Re: [PATCH 2/2] ath9k: disable RNG by default
Hi Jason, On 2016-08-10 21:24, Jason Cooper wrote: *gentle reminder: others are reading which may not be directly included in the conversation. Including the archives. Please avoid top posting. :) Thanks:) The fact is, barring userspace expectations of /dev/hwrng, hw_random is the appropriate place for it. It's not a devicetree blob, mac address, or pci config space. Which are things we feed in once for the heck of it. This is a *continuous* source or questionable quality. I'm seriously considering putting this and timeriomem-rng into a subdirectory under hw_random/, maybe environ/. Anything in there gets quality=0 for default, and *doesn't* contribute to /dev/hwrng. Regardless which path we take, I think we should include 'adc' in the name. I've heard countless times about "Atheros cards come with an rng on board". :-/ If I understand correctly, you want to bind the ADC source to /dev/hwrng, and then change rng-tools to set the entropy to zero in the ioctl call ? There are two major problems with that approach, 1) We already tried once before to bind our solution to /dev/hwrng, and got so much complaints. The conclusion was that maybe we know that the output of /dev/hwrng does not have perfect entropy, but a normal user does not know and will misuse it. You mentioned in https://www.kernel.org/doc/Documentation/hw_random.txt we have "This data is NOT CHECKED by any fitness tests, and could potentially be bogus (if the hardware is faulty or has been tampered with). Data is only output if the hardware "has-data" flag is set, but nevertheless a security-conscious person would run fitness tests on the data before assuming it is truly random." But this is not enough to convince upstream to switch to /dev/hwrng. I think the concern of users misusing the solution is a very valid concern. 2) If we set the entropy to zero in rng-tools, we cannot tolerate the load. Rng-tools is not a timer-based solution. Similar to our solution, it is based on /proc/sys/kernel/random/write_wakeup_threshold. If we do not increase the entropy counter, rng-tools keep writing into the pool, and both rng-tools and WiFi chip will be overloaded. Thanks, Miaoqing -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] RANDOM: ATH9K RNG delivers zero bits of entropy
On Tue, Aug 09, 2016 at 02:04:44PM +, Jason Cooper wrote: > > iiuc, Ted, you're saying using the hw_random framework would be > disasterous because despite most drivers having a default quality of 0, > rngd assumes 1 bit of entropy for every bit read? Sorry, what I was trying to say (but failed) was that bypassing the hwrng framework and injecting entropy directly the entropy pool was disatrous. > Thankfully, most hw_random drivers don't set the quality. So unless the > user sets the default_quality param, it's zero. The fact that this is "most" and not "all" does scare me a little. As far as I'm concerned *all* hw_random drivers should set quality to zero, since it should be up to the system administrator. Perhaps the one exception is virtio_rng, since if you don't trust the hypvervisor, the security of the VM is hopeless. That being said, I have seen configurations of KVM which use: -object rng-random,filename=/dev/urandom,id=rng0 \ -device virtio-rng-pci,rng=rng0 Which is somewhat non-ideal. (Try running od -x /dev/random on such a guest system) - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] ath9k: disable RNG by default
Hi Miaoqing Pan, Stephen, *gentle reminder: others are reading which may not be directly included in the conversation. Including the archives. Please avoid top posting. :) On Wed, Aug 10, 2016 at 07:43:45AM +, Pan, Miaoqing wrote: > The problem with using the add_device_randomness is that we do not > know when to call that API, and we have to make our solution either > timer-based or interrupt based, which is not really the correct way of > implementing this feature. Exactly. I think we're dancing around the problem by discussing the quality of what the ath9k adc provides. The fact is, barring userspace expectations of /dev/hwrng, hw_random is the appropriate place for it. It's not a devicetree blob, mac address, or pci config space. Which are things we feed in once for the heck of it. This is a *continuous* source or questionable quality. I'm seriously considering putting this and timeriomem-rng into a subdirectory under hw_random/, maybe environ/. Anything in there gets quality=0 for default, and *doesn't* contribute to /dev/hwrng. Regardless which path we take, I think we should include 'adc' in the name. I've heard countless times about "Atheros cards come with an rng on board". :-/ thx, Jason. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] crypto: XTS - remove test that will fail in FIPS mode
