Re: [PATCH 15/38] crypto: testmgr - Add test for drbg_pr_hmac_sha512
From: Eric Biggers
Date: Mon Apr 20 2026 - 13:08:26 EST
On Mon, Apr 20, 2026 at 11:04:51AM -0500, Joachim Vandersmissen wrote:
> Hi Eric,
>
> Was there any particular reason for adding this test? I don't think there's
> any _explicit_ requirement for having tests for both non-PR and PR DRBG
> variants.
Well, *if* predictionResistance=true continues to be supported, then this
test is needed, considering that drbg_pr_hmac_sha256 and its test was
removed. Code should always be tested. (Also, considering FIPS, the
guidance I've gotten from a FIPS lab in the past is that
predictionResistance=true has to be tested if it's supported.)
> In fact, as part of this very comprehensive cleanup, maybe the PR variants
> of the DRBGs should be removed as well? Is anyone actually using those? PR
> variants are (were) registered before the non-PR variants, so non-PR was
> always used by default.
But yes, I think you're right that we should just go ahead and remove
support for predictionResistance=true too. I was a bit on the fence
about removing something that's "more" secure and also has a relatively
straightforward implementation. But since it's not the default, it
doesn't make much sense to use it, this test would have to be added, and
it's not required for FIPS certifications either (in fact it seems to
just make them a bit harder), it does seem like the right choice.
- Eric