[PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

This is a reworked version of my earlier patch series, based on feedback
from Neil Horman and Stephan Mueller.  Thank you both very much!

It's mostly the same content as before, but I've tried to improve comments
and commit messages to address questions, to reorder the patches to put
the questionable stuff at the end, and I've also (at Neil's prodding)
made some larger scale changes.

I've added appropriate const qualifiers to the RNG API, and also const
declarations to all of the self-tests in testmgr.h.  (That's a very
large but simple patch.)

The significant code improvement is the addition of what I call the
"stutter test" to testmgr.  This reads from the RNG in irregular chunks
and verifies that the output matches that produced by a more regular
pattern.  This should prevent any recurrence of CVE-2013-4345.
(It itself passed an important test by detecting a bug in my code!)

Dropped change:
* Neil said he wanted deterministic to remain the default, so I dropped
  the patch that changed the default seedsize.

Pending issues:
* Neil would like me to post the results of the NIST and FIPS test
  vectors.  The current code doesn't print anything on a successful
  test; I need to know what result format is wanted.
* Stephan says he has the FIPS test vectors referred to above and
  will send them to me when he finds them.
* Is non-deterministic mode (last three patches) wanted?

George Spelvin (25):
  crypto: ansi_cprng - unroll _get_more_prng_bytes
  crypto: ansi_cprng - Additional _get_more_prng_bytes cleanup
  crypto: ansi_cprng - Use %phN rather than print_hex_dump for debug
  crypto: ansi_cprng - Make debug output more like NIST test vectors
  crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data
  crypto: ansi_cprng - Make cont_test a bool
  crypto: ansi_cprng - Shrink context some more
  crypto: ansi_cprng - Don't call reset_prng_context from cprng_init
  crypto: ansi_cprng - Make length types consistent
  crypto: ansi_cprng - Use u8 data types consistently internally
  crypto: ansi_cprng - Eliminate unused PRNG_FIXED_SIZE flag
  crypto: ansi_cprng - Get rid of rdata buffer in fips_cprng_reset
  crypto: Add appropriate consts to RNG API
  crypto: tcrypt - Add const qualifiers all over the test code.
  crypto: testmgr - Merge seed arrays in struct cprng_testvec
  crypto: testmgr - Report failure on zero-length crypto_rng_get_bytes
  crypto: testmgr - Don't crash if CPRNG test result is large
  crypto: testmgr - Add CPRNG stutter test.
  crypto: ansi_cprng - simplify get_prng_bytes
  crypto: ansi_cprng - simplify xor_vectors() to xor_block()
  crypto: ansi_cprng - Rename rand_data_valid more sensibly
  crypto: ansi_cprng - Tweak comments
  crypto: ansi_cprng - Introduce a "union cipherblock"
  crypto: ansi_cprng - Introduce non-deterministic mode
  crypto: ansi_cprng - If non-deterministic, don't buffer old output

 crypto/ansi_cprng.c    | 369 ++++++++++++++++--------------------
 crypto/krng.c          |   2 +-
 crypto/rng.c           |   3 +-
 crypto/tcrypt.c        |  46 ++---
 crypto/tcrypt.h        |  30 +--
 crypto/testmgr.c       | 190 +++++++++++++------
 crypto/testmgr.h       | 502 ++++++++++++++++++++++++-------------------------
 include/crypto/rng.h   |   2 +-
 include/linux/crypto.h |   6 +-
 9 files changed, 587 insertions(+), 563 deletions(-)

-- 
2.1.3

[PATCH v2 01/25] crypto: ansi_cprng - unroll _get_more_prng_bytes

[George Spelvin]

It's more legible, and the code is 16 bytes smaller (i386).

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 91 +++++++++++++++++++++--------------------------------
 1 file changed, 35 insertions(+), 56 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index b63b5094..ce315bf7 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -100,69 +100,48 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
 
 	/*
-	 * This algorithm is a 3 stage state machine
+	 * Start by encrypting the counter value
+	 * This gives us an intermediate value I
 	 */
-	for (i = 0; i < 3; i++) {
+	memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
+	output = ctx->I;
+	hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
+	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
 
-		switch (i) {
-		case 0:
-			/*
-			 * Start by encrypting the counter value
-			 * This gives us an intermediate value I
-			 */
-			memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
-			output = ctx->I;
-			hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
-			break;
-		case 1:
-
-			/*
-			 * Next xor I with our secret vector V
-			 * encrypt that result to obtain our
-			 * pseudo random data which we output
-			 */
-			xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
-			hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
-			output = ctx->rand_data;
-			break;
-		case 2:
-			/*
-			 * First check that we didn't produce the same
-			 * random data that we did last time around through this
-			 */
-			if (!memcmp(ctx->rand_data, ctx->last_rand_data,
-					DEFAULT_BLK_SZ)) {
-				if (cont_test) {
-					panic("cprng %p Failed repetition check!\n",
-						ctx);
-				}
-
-				printk(KERN_ERR
-					"ctx %p Failed repetition check!\n",
-					ctx);
-
-				ctx->flags |= PRNG_NEED_RESET;
-				return -EINVAL;
-			}
-			memcpy(ctx->last_rand_data, ctx->rand_data,
-				DEFAULT_BLK_SZ);
+	/*
+	 * Next xor I with our secret vector V
+	 * encrypt that result to obtain our
+	 * pseudo random data which we output
+	 */
+	xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
+	hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
+	output = ctx->rand_data;
+	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
 
-			/*
-			 * Lastly xor the random data with I
-			 * and encrypt that to obtain a new secret vector V
-			 */
-			xor_vectors(ctx->rand_data, ctx->I, tmp,
-				DEFAULT_BLK_SZ);
-			output = ctx->V;
-			hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
-			break;
+	/*
+	 * First check that we didn't produce the same
+	 * random data that we did last time around through this
+	 */
+	if (!memcmp(ctx->rand_data, ctx->last_rand_data, DEFAULT_BLK_SZ)) {
+		if (cont_test) {
+			panic("cprng %p Failed repetition check!\n", ctx);
 		}
 
+		printk(KERN_ERR "ctx %p Failed repetition check!\n", ctx);
 
-		/* do the encryption */
-		crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
-
+		ctx->flags |= PRNG_NEED_RESET;
+		return -EINVAL;
 	}
+	memcpy(ctx->last_rand_data, ctx->rand_data, DEFAULT_BLK_SZ);
+
+	/*
+	 * Lastly xor the random data with I
+	 * and encrypt that to obtain a new secret vector V
+	 */
+	xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
+	output = ctx->V;
+	hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
+	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
 
 	/*
 	 * Now update our DT value
-- 
2.1.3

[PATCH v2 02/25] crypto: ansi_cprng - Additional _get_more_prng_bytes cleanup

[George Spelvin]

The local variable "output" is no longer required.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index ce315bf7..143e0cfa 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -89,8 +89,6 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 {
 	int i;
 	unsigned char tmp[DEFAULT_BLK_SZ];
-	unsigned char *output = NULL;
-
 
 	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
 		ctx);
@@ -104,9 +102,8 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	 * This gives us an intermediate value I
 	 */
 	memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
-	output = ctx->I;
 	hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
-	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->I, tmp);
 
 	/*
 	 * Next xor I with our secret vector V
@@ -115,8 +112,7 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	 */
 	xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
 	hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
-	output = ctx->rand_data;
-	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->rand_data, tmp);
 
 	/*
 	 * First check that we didn't produce the same
@@ -139,9 +135,8 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	 * and encrypt that to obtain a new secret vector V
 	 */
 	xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
-	output = ctx->V;
 	hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
-	crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, tmp);
 
 	/*
 	 * Now update our DT value
-- 
2.1.3

[PATCH v2 03/25] crypto: ansi_cprng - Use %phN rather than print_hex_dump for debug

[George Spelvin]

Since the goal is to compare to NIST test vectors, which are printed
on a single like without spaces, this comes much closer.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 143e0cfa..b54e4e75 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -60,10 +60,7 @@ static int dbg;
 static void hexdump(char *note, unsigned char *buf, unsigned int len)
 {
 	if (dbg) {
-		printk(KERN_CRIT "%s", note);
-		print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
-				16, 1,
-				buf, len, false);
+		printk(KERN_CRIT "%s%*phN", note, (int)len, buf);
 	}
 }
 
-- 
2.1.3

[PATCH v2 04/25] crypto: ansi_cprng - Make debug output more like NIST test vectors

[George Spelvin]

This uses more meaningful labels (if you have the spec as a
reference), and avoids printing some stuff (like the original DT)
twice.

It also strips out the len parameter and uses a fixed length of
DEFAULT_BLK_SZ.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index b54e4e75..325aa727d 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -19,6 +19,7 @@
 #include <linux/module.h>
 #include <linux/moduleparam.h>
 #include <linux/string.h>
+#include <linux/stringify.h>
 
 #include "internal.h"
 
@@ -57,10 +58,11 @@ struct prng_context {
 
 static int dbg;
 
-static void hexdump(char *note, unsigned char *buf, unsigned int len)
+static void hexdump(char const *note, const unsigned char buf[DEFAULT_BLK_SZ])
 {
 	if (dbg) {
-		printk(KERN_CRIT "%s%*phN", note, (int)len, buf);
+		printk(KERN_CRIT "%s = %" __stringify(DEFAULT_BLK_SZ) "phN",
+			note, buf);
 	}
 }
 
@@ -90,17 +92,16 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
 		ctx);
 
-	hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ);
-	hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ);
-	hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
+	hexdump("DT", ctx->DT);
+	hexdump("V", ctx->V);
 
 	/*
 	 * Start by encrypting the counter value
 	 * This gives us an intermediate value I
 	 */
 	memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
-	hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
 	crypto_cipher_encrypt_one(ctx->tfm, ctx->I, tmp);
+	hexdump("I", ctx->I);
 
 	/*
 	 * Next xor I with our secret vector V
@@ -108,8 +109,9 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	 * pseudo random data which we output
 	 */
 	xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
-	hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
+	hexdump("V^I", tmp);
 	crypto_cipher_encrypt_one(ctx->tfm, ctx->rand_data, tmp);
+	hexdump("R", ctx->rand_data);
 
 	/*
 	 * First check that we didn't produce the same
@@ -132,8 +134,9 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	 * and encrypt that to obtain a new secret vector V
 	 */
 	xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
-	hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
+	hexdump("R^I", tmp);
 	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, tmp);
+	hexdump("V'", ctx->V);
 
 	/*
 	 * Now update our DT value
@@ -143,15 +146,11 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 		if (ctx->DT[i] != 0)
 			break;
 	}
+	hexdump("DT'", ctx->DT);
 
 	dbgprint("Returning new block for context %p\n", ctx);
 	ctx->rand_data_valid = 0;
 
-	hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ);
-	hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ);
-	hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ);
-	hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
-
 	return 0;
 }
 
-- 
2.1.3

[PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data

[George Spelvin]

Careful use of the other available buffers avoids the need for
these, shrinking the context by 32 bytes.

Neither the debug output nor the FIPS-required anti-repetition check
are changed in the slightest.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 50 ++++++++++++++++++++++++--------------------------
 1 file changed, 24 insertions(+), 26 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 325aa727d..2edac42e 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -37,19 +37,14 @@
 
 /*
  * Note: DT is our counter value
- *	 I is our intermediate value
  *	 V is our seed vector
  * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
  * for implementation details
  */
-
-
 struct prng_context {
 	spinlock_t prng_lock;
 	unsigned char rand_data[DEFAULT_BLK_SZ];
-	unsigned char last_rand_data[DEFAULT_BLK_SZ];
 	unsigned char DT[DEFAULT_BLK_SZ];
-	unsigned char I[DEFAULT_BLK_SZ];
 	unsigned char V[DEFAULT_BLK_SZ];
 	u32 rand_data_valid;
 	struct crypto_cipher *tfm;
@@ -97,27 +92,27 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 
 	/*
 	 * Start by encrypting the counter value
-	 * This gives us an intermediate value I
+	 * This gives us an intermediate value I (stored in tmp)
 	 */
-	memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
-	crypto_cipher_encrypt_one(ctx->tfm, ctx->I, tmp);
-	hexdump("I", ctx->I);
+	crypto_cipher_encrypt_one(ctx->tfm, tmp, ctx->DT);
+	hexdump("I", tmp);
 
 	/*
-	 * Next xor I with our secret vector V
-	 * encrypt that result to obtain our
-	 * pseudo random data which we output
+	 * Next xor I with our secret vector V.  Encrypt that result
+	 * to obtain our pseudo random data which we output.  But
+	 * keep that output in ctx->V for the moment; we need the
+	 * previous rand_data for ons more thing.
 	 */
-	xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
-	hexdump("V^I", tmp);
-	crypto_cipher_encrypt_one(ctx->tfm, ctx->rand_data, tmp);
-	hexdump("R", ctx->rand_data);
+	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+	hexdump("V^I", ctx->V);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
+	hexdump("R", ctx->V);
 
 	/*
-	 * First check that we didn't produce the same
-	 * random data that we did last time around through this
+	 * Check that we didn't produce the same random data that we
+	 * did last time around.
 	 */
-	if (!memcmp(ctx->rand_data, ctx->last_rand_data, DEFAULT_BLK_SZ)) {
+	if (!memcmp(ctx->V, ctx->rand_data, DEFAULT_BLK_SZ)) {
 		if (cont_test) {
 			panic("cprng %p Failed repetition check!\n", ctx);
 		}
@@ -127,15 +122,19 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 		ctx->flags |= PRNG_NEED_RESET;
 		return -EINVAL;
 	}
-	memcpy(ctx->last_rand_data, ctx->rand_data, DEFAULT_BLK_SZ);
+	/*
+	 * Okay, the new data is okay, copy it to the buffer.
+	 */
+	memcpy(ctx->rand_data, ctx->V, DEFAULT_BLK_SZ);
 
 	/*
-	 * Lastly xor the random data with I
-	 * and encrypt that to obtain a new secret vector V
+	 * Lastly xor the random data with I and encrypt that to obtain
+	 * a new secret vector V.
 	 */
-	xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
-	hexdump("R^I", tmp);
-	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, tmp);
+	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+	hexdump("R^I", ctx->V);
+	memzero_explicit(tmp, DEFAULT_BLK_SZ);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
 	hexdump("V'", ctx->V);
 
 	/*
@@ -272,7 +271,6 @@ static int reset_prng_context(struct prng_context *ctx,
 		memset(ctx->DT, 0, DEFAULT_BLK_SZ);
 
 	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
-	memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
 
 	ctx->rand_data_valid = DEFAULT_BLK_SZ;
 
-- 
2.1.3

[PATCH v2 06/25] crypto: ansi_cprng - Make cont_test a bool

[George Spelvin]

This makes no difference to the generated code, but I like to use bool
where appropriate for documentation.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 2edac42e..730e0857 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -79,7 +79,7 @@ static void xor_vectors(unsigned char *in1, unsigned char *in2,
  * Returns DEFAULT_BLK_SZ bytes of random data per call
  * returns 0 if generation succeeded, <0 if something went wrong
  */
-static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
+static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 {
 	int i;
 	unsigned char tmp[DEFAULT_BLK_SZ];
@@ -155,7 +155,7 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 
 /* Our exported functions */
 static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx,
-				int do_cont_test)
+				bool do_cont_test)
 {
 	unsigned char *ptr = buf;
 	unsigned int byte_count = (unsigned int)nbytes;
@@ -322,7 +322,7 @@ static int cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
 {
 	struct prng_context *prng = crypto_rng_ctx(tfm);
 
-	return get_prng_bytes(rdata, dlen, prng, 0);
+	return get_prng_bytes(rdata, dlen, prng, false);
 }
 
 /*
@@ -356,7 +356,7 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
 {
 	struct prng_context *prng = crypto_rng_ctx(tfm);
 
-	return get_prng_bytes(rdata, dlen, prng, 1);
+	return get_prng_bytes(rdata, dlen, prng, true);
 }
 
 static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
@@ -380,7 +380,7 @@ static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
 		goto out;
 
 	/* this primes our continuity test */
-	rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, 0);
+	rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, false);
 	prng->rand_data_valid = DEFAULT_BLK_SZ;
 
 out:
-- 
2.1.3

[PATCH v2 07/25] crypto: ansi_cprng - Shrink context some more

[George Spelvin]

ctx->flags only has 2 bits assigned, so there's no need for a
32-bit field.  Likewise, rand_data_valid is at most 16.

A typical x86 spinlock_t is 16 bits, so they fit very nicely
right next to it, shrinking the 64-bit context structure to
64 bytes.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 730e0857..022662d7 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -43,12 +43,12 @@
  */
 struct prng_context {
 	spinlock_t prng_lock;
+	u8 flags;
+	u8 rand_data_valid;
 	unsigned char rand_data[DEFAULT_BLK_SZ];
 	unsigned char DT[DEFAULT_BLK_SZ];
 	unsigned char V[DEFAULT_BLK_SZ];
-	u32 rand_data_valid;
 	struct crypto_cipher *tfm;
-	u32 flags;
 };
 
 static int dbg;
-- 
2.1.3

[PATCH v2 08/25] crypto: ansi_cprng - Don't call reset_prng_context from cprng_init

[George Spelvin]

The PRNG_NEEDS_RESET flag ensures that it will be called, so
reset_prng_context() no longer needs to support NULL key and V pointers.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 47 ++++++++++++++---------------------------------
 1 file changed, 14 insertions(+), 33 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 022662d7..62b8f958 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -23,10 +23,8 @@
 
 #include "internal.h"
 
-#define DEFAULT_PRNG_KEY "0123456789abcdef"
 #define DEFAULT_PRNG_KSZ 16
 #define DEFAULT_BLK_SZ 16
-#define DEFAULT_V_SEED "zaybxcwdveuftgsh"
 
 /*
  * Flags for the prng_context flags field
@@ -250,41 +248,28 @@ static int reset_prng_context(struct prng_context *ctx,
 			      unsigned char *V, unsigned char *DT)
 {
 	int ret;
-	unsigned char *prng_key;
 
 	spin_lock_bh(&ctx->prng_lock);
 	ctx->flags |= PRNG_NEED_RESET;
-
-	prng_key = (key != NULL) ? key : (unsigned char *)DEFAULT_PRNG_KEY;
-
-	if (!key)
-		klen = DEFAULT_PRNG_KSZ;
-
-	if (V)
-		memcpy(ctx->V, V, DEFAULT_BLK_SZ);
-	else
-		memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ);
-
-	if (DT)
-		memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
-	else
-		memset(ctx->DT, 0, DEFAULT_BLK_SZ);
-
-	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
-
 	ctx->rand_data_valid = DEFAULT_BLK_SZ;
 
-	ret = crypto_cipher_setkey(ctx->tfm, prng_key, klen);
+	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
+
+	if (!DT)
+		DT = ctx->rand_data;	/* Use all-zeros if NULL */
+
+	memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
+	memcpy(ctx->V, V, DEFAULT_BLK_SZ);
+
+	ret = crypto_cipher_setkey(ctx->tfm, key, klen);
 	if (ret) {
 		dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x\n",
 			crypto_cipher_get_flags(ctx->tfm));
-		goto out;
+	} else {
+		ctx->flags &= ~PRNG_NEED_RESET;
 	}
-
-	ret = 0;
-	ctx->flags &= ~PRNG_NEED_RESET;
-out:
 	spin_unlock_bh(&ctx->prng_lock);
+
 	return ret;
 }
 
@@ -300,13 +285,9 @@ static int cprng_init(struct crypto_tfm *tfm)
 		return PTR_ERR(ctx->tfm);
 	}
 
-	if (reset_prng_context(ctx, NULL, DEFAULT_PRNG_KSZ, NULL, NULL) < 0)
-		return -EINVAL;
-
 	/*
-	 * after allocation, we should always force the user to reset
-	 * so they don't inadvertently use the insecure default values
-	 * without specifying them intentially
+	 * After allocation, we always force the user to reset, which
+	 * completes initialization of the context.
 	 */
 	ctx->flags |= PRNG_NEED_RESET;
 	return 0;
-- 
2.1.3

[PATCH v2 09/25] crypto: ansi_cprng - Make length types consistent

[George Spelvin]

The public crypto API uses "unsigned int", but the internals used
a mixture of that and size_t, which are different sizes on 64 bits.

This shuts up a GCC warning about printf format.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 62b8f958..d4106e54 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -152,11 +152,11 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 }
 
 /* Our exported functions */
-static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx,
-				bool do_cont_test)
+static int get_prng_bytes(char *buf, unsigned int nbytes,
+			  struct prng_context *ctx, bool do_cont_test)
 {
 	unsigned char *ptr = buf;
-	unsigned int byte_count = (unsigned int)nbytes;
+	unsigned int byte_count = nbytes;
 	int err;
 
 
@@ -244,7 +244,7 @@ static void free_prng_context(struct prng_context *ctx)
 }
 
 static int reset_prng_context(struct prng_context *ctx,
-			      unsigned char *key, size_t klen,
+			      unsigned char *key, unsigned int klen,
 			      unsigned char *V, unsigned char *DT)
 {
 	int ret;
-- 
2.1.3

[PATCH v2 10/25] crypto: ansi_cprng - Use u8 data types consistently internally

[George Spelvin]

Yes, they're equivalent to "unsigned char", but let's stick with what
the crypto API uses externally.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index d4106e54..74ec151e 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -43,15 +43,15 @@ struct prng_context {
 	spinlock_t prng_lock;
 	u8 flags;
 	u8 rand_data_valid;
-	unsigned char rand_data[DEFAULT_BLK_SZ];
-	unsigned char DT[DEFAULT_BLK_SZ];
-	unsigned char V[DEFAULT_BLK_SZ];
+	u8 rand_data[DEFAULT_BLK_SZ];
+	u8 DT[DEFAULT_BLK_SZ];
+	u8 V[DEFAULT_BLK_SZ];
 	struct crypto_cipher *tfm;
 };
 
 static int dbg;
 
-static void hexdump(char const *note, const unsigned char buf[DEFAULT_BLK_SZ])
+static void hexdump(char const *note, const u8 buf[DEFAULT_BLK_SZ])
 {
 	if (dbg) {
 		printk(KERN_CRIT "%s = %" __stringify(DEFAULT_BLK_SZ) "phN",
@@ -64,8 +64,8 @@ if (dbg)\
 	printk(format, ##args);\
 } while (0)
 
-static void xor_vectors(unsigned char *in1, unsigned char *in2,
-			unsigned char *out, unsigned int size)
+static void xor_vectors(const u8 *in1, const u8 *in2,
+			u8 *out, unsigned int size)
 {
 	int i;
 
@@ -80,7 +80,7 @@ static void xor_vectors(unsigned char *in1, unsigned char *in2,
 static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 {
 	int i;
-	unsigned char tmp[DEFAULT_BLK_SZ];
+	u8 tmp[DEFAULT_BLK_SZ];
 
 	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
 		ctx);
@@ -152,10 +152,10 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 }
 
 /* Our exported functions */
-static int get_prng_bytes(char *buf, unsigned int nbytes,
+static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 			  struct prng_context *ctx, bool do_cont_test)
 {
-	unsigned char *ptr = buf;
+	u8 *ptr = buf;
 	unsigned int byte_count = nbytes;
 	int err;
 
@@ -243,9 +243,8 @@ static void free_prng_context(struct prng_context *ctx)
 	crypto_free_cipher(ctx->tfm);
 }
 
-static int reset_prng_context(struct prng_context *ctx,
-			      unsigned char *key, unsigned int klen,
-			      unsigned char *V, unsigned char *DT)
+static int reset_prng_context(struct prng_context *ctx, const u8 *key,
+			      unsigned int klen, const u8 *V, const u8 *DT)
 {
 	int ret;
 
-- 
2.1.3

[PATCH v2 11/25] crypto: ansi_cprng - Eliminate unused PRNG_FIXED_SIZE flag

[George Spelvin]

There's no way to set it, so it's dead code.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 74ec151e..f6a1e987 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -30,8 +30,7 @@
  * Flags for the prng_context flags field
  */
 
-#define PRNG_FIXED_SIZE 0x1
-#define PRNG_NEED_RESET 0x2
+#define PRNG_NEED_RESET 0x1
 
 /*
  * Note: DT is our counter value
@@ -166,17 +165,6 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 	if (ctx->flags & PRNG_NEED_RESET)
 		goto done;
 
-	/*
-	 * If the FIXED_SIZE flag is on, only return whole blocks of
-	 * pseudo random data
-	 */
-	err = -EINVAL;
-	if (ctx->flags & PRNG_FIXED_SIZE) {
-		if (nbytes < DEFAULT_BLK_SZ)
-			goto done;
-		byte_count = DEFAULT_BLK_SZ;
-	}
-
 	err = byte_count;
 
 	dbgprint(KERN_CRIT "getting %d random bytes for context %p\n",
-- 
2.1.3

[PATCH v2 12/25] crypto: ansi_cprng - Get rid of rdata buffer in fips_cprng_reset

[George Spelvin]

Calling the lower-level function does what's needed with less overhead.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index f6a1e987..249b944f 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -329,7 +329,6 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
 
 static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
 {
-	u8 rdata[DEFAULT_BLK_SZ];
 	u8 *key = seed + DEFAULT_BLK_SZ;
 	int rc;
 
@@ -348,7 +347,7 @@ static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
 		goto out;
 
 	/* this primes our continuity test */
-	rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, false);
+	rc = _get_more_prng_bytes(prng, false);
 	prng->rand_data_valid = DEFAULT_BLK_SZ;
 
 out:
-- 
2.1.3

[PATCH v2 13/25] crypto: Add appropriate consts to RNG API

[George Spelvin]

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c    | 11 ++++++-----
 crypto/krng.c          |  2 +-
 crypto/rng.c           |  3 ++-
 include/crypto/rng.h   |  2 +-
 include/linux/crypto.h |  6 ++++--
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 249b944f..c1c81266 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -299,11 +299,11 @@ static int cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
  *  V and KEY are required during reset, and DT is optional, detected
  *  as being present by testing the length of the seed
  */
-static int cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
+static int cprng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
 {
 	struct prng_context *prng = crypto_rng_ctx(tfm);
-	u8 *key = seed + DEFAULT_BLK_SZ;
-	u8 *dt = NULL;
+	const u8 *key = seed + DEFAULT_BLK_SZ;
+	const u8 *dt = NULL;
 
 	if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
 		return -EINVAL;
@@ -327,9 +327,10 @@ static int fips_cprng_get_random(struct crypto_rng *tfm, u8 *rdata,
 	return get_prng_bytes(rdata, dlen, prng, true);
 }
 
-static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
+static int fips_cprng_reset(struct crypto_rng *tfm, const u8 *seed,
+			    unsigned int slen)
 {
-	u8 *key = seed + DEFAULT_BLK_SZ;
+	const u8 *key = seed + DEFAULT_BLK_SZ;
 	int rc;
 
 	struct prng_context *prng = crypto_rng_ctx(tfm);
diff --git a/crypto/krng.c b/crypto/krng.c
index a2d2b72f..007ea7e3 100644
--- a/crypto/krng.c
+++ b/crypto/krng.c
@@ -22,7 +22,7 @@ static int krng_get_random(struct crypto_rng *tfm, u8 *rdata, unsigned int dlen)
 	return 0;
 }
 
-static int krng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
+static int krng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
 {
 	return 0;
 }
diff --git a/crypto/rng.c b/crypto/rng.c
index e0a25c24..9e3a6efd 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -29,7 +29,8 @@ struct crypto_rng *crypto_default_rng;
 EXPORT_SYMBOL_GPL(crypto_default_rng);
 static int crypto_default_rng_refcnt;
 
-static int rngapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
+static int rngapi_reset(struct crypto_rng *tfm, const u8 *seed,
+			unsigned int slen)
 {
 	u8 *buf = NULL;
 	int err;
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index c93f9b91..9659300a 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -62,7 +62,7 @@ static inline int crypto_rng_get_bytes(struct crypto_rng *tfm,
 }
 
 static inline int crypto_rng_reset(struct crypto_rng *tfm,
-				   u8 *seed, unsigned int slen)
+				   const u8 *seed, unsigned int slen)
 {
 	return crypto_rng_crt(tfm)->rng_reset(tfm, seed, slen);
 }
diff --git a/include/linux/crypto.h b/include/linux/crypto.h
index d45e9496..8aa6350b 100644
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -264,7 +264,8 @@ struct compress_alg {
 struct rng_alg {
 	int (*rng_make_random)(struct crypto_rng *tfm, u8 *rdata,
 			       unsigned int dlen);
-	int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
+	int (*rng_reset)(struct crypto_rng *tfm, const u8 *seed,
+			       unsigned int slen);
 
 	unsigned int seedsize;
 };
@@ -399,7 +400,8 @@ struct compress_tfm {
 struct rng_tfm {
 	int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
 			      unsigned int dlen);
-	int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
+	int (*rng_reset)(struct crypto_rng *tfm, const u8 *seed,
+			 unsigned int slen);
 };
 
 #define crt_ablkcipher	crt_u.ablkcipher
-- 
2.1.3

[PATCH v2 14/25] crypto: tcrypt - Add const qualifiers all over the test code.

