* [PATCH 0/8] crypto: Avoid using RNG in interrupt context
@ 2015-06-03  6:46 Herbert Xu
From: Herbert Xu @ 2015-06-03  6:46 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

Hi:

Currently we always use stdrng in interrupt context, which doesn't
work very well with DRBG which cannot be called there.

We could change DRBG but it really does a lot of work (e.g., a
reseed) in its generation function and doing it in interrupt context
would be bad.

In fact, the only reason we were doing this in interrupt context
is to conserve entropy, which is a non-issue with DRBG.

So this series changes all the RNG users to only use the RNG in
process context, and then makes DRBG the default RNG.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* [PATCH 1/8] crypto: chainiv - Move IV seeding into init function
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/chainiv.c |   66 +++++++------------------------------------------------
 1 file changed, 9 insertions(+), 57 deletions(-)

diff --git a/crypto/chainiv.c b/crypto/chainiv.c
index 63c17d5..be0bd52 100644
--- a/crypto/chainiv.c
+++ b/crypto/chainiv.c
@@ -80,35 +80,15 @@ unlock:
 	return err;
 }
 
-static int chainiv_givencrypt_first(struct skcipher_givcrypt_request *req)
+static int chainiv_init_common(struct crypto_tfm *tfm, char iv[])
 {
-	struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req);
-	struct chainiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->lock);
-	if (crypto_ablkcipher_crt(geniv)->givencrypt !=
-	    chainiv_givencrypt_first)
-		goto unlock;
-
-	crypto_ablkcipher_crt(geniv)->givencrypt = chainiv_givencrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->iv,
-				   crypto_ablkcipher_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->lock);
+	struct crypto_ablkcipher *geniv = __crypto_ablkcipher_cast(tfm);
 
-	if (err)
-		return err;
-
-	return chainiv_givencrypt(req);
-}
-
-static int chainiv_init_common(struct crypto_tfm *tfm)
-{
 	tfm->crt_ablkcipher.reqsize = sizeof(struct ablkcipher_request);
 
-	return skcipher_geniv_init(tfm);
+	return crypto_rng_get_bytes(crypto_default_rng, iv,
+				    crypto_ablkcipher_ivsize(geniv)) ?:
+	       skcipher_geniv_init(tfm);
 }
 
 static int chainiv_init(struct crypto_tfm *tfm)
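Review bot: `chainiv_init_common(struct crypto_tfm *tfm, char iv[])` takes an unsized buffer and writes `crypto_ablkcipher_ivsize(geniv)` bytes into it, so the requirement that the caller's `ctx->iv` is at least ivsize bytes is implicit at the signature. A one-line comment above the definition would pin the contract and the reason the seeding moved: `/* @iv must hold at least crypto_ablkcipher_ivsize() bytes. Seeded here, in process context, because the default RNG must not be called from the interrupt-context givencrypt path. */`. The same init-time seeding lands without a comment in eseqiv_init (3/8) and in seqiv_init and seqiv_old_aead_init (4/8). Note also that `tfm->crt_ablkcipher.reqsize` is now written before the RNG call, so a failing `crypto_rng_get_bytes()` returns with reqsize already set; presumably harmless since the tfm is discarded on init failure, but worth a word in the commit message.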
@@ -117,7 +97,7 @@ static int chainiv_init(struct crypto_tfm *tfm)
 
 	spin_lock_init(&ctx->lock);
 
-	return chainiv_init_common(tfm);
+	return chainiv_init_common(tfm, ctx->iv);
 }
 
 static int async_chainiv_schedule_work(struct async_chainiv_ctx *ctx)
@@ -205,33 +185,6 @@ postpone:
 	return async_chainiv_postpone_request(req);
 }
 
-static int async_chainiv_givencrypt_first(struct skcipher_givcrypt_request *req)
-{
-	struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req);
-	struct async_chainiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
-	int err = 0;
-
-	if (test_and_set_bit(CHAINIV_STATE_INUSE, &ctx->state))
-		goto out;
-
-	if (crypto_ablkcipher_crt(geniv)->givencrypt !=
-	    async_chainiv_givencrypt_first)
-		goto unlock;
-
-	crypto_ablkcipher_crt(geniv)->givencrypt = async_chainiv_givencrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->iv,
-				   crypto_ablkcipher_ivsize(geniv));
-
-unlock:
-	clear_bit(CHAINIV_STATE_INUSE, &ctx->state);
-
-	if (err)
-		return err;
-
-out:
-	return async_chainiv_givencrypt(req);
-}
-
 static void async_chainiv_do_postponed(struct work_struct *work)
 {
 	struct async_chainiv_ctx *ctx = container_of(work,
@@ -270,7 +223,7 @@ static int async_chainiv_init(struct crypto_tfm *tfm)
 	crypto_init_queue(&ctx->queue, 100);
 	INIT_WORK(&ctx->postponed, async_chainiv_do_postponed);
 
-	return chainiv_init_common(tfm);
+	return chainiv_init_common(tfm, ctx->iv);
 }
 
 static void async_chainiv_exit(struct crypto_tfm *tfm)
@@ -302,7 +255,7 @@ static struct crypto_instance *chainiv_alloc(struct rtattr **tb)
 	if (IS_ERR(inst))
 		goto put_rng;
 
-	inst->alg.cra_ablkcipher.givencrypt = chainiv_givencrypt_first;
+	inst->alg.cra_ablkcipher.givencrypt = chainiv_givencrypt;
 
 	inst->alg.cra_init = chainiv_init;
 	inst->alg.cra_exit = skcipher_geniv_exit;
@@ -312,8 +265,7 @@ static struct crypto_instance *chainiv_alloc(struct rtattr **tb)
 	if (!crypto_requires_sync(algt->type, algt->mask)) {
 		inst->alg.cra_flags |= CRYPTO_ALG_ASYNC;
 
-		inst->alg.cra_ablkcipher.givencrypt =
-			async_chainiv_givencrypt_first;
+		inst->alg.cra_ablkcipher.givencrypt = async_chainiv_givencrypt;
 
 		inst->alg.cra_init = async_chainiv_init;
 		inst->alg.cra_exit = async_chainiv_exit;


* [PATCH 2/8] crypto: echainiv - Move IV seeding into init function
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/echainiv.c |   30 ++++++------------------------
 1 file changed, 6 insertions(+), 24 deletions(-)

diff --git a/crypto/echainiv.c b/crypto/echainiv.c
index 62a817f..08d3336 100644
--- a/crypto/echainiv.c
+++ b/crypto/echainiv.c
@@ -187,29 +187,6 @@ static int echainiv_decrypt(struct aead_request *req)
 	return crypto_aead_decrypt(subreq);
 }
 
-static int echainiv_encrypt_first(struct aead_request *req)
-{
-	struct crypto_aead *geniv = crypto_aead_reqtfm(req);
-	struct echainiv_ctx *ctx = crypto_aead_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->geniv.lock);
-	if (geniv->encrypt != echainiv_encrypt_first)
-		goto unlock;
-
-	geniv->encrypt = echainiv_encrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_aead_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->geniv.lock);
-
-	if (err)
-		return err;
-
-	return echainiv_encrypt(req);
-}
-
 static int echainiv_init(struct crypto_tfm *tfm)
 {
 	struct crypto_aead *geniv = __crypto_aead_cast(tfm);
@@ -220,6 +197,11 @@ static int echainiv_init(struct crypto_tfm *tfm)
 
 	crypto_aead_set_reqsize(geniv, sizeof(struct aead_request));
 
+	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
+				   crypto_aead_ivsize(geniv));
+	if (err)
+		goto out;
+
 	ctx->null = crypto_get_default_null_skcipher();
 	err = PTR_ERR(ctx->null);
 	if (IS_ERR(ctx->null))
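Review bot: The early `goto out` after the new `crypto_rng_get_bytes()` call jumps to a label outside this hunk, and it is correct only because the seeding sits before `crypto_get_default_null_skcipher()` is taken — nothing has been acquired yet, so there is nothing to unwind; if `out:` ever grows cleanup for the null skcipher, this path would release a reference it never obtained. A comment on the seeding would make that ordering deliberate rather than incidental: `/* Seed before acquiring anything: a failure returns straight through out: with nothing to release. Done at init (process context) because the default RNG cannot be used from the interrupt-context encrypt path. */`. `echainiv_init` starts before this hunk and continues past it. The same shape, with the same unstated ordering dependency, is added to `seqiv_aead_init_common` in 4/8.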
@@ -272,7 +254,7 @@ static int echainiv_aead_create(struct crypto_template *tmpl,
 	    inst->alg.ivsize > MAX_IV_SIZE)
 		goto free_inst;
 
-	inst->alg.encrypt = echainiv_encrypt_first;
+	inst->alg.encrypt = echainiv_encrypt;
 	inst->alg.decrypt = echainiv_decrypt;
 
 	inst->alg.base.cra_init = echainiv_init;


* [PATCH 3/8] crypto: eseqiv - Move IV seeding into init function
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/eseqiv.c |   29 ++++-------------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/crypto/eseqiv.c b/crypto/eseqiv.c
index f116fae..78a7264 100644
--- a/crypto/eseqiv.c
+++ b/crypto/eseqiv.c
@@ -146,29 +146,6 @@ out:
 	return err;
 }
 
-static int eseqiv_givencrypt_first(struct skcipher_givcrypt_request *req)
-{
-	struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req);
-	struct eseqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->lock);
-	if (crypto_ablkcipher_crt(geniv)->givencrypt != eseqiv_givencrypt_first)
-		goto unlock;
-
-	crypto_ablkcipher_crt(geniv)->givencrypt = eseqiv_givencrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_ablkcipher_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->lock);
-
-	if (err)
-		return err;
-
-	return eseqiv_givencrypt(req);
-}
-
 static int eseqiv_init(struct crypto_tfm *tfm)
 {
 	struct crypto_ablkcipher *geniv = __crypto_ablkcipher_cast(tfm);
@@ -198,7 +175,9 @@ static int eseqiv_init(struct crypto_tfm *tfm)
 	tfm->crt_ablkcipher.reqsize = reqsize +
 				      sizeof(struct ablkcipher_request);
 
-	return skcipher_geniv_init(tfm);
+	return crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
+				    crypto_ablkcipher_ivsize(geniv)) ?:
+	       skcipher_geniv_init(tfm);
 }
 
 static struct crypto_template eseqiv_tmpl;
@@ -220,7 +199,7 @@ static struct crypto_instance *eseqiv_alloc(struct rtattr **tb)
 	if (inst->alg.cra_ablkcipher.ivsize != inst->alg.cra_blocksize)
 		goto free_inst;
 
-	inst->alg.cra_ablkcipher.givencrypt = eseqiv_givencrypt_first;
+	inst->alg.cra_ablkcipher.givencrypt = eseqiv_givencrypt;
 
 	inst->alg.cra_init = eseqiv_init;
 	inst->alg.cra_exit = skcipher_geniv_exit;


* [PATCH 4/8] crypto: seqiv - Move IV seeding into init function
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/seqiv.c |  113 +++++++--------------------------------------------------
 1 file changed, 15 insertions(+), 98 deletions(-)

diff --git a/crypto/seqiv.c b/crypto/seqiv.c
index 2333974..42e4ee5 100644
--- a/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -474,98 +474,6 @@ static int seqiv_aead_decrypt(struct aead_request *req)
 	return crypto_aead_decrypt(subreq);
 }
 
-static int seqiv_givencrypt_first(struct skcipher_givcrypt_request *req)
-{
-	struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req);
-	struct seqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->lock);
-	if (crypto_ablkcipher_crt(geniv)->givencrypt != seqiv_givencrypt_first)
-		goto unlock;
-
-	crypto_ablkcipher_crt(geniv)->givencrypt = seqiv_givencrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_ablkcipher_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->lock);
-
-	if (err)
-		return err;
-
-	return seqiv_givencrypt(req);
-}
-
-static int seqiv_aead_givencrypt_first(struct aead_givcrypt_request *req)
-{
-	struct crypto_aead *geniv = aead_givcrypt_reqtfm(req);
-	struct seqiv_ctx *ctx = crypto_aead_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->lock);
-	if (crypto_aead_crt(geniv)->givencrypt != seqiv_aead_givencrypt_first)
-		goto unlock;
-
-	crypto_aead_crt(geniv)->givencrypt = seqiv_aead_givencrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_aead_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->lock);
-
-	if (err)
-		return err;
-
-	return seqiv_aead_givencrypt(req);
-}
-
-static int seqniv_aead_encrypt_first(struct aead_request *req)
-{
-	struct crypto_aead *geniv = crypto_aead_reqtfm(req);
-	struct seqiv_aead_ctx *ctx = crypto_aead_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->geniv.lock);
-	if (geniv->encrypt != seqniv_aead_encrypt_first)
-		goto unlock;
-
-	geniv->encrypt = seqniv_aead_encrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_aead_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->geniv.lock);
-
-	if (err)
-		return err;
-
-	return seqniv_aead_encrypt(req);
-}
-
-static int seqiv_aead_encrypt_first(struct aead_request *req)
-{
-	struct crypto_aead *geniv = crypto_aead_reqtfm(req);
-	struct seqiv_aead_ctx *ctx = crypto_aead_ctx(geniv);
-	int err = 0;
-
-	spin_lock_bh(&ctx->geniv.lock);
-	if (geniv->encrypt != seqiv_aead_encrypt_first)
-		goto unlock;
-
-	geniv->encrypt = seqiv_aead_encrypt;
-	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
-				   crypto_aead_ivsize(geniv));
-
-unlock:
-	spin_unlock_bh(&ctx->geniv.lock);
-
-	if (err)
-		return err;
-
-	return seqiv_aead_encrypt(req);
-}
-
 static int seqiv_init(struct crypto_tfm *tfm)
 {
 	struct crypto_ablkcipher *geniv = __crypto_ablkcipher_cast(tfm);
@@ -575,7 +483,9 @@ static int seqiv_init(struct crypto_tfm *tfm)
 
 	tfm->crt_ablkcipher.reqsize = sizeof(struct ablkcipher_request);
 
-	return skcipher_geniv_init(tfm);
+	return crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
+				    crypto_ablkcipher_ivsize(geniv)) ?:
+	       skcipher_geniv_init(tfm);
 }
 
 static int seqiv_old_aead_init(struct crypto_tfm *tfm)
@@ -588,7 +498,9 @@ static int seqiv_old_aead_init(struct crypto_tfm *tfm)
 	crypto_aead_set_reqsize(__crypto_aead_cast(tfm),
 				sizeof(struct aead_request));
 
-	return aead_geniv_init(tfm);
+	return crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
+				    crypto_aead_ivsize(geniv)) ?:
+	       aead_geniv_init(tfm);
 }
 
 static int seqiv_aead_init_common(struct crypto_tfm *tfm, unsigned int reqsize)
@@ -601,6 +513,11 @@ static int seqiv_aead_init_common(struct crypto_tfm *tfm, unsigned int reqsize)
 
 	crypto_aead_set_reqsize(geniv, sizeof(struct aead_request));
 
+	err = crypto_rng_get_bytes(crypto_default_rng, ctx->salt,
+				   crypto_aead_ivsize(geniv));
+	if (err)
+		goto out;
+
 	ctx->null = crypto_get_default_null_skcipher();
 	err = PTR_ERR(ctx->null);
 	if (IS_ERR(ctx->null))
@@ -654,7 +571,7 @@ static int seqiv_ablkcipher_create(struct crypto_template *tmpl,
 	if (inst->alg.cra_ablkcipher.ivsize < sizeof(u64))
 		goto free_inst;
 
-	inst->alg.cra_ablkcipher.givencrypt = seqiv_givencrypt_first;
+	inst->alg.cra_ablkcipher.givencrypt = seqiv_givencrypt;
 
 	inst->alg.cra_init = seqiv_init;
 	inst->alg.cra_exit = skcipher_geniv_exit;
@@ -685,7 +602,7 @@ static int seqiv_old_aead_create(struct crypto_template *tmpl,
 	if (inst->alg.cra_aead.ivsize < sizeof(u64))
 		goto free_inst;
 
-	inst->alg.cra_aead.givencrypt = seqiv_aead_givencrypt_first;
+	inst->alg.cra_aead.givencrypt = seqiv_aead_givencrypt;
 
 	inst->alg.cra_init = seqiv_old_aead_init;
 	inst->alg.cra_exit = aead_geniv_exit;
@@ -732,7 +649,7 @@ static int seqiv_aead_create(struct crypto_template *tmpl, struct rtattr **tb)
 	if (inst->alg.ivsize != sizeof(u64))
 		goto free_inst;
 
-	inst->alg.encrypt = seqiv_aead_encrypt_first;
+	inst->alg.encrypt = seqiv_aead_encrypt;
 	inst->alg.decrypt = seqiv_aead_decrypt;
 
 	inst->alg.base.cra_init = seqiv_aead_init;
@@ -804,7 +721,7 @@ static int seqniv_create(struct crypto_template *tmpl, struct rtattr **tb)
 	if (inst->alg.ivsize != sizeof(u64))
 		goto free_inst;
 
-	inst->alg.encrypt = seqniv_aead_encrypt_first;
+	inst->alg.encrypt = seqniv_aead_encrypt;
 	inst->alg.decrypt = seqniv_aead_decrypt;
 
 	inst->alg.base.cra_init = seqniv_aead_init;


* [PATCH 5/8] crypto: drbg - Add stdrng alias and increase priority
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

This patch adds the stdrng module alias and increases the priority
to ensure that it is loaded in preference to other RNGs.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/drbg.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 9284348..04836b4 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1876,7 +1876,7 @@ static inline void __init drbg_fill_array(struct rng_alg *alg,
 					  const struct drbg_core *core, int pr)
 {
 	int pos = 0;
-	static int priority = 100;
+	static int priority = 200;
 
 	memcpy(alg->base.cra_name, "stdrng", 6);
 	if (pr) {
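Review bot: The new `static int priority = 200;` is a bare literal with no indication of what it has to outrank; a comment such as `/* must exceed every other stdrng provider so the DRBG is picked as the default RNG */` would keep the next bump honest. krng, which is only removed in 8/8, registers `stdrng` at `.cra_priority = 200`, so at this point in the series the two tie and which instance the stdrng lookup resolves to appears to depend on registration order rather than priority — a bisect landing between 5/8 and 8/8 may still end up on krng. The `MODULE_ALIAS_CRYPTO("stdrng")` added in the next hunk likewise duplicates krng's alias until 8/8; either reorder so the krng removal lands first, or state in the commit message that the interim tie is accepted.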
@@ -1965,3 +1965,4 @@ MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
 		   CRYPTO_DRBG_HASH_STRING
 		   CRYPTO_DRBG_HMAC_STRING
 		   CRYPTO_DRBG_CTR_STRING);
+MODULE_ALIAS_CRYPTO("stdrng");


* [PATCH 6/8] crypto: echainiv - Set Kconfig default to m
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

As this is required by many IPsec algorithms, let's set the default
to m.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/Kconfig |    1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index af011a9..c3b6a5b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -232,6 +232,7 @@ config CRYPTO_ECHAINIV
 	select CRYPTO_AEAD
 	select CRYPTO_NULL
 	select CRYPTO_RNG
+	default m
 	help
 	  This IV generator generates an IV based on the encryption of
 	  a sequence number xored with a salt.  This is the default


* [PATCH 7/8] crypto: rng - Make DRBG the default RNG
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

This patch creates a new invisible Kconfig option CRYPTO_RNG_DEFAULT
that simply selects the DRBG.  This new option is then selected
by the IV generators.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/Kconfig |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index c3b6a5b..19ca651 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -78,6 +78,10 @@ config CRYPTO_RNG2
 	tristate
 	select CRYPTO_ALGAPI2
 
+config CRYPTO_RNG_DEFAULT
+	tristate
+	select CRYPTO_DRBG_MENU
+
 config CRYPTO_PCOMP
 	tristate
 	select CRYPTO_PCOMP2
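Review bot: `CRYPTO_RNG_DEFAULT` is an invisible tristate whose purpose a reader of Kconfig cannot recover, and the chain it relies on is indirect: it selects `CRYPTO_DRBG_MENU`, and `CRYPTO_DRBG` then only defaults to that symbol (last hunk of this patch) rather than being selected. A comment above the entry would record the intent: `# Selected by users of the default RNG (crypto_default_rng): pulls in the DRBG so a stdrng exists that can be used from process context.`. Since `CRYPTO_DRBG` carries no prompt the default appears to be effectively binding, but stating that here saves the next reader from working it out.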
@@ -222,7 +226,7 @@ config CRYPTO_SEQIV
 	select CRYPTO_AEAD
 	select CRYPTO_BLKCIPHER
 	select CRYPTO_NULL
-	select CRYPTO_RNG
+	select CRYPTO_RNG_DEFAULT
 	help
 	  This IV generator generates an IV based on a sequence number by
 	  xoring it with a salt.  This algorithm is mainly useful for CTR
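Review bot: Only `CRYPTO_SEQIV` here and `CRYPTO_ECHAINIV` in the next hunk move to `select CRYPTO_RNG_DEFAULT`, but chainiv.c and eseqiv.c (patches 1/8 and 3/8) also seed from `crypto_default_rng` at init and are not covered, while 8/8 removes krng, the stdrng that `CRYPTO_RNG2` used to build. Unless the symbol that builds chainiv/eseqiv (not touched in this series) also selects `CRYPTO_RNG_DEFAULT`, a configuration with neither the DRBG nor ANSI_CPRNG enabled would presumably have those generators fail at the stdrng lookup; either add the select there or explain in the commit message why it is unnecessary.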
@@ -231,7 +235,7 @@ config CRYPTO_ECHAINIV
 	tristate "Encrypted Chain IV Generator"
 	select CRYPTO_AEAD
 	select CRYPTO_NULL
-	select CRYPTO_RNG
+	select CRYPTO_RNG_DEFAULT
 	default m
 	help
 	  This IV generator generates an IV based on the encryption of
@@ -1450,7 +1454,6 @@ comment "Random Number Generation"
 
 config CRYPTO_ANSI_CPRNG
 	tristate "Pseudo Random Number Generation for Cryptographic modules"
-	default m
 	select CRYPTO_AES
 	select CRYPTO_RNG
 	help
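Review bot: The removal of `default m` from `CRYPTO_ANSI_CPRNG` here, and the conversion of `CRYPTO_DRBG_HMAC` in the next hunk from a user-visible `bool "Enable HMAC DRBG"` with help text to a silent `default y`, are not mentioned in the commit message, which only describes the new `CRYPTO_RNG_DEFAULT` symbol. Both are user-visible configuration changes — ansi_cprng stops being built by default, and the HMAC DRBG can no longer be deselected — and each deserves a sentence in the description or its own patch. If the HMAC variant is now mandatory because it is the one `CRYPTO_DRBG` relies on, a `# always on: the DRBG needs at least one variant` comment on the entry would say so.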
@@ -1468,11 +1471,9 @@ menuconfig CRYPTO_DRBG_MENU
 if CRYPTO_DRBG_MENU
 
 config CRYPTO_DRBG_HMAC
-	bool "Enable HMAC DRBG"
+	bool
 	default y
 	select CRYPTO_HMAC
-	help
-	  Enable the HMAC DRBG variant as defined in NIST SP800-90A.
 
 config CRYPTO_DRBG_HASH
 	bool "Enable Hash DRBG"
@@ -1488,7 +1489,7 @@ config CRYPTO_DRBG_CTR
 
 config CRYPTO_DRBG
 	tristate
-	default CRYPTO_DRBG_MENU if (CRYPTO_DRBG_HMAC || CRYPTO_DRBG_HASH || CRYPTO_DRBG_CTR)
+	default CRYPTO_DRBG_MENU
 	select CRYPTO_RNG
 	select CRYPTO_JITTERENTROPY
 


* [PATCH 8/8] crypto: rng - Remove krng
@ 2015-06-03  6:49 ` Herbert Xu
From: Herbert Xu @ 2015-06-03  6:49 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Stephan Mueller

This patch removes krng so that DRBG can take its place.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/Makefile |    1 
 crypto/krng.c   |   61 --------------------------------------------------------
 2 files changed, 62 deletions(-)

diff --git a/crypto/Makefile b/crypto/Makefile
index 5db5b95..a0f49c3 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -92,7 +92,6 @@ obj-$(CONFIG_CRYPTO_LZ4) += lz4.o
 obj-$(CONFIG_CRYPTO_LZ4HC) += lz4hc.o
 obj-$(CONFIG_CRYPTO_842) += 842.o
 obj-$(CONFIG_CRYPTO_RNG2) += rng.o
-obj-$(CONFIG_CRYPTO_RNG2) += krng.o
 obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o
 obj-$(CONFIG_CRYPTO_DRBG) += drbg.o
 CFLAGS_jitterentropy.o = -O0
diff --git a/crypto/krng.c b/crypto/krng.c
deleted file mode 100644
index 40ed78e..0000000
--- a/crypto/krng.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * RNG implementation using standard kernel RNG.
- *
- * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * any later version.
- *
- */
-
-#include <crypto/internal/rng.h>
-#include <linux/err.h>
-#include <linux/init.h>
-#include <linux/module.h>
-#include <linux/random.h>
-
-static int krng_generate(struct crypto_rng *tfm,
-			 const u8 *src, unsigned int slen,
-			 u8 *rdata, unsigned int dlen)
-{
-	get_random_bytes(rdata, dlen);
-	return 0;
-}
-
-static int krng_seed(struct crypto_rng *tfm, const u8 *seed, unsigned int slen)
-{
-	return 0;
-}
-
-static struct rng_alg krng_alg = {
-	.generate		= krng_generate,
-	.seed			= krng_seed,
-	.base			=	{
-		.cra_name		= "stdrng",
-		.cra_driver_name	= "krng",
-		.cra_priority		= 200,
-		.cra_module		= THIS_MODULE,
-	}
-};
-
-
-/* Module initalization */
-static int __init krng_mod_init(void)
-{
-	return crypto_register_rng(&krng_alg);
-}
-
-static void __exit krng_mod_fini(void)
-{
-	crypto_unregister_rng(&krng_alg);
-}
-
-module_init(krng_mod_init);
-module_exit(krng_mod_fini);
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("Kernel Random Number Generator");
-MODULE_ALIAS_CRYPTO("stdrng");
-MODULE_ALIAS_CRYPTO("krng");


* Re: [PATCH 5/8] crypto: drbg - Add stdrng alias and increase priority
@ 2015-06-03  6:59   ` Stephan Mueller
From: Stephan Mueller @ 2015-06-03  6:59 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Linux Crypto Mailing List

Am Mittwoch, 3. Juni 2015, 14:49:28 schrieb Herbert Xu:

Hi Herbert,

>This patch adds the stdrng module alias and increases the priority
>to ensure that it is loaded in preference to other RNGs.
>
>Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>---
>
> crypto/drbg.c |    3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/crypto/drbg.c b/crypto/drbg.c
>index 9284348..04836b4 100644
>--- a/crypto/drbg.c
>+++ b/crypto/drbg.c
>@@ -1876,7 +1876,7 @@ static inline void __init drbg_fill_array(struct
>rng_alg *alg, const struct drbg_core *core, int pr)
> {
> 	int pos = 0;
>-	static int priority = 100;
>+	static int priority = 200;

Considering the patch 8/8 which removes krng, wouldn't it make sense to remove 
the following code from the DRBG:

        /*
         * If FIPS mode enabled, the selected DRBG shall have the
         * highest cra_priority over other stdrng instances to ensure
         * it is selected.
         */
        if (fips_enabled)
                alg->base.cra_priority += 200;

That code was added to get a higher prio than the krng in FIPS mode. As this 
is not needed any more (krng is gone), I would say it is safe to remove this 
code too.

>
> 	memcpy(alg->base.cra_name, "stdrng", 6);
> 	if (pr) {
>@@ -1965,3 +1965,4 @@ MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random
>Bit Generator (DRBG) " CRYPTO_DRBG_HASH_STRING
> 		   CRYPTO_DRBG_HMAC_STRING
> 		   CRYPTO_DRBG_CTR_STRING);
>+MODULE_ALIAS_CRYPTO("stdrng");


Ciao
Stephan


* Re: [PATCH 5/8] crypto: drbg - Add stdrng alias and increase priority
@ 2015-06-03  7:01     ` Herbert Xu
From: Herbert Xu @ 2015-06-03  7:01 UTC (permalink / raw)
  To: Stephan Mueller; +Cc: Linux Crypto Mailing List

On Wed, Jun 03, 2015 at 08:59:13AM +0200, Stephan Mueller wrote:
> 
> Considering the patch 8/8 which removes krng, wouldn't it make sense to remove 
> the following code from the DRBG:
> 
>         /*
>          * If FIPS mode enabled, the selected DRBG shall have the
>          * highest cra_priority over other stdrng instances to ensure
>          * it is selected.
>          */
>         if (fips_enabled)
>                 alg->base.cra_priority += 200;
> 
> That code was added to get a higher prio than the krng in FIPS mode. As this 
> is not needed any more (krng is gone), I would say it is safe to remove this 
> code too.

You'd have to remove it from ansi_cprng first.  Feel free to send
patches to do that.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH 5/8] crypto: drbg - Add stdrng alias and increase priority
@ 2015-06-03  7:08       ` Stephan Mueller
From: Stephan Mueller @ 2015-06-03  7:08 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Linux Crypto Mailing List

Am Mittwoch, 3. Juni 2015, 15:01:39 schrieb Herbert Xu:

Hi Herbert,

> You'd have to remove it from ansi_cprng first.  Feel free to send
> patches to do that.

Absolutely, my bad.

-- 
Ciao
Stephan

