAC-SHA384 in this situation even if
acceptable, there's really no point in offering anything else.

Note: now that only HMAC-SHA512 remains, a lot of unnecessary
abstractions can be removed.  A later commit will do that.  This commit
just straightforwardly removes the HMAC-SHA256 and HMAC-SHA384 code.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: testmgr - Update test for drbg_nopr_hmac_sha512</title>
<updated>2026-05-07T08:10:00+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8237a5f626a2fdfbc8325c4ab672b4e04f564619'/>
<id>urn:sha1:8237a5f626a2fdfbc8325c4ab672b4e04f564619</id>
<content type='text'>
Synchronize the drbg_nopr_hmac_sha512 test vector with the first test
vector from the latest ACVP json files, so that both of the DRBG test
vectors are pulled from a consistent source.

Note that the new test vector has a nonempty personalization string.
That should be helpful as well: Some FIPS labs require this, due to
their interpretation of SP800-90A 11.3.2 which says that a
"representative" value of the personalization string must be tested.

It also now does an explicit reseed, which makes it clearer that the
requirement to test "Reseed" is met, without having to interpret the
additional input processing as covering that.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: testmgr - Add test for drbg_pr_hmac_sha512</title>
<updated>2026-05-07T08:10:00+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:33:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ca952c7504707495ab8cf2fdd958ee10cf41f48f'/>
<id>urn:sha1:ca952c7504707495ab8cf2fdd958ee10cf41f48f</id>
<content type='text'>
Add a test for drbg_pr_hmac_sha512, which previously didn't have a test.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Remove support for HASH_DRBG</title>
<updated>2026-05-07T08:10:00+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:33:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e227be3ffde0ec8063c9967062a43237a5545581'/>
<id>urn:sha1:e227be3ffde0ec8063c9967062a43237a5545581</id>
<content type='text'>
Remove the support for HASH_DRBG.  It's likely unused code, seeing as
HMAC_DRBG is always enabled and prioritized over it unless
NETLINK_CRYPTO is used to change the algorithm priorities.

There's also no compelling reason to support more than one of
[HMAC_DRBG, HASH_DRBG, CTR_DRBG].  By definition, callers cannot tell
any difference in their outputs.  And all are FIPS-certifiable, which is
the only point of the kernel's NIST DRBGs anyway.

Switching to HASH_DRBG doesn't seem all that compelling, either.  For
one, it's more complex than HMAC_DRBG.

Thus, let's just drop HASH_DRBG support and focus on HMAC_DRBG.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Acked-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt; # m68k
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Remove support for CTR_DRBG</title>
<updated>2026-05-07T08:10:00+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:33:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6f88f41eeb7d4ef34e4ddb133d10779a316da67f'/>
<id>urn:sha1:6f88f41eeb7d4ef34e4ddb133d10779a316da67f</id>
<content type='text'>
Remove the support for CTR_DRBG.  It's likely unused code, seeing as
HMAC_DRBG is always enabled and prioritized over it unless
NETLINK_CRYPTO is used to change the algorithm priorities.

There's also no compelling reason to support more than one of
[HMAC_DRBG, HASH_DRBG, CTR_DRBG].  By definition, callers cannot tell
any difference in their outputs.  And all are FIPS-certifiable, which is
the only point of the kernel's NIST DRBGs anyway.

Switching to CTR_DRBG doesn't seem all that compelling, either.  While
it's often the fastest NIST DRBG, it has several disadvantages:

- CTR_DRBG uses AES.  Some platforms don't have AES acceleration at all,
  causing a fallback to the table-based AES code which is very slow and
  can be vulnerable to cache-timing attacks.  In contrast, HMAC_DRBG
  uses primitives that are consistently constant-time.

- CTR_DRBG is usually considered to be somewhat less cryptographically
  robust than HMAC_DRBG.  Granted, HMAC_DRBG isn't all that great
  either, e.g. given the negative result from Woodage &amp; Shumow (2018)
  (https://eprint.iacr.org/2018/349.pdf), but that can be worked around.

- CTR_DRBG is more complex than HMAC_DRBG, risking bugs.  Indeed, while
  reviewing the CTR_DRBG code, I found two bugs, including one where it
  can return success while leaving the output buffer uninitialized.

- The kernel's implementation of CTR_DRBG uses an "ctr(aes)"
  crypto_skcipher and relies on it returning the next counter value.
  That's fragile, and indeed historically many "ctr(aes)"
  crypto_skcipher implementations haven't done that.  E.g. see
  commit 511306b2d075 ("crypto: arm/aes-ce - update IV after partial final CTR block"),
  commit fa5fd3afc7e6 ("crypto: arm64/aes-blk - update IV after partial final CTR block"),
  commit 371731ec2179 ("crypto: atmel-aes - Fix saving of IV for CTR mode"),
  commit 25baaf8e2c93 ("crypto: crypto4xx - fix ctr-aes missing output IV"),
  commit 334d37c9e263 ("crypto: caam - update IV using HW support"),
  commit 0a4491d3febe ("crypto: chelsio - count incomplete block in IV"),
  commit e8e3c1ca57d4 ("crypto: s5p - update iv after AES-CBC op end").

  I.e., there were many years where the kernel's CTR_DRBG code (if it
  were to have actually been used) repeated outputs on some platforms.

  AES-CTR also uses a 128-bit counter, which creates overflow edge cases
  that are sometimes gotten wrong.  E.g. see commit 009b30ac7444
  ("crypto: vmx - CTR: always increment IV as quadword").

So, while switching to CTR_DRBG for performance reasons isn't completely
out of the question (notably BoringSSL uses it), it would take quite a
bit more work to create a solid implementation of it in the kernel,
including a more solid implementation of AES-CTR itself (in lib/crypto/,
with a scalar bit-sliced fallback, etc).  Since HMAC_DRBG has always
been the default NIST DRBG variant in the kernel and is in a better
state, let's just standardize on it for now.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Acked-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt; # m68k
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
</feed>