[George Spelvin]

Huge diff, but simple.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/tcrypt.c  |  46 +++----
 crypto/tcrypt.h  |  30 ++--
 crypto/testmgr.c |  58 ++++----
 crypto/testmgr.h | 410 +++++++++++++++++++++++++++----------------------------
 4 files changed, 276 insertions(+), 268 deletions(-)

diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 890449e6..38a57ad0 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -63,7 +63,7 @@ static u32 mask;
 static int mode;
 static char *tvmem[TVMEMSIZE];
 
-static char *check[] = {
+static const char * const check[] = {
 	"des", "md5", "des3_ede", "rot13", "sha1", "sha224", "sha256",
 	"blowfish", "twofish", "serpent", "sha384", "sha512", "md4", "aes",
 	"cast6", "arc4", "michael_mic", "deflate", "crc32c", "tea", "xtea",
@@ -211,8 +211,8 @@ out:
 	return ret;
 }
 
-static u32 block_sizes[] = { 16, 64, 256, 1024, 8192, 0 };
-static u32 aead_sizes[] = { 16, 64, 256, 512, 1024, 2048, 4096, 8192, 0 };
+static const u32 block_sizes[] = { 16, 64, 256, 1024, 8192, 0 };
+static const u32 aead_sizes[] = { 16, 64, 256, 512, 1024, 2048, 4096, 8192, 0 };
 
 #define XBUFSIZE 8
 #define MAX_IVLEN 32
@@ -266,9 +266,9 @@ static void sg_init_aead(struct scatterlist *sg, char *xbuf[XBUFSIZE],
 }
 
 static void test_aead_speed(const char *algo, int enc, unsigned int secs,
-			    struct aead_speed_template *template,
+			    const struct aead_speed_template *template,
 			    unsigned int tcount, u8 authsize,
-			    unsigned int aad_size, u8 *keysize)
+			    unsigned int aad_size, const u8 *keysize)
 {
 	unsigned int i, j;
 	struct crypto_aead *tfm;
@@ -284,7 +284,7 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs,
 	char *xbuf[XBUFSIZE];
 	char *xoutbuf[XBUFSIZE];
 	char *axbuf[XBUFSIZE];
-	unsigned int *b_size;
+	const unsigned int *b_size;
 	unsigned int iv_len;
 
 	if (aad_size >= PAGE_SIZE) {
@@ -412,8 +412,8 @@ out_noxbuf:
 }
 
 static void test_cipher_speed(const char *algo, int enc, unsigned int secs,
-			      struct cipher_speed_template *template,
-			      unsigned int tcount, u8 *keysize)
+			      const struct cipher_speed_template *template,
+			      unsigned int tcount, const u8 *keysize)
 {
 	unsigned int ret, i, j, iv_len;
 	const char *key;
@@ -421,7 +421,7 @@ static void test_cipher_speed(const char *algo, int enc, unsigned int secs,
 	struct crypto_blkcipher *tfm;
 	struct blkcipher_desc desc;
 	const char *e;
-	u32 *b_size;
+	const u32 *b_size;
 
 	if (enc == ENCRYPT)
 	        e = "encryption";
@@ -513,7 +513,7 @@ out:
 
 static int test_hash_jiffies_digest(struct hash_desc *desc,
 				    struct scatterlist *sg, int blen,
-				    char *out, int secs)
+				    u8 *out, int secs)
 {
 	unsigned long start, end;
 	int bcount;
@@ -533,7 +533,7 @@ static int test_hash_jiffies_digest(struct hash_desc *desc,
 }
 
 static int test_hash_jiffies(struct hash_desc *desc, struct scatterlist *sg,
-			     int blen, int plen, char *out, int secs)
+			     int blen, int plen, u8 *out, int secs)
 {
 	unsigned long start, end;
 	int bcount, pcount;
@@ -565,7 +565,7 @@ static int test_hash_jiffies(struct hash_desc *desc, struct scatterlist *sg,
 }
 
 static int test_hash_cycles_digest(struct hash_desc *desc,
-				   struct scatterlist *sg, int blen, char *out)
+				   struct scatterlist *sg, int blen, u8 *out)
 {
 	unsigned long cycles = 0;
 	int i;
@@ -608,7 +608,7 @@ out:
 }
 
 static int test_hash_cycles(struct hash_desc *desc, struct scatterlist *sg,
-			    int blen, int plen, char *out)
+			    int blen, int plen, u8 *out)
 {
 	unsigned long cycles = 0;
 	int i, pcount;
@@ -681,7 +681,7 @@ static void test_hash_sg_init(struct scatterlist *sg)
 }
 
 static void test_hash_speed(const char *algo, unsigned int secs,
-			    struct hash_speed *speed)
+			    const struct hash_speed *speed)
 {
 	struct scatterlist sg[TVMEMSIZE];
 	struct crypto_hash *tfm;
@@ -773,7 +773,7 @@ static inline int do_one_ahash_op(struct ahash_request *req, int ret)
 }
 
 static int test_ahash_jiffies_digest(struct ahash_request *req, int blen,
-				     char *out, int secs)
+				     u8 *out, int secs)
 {
 	unsigned long start, end;
 	int bcount;
@@ -793,7 +793,7 @@ static int test_ahash_jiffies_digest(struct ahash_request *req, int blen,
 }
 
 static int test_ahash_jiffies(struct ahash_request *req, int blen,
-			      int plen, char *out, int secs)
+			      int plen, u8 *out, int secs)
 {
 	unsigned long start, end;
 	int bcount, pcount;
@@ -825,7 +825,7 @@ static int test_ahash_jiffies(struct ahash_request *req, int blen,
 }
 
 static int test_ahash_cycles_digest(struct ahash_request *req, int blen,
-				    char *out)
+				    u8 *out)
 {
 	unsigned long cycles = 0;
 	int ret, i;
@@ -863,7 +863,7 @@ out:
 }
 
 static int test_ahash_cycles(struct ahash_request *req, int blen,
-			     int plen, char *out)
+			     int plen, u8 *out)
 {
 	unsigned long cycles = 0;
 	int i, pcount, ret;
@@ -920,7 +920,7 @@ out:
 }
 
 static void test_ahash_speed(const char *algo, unsigned int secs,
-			     struct hash_speed *speed)
+			     const struct hash_speed *speed)
 {
 	struct scatterlist sg[TVMEMSIZE];
 	struct tcrypt_result tresult;
@@ -1075,8 +1075,8 @@ out:
 }
 
 static void test_acipher_speed(const char *algo, int enc, unsigned int secs,
-			       struct cipher_speed_template *template,
-			       unsigned int tcount, u8 *keysize)
+			       const struct cipher_speed_template *template,
+			       unsigned int tcount, const u8 *keysize)
 {
 	unsigned int ret, i, j, k, iv_len;
 	struct tcrypt_result tresult;
@@ -1085,7 +1085,7 @@ static void test_acipher_speed(const char *algo, int enc, unsigned int secs,
 	struct ablkcipher_request *req;
 	struct crypto_ablkcipher *tfm;
 	const char *e;
-	u32 *b_size;
+	const u32 *b_size;
 
 	if (enc == ENCRYPT)
 		e = "encryption";
@@ -1204,7 +1204,7 @@ out:
 
 static void test_available(void)
 {
-	char **name = check;
+	const char * const *name = check;
 
 	while (*name) {
 		printk("alg %s ", *name);
diff --git a/crypto/tcrypt.h b/crypto/tcrypt.h
index 6c7e21a0..f042476a 100644
--- a/crypto/tcrypt.h
+++ b/crypto/tcrypt.h
@@ -38,7 +38,7 @@ struct hash_speed {
  */
 #define DES3_SPEED_VECTORS	1
 
-static struct cipher_speed_template des3_speed_template[] = {
+static const struct cipher_speed_template des3_speed_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\x55\x55\x55\x55\x55\x55\x55\x55"
@@ -50,27 +50,27 @@ static struct cipher_speed_template des3_speed_template[] = {
 /*
  * Cipher speed tests
  */
-static u8 speed_template_8[] = {8, 0};
-static u8 speed_template_24[] = {24, 0};
-static u8 speed_template_8_16[] = {8, 16, 0};
-static u8 speed_template_8_32[] = {8, 32, 0};
-static u8 speed_template_16_32[] = {16, 32, 0};
-static u8 speed_template_16_24_32[] = {16, 24, 32, 0};
-static u8 speed_template_20_28_36[] = {20, 28, 36, 0};
-static u8 speed_template_32_40_48[] = {32, 40, 48, 0};
-static u8 speed_template_32_48[] = {32, 48, 0};
-static u8 speed_template_32_48_64[] = {32, 48, 64, 0};
-static u8 speed_template_32_64[] = {32, 64, 0};
+static const u8 speed_template_8[] = {8, 0};
+static const u8 speed_template_24[] = {24, 0};
+static const u8 speed_template_8_16[] = {8, 16, 0};
+static const u8 speed_template_8_32[] = {8, 32, 0};
+static const u8 speed_template_16_32[] = {16, 32, 0};
+static const u8 speed_template_16_24_32[] = {16, 24, 32, 0};
+static const u8 speed_template_20_28_36[] = {20, 28, 36, 0};
+static const u8 speed_template_32_40_48[] = {32, 40, 48, 0};
+static const u8 speed_template_32_48[] = {32, 48, 0};
+static const u8 speed_template_32_48_64[] = {32, 48, 64, 0};
+static const u8 speed_template_32_64[] = {32, 64, 0};
 
 /*
  * AEAD speed tests
  */
-static u8 aead_speed_template_20[] = {20, 0};
+static const u8 aead_speed_template_20[] = {20, 0};
 
 /*
  * Digest speed tests
  */
-static struct hash_speed generic_hash_speed_template[] = {
+static const struct hash_speed generic_hash_speed_template[] = {
 	{ .blen = 16,	.plen = 16, },
 	{ .blen = 64,	.plen = 16, },
 	{ .blen = 64,	.plen = 64, },
@@ -98,7 +98,7 @@ static struct hash_speed generic_hash_speed_template[] = {
 	{  .blen = 0,	.plen = 0, }
 };
 
-static struct hash_speed hash_speed_template_16[] = {
+static const struct hash_speed hash_speed_template_16[] = {
 	{ .blen = 16,	.plen = 16,	.klen = 16, },
 	{ .blen = 64,	.plen = 16,	.klen = 16, },
 	{ .blen = 64,	.plen = 64,	.klen = 16, },
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 29a0cbdd..9f4746eb 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -73,44 +73,44 @@ struct tcrypt_result {
 
 struct aead_test_suite {
 	struct {
-		struct aead_testvec *vecs;
+		const struct aead_testvec *vecs;
 		unsigned int count;
 	} enc, dec;
 };
 
 struct cipher_test_suite {
 	struct {
-		struct cipher_testvec *vecs;
+		const struct cipher_testvec *vecs;
 		unsigned int count;
 	} enc, dec;
 };
 
 struct comp_test_suite {
 	struct {
-		struct comp_testvec *vecs;
+		const struct comp_testvec *vecs;
 		unsigned int count;
 	} comp, decomp;
 };
 
 struct pcomp_test_suite {
 	struct {
-		struct pcomp_testvec *vecs;
+		const struct pcomp_testvec *vecs;
 		unsigned int count;
 	} comp, decomp;
 };
 
 struct hash_test_suite {
-	struct hash_testvec *vecs;
+	const struct hash_testvec *vecs;
 	unsigned int count;
 };
 
 struct cprng_test_suite {
-	struct cprng_testvec *vecs;
+	const struct cprng_testvec *vecs;
 	unsigned int count;
 };
 
 struct drbg_test_suite {
-	struct drbg_testvec *vecs;
+	const struct drbg_testvec *vecs;
 	unsigned int count;
 };
 
@@ -131,9 +131,10 @@ struct alg_test_desc {
 	} suite;
 };
 
-static unsigned int IDX[8] = { IDX1, IDX2, IDX3, IDX4, IDX5, IDX6, IDX7, IDX8 };
+static const unsigned int IDX[8] =
+			{ IDX1, IDX2, IDX3, IDX4, IDX5, IDX6, IDX7, IDX8 };
 
-static void hexdump(unsigned char *buf, unsigned int len)
+static void hexdump(const u8 *buf, unsigned int len)
 {
 	print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
 			16, 1,
@@ -189,7 +190,8 @@ static int wait_async_op(struct tcrypt_result *tr, int ret)
 	return ret;
 }
 
-static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
+static int __test_hash(struct crypto_ahash *tfm,
+		       const struct hash_testvec *template,
 		       unsigned int tcount, bool use_digest,
 		       const int align_offset)
 {
@@ -389,7 +391,8 @@ out_nobuf:
 	return ret;
 }
 
-static int test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
+static int test_hash(struct crypto_ahash *tfm,
+		     const struct hash_testvec *template,
 		     unsigned int tcount, bool use_digest)
 {
 	unsigned int alignmask;
@@ -417,7 +420,7 @@ static int test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
 }
 
 static int __test_aead(struct crypto_aead *tfm, int enc,
-		       struct aead_testvec *template, unsigned int tcount,
+		       const struct aead_testvec *template, unsigned int tcount,
 		       const bool diff_dst, const int align_offset)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm));
@@ -799,7 +802,7 @@ out_noxbuf:
 }
 
 static int test_aead(struct crypto_aead *tfm, int enc,
-		     struct aead_testvec *template, unsigned int tcount)
+		     const struct aead_testvec *template, unsigned int tcount)
 {
 	unsigned int alignmask;
 	int ret;
@@ -832,11 +835,12 @@ static int test_aead(struct crypto_aead *tfm, int enc,
 }
 
 static int test_cipher(struct crypto_cipher *tfm, int enc,
-		       struct cipher_testvec *template, unsigned int tcount)
+		       const struct cipher_testvec *template,
+		       unsigned int tcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
 	unsigned int i, j, k;
-	char *q;
+	const char *q;
 	const char *e;
 	void *data;
 	char *xbuf[XBUFSIZE];
@@ -907,7 +911,8 @@ out_nobuf:
 }
 
 static int __test_skcipher(struct crypto_ablkcipher *tfm, int enc,
-			   struct cipher_testvec *template, unsigned int tcount,
+			   const struct cipher_testvec *template,
+			   unsigned int tcount,
 			   const bool diff_dst, const int align_offset)
 {
 	const char *algo =
@@ -1154,7 +1159,8 @@ out_nobuf:
 }
 
 static int test_skcipher(struct crypto_ablkcipher *tfm, int enc,
-			 struct cipher_testvec *template, unsigned int tcount)
+			 const struct cipher_testvec *template,
+			 unsigned int tcount)
 {
 	unsigned int alignmask;
 	int ret;
@@ -1186,8 +1192,10 @@ static int test_skcipher(struct crypto_ablkcipher *tfm, int enc,
 	return 0;
 }
 
-static int test_comp(struct crypto_comp *tfm, struct comp_testvec *ctemplate,
-		     struct comp_testvec *dtemplate, int ctcount, int dtcount)
+static int test_comp(struct crypto_comp *tfm,
+		     const struct comp_testvec *ctemplate,
+		     const struct comp_testvec *dtemplate,
+		     int ctcount, int dtcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
 	unsigned int i;
@@ -1267,8 +1275,8 @@ out:
 }
 
 static int test_pcomp(struct crypto_pcomp *tfm,
-		      struct pcomp_testvec *ctemplate,
-		      struct pcomp_testvec *dtemplate, int ctcount,
+		      const struct pcomp_testvec *ctemplate,
+		      const struct pcomp_testvec *dtemplate, int ctcount,
 		      int dtcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_pcomp_tfm(tfm));
@@ -1443,8 +1451,8 @@ static int test_pcomp(struct crypto_pcomp *tfm,
 }
 
 
-static int test_cprng(struct crypto_rng *tfm, struct cprng_testvec *template,
-		      unsigned int tcount)
+static int test_cprng(struct crypto_rng *tfm,
+		      const struct cprng_testvec *template, unsigned int tcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
 	int err = 0, i, j, seedsize;
@@ -1726,7 +1734,7 @@ static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
 }
 
 
-static int drbg_cavs_test(struct drbg_testvec *test, int pr,
+static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
 			  const char *driver, u32 type, u32 mask)
 {
 	int ret = -EAGAIN;
@@ -1800,7 +1808,7 @@ static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
 	int err = 0;
 	int pr = 0;
 	int i = 0;
-	struct drbg_testvec *template = desc->suite.drbg.vecs;
+	const struct drbg_testvec *template = desc->suite.drbg.vecs;
 	unsigned int tcount = desc->suite.drbg.count;
 
 	if (0 == memcmp(driver, "drbg_pr_", 8))
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 62e2485b..306a33b2 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -37,9 +37,9 @@
 
 struct hash_testvec {
 	/* only used with keyed hash algorithms */
-	char *key;
-	char *plaintext;
-	char *digest;
+	const char *key;
+	const char *plaintext;
+	const char *digest;
 	unsigned char tap[MAX_TAP];
 	unsigned short psize;
 	unsigned char np;
@@ -47,10 +47,10 @@ struct hash_testvec {
 };
 
 struct cipher_testvec {
-	char *key;
-	char *iv;
-	char *input;
-	char *result;
+	const char *key;
+	const char *iv;
+	const char *input;
+	const char *result;
 	unsigned short tap[MAX_TAP];
 	int np;
 	unsigned char also_non_np;
@@ -62,11 +62,11 @@ struct cipher_testvec {
 };
 
 struct aead_testvec {
-	char *key;
-	char *iv;
-	char *input;
-	char *assoc;
-	char *result;
+	const char *key;
+	const char *iv;
+	const char *input;
+	const char *assoc;
+	const char *result;
 	unsigned char tap[MAX_TAP];
 	unsigned char atap[MAX_TAP];
 	int np;
@@ -81,10 +81,10 @@ struct aead_testvec {
 };
 
 struct cprng_testvec {
-	char *key;
-	char *dt;
-	char *v;
-	char *result;
+	const char *key;
+	const char *dt;
+	const char *v;
+	const char *result;
 	unsigned char klen;
 	unsigned short dtlen;
 	unsigned short vlen;
@@ -93,28 +93,28 @@ struct cprng_testvec {
 };
 
 struct drbg_testvec {
-	unsigned char *entropy;
+	const unsigned char *entropy;
 	size_t entropylen;
-	unsigned char *entpra;
-	unsigned char *entprb;
+	const unsigned char *entpra;
+	const unsigned char *entprb;
 	size_t entprlen;
-	unsigned char *addtla;
-	unsigned char *addtlb;
+	const unsigned char *addtla;
+	const unsigned char *addtlb;
 	size_t addtllen;
-	unsigned char *pers;
+	const unsigned char *pers;
 	size_t perslen;
-	unsigned char *expected;
+	const unsigned char *expected;
 	size_t expectedlen;
 };
 
-static char zeroed_string[48];
+static const char zeroed_string[48];
 
 /*
  * MD4 test vectors from RFC1320
  */
 #define MD4_TEST_VECTORS	7
 
-static struct hash_testvec md4_tv_template [] = {
+static const struct hash_testvec md4_tv_template [] = {
 	{
 		.plaintext = "",
 		.digest	= "\x31\xd6\xcf\xe0\xd1\x6a\xe9\x31"
@@ -160,7 +160,7 @@ static struct hash_testvec md4_tv_template [] = {
  */
 #define MD5_TEST_VECTORS	7
 
-static struct hash_testvec md5_tv_template[] = {
+static const struct hash_testvec md5_tv_template[] = {
 	{
 		.digest	= "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04"
 			  "\xe9\x80\x09\x98\xec\xf8\x42\x7e",
@@ -206,7 +206,7 @@ static struct hash_testvec md5_tv_template[] = {
  */
 #define RMD128_TEST_VECTORS     10
 
-static struct hash_testvec rmd128_tv_template[] = {
+static const struct hash_testvec rmd128_tv_template[] = {
 	{
 		.digest	= "\xcd\xf2\x62\x13\xa1\x50\xdc\x3e"
 			  "\xcb\x61\x0f\x18\xf6\xb3\x8b\x46",
@@ -270,7 +270,7 @@ static struct hash_testvec rmd128_tv_template[] = {
  */
 #define RMD160_TEST_VECTORS     10
 
-static struct hash_testvec rmd160_tv_template[] = {
+static const struct hash_testvec rmd160_tv_template[] = {
 	{
 		.digest	= "\x9c\x11\x85\xa5\xc5\xe9\xfc\x54\x61\x28"
 			  "\x08\x97\x7e\xe8\xf5\x48\xb2\x25\x8d\x31",
@@ -334,7 +334,7 @@ static struct hash_testvec rmd160_tv_template[] = {
  */
 #define RMD256_TEST_VECTORS     8
 
-static struct hash_testvec rmd256_tv_template[] = {
+static const struct hash_testvec rmd256_tv_template[] = {
 	{
 		.digest	= "\x02\xba\x4c\x4e\x5f\x8e\xcd\x18"
 			  "\x77\xfc\x52\xd6\x4d\x30\xe3\x7a"
@@ -402,7 +402,7 @@ static struct hash_testvec rmd256_tv_template[] = {
  */
 #define RMD320_TEST_VECTORS     8
 
-static struct hash_testvec rmd320_tv_template[] = {
+static const struct hash_testvec rmd320_tv_template[] = {
 	{
 		.digest	= "\x22\xd6\x5d\x56\x61\x53\x6c\xdc\x75\xc1"
 			  "\xfd\xf5\xc6\xde\x7b\x41\xb9\xf2\x73\x25"
@@ -466,7 +466,7 @@ static struct hash_testvec rmd320_tv_template[] = {
 };
 
 #define CRCT10DIF_TEST_VECTORS	3
-static struct hash_testvec crct10dif_tv_template[] = {
+static const struct hash_testvec crct10dif_tv_template[] = {
 	{
 		.plaintext = "abc",
 		.psize  = 3,
@@ -504,7 +504,7 @@ static struct hash_testvec crct10dif_tv_template[] = {
  */
 #define SHA1_TEST_VECTORS	6
 
-static struct hash_testvec sha1_tv_template[] = {
+static const struct hash_testvec sha1_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -696,7 +696,7 @@ static struct hash_testvec sha1_tv_template[] = {
  */
 #define SHA224_TEST_VECTORS     5
 
-static struct hash_testvec sha224_tv_template[] = {
+static const struct hash_testvec sha224_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -870,7 +870,7 @@ static struct hash_testvec sha224_tv_template[] = {
  */
 #define SHA256_TEST_VECTORS	5
 
-static struct hash_testvec sha256_tv_template[] = {
+static const struct hash_testvec sha256_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1043,7 +1043,7 @@ static struct hash_testvec sha256_tv_template[] = {
  */
 #define SHA384_TEST_VECTORS	6
 
-static struct hash_testvec sha384_tv_template[] = {
+static const struct hash_testvec sha384_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1237,7 +1237,7 @@ static struct hash_testvec sha384_tv_template[] = {
  */
 #define SHA512_TEST_VECTORS	6
 
-static struct hash_testvec sha512_tv_template[] = {
+static const struct hash_testvec sha512_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1446,7 +1446,7 @@ static struct hash_testvec sha512_tv_template[] = {
  */
 #define WP512_TEST_VECTORS	8
 
-static struct hash_testvec wp512_tv_template[] = {
+static const struct hash_testvec wp512_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1544,7 +1544,7 @@ static struct hash_testvec wp512_tv_template[] = {
 
 #define WP384_TEST_VECTORS	8
 
-static struct hash_testvec wp384_tv_template[] = {
+static const struct hash_testvec wp384_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1626,7 +1626,7 @@ static struct hash_testvec wp384_tv_template[] = {
 
 #define WP256_TEST_VECTORS	8
 
-static struct hash_testvec wp256_tv_template[] = {
+static const struct hash_testvec wp256_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1695,7 +1695,7 @@ static struct hash_testvec wp256_tv_template[] = {
  */
 #define TGR192_TEST_VECTORS	6
 
-static struct hash_testvec tgr192_tv_template[] = {
+static const struct hash_testvec tgr192_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1740,7 +1740,7 @@ static struct hash_testvec tgr192_tv_template[] = {
 
 #define TGR160_TEST_VECTORS	6
 
-static struct hash_testvec tgr160_tv_template[] = {
+static const struct hash_testvec tgr160_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1785,7 +1785,7 @@ static struct hash_testvec tgr160_tv_template[] = {
 
 #define TGR128_TEST_VECTORS	6
 
-static struct hash_testvec tgr128_tv_template[] = {
+static const struct hash_testvec tgr128_tv_template[] = {
 	{
 		.plaintext = "",
 		.psize	= 0,
@@ -1824,7 +1824,7 @@ static struct hash_testvec tgr128_tv_template[] = {
 
 #define GHASH_TEST_VECTORS 5
 
-static struct hash_testvec ghash_tv_template[] =
+static const struct hash_testvec ghash_tv_template[] =
 {
 	{
 		.key	= "\xdf\xa6\xbf\x4d\xed\x81\xdb\x03"
@@ -1884,7 +1884,7 @@ static struct hash_testvec ghash_tv_template[] =
  */
 #define HMAC_MD5_TEST_VECTORS	7
 
-static struct hash_testvec hmac_md5_tv_template[] =
+static const struct hash_testvec hmac_md5_tv_template[] =
 {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
@@ -1966,7 +1966,7 @@ static struct hash_testvec hmac_md5_tv_template[] =
  */
 #define HMAC_RMD128_TEST_VECTORS	7
 
-static struct hash_testvec hmac_rmd128_tv_template[] = {
+static const struct hash_testvec hmac_rmd128_tv_template[] = {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
 		.ksize	= 16,
@@ -2047,7 +2047,7 @@ static struct hash_testvec hmac_rmd128_tv_template[] = {
  */
 #define HMAC_RMD160_TEST_VECTORS	7
 
-static struct hash_testvec hmac_rmd160_tv_template[] = {
+static const struct hash_testvec hmac_rmd160_tv_template[] = {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
 		.ksize	= 20,
@@ -2128,7 +2128,7 @@ static struct hash_testvec hmac_rmd160_tv_template[] = {
  */
 #define HMAC_SHA1_TEST_VECTORS	7
 
-static struct hash_testvec hmac_sha1_tv_template[] = {
+static const struct hash_testvec hmac_sha1_tv_template[] = {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
 		.ksize	= 20,
@@ -2211,7 +2211,7 @@ static struct hash_testvec hmac_sha1_tv_template[] = {
  */
 #define HMAC_SHA224_TEST_VECTORS    4
 
-static struct hash_testvec hmac_sha224_tv_template[] = {
+static const struct hash_testvec hmac_sha224_tv_template[] = {
 	{
 		.key    = "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
 			"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
@@ -2326,7 +2326,7 @@ static struct hash_testvec hmac_sha224_tv_template[] = {
  */
 #define HMAC_SHA256_TEST_VECTORS	10
 
-static struct hash_testvec hmac_sha256_tv_template[] = {
+static const struct hash_testvec hmac_sha256_tv_template[] = {
 	{
 		.key	= "\x01\x02\x03\x04\x05\x06\x07\x08"
 			  "\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
@@ -2463,7 +2463,7 @@ static struct hash_testvec hmac_sha256_tv_template[] = {
 
 #define CMAC_AES_TEST_VECTORS 6
 
-static struct hash_testvec aes_cmac128_tv_template[] = {
+static const struct hash_testvec aes_cmac128_tv_template[] = {
 	{ /* From NIST Special Publication 800-38B, AES-128 */
 		.key		= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
 				  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
@@ -2540,7 +2540,7 @@ static struct hash_testvec aes_cmac128_tv_template[] = {
 
 #define CMAC_DES3_EDE_TEST_VECTORS 4
 
-static struct hash_testvec des3_ede_cmac64_tv_template[] = {
+static const struct hash_testvec des3_ede_cmac64_tv_template[] = {
 /*
  * From NIST Special Publication 800-38B, Three Key TDEA
  * Corrected test vectors from:
@@ -2588,7 +2588,7 @@ static struct hash_testvec des3_ede_cmac64_tv_template[] = {
 
 #define XCBC_AES_TEST_VECTORS 6
 
-static struct hash_testvec aes_xcbc128_tv_template[] = {
+static const struct hash_testvec aes_xcbc128_tv_template[] = {
 	{
 		.key	= "\x00\x01\x02\x03\x04\x05\x06\x07"
 			  "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
@@ -2683,7 +2683,7 @@ static char vmac_string6[129] = {'p', 't', '*', '7', 'l',
 				 'i', '!', '#', 'w', '0',
 				 'z', '/', '4', 'A', 'n'};
 
-static struct hash_testvec aes_vmac128_tv_template[] = {
+static const struct hash_testvec aes_vmac128_tv_template[] = {
 	{
 		.key	= "\x00\x01\x02\x03\x04\x05\x06\x07"
 			  "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
@@ -2763,7 +2763,7 @@ static struct hash_testvec aes_vmac128_tv_template[] = {
 
 #define HMAC_SHA384_TEST_VECTORS	4
 
-static struct hash_testvec hmac_sha384_tv_template[] = {
+static const struct hash_testvec hmac_sha384_tv_template[] = {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
 			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
@@ -2863,7 +2863,7 @@ static struct hash_testvec hmac_sha384_tv_template[] = {
 
 #define HMAC_SHA512_TEST_VECTORS	4
 
-static struct hash_testvec hmac_sha512_tv_template[] = {
+static const struct hash_testvec hmac_sha512_tv_template[] = {
 	{
 		.key	= "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
 			  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
@@ -2984,7 +2984,7 @@ static struct hash_testvec hmac_sha512_tv_template[] = {
 #define DES3_EDE_CTR_ENC_TEST_VECTORS	2
 #define DES3_EDE_CTR_DEC_TEST_VECTORS	2
 
-static struct cipher_testvec des_enc_tv_template[] = {
+static const struct cipher_testvec des_enc_tv_template[] = {
 	{ /* From Applied Cryptography */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -3158,7 +3158,7 @@ static struct cipher_testvec des_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des_dec_tv_template[] = {
+static const struct cipher_testvec des_dec_tv_template[] = {
 	{ /* From Applied Cryptography */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -3268,7 +3268,7 @@ static struct cipher_testvec des_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des_cbc_enc_tv_template[] = {
+static const struct cipher_testvec des_cbc_enc_tv_template[] = {
 	{ /* From OpenSSL */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -3394,7 +3394,7 @@ static struct cipher_testvec des_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des_cbc_dec_tv_template[] = {
+static const struct cipher_testvec des_cbc_dec_tv_template[] = {
 	{ /* FIPS Pub 81 */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -3503,7 +3503,7 @@ static struct cipher_testvec des_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des_ctr_enc_tv_template[] = {
+static const struct cipher_testvec des_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55",
 		.klen	= 8,
@@ -3649,7 +3649,7 @@ static struct cipher_testvec des_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des_ctr_dec_tv_template[] = {
+static const struct cipher_testvec des_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55",
 		.klen	= 8,
@@ -3795,7 +3795,7 @@ static struct cipher_testvec des_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_enc_tv_template[] = {
+static const struct cipher_testvec des3_ede_enc_tv_template[] = {
 	{ /* These are from openssl */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\x55\x55\x55\x55\x55\x55\x55\x55"
@@ -3960,7 +3960,7 @@ static struct cipher_testvec des3_ede_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_dec_tv_template[] = {
+static const struct cipher_testvec des3_ede_dec_tv_template[] = {
 	{ /* These are from openssl */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\x55\x55\x55\x55\x55\x55\x55\x55"
@@ -4125,7 +4125,7 @@ static struct cipher_testvec des3_ede_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_cbc_enc_tv_template[] = {
+static const struct cipher_testvec des3_ede_cbc_enc_tv_template[] = {
 	{ /* Generated from openssl */
 		.key	= "\xE9\xC0\xFF\x2E\x76\x0B\x64\x24"
 			  "\x44\x4D\x99\x5A\x12\xD6\x40\xC0"
@@ -4305,7 +4305,7 @@ static struct cipher_testvec des3_ede_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_cbc_dec_tv_template[] = {
+static const struct cipher_testvec des3_ede_cbc_dec_tv_template[] = {
 	{ /* Generated from openssl */
 		.key	= "\xE9\xC0\xFF\x2E\x76\x0B\x64\x24"
 			  "\x44\x4D\x99\x5A\x12\xD6\x40\xC0"
@@ -4485,7 +4485,7 @@ static struct cipher_testvec des3_ede_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_ctr_enc_tv_template[] = {
+static const struct cipher_testvec des3_ede_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00"
 			  "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE"
@@ -4763,7 +4763,7 @@ static struct cipher_testvec des3_ede_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec des3_ede_ctr_dec_tv_template[] = {
+static const struct cipher_testvec des3_ede_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00"
 			  "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE"
@@ -5051,7 +5051,7 @@ static struct cipher_testvec des3_ede_ctr_dec_tv_template[] = {
 #define BF_CTR_ENC_TEST_VECTORS	2
 #define BF_CTR_DEC_TEST_VECTORS	2
 
-static struct cipher_testvec bf_enc_tv_template[] = {
+static const struct cipher_testvec bf_enc_tv_template[] = {
 	{ /* DES test vectors from OpenSSL */
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
 		.klen	= 8,
@@ -5243,7 +5243,7 @@ static struct cipher_testvec bf_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec bf_dec_tv_template[] = {
+static const struct cipher_testvec bf_dec_tv_template[] = {
 	{ /* DES test vectors from OpenSSL */
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
 		.klen	= 8,
@@ -5435,7 +5435,7 @@ static struct cipher_testvec bf_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec bf_cbc_enc_tv_template[] = {
+static const struct cipher_testvec bf_cbc_enc_tv_template[] = {
 	{ /* From OpenSSL */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\xf0\xe1\xd2\xc3\xb4\xa5\x96\x87",
@@ -5592,7 +5592,7 @@ static struct cipher_testvec bf_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec bf_cbc_dec_tv_template[] = {
+static const struct cipher_testvec bf_cbc_dec_tv_template[] = {
 	{ /* From OpenSSL */
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\xf0\xe1\xd2\xc3\xb4\xa5\x96\x87",
@@ -5749,7 +5749,7 @@ static struct cipher_testvec bf_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec bf_ctr_enc_tv_template[] = {
+static const struct cipher_testvec bf_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -6161,7 +6161,7 @@ static struct cipher_testvec bf_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec bf_ctr_dec_tv_template[] = {
+static const struct cipher_testvec bf_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -6587,7 +6587,7 @@ static struct cipher_testvec bf_ctr_dec_tv_template[] = {
 #define TF_XTS_ENC_TEST_VECTORS		5
 #define TF_XTS_DEC_TEST_VECTORS		5
 
-static struct cipher_testvec tf_enc_tv_template[] = {
+static const struct cipher_testvec tf_enc_tv_template[] = {
 	{
 		.key	= zeroed_string,
 		.klen	= 16,
@@ -6755,7 +6755,7 @@ static struct cipher_testvec tf_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_dec_tv_template[] = {
+static const struct cipher_testvec tf_dec_tv_template[] = {
 	{
 		.key	= zeroed_string,
 		.klen	= 16,
@@ -6923,7 +6923,7 @@ static struct cipher_testvec tf_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_cbc_enc_tv_template[] = {
+static const struct cipher_testvec tf_cbc_enc_tv_template[] = {
 	{ /* Generated with Nettle */
 		.key	= zeroed_string,
 		.klen	= 16,
@@ -7106,7 +7106,7 @@ static struct cipher_testvec tf_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_cbc_dec_tv_template[] = {
+static const struct cipher_testvec tf_cbc_dec_tv_template[] = {
 	{ /* Reverse of the first four above */
 		.key	= zeroed_string,
 		.klen	= 16,
@@ -7289,7 +7289,7 @@ static struct cipher_testvec tf_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_ctr_enc_tv_template[] = {
+static const struct cipher_testvec tf_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -7700,7 +7700,7 @@ static struct cipher_testvec tf_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_ctr_dec_tv_template[] = {
+static const struct cipher_testvec tf_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -8111,7 +8111,7 @@ static struct cipher_testvec tf_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_lrw_enc_tv_template[] = {
+static const struct cipher_testvec tf_lrw_enc_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	{
 		.key	= "\x45\x62\xac\x25\xf8\x28\x17\x6d"
@@ -8363,7 +8363,7 @@ static struct cipher_testvec tf_lrw_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_lrw_dec_tv_template[] = {
+static const struct cipher_testvec tf_lrw_dec_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -8616,7 +8616,7 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_xts_enc_tv_template[] = {
+static const struct cipher_testvec tf_xts_enc_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 {
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -8958,7 +8958,7 @@ static struct cipher_testvec tf_xts_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tf_xts_dec_tv_template[] = {
+static const struct cipher_testvec tf_xts_dec_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -9323,7 +9323,7 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = {
 #define SERPENT_XTS_ENC_TEST_VECTORS	5
 #define SERPENT_XTS_DEC_TEST_VECTORS	5
 
-static struct cipher_testvec serpent_enc_tv_template[] = {
+static const struct cipher_testvec serpent_enc_tv_template[] = {
 	{
 		.input	= "\x00\x01\x02\x03\x04\x05\x06\x07"
 			  "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
@@ -9499,7 +9499,7 @@ static struct cipher_testvec serpent_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tnepres_enc_tv_template[] = {
+static const struct cipher_testvec tnepres_enc_tv_template[] = {
 	{ /* KeySize=128, PT=0, I=1 */
 		.input	= "\x00\x00\x00\x00\x00\x00\x00\x00"
 			  "\x00\x00\x00\x00\x00\x00\x00\x00",
@@ -9549,7 +9549,7 @@ static struct cipher_testvec tnepres_enc_tv_template[] = {
 };
 
 
-static struct cipher_testvec serpent_dec_tv_template[] = {
+static const struct cipher_testvec serpent_dec_tv_template[] = {
 	{
 		.input	= "\x12\x07\xfc\xce\x9b\xd0\xd6\x47"
 			  "\x6a\xe9\x8f\xbe\xd1\x43\xa0\xe2",
@@ -9725,7 +9725,7 @@ static struct cipher_testvec serpent_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec tnepres_dec_tv_template[] = {
+static const struct cipher_testvec tnepres_dec_tv_template[] = {
 	{
 		.input	= "\x41\xcc\x6b\x31\x59\x31\x45\x97"
 			  "\x6d\x6f\xbb\x38\x4b\x37\x21\x28",
@@ -9766,7 +9766,7 @@ static struct cipher_testvec tnepres_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_cbc_enc_tv_template[] = {
+static const struct cipher_testvec serpent_cbc_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -9907,7 +9907,7 @@ static struct cipher_testvec serpent_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_cbc_dec_tv_template[] = {
+static const struct cipher_testvec serpent_cbc_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -10048,7 +10048,7 @@ static struct cipher_testvec serpent_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_ctr_enc_tv_template[] = {
+static const struct cipher_testvec serpent_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -10459,7 +10459,7 @@ static struct cipher_testvec serpent_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_ctr_dec_tv_template[] = {
+static const struct cipher_testvec serpent_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -10870,7 +10870,7 @@ static struct cipher_testvec serpent_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_lrw_enc_tv_template[] = {
+static const struct cipher_testvec serpent_lrw_enc_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	{
 		.key	= "\x45\x62\xac\x25\xf8\x28\x17\x6d"
@@ -11122,7 +11122,7 @@ static struct cipher_testvec serpent_lrw_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_lrw_dec_tv_template[] = {
+static const struct cipher_testvec serpent_lrw_dec_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -11375,7 +11375,7 @@ static struct cipher_testvec serpent_lrw_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_xts_enc_tv_template[] = {
+static const struct cipher_testvec serpent_xts_enc_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	{
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -11717,7 +11717,7 @@ static struct cipher_testvec serpent_xts_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec serpent_xts_dec_tv_template[] = {
+static const struct cipher_testvec serpent_xts_dec_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -12072,7 +12072,7 @@ static struct cipher_testvec serpent_xts_dec_tv_template[] = {
 #define CAST6_XTS_ENC_TEST_VECTORS	1
 #define CAST6_XTS_DEC_TEST_VECTORS	1
 
