03 Aug, 2018
1 commit
-
The cipher implementations of the kernel crypto API favor in-place
cipher operations. Thus, switch the CTR cipher operation in the DRBG to
perform in-place operations. This is implemented by using the output
buffer as input buffer and zeroizing it before the cipher operation to
implement a CTR encryption of a NULL buffer.The speed improvement is quite visibile with the following comparison
using the LRNG implementation.Without the patch set:
16 bytes| 12.267661 MB/s| 61338304 bytes | 5000000213 ns
32 bytes| 23.603770 MB/s| 118018848 bytes | 5000000073 ns
64 bytes| 46.732262 MB/s| 233661312 bytes | 5000000241 ns
128 bytes| 90.038042 MB/s| 450190208 bytes | 5000000244 ns
256 bytes| 160.399616 MB/s| 801998080 bytes | 5000000393 ns
512 bytes| 259.878400 MB/s| 1299392000 bytes | 5000001675 ns
1024 bytes| 386.050662 MB/s| 1930253312 bytes | 5000001661 ns
2048 bytes| 493.641728 MB/s| 2468208640 bytes | 5000001598 ns
4096 bytes| 581.835981 MB/s| 2909179904 bytes | 5000003426 nsWith the patch set:
16 bytes | 17.051142 MB/s | 85255712 bytes | 5000000854 ns
32 bytes | 32.695898 MB/s | 163479488 bytes | 5000000544 ns
64 bytes | 64.490739 MB/s | 322453696 bytes | 5000000954 ns
128 bytes | 123.285043 MB/s | 616425216 bytes | 5000000201 ns
256 bytes | 233.434573 MB/s | 1167172864 bytes | 5000000573 ns
512 bytes | 384.405197 MB/s | 1922025984 bytes | 5000000671 ns
1024 bytes | 566.313370 MB/s | 2831566848 bytes | 5000001080 ns
2048 bytes | 744.518042 MB/s | 3722590208 bytes | 5000000926 ns
4096 bytes | 867.501670 MB/s | 4337508352 bytes | 5000002181 nsSigned-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
20 Jul, 2018
1 commit
-
The CTR DRBG requires two SGLs pointing to input/output buffers for the
CTR AES operation. The used SGLs always have only one entry. Thus, the
SGL can be initialized during allocation time, preventing a
re-initialization of the SGLs during each call.The performance is increased by about 1 to 3 percent depending on the
size of the requested buffer size.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
21 Apr, 2018
1 commit
-
During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.Cc: stable@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu
03 Nov, 2017
1 commit
-
DRBG is starting an async. crypto op and waiting for it complete.
Move it over to generic code doing the same.The code now also passes CRYPTO_TFM_REQ_MAY_SLEEP flag indicating
crypto request memory allocation may use GFP_KERNEL which should
be perfectly fine as the code is obviously sleeping for the
completion of the request any way.Signed-off-by: Gilad Ben-Yossef
Signed-off-by: Herbert Xu
20 Sep, 2017
1 commit
-
During the change to use aligned buffers, the deallocation code path was
not updated correctly. The current code tries to free the aligned buffer
pointer and not the original buffer pointer as it is supposed to.Thus, the code is updated to free the original buffer pointer and set
the aligned buffer pointer that is used throughout the code to NULL.Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
CC:
CC: Herbert Xu
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
22 Jun, 2017
1 commit
-
Initialise ctr_completion variable before use.
Cc:
Signed-off-by: Harsh Jain
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
23 May, 2017
1 commit
-
drbg_kcapi_sym_ctr() was using wait_for_completion_interruptible() to
wait for completion of async crypto op but if a signal occurs it
may return before DMA ops of HW crypto provider finish, thus
corrupting the output buffer.Resolve this by using wait_for_completion() instead.
Reported-by: Eric Biggers
Signed-off-by: Gilad Ben-Yossef
CC: stable@vger.kernel.org
Signed-off-by: Herbert Xu
24 Mar, 2017
1 commit
-
An SGL to be initialized only once even when its buffers are written
to several times.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
30 Nov, 2016
2 commits
-
Merge the crypto tree to pull in chelsio chcr fix.
-
When using SGs, only heap memory (memory that is valid as per
virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
reference the caller-provided memory directly in an SG. In case the
caller provided stack memory pointers, the SG mapping is not considered
to be valid. In some cases, this would even cause a paging fault.The change adds a new scratch buffer that is used unconditionally to
catch the cases where the caller-provided buffer is not suitable for
use in an SG. The crypto operation of the CTR DRBG produces its output
with that scratch buffer and finally copies the content of the
scratch buffer to the caller's buffer.The scratch buffer is allocated during allocation time of the CTR DRBG
as its access is protected with the DRBG mutex.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
21 Nov, 2016
1 commit
-
The CTR DRBG segments the number of random bytes to be generated into
128 byte blocks. The current code misses the advancement of the output
buffer pointer when the requestor asks for more than 128 bytes of data.
