1. 16 Aug, 2016 1 commit
  2. 20 Jun, 2016 2 commits
  3. 15 Jun, 2016 4 commits
  4. 02 Jun, 2016 1 commit
  5. 05 Apr, 2016 1 commit
  6. 25 Jan, 2016 1 commit
  7. 10 Dec, 2015 1 commit
  8. 11 Jun, 2015 1 commit
  9. 10 Jun, 2015 2 commits
    • Stephan Mueller's avatar
      crypto: drbg - reseed often if seedsource is degraded · 42ea507f
      Stephan Mueller authored
      As required by SP800-90A, the DRBG implements are reseeding threshold.
      This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
      implemented in drbg_max_requests.
      
      With the recently introduced changes, the DRBG is now always used as a
      stdrng which is initialized very early in the boot cycle. To ensure that
      sufficient entropy is present, the Jitter RNG is added to even provide
      entropy at early boot time.
      
      However, the 2nd seed source, the nonblocking pool, is usually
      degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
      (which I believe contains good entropy, which however is questioned by
      others) and is seeded with a degradded nonblocking pool. This seed is
      now used for quasi the lifetime of the system (2**48 requests is a lot).
      
      The patch now changes the reseed threshold as follows: up until the time
      the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
      reseeding threshold is lowered such that the DRBG is forced to reseed
      itself resonably often. Once it obtains the seed from a fully
      initialized nonblocking pool, the reseed threshold is set to the value
      required by SP800-90A.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      42ea507f
    • Stephan Mueller's avatar
      crypto: drbg - Use callback API for random readiness · 57225e67
      Stephan Mueller authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with the new callback API which does not
      have this problem.
      
      The patch also removes the entropy buffer registered with the DRBG
      handle in favor of stack variables to hold the seed data.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      57225e67
  10. 04 Jun, 2015 1 commit
  11. 27 May, 2015 3 commits
    • Stephan Mueller's avatar
      crypto: drbg - use Jitter RNG to obtain seed · b8ec5ba4
      Stephan Mueller authored
      During initialization, the DRBG now tries to allocate a handle of the
      Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
      pulls the required entropy/nonce string from get_random_bytes and
      concatenates it with a string of equal size from the Jitter RNG. That
      combined string is now the seed for the DRBG.
      
      Written differently, the initial seed of the DRBG is now:
      
      get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)
      
      If the Jitter RNG is not available, the DRBG only seeds from
      get_random_bytes.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      b8ec5ba4
    • Stephan Mueller's avatar
      crypto: drbg - add async seeding operation · 4c787990
      Stephan Mueller authored
      The async seeding operation is triggered during initalization right
      after the first non-blocking seeding is completed. As required by the
      asynchronous operation of random.c, a callback function is provided that
      is triggered by random.c once entropy is available. That callback
      function performs the actual seeding of the DRBG.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4c787990
    • Stephan Mueller's avatar
      crypto: drbg - prepare for async seeding · 3d6a5f75
      Stephan Mueller authored
      In order to prepare for the addition of the asynchronous seeding call,
      the invocation of seeding the DRBG is moved out into a helper function.
      
      In addition, a block of memory is allocated during initialization time
      that will be used as a scratchpad for obtaining entropy. That scratchpad
      is used for the initial seeding operation as well as by the
      asynchronous seeding call. The memory must be zeroized every time the
      DRBG seeding call succeeds to avoid entropy data lingering in memory.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3d6a5f75
  12. 23 Apr, 2015 1 commit
  13. 22 Apr, 2015 1 commit
  14. 21 Apr, 2015 6 commits
  15. 09 Mar, 2015 1 commit
  16. 04 Mar, 2015 2 commits
  17. 04 Jan, 2015 1 commit
  18. 22 Dec, 2014 1 commit
    • Stephan Mueller's avatar
      crypto: drbg - panic on continuous self test error · 905b42e5
      Stephan Mueller authored
      This patch adds a panic if the FIPS 140-2 self test error failed.
      Note, that entire code is only executed with fips_enabled (i.e. when the
      kernel is booted with fips=1. It is therefore not executed for 99.9% of
      all user base.
      
      As mathematically such failure cannot occur, this panic should never be
      triggered. But to comply with NISTs current requirements, an endless
      loop must be replaced with the panic.
      
      When the new version of FIPS 140 will be released, this entire
      continuous self test function will be ripped out as it will not be
      needed any more.
      
      This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      905b42e5
  19. 27 Nov, 2014 1 commit
  20. 26 Nov, 2014 1 commit
  21. 10 Nov, 2014 1 commit
  22. 24 Oct, 2014 1 commit
  23. 05 Sep, 2014 1 commit
  24. 26 Aug, 2014 1 commit
  25. 25 Aug, 2014 3 commits