-static struct cipher_testvec cast6_enc_tv_template[] = {
+static const struct cipher_testvec cast6_enc_tv_template[] = {
 	{
 		.key	= "\x23\x42\xbb\x9e\xfa\x38\x54\x2c"
 			  "\x0a\xf7\x56\x47\xf2\x9f\x61\x5d",
@@ -12243,7 +12243,7 @@ static struct cipher_testvec cast6_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_dec_tv_template[] = {
+static const struct cipher_testvec cast6_dec_tv_template[] = {
 	{
 		.key	= "\x23\x42\xbb\x9e\xfa\x38\x54\x2c"
 			  "\x0a\xf7\x56\x47\xf2\x9f\x61\x5d",
@@ -12414,7 +12414,7 @@ static struct cipher_testvec cast6_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_cbc_enc_tv_template[] = {
+static const struct cipher_testvec cast6_cbc_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -12555,7 +12555,7 @@ static struct cipher_testvec cast6_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_cbc_dec_tv_template[] = {
+static const struct cipher_testvec cast6_cbc_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -12696,7 +12696,7 @@ static struct cipher_testvec cast6_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_ctr_enc_tv_template[] = {
+static const struct cipher_testvec cast6_ctr_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -12853,7 +12853,7 @@ static struct cipher_testvec cast6_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_ctr_dec_tv_template[] = {
+static const struct cipher_testvec cast6_ctr_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -13010,7 +13010,7 @@ static struct cipher_testvec cast6_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_lrw_enc_tv_template[] = {
+static const struct cipher_testvec cast6_lrw_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\xf8\xd4\x76\xff\xd6\x46\xee\x6c"
 			  "\x23\x84\xcb\x1c\x77\xd6\x19\x5d"
@@ -13157,7 +13157,7 @@ static struct cipher_testvec cast6_lrw_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_lrw_dec_tv_template[] = {
+static const struct cipher_testvec cast6_lrw_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\xf8\xd4\x76\xff\xd6\x46\xee\x6c"
 			  "\x23\x84\xcb\x1c\x77\xd6\x19\x5d"
@@ -13304,7 +13304,7 @@ static struct cipher_testvec cast6_lrw_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_xts_enc_tv_template[] = {
+static const struct cipher_testvec cast6_xts_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x27\x18\x28\x18\x28\x45\x90\x45"
 			  "\x23\x53\x60\x28\x74\x71\x35\x26"
@@ -13453,7 +13453,7 @@ static struct cipher_testvec cast6_xts_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast6_xts_dec_tv_template[] = {
+static const struct cipher_testvec cast6_xts_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x27\x18\x28\x18\x28\x45\x90\x45"
 			  "\x23\x53\x60\x28\x74\x71\x35\x26"
@@ -13638,7 +13638,7 @@ static struct cipher_testvec cast6_xts_dec_tv_template[] = {
 #define AES_CCM_4309_ENC_TEST_VECTORS 7
 #define AES_CCM_4309_DEC_TEST_VECTORS 10
 
-static struct cipher_testvec aes_enc_tv_template[] = {
+static const struct cipher_testvec aes_enc_tv_template[] = {
 	{ /* From FIPS-197 */
 		.key	= "\x00\x01\x02\x03\x04\x05\x06\x07"
 			  "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
@@ -13810,7 +13810,7 @@ static struct cipher_testvec aes_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_dec_tv_template[] = {
+static const struct cipher_testvec aes_dec_tv_template[] = {
 	{ /* From FIPS-197 */
 		.key	= "\x00\x01\x02\x03\x04\x05\x06\x07"
 			  "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
@@ -13982,7 +13982,7 @@ static struct cipher_testvec aes_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_cbc_enc_tv_template[] = {
+static const struct cipher_testvec aes_cbc_enc_tv_template[] = {
 	{ /* From RFC 3602 */
 		.key    = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b"
 			  "\x51\x2e\x03\xd5\x34\x12\x00\x06",
@@ -14201,7 +14201,7 @@ static struct cipher_testvec aes_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_cbc_dec_tv_template[] = {
+static const struct cipher_testvec aes_cbc_dec_tv_template[] = {
 	{ /* From RFC 3602 */
 		.key    = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b"
 			  "\x51\x2e\x03\xd5\x34\x12\x00\x06",
@@ -14420,7 +14420,7 @@ static struct cipher_testvec aes_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct aead_testvec hmac_md5_ecb_cipher_null_enc_tv_template[] = {
+static const struct aead_testvec hmac_md5_ecb_cipher_null_enc_tv_template[] = {
 	{ /* Input data from RFC 2410 Case 1 */
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -14462,7 +14462,7 @@ static struct aead_testvec hmac_md5_ecb_cipher_null_enc_tv_template[] = {
 	},
 };
 
-static struct aead_testvec hmac_md5_ecb_cipher_null_dec_tv_template[] = {
+static const struct aead_testvec hmac_md5_ecb_cipher_null_dec_tv_template[] = {
 	{
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -14504,7 +14504,7 @@ static struct aead_testvec hmac_md5_ecb_cipher_null_dec_tv_template[] = {
 	},
 };
 
-static struct aead_testvec hmac_sha1_aes_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha1_aes_cbc_enc_tv_temp[] = {
 	{ /* RFC 3602 Case 1 */
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -14753,7 +14753,7 @@ static struct aead_testvec hmac_sha1_aes_cbc_enc_tv_temp[] = {
 	},
 };
 
-static struct aead_testvec hmac_sha1_ecb_cipher_null_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha1_ecb_cipher_null_enc_tv_temp[] = {
 	{ /* Input data from RFC 2410 Case 1 */
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -14799,7 +14799,7 @@ static struct aead_testvec hmac_sha1_ecb_cipher_null_enc_tv_temp[] = {
 	},
 };
 
-static struct aead_testvec hmac_sha1_ecb_cipher_null_dec_tv_temp[] = {
+static const struct aead_testvec hmac_sha1_ecb_cipher_null_dec_tv_temp[] = {
 	{
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -14845,7 +14845,7 @@ static struct aead_testvec hmac_sha1_ecb_cipher_null_dec_tv_temp[] = {
 	},
 };
 
-static struct aead_testvec hmac_sha256_aes_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha256_aes_cbc_enc_tv_temp[] = {
 	{ /* RFC 3602 Case 1 */
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15108,7 +15108,7 @@ static struct aead_testvec hmac_sha256_aes_cbc_enc_tv_temp[] = {
 	},
 };
 
-static struct aead_testvec hmac_sha512_aes_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha512_aes_cbc_enc_tv_temp[] = {
 	{ /* RFC 3602 Case 1 */
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15429,7 +15429,7 @@ static struct aead_testvec hmac_sha512_aes_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA1_DES_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha1_des_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha1_des_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15489,7 +15489,7 @@ static struct aead_testvec hmac_sha1_des_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA224_DES_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha224_des_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha224_des_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15549,7 +15549,7 @@ static struct aead_testvec hmac_sha224_des_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA256_DES_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha256_des_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha256_des_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15611,7 +15611,7 @@ static struct aead_testvec hmac_sha256_des_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA384_DES_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha384_des_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha384_des_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15677,7 +15677,7 @@ static struct aead_testvec hmac_sha384_des_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA512_DES_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha512_des_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha512_des_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15747,7 +15747,7 @@ static struct aead_testvec hmac_sha512_des_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA1_DES3_EDE_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha1_des3_ede_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha1_des3_ede_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15809,7 +15809,7 @@ static struct aead_testvec hmac_sha1_des3_ede_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA224_DES3_EDE_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha224_des3_ede_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha224_des3_ede_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15871,7 +15871,7 @@ static struct aead_testvec hmac_sha224_des3_ede_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA256_DES3_EDE_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha256_des3_ede_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha256_des3_ede_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -15935,7 +15935,7 @@ static struct aead_testvec hmac_sha256_des3_ede_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA384_DES3_EDE_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha384_des3_ede_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha384_des3_ede_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -16003,7 +16003,7 @@ static struct aead_testvec hmac_sha384_des3_ede_cbc_enc_tv_temp[] = {
 
 #define HMAC_SHA512_DES3_EDE_CBC_ENC_TEST_VEC	1
 
-static struct aead_testvec hmac_sha512_des3_ede_cbc_enc_tv_temp[] = {
+static const struct aead_testvec hmac_sha512_des3_ede_cbc_enc_tv_temp[] = {
 	{ /*Generated with cryptopp*/
 #ifdef __LITTLE_ENDIAN
 		.key    = "\x08\x00"		/* rta length */
@@ -16073,7 +16073,7 @@ static struct aead_testvec hmac_sha512_des3_ede_cbc_enc_tv_temp[] = {
 	},
 };
 
-static struct cipher_testvec aes_lrw_enc_tv_template[] = {
+static const struct cipher_testvec aes_lrw_enc_tv_template[] = {
 	/* from http://grouper.ieee.org/groups/1619/email/pdf00017.pdf */
 	{ /* LRW-32-AES 1 */
 		.key    = "\x45\x62\xac\x25\xf8\x28\x17\x6d"
@@ -16326,7 +16326,7 @@ static struct cipher_testvec aes_lrw_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec aes_lrw_dec_tv_template[] = {
+static const struct cipher_testvec aes_lrw_dec_tv_template[] = {
 	/* from http://grouper.ieee.org/groups/1619/email/pdf00017.pdf */
 	/* same as enc vectors with input and result reversed */
 	{ /* LRW-32-AES 1 */
@@ -16580,7 +16580,7 @@ static struct cipher_testvec aes_lrw_dec_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec aes_xts_enc_tv_template[] = {
+static const struct cipher_testvec aes_xts_enc_tv_template[] = {
 	/* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
 	{ /* XTS-AES 1 */
 		.key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -16922,7 +16922,7 @@ static struct cipher_testvec aes_xts_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec aes_xts_dec_tv_template[] = {
+static const struct cipher_testvec aes_xts_dec_tv_template[] = {
 	/* http://grouper.ieee.org/groups/1619/email/pdf00086.pdf */
 	{ /* XTS-AES 1 */
 		.key    = "\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -17265,7 +17265,7 @@ static struct cipher_testvec aes_xts_dec_tv_template[] = {
 };
 
 
-static struct cipher_testvec aes_ctr_enc_tv_template[] = {
+static const struct cipher_testvec aes_ctr_enc_tv_template[] = {
 	{ /* From NIST Special Publication 800-38A, Appendix F.5 */
 		.key	= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
 			  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
@@ -17620,7 +17620,7 @@ static struct cipher_testvec aes_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_ctr_dec_tv_template[] = {
+static const struct cipher_testvec aes_ctr_dec_tv_template[] = {
 	{ /* From NIST Special Publication 800-38A, Appendix F.5 */
 		.key	= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
 			  "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
@@ -17975,7 +17975,7 @@ static struct cipher_testvec aes_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_ctr_rfc3686_enc_tv_template[] = {
+static const struct cipher_testvec aes_ctr_rfc3686_enc_tv_template[] = {
 	{ /* From RFC 3686 */
 		.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc"
 			  "\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
@@ -19107,7 +19107,7 @@ static struct cipher_testvec aes_ctr_rfc3686_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_ctr_rfc3686_dec_tv_template[] = {
+static const struct cipher_testvec aes_ctr_rfc3686_dec_tv_template[] = {
 	{ /* From RFC 3686 */
 		.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc"
 			  "\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
@@ -19198,7 +19198,7 @@ static struct cipher_testvec aes_ctr_rfc3686_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec aes_ofb_enc_tv_template[] = {
+static const struct cipher_testvec aes_ofb_enc_tv_template[] = {
 	 /* From NIST Special Publication 800-38A, Appendix F.5 */
 	{
 		.key	= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
@@ -19227,7 +19227,7 @@ static struct cipher_testvec aes_ofb_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec aes_ofb_dec_tv_template[] = {
+static const struct cipher_testvec aes_ofb_dec_tv_template[] = {
 	 /* From NIST Special Publication 800-38A, Appendix F.5 */
 	{
 		.key	= "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
@@ -19256,7 +19256,7 @@ static struct cipher_testvec aes_ofb_dec_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_enc_tv_template[] = {
+static const struct aead_testvec aes_gcm_enc_tv_template[] = {
 	{ /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -19416,7 +19416,7 @@ static struct aead_testvec aes_gcm_enc_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_dec_tv_template[] = {
+static const struct aead_testvec aes_gcm_dec_tv_template[] = {
 	{ /* From McGrew & Viega - http://citeseer.ist.psu.edu/656989.html */
 		.key    = zeroed_string,
 		.klen	= 32,
@@ -19618,7 +19618,7 @@ static struct aead_testvec aes_gcm_dec_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
+static const struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
         { /* Generated using Crypto++ */
 		.key    = zeroed_string,
 		.klen	= 20,
@@ -19792,7 +19792,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
+static const struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
         { /* Generated using Crypto++ */
 		.key    = zeroed_string,
 		.klen	= 20,
@@ -19968,7 +19968,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
+static const struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
 	{ /* From draft-mcgrew-gcm-test-01 */
 		.key	= "\x4c\x80\xcd\xef\xbb\x5d\x10\xda"
 			  "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
@@ -19998,7 +19998,7 @@ static struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
+static const struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
 	{ /* From draft-mcgrew-gcm-test-01 */
 		.key	= "\x4c\x80\xcd\xef\xbb\x5d\x10\xda"
 			  "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
@@ -20055,7 +20055,7 @@ static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
 	},
 };
 
-static struct aead_testvec aes_ccm_enc_tv_template[] = {
+static const struct aead_testvec aes_ccm_enc_tv_template[] = {
 	{ /* From RFC 3610 */
 		.key	= "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
 			  "\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf",
@@ -20206,7 +20206,7 @@ static struct aead_testvec aes_ccm_enc_tv_template[] = {
 	}
 };
 
-static struct aead_testvec aes_ccm_dec_tv_template[] = {
+static const struct aead_testvec aes_ccm_dec_tv_template[] = {
 	{ /* From RFC 3610 */
 		.key	= "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
 			  "\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf",
@@ -20345,7 +20345,7 @@ static struct aead_testvec aes_ccm_dec_tv_template[] = {
  * nb: actual key lengths are (klen - 3), the last 3 bytes are actually
  * part of the nonce which combine w/the iv, but need to be input this way.
  */
-static struct aead_testvec aes_ccm_rfc4309_enc_tv_template[] = {
+static const struct aead_testvec aes_ccm_rfc4309_enc_tv_template[] = {
 	{
 		.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05"
 			  "\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
@@ -20505,7 +20505,7 @@ static struct aead_testvec aes_ccm_rfc4309_enc_tv_template[] = {
 	},
 };
 
-static struct aead_testvec aes_ccm_rfc4309_dec_tv_template[] = {
+static const struct aead_testvec aes_ccm_rfc4309_dec_tv_template[] = {
 	{
 		.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1"
 			  "\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
@@ -20711,7 +20711,7 @@ static struct aead_testvec aes_ccm_rfc4309_dec_tv_template[] = {
  */
 #define ANSI_CPRNG_AES_TEST_VECTORS	6
 
-static struct cprng_testvec ansi_cprng_aes_tv_template[] = {
+static const struct cprng_testvec ansi_cprng_aes_tv_template[] = {
 	{
 		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
 			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
@@ -20807,7 +20807,7 @@ static struct cprng_testvec ansi_cprng_aes_tv_template[] = {
  * (Hash, HMAC, CTR) are tested with all permutations of use cases (w/ and
  * w/o personalization string, w/ and w/o additional input string).
  */
-static struct drbg_testvec drbg_pr_sha256_tv_template[] = {
+static const struct drbg_testvec drbg_pr_sha256_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\x72\x88\x4c\xcd\x6c\x85\x57\x70\xf7\x0b\x8b\x86"
@@ -20965,7 +20965,7 @@ static struct drbg_testvec drbg_pr_sha256_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_pr_hmac_sha256_tv_template[] = {
+static const struct drbg_testvec drbg_pr_hmac_sha256_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\x99\x69\xe5\x4b\x47\x03\xff\x31\x78\x5b\x87\x9a"
@@ -21123,7 +21123,7 @@ static struct drbg_testvec drbg_pr_hmac_sha256_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_pr_ctr_aes128_tv_template[] = {
+static const struct drbg_testvec drbg_pr_ctr_aes128_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\xd1\x44\xc6\x61\x81\x6d\xca\x9d\x15\x28\x8a\x42"
@@ -21247,7 +21247,7 @@ static struct drbg_testvec drbg_pr_ctr_aes128_tv_template[] = {
  * (Hash, HMAC, CTR) are tested with all permutations of use cases (w/ and
  * w/o personalization string, w/ and w/o additional input string).
  */
-static struct drbg_testvec drbg_nopr_sha256_tv_template[] = {
+static const struct drbg_testvec drbg_nopr_sha256_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\xa6\x5a\xd0\xf3\x45\xdb\x4e\x0e\xff\xe8\x75\xc3"
@@ -21369,7 +21369,7 @@ static struct drbg_testvec drbg_nopr_sha256_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
+static const struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\xca\x85\x19\x11\x34\x93\x84\xbf\xfe\x89\xde\x1c"
@@ -21491,7 +21491,7 @@ static struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
+static const struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\xc3\x5c\x2f\xa2\xa8\x9d\x52\xa1\x1f\xa3\x2a\xa9"
@@ -21515,7 +21515,7 @@ static struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_nopr_ctr_aes256_tv_template[] = {
+static const struct drbg_testvec drbg_nopr_ctr_aes256_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\x36\x40\x19\x40\xfa\x8b\x1f\xba\x91\xa1\x66\x1f"
@@ -21539,7 +21539,7 @@ static struct drbg_testvec drbg_nopr_ctr_aes256_tv_template[] = {
 	},
 };
 
-static struct drbg_testvec drbg_nopr_ctr_aes128_tv_template[] = {
+static const struct drbg_testvec drbg_nopr_ctr_aes128_tv_template[] = {
 	{
 		.entropy = (unsigned char *)
 			"\x87\xe1\xc5\x32\x99\x7f\x57\xa3\x5c\x28\x6d\xe8"
@@ -21635,7 +21635,7 @@ static struct drbg_testvec drbg_nopr_ctr_aes128_tv_template[] = {
 #define CAST5_CTR_ENC_TEST_VECTORS	2
 #define CAST5_CTR_DEC_TEST_VECTORS	2
 
-static struct cipher_testvec cast5_enc_tv_template[] = {
+static const struct cipher_testvec cast5_enc_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x12\x34\x56\x78"
 			  "\x23\x45\x67\x89\x34\x56\x78\x9a",
@@ -21796,7 +21796,7 @@ static struct cipher_testvec cast5_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast5_dec_tv_template[] = {
+static const struct cipher_testvec cast5_dec_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x12\x34\x56\x78"
 			  "\x23\x45\x67\x89\x34\x56\x78\x9a",
@@ -21957,7 +21957,7 @@ static struct cipher_testvec cast5_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast5_cbc_enc_tv_template[] = {
+static const struct cipher_testvec cast5_cbc_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A",
@@ -22095,7 +22095,7 @@ static struct cipher_testvec cast5_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast5_cbc_dec_tv_template[] = {
+static const struct cipher_testvec cast5_cbc_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A",
@@ -22233,7 +22233,7 @@ static struct cipher_testvec cast5_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast5_ctr_enc_tv_template[] = {
+static const struct cipher_testvec cast5_ctr_enc_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A",
@@ -22384,7 +22384,7 @@ static struct cipher_testvec cast5_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec cast5_ctr_dec_tv_template[] = {
+static const struct cipher_testvec cast5_ctr_dec_tv_template[] = {
 	{ /* Generated from TF test vectors */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A",
@@ -22541,7 +22541,7 @@ static struct cipher_testvec cast5_ctr_dec_tv_template[] = {
 #define ARC4_ENC_TEST_VECTORS	7
 #define ARC4_DEC_TEST_VECTORS	7
 
-static struct cipher_testvec arc4_enc_tv_template[] = {
+static const struct cipher_testvec arc4_enc_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -22607,7 +22607,7 @@ static struct cipher_testvec arc4_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec arc4_dec_tv_template[] = {
+static const struct cipher_testvec arc4_dec_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef",
 		.klen	= 8,
@@ -22679,7 +22679,7 @@ static struct cipher_testvec arc4_dec_tv_template[] = {
 #define TEA_ENC_TEST_VECTORS	4
 #define TEA_DEC_TEST_VECTORS	4
 
-static struct cipher_testvec tea_enc_tv_template[] = {
+static const struct cipher_testvec tea_enc_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -22722,7 +22722,7 @@ static struct cipher_testvec tea_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec tea_dec_tv_template[] = {
+static const struct cipher_testvec tea_dec_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -22771,7 +22771,7 @@ static struct cipher_testvec tea_dec_tv_template[] = {
 #define XTEA_ENC_TEST_VECTORS	4
 #define XTEA_DEC_TEST_VECTORS	4
 
-static struct cipher_testvec xtea_enc_tv_template[] = {
+static const struct cipher_testvec xtea_enc_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -22814,7 +22814,7 @@ static struct cipher_testvec xtea_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec xtea_dec_tv_template[] = {
+static const struct cipher_testvec xtea_dec_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -22863,7 +22863,7 @@ static struct cipher_testvec xtea_dec_tv_template[] = {
 #define KHAZAD_ENC_TEST_VECTORS 5
 #define KHAZAD_DEC_TEST_VECTORS 5
 
-static struct cipher_testvec khazad_enc_tv_template[] = {
+static const struct cipher_testvec khazad_enc_tv_template[] = {
 	{
 		.key	= "\x80\x00\x00\x00\x00\x00\x00\x00"
 			  "\x00\x00\x00\x00\x00\x00\x00\x00",
@@ -22909,7 +22909,7 @@ static struct cipher_testvec khazad_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec khazad_dec_tv_template[] = {
+static const struct cipher_testvec khazad_dec_tv_template[] = {
 	{
 		.key	= "\x80\x00\x00\x00\x00\x00\x00\x00"
 			  "\x00\x00\x00\x00\x00\x00\x00\x00",
@@ -22964,7 +22964,7 @@ static struct cipher_testvec khazad_dec_tv_template[] = {
 #define ANUBIS_CBC_ENC_TEST_VECTORS		2
 #define ANUBIS_CBC_DEC_TEST_VECTORS		2
 
-static struct cipher_testvec anubis_enc_tv_template[] = {
+static const struct cipher_testvec anubis_enc_tv_template[] = {
 	{
 		.key	= "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
 			  "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe",
@@ -23027,7 +23027,7 @@ static struct cipher_testvec anubis_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec anubis_dec_tv_template[] = {
+static const struct cipher_testvec anubis_dec_tv_template[] = {
 	{
 		.key	= "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
 			  "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe",
@@ -23090,7 +23090,7 @@ static struct cipher_testvec anubis_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec anubis_cbc_enc_tv_template[] = {
+static const struct cipher_testvec anubis_cbc_enc_tv_template[] = {
 	{
 		.key	= "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
 			  "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe",
@@ -23125,7 +23125,7 @@ static struct cipher_testvec anubis_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec anubis_cbc_dec_tv_template[] = {
+static const struct cipher_testvec anubis_cbc_dec_tv_template[] = {
 	{
 		.key	= "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
 			  "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe",
@@ -23166,7 +23166,7 @@ static struct cipher_testvec anubis_cbc_dec_tv_template[] = {
 #define XETA_ENC_TEST_VECTORS	4
 #define XETA_DEC_TEST_VECTORS	4
 
-static struct cipher_testvec xeta_enc_tv_template[] = {
+static const struct cipher_testvec xeta_enc_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -23209,7 +23209,7 @@ static struct cipher_testvec xeta_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec xeta_dec_tv_template[] = {
+static const struct cipher_testvec xeta_dec_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -23258,7 +23258,7 @@ static struct cipher_testvec xeta_dec_tv_template[] = {
 #define FCRYPT_ENC_TEST_VECTORS	ARRAY_SIZE(fcrypt_pcbc_enc_tv_template)
 #define FCRYPT_DEC_TEST_VECTORS	ARRAY_SIZE(fcrypt_pcbc_dec_tv_template)
 
-static struct cipher_testvec fcrypt_pcbc_enc_tv_template[] = {
+static const struct cipher_testvec fcrypt_pcbc_enc_tv_template[] = {
 	{ /* http://www.openafs.org/pipermail/openafs-devel/2000-December/005320.html */
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
 		.klen	= 8,
@@ -23319,7 +23319,7 @@ static struct cipher_testvec fcrypt_pcbc_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec fcrypt_pcbc_dec_tv_template[] = {
+static const struct cipher_testvec fcrypt_pcbc_dec_tv_template[] = {
 	{ /* http://www.openafs.org/pipermail/openafs-devel/2000-December/005320.html */
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00",
 		.klen	= 8,
@@ -23394,7 +23394,7 @@ static struct cipher_testvec fcrypt_pcbc_dec_tv_template[] = {
 #define CAMELLIA_XTS_ENC_TEST_VECTORS 5
 #define CAMELLIA_XTS_DEC_TEST_VECTORS 5
 
-static struct cipher_testvec camellia_enc_tv_template[] = {
+static const struct cipher_testvec camellia_enc_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\xfe\xdc\xba\x98\x76\x54\x32\x10",
@@ -23694,7 +23694,7 @@ static struct cipher_testvec camellia_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_dec_tv_template[] = {
+static const struct cipher_testvec camellia_dec_tv_template[] = {
 	{
 		.key	= "\x01\x23\x45\x67\x89\xab\xcd\xef"
 			  "\xfe\xdc\xba\x98\x76\x54\x32\x10",
@@ -23994,7 +23994,7 @@ static struct cipher_testvec camellia_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_cbc_enc_tv_template[] = {
+static const struct cipher_testvec camellia_cbc_enc_tv_template[] = {
 	{
 		.key    = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b"
 			  "\x51\x2e\x03\xd5\x34\x12\x00\x06",
@@ -24290,7 +24290,7 @@ static struct cipher_testvec camellia_cbc_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_cbc_dec_tv_template[] = {
+static const struct cipher_testvec camellia_cbc_dec_tv_template[] = {
 	{
 		.key    = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b"
 			  "\x51\x2e\x03\xd5\x34\x12\x00\x06",
@@ -24586,7 +24586,7 @@ static struct cipher_testvec camellia_cbc_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_ctr_enc_tv_template[] = {
+static const struct cipher_testvec camellia_ctr_enc_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -25253,7 +25253,7 @@ static struct cipher_testvec camellia_ctr_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_ctr_dec_tv_template[] = {
+static const struct cipher_testvec camellia_ctr_dec_tv_template[] = {
 	{ /* Generated with Crypto++ */
 		.key	= "\x85\x62\x3F\x1C\xF9\xD6\x1C\xF9"
 			  "\xD6\xB3\x90\x6D\x4A\x90\x6D\x4A"
@@ -25920,7 +25920,7 @@ static struct cipher_testvec camellia_ctr_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_lrw_enc_tv_template[] = {
+static const struct cipher_testvec camellia_lrw_enc_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	{
 		.key	= "\x45\x62\xac\x25\xf8\x28\x17\x6d"
@@ -26172,7 +26172,7 @@ static struct cipher_testvec camellia_lrw_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_lrw_dec_tv_template[] = {
+static const struct cipher_testvec camellia_lrw_dec_tv_template[] = {
 	/* Generated from AES-LRW test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -26425,7 +26425,7 @@ static struct cipher_testvec camellia_lrw_dec_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_xts_enc_tv_template[] = {
+static const struct cipher_testvec camellia_xts_enc_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	{
 		.key	= "\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -26767,7 +26767,7 @@ static struct cipher_testvec camellia_xts_enc_tv_template[] = {
 	},
 };
 
-static struct cipher_testvec camellia_xts_dec_tv_template[] = {
+static const struct cipher_testvec camellia_xts_dec_tv_template[] = {
 	/* Generated from AES-XTS test vectors */
 	/* same as enc vectors with input and result reversed */
 	{
@@ -27116,7 +27116,7 @@ static struct cipher_testvec camellia_xts_dec_tv_template[] = {
 #define SEED_ENC_TEST_VECTORS	4
 #define SEED_DEC_TEST_VECTORS	4
 
-static struct cipher_testvec seed_enc_tv_template[] = {
+static const struct cipher_testvec seed_enc_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -27158,7 +27158,7 @@ static struct cipher_testvec seed_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec seed_dec_tv_template[] = {
+static const struct cipher_testvec seed_dec_tv_template[] = {
 	{
 		.key    = zeroed_string,
 		.klen	= 16,
@@ -27201,7 +27201,7 @@ static struct cipher_testvec seed_dec_tv_template[] = {
 };
 
 #define SALSA20_STREAM_ENC_TEST_VECTORS 5
-static struct cipher_testvec salsa20_stream_enc_tv_template[] = {
+static const struct cipher_testvec salsa20_stream_enc_tv_template[] = {
 	/*
 	* Testvectors from verified.test-vectors submitted to ECRYPT.
 	* They are truncated to size 39, 64, 111, 129 to test a variety
@@ -28375,7 +28375,7 @@ static struct cipher_testvec salsa20_stream_enc_tv_template[] = {
  */
 #define CTS_MODE_ENC_TEST_VECTORS 6
 #define CTS_MODE_DEC_TEST_VECTORS 6
-static struct cipher_testvec cts_mode_enc_tv_template[] = {
+static const struct cipher_testvec cts_mode_enc_tv_template[] = {
 	{ /* from rfc3962 */
 		.klen	= 16,
 		.key    = "\x63\x68\x69\x63\x6b\x65\x6e\x20"
@@ -28477,7 +28477,7 @@ static struct cipher_testvec cts_mode_enc_tv_template[] = {
 	}
 };
 
-static struct cipher_testvec cts_mode_dec_tv_template[] = {
+static const struct cipher_testvec cts_mode_dec_tv_template[] = {
 	{ /* from rfc3962 */
 		.klen	= 16,
 		.key    = "\x63\x68\x69\x63\x6b\x65\x6e\x20"
@@ -28606,7 +28606,7 @@ struct pcomp_testvec {
 #define DEFLATE_COMP_TEST_VECTORS 2
 #define DEFLATE_DECOMP_TEST_VECTORS 2
 
-static struct comp_testvec deflate_comp_tv_template[] = {
+static const struct comp_testvec deflate_comp_tv_template[] = {
 	{
 		.inlen	= 70,
 		.outlen	= 38,
@@ -28642,7 +28642,7 @@ static struct comp_testvec deflate_comp_tv_template[] = {
 	},
 };
 
-static struct comp_testvec deflate_decomp_tv_template[] = {
+static const struct comp_testvec deflate_decomp_tv_template[] = {
 	{
 		.inlen	= 122,
 		.outlen	= 191,
@@ -28731,7 +28731,7 @@ static const struct {
 	}
 };
 
-static struct pcomp_testvec zlib_comp_tv_template[] = {
+static const struct pcomp_testvec zlib_comp_tv_template[] = {
 	{
 		.params = &deflate_comp_params,
 		.paramsize = sizeof(deflate_comp_params),
@@ -28771,7 +28771,7 @@ static struct pcomp_testvec zlib_comp_tv_template[] = {
 	},
 };
 
-static struct pcomp_testvec zlib_decomp_tv_template[] = {
+static const struct pcomp_testvec zlib_decomp_tv_template[] = {
 	{
 		.params = &deflate_decomp_params,
 		.paramsize = sizeof(deflate_decomp_params),
@@ -28817,7 +28817,7 @@ static struct pcomp_testvec zlib_decomp_tv_template[] = {
 #define LZO_COMP_TEST_VECTORS 2
 #define LZO_DECOMP_TEST_VECTORS 2
 
-static struct comp_testvec lzo_comp_tv_template[] = {
+static const struct comp_testvec lzo_comp_tv_template[] = {
 	{
 		.inlen	= 70,
 		.outlen	= 57,
@@ -28857,7 +28857,7 @@ static struct comp_testvec lzo_comp_tv_template[] = {
 	},
 };
 
-static struct comp_testvec lzo_decomp_tv_template[] = {
+static const struct comp_testvec lzo_decomp_tv_template[] = {
 	{
 		.inlen	= 133,
 		.outlen	= 159,
@@ -28900,7 +28900,7 @@ static struct comp_testvec lzo_decomp_tv_template[] = {
  */
 #define MICHAEL_MIC_TEST_VECTORS 6
 
-static struct hash_testvec michael_mic_tv_template[] = {
+static const struct hash_testvec michael_mic_tv_template[] = {
 	{
 		.key = "\x00\x00\x00\x00\x00\x00\x00\x00",
 		.ksize = 8,
@@ -28950,7 +28950,7 @@ static struct hash_testvec michael_mic_tv_template[] = {
  */
 #define CRC32C_TEST_VECTORS 15
 
-static struct hash_testvec crc32c_tv_template[] = {
+static const struct hash_testvec crc32c_tv_template[] = {
 	{
 		.psize = 0,
 		.digest = "\x00\x00\x00\x00",
@@ -29388,7 +29388,7 @@ static struct hash_testvec crc32c_tv_template[] = {
  */
 #define BFIN_CRC_TEST_VECTORS 6
 
-static struct hash_testvec bfin_crc_tv_template[] = {
+static const struct hash_testvec bfin_crc_tv_template[] = {
 	{
 		.psize = 0,
 		.digest = "\x00\x00\x00\x00",
@@ -29476,7 +29476,7 @@ static struct hash_testvec bfin_crc_tv_template[] = {
 #define LZ4_COMP_TEST_VECTORS 1
 #define LZ4_DECOMP_TEST_VECTORS 1
 
-static struct comp_testvec lz4_comp_tv_template[] = {
+static const struct comp_testvec lz4_comp_tv_template[] = {
 	{
 		.inlen	= 70,
 		.outlen	= 45,
@@ -29491,7 +29491,7 @@ static struct comp_testvec lz4_comp_tv_template[] = {
 	},
 };
 
-static struct comp_testvec lz4_decomp_tv_template[] = {
+static const struct comp_testvec lz4_decomp_tv_template[] = {
 	{
 		.inlen	= 45,
 		.outlen	= 70,
@@ -29509,7 +29509,7 @@ static struct comp_testvec lz4_decomp_tv_template[] = {
 #define LZ4HC_COMP_TEST_VECTORS 1
 #define LZ4HC_DECOMP_TEST_VECTORS 1
 
-static struct comp_testvec lz4hc_comp_tv_template[] = {
+static const struct comp_testvec lz4hc_comp_tv_template[] = {
 	{
 		.inlen	= 70,
 		.outlen	= 45,
@@ -29524,7 +29524,7 @@ static struct comp_testvec lz4hc_comp_tv_template[] = {
 	},
 };
 
-static struct comp_testvec lz4hc_decomp_tv_template[] = {
+static const struct comp_testvec lz4hc_decomp_tv_template[] = {
 	{
 		.inlen	= 45,
 		.outlen	= 70,
-- 
2.1.3

[PATCH v2 15/25] crypto: testmgr - Merge seed arrays in struct cprng_testvec

[George Spelvin]

The current code stores three pointers to three arrays, and three lengths,
and then has to kmalloc an array just to concatenate them.