Hi Stephan, Thanks. Sorry for a late reply to this. I did test your patch for testmgr.h with the vanilla kernel 4.7 source. This doesn¹t solve the xts(aes) self-test failure in FIPS mode. I get the exact same error as before. Thanks -Tapas On 8/10/16, 12:49 AM, "Stephan Mueller"wrote: >Hi Tapas, Herbert, > >Tapas: this patch should fix it. Can you please test? > >Herbert: The reason why I have to caught this issue in my tests is the >following: I compile xts-aes-aesni statically as you can see below. The >self test is marked as passed, although there is no XTS test performed. >When you boot in FIPS mode, the testmgr prints out all tests. But XTS is >not among them. Do you have an idea why that happens? > >name : xts(aes) >driver : xts-aes-aesni >module : kernel >priority : 400 >refcnt : 1 >selftest : passed >internal : no >type : ablkcipher >async: yes >blocksize: 16 >min keysize : 32 >max keysize : 64 >ivsize : 16 >geniv: > >---8<--- > >In FIPS mode, setting XTS keys where the AES key is identical to the >tweak key is forbidden. Thus, the self test with such property will fail >in FIPS mode. > >As we have other tests available for XTS, this patch simply removes the >offending test vectors. > >Reported-by: Tapas Sarangi >Signed-off-by: Stephan Mueller >--- > crypto/testmgr.h | 36 > 1 file changed, 36 deletions(-) > >diff --git a/crypto/testmgr.h b/crypto/testmgr.h >index acb6bbf..e4b58f5 100644 >--- a/crypto/testmgr.h >+++ b/crypto/testmgr.h >@@ -10179,24 +10179,6 @@ static struct cipher_testvec >tf_lrw_dec_tv_template[] = { > static struct cipher_testvec tf_xts_enc_tv_template[] = { > /* Generated from AES-XTS test vectors */ > { >- .key= "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .klen = 32, >- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .input = "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .ilen = 32, >- .result = "\x4b\xc9\x44\x4a\x11\xa3\xef\xac" >-"\x30\x74\xe4\x44\x52\x77\x97\x43" >-"\xa7\x60\xb2\x45\x2e\xf9\x00\x90" >-"\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0", >- .rlen = 32, >- }, { > .key= "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x22\x22\x22\x22\x22\x22\x22\x22" >@@ -10522,24 +10504,6 @@ static struct cipher_testvec >tf_xts_dec_tv_template[] = { > /* Generated from AES-XTS test vectors */ > /* same as enc vectors with input and result reversed */ > { >- .key= "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .klen = 32, >- .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .input = "\x4b\xc9\x44\x4a\x11\xa3\xef\xac" >-"\x30\x74\xe4\x44\x52\x77\x97\x43" >-"\xa7\x60\xb2\x45\x2e\xf9\x00\x90" >-"\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0", >- .ilen = 32, >- .result = "\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00" >-"\x00\x00\x00\x00\x00\x00\x00\x00", >- .rlen = 32, >- }, { > .key= "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x11\x11\x11\x11\x11\x11\x11\x11" > "\x22\x22\x22\x22\x22\x22\x22\x22" >-- >2.7.4 > > This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the
Re: [PATCH v3] KEYS: add SP800-56A KDF support for DH
Am Dienstag, 9. August 2016, 15:48:00 CEST schrieb Mat Martineau: Hi Mat, > On Sat, 6 Aug 2016, Stephan Mueller wrote: > > diff --git a/security/keys/internal.h b/security/keys/internal.h > > index a705a7d..7659b52 100644 > > --- a/security/keys/internal.h > > +++ b/security/keys/internal.h > > @@ -259,15 +259,32 @@ static inline long keyctl_get_persistent(uid_t uid, > > key_serial_t destring) #endif > > > > #ifdef CONFIG_KEY_DH_OPERATIONS > > +#include > > +#include > > These may belong at the top of the file, even if they are only used when > CONFIG_KEY_DH_OPERATIONS is defined. Sure. As I have seen also this coding style in the kernel, I thought it would make sense here too. But I will move it. > > > extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char > > __user *, - size_t, void __user *); > > + size_t, struct keyctl_kdf_params __user *); > > +extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char > > __user *, + size_t, struct keyctl_kdf_params *); > > +extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user > > *params, + char __user *buffer, size_t buflen, > > + struct compat_keyctl_kdf_params __user *kdf); > > +#define KEYCTL_KDF_MAX_OUTPUT_LEN 1024/* max length of KDF output */ > > +#define KEYCTL_KDF_MAX_OI_LEN 64 /* max length of > > otherinfo */ > > #else > > static inline long keyctl_dh_compute(struct keyctl_dh_params __user > > *params,> > > char __user *buffer, size_t buflen, > > > > -void __user *reserved) > > +struct keyctl_kdf_params __user *kdf) > > { > > > > return -EOPNOTSUPP; > > > > } > > + > > +static inline long compat_keyctl_dh_compute( > > + struct keyctl_dh_params __user *params, > > + char __user *buffer, size_t buflen, > > + struct keyctl_kdf_params __user *kdf) > > +{ > > + return -EOPNOTSUPP > > +} > > #endif > > > > /* > > diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c > > index d580ad0..b106898 100644 > > --- a/security/keys/keyctl.c > > +++ b/security/keys/keyctl.c > > @@ -1689,7 +1689,7 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, > > arg2, unsigned long, arg3,> > > case KEYCTL_DH_COMPUTE: > > return keyctl_dh_compute((struct keyctl_dh_params __user *) > > arg2, > > > > (char __user *) arg3, (size_t) arg4, > > > > -(void __user *) arg5); > > +(struct keyctl_kdf_params __user *) > > arg5); > > > > default: > > return -EOPNOTSUPP; > > Regards, > -- > Mat Martineau > Intel OTC Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] ath9k: disable RNG by default
Am Mittwoch, 10. August 2016, 07:15:49 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > NIST SP 800-22-rev1a and NIST SP 800-90B are used together to evaluate the > amount of min entropy the source provides, and not to decide if the source > has passed the tests or failed. See > > https://github.com/usnistgov/SP800-90B_EntropyAssessment > > The goal is often to make sure the input entropy is more than the entropy we > expect from the output. You are correct on the SP800-90B tests (hence I did not refer to them for the binary decision). Yet, SP800-22 with the associated tool delivers a binary decision. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 5/6] crypto: sun4i-ss: Always use sun4i_tfm_ctx for storing pointer to dev ss
The dev *ss is stored both in sun4i_tfm_ctx and sun4i_req_ctx. Since this pointer will never be changed during tfm life, it is better to remove it from sun4i_req_ctx. Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 13 +++-- drivers/crypto/sunxi-ss/sun4i-ss.h | 1 - 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c index 60031e0..2ee3b59 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c @@ -20,6 +20,15 @@ int sun4i_hash_crainit(struct crypto_tfm *tfm) { + struct sun4i_tfm_ctx *op = crypto_tfm_ctx(tfm); + struct ahash_alg *alg = __crypto_ahash_alg(tfm->__crt_alg); + struct sun4i_ss_alg_template *algt; + + memset(op, 0, sizeof(struct sun4i_tfm_ctx)); + + algt = container_of(alg, struct sun4i_ss_alg_template, alg.hash); + op->ss = algt->ss; + crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm), sizeof(struct sun4i_req_ctx)); return 0; @@ -36,7 +45,6 @@ int sun4i_hash_init(struct ahash_request *areq) memset(op, 0, sizeof(struct sun4i_req_ctx)); algt = container_of(alg, struct sun4i_ss_alg_template, alg.hash); - op->ss = algt->ss; op->mode = algt->mode; return 0; @@ -168,8 +176,9 @@ int sun4i_hash(struct ahash_request *areq) */ struct sun4i_req_ctx *op = ahash_request_ctx(areq); - struct sun4i_ss_ctx *ss = op->ss; struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); + struct sun4i_tfm_ctx *tfmctx = crypto_ahash_ctx(tfm); + struct sun4i_ss_ctx *ss = tfmctx->ss; unsigned int in_i = 0; /* advancement in the current SG */ unsigned int end; /* diff --git a/drivers/crypto/sunxi-ss/sun4i-ss.h b/drivers/crypto/sunxi-ss/sun4i-ss.h index ece5a1c..f04c0f8 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss.h +++ b/drivers/crypto/sunxi-ss/sun4i-ss.h @@ -163,7 +163,6 @@ struct sun4i_req_ctx { u32 hash[5]; /* for storing SS_IVx register */ char buf[64]; unsigned int len; - struct sun4i_ss_ctx *ss; int flags; }; -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH 2/2] ath9k: disable RNG by default
Hi Stephan, That is set as "optional but highly recommended" in the FIPS doc, plus the fact that we do not have a requirement to have a FIP-approved RNG in our case. Although FIPS might impose higher and stronger requirements on the source of entropy, but not passing those tests does not mean the source of entropy is of bad quality. As I mentioned earlier, we just need to evaluate the amount of entropy it provides correctly and use it accordingly. If we are dealing with a chip which has a HW RNG, we expect extremely high entropy close to full from our source, but this patch is for chips which do not have a dedicated HW RNG in place to improve the quality of random number generation on the platform. Thanks, Miaoqing -Original Message- From: Stephan Mueller [mailto:smuel...@chronox.de] Sent: Wednesday, August 10, 2016 3:27 PM To: Pan, MiaoqingCc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: Re: [PATCH 2/2] ath9k: disable RNG by default Am Mittwoch, 10. August 2016, 07:15:49 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > NIST SP 800-22-rev1a and NIST SP 800-90B are used together to evaluate > the amount of min entropy the source provides, and not to decide if > the source has passed the tests or failed. See > > https://github.com/usnistgov/SP800-90B_EntropyAssessment > > The goal is often to make sure the input entropy is more than the > entropy we expect from the output. You are correct on the SP800-90B tests (hence I did not refer to them for the binary decision). Yet, SP800-22 with the associated tool delivers a binary decision. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] ath9k: disable RNG by default
Am Mittwoch, 10. August 2016, 02:35:04 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > For those less perfect noise source, can't pass the FIPS test. > > static int update_kernel_random(int random_step, > unsigned char *buf, fips_ctx_t *fipsctx_in) > { > unsigned char *p; > int fips; > > fips = fips_run_rng_test(fipsctx_in, buf); > if (fips) > return 1; > > for (p = buf; p + random_step <= [FIPS_RNG_BUFFER_SIZE]; > p += random_step) { > random_add_entropy(p, random_step); > random_sleep(); > } > return 0; > } Not even the poor cheap AIS20 statistical tests from rngd pass? I guess the only sensible solution is what Ted suggested to use add_device_randomness. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH 2/2] ath9k: disable RNG by default
Hi Stephan, The problem with using the add_device_randomness is that we do not know when to call that API, and we have to make our solution either timer-based or interrupt based, which is not really the correct way of implementing this feature. Thanks, Miaoqing -Original Message- From: Pan, Miaoqing Sent: Wednesday, August 10, 2016 3:41 PM To: Stephan MuellerCc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: RE: [PATCH 2/2] ath9k: disable RNG by default Hi Stephan, That is set as "optional but highly recommended" in the FIPS doc, plus the fact that we do not have a requirement to have a FIP-approved RNG in our case. Although FIPS might impose higher and stronger requirements on the source of entropy, but not passing those tests does not mean the source of entropy is of bad quality. As I mentioned earlier, we just need to evaluate the amount of entropy it provides correctly and use it accordingly. If we are dealing with a chip which has a HW RNG, we expect extremely high entropy close to full from our source, but this patch is for chips which do not have a dedicated HW RNG in place to improve the quality of random number generation on the platform. Thanks, Miaoqing -Original Message- From: Stephan Mueller [mailto:smuel...@chronox.de] Sent: Wednesday, August 10, 2016 3:27 PM To: Pan, Miaoqing Cc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: Re: [PATCH 2/2] ath9k: disable RNG by default Am Mittwoch, 10. August 2016, 07:15:49 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > NIST SP 800-22-rev1a and NIST SP 800-90B are used together to evaluate > the amount of min entropy the source provides, and not to decide if > the source has passed the tests or failed. See > > https://github.com/usnistgov/SP800-90B_EntropyAssessment > > The goal is often to make sure the input entropy is more than the > entropy we expect from the output. You are correct on the SP800-90B tests (hence I did not refer to them for the binary decision). Yet, SP800-22 with the associated tool delivers a binary decision. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[cryptodev:master 17/45] drivers/crypto/ccp/ccp-dev-v5.c:838:3: error: label 'e_hwrng' used but not defined
