summaryrefslogtreecommitdiffstats
path: root/crypto/drbg.c
Commit message (Collapse)AuthorAgeFilesLines
* Revert "crypto: drbg - use memzero_explicit() for clearing sensitive data"Herbert Xu2015-01-051-12/+11
| | | | | | | | | This reverts commit 421d82f5b3e75f94e31875e37d45cdf6a557c120. None of the data zeroed are on the stack so the compiler cannot optimise them away. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - panic on continuous self test errorStephan Mueller2014-12-221-9/+2
| | | | | | | | | | | | | | | | | | | | This patch adds a panic if the FIPS 140-2 self test error failed. Note, that entire code is only executed with fips_enabled (i.e. when the kernel is booted with fips=1. It is therefore not executed for 99.9% of all user base. As mathematically such failure cannot occur, this panic should never be triggered. But to comply with NISTs current requirements, an endless loop must be replaced with the panic. When the new version of FIPS 140 will be released, this entire continuous self test function will be ripped out as it will not be needed any more. This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - use memzero_explicit() for clearing sensitive dataNickolaus Woodruff2014-11-271-11/+12
| | | | | | | | | | Compiler dead store optimization can sometimes remove final calls to memset() used to clear sensitive data at the end of a function. Replace trailing memset() calls with memzero_explicit() to preclude unwanted removal. Signed-off-by: Nickolaus Woodruff <nickolauswoodruff@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - use MODULE_ALIAS_CRYPTOStephan Mueller2014-11-261-22/+22
| | | | | | | Use the crypto- prefix for the DRBG implementations. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - add MODULE_ALIAS for all DRBG typesStephan Mueller2014-11-101-0/+25
| | | | | | | | | | | The kernel module drbg.ko is currently not loaded automatically when a DRBG is requested by a consumer. This is due to missing MODULE_ALIAS flags for each of the implemented DRBG types. This patch adds aliases for each of the 22 defined DRBGs. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - use crypto_incStephan Mueller2014-10-241-41/+38
| | | | | | | | | | | The DRBG internal buffer addition function is replaced with crypto_inc when a buffer is to be incremented by one. The function drbg_add_buf is moved to the CONFIG_CRYPTO_DRBG_HASH ifdef area as it is now only needed for the Hash DRBG. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Herbert Xu2014-09-051-3/+0
|\ | | | | | | | | Merging the crypto tree for 3.17 in order to resolve the conflict on the 32-bit DRBG overflow fix.
| * crypto: drbg - remove check for uninitialized DRBG handleStephan Mueller2014-09-051-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The drbg_healthcheck() contained a test to call the DRBG with an uninitialized DRBG cipher handle. As this is an inappropriate use of the kernel crypto API to try to generate random numbers before initialization, checks verifying for an initialized DRBG have been removed in previous patches. Now, the drbg_healthcheck test must also be removed. Changes V2: Added patch marker to email subject line. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - fix sparse warning for cpu_to_be[32|64]Stephan Mueller2014-08-261-2/+2
| | | | | | | | | | | | | | | | | | | | The sparse tool complained that the cpu_to_be[32|64] functions return __be[32|64] instead of __u32 or __u64. The patch replaces the __u32 and __u64 with __be32 and __be64. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - remove unnecessary sanity check for shadow stateStephan Mueller2014-08-251-3/+0
| | | | | | | | | | | | | | | | | | During creation of the DRBG shadow state, it is ensured that the DRBG state structure is already allocated. Thus, a sanity check for verifying that the structure is allocated is removed. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - remove configuration of fixed valuesStephan Mueller2014-08-251-33/+0
| | | | | | | | | | | | | | | | | | | | | | | | SP800-90A mandates several hard-coded values. The old drbg_cores allows the setting of these values per DRBG implementation. However, due to the hard requirement of SP800-90A, these values are now returned globally for each DRBG. The ability to set such values per DRBG is therefore removed. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - remove unnecessary sanity checksStephan Mueller2014-08-251-9/+0
| | | | | | | | | | | | | | | | | | The drbg_make_shadow function contains sanity checks which are not needed as the function is invoked at times where it is ensured that the checked-for variables are available. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - use kmalloc instead of kzalloc for V and CStephan Mueller2014-08-251-3/+8
| | | | | | | | | | | | | | | | | | | | | | When allocating V, C, the zeroization is only needed when allocating a new instance of the DRBG, i.e. when performing an initial seeding. For all other allocations, the memcpy implemented in drbg_copy_drbg ensures that the memory is filled with the correct information. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - remove superflowous memset(0)Stephan Mueller2014-08-251-4/+2
| | | | | | | | | | | | | | Remove memset(0) which is not needed due to the kzalloc of the memory. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - remove superflowous checksStephan Mueller2014-08-251-10/+6
| | | | | | | | | | | | | | | | The crypto_init and crypto_fini functions are always implemented. Thus, there is no need for a protecting check. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - kzfree does not need a check for NULL pointerStephan Mueller2014-08-251-12/+6
| | | | | | | | | | | | | | | | The kzfree function already performs the NULL pointer check. Therefore, the DRBG code does not need to implement such check. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: drbg - replace int2byte with cpu_to_beStephan Mueller2014-08-251-16/+18
|/ | | | | | | | | | | | | | | | | | | | The DRBG requires the conversion of an integer into a string representation of that integer. The previous implementation converted the given integer byte-wise. However, the kernel offers the cpu_to_be function which already re-arranges the memory representation of an integer such that it applies when interpreting the same memory as character string. The change therefore uses an integer-cast / union of the target character array together with the cpu_to_be function to convert an integer into its string representation. Tests show that the Hash and CTR DRBG implementations (the HMAC DRBG does not require such conversion) is about 10% faster (or requires less computing power, respectively). Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - fix failure of generating multiple of 2**16 bytesStephan Mueller2014-08-011-1/+1