This seems ridiculous.  Just store one combined array and combined
length, and don't do any reformatting at run-time.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/testmgr.c | 37 ++++++---------------
 crypto/testmgr.h | 98 +++++++++++++++++++++++++-------------------------------
 2 files changed, 53 insertions(+), 82 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 9f4746eb..0e179c72 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1455,33 +1455,17 @@ static int test_cprng(struct crypto_rng *tfm,
 		      const struct cprng_testvec *template, unsigned int tcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
-	int err = 0, i, j, seedsize;
-	u8 *seed;
-	char result[32];
-
-	seedsize = crypto_rng_seedsize(tfm);
-
-	seed = kmalloc(seedsize, GFP_KERNEL);
-	if (!seed) {
-		printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
-		       "for %s\n", algo);
-		return -ENOMEM;
-	}
+	int err = 0, i, j;
+	u8 result[32];
 
 	for (i = 0; i < tcount; i++) {
-		memset(result, 0, 32);
+		memset(result, 0, sizeof result);
 
-		memcpy(seed, template[i].v, template[i].vlen);
-		memcpy(seed + template[i].vlen, template[i].key,
-		       template[i].klen);
-		memcpy(seed + template[i].vlen + template[i].klen,
-		       template[i].dt, template[i].dtlen);
-
-		err = crypto_rng_reset(tfm, seed, seedsize);
+		err = crypto_rng_reset(tfm, template[i].seed, template[i].slen);
 		if (err) {
 			printk(KERN_ERR "alg: cprng: Failed to reset rng "
 			       "for %s\n", algo);
-			goto out;
+			break;
 		}
 
 		for (j = 0; j < template[i].loops; j++) {
@@ -1492,23 +1476,20 @@ static int test_cprng(struct crypto_rng *tfm,
 				       "the correct amount of random data for "
 				       "%s (requested %d, got %d)\n", algo,
 				       template[i].rlen, err);
-				goto out;
+				break;
 			}
 		}
 
-		err = memcmp(result, template[i].result,
-			     template[i].rlen);
+		err = memcmp(result, template[i].result, template[i].rlen);
 		if (err) {
 			printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
 			       i, algo);
 			hexdump(result, template[i].rlen);
 			err = -EINVAL;
-			goto out;
+			break;
 		}
 	}
 
-out:
-	kfree(seed);
 	return err;
 }
 
@@ -1730,6 +1711,8 @@ static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
 
 	crypto_free_rng(rng);
 
+printk("alg_test_cprng: testing %s: err %d\n", driver, err);
+
 	return err;
 }
 
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 306a33b2..af346520 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -81,14 +81,10 @@ struct aead_testvec {
 };
 
 struct cprng_testvec {
-	const char *key;
-	const char *dt;
-	const char *v;
+	const char *seed;
 	const char *result;
-	unsigned char klen;
-	unsigned short dtlen;
-	unsigned short vlen;
-	unsigned short rlen;
+	unsigned char slen;
+	unsigned char rlen;
 	unsigned short loops;
 };
 
@@ -20708,90 +20704,82 @@ static const struct aead_testvec aes_ccm_rfc4309_dec_tv_template[] = {
  * test vectors, taken from Appendix B.2.9 and B.2.10:
  *     http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
  * Only AES-128 is supported at this time.
+ *
+ * CPRNGs take a single seed argument.  For this algorithm, it consists
+ * of the concatenation of the initial vector V, the key, and (optional)
+ * the initial DT.
  */
 #define ANSI_CPRNG_AES_TEST_VECTORS	6
 
 static const struct cprng_testvec ansi_cprng_aes_tv_template[] = {
 	{
-		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
-			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
-		.klen	= 16,
-		.dt	= "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"
+		.seed	= "\x80\x00\x00\x00\x00\x00\x00\x00"	/* V[16] */
+			  "\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\xf3\xb1\x66\x6d\x13\x60\x72\x42"	/* Key[16] */
+			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02"
+			  "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"	/* DT[16] */
 			  "\xd7\x1d\x4a\xfb\xb0\xe9\x22\xf9",
-		.dtlen	= 16,
-		.v	= "\x80\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x59\x53\x1e\xd1\x3b\xb0\xc0\x55"
 			  "\x84\x79\x66\x85\xc1\x2f\x76\x41",
 		.rlen	= 16,
 		.loops	= 1,
 	}, {
-		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
-			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
-		.klen	= 16,
-		.dt	= "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"
+		.seed	= "\xc0\x00\x00\x00\x00\x00\x00\x00"	/* V */
+			  "\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\xf3\xb1\x66\x6d\x13\x60\x72\x42"	/* Key */
+			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02"
+			  "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"	/* DT */
 			  "\xd7\x1d\x4a\xfb\xb0\xe9\x22\xfa",
-		.dtlen	= 16,
-		.v	= "\xc0\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x7c\x22\x2c\xf4\xca\x8f\xa2\x4c"
 			  "\x1c\x9c\xb6\x41\xa9\xf3\x22\x0d",
 		.rlen	= 16,
 		.loops	= 1,
 	}, {
-		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
-			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
-		.klen	= 16,
-		.dt	= "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"
+		.seed	= "\xe0\x00\x00\x00\x00\x00\x00\x00"	/* V */
+			  "\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\xf3\xb1\x66\x6d\x13\x60\x72\x42"	/* Key */
+			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02"
+			  "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"	/* DT */
 			  "\xd7\x1d\x4a\xfb\xb0\xe9\x22\xfb",
-		.dtlen	= 16,
-		.v	= "\xe0\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x8a\xaa\x00\x39\x66\x67\x5b\xe5"
 			  "\x29\x14\x28\x81\xa9\x4d\x4e\xc7",
 		.rlen	= 16,
 		.loops	= 1,
 	}, {
-		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
-			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
-		.klen	= 16,
-		.dt	= "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"
+		.seed	= "\xf0\x00\x00\x00\x00\x00\x00\x00"	/* V */
+			  "\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\xf3\xb1\x66\x6d\x13\x60\x72\x42"	/* Key */
+			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02"
+			  "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"	/* DT */
 			  "\xd7\x1d\x4a\xfb\xb0\xe9\x22\xfc",
-		.dtlen	= 16,
-		.v	= "\xf0\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x88\xdd\xa4\x56\x30\x24\x23\xe5"
 			  "\xf6\x9d\xa5\x7e\x7b\x95\xc7\x3a",
 		.rlen	= 16,
 		.loops	= 1,
 	}, {
-		.key	= "\xf3\xb1\x66\x6d\x13\x60\x72\x42"
-			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02",
-		.klen	= 16,
-		.dt	= "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"
+		.seed	= "\xf8\x00\x00\x00\x00\x00\x00\x00"	/* V */
+			  "\x00\x00\x00\x00\x00\x00\x00\x00"
+			  "\xf3\xb1\x66\x6d\x13\x60\x72\x42"	/* Key */
+			  "\xed\x06\x1c\xab\xb8\xd4\x62\x02"
+			  "\xe6\xb3\xbe\x78\x2a\x23\xfa\x62"	/* DT */
 			  "\xd7\x1d\x4a\xfb\xb0\xe9\x22\xfd",
-		.dtlen	= 16,
-		.v	= "\xf8\x00\x00\x00\x00\x00\x00\x00"
-			  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x05\x25\x92\x46\x61\x79\xd2\xcb"
 			  "\x78\xc4\x0b\x14\x0a\x5a\x9a\xc8",
 		.rlen	= 16,
 		.loops	= 1,
 	}, {	/* Monte Carlo Test */
-		.key	= "\x9f\x5b\x51\x20\x0b\xf3\x34\xb5"
-			  "\xd8\x2b\xe8\xc3\x72\x55\xc8\x48",
-		.klen	= 16,
-		.dt	= "\x63\x76\xbb\xe5\x29\x02\xba\x3b"
+		.seed	= "\x57\x2c\x8e\x76\x87\x26\x47\x97"	/* V */
+			  "\x7e\x74\xfb\xdd\xc4\x95\x01\xd1"
+			  "\x9f\x5b\x51\x20\x0b\xf3\x34\xb5"	/* Key */
+			  "\xd8\x2b\xe8\xc3\x72\x55\xc8\x48"
+			  "\x63\x76\xbb\xe5\x29\x02\xba\x3b"	/* DT */
 			  "\x67\xc9\x25\xfa\x70\x1f\x11\xac",
-		.dtlen	= 16,
-		.v	= "\x57\x2c\x8e\x76\x87\x26\x47\x97"
-			  "\x7e\x74\xfb\xdd\xc4\x95\x01\xd1",
-		.vlen	= 16,
+		.slen	= 48,
 		.result	= "\x48\xe9\xbd\x0d\x06\xee\x18\xfb"
 			  "\xe4\x57\x90\xd5\xc3\xfc\x9b\x73",
 		.rlen	= 16,
-- 
2.1.3

[PATCH v2 16/25] crypto: testmgr - Report failure on zero-length crypto_rng_get_bytes

[George Spelvin]

If crypto_rng_get_bytes returns an error code, returning it is a good
idea, but if it simply returns zero, the test shouldn't abort successfully.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/testmgr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 0e179c72..9faf265f 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1476,6 +1476,8 @@ static int test_cprng(struct crypto_rng *tfm,
 				       "the correct amount of random data for "
 				       "%s (requested %d, got %d)\n", algo,
 				       template[i].rlen, err);
+				if (err >= 0)
+					err = -EINVAL;
 				break;
 			}
 		}
-- 
2.1.3

[PATCH v2 17/25] crypto: testmgr - Don't crash if CPRNG test result is large

[George Spelvin]

The idea is to catch as many programmer mistakes as possible.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/testmgr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 9faf265f..6bf43682 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1459,6 +1459,11 @@ static int test_cprng(struct crypto_rng *tfm,
 	u8 result[32];
 
 	for (i = 0; i < tcount; i++) {
+		if (template[i].rlen > sizeof(result)) {
+			printk(KERN_CRIT "alg: cprng: Cannot test %s\n", algo);
+			err = -EOVERFLOW;
+			break;
+		}
 		memset(result, 0, sizeof result);
 
 		err = crypto_rng_reset(tfm, template[i].seed, template[i].slen);
-- 
2.1.3

[PATCH v2 18/25] crypto: testmgr - Add CPRNG stutter test.

[George Spelvin]

This is a test for the kind of bug that caused CVE-2013-4345,
which was in the code that adapted from fixed-size cipher blocks
to arbitrary-sized reads.

This does every known answer test twice: the first time using
block-aligned reads (assuming the known answer is a full block),
and a second time using reads of size 0, 1, 2, ... 61, 0, 1, ...

A simple 32-bit hash of all of the output bytes (not just the known
ones) is compared between the two.  Any error in the bookkeeping
will result in a mismatch.

A non-cryptographic hash suffices to detect coding errors.
We just need something better than an additive checksum, because
transposition is possible.

The maximum read size (61) is chosen so the pattern repeats
after 1891 = 31 * 61 bytes.  If this is relatively prime to the
CPRNG's internal buffer size, a long enough test will eventually
explore every possible read size at every possible alignment in
the CPRNG's internal buffer.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/testmgr.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 89 insertions(+), 9 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 6bf43682..a15860ad 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1455,11 +1455,15 @@ static int test_cprng(struct crypto_rng *tfm,
 		      const struct cprng_testvec *template, unsigned int tcount)
 {
 	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
-	int err = 0, i, j;
-	u8 result[32];
+	int err = 0, i;
 
 	for (i = 0; i < tcount; i++) {
-		if (template[i].rlen > sizeof(result)) {
+		int j, k, bytes;
+		u32 hash1 = 0, hash2 = 0;
+		u8 result[61];		/* See below for size advice */
+		int rlen = template[i].rlen;
+
+		if (rlen > sizeof(result)) {
 			printk(KERN_CRIT "alg: cprng: Cannot test %s\n", algo);
 			err = -EOVERFLOW;
 			break;
@@ -1468,33 +1472,109 @@ static int test_cprng(struct crypto_rng *tfm,
 
 		err = crypto_rng_reset(tfm, template[i].seed, template[i].slen);
 		if (err) {
+fail_reset:
 			printk(KERN_ERR "alg: cprng: Failed to reset rng "
 			       "for %s\n", algo);
 			break;
 		}
 
 		for (j = 0; j < template[i].loops; j++) {
-			err = crypto_rng_get_bytes(tfm, result,
-						   template[i].rlen);
-			if (err != template[i].rlen) {
+			err = crypto_rng_get_bytes(tfm, result, rlen);
+			if (err != rlen) {
+fail_get:
 				printk(KERN_ERR "alg: cprng: Failed to obtain "
 				       "the correct amount of random data for "
 				       "%s (requested %d, got %d)\n", algo,
-				       template[i].rlen, err);
+				       rlen, err);
 				if (err >= 0)
 					err = -EINVAL;
 				break;
 			}
+			/* Compute simple hash for use by stutter test */
+			for (k = 0; k < rlen; k++) {
+				hash1 += result[k];
+				hash1 += hash1 << 10;
+				hash1 ^= hash1 >> 6;
+			}
 		}
 
-		err = memcmp(result, template[i].result, template[i].rlen);
+		err = memcmp(result, template[i].result, rlen);
 		if (err) {
 			printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
 			       i, algo);
-			hexdump(result, template[i].rlen);
+			hexdump(result, rlen);
 			err = -EINVAL;
 			break;
 		}
+
+		/*
+		 * Stutter test: repeat the computation, using odd-sized
+		 * reads.  This is to verify the output deblocking code,
+		 * which was the source of CVE-2013-4345.  So we read
+		 * from the RNG in 0, 1, 2, 3, 4, 5, ... byte chunks.
+		 *
+		 * When the read size reaches the size of our buffer,
+		 * the read size starts back at 0.
+		 *
+		 * For the current buffer size of 61, that happens after
+		 * 1891 = 31 * 61 bytes.  If this is relatively prime to
+		 * the CPRNG's internal state size, this will, if the test
+		 * is long enough, do every possible read size starting
+		 * at every possible offset in the CPRNG's internal state.
+		 *
+		 * The basic requirement to produce an odd total that
+		 * will be relatively prime to power-of-two state sizes
+		 * is that it be congruent to 1 or 2 mod 4.
+		 *
+		 * If you want to worry about larger factors, try:
+		 *  13:    91 =  7 * 13     73:  2701 = 37 * 73
+		 *  22:   253 = 11 * 23     82:  3403 = 41 * 83
+		 *  46:  1081 = 23 * 47    106:  5671 = 53 * 107
+		 *  58:  1711 = 29 * 59    157: 12403 = 79 * 157
+		 *  61:  1891 = 31 * 61    166: 13861 = 83 * 167
+		 *
+		 * The complete output streams are compared using a
+		 * non-cryptographic hash over the output bytes, which
+		 * is sufficient for the class of errors this is designed
+		 * to detect.
+		 */
+		err = crypto_rng_reset(tfm, template[i].seed, template[i].slen);
+		if (err)
+			goto fail_reset;
+
+		bytes = template[i].rlen * template[i].loops;
+		rlen = 0;
+		for (rlen = 0; ; rlen++) {
+			if (rlen > sizeof(result)) {
+				rlen = 0;
+			} else if (rlen > bytes) {
+				if (!bytes)
+					break;
+				rlen = bytes;
+			}
+			bytes -= rlen;
+			err = crypto_rng_get_bytes(tfm, result, rlen);
+			if (err != rlen)
+				goto fail_get;
+			/*
+			 * This is Bob Jenkins' one-at-a-time hash.
+			 * We just want something simple, byte-at-a-time,
+			 * and sensitive to transpositions, which a plain
+			 * additive checksum isn't.
+			 */
+			for (k = 0; k < rlen; k++) {
+				hash2 += result[k];
+				hash2 += hash2 << 10;
+				hash2 ^= hash2 >> 6;
+			}
+		}
+		if (hash1 != hash2) {
+			printk(KERN_ERR "alg: cprng: Stutter test %d failed "
+			       "for %s: %08x != %08x\n", i, algo, hash1, hash2);
+			err = -EINVAL;
+			break;
+		}
+		err = 0;
 	}
 
 	return err;
-- 
2.1.3

[PATCH v2 19/25] crypto: ansi_cprng - simplify get_prng_bytes

[George Spelvin]

The crypto is so slow that there's no point unrolling this function.

A simpler and clearer implementation will do just fine.

Two other changes:
1. Move the debug print outside the spinlock;
2. Move all modification of rand_data_valid out of _get_more_prng_bytes;
   that variable belongs to the byte-at-a-time layer outside the
   block-oriented primitive.

This is the code that gave us CVE-2013-4345; it's full of corner cases
which the standard test vectors don't exercise.  The stutter test was
created to exercise it.  (And yes, it did catch problems during
development.)

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 74 ++++++++++++++++++-----------------------------------
 1 file changed, 25 insertions(+), 49 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index c1c81266..a8cf98a5 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -145,7 +145,6 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	hexdump("DT'", ctx->DT);
 
 	dbgprint("Returning new block for context %p\n", ctx);
-	ctx->rand_data_valid = 0;
 
 	return 0;
 }
@@ -156,68 +155,45 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 {
 	u8 *ptr = buf;
 	unsigned int byte_count = nbytes;
-	int err;
+	unsigned int read_pos;
+	int err = -EINVAL;
 
+	dbgprint(KERN_CRIT "getting %u random bytes for context %p\n",
+		nbytes, ctx);
 
 	spin_lock_bh(&ctx->prng_lock);
 
-	err = -EINVAL;
 	if (ctx->flags & PRNG_NEED_RESET)
 		goto done;
 
-	err = byte_count;
-
-	dbgprint(KERN_CRIT "getting %d random bytes for context %p\n",
-		byte_count, ctx);
-
-
-remainder:
-	if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
-		if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
-			memset(buf, 0, nbytes);
-			err = -EINVAL;
-			goto done;
-		}
-	}
-
-	/*
-	 * Copy any data less than an entire block
-	 */
-	if (byte_count < DEFAULT_BLK_SZ) {
-empty_rbuf:
-		while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
-			*ptr = ctx->rand_data[ctx->rand_data_valid];
-			ptr++;
-			byte_count--;
-			ctx->rand_data_valid++;
-			if (byte_count == 0)
-				goto done;
-		}
-	}
-
-	/*
-	 * Now copy whole blocks
-	 */
-	for (; byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) {
-		if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
+	read_pos = ctx->rand_data_valid;
+	if (byte_count > DEFAULT_BLK_SZ - read_pos) {
+		/* Leading partial block */
+		unsigned int avail = DEFAULT_BLK_SZ - read_pos;
+
+		memcpy(ptr, ctx->rand_data + read_pos, avail);
+		ptr += avail;
+		byte_count -= avail;
+		read_pos = 0;
+
+		/* Intermediate full blocks */
+		for (;;) {
 			if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
 				memset(buf, 0, nbytes);
-				err = -EINVAL;
 				goto done;
 			}
+			if (byte_count < DEFAULT_BLK_SZ)
+				break;
+			memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
+			ptr += DEFAULT_BLK_SZ;
+			byte_count -= DEFAULT_BLK_SZ;
 		}
-		if (ctx->rand_data_valid > 0)
-			goto empty_rbuf;
-		memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
-		ctx->rand_data_valid += DEFAULT_BLK_SZ;
-		ptr += DEFAULT_BLK_SZ;
 	}
 
-	/*
-	 * Now go back and get any remaining partial block
-	 */
-	if (byte_count)
-		goto remainder;
+	/* The final partial block; read_pos + byte_count <= DEFAULT_BLK_SZ */
+	memcpy(ptr, ctx->rand_data + read_pos, byte_count);
+	ctx->rand_data_valid = read_pos + byte_count;
+	err = nbytes;
 
 done:
 	spin_unlock_bh(&ctx->prng_lock);
-- 
2.1.3

[PATCH v2 20/25] crypto: ansi_cprng - simplify xor_vectors() to xor_block()

[George Spelvin]

It doesn't need a second input or a length parameter.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index a8cf98a5..f345b575 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -63,15 +63,14 @@ if (dbg)\
 	printk(format, ##args);\
 } while (0)
 
-static void xor_vectors(const u8 *in1, const u8 *in2,
-			u8 *out, unsigned int size)
+static void xor_block(const u8 in[DEFAULT_BLK_SZ], u8 out[DEFAULT_BLK_SZ])
 {
 	int i;
 
-	for (i = 0; i < size; i++)
-		out[i] = in1[i] ^ in2[i];
-
+	for (i = 0; i < DEFAULT_BLK_SZ; i++)
+		out[i] ^= in[i];
 }
+
 /*
  * Returns DEFAULT_BLK_SZ bytes of random data per call
  * returns 0 if generation succeeded, <0 if something went wrong
@@ -100,7 +99,7 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	 * keep that output in ctx->V for the moment; we need the
 	 * previous rand_data for ons more thing.
 	 */
-	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+	xor_block(tmp, ctx->V);
 	hexdump("V^I", ctx->V);
 	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
 	hexdump("R", ctx->V);
@@ -128,7 +127,7 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	 * Lastly xor the random data with I and encrypt that to obtain
 	 * a new secret vector V.
 	 */
-	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+	xor_block(tmp, ctx->V);
 	hexdump("R^I", ctx->V);
 	memzero_explicit(tmp, DEFAULT_BLK_SZ);
 	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
-- 
2.1.3

[PATCH v2 21/25] crypto: ansi_cprng - Rename rand_data_valid more sensibly

[George Spelvin]

Since it counts the number of bytes in rand_data which have been output,
and are no longer available for output, it's hardly a count of
"valid" bytes.  rand_data_pos is more appropriate.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index f345b575..f3e280c4 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -41,7 +41,7 @@
 struct prng_context {
 	spinlock_t prng_lock;
 	u8 flags;
-	u8 rand_data_valid;
+	u8 rand_read_pos;
 	u8 rand_data[DEFAULT_BLK_SZ];
 	u8 DT[DEFAULT_BLK_SZ];
 	u8 V[DEFAULT_BLK_SZ];
@@ -165,7 +165,7 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 	if (ctx->flags & PRNG_NEED_RESET)
 		goto done;
 
-	read_pos = ctx->rand_data_valid;
+	read_pos = ctx->rand_read_pos;
 	if (byte_count > DEFAULT_BLK_SZ - read_pos) {
 		/* Leading partial block */
 		unsigned int avail = DEFAULT_BLK_SZ - read_pos;
@@ -191,7 +191,7 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 
 	/* The final partial block; read_pos + byte_count <= DEFAULT_BLK_SZ */
 	memcpy(ptr, ctx->rand_data + read_pos, byte_count);
-	ctx->rand_data_valid = read_pos + byte_count;
+	ctx->rand_read_pos = read_pos + byte_count;
 	err = nbytes;
 
 done:
@@ -213,7 +213,7 @@ static int reset_prng_context(struct prng_context *ctx, const u8 *key,
 
 	spin_lock_bh(&ctx->prng_lock);
 	ctx->flags |= PRNG_NEED_RESET;
-	ctx->rand_data_valid = DEFAULT_BLK_SZ;
+	ctx->rand_read_pos = DEFAULT_BLK_SZ;
 
 	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
 
@@ -324,7 +324,7 @@ static int fips_cprng_reset(struct crypto_rng *tfm, const u8 *seed,
 
 	/* this primes our continuity test */
 	rc = _get_more_prng_bytes(prng, false);
-	prng->rand_data_valid = DEFAULT_BLK_SZ;
+	prng->rand_read_pos = DEFAULT_BLK_SZ;
 
 out:
 	return rc;
-- 
2.1.3

[PATCH v2 22/25] crypto: ansi_cprng - Tweak comments

[George Spelvin]

It's not based on the NIST-recommended algorithm, it *is* the
NIST-recommended algorithm, and has even passed their validation
tests.

Also make clear that it's intended to be a determinsitic generator,
despite the confusing name of the DT vector.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index f3e280c4..9c8475a2 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -1,7 +1,9 @@
 /*
- * PRNG: Pseudo Random Number Generator
- *       Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
- *       AES 128 cipher
+ * PRNG: This is the "NIST-Recommended Random Number Generator Based
+ *	 on ANSI X9.31 Appendix A.2.4" using the AES 128 cipher.
+ *	 Many specific kernel snapshots have collected validations from
+ *	 the NIST RNG Validation System; results are available at
+ *	 http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html
  *
  *  (C) Neil Horman <nhorman@tuxdriver.com>
  *
@@ -9,8 +11,6 @@
  *  under the terms of the GNU General Public License as published by the
  *  Free Software Foundation; either version 2 of the License, or (at your
  *  any later version.
- *
- *
  */
 
 #include <crypto/internal/rng.h>
@@ -36,7 +36,12 @@
  * Note: DT is our counter value
  *	 V is our seed vector
  * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
- * for implementation details
+ * for implementation details.
+ *
+ * Note that even though DT stands for "date/time", since this is a
+ * deterministic pseudo-random generator, it is a determinsitic counter,
+ * not a timestamp.  Its function is not to inject seed entropy, but to
+ * ensure a long period in the output.
  */
 struct prng_context {
 	spinlock_t prng_lock;
-- 
2.1.3

[PATCH v2 23/25] crypto: ansi_cprng - Introduce a "union cipherblock"

[George Spelvin]

This ensures alignment and makes xor_block more efficient,
but it's mostly in preparation for later changes.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 73 ++++++++++++++++++++++++++++++-----------------------
 1 file changed, 41 insertions(+), 32 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 9c8475a2..4d256d74 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -25,6 +25,15 @@
 
 #define DEFAULT_PRNG_KSZ 16
 #define DEFAULT_BLK_SZ 16
+#define BLK_INTS ((DEFAULT_BLK_SZ + 3) / 4)
+#define BLK_LONGS ((DEFAULT_BLK_SZ + 7) / 8)
+
+/* An aligned buffer thant can be accessed various ways */
+union cipherblock {
+	u8 b[DEFAULT_BLK_SZ];
+	u32 i[BLK_INTS];
+	u64 l[BLK_LONGS];
+};
 
 /*
  * Flags for the prng_context flags field
@@ -47,15 +56,15 @@ struct prng_context {
 	spinlock_t prng_lock;
 	u8 flags;
 	u8 rand_read_pos;
-	u8 rand_data[DEFAULT_BLK_SZ];
-	u8 DT[DEFAULT_BLK_SZ];
-	u8 V[DEFAULT_BLK_SZ];
+	union cipherblock rand_data;
+	union cipherblock DT;
+	union cipherblock V;
 	struct crypto_cipher *tfm;
 };
 
 static int dbg;
 
-static void hexdump(char const *note, const u8 buf[DEFAULT_BLK_SZ])
+static void hexdump(char const *note, const union cipherblock *buf)
 {
 	if (dbg) {
 		printk(KERN_CRIT "%s = %" __stringify(DEFAULT_BLK_SZ) "phN",
@@ -68,11 +77,11 @@ if (dbg)\
 	printk(format, ##args);\
 } while (0)
 
-static void xor_block(const u8 in[DEFAULT_BLK_SZ], u8 out[DEFAULT_BLK_SZ])
+static void xor_block(const u64 in[BLK_LONGS], u64 out[BLK_LONGS])
 {
 	int i;
 
-	for (i = 0; i < DEFAULT_BLK_SZ; i++)
+	for (i = 0; i < BLK_LONGS; i++)
 		out[i] ^= in[i];
 }
 
@@ -83,20 +92,20 @@ static void xor_block(const u8 in[DEFAULT_BLK_SZ], u8 out[DEFAULT_BLK_SZ])
 static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 {
 	int i;
-	u8 tmp[DEFAULT_BLK_SZ];
+	union cipherblock tmp;
 
 	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
 		ctx);
 
-	hexdump("DT", ctx->DT);
-	hexdump("V", ctx->V);
+	hexdump("DT", &ctx->DT);
+	hexdump("V", &ctx->V);
 
 	/*
 	 * Start by encrypting the counter value
 	 * This gives us an intermediate value I (stored in tmp)
 	 */
-	crypto_cipher_encrypt_one(ctx->tfm, tmp, ctx->DT);
-	hexdump("I", tmp);
+	crypto_cipher_encrypt_one(ctx->tfm, tmp.b, ctx->DT.b);
+	hexdump("I", &tmp);
 
 	/*
 	 * Next xor I with our secret vector V.  Encrypt that result
@@ -104,16 +113,16 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	 * keep that output in ctx->V for the moment; we need the
 	 * previous rand_data for ons more thing.
 	 */
-	xor_block(tmp, ctx->V);
-	hexdump("V^I", ctx->V);
-	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
-	hexdump("R", ctx->V);
+	xor_block(tmp.l, ctx->V.l);
+	hexdump("V^I", &ctx->V);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->V.b, ctx->V.b);
+	hexdump("R", &ctx->V);
 
 	/*
 	 * Check that we didn't produce the same random data that we
 	 * did last time around.
 	 */
-	if (!memcmp(ctx->V, ctx->rand_data, DEFAULT_BLK_SZ)) {
+	if (!memcmp(ctx->V.b, ctx->rand_data.b, DEFAULT_BLK_SZ)) {
 		if (cont_test) {
 			panic("cprng %p Failed repetition check!\n", ctx);
 		}
@@ -126,27 +135,27 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	/*
 	 * Okay, the new data is okay, copy it to the buffer.
 	 */
-	memcpy(ctx->rand_data, ctx->V, DEFAULT_BLK_SZ);
+	ctx->rand_data = ctx->V;
 
 	/*
 	 * Lastly xor the random data with I and encrypt that to obtain
 	 * a new secret vector V.
 	 */
-	xor_block(tmp, ctx->V);
-	hexdump("R^I", ctx->V);
-	memzero_explicit(tmp, DEFAULT_BLK_SZ);
-	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
-	hexdump("V'", ctx->V);
+	xor_block(tmp.l, ctx->V.l);
+	hexdump("R^I", &ctx->V);
+	memzero_explicit(tmp.b, DEFAULT_BLK_SZ);
+	crypto_cipher_encrypt_one(ctx->tfm, ctx->V.b, ctx->V.b);
+	hexdump("V'", &ctx->V);
 
 	/*
 	 * Now update our DT value
 	 */
 	for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
-		ctx->DT[i] += 1;
-		if (ctx->DT[i] != 0)
+		ctx->DT.b[i] += 1;
+		if (ctx->DT.b[i] != 0)
 			break;
 	}
-	hexdump("DT'", ctx->DT);
+	hexdump("DT'", &ctx->DT);
 
 	dbgprint("Returning new block for context %p\n", ctx);
 
@@ -175,7 +184,7 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 		/* Leading partial block */
 		unsigned int avail = DEFAULT_BLK_SZ - read_pos;
 
-		memcpy(ptr, ctx->rand_data + read_pos, avail);
+		memcpy(ptr, ctx->rand_data.b + read_pos, avail);
 		ptr += avail;
 		byte_count -= avail;
 		read_pos = 0;
@@ -188,14 +197,14 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 			}
 			if (byte_count < DEFAULT_BLK_SZ)
 				break;
-			memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
+			memcpy(ptr, ctx->rand_data.b, DEFAULT_BLK_SZ);
 			ptr += DEFAULT_BLK_SZ;
 			byte_count -= DEFAULT_BLK_SZ;
 		}
 	}
 
 	/* The final partial block; read_pos + byte_count <= DEFAULT_BLK_SZ */
-	memcpy(ptr, ctx->rand_data + read_pos, byte_count);
+	memcpy(ptr, ctx->rand_data.b + read_pos, byte_count);
 	ctx->rand_read_pos = read_pos + byte_count;
 	err = nbytes;
 
@@ -220,13 +229,13 @@ static int reset_prng_context(struct prng_context *ctx, const u8 *key,
 	ctx->flags |= PRNG_NEED_RESET;
 	ctx->rand_read_pos = DEFAULT_BLK_SZ;
 
-	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
+	memset(ctx->rand_data.b, 0, DEFAULT_BLK_SZ);
 
 	if (!DT)
-		DT = ctx->rand_data;	/* Use all-zeros if NULL */
+		DT = ctx->rand_data.b;	/* Use all-zeros if NULL */
 
-	memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
-	memcpy(ctx->V, V, DEFAULT_BLK_SZ);
+	memcpy(ctx->DT.b, DT, DEFAULT_BLK_SZ);
+	memcpy(ctx->V.b, V, DEFAULT_BLK_SZ);
 
 	ret = crypto_cipher_setkey(ctx->tfm, key, klen);
 	if (ret) {
-- 
2.1.3

[PATCH v2 24/25] crypto: ansi_cprng - Introduce non-deterministic mode

[George Spelvin]

If DT is not provided, use timetamp data for the DT vector.

