1. 01 May, 2018 1 commit
  2. 05 Oct, 2017 1 commit
  3. 12 Jul, 2017 1 commit
  4. 14 Jun, 2017 1 commit
  5. 30 Nov, 2016 1 commit
    • Stephan Mueller's avatar
      crypto: drbg - prevent invalid SG mappings · 51029812
      Stephan Mueller authored
      When using SGs, only heap memory (memory that is valid as per
      virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
      reference the caller-provided memory directly in an SG. In case the
      caller provided stack memory pointers, the SG mapping is not considered
      to be valid. In some cases, this would even cause a paging fault.
      
      The change adds a new scratch buffer that is used unconditionally to
      catch the cases where the caller-provided buffer is not suitable for
      use in an SG. The crypto operation of the CTR DRBG produces its output
      with that scratch buffer and finally copies the content of the
      scratch buffer to the caller's buffer.
      
      The scratch buffer is allocated during allocation time of the CTR DRBG
      as its access is protected with the DRBG mutex.
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      51029812
  6. 24 Aug, 2016 1 commit
  7. 16 Aug, 2016 1 commit
  8. 20 Jun, 2016 2 commits
  9. 15 Jun, 2016 4 commits
  10. 02 Jun, 2016 1 commit
  11. 05 Apr, 2016 1 commit
  12. 25 Jan, 2016 1 commit
  13. 10 Dec, 2015 1 commit
  14. 11 Jun, 2015 1 commit
  15. 10 Jun, 2015 2 commits
    • Stephan Mueller's avatar
      crypto: drbg - reseed often if seedsource is degraded · 42ea507f
      Stephan Mueller authored
      As required by SP800-90A, the DRBG implements are reseeding threshold.
      This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
      implemented in drbg_max_requests.
      
      With the recently introduced changes, the DRBG is now always used as a
      stdrng which is initialized very early in the boot cycle. To ensure that
      sufficient entropy is present, the Jitter RNG is added to even provide
      entropy at early boot time.
      
      However, the 2nd seed source, the nonblocking pool, is usually
      degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
      (which I believe contains good entropy, which however is questioned by
      others) and is seeded with a degradded nonblocking pool. This seed is
      now used for quasi the lifetime of the system (2**48 requests is a lot).
      
      The patch now changes the reseed threshold as follows: up until the time
      the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
      reseeding threshold is lowered such that the DRBG is forced to reseed
      itself resonably often. Once it obtains the seed from a fully
      initialized nonblocking pool, the reseed threshold is set to the value
      required by SP800-90A.
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      42ea507f
    • Stephan Mueller's avatar
      crypto: drbg - Use callback API for random readiness · 57225e67
      Stephan Mueller authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with the new callback API which does not
      have this problem.
      
      The patch also removes the entropy buffer registered with the DRBG
      handle in favor of stack variables to hold the seed data.
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      57225e67
  16. 04 Jun, 2015 1 commit
  17. 27 May, 2015 3 commits
    • Stephan Mueller's avatar
      crypto: drbg - use Jitter RNG to obtain seed · b8ec5ba4
      Stephan Mueller authored
      During initialization, the DRBG now tries to allocate a handle of the
      Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
      pulls the required entropy/nonce string from get_random_bytes and
      concatenates it with a string of equal size from the Jitter RNG. That
      combined string is now the seed for the DRBG.
      
      Written differently, the initial seed of the DRBG is now:
      
      get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)
      
      If the Jitter RNG is not available, the DRBG only seeds from
      get_random_bytes.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      b8ec5ba4
    • Stephan Mueller's avatar
      crypto: drbg - add async seeding operation · 4c787990
      Stephan Mueller authored
      The async seeding operation is triggered during initalization right
      after the first non-blocking seeding is completed. As required by the
      asynchronous operation of random.c, a callback function is provided that
      is triggered by random.c once entropy is available. That callback
      function performs the actual seeding of the DRBG.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      4c787990
    • Stephan Mueller's avatar
      crypto: drbg - prepare for async seeding · 3d6a5f75
      Stephan Mueller authored
      In order to prepare for the addition of the asynchronous seeding call,
      the invocation of seeding the DRBG is moved out into a helper function.
      
      In addition, a block of memory is allocated during initialization time
      that will be used as a scratchpad for obtaining entropy. That scratchpad
      is used for the initial seeding operation as well as by the
      asynchronous seeding call. The memory must be zeroized every time the
      DRBG seeding call succeeds to avoid entropy data lingering in memory.
      
      CC: Andreas Steffen <andreas.steffen@strongswan.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      CC: Sandy Harris <sandyinchina@gmail.com>
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      3d6a5f75
  18. 23 Apr, 2015 1 commit
  19. 22 Apr, 2015 1 commit
  20. 21 Apr, 2015 6 commits
  21. 09 Mar, 2015 1 commit
  22. 04 Mar, 2015 2 commits
  23. 04 Jan, 2015 1 commit
  24. 22 Dec, 2014 1 commit
    • Stephan Mueller's avatar
      crypto: drbg - panic on continuous self test error · 905b42e5
      Stephan Mueller authored
      This patch adds a panic if the FIPS 140-2 self test error failed.
      Note, that entire code is only executed with fips_enabled (i.e. when the
      kernel is booted with fips=1. It is therefore not executed for 99.9% of
      all user base.
      
      As mathematically such failure cannot occur, this panic should never be
      triggered. But to comply with NISTs current requirements, an endless
      loop must be replaced with the panic.
      
      When the new version of FIPS 140 will be released, this entire
      continuous self test function will be ripped out as it will not be
      needed any more.
      
      This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
      Signed-off-by: 's avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      905b42e5
  25. 27 Nov, 2014 1 commit
  26. 26 Nov, 2014 1 commit
  27. 10 Nov, 2014 1 commit