In this case, the next 128 byte block of random numbers is copied to
the beginning of the output buffer again. This implies that only the
first 128 bytes of the output buffer would ever be filled.The patch adds the advancement of the buffer pointer to fill the entire
buffer.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
24 Aug, 2016
1 commit
-
Fix to return a negative error code from the error handling
case instead of 0.Signed-off-by: Wei Yongjun
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
16 Aug, 2016
1 commit
-
When calling the DRBG health test in FIPS mode, the Jitter RNG is not
yet present in the kernel crypto API which will cause the instantiation
to fail and thus the health test to fail.As the health tests cover the enforcement of various thresholds, invoke
the functions that are supposed to enforce the thresholds directly.This patch also saves precious seed.
Reported-by: Tapas Sarangi
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
20 Jun, 2016
2 commits
-
We accidentally return PTR_ERR(NULL) which is success but we should
return -ENOMEM.Fixes: 355912852115 ('crypto: drbg - use CTR AES instead of ECB AES')
Signed-off-by: Dan Carpenter
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu -
crypto/drbg.c:1637:39-40: Unneeded semicolon
Remove unneeded semicolon.
Generated by: scripts/coccinelle/misc/semicolon.cocci
CC: Stephan Mueller
Signed-off-by: Fengguang Wu
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
15 Jun, 2016
4 commits
-
The TFM object maintains the key for the CTR DRBG.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The CTR DRBG update function performs a full CTR AES operation including
the XOR with "plaintext" data. Hence, remove the XOR from the code and
use the CTR mode to do the XOR.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
Hardware cipher implementation may require aligned buffers. All buffers
that potentially are processed with a cipher are now aligned.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The CTR DRBG derives its random data from the CTR that is encrypted with
AES.This patch now changes the CTR DRBG implementation such that the
CTR AES mode is employed. This allows the use of steamlined CTR AES
implementation such as ctr-aes-aesni.Unfortunately there are the following subtile changes we need to apply
when using the CTR AES mode:- the CTR mode increments the counter after the cipher operation, but
the CTR DRBG requires the increment before the cipher op. Hence, the
crypto_inc is applied to the counter (drbg->V) once it is
recalculated.- the CTR mode wants to encrypt data, but the CTR DRBG is interested in
the encrypted counter only. The full CTR mode is the XOR of the
encrypted counter with the plaintext data. To access the encrypted
counter, the patch uses a NULL data vector as plaintext to be
"encrypted".Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
02 Jun, 2016
1 commit
-
The CTR DRBG code always set the key for each sym cipher invocation even
though the key has not been changed.The patch ensures that the setkey is only invoked when a new key is
generated by the DRBG.With this patch, the CTR DRBG performance increases by more than 150%.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
05 Apr, 2016
1 commit
-
The HMAC implementation allows setting the HMAC key independently from
the hashing operation. Therefore, the key only needs to be set when a
new key is generated.This patch increases the speed of the HMAC DRBG by at least 35% depending
on the use case.The patch is fully CAVS tested.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
25 Jan, 2016
1 commit
-
The newly released FIPS 140-2 IG 9.8 specifies that for SP800-90A
compliant DRBGs, the FIPS 140-2 continuous random number generator test
is not required any more.This patch removes the test and all associated data structures.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
10 Dec, 2015
1 commit
-
The drbg_state_ops structures are never modified, so declare them as const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall
Signed-off-by: Herbert Xu
11 Jun, 2015
1 commit
-
Be more verbose and also report ->backend_cra_name when
crypto_alloc_shash() or crypto_alloc_cipher() fail in
drbg_init_hash_kernel() or drbg_init_sym_kernel()
correspondingly.Example
DRBG: could not allocate digest TFM handle: hmac(sha256)Signed-off-by: Sergey Senozhatsky
Signed-off-by: Herbert Xu
10 Jun, 2015
2 commits
-
As required by SP800-90A, the DRBG implements are reseeding threshold.