This is permitted by the NIST spec (although the determinstic
mode is still required for testing purposes), and encouraged by
the X9.31 and X9.17 standards the RNG is adopted from.

The question, however, is whether it's okay to have a "CPRNG"
that's not deterministic.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 52 ++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 12 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index 4d256d74..d39ce301 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -40,6 +40,7 @@ union cipherblock {
  */
 
 #define PRNG_NEED_RESET 0x1
+#define PRNG_DETERMINISTIC 0x02
 
 /*
  * Note: DT is our counter value
@@ -47,10 +48,12 @@ union cipherblock {
  * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
  * for implementation details.
  *
- * Note that even though DT stands for "date/time", since this is a
- * deterministic pseudo-random generator, it is a determinsitic counter,
- * not a timestamp.  Its function is not to inject seed entropy, but to
- * ensure a long period in the output.
+ * Note that even though DT stands for "date/time", this generator may be
+ * operated in a fully determinsitic mode by specifying it in the initial
+ * seed.  In this case, it does not inject any timestamp-based entropy,
+ * but operates as a simple counter to ensure a long period in the output.
+ *
+ * Both options are permitted by the NIST recommendation.
  */
 struct prng_context {
 	spinlock_t prng_lock;
@@ -97,6 +100,16 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
 		ctx);
 
+	/*
+	 * get_random_int produces a result based on the system jiffies
+	 * and random_get_entropy(), the highest-resolution timestamp
+	 * available.  This meets the spirit of the X9.17/X9.31 generation
+	 * specifications, but it's masked by hashing, so it can't be used
+	 * to leak information about /dev/random's seed material.
+	 */
+	if (!(ctx->flags & PRNG_DETERMINISTIC))
+		ctx->DT.i[0] = get_random_int();
+
 	hexdump("DT", &ctx->DT);
 	hexdump("V", &ctx->V);
 
@@ -150,12 +163,16 @@ static int _get_more_prng_bytes(struct prng_context *ctx, bool cont_test)
 	/*
 	 * Now update our DT value
 	 */
-	for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
-		ctx->DT.b[i] += 1;
-		if (ctx->DT.b[i] != 0)
-			break;
+	if (ctx->flags & PRNG_DETERMINISTIC) {
+		for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
+			ctx->DT.b[i] += 1;
+			if (ctx->DT.b[i] != 0)
+				break;
+		}
+		hexdump("DT'", &ctx->DT);
+	} else {
+		ctx->DT.i[0] = 0;	/* Prevent backtracking */
 	}
-	hexdump("DT'", &ctx->DT);
 
 	dbgprint("Returning new block for context %p\n", ctx);
 
@@ -226,13 +243,24 @@ static int reset_prng_context(struct prng_context *ctx, const u8 *key,
 	int ret;
 
 	spin_lock_bh(&ctx->prng_lock);
-	ctx->flags |= PRNG_NEED_RESET;
+	ctx->flags = PRNG_NEED_RESET;
 	ctx->rand_read_pos = DEFAULT_BLK_SZ;
 
 	memset(ctx->rand_data.b, 0, DEFAULT_BLK_SZ);
 
-	if (!DT)
-		DT = ctx->rand_data.b;	/* Use all-zeros if NULL */
+	if (DT) {
+		ctx->flags |= PRNG_DETERMINISTIC;
+		memcpy(ctx->DT.b, DT, DEFAULT_BLK_SZ);
+	} else {
+		int i;
+		/*
+		 * We will generate a fresh DT based on timestamp each time.
+		 * Also pad rest of buffer with seed, on general principles.
+		 * We reserve the first int for fresh entropy.
+		 */
+		for (i = 1; i < BLK_INTS; i++)
+			ctx->DT.i[i] = get_random_int();
+	}
 
 	memcpy(ctx->DT.b, DT, DEFAULT_BLK_SZ);
 	memcpy(ctx->V.b, V, DEFAULT_BLK_SZ);
-- 
2.1.3

[PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[George Spelvin]

The standards documents are silent on how to handle multi-part
output, so this is an RFC for something in the spirit of the
source specifications, but not actually required by them.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index d39ce301..b88d3446 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -198,12 +198,14 @@ static int get_prng_bytes(u8 *buf, unsigned int nbytes,
 
 	read_pos = ctx->rand_read_pos;
 	if (byte_count > DEFAULT_BLK_SZ - read_pos) {
-		/* Leading partial block */
-		unsigned int avail = DEFAULT_BLK_SZ - read_pos;
+		if (ctx->flags & PRNG_DETERMINISTIC) {
+			/* Return leftover data from previous call */
+			unsigned int avail = DEFAULT_BLK_SZ - read_pos;
 
-		memcpy(ptr, ctx->rand_data.b + read_pos, avail);
-		ptr += avail;
-		byte_count -= avail;
+			memcpy(ptr, ctx->rand_data.b + read_pos, avail);
+			ptr += avail;
+			byte_count -= avail;
+		}
 		read_pos = 0;
 
 		/* Intermediate full blocks */
-- 
2.1.3

Re: [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[George Spelvin]

By the way, this patch includes a bug due to a last minute "oh, I can
make that more efficient!" which I realized after a night's sleep.
(The v1 patch worked, FWIW.)

Anyway, it's an RFC; I'm not even sure if I want this personally,
but it's a bit of extra paranoia to always genreate fresh seed per
read.

Re: [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[Neil Horman]

On Sun, Dec 07, 2014 at 05:49:59PM -0500, George Spelvin wrote:
> By the way, this patch includes a bug due to a last minute "oh, I can
> make that more efficient!" which I realized after a night's sleep.
> (The v1 patch worked, FWIW.)
> 
> Anyway, it's an RFC; I'm not even sure if I want this personally,
> but it's a bit of extra paranoia to always genreate fresh seed per
> read.
Wait, I'm confused. You mention in this note that this is an RFC patch, but not
anywhere else in the series.  Are you proposing this for inclusion or not?
Neil

> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[George Spelvin]

> Wait, I'm confused. You mention in this note that this is an RFC patch, but not
> anywhere else in the series.  Are you proposing this for inclusion or not?

Er, in the 0/25, I mentioned that I put the least certain stuff last,
and in particular I wasn't sure if the the last three patches were wanted
or not:

>> Pending issues:
>> * Is non-deterministic mode (last three patches) wanted?

I certainly wouldn't be unhappy if they went in, but with the comment
clarification just before, I wouldn't be unhappy if they didn't, either.

They're "If we wanted to do this, this is how it could be done.  Is this
something we want to do?"

Sorry if my motivations are confusing.  I did indeed start with wanting
to add the seeding because I misunderstood the comments: I thought
this was claiming to be X9.31 *and* I haven't seen the later versions
of the standaed (which you have) that back off on the requirements for
the DT[] vector.

Since you've patiently explained both of those to me, I'm more interested
in the other, more generic code cleanups.

You also sent me two detailed explanations of the consequences of making
the generator non-determinsitic in a way that gave me a general impression
of disliking of the idea.  So I've been weaning myself off the idea.

I put those patches at the end so they can easily be dropped from the series.

Or, as I also mentioned, simply postponed until there's been more discussion.  
Since that's an actual semantic change, collecting a few other opinions
would be valuable.

Re: [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[Neil Horman]

On Mon, Dec 08, 2014 at 11:43:13AM -0500, George Spelvin wrote:
> > Wait, I'm confused. You mention in this note that this is an RFC patch, but not
> > anywhere else in the series.  Are you proposing this for inclusion or not?
> 
> Er, in the 0/25, I mentioned that I put the least certain stuff last,
> and in particular I wasn't sure if the the last three patches were wanted
> or not:
> 
> >> Pending issues:
> >> * Is non-deterministic mode (last three patches) wanted?
> 
> I certainly wouldn't be unhappy if they went in, but with the comment
> clarification just before, I wouldn't be unhappy if they didn't, either.
> 
> They're "If we wanted to do this, this is how it could be done.  Is this
> something we want to do?"
> 
> Sorry if my motivations are confusing.  I did indeed start with wanting
Not your motivations, just the posting mechanics.  If you just want to discuss a
patch, and aren't yet proposing it for inclusion, you should put RFC in the
prefix of every patch header.

> to add the seeding because I misunderstood the comments: I thought
> this was claiming to be X9.31 *and* I haven't seen the later versions
> of the standaed (which you have) that back off on the requirements for
> the DT[] vector.
> 
> Since you've patiently explained both of those to me, I'm more interested
> in the other, more generic code cleanups.
> 
> You also sent me two detailed explanations of the consequences of making
> the generator non-determinsitic in a way that gave me a general impression
> of disliking of the idea.  So I've been weaning myself off the idea.
> 
Not particularly opposed to the idea, I just know that several use cases rely on
deterministic behavior for those entities that share the secret information, so
I need to be sure that the deterministic behavior remains and is the default.

> I put those patches at the end so they can easily be dropped from the series.
> 
> Or, as I also mentioned, simply postponed until there's been more discussion.  
> Since that's an actual semantic change, collecting a few other opinions
> would be valuable.
I'll look at this series in detail shortly.
Neil

> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output

[George Spelvin]

> Not your motivations, just the posting mechanics.  If you just want to
> discuss a patch, and aren't yet proposing it for inclusion, you should
> put RFC in the prefix of every patch header.

I understand the principle, and I should have on those patches (mea
culpa), but really *all* patch postings are for comment; I think of RFC
as "comment only; please don't apply this".

But it wasn't marked RFC, so that's why I posted a note downgrading
it when I realized I messed it up.  The note was basically "oh, shit,
I introduced a bug at the last minute; thankfully that was the most RFC
of the entire series, so nobody's likely to have merged it."

But it certainly is the case that for any significant patch series,
I really don't expect v1 to get merged as-is.

I'm serious about the changes, and it wouldn't have been a problem if
you had applied v1, but it would have surprised me.  Realistically,
I expect a couple of rounds of discussion and tweaking of the specific
form of the changes before people agree it's ready to go in.

And I think that's the case here; I adjusted a lot of details based on
feedback, but at a high level nothing changed; v2 makes the same changes
that v1 did.

> Not particularly opposed to the idea, I just know that several use cases
> rely on deterministic behavior for those entities that share the secret
> information, so I need to be sure that the deterministic behavior remains
> and is the default.

Right, because it's advertised as a PRNG.  Thinking about it, would
a separate crypto_alg with a different seedsize be a better solution
than obscure rules about seed size?  And something in the cra_flags
to indicate it's nondeterminsitic?

Re: [PATCH v2 13/25] crypto: Add appropriate consts to RNG API

[Stephan Mueller]

Am Sonntag, 7. Dezember 2014, 07:26:21 schrieb George Spelvin:

Hi George,

> Signed-off-by: George Spelvin <linux@horizon.com>
> ---
>  crypto/ansi_cprng.c    | 11 ++++++-----
>  crypto/krng.c          |  2 +-
>  crypto/rng.c           |  3 ++-
>  include/crypto/rng.h   |  2 +-
>  include/linux/crypto.h |  6 ++++--
>  5 files changed, 14 insertions(+), 10 deletions(-)

Please update the drbg too.
> 
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index 249b944f..c1c81266 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -299,11 +299,11 @@ static int cprng_get_random(struct crypto_rng *tfm, u8
> *rdata, *  V and KEY are required during reset, and DT is optional,
> detected *  as being present by testing the length of the seed
>   */
> -static int cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
> +static int cprng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned
> int slen) {
>  	struct prng_context *prng = crypto_rng_ctx(tfm);
> -	u8 *key = seed + DEFAULT_BLK_SZ;
> -	u8 *dt = NULL;
> +	const u8 *key = seed + DEFAULT_BLK_SZ;
> +	const u8 *dt = NULL;
> 
>  	if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
>  		return -EINVAL;
> @@ -327,9 +327,10 @@ static int fips_cprng_get_random(struct crypto_rng
> *tfm, u8 *rdata, return get_prng_bytes(rdata, dlen, prng, true);
>  }
> 
> -static int fips_cprng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int
> slen) +static int fips_cprng_reset(struct crypto_rng *tfm, const u8 *seed,
> +			    unsigned int slen)
>  {
> -	u8 *key = seed + DEFAULT_BLK_SZ;
> +	const u8 *key = seed + DEFAULT_BLK_SZ;
>  	int rc;
> 
>  	struct prng_context *prng = crypto_rng_ctx(tfm);
> diff --git a/crypto/krng.c b/crypto/krng.c
> index a2d2b72f..007ea7e3 100644
> --- a/crypto/krng.c
> +++ b/crypto/krng.c
> @@ -22,7 +22,7 @@ static int krng_get_random(struct crypto_rng *tfm, u8
> *rdata, unsigned int dlen) return 0;
>  }
> 
> -static int krng_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
> +static int krng_reset(struct crypto_rng *tfm, const u8 *seed, unsigned int
> slen) {
>  	return 0;
>  }
> diff --git a/crypto/rng.c b/crypto/rng.c
> index e0a25c24..9e3a6efd 100644
> --- a/crypto/rng.c
> +++ b/crypto/rng.c
> @@ -29,7 +29,8 @@ struct crypto_rng *crypto_default_rng;
>  EXPORT_SYMBOL_GPL(crypto_default_rng);
>  static int crypto_default_rng_refcnt;
> 
> -static int rngapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int
> slen) +static int rngapi_reset(struct crypto_rng *tfm, const u8 *seed,
> +			unsigned int slen)
>  {
>  	u8 *buf = NULL;
>  	int err;
> diff --git a/include/crypto/rng.h b/include/crypto/rng.h
> index c93f9b91..9659300a 100644
> --- a/include/crypto/rng.h
> +++ b/include/crypto/rng.h
> @@ -62,7 +62,7 @@ static inline int crypto_rng_get_bytes(struct crypto_rng
> *tfm, }
> 
>  static inline int crypto_rng_reset(struct crypto_rng *tfm,
> -				   u8 *seed, unsigned int slen)
> +				   const u8 *seed, unsigned int slen)
>  {
>  	return crypto_rng_crt(tfm)->rng_reset(tfm, seed, slen);
>  }
> diff --git a/include/linux/crypto.h b/include/linux/crypto.h
> index d45e9496..8aa6350b 100644
> --- a/include/linux/crypto.h
> +++ b/include/linux/crypto.h
> @@ -264,7 +264,8 @@ struct compress_alg {
>  struct rng_alg {
>  	int (*rng_make_random)(struct crypto_rng *tfm, u8 *rdata,
>  			       unsigned int dlen);
> -	int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
> +	int (*rng_reset)(struct crypto_rng *tfm, const u8 *seed,
> +			       unsigned int slen);
> 
>  	unsigned int seedsize;
>  };
> @@ -399,7 +400,8 @@ struct compress_tfm {
>  struct rng_tfm {
>  	int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
>  			      unsigned int dlen);
> -	int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
> +	int (*rng_reset)(struct crypto_rng *tfm, const u8 *seed,
> +			 unsigned int slen);
>  };
> 
>  #define crt_ablkcipher	crt_u.ablkcipher


-- 
Ciao
Stephan

Re: [PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data

[Stephan Mueller]

Am Sonntag, 7. Dezember 2014, 07:26:13 schrieb George Spelvin:

Hi George,

> Careful use of the other available buffers avoids the need for
> these, shrinking the context by 32 bytes.
> 
> Neither the debug output nor the FIPS-required anti-repetition check
> are changed in the slightest.
> 
> Signed-off-by: George Spelvin <linux@horizon.com>
> ---
>  crypto/ansi_cprng.c | 50 ++++++++++++++++++++++++--------------------------
> 1 file changed, 24 insertions(+), 26 deletions(-)
> 
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index 325aa727d..2edac42e 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -37,19 +37,14 @@
> 
>  /*
>   * Note: DT is our counter value
> - *	 I is our intermediate value
>   *	 V is our seed vector
>   * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
>   * for implementation details
>   */
> -
> -
>  struct prng_context {
>  	spinlock_t prng_lock;
>  	unsigned char rand_data[DEFAULT_BLK_SZ];
> -	unsigned char last_rand_data[DEFAULT_BLK_SZ];
>  	unsigned char DT[DEFAULT_BLK_SZ];
> -	unsigned char I[DEFAULT_BLK_SZ];
>  	unsigned char V[DEFAULT_BLK_SZ];
>  	u32 rand_data_valid;
>  	struct crypto_cipher *tfm;
> @@ -97,27 +92,27 @@ static int _get_more_prng_bytes(struct prng_context
> *ctx, int cont_test)
> 
>  	/*
>  	 * Start by encrypting the counter value
> -	 * This gives us an intermediate value I
> +	 * This gives us an intermediate value I (stored in tmp)
>  	 */
> -	memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
> -	crypto_cipher_encrypt_one(ctx->tfm, ctx->I, tmp);
> -	hexdump("I", ctx->I);
> +	crypto_cipher_encrypt_one(ctx->tfm, tmp, ctx->DT);
> +	hexdump("I", tmp);
> 
>  	/*
> -	 * Next xor I with our secret vector V
> -	 * encrypt that result to obtain our
> -	 * pseudo random data which we output
> +	 * Next xor I with our secret vector V.  Encrypt that result
> +	 * to obtain our pseudo random data which we output.  But
> +	 * keep that output in ctx->V for the moment; we need the
> +	 * previous rand_data for ons more thing.
>  	 */
> -	xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
> -	hexdump("V^I", tmp);
> -	crypto_cipher_encrypt_one(ctx->tfm, ctx->rand_data, tmp);
> -	hexdump("R", ctx->rand_data);
> +	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
> +	hexdump("V^I", ctx->V);
> +	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
> +	hexdump("R", ctx->V);
> 
>  	/*
> -	 * First check that we didn't produce the same
> -	 * random data that we did last time around through this
> +	 * Check that we didn't produce the same random data that we
> +	 * did last time around.
>  	 */
> -	if (!memcmp(ctx->rand_data, ctx->last_rand_data, DEFAULT_BLK_SZ)) {
> +	if (!memcmp(ctx->V, ctx->rand_data, DEFAULT_BLK_SZ)) {

Due to the huge number of diffs, I may have missed the following point. 
Therefore, please help me:

NIST requires that ctx->rand_data must be "primed" before the first random 
number is returned to the aller (see FIPS 140-2 section 4.9.2). That means, 
the very first random number that was generated must go into what is now ctx-
>rand_data, but shall not be returned to the caller.

Only starting with the 2nd random number these values shall be returned to the 
caller.

Where do I see that priming?

Note, this priming should have an ability to be disabled for performing the 
CAVS tests as they (as stupid as it may sound) want the very first random 
number after the seeding.

>  		if (cont_test) {
>  			panic("cprng %p Failed repetition check!\n", ctx);
>  		}
> @@ -127,15 +122,19 @@ static int _get_more_prng_bytes(struct prng_context
> *ctx, int cont_test) ctx->flags |= PRNG_NEED_RESET;
>  		return -EINVAL;
>  	}
> -	memcpy(ctx->last_rand_data, ctx->rand_data, DEFAULT_BLK_SZ);
> +	/*
> +	 * Okay, the new data is okay, copy it to the buffer.
> +	 */
> +	memcpy(ctx->rand_data, ctx->V, DEFAULT_BLK_SZ);
> 
>  	/*
> -	 * Lastly xor the random data with I
> -	 * and encrypt that to obtain a new secret vector V
> +	 * Lastly xor the random data with I and encrypt that to obtain
> +	 * a new secret vector V.
>  	 */
> -	xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
> -	hexdump("R^I", tmp);
> -	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, tmp);
> +	xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
> +	hexdump("R^I", ctx->V);
> +	memzero_explicit(tmp, DEFAULT_BLK_SZ);
> +	crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
>  	hexdump("V'", ctx->V);
> 
>  	/*
> @@ -272,7 +271,6 @@ static int reset_prng_context(struct prng_context *ctx,
>  		memset(ctx->DT, 0, DEFAULT_BLK_SZ);
> 
>  	memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
> -	memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
> 
>  	ctx->rand_data_valid = DEFAULT_BLK_SZ;


-- 
Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Sonntag, 7. Dezember 2014, 07:26:08 schrieb George Spelvin:

Hi George,

> This is a reworked version of my earlier patch series, based on feedback
> from Neil Horman and Stephan Mueller.  Thank you both very much!
> 
> It's mostly the same content as before, but I've tried to improve comments
> and commit messages to address questions, to reorder the patches to put
> the questionable stuff at the end, and I've also (at Neil's prodding)
> made some larger scale changes.
> 
> I've added appropriate const qualifiers to the RNG API, and also const
> declarations to all of the self-tests in testmgr.h.  (That's a very
> large but simple patch.)
> 
> The significant code improvement is the addition of what I call the
> "stutter test" to testmgr.  This reads from the RNG in irregular chunks
> and verifies that the output matches that produced by a more regular
> pattern.  This should prevent any recurrence of CVE-2013-4345.
> (It itself passed an important test by detecting a bug in my code!)
> 
> Dropped change:
> * Neil said he wanted deterministic to remain the default, so I dropped
>   the patch that changed the default seedsize.
> 
> Pending issues:
> * Neil would like me to post the results of the NIST and FIPS test
>   vectors.  The current code doesn't print anything on a successful
>   test; I need to know what result format is wanted.
> * Stephan says he has the FIPS test vectors referred to above and
>   will send them to me when he finds them.

I have send these vectors about a week ago. Do you have results?

Note, apart from the two comments  I sent today, I do not see any big problems 
in the patch set. However, I would like to see the test results.

To give you a helping hand, here is the test invocation of the test vectors I 
sent -- please replace struct kccavs_test->something with just "something" 
holding the values from the test vectors:

struct kccavs_data {
	char *data;
	u64 len;
};

/*
 * input: name
 * input seed: 48 bytes in kccavs_test->key
 * 	       from cprng_reset:
 *  This is the cprng_registered reset method the seed value is
 *  interpreted as the tuple { V KEY DT}
 *
 * output: one round of 32 bytes in kccavs_test->data
 */
static int kccavs_test_x931rng(size_t nbytes) {

	int size;
	int err;
	struct kccavs_data *key = &kccavs_test->key;
	struct kccavs_data *data = &kccavs_test->data;

	/* we scratch the buffer if one should exist */
	memset(data->data, 0, MAXDATALEN);
	data->len = 16;

	if (kccavs_test->rng == NULL) {
		kccavs_test->rng = crypto_alloc_rng(kccavs_test->name, 0, 0);
		if (IS_ERR(kccavs_test->rng)){
			int err = PTR_ERR(kccavs_test->rng);
			kccavs_test->rng = NULL;
			pr_info(DRIVER_NAME": could not allocate RNG handle "
				"for %s\n", kccavs_test->name);
			return err;
		}

		/* the ANSI X9.31 has seedsize
		 * DEFAULT_PRNG_KSZ + 2*DEFAULT_BLK_SZ
		 */
		size = crypto_rng_seedsize(kccavs_test->rng);
		if (size != 48) {
			pr_info(DRIVER_NAME": seedsize not equal to 48: %d\n", 
size);
			kccavs_free_cipher();
			return -EAGAIN;
		}
		if (size != key->len) {
			pr_info(DRIVER_NAME": size of supplied seed not equal 
to required size\n");
			kccavs_free_cipher();
			return -EINVAL;
		}

		err = crypto_rng_reset(kccavs_test->rng, key->data, size);
		if (err) {
			pr_info(DRIVER_NAME": Failed to reset rng\n");
			kccavs_free_cipher();
			return -EAGAIN;
		}
	}

	/* get one RNG round of data */
	err = crypto_rng_get_bytes(kccavs_test->rng, data->data, data->len);
	if (err <= 0) {
		pr_info(DRIVER_NAME": could not obtain random data\n");
		kccavs_free_cipher();
		return err;
	}
	
	/* do not free the rng handle - we keep until reseeded or terminated 
*/

	return 0;
}


Note, the test vectors I sent to you are two-fold. The larger set is just a 
"known-answer test" where you invoke the X9.31 with the input data and get the 
output data right away.

The MCT test vectors are "monte-carlo tests". They are invoked as follows: you 
read 10000 16 byte chunks -- the 10000th value is the one that should match 
with the expected result.


Note, the seed is to be constructed from the test vectors by simply 
concatenating them as outlined in the comment above. The following Perl code 
illustrates that:

my $seed = $v . $key . $dt;


> * Is non-deterministic mode (last three patches) wanted?
> 
> George Spelvin (25):
>   crypto: ansi_cprng - unroll _get_more_prng_bytes
>   crypto: ansi_cprng - Additional _get_more_prng_bytes cleanup
>   crypto: ansi_cprng - Use %phN rather than print_hex_dump for debug
>   crypto: ansi_cprng - Make debug output more like NIST test vectors
>   crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data
>   crypto: ansi_cprng - Make cont_test a bool
>   crypto: ansi_cprng - Shrink context some more
>   crypto: ansi_cprng - Don't call reset_prng_context from cprng_init
>   crypto: ansi_cprng - Make length types consistent
>   crypto: ansi_cprng - Use u8 data types consistently internally
>   crypto: ansi_cprng - Eliminate unused PRNG_FIXED_SIZE flag
>   crypto: ansi_cprng - Get rid of rdata buffer in fips_cprng_reset
>   crypto: Add appropriate consts to RNG API
>   crypto: tcrypt - Add const qualifiers all over the test code.
>   crypto: testmgr - Merge seed arrays in struct cprng_testvec
>   crypto: testmgr - Report failure on zero-length crypto_rng_get_bytes
>   crypto: testmgr - Don't crash if CPRNG test result is large
>   crypto: testmgr - Add CPRNG stutter test.
>   crypto: ansi_cprng - simplify get_prng_bytes
>   crypto: ansi_cprng - simplify xor_vectors() to xor_block()
>   crypto: ansi_cprng - Rename rand_data_valid more sensibly
>   crypto: ansi_cprng - Tweak comments
>   crypto: ansi_cprng - Introduce a "union cipherblock"
>   crypto: ansi_cprng - Introduce non-deterministic mode
>   crypto: ansi_cprng - If non-deterministic, don't buffer old output
> 
>  crypto/ansi_cprng.c    | 369 ++++++++++++++++--------------------
>  crypto/krng.c          |   2 +-
>  crypto/rng.c           |   3 +-
>  crypto/tcrypt.c        |  46 ++---
>  crypto/tcrypt.h        |  30 +--
>  crypto/testmgr.c       | 190 +++++++++++++------
>  crypto/testmgr.h       | 502
> ++++++++++++++++++++++++------------------------- include/crypto/rng.h   | 
>  2 +-
>  include/linux/crypto.h |   6 +-
>  9 files changed, 587 insertions(+), 563 deletions(-)


-- 
Ciao
Stephan

Re: [PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data

[George Spelvin]

> Due to the huge number of diffs, I may have missed the following point. 
> Therefore, please help me:

No problem at all!  If you're doing me the kindness of actually reading
and reviewing this, I have *lots* of time to act as a tour guide.

I've just had my nose in this code, and your memory is presumably a bit
rustier on some details, even if you understand the larger system better
than I do.

(I hope that English figure of speech isn't too obscure for you.)

> Where do I see that priming?

It's in the same place as it always has been: in fips_cprng_reset,
just below the comment "this primes our continuity test".

Patch 12 changes the priming call from get_prng_bytes to
_get_more_prng_bytes in order to get rid of the "rdata" stack buffer.

Patches 5 and 21 make inconsequential syntactic changes to the area.

> Note, this priming should have an ability to be disabled for performing the 
> CAVS tests as they (as stupid as it may sound) want the very first random 
> number after the seeding.

In this regard, I didn't touch the existing code, which distinguishes the
functions "fips_cprng_reset" which does the priming, and "cprng_reset"
which doesn't, and exports two struct crypto_alg interfaces to make them
both available.

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

>> Pending issues:
>> * Neil would like me to post the results of the NIST and FIPS test
>>   vectors.  The current code doesn't print anything on a successful
>>   test; I need to know what result format is wanted.
>> * Stephan says he has the FIPS test vectors referred to above and
>>   will send them to me when he finds them.

> I have send these vectors about a week ago. Do you have results?

I got them, but I've been twiddling my thumbs waiting for the first
point above: to know what format the results should be in.

> Note, apart from the two comments  I sent today, I do not see any big
> prolems in the patch set. However, I would like to see the test results.

As far as I can tell, the tcrypt.ko module prints *nothing* if a test
is successful, and there is no module option to make it more verbose,
so I don't know what to show people.

I can say "yes, I ran it, and saw no errors" but that seems unsatisfactory.

What would you like to see, other than the following uuencoded test
results:

begin 664 test_results
`
end

As I mentioned (in passing; you may have forgotten), for my own use,
I simply copied the test code & vectors out of testmgr.[ch] and pasted
it into ansi_cprng.c's prng_mod_init (at the end, so it doesn't mess up
the line numbers of the other patches), with some tweaks to say "Test
%d passed".

There's also a debug option that dumps all kinds of details in
_get_more_prng_bytes, but that produces so much output on a 10,000-round
MCT that the kernel log buffer overflows and loses data.

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

In an earlier conversation with Neil, I had an idea that I'd like
your opinion on.

I still think whether true-random mode is wanted is up in the air,
but if it is, a better way to proide it would be to create a separate
crypto_alg for it, with a smaller seed size (no DT seed) and its own name.

But I have no idea what name to use.  Any suggestions?  And a FIPS
version, too?

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> I have send these vectors about a week ago. Do you have results?

BTW, here is my current home-grown debugging output.

With some minor editor massaging (deleting the timestamps and
inserting a blank line before every "COUNT" line), it matches the
ANSI931_AES128MCT.fax and ANSI931_AES128VST.fax you sent.  I left it
un-massaged as some sort of evidence that it isn't just a direct copy.

[167586.775196] alg_test_cprng: testing ansi_cprng: err 0
[167586.775220] COUNT = 0
[167586.775222] Key = f3b1666d13607242ed061cabb8d46202
[167586.775225] DT = e6b3be782a23fa62d71d4afbb0e922f9
[167586.775226] V = 80000000000000000000000000000000
[167586.775230] R = 59531ed13bb0c05584796685c12f7641
[167586.775231] cprng: Test 0 passed
[167586.775234] cprng: Stutter test 0 passed
[167586.775235] COUNT = 1
[167586.775236] Key = f3b1666d13607242ed061cabb8d46202
[167586.775237] DT = e6b3be782a23fa62d71d4afbb0e922fa
[167586.775237] V = c0000000000000000000000000000000
[167586.775239] R = 7c222cf4ca8fa24c1c9cb641a9f3220d
[167586.775240] cprng: Test 1 passed
[167586.775242] cprng: Stutter test 1 passed
[167586.775243] COUNT = 2
[167586.775244] Key = f3b1666d13607242ed061cabb8d46202
[167586.775245] DT = e6b3be782a23fa62d71d4afbb0e922fb
[167586.775245] V = e0000000000000000000000000000000
[167586.775247] R = 8aaa003966675be529142881a94d4ec7
[167586.775248] cprng: Test 2 passed
[167586.775250] cprng: Stutter test 2 passed
[167586.775250] COUNT = 3
[167586.775251] Key = f3b1666d13607242ed061cabb8d46202
[167586.775252] DT = e6b3be782a23fa62d71d4afbb0e922fc
[167586.775253] V = f0000000000000000000000000000000
[167586.775255] R = 88dda456302423e5f69da57e7b95c73a
[167586.775255] cprng: Test 3 passed
[167586.775257] cprng: Stutter test 3 passed
[167586.775258] COUNT = 4
[167586.775259] Key = f3b1666d13607242ed061cabb8d46202
[167586.775260] DT = e6b3be782a23fa62d71d4afbb0e922fd
[167586.775260] V = f8000000000000000000000000000000
[167586.775262] R = 052592466179d2cb78c40b140a5a9ac8
[167586.775263] cprng: Test 4 passed
[167586.775265] cprng: Stutter test 4 passed
[167586.775266] COUNT = 5
[167586.775266] Key = 9f5b51200bf334b5d82be8c37255c848
[167586.775267] DT = 6376bbe52902ba3b67c925fa701f11ac
[167586.775268] V = 572c8e76872647977e74fbddc49501d1
[167586.775270] R = 2b6c7070067fc873079864a30a316927
[167586.775271] cprng: Test 5 passed
[167586.775273] cprng: Stutter test 5 passed
[167586.775274] COUNT = 6
[167586.775275] Key = 9f5b51200bf334b5d82be8c37255c848
[167586.775276] DT = 6376bbe52902ba3b67c925fa701f11ac
[167586.775276] V = 572c8e76872647977e74fbddc49501d1
[167586.775279] R = 3bed4e991f23567cf7e2c9306e12b6d2
[167586.775280] cprng: Test 6 passed
[167586.775283] cprng: Stutter test 6 passed
[167586.775284] COUNT = 7
[167586.775285] Key = 9f5b51200bf334b5d82be8c37255c848
[167586.775286] DT = 6376bbe52902ba3b67c925fa701f11ac
[167586.775286] V = 572c8e76872647977e74fbddc49501d1
[167586.775291] R = a5975adb24344f7e2dbbaf96060063ee
[167586.775291] cprng: Test 7 passed
[167586.775297] cprng: Stutter test 7 passed
[167586.775298] COUNT = 8
[167586.775298] Key = 9f5b51200bf334b5d82be8c37255c848
[167586.775299] DT = 6376bbe52902ba3b67c925fa701f11ac
[167586.775300] V = 572c8e76872647977e74fbddc49501d1
[167586.780146] R = 48e9bd0d06ee18fbe45790d5c3fc9b73
[167586.780147] cprng: Test 8 passed
[167586.784921] cprng: Stutter test 8 passed
[167586.784923] COUNT = 9
[167586.784925] Key = 10379b53317a2500879e88ad445ea387
[167586.784927] DT = 055a913d7587d54ee58c053fd4beb4a2
[167586.784928] V = a7d058a34e1bf49b40f0b6d26661f889
[167586.791891] R = c252c3f173558775929fe3fb8345feb2
[167586.791892] cprng: Test 9 passed
[167586.797633] cprng: Stutter test 9 passed
[167586.797635] COUNT = 10
[167586.797637] Key = a9d40024ad65b4120636f28758662cbf
[167586.797639] DT = 8f210f47c3534774067563d111251f84
[167586.797640] V = 80000000000000000000000000000000
[167586.797645] R = a80bd181ddc04a55a554da4d520dd493
[167586.797646] cprng: Test 10 passed
[167586.797650] cprng: Stutter test 10 passed
[167586.797652] [X9.31]
[AES 128-Key]
[167586.797654] COUNT = 0
[167586.797656] Key = a9d40024ad65b4120636f28758662cbf
[167586.797657] DT = 8f210f47c3534774067563d111251f84
[167586.797659] V = 80000000000000000000000000000000
[167586.797662] R = a80bd181ddc04a55a554da4d520dd493
[167586.797664] COUNT = 1
[167586.797665] Key = a9d40024ad65b4120636f28758662cbf
[167586.797667] DT = 8f210f47c3534774067563d111251f85
[167586.797668] V = c0000000000000000000000000000000
[167586.797671] R = 5ed27d0a7883408b42ecfdb7bfffc056
[167586.797672] COUNT = 2
[167586.797674] Key = a9d40024ad65b4120636f28758662cbf
[167586.797675] DT = 8f210f47c3534774067563d111251f86
[167586.797677] V = e0000000000000000000000000000000
[167586.797680] R = 40859edac9fee6735262389927aa063c
[167586.797682] COUNT = 3
[167586.797683] Key = a9d40024ad65b4120636f28758662cbf
[167586.797685] DT = 8f210f47c3534774067563d111251f87
[167586.797686] V = f0000000000000000000000000000000
[167586.797689] R = c566e9c1d34c30e7325ee15035c5c1fd
[167586.797691] COUNT = 4
[167586.797692] Key = a9d40024ad65b4120636f28758662cbf
[167586.797693] DT = 8f210f47c3534774067563d111251f88
[167586.797695] V = f8000000000000000000000000000000
[167586.797698] R = 0c1daa16ae3f771bfdd609a96932aefe
[167586.797700] COUNT = 5
[167586.797701] Key = a9d40024ad65b4120636f28758662cbf
[167586.797703] DT = 8f210f47c3534774067563d111251f89
[167586.797704] V = fc000000000000000000000000000000
[167586.797707] R = fa269d8b3f7e8046dc1002ee6ceaa4ba
[167586.797708] COUNT = 6
[167586.797710] Key = a9d40024ad65b4120636f28758662cbf
[167586.797711] DT = 8f210f47c3534774067563d111251f8a
[167586.797713] V = fe000000000000000000000000000000
[167586.797715] R = 4e1aa8c5c653e2a778e0dbd1526eb04f
[167586.797718] COUNT = 7
[167586.797719] Key = a9d40024ad65b4120636f28758662cbf
[167586.797720] DT = 8f210f47c3534774067563d111251f8b
[167586.797721] V = ff000000000000000000000000000000
[167586.797725] R = 812cd80ce6d5c1cccbf790c6fe351372
[167586.797726] COUNT = 8
[167586.797728] Key = a9d40024ad65b4120636f28758662cbf
[167586.797729] DT = 8f210f47c3534774067563d111251f8c
[167586.797731] V = ff800000000000000000000000000000
[167586.797733] R = 01c23ab8a10facad20e9a4efd9a53e39
[167586.797735] COUNT = 9
[167586.797736] Key = a9d40024ad65b4120636f28758662cbf
[167586.797738] DT = 8f210f47c3534774067563d111251f8d
[167586.797739] V = ffc00000000000000000000000000000
[167586.797742] R = 8cfb09605e7ed12824be17099f106022
[167586.797744] COUNT = 10
[167586.797746] Key = a9d40024ad65b4120636f28758662cbf
[167586.797747] DT = 8f210f47c3534774067563d111251f8e
[167586.797748] V = ffe00000000000000000000000000000
[167586.797751] R = 0e98216a1968d7808f368712d4766c0d
[167586.797753] COUNT = 11
[167586.797754] Key = a9d40024ad65b4120636f28758662cbf
[167586.797756] DT = 8f210f47c3534774067563d111251f8f
[167586.797757] V = fff00000000000000000000000000000
[167586.797760] R = 6113ce157a4d9525f2fe33509ced98af
[167586.797762] COUNT = 12
[167586.797763] Key = a9d40024ad65b4120636f28758662cbf
[167586.797764] DT = 8f210f47c3534774067563d111251f90
[167586.797766] V = fff80000000000000000000000000000
[167586.797769] R = b5d87fb4da572abe77ecf7c6cb12a232
[167586.797771] COUNT = 13
[167586.797772] Key = a9d40024ad65b4120636f28758662cbf
[167586.797774] DT = 8f210f47c3534774067563d111251f91
[167586.797775] V = fffc0000000000000000000000000000
[167586.797778] R = d7b1a681267a9d83b67dc3ee694257f4
[167586.797779] COUNT = 14
[167586.797781] Key = a9d40024ad65b4120636f28758662cbf
[167586.797782] DT = 8f210f47c3534774067563d111251f92
[167586.797784] V = fffe0000000000000000000000000000
[167586.797786] R = 46470510f72d0e9dc51e802bfc869b6a
[167586.797789] COUNT = 15
[167586.797790] Key = a9d40024ad65b4120636f28758662cbf
[167586.797791] DT = 8f210f47c3534774067563d111251f93
[167586.797792] V = ffff0000000000000000000000000000
[167586.797796] R = f2a1487a2367b7cf37f51d5cf46c95f2
[167586.797797] COUNT = 16
[167586.797799] Key = a9d40024ad65b4120636f28758662cbf
[167586.797800] DT = 8f210f47c3534774067563d111251f94
[167586.797802] V = ffff8000000000000000000000000000
[167586.797804] R = a02b7bfcb1ff61b485e2f4799cc22fc7
[167586.797806] COUNT = 17
[167586.797807] Key = a9d40024ad65b4120636f28758662cbf
[167586.797809] DT = 8f210f47c3534774067563d111251f95
[167586.797810] V = ffffc000000000000000000000000000
[167586.797814] R = 596abac16deddfbee1345471ab85a7f8
[167586.797815] COUNT = 18
[167586.797817] Key = a9d40024ad65b4120636f28758662cbf
[167586.797818] DT = 8f210f47c3534774067563d111251f96
[167586.797819] V = ffffe000000000000000000000000000
[167586.797822] R = e6afbfb28608eb578a33d02a8c9a8aad
[167586.797824] COUNT = 19
[167586.797825] Key = a9d40024ad65b4120636f28758662cbf
[167586.797827] DT = 8f210f47c3534774067563d111251f97
[167586.797828] V = fffff000000000000000000000000000
[167586.797831] R = a9ba3933c0ad155e59fab7f45ac42035
[167586.797833] COUNT = 20
[167586.797835] Key = a9d40024ad65b4120636f28758662cbf
[167586.797836] DT = 8f210f47c3534774067563d111251f98
[167586.797838] V = fffff800000000000000000000000000
[167586.797840] R = 8fbeb299630f2d54962d268672195a10
[167586.797842] COUNT = 21
[167586.797843] Key = a9d40024ad65b4120636f28758662cbf
[167586.797845] DT = 8f210f47c3534774067563d111251f99
[167586.797846] V = fffffc00000000000000000000000000
[167586.797849] R = 1ea5cd984515c115becf7ec42ba0ba80
[167586.797851] COUNT = 22
[167586.797853] Key = a9d40024ad65b4120636f28758662cbf
[167586.797854] DT = 8f210f47c3534774067563d111251f9a
[167586.797855] V = fffffe00000000000000000000000000
[167586.797858] R = a2ef920bf732a46a7c0320d279331d63
[167586.797860] COUNT = 23
[167586.797861] Key = a9d40024ad65b4120636f28758662cbf
[167586.797863] DT = 8f210f47c3534774067563d111251f9b
[167586.797864] V = ffffff00000000000000000000000000
[167586.797867] R = edd1ab55491b523d428347aadb6b085e
[167586.797869] COUNT = 24
[167586.797870] Key = a9d40024ad65b4120636f28758662cbf
[167586.797871] DT = 8f210f47c3534774067563d111251f9c
[167586.797873] V = ffffff80000000000000000000000000
[167586.797876] R = 22e9b702dbc16f7c03586656b8daf2b4
[167586.797878] COUNT = 25
[167586.797879] Key = a9d40024ad65b4120636f28758662cbf
[167586.797881] DT = 8f210f47c3534774067563d111251f9d
[167586.797882] V = ffffffc0000000000000000000000000
[167586.797885] R = aee98e4b6820df0ae4c1e70996ce17aa
[167586.797886] COUNT = 26
[167586.797888] Key = a9d40024ad65b4120636f28758662cbf
[167586.797889] DT = 8f210f47c3534774067563d111251f9e
[167586.797891] V = ffffffe0000000000000000000000000
[167586.797893] R = 29a75b2c8f9e152c52e21816d19f46e1
[167586.797895] COUNT = 27
[167586.797897] Key = a9d40024ad65b4120636f28758662cbf
[167586.797898] DT = 8f210f47c3534774067563d111251f9f
[167586.797899] V = fffffff0000000000000000000000000
[167586.797903] R = 85b1ee76c75b4e24cd12a621acf45f70
[167586.797904] COUNT = 28
[167586.797906] Key = a9d40024ad65b4120636f28758662cbf
[167586.797907] DT = 8f210f47c3534774067563d111251fa0
[167586.797909] V = fffffff8000000000000000000000000
[167586.797911] R = f00879323dc053f56222783087f3ea33
[167586.797913] COUNT = 29
[167586.797914] Key = a9d40024ad65b4120636f28758662cbf
[167586.797916] DT = 8f210f47c3534774067563d111251fa1
[167586.797917] V = fffffffc000000000000000000000000
[167586.797920] R = ec3209bd5eae231fb0153905aa54268c
[167586.797922] COUNT = 30
[167586.797923] Key = a9d40024ad65b4120636f28758662cbf
[167586.797925] DT = 8f210f47c3534774067563d111251fa2
[167586.797926] V = fffffffe000000000000000000000000
[167586.797929] R = 84ae91db0300bfcdedf5dbdc47607d72
[167586.797931] COUNT = 31
[167586.797932] Key = a9d40024ad65b4120636f28758662cbf
[167586.797934] DT = 8f210f47c3534774067563d111251fa3
[167586.797935] V = ffffffff000000000000000000000000
[167586.797938] R = 4e0129005ec23dfae7fd21ea67cb2b87
[167586.797940] COUNT = 32
[167586.797941] Key = a9d40024ad65b4120636f28758662cbf
[167586.797942] DT = 8f210f47c3534774067563d111251fa4
[167586.797944] V = ffffffff800000000000000000000000
[167586.797947] R = f7149af63bc31351cef8b0cc9648e4f3
[167586.797949] COUNT = 33
[167586.797950] Key = a9d40024ad65b4120636f28758662cbf
[167586.797952] DT = 8f210f47c3534774067563d111251fa5
[167586.797953] V = ffffffffc00000000000000000000000
[167586.797956] R = 637742c7def9eecd6add5c8143c88b65
[167586.797957] COUNT = 34
[167586.797959] Key = a9d40024ad65b4120636f28758662cbf
[167586.797960] DT = 8f210f47c3534774067563d111251fa6
[167586.797962] V = ffffffffe00000000000000000000000
[167586.797964] R = 04e2ce1cb8e423693b24e09889ab03d9
[167586.797966] COUNT = 35
[167586.797967] Key = a9d40024ad65b4120636f28758662cbf
[167586.797969] DT = 8f210f47c3534774067563d111251fa7
[167586.797970] V = fffffffff00000000000000000000000
[167586.797974] R = 2b80dea14e38fa8e5579bdf4e44785f0
[167586.797975] COUNT = 36
[167586.797977] Key = a9d40024ad65b4120636f28758662cbf
[167586.797978] DT = 8f210f47c3534774067563d111251fa8
[167586.797980] V = fffffffff80000000000000000000000
[167586.797982] R = 331a4b7f1b51ec7452d6c94c450cefd6
[167586.797984] COUNT = 37
[167586.797985] Key = a9d40024ad65b4120636f28758662cbf
[167586.797987] DT = 8f210f47c3534774067563d111251fa9
[167586.797988] V = fffffffffc0000000000000000000000
[167586.797991] R = 86a58139c440ac4b976374948848b93d
[167586.797993] COUNT = 38
[167586.797995] Key = a9d40024ad65b4120636f28758662cbf
[167586.797996] DT = 8f210f47c3534774067563d111251faa
[167586.797997] V = fffffffffe0000000000000000000000
[167586.798000] R = 798bbb90c0a1057c5b81064f814fb555
[167586.798002] COUNT = 39
[167586.798003] Key = a9d40024ad65b4120636f28758662cbf
[167586.798005] DT = 8f210f47c3534774067563d111251fab
[167586.798006] V = ffffffffff0000000000000000000000
[167586.798009] R = b287c1f11da6a0e95e7840c653a587a9
[167586.798011] COUNT = 40
[167586.798012] Key = a9d40024ad65b4120636f28758662cbf
[167586.798013] DT = 8f210f47c3534774067563d111251fac
[167586.798015] V = ffffffffff8000000000000000000000
[167586.798018] R = 2d2e606dbf492cb194214697d7f95bb9
[167586.798020] COUNT = 41
[167586.798021] Key = a9d40024ad65b4120636f28758662cbf
[167586.798023] DT = 8f210f47c3534774067563d111251fad
[167586.798024] V = ffffffffffc000000000000000000000
[167586.798027] R = 8c1bc482c63360818b11bb98c00d28c3
[167586.798028] COUNT = 42
[167586.798030] Key = a9d40024ad65b4120636f28758662cbf
[167586.798031] DT = 8f210f47c3534774067563d111251fae
[167586.798033] V = ffffffffffe000000000000000000000
[167586.798036] R = 824d9fbd714e7954717820001d58dd4b
[167586.798038] COUNT = 43
[167586.798039] Key = a9d40024ad65b4120636f28758662cbf
[167586.798041] DT = 8f210f47c3534774067563d111251faf
[167586.798042] V = fffffffffff000000000000000000000
[167586.798045] R = da4468d89c8c40863596dc40ca5d9b2a
[167586.798046] COUNT = 44
[167586.798048] Key = a9d40024ad65b4120636f28758662cbf
[167586.798049] DT = 8f210f47c3534774067563d111251fb0
[167586.798051] V = fffffffffff800000000000000000000
[167586.798053] R = 7d552e4fe7ab7168a664857afa703605
[167586.798055] COUNT = 45
[167586.798056] Key = a9d40024ad65b4120636f28758662cbf
[167586.798058] DT = 8f210f47c3534774067563d111251fb1
[167586.798059] V = fffffffffffc00000000000000000000
[167586.798063] R = df652fec6a2e106672d04057c57b97df
[167586.798064] COUNT = 46
[167586.798066] Key = a9d40024ad65b4120636f28758662cbf
[167586.798067] DT = 8f210f47c3534774067563d111251fb2
[167586.798068] V = fffffffffffe00000000000000000000
[167586.798071] R = 359e37674001168541a1ffd3c95423d2
[167586.798073] COUNT = 47
[167586.798074] Key = a9d40024ad65b4120636f28758662cbf
[167586.798076] DT = 8f210f47c3534774067563d111251fb3
[167586.798077] V = ffffffffffff00000000000000000000
[167586.798080] R = ba1b774c6973ab540231efd04cc2eb89
[167586.798082] COUNT = 48
[167586.798083] Key = a9d40024ad65b4120636f28758662cbf
[167586.798084] DT = 8f210f47c3534774067563d111251fb4
[167586.798086] V = ffffffffffff80000000000000000000
[167586.798089] R = 811daf8e9a5fb3fbf19ce7c7ffe67cd7
[167586.798091] COUNT = 49
[167586.798092] Key = a9d40024ad65b4120636f28758662cbf
[167586.798094] DT = 8f210f47c3534774067563d111251fb5
[167586.798095] V = ffffffffffffc0000000000000000000
[167586.798098] R = bdd0e6138a99c195d838cf62077818e2
[167586.798099] COUNT = 50
[167586.798101] Key = a9d40024ad65b4120636f28758662cbf
[167586.798102] DT = 8f210f47c3534774067563d111251fb6
[167586.798104] V = ffffffffffffe0000000000000000000
[167586.798106] R = 9fa566318825465221f01405bda24c59
[167586.798109] COUNT = 51
[167586.798110] Key = a9d40024ad65b4120636f28758662cbf
[167586.798111] DT = 8f210f47c3534774067563d111251fb7
[167586.798112] V = fffffffffffff0000000000000000000
[167586.798116] R = 4a7711e527490717c8d022be71cb996b
[167586.798117] COUNT = 52
[167586.798119] Key = a9d40024ad65b4120636f28758662cbf
[167586.798120] DT = 8f210f47c3534774067563d111251fb8
[167586.798122] V = fffffffffffff8000000000000000000
[167586.798124] R = 51e5b1d9a4e78cf129ba07cbd57fb179
[167586.798126] COUNT = 53
[167586.798127] Key = a9d40024ad65b4120636f28758662cbf
[167586.798129] DT = 8f210f47c3534774067563d111251fb9
[167586.798130] V = fffffffffffffc000000000000000000
[167586.798133] R = 0fab1fbae0844df8d411fd7ec40743fd
[167586.798135] COUNT = 54
[167586.798137] Key = a9d40024ad65b4120636f28758662cbf
[167586.798138] DT = 8f210f47c3534774067563d111251fba
[167586.798139] V = fffffffffffffe000000000000000000
[167586.798142] R = 5efabf3ac815a6bb2d1dc898970d4edd
[167586.798144] COUNT = 55
[167586.798145] Key = a9d40024ad65b4120636f28758662cbf
[167586.798147] DT = 8f210f47c3534774067563d111251fbb
[167586.798148] V = ffffffffffffff000000000000000000
[167586.798151] R = 782ef137436c16f32cb19ac205cda059
[167586.798153] COUNT = 56
[167586.798154] Key = a9d40024ad65b4120636f28758662cbf
[167586.798155] DT = 8f210f47c3534774067563d111251fbc
[167586.798157] V = ffffffffffffff800000000000000000
[167586.798160] R = a71f99d2c5ea21809f85a3fe5fbf0c30
[167586.798162] COUNT = 57
[167586.798163] Key = a9d40024ad65b4120636f28758662cbf
[167586.798165] DT = 8f210f47c3534774067563d111251fbd
[167586.798166] V = ffffffffffffffc00000000000000000
[167586.798169] R = e0350ccfc394cd17b2b9e4a6cd6611b7
[167586.798170] COUNT = 58
[167586.798172] Key = a9d40024ad65b4120636f28758662cbf
[167586.798173] DT = 8f210f47c3534774067563d111251fbe
[167586.798175] V = ffffffffffffffe00000000000000000
[167586.798178] R = 22e1d7fcdeb2c31a59818aed978c903f
[167586.798180] COUNT = 59
[167586.798181] Key = a9d40024ad65b4120636f28758662cbf
[167586.798182] DT = 8f210f47c3534774067563d111251fbf
[167586.798183] V = fffffffffffffff00000000000000000
[167586.798187] R = 0640a4a4e8f3bfafae167ac5e0bea443
[167586.798188] COUNT = 60
[167586.798190] Key = a9d40024ad65b4120636f28758662cbf
[167586.798191] DT = 8f210f47c3534774067563d111251fc0
[167586.798193] V = fffffffffffffff80000000000000000
[167586.798195] R = 0a9ec9dc5177b5344af8cbdbec9e3e3d
[167586.798197] COUNT = 61
[167586.798198] Key = a9d40024ad65b4120636f28758662cbf
[167586.798200] DT = 8f210f47c3534774067563d111251fc1
[167586.798201] V = fffffffffffffffc0000000000000000
[167586.798205] R = 6ef62f7c2d7652bb988b97b95a8053fa
[167586.798206] COUNT = 62
[167586.798208] Key = a9d40024ad65b4120636f28758662cbf
[167586.798209] DT = 8f210f47c3534774067563d111251fc2
[167586.798210] V = fffffffffffffffe0000000000000000
[167586.798213] R = e92f4e578087ae5b3eff59e95a317cfc
[167586.798215] COUNT = 63
[167586.798216] Key = a9d40024ad65b4120636f28758662cbf
[167586.798218] DT = 8f210f47c3534774067563d111251fc3
[167586.798219] V = ffffffffffffffff0000000000000000
[167586.798222] R = f6bcceb4a3cf6588155dcffa91263bc2
[167586.798224] COUNT = 64
[167586.798225] Key = a9d40024ad65b4120636f28758662cbf
[167586.798226] DT = 8f210f47c3534774067563d111251fc4
[167586.798228] V = ffffffffffffffff8000000000000000
[167586.798231] R = 558266c60306a5bfb3073d1bdda57cc3
[167586.798233] COUNT = 65
[167586.798234] Key = a9d40024ad65b4120636f28758662cbf
[167586.798236] DT = 8f210f47c3534774067563d111251fc5
[167586.798237] V = ffffffffffffffffc000000000000000
[167586.798240] R = ae87df36e215653dcf528dc7ad2c7a22
[167586.798241] COUNT = 66
[167586.798243] Key = a9d40024ad65b4120636f28758662cbf
[167586.798244] DT = 8f210f47c3534774067563d111251fc6
[167586.798246] V = ffffffffffffffffe000000000000000
[167586.798248] R = 5e2b8e188a4c09bb8f31817df35e88a5
[167586.798251] COUNT = 67
[167586.798252] Key = a9d40024ad65b4120636f28758662cbf
[167586.798253] DT = 8f210f47c3534774067563d111251fc7
[167586.798254] V = fffffffffffffffff000000000000000
[167586.798258] R = 1d9cef3820ae3e85fa9f6d6ed08c002f
[167586.798259] COUNT = 68
[167586.798261] Key = a9d40024ad65b4120636f28758662cbf
[167586.798262] DT = 8f210f47c3534774067563d111251fc8
[167586.798264] V = fffffffffffffffff800000000000000
[167586.798266] R = d1e9bff7d9042d2ccdb6e235561a0237
[167586.798268] COUNT = 69
[167586.798269] Key = a9d40024ad65b4120636f28758662cbf
[167586.798271] DT = 8f210f47c3534774067563d111251fc9
[167586.798272] V = fffffffffffffffffc00000000000000
[167586.798276] R = 0ebb95bee2bd65d26c6a71c11d429c7e
[167586.798277] COUNT = 70
[167586.798279] Key = a9d40024ad65b4120636f28758662cbf
[167586.798280] DT = 8f210f47c3534774067563d111251fca
[167586.798282] V = fffffffffffffffffe00000000000000
[167586.798284] R = 8ae5c6eb09b33d69fb059ed707ab83c1
[167586.798286] COUNT = 71
[167586.798287] Key = a9d40024ad65b4120636f28758662cbf
[167586.798289] DT = 8f210f47c3534774067563d111251fcb
[167586.798290] V = ffffffffffffffffff00000000000000
[167586.798293] R = eec477375d2856e8e70cd32ebb534347
[167586.798295] COUNT = 72
[167586.798297] Key = a9d40024ad65b4120636f28758662cbf
[167586.798298] DT = 8f210f47c3534774067563d111251fcc
[167586.798299] V = ffffffffffffffffff80000000000000
[167586.798302] R = c1e7fc24eb03ba19903fb89f0b2081cc
[167586.798304] COUNT = 73
[167586.798305] Key = a9d40024ad65b4120636f28758662cbf
[167586.798307] DT = 8f210f47c3534774067563d111251fcd
[167586.798308] V = ffffffffffffffffffc0000000000000
[167586.798311] R = 285088e3ac31481655b249e7615a14e6
[167586.798313] COUNT = 74
[167586.798314] Key = a9d40024ad65b4120636f28758662cbf
[167586.798315] DT = 8f210f47c3534774067563d111251fce
[167586.798317] V = ffffffffffffffffffe0000000000000
[167586.798320] R = 3d3800ca2c2fc328c79c99b95eb5814d
[167586.798322] COUNT = 75
[167586.798323] Key = a9d40024ad65b4120636f28758662cbf
[167586.798325] DT = 8f210f47c3534774067563d111251fcf
[167586.798326] V = fffffffffffffffffff0000000000000
[167586.798329] R = 1a15362a6805a3a4a6447bf20e499ea3
[167586.798330] COUNT = 76
[167586.798332] Key = a9d40024ad65b4120636f28758662cbf
[167586.798333] DT = 8f210f47c3534774067563d111251fd0
[167586.798335] V = fffffffffffffffffff8000000000000
[167586.798337] R = f0d8d3e8925364eb7a08f8d5fdf2aaba
[167586.798340] COUNT = 77
[167586.798341] Key = a9d40024ad65b4120636f28758662cbf
[167586.798342] DT = 8f210f47c3534774067563d111251fd1
[167586.798343] V = fffffffffffffffffffc000000000000
[167586.798347] R = b021bee6e576fc3efb2da3ba6e9061b4
[167586.798348] COUNT = 78
[167586.798350] Key = a9d40024ad65b4120636f28758662cbf
[167586.798351] DT = 8f210f47c3534774067563d111251fd2
[167586.798353] V = fffffffffffffffffffe000000000000
[167586.798355] R = c27ffdb85c6ac70d7ffc9768c68066fe
[167586.798357] COUNT = 79
[167586.798358] Key = a9d40024ad65b4120636f28758662cbf
[167586.798360] DT = 8f210f47c3534774067563d111251fd3
[167586.798361] V = ffffffffffffffffffff000000000000
[167586.798364] R = daa3135edab2a1835205dd93d7fa1fa3
[167586.798366] COUNT = 80
[167586.798368] Key = a9d40024ad65b4120636f28758662cbf
[167586.798369] DT = 8f210f47c3534774067563d111251fd4
[167586.798370] V = ffffffffffffffffffff800000000000
[167586.798373] R = 2ae0ea148770e489f50e09f55f58032c
[167586.798375] COUNT = 81
[167586.798376] Key = a9d40024ad65b4120636f28758662cbf
[167586.798378] DT = 8f210f47c3534774067563d111251fd5
[167586.798379] V = ffffffffffffffffffffc00000000000
[167586.798382] R = 0b6cfc8f52d349cfb6023b260671f14d
[167586.798384] COUNT = 82
[167586.798385] Key = a9d40024ad65b4120636f28758662cbf
[167586.798386] DT = 8f210f47c3534774067563d111251fd6
[167586.798388] V = ffffffffffffffffffffe00000000000
[167586.798391] R = 2b27f8b02f3033f5fe249da6224a7bc8
[167586.798393] COUNT = 83
[167586.798394] Key = a9d40024ad65b4120636f28758662cbf
[167586.798396] DT = 8f210f47c3534774067563d111251fd7
[167586.798397] V = fffffffffffffffffffff00000000000
[167586.798400] R = e1e0eb86dd75ffea743d28087ef56864
[167586.798401] COUNT = 84
[167586.798403] Key = a9d40024ad65b4120636f28758662cbf
[167586.798404] DT = 8f210f47c3534774067563d111251fd8
[167586.798406] V = fffffffffffffffffffff80000000000
[167586.798409] R = ac34a42b0484c03cbf05e76666f7dcd7
[167586.798411] COUNT = 85
[167586.798412] Key = a9d40024ad65b4120636f28758662cbf
[167586.798414] DT = 8f210f47c3534774067563d111251fd9
[167586.798415] V = fffffffffffffffffffffc0000000000
[167586.798418] R = 3e7b9014dc114153164b1942365d5f83
[167586.798419] COUNT = 86
[167586.798421] Key = a9d40024ad65b4120636f28758662cbf
[167586.798422] DT = 8f210f47c3534774067563d111251fda
[167586.798424] V = fffffffffffffffffffffe0000000000
[167586.798427] R = b4d04a8817a7f1501f31a3f6a7a28407
[167586.798429] COUNT = 87
[167586.798430] Key = a9d40024ad65b4120636f28758662cbf
[167586.798432] DT = 8f210f47c3534774067563d111251fdb
[167586.798433] V = ffffffffffffffffffffff0000000000
[167586.798436] R = 787095b844b094f1906ab0072a1517cb
[167586.798437] COUNT = 88
[167586.798439] Key = a9d40024ad65b4120636f28758662cbf
[167586.798440] DT = 8f210f47c3534774067563d111251fdc
[167586.798442] V = ffffffffffffffffffffff8000000000
[167586.798445] R = 996ac1d03ccd7a107c83b1fd088c5cbc
[167586.798447] COUNT = 89
[167586.798448] Key = a9d40024ad65b4120636f28758662cbf
[167586.798450] DT = 8f210f47c3534774067563d111251fdd
[167586.798451] V = ffffffffffffffffffffffc000000000
[167586.798454] R = dbf0e24a343be682c1f73ecf29b8341a
[167586.798455] COUNT = 90
[167586.798457] Key = a9d40024ad65b4120636f28758662cbf
[167586.798458] DT = 8f210f47c3534774067563d111251fde
[167586.798460] V = ffffffffffffffffffffffe000000000
[167586.798462] R = 3029e157f677f09b22ca513d5c8473df
[167586.798464] COUNT = 91
[167586.798465] Key = a9d40024ad65b4120636f28758662cbf
[167586.798467] DT = 8f210f47c3534774067563d111251fdf
[167586.798468] V = fffffffffffffffffffffff000000000
[167586.798472] R = 6bd4272da97267deb7782bf69a9f1497
[167586.798473] COUNT = 92
[167586.798475] Key = a9d40024ad65b4120636f28758662cbf
[167586.798476] DT = 8f210f47c3534774067563d111251fe0
[167586.798477] V = fffffffffffffffffffffff800000000
[167586.798480] R = 3e0db343d318397c7348a58e7b6a0226
[167586.798482] COUNT = 93
[167586.798483] Key = a9d40024ad65b4120636f28758662cbf
[167586.798485] DT = 8f210f47c3534774067563d111251fe1
[167586.798486] V = fffffffffffffffffffffffc00000000
[167586.798489] R = 3d83b06d968c2451d4bcd44e30dc52ec
[167586.798491] COUNT = 94
[167586.798492] Key = a9d40024ad65b4120636f28758662cbf
[167586.798493] DT = 8f210f47c3534774067563d111251fe2
[167586.798495] V = fffffffffffffffffffffffe00000000
[167586.798498] R = d68850f07ed172bcc651d09450689f2b
[167586.798500] COUNT = 95
[167586.798501] Key = a9d40024ad65b4120636f28758662cbf
[167586.798503] DT = 8f210f47c3534774067563d111251fe3
[167586.798504] V = ffffffffffffffffffffffff00000000
[167586.798507] R = a0250147fb7a2228c2ede356ccd65331
[167586.798508] COUNT = 96
[167586.798510] Key = a9d40024ad65b4120636f28758662cbf
[167586.798511] DT = 8f210f47c3534774067563d111251fe4
[167586.798513] V = ffffffffffffffffffffffff80000000
[167586.798515] R = 5a57df8d4e87ab2b72593d01ca3e55dc
[167586.798518] COUNT = 97
[167586.798519] Key = a9d40024ad65b4120636f28758662cbf
[167586.798520] DT = 8f210f47c3534774067563d111251fe5
[167586.798521] V = ffffffffffffffffffffffffc0000000
[167586.798525] R = 494d1d35b797aceab8c7aba765239e66
[167586.798526] COUNT = 98
[167586.798528] Key = a9d40024ad65b4120636f28758662cbf
[167586.798529] DT = 8f210f47c3534774067563d111251fe6
[167586.798531] V = ffffffffffffffffffffffffe0000000
[167586.798533] R = 024d94511e8a04366a3df4c50b25b012
[167586.798535] COUNT = 99
[167586.798536] Key = a9d40024ad65b4120636f28758662cbf
[167586.798538] DT = 8f210f47c3534774067563d111251fe7
[167586.798539] V = fffffffffffffffffffffffff0000000
[167586.798542] R = fec9f458911507af320c08a609675ec9
[167586.798544] COUNT = 100
[167586.798546] Key = a9d40024ad65b4120636f28758662cbf
[167586.798547] DT = 8f210f47c3534774067563d111251fe8
[167586.798548] V = fffffffffffffffffffffffff8000000
[167586.798551] R = 42e839d7e111a211ad306583bec44822
[167586.798553] COUNT = 101
[167586.798554] Key = a9d40024ad65b4120636f28758662cbf
[167586.798556] DT = 8f210f47c3534774067563d111251fe9
[167586.798557] V = fffffffffffffffffffffffffc000000
[167586.798560] R = ad91301938e9dbe2ecf1c3df822dd1b4
[167586.798562] COUNT = 102
[167586.798563] Key = a9d40024ad65b4120636f28758662cbf
[167586.798564] DT = 8f210f47c3534774067563d111251fea
[167586.798566] V = fffffffffffffffffffffffffe000000
[167586.798569] R = d44714513a362b36e939acb64d32c38f
[167586.798571] COUNT = 103
[167586.798572] Key = a9d40024ad65b4120636f28758662cbf
[167586.798574] DT = 8f210f47c3534774067563d111251feb
[167586.798575] V = ffffffffffffffffffffffffff000000
[167586.798578] R = a6b665aff1c3ad57c7154a8c0d5fd9a5
[167586.798580] COUNT = 104
[167586.798581] Key = a9d40024ad65b4120636f28758662cbf
[167586.798582] DT = 8f210f47c3534774067563d111251fec
[167586.798584] V = ffffffffffffffffffffffffff800000
[167586.798587] R = 26cafe93a78ccc9767e8d413e1bfefb3
[167586.798589] COUNT = 105
[167586.798590] Key = a9d40024ad65b4120636f28758662cbf
[167586.798592] DT = 8f210f47c3534774067563d111251fed
[167586.798593] V = ffffffffffffffffffffffffffc00000
[167586.798596] R = c8e99427c4e780a010a090d0372defba
[167586.798598] COUNT = 106
[167586.798599] Key = a9d40024ad65b4120636f28758662cbf
[167586.798600] DT = 8f210f47c3534774067563d111251fee
[167586.798602] V = ffffffffffffffffffffffffffe00000
[167586.798605] R = 608f34e459ddc8f5e7344246ec6742fb
[167586.798607] COUNT = 107
[167586.798608] Key = a9d40024ad65b4120636f28758662cbf
[167586.798610] DT = 8f210f47c3534774067563d111251fef
[167586.798611] V = fffffffffffffffffffffffffff00000
[167586.798614] R = e46129e11248167041f6fcda17531a01
[167586.798615] COUNT = 108
[167586.798617] Key = a9d40024ad65b4120636f28758662cbf
[167586.798618] DT = 8f210f47c3534774067563d111251ff0
[167586.798620] V = fffffffffffffffffffffffffff80000
[167586.798622] R = 20bd71dcc355f2aa21224b787f253388
[167586.798625] COUNT = 109
[167586.798626] Key = a9d40024ad65b4120636f28758662cbf
[167586.798627] DT = 8f210f47c3534774067563d111251ff1
[167586.798628] V = fffffffffffffffffffffffffffc0000
[167586.798632] R = 91f992dd175770f24be1911947919897
[167586.798633] COUNT = 110
[167586.798635] Key = a9d40024ad65b4120636f28758662cbf
[167586.798636] DT = 8f210f47c3534774067563d111251ff2
[167586.798638] V = fffffffffffffffffffffffffffe0000
[167586.798640] R = 24280af730525ac6323b26d2b2d72e78
[167586.798642] COUNT = 111
[167586.798643] Key = a9d40024ad65b4120636f28758662cbf
[167586.798645] DT = 8f210f47c3534774067563d111251ff3
[167586.798646] V = ffffffffffffffffffffffffffff0000
[167586.798649] R = 586b62c4ef8b0754f1e0e54de8280db5
[167586.798651] COUNT = 112
[167586.798653] Key = a9d40024ad65b4120636f28758662cbf
[167586.798654] DT = 8f210f47c3534774067563d111251ff4
[167586.798655] V = ffffffffffffffffffffffffffff8000
[167586.798658] R = d5bdca69e14cfd3e68f4ddf986e644ec
[167586.798660] COUNT = 113
[167586.798661] Key = a9d40024ad65b4120636f28758662cbf
[167586.798663] DT = 8f210f47c3534774067563d111251ff5
[167586.798664] V = ffffffffffffffffffffffffffffc000
[167586.798667] R = 27de0bafeda3747ed45c3eb01812bfba
[167586.798669] COUNT = 114
[167586.798670] Key = a9d40024ad65b4120636f28758662cbf
[167586.798671] DT = 8f210f47c3534774067563d111251ff6
[167586.798673] V = ffffffffffffffffffffffffffffe000
[167586.798676] R = 47dffc9fb3d804d04f97f57be89df32c
[167586.798678] COUNT = 115
[167586.798679] Key = a9d40024ad65b4120636f28758662cbf
[167586.798681] DT = 8f210f47c3534774067563d111251ff7
[167586.798682] V = fffffffffffffffffffffffffffff000
[167586.798685] R = 0dfbf494a749c4690a53ea0c4e954f28
[167586.798686] COUNT = 116
[167586.798688] Key = a9d40024ad65b4120636f28758662cbf
[167586.798689] DT = 8f210f47c3534774067563d111251ff8
[167586.798691] V = fffffffffffffffffffffffffffff800
[167586.798694] R = 4d99f726b46f2ac6caf44dfbb953efa4
[167586.798696] COUNT = 117
[167586.798697] Key = a9d40024ad65b4120636f28758662cbf
[167586.798699] DT = 8f210f47c3534774067563d111251ff9
[167586.798700] V = fffffffffffffffffffffffffffffc00
[167586.798703] R = 8c5e52f5aabba9d3381c30bbb035437e
[167586.798704] COUNT = 118
[167586.798706] Key = a9d40024ad65b4120636f28758662cbf
[167586.798707] DT = 8f210f47c3534774067563d111251ffa
[167586.798709] V = fffffffffffffffffffffffffffffe00
[167586.798711] R = ece785972cb280231256819f3398b099
[167586.798713] COUNT = 119
[167586.798714] Key = a9d40024ad65b4120636f28758662cbf
[167586.798716] DT = 8f210f47c3534774067563d111251ffb
[167586.798717] V = ffffffffffffffffffffffffffffff00
[167586.798721] R = c2d2fb45d60e0344abe1da62c5f000a6
[167586.798722] COUNT = 120
[167586.798724] Key = a9d40024ad65b4120636f28758662cbf
[167586.798725] DT = 8f210f47c3534774067563d111251ffc
[167586.798727] V = ffffffffffffffffffffffffffffff80
[167586.798729] R = 44c999a091dd477a53282c619a66435f
[167586.798731] COUNT = 121
[167586.798732] Key = a9d40024ad65b4120636f28758662cbf
[167586.798734] DT = 8f210f47c3534774067563d111251ffd
[167586.798735] V = ffffffffffffffffffffffffffffffc0
[167586.798739] R = 2c5052b61fb6584557a47386d54af8e8
[167586.798740] COUNT = 122
[167586.798742] Key = a9d40024ad65b4120636f28758662cbf
[167586.798743] DT = 8f210f47c3534774067563d111251ffe
[167586.798745] V = ffffffffffffffffffffffffffffffe0
[167586.798747] R = e425de6b33246ced032c9fabb7dcc0b2
[167586.798749] COUNT = 123
[167586.798750] Key = a9d40024ad65b4120636f28758662cbf
[167586.798752] DT = 8f210f47c3534774067563d111251fff
[167586.798753] V = fffffffffffffffffffffffffffffff0
[167586.798757] R = 84cd42770bea4ee6c8b10b4a2e63de44
[167586.798758] COUNT = 124
[167586.798760] Key = a9d40024ad65b4120636f28758662cbf
[167586.798761] DT = 8f210f47c3534774067563d111252000
[167586.798762] V = fffffffffffffffffffffffffffffff8
[167586.798765] R = 1b08e2134f683c451ec9330251958a12
[167586.798767] COUNT = 125
[167586.798768] Key = a9d40024ad65b4120636f28758662cbf
[167586.798770] DT = 8f210f47c3534774067563d111252001
[167586.798771] V = fffffffffffffffffffffffffffffffc
[167586.798774] R = 48ec5931c00380c7530232b89216c9eb
[167586.798776] COUNT = 126
[167586.798777] Key = a9d40024ad65b4120636f28758662cbf
[167586.798778] DT = 8f210f47c3534774067563d111252002
[167586.798780] V = fffffffffffffffffffffffffffffffe
[167586.798783] R = c87cd7f5569b91b3103add66de907bcc
[167586.798785] COUNT = 127
[167586.798786] Key = a9d40024ad65b4120636f28758662cbf
[167586.798788] DT = 8f210f47c3534774067563d111252003
[167586.798789] V = ffffffffffffffffffffffffffffffff
[167586.798792] R = 2ad3d5a6ccc2fdd66de9f4d46b150079prng_mod_init: err 0

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Sonntag, 14. Dezember 2014, 15:37:38 schrieb George Spelvin:

Hi George,

> In an earlier conversation with Neil, I had an idea that I'd like
> your opinion on.
> 
> I still think whether true-random mode is wanted is up in the air,
> but if it is, a better way to proide it would be to create a separate
> crypto_alg for it, with a smaller seed size (no DT seed) and its own name.
> 
In my personal view, there is no need for such rather non-deterministic 
behavior. The reasons are several-fold:

- one who wants non-deterministic operation goes straight to get_random_bytes 
or uses stdrng in a normal system. This RNG is built for that purpose. Though, 
get_random_bytes is logically /dev/urandom. If somebody wants to have an in-
kernel /dev/random implementation, I have one available. When I come around, I 
want to make that in-kernel /dev/random as a seed source for my DRBG. That in-
kernel /dev/random would be a good seed source for the X9.31 too -- and here 
you should put your effort into, IMHO. 

- the non-determinism you get from get_random_int is very weak. If you start 
thinking about the information theoretical entropy behind that function that 
is used once in a while, you may not get much entropy. Please, please, please, 
I do not want to start a discussion around entropy -- I will not participate 
in such discussion :-)

- the deterministic RNGs are cryptographically strong. Thus, when you seed 
them with a good noise source like get_random_bytes, you will get good random 
numbers. Ensure proper reseeding and you will be on the safe side.

Thus, I am questioning whether such slightly non-deterministic RNG would be 
used.

> But I have no idea what name to use.  Any suggestions?  And a FIPS
> version, too?

There is no FIPS version of a non-deterministic RNG. Either deterministic or 
die (the SP800-90B death).

-- 
Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Sonntag, 14. Dezember 2014, 14:47:30 schrieb George Spelvin:

Hi George,

> >> Pending issues:
> >> * Neil would like me to post the results of the NIST and FIPS test
> >> 
> >>   vectors.  The current code doesn't print anything on a successful
> >>   test; I need to know what result format is wanted.
> >> 
> >> * Stephan says he has the FIPS test vectors referred to above and
> >> 
> >>   will send them to me when he finds them.
> > 
> > I have send these vectors about a week ago. Do you have results?
> 
> I got them, but I've been twiddling my thumbs waiting for the first
> point above: to know what format the results should be in.


I just would like to see a yes or no -- you got the expected results with the 
test vectors too. Thus, generate the random numbers, do a comparison with the 
expected results (and maybe publish your code for others to verify) and be 
done with it.
> 
> > Note, apart from the two comments  I sent today, I do not see any big
> > prolems in the patch set. However, I would like to see the test results.
> 
> As far as I can tell, the tcrypt.ko module prints *nothing* if a test
> is successful, and there is no module option to make it more verbose,
> so I don't know what to show people.

Passing tcrypt and testmgr is good. However, the CAVS test vectors test some 
edge conditions. Therefore, I would like to see them passing and not just the 
"normal" test vectors in testmgr.
> 
> I can say "yes, I ran it, and saw no errors" but that seems unsatisfactory.

Publish the code on how you ran it.
> 
> What would you like to see, other than the following uuencoded test
> results:
> 
> begin 664 test_results
> `
> end
> 
> As I mentioned (in passing; you may have forgotten), for my own use,
> I simply copied the test code & vectors out of testmgr.[ch] and pasted
> it into ansi_cprng.c's prng_mod_init (at the end, so it doesn't mess up
> the line numbers of the other patches), with some tweaks to say "Test
> %d passed".

See above on my thoughts of those vectors.
> 
> There's also a debug option that dumps all kinds of details in
> _get_more_prng_bytes, but that produces so much output on a 10,000-round
> MCT that the kernel log buffer overflows and loses data.

No interim results are necessary.

-- 
Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 00:53:19 schrieb George Spelvin:

Hi George,

> > I have send these vectors about a week ago. Do you have results?
> 
> BTW, here is my current home-grown debugging output.

That output is good for the VST test vectors. For the MCT vectors, I need the 
10000th value.
> 
> With some minor editor massaging (deleting the timestamps and
> inserting a blank line before every "COUNT" line), it matches the
> ANSI931_AES128MCT.fax and ANSI931_AES128VST.fax you sent.  I left it
> un-massaged as some sort of evidence that it isn't just a direct copy.

I cannot match these test vectors and the results to the ones I sent to you. 
E.g. I do not find the key value f3b1666d13607242ed061cabb8d46202 anywhere in 
the data set.

(to everybody: if somebody wants the X9.31 test vectors we are discussing 
here, please let me know -- I do not want to send a 90KB tar archive to this 
mailing list.)

> 
> [167586.775196] alg_test_cprng: testing ansi_cprng: err 0
> [167586.775220] COUNT = 0
> [167586.775222] Key = f3b1666d13607242ed061cabb8d46202
> [167586.775225] DT = e6b3be782a23fa62d71d4afbb0e922f9
> [167586.775226] V = 80000000000000000000000000000000
> [167586.775230] R = 59531ed13bb0c05584796685c12f7641
> [167586.775231] cprng: Test 0 passed
> [167586.775234] cprng: Stutter test 0 passed
> [167586.775235] COUNT = 1
> [167586.775236] Key = f3b1666d13607242ed061cabb8d46202
> [167586.775237] DT = e6b3be782a23fa62d71d4afbb0e922fa
> [167586.775237] V = c0000000000000000000000000000000
> [167586.775239] R = 7c222cf4ca8fa24c1c9cb641a9f3220d
> [167586.775240] cprng: Test 1 passed
> [167586.775242] cprng: Stutter test 1 passed
> [167586.775243] COUNT = 2
> [167586.775244] Key = f3b1666d13607242ed061cabb8d46202
> [167586.775245] DT = e6b3be782a23fa62d71d4afbb0e922fb
> [167586.775245] V = e0000000000000000000000000000000
> [167586.775247] R = 8aaa003966675be529142881a94d4ec7
> [167586.775248] cprng: Test 2 passed
> [167586.775250] cprng: Stutter test 2 passed
> [167586.775250] COUNT = 3
> [167586.775251] Key = f3b1666d13607242ed061cabb8d46202
> [167586.775252] DT = e6b3be782a23fa62d71d4afbb0e922fc
> [167586.775253] V = f0000000000000000000000000000000
> [167586.775255] R = 88dda456302423e5f69da57e7b95c73a
> [167586.775255] cprng: Test 3 passed
> [167586.775257] cprng: Stutter test 3 passed
> [167586.775258] COUNT = 4
> [167586.775259] Key = f3b1666d13607242ed061cabb8d46202
> [167586.775260] DT = e6b3be782a23fa62d71d4afbb0e922fd
> [167586.775260] V = f8000000000000000000000000000000
> [167586.775262] R = 052592466179d2cb78c40b140a5a9ac8
> [167586.775263] cprng: Test 4 passed
> [167586.775265] cprng: Stutter test 4 passed
> [167586.775266] COUNT = 5
> [167586.775266] Key = 9f5b51200bf334b5d82be8c37255c848
> [167586.775267] DT = 6376bbe52902ba3b67c925fa701f11ac
> [167586.775268] V = 572c8e76872647977e74fbddc49501d1
> [167586.775270] R = 2b6c7070067fc873079864a30a316927
> [167586.775271] cprng: Test 5 passed
> [167586.775273] cprng: Stutter test 5 passed
> [167586.775274] COUNT = 6
> [167586.775275] Key = 9f5b51200bf334b5d82be8c37255c848
> [167586.775276] DT = 6376bbe52902ba3b67c925fa701f11ac
> [167586.775276] V = 572c8e76872647977e74fbddc49501d1
> [167586.775279] R = 3bed4e991f23567cf7e2c9306e12b6d2
> [167586.775280] cprng: Test 6 passed
> [167586.775283] cprng: Stutter test 6 passed
> [167586.775284] COUNT = 7
> [167586.775285] Key = 9f5b51200bf334b5d82be8c37255c848
> [167586.775286] DT = 6376bbe52902ba3b67c925fa701f11ac
> [167586.775286] V = 572c8e76872647977e74fbddc49501d1
> [167586.775291] R = a5975adb24344f7e2dbbaf96060063ee
> [167586.775291] cprng: Test 7 passed
> [167586.775297] cprng: Stutter test 7 passed
> [167586.775298] COUNT = 8
> [167586.775298] Key = 9f5b51200bf334b5d82be8c37255c848
> [167586.775299] DT = 6376bbe52902ba3b67c925fa701f11ac
> [167586.775300] V = 572c8e76872647977e74fbddc49501d1
> [167586.780146] R = 48e9bd0d06ee18fbe45790d5c3fc9b73
> [167586.780147] cprng: Test 8 passed
> [167586.784921] cprng: Stutter test 8 passed
> [167586.784923] COUNT = 9
> [167586.784925] Key = 10379b53317a2500879e88ad445ea387
> [167586.784927] DT = 055a913d7587d54ee58c053fd4beb4a2
> [167586.784928] V = a7d058a34e1bf49b40f0b6d26661f889
> [167586.791891] R = c252c3f173558775929fe3fb8345feb2
> [167586.791892] cprng: Test 9 passed
> [167586.797633] cprng: Stutter test 9 passed
> [167586.797635] COUNT = 10
> [167586.797637] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797639] DT = 8f210f47c3534774067563d111251f84
> [167586.797640] V = 80000000000000000000000000000000
> [167586.797645] R = a80bd181ddc04a55a554da4d520dd493
> [167586.797646] cprng: Test 10 passed
> [167586.797650] cprng: Stutter test 10 passed
> [167586.797652] [X9.31]
> [AES 128-Key]
> [167586.797654] COUNT = 0
> [167586.797656] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797657] DT = 8f210f47c3534774067563d111251f84
> [167586.797659] V = 80000000000000000000000000000000
> [167586.797662] R = a80bd181ddc04a55a554da4d520dd493
> [167586.797664] COUNT = 1
> [167586.797665] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797667] DT = 8f210f47c3534774067563d111251f85
> [167586.797668] V = c0000000000000000000000000000000
> [167586.797671] R = 5ed27d0a7883408b42ecfdb7bfffc056
> [167586.797672] COUNT = 2
> [167586.797674] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797675] DT = 8f210f47c3534774067563d111251f86
> [167586.797677] V = e0000000000000000000000000000000
> [167586.797680] R = 40859edac9fee6735262389927aa063c
> [167586.797682] COUNT = 3
> [167586.797683] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797685] DT = 8f210f47c3534774067563d111251f87
> [167586.797686] V = f0000000000000000000000000000000
> [167586.797689] R = c566e9c1d34c30e7325ee15035c5c1fd
> [167586.797691] COUNT = 4
> [167586.797692] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797693] DT = 8f210f47c3534774067563d111251f88
> [167586.797695] V = f8000000000000000000000000000000
> [167586.797698] R = 0c1daa16ae3f771bfdd609a96932aefe
> [167586.797700] COUNT = 5
> [167586.797701] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797703] DT = 8f210f47c3534774067563d111251f89
> [167586.797704] V = fc000000000000000000000000000000
> [167586.797707] R = fa269d8b3f7e8046dc1002ee6ceaa4ba
> [167586.797708] COUNT = 6
> [167586.797710] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797711] DT = 8f210f47c3534774067563d111251f8a
> [167586.797713] V = fe000000000000000000000000000000
> [167586.797715] R = 4e1aa8c5c653e2a778e0dbd1526eb04f
> [167586.797718] COUNT = 7
> [167586.797719] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797720] DT = 8f210f47c3534774067563d111251f8b
> [167586.797721] V = ff000000000000000000000000000000
> [167586.797725] R = 812cd80ce6d5c1cccbf790c6fe351372
> [167586.797726] COUNT = 8
> [167586.797728] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797729] DT = 8f210f47c3534774067563d111251f8c
> [167586.797731] V = ff800000000000000000000000000000
> [167586.797733] R = 01c23ab8a10facad20e9a4efd9a53e39
> [167586.797735] COUNT = 9
> [167586.797736] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797738] DT = 8f210f47c3534774067563d111251f8d
> [167586.797739] V = ffc00000000000000000000000000000
> [167586.797742] R = 8cfb09605e7ed12824be17099f106022
> [167586.797744] COUNT = 10
> [167586.797746] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797747] DT = 8f210f47c3534774067563d111251f8e
> [167586.797748] V = ffe00000000000000000000000000000
> [167586.797751] R = 0e98216a1968d7808f368712d4766c0d
> [167586.797753] COUNT = 11
> [167586.797754] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797756] DT = 8f210f47c3534774067563d111251f8f
> [167586.797757] V = fff00000000000000000000000000000
> [167586.797760] R = 6113ce157a4d9525f2fe33509ced98af
> [167586.797762] COUNT = 12
> [167586.797763] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797764] DT = 8f210f47c3534774067563d111251f90
> [167586.797766] V = fff80000000000000000000000000000
> [167586.797769] R = b5d87fb4da572abe77ecf7c6cb12a232
> [167586.797771] COUNT = 13
> [167586.797772] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797774] DT = 8f210f47c3534774067563d111251f91
> [167586.797775] V = fffc0000000000000000000000000000
> [167586.797778] R = d7b1a681267a9d83b67dc3ee694257f4
> [167586.797779] COUNT = 14
> [167586.797781] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797782] DT = 8f210f47c3534774067563d111251f92
> [167586.797784] V = fffe0000000000000000000000000000
> [167586.797786] R = 46470510f72d0e9dc51e802bfc869b6a
> [167586.797789] COUNT = 15
> [167586.797790] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797791] DT = 8f210f47c3534774067563d111251f93
> [167586.797792] V = ffff0000000000000000000000000000
> [167586.797796] R = f2a1487a2367b7cf37f51d5cf46c95f2
> [167586.797797] COUNT = 16
> [167586.797799] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797800] DT = 8f210f47c3534774067563d111251f94
> [167586.797802] V = ffff8000000000000000000000000000
> [167586.797804] R = a02b7bfcb1ff61b485e2f4799cc22fc7
> [167586.797806] COUNT = 17
> [167586.797807] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797809] DT = 8f210f47c3534774067563d111251f95
> [167586.797810] V = ffffc000000000000000000000000000
> [167586.797814] R = 596abac16deddfbee1345471ab85a7f8
> [167586.797815] COUNT = 18
> [167586.797817] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797818] DT = 8f210f47c3534774067563d111251f96
> [167586.797819] V = ffffe000000000000000000000000000
> [167586.797822] R = e6afbfb28608eb578a33d02a8c9a8aad
> [167586.797824] COUNT = 19
> [167586.797825] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797827] DT = 8f210f47c3534774067563d111251f97
> [167586.797828] V = fffff000000000000000000000000000
> [167586.797831] R = a9ba3933c0ad155e59fab7f45ac42035
> [167586.797833] COUNT = 20
> [167586.797835] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797836] DT = 8f210f47c3534774067563d111251f98
> [167586.797838] V = fffff800000000000000000000000000
> [167586.797840] R = 8fbeb299630f2d54962d268672195a10
> [167586.797842] COUNT = 21
> [167586.797843] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797845] DT = 8f210f47c3534774067563d111251f99
> [167586.797846] V = fffffc00000000000000000000000000
> [167586.797849] R = 1ea5cd984515c115becf7ec42ba0ba80
> [167586.797851] COUNT = 22
> [167586.797853] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797854] DT = 8f210f47c3534774067563d111251f9a
> [167586.797855] V = fffffe00000000000000000000000000
> [167586.797858] R = a2ef920bf732a46a7c0320d279331d63
> [167586.797860] COUNT = 23
> [167586.797861] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797863] DT = 8f210f47c3534774067563d111251f9b
> [167586.797864] V = ffffff00000000000000000000000000
> [167586.797867] R = edd1ab55491b523d428347aadb6b085e
> [167586.797869] COUNT = 24
> [167586.797870] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797871] DT = 8f210f47c3534774067563d111251f9c
> [167586.797873] V = ffffff80000000000000000000000000
> [167586.797876] R = 22e9b702dbc16f7c03586656b8daf2b4
> [167586.797878] COUNT = 25
> [167586.797879] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797881] DT = 8f210f47c3534774067563d111251f9d
> [167586.797882] V = ffffffc0000000000000000000000000
> [167586.797885] R = aee98e4b6820df0ae4c1e70996ce17aa
> [167586.797886] COUNT = 26
> [167586.797888] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797889] DT = 8f210f47c3534774067563d111251f9e
> [167586.797891] V = ffffffe0000000000000000000000000
> [167586.797893] R = 29a75b2c8f9e152c52e21816d19f46e1
> [167586.797895] COUNT = 27
> [167586.797897] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797898] DT = 8f210f47c3534774067563d111251f9f
> [167586.797899] V = fffffff0000000000000000000000000
> [167586.797903] R = 85b1ee76c75b4e24cd12a621acf45f70
> [167586.797904] COUNT = 28
> [167586.797906] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797907] DT = 8f210f47c3534774067563d111251fa0
> [167586.797909] V = fffffff8000000000000000000000000
> [167586.797911] R = f00879323dc053f56222783087f3ea33
> [167586.797913] COUNT = 29
> [167586.797914] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797916] DT = 8f210f47c3534774067563d111251fa1
> [167586.797917] V = fffffffc000000000000000000000000
> [167586.797920] R = ec3209bd5eae231fb0153905aa54268c
> [167586.797922] COUNT = 30
> [167586.797923] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797925] DT = 8f210f47c3534774067563d111251fa2
> [167586.797926] V = fffffffe000000000000000000000000
> [167586.797929] R = 84ae91db0300bfcdedf5dbdc47607d72
> [167586.797931] COUNT = 31
> [167586.797932] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797934] DT = 8f210f47c3534774067563d111251fa3
> [167586.797935] V = ffffffff000000000000000000000000
> [167586.797938] R = 4e0129005ec23dfae7fd21ea67cb2b87
> [167586.797940] COUNT = 32
> [167586.797941] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797942] DT = 8f210f47c3534774067563d111251fa4
> [167586.797944] V = ffffffff800000000000000000000000
> [167586.797947] R = f7149af63bc31351cef8b0cc9648e4f3
> [167586.797949] COUNT = 33
> [167586.797950] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797952] DT = 8f210f47c3534774067563d111251fa5
> [167586.797953] V = ffffffffc00000000000000000000000
> [167586.797956] R = 637742c7def9eecd6add5c8143c88b65
> [167586.797957] COUNT = 34
> [167586.797959] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797960] DT = 8f210f47c3534774067563d111251fa6
> [167586.797962] V = ffffffffe00000000000000000000000
> [167586.797964] R = 04e2ce1cb8e423693b24e09889ab03d9
> [167586.797966] COUNT = 35
> [167586.797967] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797969] DT = 8f210f47c3534774067563d111251fa7
> [167586.797970] V = fffffffff00000000000000000000000
> [167586.797974] R = 2b80dea14e38fa8e5579bdf4e44785f0
> [167586.797975] COUNT = 36
> [167586.797977] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797978] DT = 8f210f47c3534774067563d111251fa8
> [167586.797980] V = fffffffff80000000000000000000000
> [167586.797982] R = 331a4b7f1b51ec7452d6c94c450cefd6
> [167586.797984] COUNT = 37
> [167586.797985] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797987] DT = 8f210f47c3534774067563d111251fa9
> [167586.797988] V = fffffffffc0000000000000000000000
> [167586.797991] R = 86a58139c440ac4b976374948848b93d
> [167586.797993] COUNT = 38
> [167586.797995] Key = a9d40024ad65b4120636f28758662cbf
> [167586.797996] DT = 8f210f47c3534774067563d111251faa
> [167586.797997] V = fffffffffe0000000000000000000000
> [167586.798000] R = 798bbb90c0a1057c5b81064f814fb555
> [167586.798002] COUNT = 39
> [167586.798003] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798005] DT = 8f210f47c3534774067563d111251fab
> [167586.798006] V = ffffffffff0000000000000000000000
> [167586.798009] R = b287c1f11da6a0e95e7840c653a587a9
> [167586.798011] COUNT = 40
> [167586.798012] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798013] DT = 8f210f47c3534774067563d111251fac
> [167586.798015] V = ffffffffff8000000000000000000000
> [167586.798018] R = 2d2e606dbf492cb194214697d7f95bb9
> [167586.798020] COUNT = 41
> [167586.798021] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798023] DT = 8f210f47c3534774067563d111251fad
> [167586.798024] V = ffffffffffc000000000000000000000
> [167586.798027] R = 8c1bc482c63360818b11bb98c00d28c3
> [167586.798028] COUNT = 42
> [167586.798030] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798031] DT = 8f210f47c3534774067563d111251fae
> [167586.798033] V = ffffffffffe000000000000000000000
> [167586.798036] R = 824d9fbd714e7954717820001d58dd4b
> [167586.798038] COUNT = 43
> [167586.798039] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798041] DT = 8f210f47c3534774067563d111251faf
> [167586.798042] V = fffffffffff000000000000000000000
> [167586.798045] R = da4468d89c8c40863596dc40ca5d9b2a
> [167586.798046] COUNT = 44
> [167586.798048] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798049] DT = 8f210f47c3534774067563d111251fb0
> [167586.798051] V = fffffffffff800000000000000000000
> [167586.798053] R = 7d552e4fe7ab7168a664857afa703605
> [167586.798055] COUNT = 45
> [167586.798056] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798058] DT = 8f210f47c3534774067563d111251fb1
> [167586.798059] V = fffffffffffc00000000000000000000
> [167586.798063] R = df652fec6a2e106672d04057c57b97df
> [167586.798064] COUNT = 46
> [167586.798066] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798067] DT = 8f210f47c3534774067563d111251fb2
> [167586.798068] V = fffffffffffe00000000000000000000
> [167586.798071] R = 359e37674001168541a1ffd3c95423d2
> [167586.798073] COUNT = 47
> [167586.798074] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798076] DT = 8f210f47c3534774067563d111251fb3
> [167586.798077] V = ffffffffffff00000000000000000000
> [167586.798080] R = ba1b774c6973ab540231efd04cc2eb89
> [167586.798082] COUNT = 48
> [167586.798083] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798084] DT = 8f210f47c3534774067563d111251fb4
> [167586.798086] V = ffffffffffff80000000000000000000
> [167586.798089] R = 811daf8e9a5fb3fbf19ce7c7ffe67cd7
> [167586.798091] COUNT = 49
> [167586.798092] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798094] DT = 8f210f47c3534774067563d111251fb5
> [167586.798095] V = ffffffffffffc0000000000000000000
> [167586.798098] R = bdd0e6138a99c195d838cf62077818e2
> [167586.798099] COUNT = 50
> [167586.798101] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798102] DT = 8f210f47c3534774067563d111251fb6
> [167586.798104] V = ffffffffffffe0000000000000000000
> [167586.798106] R = 9fa566318825465221f01405bda24c59
> [167586.798109] COUNT = 51
> [167586.798110] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798111] DT = 8f210f47c3534774067563d111251fb7
> [167586.798112] V = fffffffffffff0000000000000000000
> [167586.798116] R = 4a7711e527490717c8d022be71cb996b
> [167586.798117] COUNT = 52
> [167586.798119] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798120] DT = 8f210f47c3534774067563d111251fb8
> [167586.798122] V = fffffffffffff8000000000000000000
> [167586.798124] R = 51e5b1d9a4e78cf129ba07cbd57fb179
> [167586.798126] COUNT = 53
> [167586.798127] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798129] DT = 8f210f47c3534774067563d111251fb9
> [167586.798130] V = fffffffffffffc000000000000000000
> [167586.798133] R = 0fab1fbae0844df8d411fd7ec40743fd
> [167586.798135] COUNT = 54
> [167586.798137] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798138] DT = 8f210f47c3534774067563d111251fba
> [167586.798139] V = fffffffffffffe000000000000000000
> [167586.798142] R = 5efabf3ac815a6bb2d1dc898970d4edd
> [167586.798144] COUNT = 55
> [167586.798145] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798147] DT = 8f210f47c3534774067563d111251fbb
> [167586.798148] V = ffffffffffffff000000000000000000
> [167586.798151] R = 782ef137436c16f32cb19ac205cda059
> [167586.798153] COUNT = 56
> [167586.798154] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798155] DT = 8f210f47c3534774067563d111251fbc
> [167586.798157] V = ffffffffffffff800000000000000000
> [167586.798160] R = a71f99d2c5ea21809f85a3fe5fbf0c30
> [167586.798162] COUNT = 57
> [167586.798163] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798165] DT = 8f210f47c3534774067563d111251fbd
> [167586.798166] V = ffffffffffffffc00000000000000000
> [167586.798169] R = e0350ccfc394cd17b2b9e4a6cd6611b7
> [167586.798170] COUNT = 58
> [167586.798172] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798173] DT = 8f210f47c3534774067563d111251fbe
> [167586.798175] V = ffffffffffffffe00000000000000000
> [167586.798178] R = 22e1d7fcdeb2c31a59818aed978c903f
> [167586.798180] COUNT = 59
> [167586.798181] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798182] DT = 8f210f47c3534774067563d111251fbf
> [167586.798183] V = fffffffffffffff00000000000000000
> [167586.798187] R = 0640a4a4e8f3bfafae167ac5e0bea443
> [167586.798188] COUNT = 60
> [167586.798190] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798191] DT = 8f210f47c3534774067563d111251fc0
> [167586.798193] V = fffffffffffffff80000000000000000
> [167586.798195] R = 0a9ec9dc5177b5344af8cbdbec9e3e3d
> [167586.798197] COUNT = 61
> [167586.798198] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798200] DT = 8f210f47c3534774067563d111251fc1
> [167586.798201] V = fffffffffffffffc0000000000000000
> [167586.798205] R = 6ef62f7c2d7652bb988b97b95a8053fa
> [167586.798206] COUNT = 62
> [167586.798208] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798209] DT = 8f210f47c3534774067563d111251fc2
> [167586.798210] V = fffffffffffffffe0000000000000000
> [167586.798213] R = e92f4e578087ae5b3eff59e95a317cfc
> [167586.798215] COUNT = 63
> [167586.798216] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798218] DT = 8f210f47c3534774067563d111251fc3
> [167586.798219] V = ffffffffffffffff0000000000000000
> [167586.798222] R = f6bcceb4a3cf6588155dcffa91263bc2
> [167586.798224] COUNT = 64
> [167586.798225] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798226] DT = 8f210f47c3534774067563d111251fc4
> [167586.798228] V = ffffffffffffffff8000000000000000
> [167586.798231] R = 558266c60306a5bfb3073d1bdda57cc3
> [167586.798233] COUNT = 65
> [167586.798234] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798236] DT = 8f210f47c3534774067563d111251fc5
> [167586.798237] V = ffffffffffffffffc000000000000000
> [167586.798240] R = ae87df36e215653dcf528dc7ad2c7a22
> [167586.798241] COUNT = 66
> [167586.798243] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798244] DT = 8f210f47c3534774067563d111251fc6
> [167586.798246] V = ffffffffffffffffe000000000000000
> [167586.798248] R = 5e2b8e188a4c09bb8f31817df35e88a5
> [167586.798251] COUNT = 67
> [167586.798252] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798253] DT = 8f210f47c3534774067563d111251fc7
> [167586.798254] V = fffffffffffffffff000000000000000
> [167586.798258] R = 1d9cef3820ae3e85fa9f6d6ed08c002f
> [167586.798259] COUNT = 68
> [167586.798261] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798262] DT = 8f210f47c3534774067563d111251fc8
> [167586.798264] V = fffffffffffffffff800000000000000
> [167586.798266] R = d1e9bff7d9042d2ccdb6e235561a0237
> [167586.798268] COUNT = 69
> [167586.798269] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798271] DT = 8f210f47c3534774067563d111251fc9
> [167586.798272] V = fffffffffffffffffc00000000000000
> [167586.798276] R = 0ebb95bee2bd65d26c6a71c11d429c7e
> [167586.798277] COUNT = 70
> [167586.798279] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798280] DT = 8f210f47c3534774067563d111251fca
> [167586.798282] V = fffffffffffffffffe00000000000000
> [167586.798284] R = 8ae5c6eb09b33d69fb059ed707ab83c1
> [167586.798286] COUNT = 71
> [167586.798287] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798289] DT = 8f210f47c3534774067563d111251fcb
> [167586.798290] V = ffffffffffffffffff00000000000000
> [167586.798293] R = eec477375d2856e8e70cd32ebb534347
> [167586.798295] COUNT = 72
> [167586.798297] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798298] DT = 8f210f47c3534774067563d111251fcc
> [167586.798299] V = ffffffffffffffffff80000000000000
> [167586.798302] R = c1e7fc24eb03ba19903fb89f0b2081cc
> [167586.798304] COUNT = 73
> [167586.798305] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798307] DT = 8f210f47c3534774067563d111251fcd
> [167586.798308] V = ffffffffffffffffffc0000000000000
> [167586.798311] R = 285088e3ac31481655b249e7615a14e6
> [167586.798313] COUNT = 74
> [167586.798314] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798315] DT = 8f210f47c3534774067563d111251fce
> [167586.798317] V = ffffffffffffffffffe0000000000000
> [167586.798320] R = 3d3800ca2c2fc328c79c99b95eb5814d
> [167586.798322] COUNT = 75
> [167586.798323] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798325] DT = 8f210f47c3534774067563d111251fcf
> [167586.798326] V = fffffffffffffffffff0000000000000
> [167586.798329] R = 1a15362a6805a3a4a6447bf20e499ea3
> [167586.798330] COUNT = 76
> [167586.798332] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798333] DT = 8f210f47c3534774067563d111251fd0
> [167586.798335] V = fffffffffffffffffff8000000000000
> [167586.798337] R = f0d8d3e8925364eb7a08f8d5fdf2aaba
> [167586.798340] COUNT = 77
> [167586.798341] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798342] DT = 8f210f47c3534774067563d111251fd1
> [167586.798343] V = fffffffffffffffffffc000000000000
> [167586.798347] R = b021bee6e576fc3efb2da3ba6e9061b4
> [167586.798348] COUNT = 78
> [167586.798350] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798351] DT = 8f210f47c3534774067563d111251fd2
> [167586.798353] V = fffffffffffffffffffe000000000000
> [167586.798355] R = c27ffdb85c6ac70d7ffc9768c68066fe
> [167586.798357] COUNT = 79
> [167586.798358] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798360] DT = 8f210f47c3534774067563d111251fd3
> [167586.798361] V = ffffffffffffffffffff000000000000
> [167586.798364] R = daa3135edab2a1835205dd93d7fa1fa3
> [167586.798366] COUNT = 80
> [167586.798368] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798369] DT = 8f210f47c3534774067563d111251fd4
> [167586.798370] V = ffffffffffffffffffff800000000000
> [167586.798373] R = 2ae0ea148770e489f50e09f55f58032c
> [167586.798375] COUNT = 81
> [167586.798376] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798378] DT = 8f210f47c3534774067563d111251fd5
> [167586.798379] V = ffffffffffffffffffffc00000000000
> [167586.798382] R = 0b6cfc8f52d349cfb6023b260671f14d
> [167586.798384] COUNT = 82
> [167586.798385] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798386] DT = 8f210f47c3534774067563d111251fd6
> [167586.798388] V = ffffffffffffffffffffe00000000000
> [167586.798391] R = 2b27f8b02f3033f5fe249da6224a7bc8
> [167586.798393] COUNT = 83
> [167586.798394] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798396] DT = 8f210f47c3534774067563d111251fd7
> [167586.798397] V = fffffffffffffffffffff00000000000
> [167586.798400] R = e1e0eb86dd75ffea743d28087ef56864
> [167586.798401] COUNT = 84
> [167586.798403] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798404] DT = 8f210f47c3534774067563d111251fd8
> [167586.798406] V = fffffffffffffffffffff80000000000
> [167586.798409] R = ac34a42b0484c03cbf05e76666f7dcd7
> [167586.798411] COUNT = 85
> [167586.798412] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798414] DT = 8f210f47c3534774067563d111251fd9
> [167586.798415] V = fffffffffffffffffffffc0000000000
> [167586.798418] R = 3e7b9014dc114153164b1942365d5f83
> [167586.798419] COUNT = 86
> [167586.798421] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798422] DT = 8f210f47c3534774067563d111251fda
> [167586.798424] V = fffffffffffffffffffffe0000000000
> [167586.798427] R = b4d04a8817a7f1501f31a3f6a7a28407
> [167586.798429] COUNT = 87
> [167586.798430] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798432] DT = 8f210f47c3534774067563d111251fdb
> [167586.798433] V = ffffffffffffffffffffff0000000000
> [167586.798436] R = 787095b844b094f1906ab0072a1517cb
> [167586.798437] COUNT = 88
> [167586.798439] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798440] DT = 8f210f47c3534774067563d111251fdc
> [167586.798442] V = ffffffffffffffffffffff8000000000
> [167586.798445] R = 996ac1d03ccd7a107c83b1fd088c5cbc
> [167586.798447] COUNT = 89
> [167586.798448] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798450] DT = 8f210f47c3534774067563d111251fdd
> [167586.798451] V = ffffffffffffffffffffffc000000000
> [167586.798454] R = dbf0e24a343be682c1f73ecf29b8341a
> [167586.798455] COUNT = 90
> [167586.798457] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798458] DT = 8f210f47c3534774067563d111251fde
> [167586.798460] V = ffffffffffffffffffffffe000000000
> [167586.798462] R = 3029e157f677f09b22ca513d5c8473df
> [167586.798464] COUNT = 91
> [167586.798465] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798467] DT = 8f210f47c3534774067563d111251fdf
> [167586.798468] V = fffffffffffffffffffffff000000000
> [167586.798472] R = 6bd4272da97267deb7782bf69a9f1497
> [167586.798473] COUNT = 92
> [167586.798475] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798476] DT = 8f210f47c3534774067563d111251fe0
> [167586.798477] V = fffffffffffffffffffffff800000000
> [167586.798480] R = 3e0db343d318397c7348a58e7b6a0226
> [167586.798482] COUNT = 93
> [167586.798483] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798485] DT = 8f210f47c3534774067563d111251fe1
> [167586.798486] V = fffffffffffffffffffffffc00000000
> [167586.798489] R = 3d83b06d968c2451d4bcd44e30dc52ec
> [167586.798491] COUNT = 94
> [167586.798492] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798493] DT = 8f210f47c3534774067563d111251fe2
> [167586.798495] V = fffffffffffffffffffffffe00000000
> [167586.798498] R = d68850f07ed172bcc651d09450689f2b
> [167586.798500] COUNT = 95
> [167586.798501] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798503] DT = 8f210f47c3534774067563d111251fe3
> [167586.798504] V = ffffffffffffffffffffffff00000000
> [167586.798507] R = a0250147fb7a2228c2ede356ccd65331
> [167586.798508] COUNT = 96
> [167586.798510] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798511] DT = 8f210f47c3534774067563d111251fe4
> [167586.798513] V = ffffffffffffffffffffffff80000000
> [167586.798515] R = 5a57df8d4e87ab2b72593d01ca3e55dc
> [167586.798518] COUNT = 97
> [167586.798519] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798520] DT = 8f210f47c3534774067563d111251fe5
> [167586.798521] V = ffffffffffffffffffffffffc0000000
> [167586.798525] R = 494d1d35b797aceab8c7aba765239e66
> [167586.798526] COUNT = 98
> [167586.798528] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798529] DT = 8f210f47c3534774067563d111251fe6
> [167586.798531] V = ffffffffffffffffffffffffe0000000
> [167586.798533] R = 024d94511e8a04366a3df4c50b25b012
> [167586.798535] COUNT = 99
> [167586.798536] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798538] DT = 8f210f47c3534774067563d111251fe7
> [167586.798539] V = fffffffffffffffffffffffff0000000
> [167586.798542] R = fec9f458911507af320c08a609675ec9
> [167586.798544] COUNT = 100
> [167586.798546] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798547] DT = 8f210f47c3534774067563d111251fe8
> [167586.798548] V = fffffffffffffffffffffffff8000000
> [167586.798551] R = 42e839d7e111a211ad306583bec44822
> [167586.798553] COUNT = 101
> [167586.798554] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798556] DT = 8f210f47c3534774067563d111251fe9
> [167586.798557] V = fffffffffffffffffffffffffc000000
> [167586.798560] R = ad91301938e9dbe2ecf1c3df822dd1b4
> [167586.798562] COUNT = 102
> [167586.798563] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798564] DT = 8f210f47c3534774067563d111251fea
> [167586.798566] V = fffffffffffffffffffffffffe000000
> [167586.798569] R = d44714513a362b36e939acb64d32c38f
> [167586.798571] COUNT = 103
> [167586.798572] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798574] DT = 8f210f47c3534774067563d111251feb
> [167586.798575] V = ffffffffffffffffffffffffff000000
> [167586.798578] R = a6b665aff1c3ad57c7154a8c0d5fd9a5
> [167586.798580] COUNT = 104
> [167586.798581] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798582] DT = 8f210f47c3534774067563d111251fec
> [167586.798584] V = ffffffffffffffffffffffffff800000
> [167586.798587] R = 26cafe93a78ccc9767e8d413e1bfefb3
> [167586.798589] COUNT = 105
> [167586.798590] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798592] DT = 8f210f47c3534774067563d111251fed
> [167586.798593] V = ffffffffffffffffffffffffffc00000
> [167586.798596] R = c8e99427c4e780a010a090d0372defba
> [167586.798598] COUNT = 106
> [167586.798599] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798600] DT = 8f210f47c3534774067563d111251fee
> [167586.798602] V = ffffffffffffffffffffffffffe00000
> [167586.798605] R = 608f34e459ddc8f5e7344246ec6742fb
> [167586.798607] COUNT = 107
> [167586.798608] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798610] DT = 8f210f47c3534774067563d111251fef
> [167586.798611] V = fffffffffffffffffffffffffff00000
> [167586.798614] R = e46129e11248167041f6fcda17531a01
> [167586.798615] COUNT = 108
> [167586.798617] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798618] DT = 8f210f47c3534774067563d111251ff0
> [167586.798620] V = fffffffffffffffffffffffffff80000
> [167586.798622] R = 20bd71dcc355f2aa21224b787f253388
> [167586.798625] COUNT = 109
> [167586.798626] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798627] DT = 8f210f47c3534774067563d111251ff1
> [167586.798628] V = fffffffffffffffffffffffffffc0000
> [167586.798632] R = 91f992dd175770f24be1911947919897
> [167586.798633] COUNT = 110
> [167586.798635] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798636] DT = 8f210f47c3534774067563d111251ff2
> [167586.798638] V = fffffffffffffffffffffffffffe0000
> [167586.798640] R = 24280af730525ac6323b26d2b2d72e78
> [167586.798642] COUNT = 111
> [167586.798643] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798645] DT = 8f210f47c3534774067563d111251ff3
> [167586.798646] V = ffffffffffffffffffffffffffff0000
> [167586.798649] R = 586b62c4ef8b0754f1e0e54de8280db5
> [167586.798651] COUNT = 112
> [167586.798653] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798654] DT = 8f210f47c3534774067563d111251ff4
> [167586.798655] V = ffffffffffffffffffffffffffff8000
> [167586.798658] R = d5bdca69e14cfd3e68f4ddf986e644ec
> [167586.798660] COUNT = 113
> [167586.798661] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798663] DT = 8f210f47c3534774067563d111251ff5
> [167586.798664] V = ffffffffffffffffffffffffffffc000
> [167586.798667] R = 27de0bafeda3747ed45c3eb01812bfba
> [167586.798669] COUNT = 114
> [167586.798670] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798671] DT = 8f210f47c3534774067563d111251ff6
> [167586.798673] V = ffffffffffffffffffffffffffffe000
> [167586.798676] R = 47dffc9fb3d804d04f97f57be89df32c
> [167586.798678] COUNT = 115
> [167586.798679] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798681] DT = 8f210f47c3534774067563d111251ff7
> [167586.798682] V = fffffffffffffffffffffffffffff000
> [167586.798685] R = 0dfbf494a749c4690a53ea0c4e954f28
> [167586.798686] COUNT = 116
> [167586.798688] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798689] DT = 8f210f47c3534774067563d111251ff8
> [167586.798691] V = fffffffffffffffffffffffffffff800
> [167586.798694] R = 4d99f726b46f2ac6caf44dfbb953efa4
> [167586.798696] COUNT = 117
> [167586.798697] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798699] DT = 8f210f47c3534774067563d111251ff9
> [167586.798700] V = fffffffffffffffffffffffffffffc00
> [167586.798703] R = 8c5e52f5aabba9d3381c30bbb035437e
> [167586.798704] COUNT = 118
> [167586.798706] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798707] DT = 8f210f47c3534774067563d111251ffa
> [167586.798709] V = fffffffffffffffffffffffffffffe00
> [167586.798711] R = ece785972cb280231256819f3398b099
> [167586.798713] COUNT = 119
> [167586.798714] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798716] DT = 8f210f47c3534774067563d111251ffb
> [167586.798717] V = ffffffffffffffffffffffffffffff00
> [167586.798721] R = c2d2fb45d60e0344abe1da62c5f000a6
> [167586.798722] COUNT = 120
> [167586.798724] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798725] DT = 8f210f47c3534774067563d111251ffc
> [167586.798727] V = ffffffffffffffffffffffffffffff80
> [167586.798729] R = 44c999a091dd477a53282c619a66435f
> [167586.798731] COUNT = 121
> [167586.798732] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798734] DT = 8f210f47c3534774067563d111251ffd
> [167586.798735] V = ffffffffffffffffffffffffffffffc0
> [167586.798739] R = 2c5052b61fb6584557a47386d54af8e8
> [167586.798740] COUNT = 122
> [167586.798742] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798743] DT = 8f210f47c3534774067563d111251ffe
> [167586.798745] V = ffffffffffffffffffffffffffffffe0
> [167586.798747] R = e425de6b33246ced032c9fabb7dcc0b2
> [167586.798749] COUNT = 123
> [167586.798750] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798752] DT = 8f210f47c3534774067563d111251fff
> [167586.798753] V = fffffffffffffffffffffffffffffff0
> [167586.798757] R = 84cd42770bea4ee6c8b10b4a2e63de44
> [167586.798758] COUNT = 124
> [167586.798760] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798761] DT = 8f210f47c3534774067563d111252000
> [167586.798762] V = fffffffffffffffffffffffffffffff8
> [167586.798765] R = 1b08e2134f683c451ec9330251958a12
> [167586.798767] COUNT = 125
> [167586.798768] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798770] DT = 8f210f47c3534774067563d111252001
> [167586.798771] V = fffffffffffffffffffffffffffffffc
> [167586.798774] R = 48ec5931c00380c7530232b89216c9eb
> [167586.798776] COUNT = 126
> [167586.798777] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798778] DT = 8f210f47c3534774067563d111252002
> [167586.798780] V = fffffffffffffffffffffffffffffffe
> [167586.798783] R = c87cd7f5569b91b3103add66de907bcc
> [167586.798785] COUNT = 127
> [167586.798786] Key = a9d40024ad65b4120636f28758662cbf
> [167586.798788] DT = 8f210f47c3534774067563d111252003
> [167586.798789] V = ffffffffffffffffffffffffffffffff
> [167586.798792] R = 2ad3d5a6ccc2fdd66de9f4d46b150079prng_mod_init: err 0


-- 
Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> That output is good for the VST test vectors. For the MCT vectors, I need the 
> 10000th value.

That was test 9 in the first group:

> [167586.784923] COUNT = 9
> [167586.784925] Key = 10379b53317a2500879e88ad445ea387
> [167586.784927] DT = 055a913d7587d54ee58c053fd4beb4a2
> [167586.784928] V = a7d058a34e1bf49b40f0b6d26661f889
> [167586.791891] R = c252c3f173558775929fe3fb8345feb2
> [167586.791892] cprng: Test 9 passed
> [167586.797633] cprng: Stutter test 9 passed

Just like the CAVS test vectors, I don't print the "loops" value
anywhere.

> With some minor editor massaging (deleting the timestamps and
> inserting a blank line before every "COUNT" line), it matches the
> ANSI931_AES128MCT.fax and ANSI931_AES128VST.fax you sent.  I left it
> un-massaged as some sort of evidence that it isn't just a direct copy.

> I cannot match these test vectors and the results to the ones I sent to you. 
> E.g. I do not find the key value f3b1666d13607242ed061cabb8d46202 anywhere in 
> the data set.

Sorry, that's the union of the testmgr.h tests, a couple I added by hand,
and (at the end) the ones you sent me.

So no, you can't find all of my test results in your test vectors, but
all of your test vectors are in my test results.

(In all cases, the software compares the results with the expected answers.)

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> - the non-determinism you get from get_random_int is very weak. If you start
> thinking about the information theoretical entropy behind that function that
> is used once in a while, you may not get much entropy. Please, please, please,
> I do not want to start a discussion around entropy -- I will not participate
> in such discussion :-)

I could have such a discussion, but there's no need to; for the most part,
I agree with you.  I wasn't trying to design a *good* RNG, I was trying
to comply slavishly with what X9.17, X9.31, and the NIST specification
call for: a timetamp.

To quote http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf,
section 3:

# Let DT be a date/time vector which is updated on each iteration. 

That's what I was trying to produce, nothing more and nothing less.

You will agree, I hope, that the result from get_random_int *does* include
the entropy of a high-resolution timestamp?  Which is cryptographically
equivalent to including the unobfuscated timestamp?

> Thus, I am questioning whether such slightly non-deterministic RNG would be 
> used.

As far as I know the only reason to *ever* use ansi_cprng is for
regulatory/certification reasons.  It's not horrible, but it's definitely
been superseded, by the NIST SP800-90A generators at least.

Which is why I'm trying to follow the spec as precisely as possible.

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 03:42:44 schrieb George Spelvin:

Hi George,

>> - the non-determinism you get from get_random_int is very weak. If
>> you start thinking about the information theoretical entropy behind
>> that function that is used once in a while, you may not get much
>> entropy. Please, please, please, I do not want to start a discussion
>> around entropy -- I will not participate in such discussion :-)
>
>I could have such a discussion, but there's no need to; for the most
>part, I agree with you.  I wasn't trying to design a *good* RNG, I was
>trying to comply slavishly with what X9.17, X9.31, and the NIST
>specification call for: a timetamp.
>
>To quote
>http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf,
>section 3:
>
># Let DT be a date/time vector which is updated on each iteration.
>
>That's what I was trying to produce, nothing more and nothing less.

If you look into other X9.31 implementations, you see that the DT vector 
is a time stamp (even sometimes initialized to just 0 or 1) and then 
incremented each time. Thus, you get "some form" of a counter mode for 
the AES core.

But of course, you could update DT with time stamps, provided you can 
prove that they are monotonically increasing. 
>
>You will agree, I hope, that the result from get_random_int *does*
>include the entropy of a high-resolution timestamp?  Which is

get_random_int does provide entropy, but my gut feeling (I have not done 
measurements) is that it is in the range of maybe 2 / 3 bits per 
invocation.

>cryptographically equivalent to including the unobfuscated timestamp?

Sure.
>
>> Thus, I am questioning whether such slightly non-deterministic RNG
>> would be used.
>
>As far as I know the only reason to *ever* use ansi_cprng is for
>regulatory/certification reasons.  It's not horrible, but it's
>definitely been superseded, by the NIST SP800-90A generators at least.

Yes, therefore we have the DRBG implementation.
>
>Which is why I'm trying to follow the spec as precisely as possible.

If you only look at the regulatory side, then you must be aware of 
SP800-131A applicable at least to the US side. X9.31 is sunsetted by the 
end of 2015 and even not FIPS 140-2 certifiable any more for new 
validations.

Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 03:28:16 schrieb George Spelvin:

Hi George,

>> That output is good for the VST test vectors. For the MCT vectors, I
>> need the 10000th value.
>
>That was test 9 in the first group:
>> [167586.784923] COUNT = 9
>> [167586.784925] Key = 10379b53317a2500879e88ad445ea387
>> [167586.784927] DT = 055a913d7587d54ee58c053fd4beb4a2
>> [167586.784928] V = a7d058a34e1bf49b40f0b6d26661f889
>> [167586.791891] R = c252c3f173558775929fe3fb8345feb2
>> [167586.791892] cprng: Test 9 passed
>> [167586.797633] cprng: Stutter test 9 passed
>
>Just like the CAVS test vectors, I don't print the "loops" value
>anywhere.

Good, that is what we need :-)

So, MCT for AES128 is pass then.
>
>> With some minor editor massaging (deleting the timestamps and
>> inserting a blank line before every "COUNT" line), it matches the
>> ANSI931_AES128MCT.fax and ANSI931_AES128VST.fax you sent.  I left it
>> un-massaged as some sort of evidence that it isn't just a direct
>> copy.
>> 
>> I cannot match these test vectors and the results to the ones I sent
>> to you. E.g. I do not find the key value
>> f3b1666d13607242ed061cabb8d46202 anywhere in the data set.
>
>Sorry, that's the union of the testmgr.h tests, a couple I added by
>hand, and (at the end) the ones you sent me.
>
>So no, you can't find all of my test results in your test vectors, but
>all of your test vectors are in my test results.
>
>(In all cases, the software compares the results with the expected
>answers.)

Ah, now I see it. Yes, all AES 128 are covered.

What about AES 192 and 256?



Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> Ah, now I see it. Yes, all AES 128 are covered.
> 
> What about AES 192 and 256?

The implementation doesn't support them, and I didn't add them.

It would require either:
* Trickery based on the supplied seed length, which would conflict
  with the existing optional-DT support, or
* A separate crypto_alg for the different key (and therefore seed) sizes.

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> If you look into other X9.31 implementations, you see that the DT vector 
> is a time stamp (even sometimes initialized to just 0 or 1) and then 
> incremented each time. Thus, you get "some form" of a counter mode for 
> the AES core.

I'm not saying you're wrong, but that still seems to me an extremely
contrived interpretation.  You're right that the tick rate isn't specified
and "once per call" isn't unambigously forbidden, but the plain reading
of the spec calls for a clock, not a counter.

> But of course, you could update DT with time stamps, provided you can 
> prove that they are monotonically increasing. 

I don't even see a need for that, although I could easily do it (by
adding get_random_int() rather than replacing).  I thought the goal was
that they were non-repeating, so short cycles are impossible.

>> You will agree, I hope, that the result from get_random_int *does*
>> include the entropy of a high-resolution timestamp?  Which is
>> cryptographically equivalent to including the unobfuscated timestamp?

> get_random_int does provide entropy, but my gut feeling (I have not done 
> measurements) is that it is in the range of maybe 2 / 3 bits per 
> invocation.

You said you didn't want to start a conversation about entropy, remember?
:-)  So I'm not discussing the issue, but please don't interpret that
as conceding anything.

As I said, it doesn't matter; my goal is just to do what the spec asks
for, as faithfully as possible without introducing any stupidities in
the process.

>> Which is why I'm trying to follow the spec as precisely as possible.

> If you only look at the regulatory side, then you must be aware of 
> SP800-131A applicable at least to the US side. X9.31 is sunsetted by the 
> end of 2015 and even not FIPS 140-2 certifiable any more for new 
> validations.

Well, if nobody wants it, why not simply rip it out?

I'm assuming there are other requirements documents that refer to
those documents, and haven't been updated to reflect tha changes.

That's what tends to happen: requirements flow downstream over
a period of years.  NIST may change its mind, but my contract
hasn't noticed yet.

I know this from personal experience: I've had frustrating discussions
about a "too hard to change" requirement for 1024-bit DSA *and* FIPS
140 certification.

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 05:21:49 schrieb George Spelvin:

Hi George,

> > Ah, now I see it. Yes, all AES 128 are covered.
> > 
> > What about AES 192 and 256?
> 
> The implementation doesn't support them, and I didn't add them.

Sorry, my bad.  :-)

Then, I think the updated implementation matches with the spec.
> 
> It would require either:
> * Trickery based on the supplied seed length, which would conflict
>   with the existing optional-DT support, or
> * A separate crypto_alg for the different key (and therefore seed) sizes.


-- 
Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 05:45:31 schrieb George Spelvin:

Hi George,

>>> You will agree, I hope, that the result from get_random_int *does*
>>> include the entropy of a high-resolution timestamp?  Which is
>>> cryptographically equivalent to including the unobfuscated
>>> timestamp?
>> 
>> get_random_int does provide entropy, but my gut feeling (I have not
>> done measurements) is that it is in the range of maybe 2 / 3 bits
>> per invocation.
>
>You said you didn't want to start a conversation about entropy,
>remember?
>:-)  So I'm not discussing the issue, but please don't interpret that
>
>as conceding anything.

;-)
>
>As I said, it doesn't matter; my goal is just to do what the spec asks
>for, as faithfully as possible without introducing any stupidities in
>the process.
>
>>> Which is why I'm trying to follow the spec as precisely as possible.
>> 
>> If you only look at the regulatory side, then you must be aware of
>> SP800-131A applicable at least to the US side. X9.31 is sunsetted by
>> the end of 2015 and even not FIPS 140-2 certifiable any more for new
>> validations.
>
>Well, if nobody wants it, why not simply rip it out?

All I referred to was the US regulatory side. And the US is not the 
world.

Note, even NIST considers X9.31 as a strong RNG after speaking with 
their cryptographers a couple of weeks ago. The only drawback it has is 
the missing reseed requirement which is brought in by SP800-90A.

After implementing SP800-90A I have to admit that I like the X9.31 for 
its simplicity (which is en-par with the HMAC DRBG which I therefore 
marked as default in the DRBG). The other two DRBGs (Hash and CTR are 
too complex for my personal taste -- but they are there for 
completeness).

Thus, I think the X9.31 does have a purpose as it implements a 
reasonably simple DRNG.
>
>I'm assuming there are other requirements documents that refer to
>those documents, and haven't been updated to reflect tha changes.

There are other regulartory bodies which still approve of the X9.31 -- 
like the German BSI, provided you can show that your use case ensures 
proper reseeding.
>
>That's what tends to happen: requirements flow downstream over
>a period of years.  NIST may change its mind, but my contract
>hasn't noticed yet.

Exactly -- there are use cases where the latest NIST regulations either 
accidentally or deliberately are not considered.

The biggest issue is today's "bad smell" of the SP800-90A standard after 
the Dual EC DRBG fiasco. Thus, I think people should think twice before 
using a NIST developed standard (which X9.31 is not, albeit IIRC it came 
out of the NSA realm long time ago).
>
>I know this from personal experience: I've had frustrating discussions
>about a "too hard to change" requirement for 1024-bit DSA *and* FIPS
>140 certification.

Hehehe, been there, done that, experienced the same.


Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Neil Horman]

On Mon, Dec 15, 2014 at 11:46:15AM +0100, Stephan Mueller wrote:
> Am Montag, 15. Dezember 2014, 05:21:49 schrieb George Spelvin:
> 
> Hi George,
> 
> > > Ah, now I see it. Yes, all AES 128 are covered.
> > > 
> > > What about AES 192 and 256?
> > 
> > The implementation doesn't support them, and I didn't add them.
> 
> Sorry, my bad.  :-)
> 
> Then, I think the updated implementation matches with the spec.
With that then, I'm really fine with the changes given that they pass the NIST
tests.

Acked-by: Neil Horman <nhorman@tuxdriver.com>

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[George Spelvin]

> With that then, I'm really fine with the changes given that they pass the NIST
> tests.

So here's the current list of issues.  First, minor ones:
1) Add const to DRBG interface, as per Stephan's request.
2) Revised version of that final patch that, you know, actually works.
3) Re-run tests at the very end just to make sure.

And the major ones:
4) Is non-deterministic DT desired?
5) If yes, how to request it?

On point 4, here are the primary arguments against:

* It makes the generator non-deterministic, which is a significant
  interface change and may break some applications.
* This is a crufty old generator, used primarily for compatibility,
  and it's best not to upset its quiet retirement.

And the primary arguments for:
* It's an honest good-faith implementation of the spec requirements.
  Using a counter is, IMHO, a strained interpretation.
* The implementation isn't particularly difficult.

After considering various options, my current (not very firm) thought
is that the best way to provide a non-deterministic option would be via
a separate algorithm name.

But externally-visible names are a high-level design issue and I could
definitely use some guidance there.  Opinions?

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Stephan Mueller]

Am Montag, 15. Dezember 2014, 17:01:02 schrieb George Spelvin:

Hi George,

>> With that then, I'm really fine with the changes given that they pass
>> the NIST tests.
>
>So here's the current list of issues.  First, minor ones:
>1) Add const to DRBG interface, as per Stephan's request.
>2) Revised version of that final patch that, you know, actually works.
>3) Re-run tests at the very end just to make sure.
>
>And the major ones:
>4) Is non-deterministic DT desired?
>5) If yes, how to request it?
>
>On point 4, here are the primary arguments against:
>
>* It makes the generator non-deterministic, which is a significant
>  interface change and may break some applications.
>* This is a crufty old generator, used primarily for compatibility,
>  and it's best not to upset its quiet retirement.
>
>And the primary arguments for:
>* It's an honest good-faith implementation of the spec requirements.
>  Using a counter is, IMHO, a strained interpretation.
>* The implementation isn't particularly difficult.
>
>After considering various options, my current (not very firm) thought
>is that the best way to provide a non-deterministic option would be via
>a separate algorithm name.
>
>But externally-visible names are a high-level design issue and I could
>definitely use some guidance there.  Opinions?

The standard X9.31 is called ansi_cprng.

Logically your non-deterministic approach is a constant reseeding of the 
DRNG. In SP800-90A speak this is called "prediction-resistance". Hence, 
my DRBGs use "pr" for that approach -- e.g. drbg_pr_sha256. The name 
follows the structure of "RNG type"_"[pr|nopr]"_"algo".

For the X9.31 RNG we do not have an algorithmic reference as we only 
have AES128. We only have the RNG type and the "pr" reference.

Thus, I would propose "ansi_cprng_pr" as a name that is analogous to the 
DRBG implementations.

Ciao
Stephan

Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c

[Neil Horman]

On Mon, Dec 15, 2014 at 05:01:02PM -0500, George Spelvin wrote:
> > With that then, I'm really fine with the changes given that they pass the NIST
> > tests.
> 
> So here's the current list of issues.  First, minor ones:
> 1) Add const to DRBG interface, as per Stephan's request.
> 2) Revised version of that final patch that, you know, actually works.
> 3) Re-run tests at the very end just to make sure.
> 
I would recommend that you do (1) in a follow on patch.  Same with (2) just drop
it from here.  Then you can rerun (3) before you submit those.

> And the major ones:
> 4) Is non-deterministic DT desired?
No, I have no need for it, nor does anyone that I know of who is currently using
it.  That said, if you want to add it, as long as you don't make
non-deterministic behavior the default, I'm not opposed.  Do it in a follow on
patch.

> 5) If yes, how to request it?
> 
Add a byte to the seed vector that holds optional flag information? set a flag
to indicate DT is determined by the wall clock?  Whatever you like really, just
don't change the default behavior.

> On point 4, here are the primary arguments against:
> 
> * It makes the generator non-deterministic, which is a significant
>   interface change and may break some applications.
> * This is a crufty old generator, used primarily for compatibility,
>   and it's best not to upset its quiet retirement.
> 
> And the primary arguments for:
> * It's an honest good-faith implementation of the spec requirements.
>   Using a counter is, IMHO, a strained interpretation.
> * The implementation isn't particularly difficult.
> 
> After considering various options, my current (not very firm) thought
> is that the best way to provide a non-deterministic option would be via
> a separate algorithm name.
> 
> But externally-visible names are a high-level design issue and I could
> definitely use some guidance there.  Opinions?
Honestly, if you don't have a user in mind for this feature, I just wouldn't
bother with it.  Unless you see some kernel code that is going to make use of
it, its going to be a feature that gets no exercize, and as such, won't really
be seen as much more than cruft itself.  If you have an in-kernel user in mind,
then sure, go with a new name, maybe nd(ansi_cprng) or some such.  Or just use
my interface above so that the existing registration can be either deterministic
or non-deterministic.  

But, if no one is going to be using it, why bother to do either?
Neil

> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>