tree: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master head: 47856204146ba6fd0f198dbb23c4ed7ad1c3fd99 commit: 99d90b2ebd8b327c0c496798db99009b30c70945 [17/45] crypto: ccp - Enable DMA service on a v5 CCP config: i386-randconfig-h1-08102150 (attached as .config) compiler: gcc-6 (Debian 6.1.1-9) 6.1.1 20160705 reproduce: git checkout 99d90b2ebd8b327c0c496798db99009b30c70945 # save the attached .config to linux build tree make ARCH=i386 Note: the cryptodev/master HEAD 47856204146ba6fd0f198dbb23c4ed7ad1c3fd99 builds fine. It only hurts bisectibility. All errors (new ones prefixed by >>): drivers/crypto/ccp/ccp-dev-v5.c: In function 'ccp5_init': >> drivers/crypto/ccp/ccp-dev-v5.c:838:3: error: label 'e_hwrng' used but not >> defined goto e_hwrng; ^~~~ vim +/e_hwrng +838 drivers/crypto/ccp/ccp-dev-v5.c 832 if (ret) 833 goto e_kthread; 834 835 /* Register the DMA engine support */ 836 ret = ccp_dmaengine_register(ccp); 837 if (ret) > 838 goto e_hwrng; 839 840 return 0; 841 --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: Binary data
RE: [PATCH 2/2] ath9k: disable RNG by default
Hi Stephan, Would you please provide a recent NIST document which asks the entropy source to pass the NIST randomness tests ? Thanks, Miaoqing -Original Message- From: Stephan Mueller [mailto:smuel...@chronox.de] Sent: Wednesday, August 10, 2016 2:25 PM To: Pan, MiaoqingCc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: Re: [PATCH 2/2] ath9k: disable RNG by default Am Mittwoch, 10. August 2016, 06:04:32 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > FIPS RNG test is supposed to be run on the output of an RNG, and not > on the RNG entropy source. It is not surprising that the RNG input > fails the entropy tests from NIST. Check the following example. > > Imagine you have a perfectly random sequence, a_1, a_2, .., a_n, where > each a_i is a byte. And imagine, this sequence passes all randomness tests. > > Now, let's say I create a new sequence a_1, 0, a_2, 0, a_3, 0, ..., 0, > a_n, where each zero is a byte > > If you give this sequence (as an entropy source) to a randomness test, > it will fail most of the tests, if not all. This does not mean this > sequence is not appropriate as an entropy source, it just means we > need twice more bytes to gain the same amount of entropy. Agreed. But that is a very simplistic view. > > I can give this 2n byte sequence to an RNG as an entropy source and it > provides the same amount of security as if I give the n byte stream. Well, I am working with standards bodies like NIST and BSI on RNG assessments. They all require that the noise source (pre-whitening, of course) pass statistical tests like the AIS20 tests, SP800-22 and similar. If you fail, you better have a good argument. And the only argument that is kind of allowed is that you oversample your noise source to seed a DRNG from (i.e. have an entropy to data ratio of significantly below 1). And the argument for the oversampling rate is always a very interesting discussion. You apply 10/32. In private, I am wondering about that ratio, but this should not be discussed here as I hope you have a valid argument for that. As we are talking about the current rngd, we have to consider that it does *not* perform an oversampling (yet) as mentioned in the previous emails. Do not get me wrong on my initial patch: your RNG may provide some entropy. But there are quite some folks who want to understand and audit a noise source before using it. Your current implementation simply does not allow switching the noise source off to feed the input_pool with data that increases the entropy estimator (at runtime). Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 4/6] crypto: sun4i-ss: fix spelling