This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
implemented in drbg_max_requests.With the recently introduced changes, the DRBG is now always used as a
stdrng which is initialized very early in the boot cycle. To ensure that
sufficient entropy is present, the Jitter RNG is added to even provide
entropy at early boot time.However, the 2nd seed source, the nonblocking pool, is usually
degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
(which I believe contains good entropy, which however is questioned by
others) and is seeded with a degradded nonblocking pool. This seed is
now used for quasi the lifetime of the system (2**48 requests is a lot).The patch now changes the reseed threshold as follows: up until the time
the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
reseeding threshold is lowered such that the DRBG is forced to reseed
itself resonably often. Once it obtains the seed from a fully
initialized nonblocking pool, the reseed threshold is set to the value
required by SP800-90A.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The get_blocking_random_bytes API is broken because the wait can
be arbitrarily long (potentially forever) so there is no safe way
of calling it from within the kernel.This patch replaces it with the new callback API which does not
have this problem.The patch also removes the entropy buffer registered with the DRBG
handle in favor of stack variables to hold the seed data.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
04 Jun, 2015
1 commit
-
This patch adds the stdrng module alias and increases the priority
to ensure that it is loaded in preference to other RNGs.Signed-off-by: Herbert Xu
27 May, 2015
3 commits
-
During initialization, the DRBG now tries to allocate a handle of the
Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
pulls the required entropy/nonce string from get_random_bytes and
concatenates it with a string of equal size from the Jitter RNG. That
combined string is now the seed for the DRBG.Written differently, the initial seed of the DRBG is now:
get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)
If the Jitter RNG is not available, the DRBG only seeds from
get_random_bytes.CC: Andreas Steffen
CC: Theodore Ts'o
CC: Sandy Harris
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The async seeding operation is triggered during initalization right
after the first non-blocking seeding is completed. As required by the
asynchronous operation of random.c, a callback function is provided that
is triggered by random.c once entropy is available. That callback
function performs the actual seeding of the DRBG.CC: Andreas Steffen
CC: Theodore Ts'o
CC: Sandy Harris
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
In order to prepare for the addition of the asynchronous seeding call,
the invocation of seeding the DRBG is moved out into a helper function.In addition, a block of memory is allocated during initialization time
that will be used as a scratchpad for obtaining entropy. That scratchpad
is used for the initial seeding operation as well as by the
asynchronous seeding call. The memory must be zeroized every time the
DRBG seeding call succeeds to avoid entropy data lingering in memory.CC: Andreas Steffen
CC: Theodore Ts'o
CC: Sandy Harris
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
23 Apr, 2015
1 commit
-
This patch removes the unnecessary CRYPTO_FIPS ifdef from
drbg_healthcheck_sanity so that the code always gets checked
by the compiler.Signed-off-by: Herbert Xu
Acked-by: Stephan Mueller
22 Apr, 2015
1 commit
-
This patch converts the DRBG implementation to the new low-level
rng interface.This allows us to get rid of struct drbg_gen by using the new RNG
API instead.Signed-off-by: Herbert Xu
Acked-by: Stephan Mueller
21 Apr, 2015
6 commits
-
Initialising the RNG in drbg_kcapi_init is a waste of precious
entropy because all users will immediately seed the RNG after
the allocation.In fact, all users should seed the RNG before using it. So there
is no point in doing the seeding in drbg_kcapi_init.This patch removes the initial seeding and the user must seed
the RNG explicitly (as they all currently do).This patch also changes drbg_kcapi_reset to allow reseeding.
That is, if you call it after a successful initial seeding, then
it will not reset the internal state of the DRBG before mixing
the new input and entropy.If you still wish to reset the internal state, you can always
free the DRBG and allocate a new one.Finally this patch removes locking from drbg_uninstantiate because
it's now only called from the destruction path which must not be
executed in parallel with normal operations.Signed-off-by: Herbert Xu
Acked-by: Stephan Mueller -
As we moved the mutex init out of drbg_instantiate and into cra_init
we need to explicitly initialise the mutex in drbg_healthcheck_sanity.Signed-off-by: Herbert Xu
Acked-by: Stephan Mueller -
As the DRBG does not operate on shadow copies of the DRBG instance
any more, the cipher handles only need to be allocated once during
initalization time and deallocated during uninstantiate time.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The creation of a shadow copy is intended to only hold a short term
lock. But the drawback is that parallel users have a very similar DRBG
state which only differs by a high-resolution time stamp.The DRBG will now hold a long term lock. Therefore, the lock is changed
to a mutex which implies that the DRBG can only be used in process
context.The lock now guards the instantiation as well as the entire DRBG
generation operation. Therefore, multiple callers are fully serialized
when generating a random number.As the locking is changed to use a long-term lock to avoid such similar
DRBG states, the entire creation and maintenance of a shadow copy can be
removed.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The drbg_generate returns 0 in success case. That means that
drbg_generate_long will always only generate drbg_max_request_bytes at
most. Longer requests will be truncated to drbg_max_request_bytes.Reported-by: Herbert Xu
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
The buffer uses for temporary data must be cleared entirely. In AES192
the used buffer is drbg_statelen(drbg) + drbg_blocklen(drbg) as
documented in the comment above drbg_ctr_df.This patch ensures that the temp buffer is completely wiped.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
09 Mar, 2015
1 commit
-
Change the RNGs to always return 0 in success case.
This patch ensures that seqiv.c works with RNGs other than krng. seqiv
expects that any return code other than 0 is an error. Without the
patch, rfc4106(gcm(aes)) will not work when using a DRBG or an ANSI
X9.31 RNG.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
04 Mar, 2015
1 commit
-
The DRBG code contains memset(0) calls to initialize a varaible
that are not necessary as the variable is always overwritten by
the processing.This patch increases the CTR and Hash DRBGs by about 5%.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu