From: Stephan Mueller <smueller@chronox.de>
To: George Spelvin <linux@horizon.com>
Cc: nhorman@tuxdriver.com, linux-crypto@vger.kernel.org,
herbert@gondor.apana.org.au
Subject: Re: [PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data
Date: Sun, 14 Dec 2014 12:50:33 +0100 [thread overview]
Message-ID: <9785762.pgn7FGFVr8@tachyon.chronox.de> (raw)
In-Reply-To: <d9f54bc1e51a49edd568a31ffa557dc0569d1028.1417951990.git.linux@horizon.com>
Am Sonntag, 7. Dezember 2014, 07:26:13 schrieb George Spelvin:
Hi George,
> Careful use of the other available buffers avoids the need for
> these, shrinking the context by 32 bytes.
>
> Neither the debug output nor the FIPS-required anti-repetition check
> are changed in the slightest.
>
> Signed-off-by: George Spelvin <linux@horizon.com>
> ---
> crypto/ansi_cprng.c | 50 ++++++++++++++++++++++++--------------------------
> 1 file changed, 24 insertions(+), 26 deletions(-)
>
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index 325aa727d..2edac42e 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -37,19 +37,14 @@
>
> /*
> * Note: DT is our counter value
> - * I is our intermediate value
> * V is our seed vector
> * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
> * for implementation details
> */
> -
> -
> struct prng_context {
> spinlock_t prng_lock;
> unsigned char rand_data[DEFAULT_BLK_SZ];
> - unsigned char last_rand_data[DEFAULT_BLK_SZ];
> unsigned char DT[DEFAULT_BLK_SZ];
> - unsigned char I[DEFAULT_BLK_SZ];
> unsigned char V[DEFAULT_BLK_SZ];
> u32 rand_data_valid;
> struct crypto_cipher *tfm;
> @@ -97,27 +92,27 @@ static int _get_more_prng_bytes(struct prng_context
> *ctx, int cont_test)
>
> /*
> * Start by encrypting the counter value
> - * This gives us an intermediate value I
> + * This gives us an intermediate value I (stored in tmp)
> */
> - memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
> - crypto_cipher_encrypt_one(ctx->tfm, ctx->I, tmp);
> - hexdump("I", ctx->I);
> + crypto_cipher_encrypt_one(ctx->tfm, tmp, ctx->DT);
> + hexdump("I", tmp);
>
> /*
> - * Next xor I with our secret vector V
> - * encrypt that result to obtain our
> - * pseudo random data which we output
> + * Next xor I with our secret vector V. Encrypt that result
> + * to obtain our pseudo random data which we output. But
> + * keep that output in ctx->V for the moment; we need the
> + * previous rand_data for ons more thing.
> */
> - xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
> - hexdump("V^I", tmp);
> - crypto_cipher_encrypt_one(ctx->tfm, ctx->rand_data, tmp);
> - hexdump("R", ctx->rand_data);
> + xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
> + hexdump("V^I", ctx->V);
> + crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
> + hexdump("R", ctx->V);
>
> /*
> - * First check that we didn't produce the same
> - * random data that we did last time around through this
> + * Check that we didn't produce the same random data that we
> + * did last time around.
> */
> - if (!memcmp(ctx->rand_data, ctx->last_rand_data, DEFAULT_BLK_SZ)) {
> + if (!memcmp(ctx->V, ctx->rand_data, DEFAULT_BLK_SZ)) {
Due to the huge number of diffs, I may have missed the following point.
Therefore, please help me:
NIST requires that ctx->rand_data must be "primed" before the first random
number is returned to the aller (see FIPS 140-2 section 4.9.2). That means,
the very first random number that was generated must go into what is now ctx-
>rand_data, but shall not be returned to the caller.
Only starting with the 2nd random number these values shall be returned to the
caller.
Where do I see that priming?
Note, this priming should have an ability to be disabled for performing the
CAVS tests as they (as stupid as it may sound) want the very first random
number after the seeding.
> if (cont_test) {
> panic("cprng %p Failed repetition check!\n", ctx);
> }
> @@ -127,15 +122,19 @@ static int _get_more_prng_bytes(struct prng_context
> *ctx, int cont_test) ctx->flags |= PRNG_NEED_RESET;
> return -EINVAL;
> }
> - memcpy(ctx->last_rand_data, ctx->rand_data, DEFAULT_BLK_SZ);
> + /*
> + * Okay, the new data is okay, copy it to the buffer.
> + */
> + memcpy(ctx->rand_data, ctx->V, DEFAULT_BLK_SZ);
>
> /*
> - * Lastly xor the random data with I
> - * and encrypt that to obtain a new secret vector V
> + * Lastly xor the random data with I and encrypt that to obtain
> + * a new secret vector V.
