From c602b6409fef59b967afdd750821544f7ef3bf5f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jallison@ciq.com>
Date: Tue, 2 Sep 2025 12:58:53 -0700
Subject: [PATCH] Revert "Revert: crypto: DRBG - switch to HMAC SHA512 DRBG as
 default DRBG"

    JIRA: INTERNAL
    Revert Author <jallison@ciq.com>
    Revert Commit fd8a0deb716f6f4dde224de4a6e1caa08cef801d.
    Revert Reason: This changes the default DRBG back to HMAC SHA512 to
    keep entropy certifications for all Rocky9.6 FIPS modules.
    Approved by the lab.

Keeping hmac(sha512) allows the entropy certificates used
for Rocky 9.2 FIPS to be re-used in 9.6, preventing re-certification
of all the kernel and userspace modules.

NB. We still get the scalability speedup from the per-CPU DRBG
changes.

Signed-off-by: Jeremy Allison <jallison@ciq.com>
---
 crypto/drbg.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index d5281a0c89b75..d14cc09b5d399 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = {
 		.blocklen_bytes = 48,
 		.cra_name = "hmac_sha384",
 		.backend_cra_name = "hmac(sha384)",
-	}, {
-		.flags = DRBG_HMAC | DRBG_STRENGTH256,
-		.statelen = 64, /* block length of cipher */
-		.blocklen_bytes = 64,
-		.cra_name = "hmac_sha512",
-		.backend_cra_name = "hmac(sha512)",
 	}, {
 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
 		.statelen = 32, /* block length of cipher */
 		.blocklen_bytes = 32,
 		.cra_name = "hmac_sha256",
 		.backend_cra_name = "hmac(sha256)",
+	}, {
+		.flags = DRBG_HMAC | DRBG_STRENGTH256,
+		.statelen = 64, /* block length of cipher */
+		.blocklen_bytes = 64,
+		.cra_name = "hmac_sha512",
+		.backend_cra_name = "hmac(sha512)",
 	},
 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
 };