| | | | | | | | | | The function drbg_generate_long slices the request into 2**16 byte or smaller chunks. However, the loop, however invokes the random number generation function with zero bytes when the request size is a multiple of 2**16 bytes. The fix prevents zero bytes requests. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - drbg_exit() can be staticFengguang Wu2014-07-101-1/+1
| | | | | | CC: Stephan Mueller <smueller@chronox.de> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - HMAC-SHA1 DRBG has crypto strength of 128 bitsStephan Mueller2014-07-081-1/+1
| | | | | | | | | | The patch corrects the security strength of the HMAC-SHA1 DRBG to 128 bits. This strength defines the size of the seed required for the DRBG. Thus, the patch lowers the seeding requirement from 256 bits to 128 bits for HMAC-SHA1. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Mix a time stamp into DRBG stateStephan Mueller2014-07-081-24/+35
| | | | | | | | | | | | | | | | | | | | | | | | | The current locking approach of the DRBG tries to keep the protected code paths very minimal. It is therefore possible that two threads query one DRBG instance at the same time. When thread A requests random numbers, a shadow copy of the DRBG state is created upon which the request for A is processed. After finishing the state for A's request is merged back into the DRBG state. If now thread B requests random numbers from the same DRBG after the request for thread A is received, but before A's shadow state is merged back, the random numbers for B will be identical to the ones for A. Please note that the time window is very small for this scenario. To prevent that there is even a theoretical chance for thread A and B having the same DRBG state, the current time stamp is provided as additional information string for each new request. The addition of the time stamp as additional information string implies that now all generate functions must be capable to process a linked list with additional information strings instead of a scalar. CC: Rafael Aquini <aquini@redhat.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Select correct DRBG core for stdrngStephan Mueller2014-07-081-1/+1
| | | | | | | | | | | | When the DRBG is initialized, the core is looked up using the DRBG name. The name that can be used for the lookup is registered in cra_driver_name. The cra_name value contains stdrng. Thus, the lookup code must use crypto_tfm_alg_driver_name to obtain the precise DRBG name and select the correct DRBG. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Call CTR DRBG DF function only onceStephan Mueller2014-07-081-19/+22
| | | | | | | | | | | | | | | | | The CTR DRBG requires the update function to be called twice when generating a random number. In both cases, update function must process the additional information string by using the DF function. As the DF produces the same result in both cases, we can save one invocation of the DF function when the first DF function result is reused. The result of the DF function is stored in the scratchpad storage. The patch ensures that the scratchpad is not cleared when we want to reuse the DF result. For achieving this, the CTR DRBG update function must know by whom and in which scenario it is called. This information is provided with the reseed parameter to the update function. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Fix format string for debugging statementsStephan Mueller2014-07-081-2/+2
| | | | | | | | | | | The initial format strings caused warnings on several architectures. The updated format strings now match the variable types. Reported-by: kbuild test robot <fengguang.wu@intel.com> Reported-by: Randy Dunlap <rdunlap@infradead.org> CC: Joe Perches <joe@perches.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - cleanup of preprocessor macrosStephan Mueller2014-07-081-11/+17
| | | | | | | | | | | The structure used to construct the module description line was marked problematic by the sparse code analysis tool. The module line description now does not contain any ifdefs to prevent error reports from sparse. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Use Kconfig to ensure at least one RNG option is setHerbert Xu2014-07-041-6/+0
| | | | | | | | | | | This patch removes the build-time test that ensures at least one RNG is set. Instead we will simply not build drbg if no options are set through Kconfig. This also fixes a typo in the name of the Kconfig option CRYTPO_DRBG (should be CRYPTO_DRBG). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - use of kernel linked listStephan Mueller2014-07-041-109/+124
| | | | | | | | | | | | | The DRBG-style linked list to manage input data that is fed into the cipher invocations is replaced with the kernel linked list implementation. The change is transparent to users of the interfaces offered by the DRBG. Therefore, no changes to the testmgr code is needed. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - fix memory corruption for AES192Stephan Mueller2014-07-041-3/+11
| | | | | | | | | | | | | | | | | | | For the CTR DRBG, the drbg_state->scratchpad temp buffer (i.e. the memory location immediately before the drbg_state->tfm variable is the buffer that the BCC function operates on. BCC operates blockwise. Making the temp buffer drbg_statelen(drbg) in size is sufficient when the DRBG state length is a multiple of the block size. For AES192 this is not the case and the length for temp is insufficient (yes, that also means for such ciphers, the final output of all BCC rounds are truncated before used to update the state of the DRBG!!). The patch enlarges the temp buffer from drbg_statelen to drbg_statelen + drbg_blocklen to have sufficient space. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - simplify ordering of linked list in drbg_ctr_dfStephan Mueller2014-06-261-5/+5
| | | | | | | | | As reported by a static code analyzer, the code for the ordering of the linked list can be simplified. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - SP800-90A Deterministic Random Bit GeneratorStephan Mueller2014-06-201-0/+2007
This is a clean-room implementation of the DRBG defined in SP800-90A. All three viable DRBGs defined in the standard are implemented: * HMAC: This is the leanest DRBG and compiled per default * Hash: The more complex DRBG can be enabled at compile time * CTR: The most complex DRBG can also be enabled at compile time The DRBG implementation offers the following: * All three DRBG types are implemented with a derivation function. * All DRBG types are available with and without prediction resistance. * All SHA types of SHA-1, SHA-256, SHA-384, SHA-512 are available for the HMAC and Hash DRBGs. * All AES types of AES-128, AES-192 and AES-256 are available for the CTR DRBG. * A self test is implemented with drbg_healthcheck(). * The FIPS 140-2 continuous self test is implemented. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>