> */
> - xor_vectors(ctx->rand_data, ctx->I, tmp, DEFAULT_BLK_SZ);
> - hexdump("R^I", tmp);
> - crypto_cipher_encrypt_one(ctx->tfm, ctx->V, tmp);
> + xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
> + hexdump("R^I", ctx->V);
> + memzero_explicit(tmp, DEFAULT_BLK_SZ);
> + crypto_cipher_encrypt_one(ctx->tfm, ctx->V, ctx->V);
> hexdump("V'", ctx->V);
>
> /*
> @@ -272,7 +271,6 @@ static int reset_prng_context(struct prng_context *ctx,
> memset(ctx->DT, 0, DEFAULT_BLK_SZ);
>
> memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
> - memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
>
> ctx->rand_data_valid = DEFAULT_BLK_SZ;
--
Ciao
Stephan
next prev parent reply other threads:[~2014-12-14 11:50 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-07 12:26 [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c George Spelvin
2014-12-07 12:26 ` [PATCH v2 01/25] crypto: ansi_cprng - unroll _get_more_prng_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 02/25] crypto: ansi_cprng - Additional _get_more_prng_bytes cleanup George Spelvin
2014-12-07 12:26 ` [PATCH v2 03/25] crypto: ansi_cprng - Use %phN rather than print_hex_dump for debug George Spelvin
2014-12-07 12:26 ` [PATCH v2 04/25] crypto: ansi_cprng - Make debug output more like NIST test vectors George Spelvin
2014-12-07 12:26 ` [PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data George Spelvin
2014-12-14 11:50 ` Stephan Mueller [this message]
2014-12-14 19:22 ` George Spelvin
2014-12-07 12:26 ` [PATCH v2 06/25] crypto: ansi_cprng - Make cont_test a bool George Spelvin
2014-12-07 12:26 ` [PATCH v2 07/25] crypto: ansi_cprng - Shrink context some more George Spelvin
2014-12-07 12:26 ` [PATCH v2 08/25] crypto: ansi_cprng - Don't call reset_prng_context from cprng_init George Spelvin
2014-12-07 12:26 ` [PATCH v2 09/25] crypto: ansi_cprng - Make length types consistent George Spelvin
2014-12-07 12:26 ` [PATCH v2 10/25] crypto: ansi_cprng - Use u8 data types consistently internally George Spelvin
2014-12-07 12:26 ` [PATCH v2 11/25] crypto: ansi_cprng - Eliminate unused PRNG_FIXED_SIZE flag George Spelvin
2014-12-07 12:26 ` [PATCH v2 12/25] crypto: ansi_cprng - Get rid of rdata buffer in fips_cprng_reset George Spelvin
2014-12-07 12:26 ` [PATCH v2 13/25] crypto: Add appropriate consts to RNG API George Spelvin
2014-12-14 11:39 ` Stephan Mueller
2014-12-07 12:26 ` [PATCH v2 14/25] crypto: tcrypt - Add const qualifiers all over the test code George Spelvin
2014-12-07 12:26 ` [PATCH v2 15/25] crypto: testmgr - Merge seed arrays in struct cprng_testvec George Spelvin
2014-12-07 12:26 ` [PATCH v2 16/25] crypto: testmgr - Report failure on zero-length crypto_rng_get_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 17/25] crypto: testmgr - Don't crash if CPRNG test result is large George Spelvin
2014-12-07 12:26 ` [PATCH v2 18/25] crypto: testmgr - Add CPRNG stutter test George Spelvin
2014-12-07 12:26 ` [PATCH v2 19/25] crypto: ansi_cprng - simplify get_prng_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 20/25] crypto: ansi_cprng - simplify xor_vectors() to xor_block() George Spelvin
2014-12-07 12:26 ` [PATCH v2 21/25] crypto: ansi_cprng - Rename rand_data_valid more sensibly George Spelvin
2014-12-07 12:26 ` [PATCH v2 22/25] crypto: ansi_cprng - Tweak comments George Spelvin
2014-12-07 12:26 ` [PATCH v2 23/25] crypto: ansi_cprng - Introduce a "union cipherblock" George Spelvin
2014-12-07 12:26 ` [PATCH v2 24/25] crypto: ansi_cprng - Introduce non-deterministic mode George Spelvin
2014-12-07 12:26 ` [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output George Spelvin
2014-12-07 22:49 ` George Spelvin
2014-12-08 14:22 ` Neil Horman
2014-12-08 16:43 ` George Spelvin
2014-12-08 18:07 ` Neil Horman
2014-12-08 20:34 ` George Spelvin
2014-12-14 12:06 ` [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c Stephan Mueller
2014-12-14 19:47 ` George Spelvin
2014-12-15 6:18 ` Stephan Mueller
2014-12-14 20:37 ` George Spelvin
2014-12-15 6:14 ` Stephan Mueller
2014-12-15 8:42 ` George Spelvin
2014-12-15 8:50 ` Stephan Mueller
2014-12-15 10:45 ` George Spelvin
2014-12-15 11:08 ` Stephan Mueller
2014-12-15 5:53 ` George Spelvin
2014-12-15 6:27 ` Stephan Mueller
2014-12-15 8:28 ` George Spelvin
2014-12-15 8:56 ` Stephan Mueller
2014-12-15 10:21 ` George Spelvin
2014-12-15 10:46 ` Stephan Mueller
2014-12-15 11:32 ` Neil Horman
2014-12-15 22:01 ` George Spelvin
2014-12-16 7:22 ` Stephan Mueller
2014-12-16 11:32 ` Neil Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9785762.pgn7FGFVr8@tachyon.chronox.de \
--to=smueller@chronox.de \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux@horizon.com \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.