20 Sep, 2017 (1 commit)
    • crypto: drbg - fix freeing of resources · bd6227a1
      Stephan Mueller authored
      During the change to use aligned buffers, the deallocation code path was
      not updated correctly. The current code tries to free the aligned buffer
      pointer and not the original buffer pointer as it is supposed to.
      
      Thus, the code is updated to free the original buffer pointer and set
      the aligned buffer pointer that is used throughout the code to NULL.
      
      Fixes: 3cfc3b97 ("crypto: drbg - use aligned buffers")
      CC: <stable@vger.kernel.org>
      CC: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
30 Nov, 2016 (1 commit)
    • crypto: drbg - prevent invalid SG mappings · 51029812
      Stephan Mueller authored
      When using SGs, only heap memory (memory that is valid as per
      virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
      reference the caller-provided memory directly in an SG. In case the
      caller provided stack memory pointers, the SG mapping is not considered
      to be valid. In some cases, this would even cause a paging fault.
      
      The change adds a new scratch buffer that is used unconditionally to
      catch the cases where the caller-provided buffer is not suitable for
      use in an SG. The crypto operation of the CTR DRBG produces its output
      with that scratch buffer and finally copies the content of the
      scratch buffer to the caller's buffer.
      
      The scratch buffer is allocated during allocation time of the CTR DRBG
      as its access is protected with the DRBG mutex.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
21 Nov, 2016 (1 commit)
    • crypto: drbg - advance output buffer pointer · 8ff4c191
      Stephan Mueller authored
      The CTR DRBG segments the number of random bytes to be generated into
      128 byte blocks. The current code misses the advancement of the output
      buffer pointer when the requestor asks for more than 128 bytes of data.
      In this case, the next 128 byte block of random numbers is copied to
      the beginning of the output buffer again. This implies that only the
      first 128 bytes of the output buffer would ever be filled.
      
      The patch adds the advancement of the buffer pointer to fill the entire
      buffer.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
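The pointer-advancement defect described in the commit message above, reduced to an added stand-alone C example (this is not the kernel's drbg.c code): a deterministic toy block function stands in for the CTR DRBG block operation, and the segmented fill loop is shown before and after the fix so the effect on requests larger than 128 bytes can be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DRBG_BLOCK 128  /* segment size used by the CTR DRBG generate path */

/* Stand-in for one CTR DRBG block operation (constructed, NOT random):
 * fills 128 bytes with a per-block pattern so segments can be told apart. */
static void toy_block(uint8_t *block, unsigned int block_no)
{
    for (size_t i = 0; i < DRBG_BLOCK; i++)
        block[i] = (uint8_t)(block_no * 37 + i);
}

/* Before the fix: 'out' is never advanced, so every block lands at out[0]
 * and only the first 128 bytes of the caller's buffer are ever written. */
size_t fill_before_fix(uint8_t *out, size_t len)
{
    uint8_t block[DRBG_BLOCK];
    size_t done = 0;
    unsigned int n = 0;
    while (done < len) {
        size_t chunk = len - done < DRBG_BLOCK ? len - done : DRBG_BLOCK;
        toy_block(block, n++);
        memcpy(out, block, chunk);      /* bug: always copies to the start */
        done += chunk;
    }
    return done;
}

/* After the fix: the output pointer moves past each copied segment. */
size_t fill_after_fix(uint8_t *out, size_t len)
{
    uint8_t block[DRBG_BLOCK];
    size_t done = 0;
    unsigned int n = 0;
    while (done < len) {
        size_t chunk = len - done < DRBG_BLOCK ? len - done : DRBG_BLOCK;
        toy_block(block, n++);
        memcpy(out, block, chunk);
        out += chunk;                   /* fix: advance to the next segment */
        done += chunk;
    }
    return done;
}

/* Returns 1 when every segment of 'out' holds the block it should. */
int segments_ok(const uint8_t *out, size_t len)
{
    uint8_t block[DRBG_BLOCK];
    for (size_t off = 0, n = 0; off < len; off += DRBG_BLOCK, n++) {
        size_t chunk = len - off < DRBG_BLOCK ? len - off : DRBG_BLOCK;
        toy_block(block, (unsigned int)n);
        if (memcmp(out + off, block, chunk) != 0)
            return 0;
    }
    return 1;
}

/* Runs one variant over a 0xAA-prefilled buffer (len <= 512) and reports
 * whether the whole requested range was filled correctly. */
int check_fill(int use_fix, size_t len)
{
    uint8_t buf[512];
    memset(buf, 0xAA, sizeof buf);
    if (use_fix)
        fill_after_fix(buf, len);
    else
        fill_before_fix(buf, len);
    return segments_ok(buf, len);
}
```

Requests of at most one block pass with both variants, which is why the defect only shows once a caller asks for more than 128 bytes.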
10 Jun, 2015 (2 commits)
    • crypto: drbg - reseed often if seedsource is degraded · 42ea507f
      Stephan Mueller authored
      As required by SP800-90A, the DRBG implements a reseeding threshold.
      This threshold is at 2**48 (64 bit) and 2**32 (32 bit) as
      implemented in drbg_max_requests.
      
      With the recently introduced changes, the DRBG is now always used as a
      stdrng which is initialized very early in the boot cycle. To ensure that
      sufficient entropy is present, the Jitter RNG is added to even provide
      entropy at early boot time.
      
      However, the 2nd seed source, the nonblocking pool, is usually
      degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
      (which I believe contains good entropy, which however is questioned by
      others) and is seeded with a degraded nonblocking pool. This seed is
      now used for quasi the lifetime of the system (2**48 requests is a lot).
      
      The patch now changes the reseed threshold as follows: up until the time
      the DRBG obtains a seed from a fully initialized nonblocking pool, the
      reseeding threshold is lowered such that the DRBG is forced to reseed
      itself reasonably often. Once it obtains the seed from a fully
      initialized nonblocking pool, the reseed threshold is set to the value
      required by SP800-90A.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: drbg - Use callback API for random readiness · 57225e67
      Stephan Mueller authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with the new callback API which does not
      have this problem.
      
      The patch also removes the entropy buffer registered with the DRBG
      handle in favor of stack variables to hold the seed data.
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
27 May, 2015 (3 commits)
    • crypto: drbg - use Jitter RNG to obtain seed · b8ec5ba4
      Stephan Mueller authored
      During initialization, the DRBG now tries to allocate a handle of the
      Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
      pulls the required entropy/nonce string from get_random_bytes and
      concatenates it with a string of equal size from the Jitter RNG. That
      combined string is now the seed for the DRBG.
      
      Written differently, the initial seed of the DRBG is now:
      
      get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)
      
      If the Jitter RNG is not available, the DRBG only seeds from
      get_random_bytes.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: drbg - add async seeding operation · 4c787990
      Stephan Mueller authored
      The async seeding operation is triggered during initialization right
      after the first non-blocking seeding is completed. As required by the
      asynchronous operation of random.c, a callback function is provided that
      is triggered by random.c once entropy is available. That callback
      function performs the actual seeding of the DRBG.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: drbg - prepare for async seeding · 3d6a5f75
      Stephan Mueller authored
      In order to prepare for the addition of the asynchronous seeding call,
      the invocation of seeding the DRBG is moved out into a helper function.
      
      In addition, a block of memory is allocated during initialization time
      that will be used as a scratchpad for obtaining entropy. That scratchpad
      is used for the initial seeding operation as well as by the
      asynchronous seeding call. The memory must be zeroized every time the
      DRBG seeding call succeeds to avoid entropy data lingering in memory.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>