Two words are badly spelled, this patch respell them. Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c index 7841d73..60031e0 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c @@ -372,7 +372,7 @@ int sun4i_hash(struct ahash_request *areq) * I do not check RX FIFO size in this function since the size is 32 * after each enabling and this function neither write more than 32 words. * If we come from the update part, we cannot have more than - * 3 remainings bytes to write and SS is fast enought to not care about it. + * 3 remaining bytes to write and SS is fast enough to not care about it. */ hash_final: @@ -436,7 +436,7 @@ hash_final: /* * Wait for SS to finish the hash. -* The timeout could happen only in case of bad overcloking +* The timeout could happen only in case of bad overclocking * or driver bug. */ i = 0; -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH 2/2] ath9k: disable RNG by default
Hi Stephan, FIPS RNG test is supposed to be run on the output of an RNG, and not on the RNG entropy source. It is not surprising that the RNG input fails the entropy tests from NIST. Check the following example. Imagine you have a perfectly random sequence, a_1, a_2, .., a_n, where each a_i is a byte. And imagine, this sequence passes all randomness tests. Now, let's say I create a new sequence a_1, 0, a_2, 0, a_3, 0, ..., 0, a_n, where each zero is a byte If you give this sequence (as an entropy source) to a randomness test, it will fail most of the tests, if not all. This does not mean this sequence is not appropriate as an entropy source, it just means we need twice more bytes to gain the same amount of entropy. I can give this 2n byte sequence to an RNG as an entropy source and it provides the same amount of security as if I give the n byte stream. Thanks, Miaoqing -Original Message- From: Stephan Mueller [mailto:smuel...@chronox.de] Sent: Wednesday, August 10, 2016 1:29 PM To: Pan, MiaoqingCc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: Re: [PATCH 2/2] ath9k: disable RNG by default Am Mittwoch, 10. August 2016, 02:35:04 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > For those less perfect noise source, can't pass the FIPS test. > > static int update_kernel_random(int random_step, > unsigned char *buf, fips_ctx_t *fipsctx_in) { > unsigned char *p; > int fips; > > fips = fips_run_rng_test(fipsctx_in, buf); > if (fips) > return 1; > > for (p = buf; p + random_step <= [FIPS_RNG_BUFFER_SIZE]; > p += random_step) { > random_add_entropy(p, random_step); > random_sleep(); > } > return 0; > } Not even the poor cheap AIS20 statistical tests from rngd pass? I guess the only sensible solution is what Ted suggested to use add_device_randomness. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: CCP - build error: label 'e_hwrng' undefined
Fix goto target for when registration fails Reported-by: kbuild test robotSigned-off-by: Gary R Hook --- drivers/crypto/ccp/ccp-dev-v5.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/ccp/ccp-dev-v5.c b/drivers/crypto/ccp/ccp-dev-v5.c index 4086714..114675e 100644 --- a/drivers/crypto/ccp/ccp-dev-v5.c +++ b/drivers/crypto/ccp/ccp-dev-v5.c @@ -835,7 +835,7 @@ static int ccp5_init(struct ccp_device *ccp) /* Register the DMA engine support */ ret = ccp_dmaengine_register(ccp); if (ret) - goto e_hwrng; + goto e_kthread; return 0; -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 2/6] crypto: sun4i-ss: unify update/final function
The update and final functions have lots of common action. This patch mix them in one function. This will give some improvements: - This will permit asynchronous support more easily - This will permit to use finup/digest functions with some performance improvements Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 147 ++-- drivers/crypto/sunxi-ss/sun4i-ss.h | 1 + 2 files changed, 85 insertions(+), 63 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c index ff80314..2fb0684 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c @@ -129,6 +129,9 @@ int sun4i_hash_import_sha1(struct ahash_request *areq, const void *in) return 0; } +#define SS_HASH_UPDATE 1 +#define SS_HASH_FINAL 2 + /* * sun4i_hash_update: update hash engine * @@ -156,7 +159,7 @@ int sun4i_hash_import_sha1(struct ahash_request *areq, const void *in) * write remaining data in op->buf * final state op->len=56 */ -int sun4i_hash_update(struct ahash_request *areq) +int sun4i_hash(struct ahash_request *areq) { u32 v, ivmode = 0; unsigned int i = 0; @@ -180,22 +183,30 @@ int sun4i_hash_update(struct ahash_request *areq) u32 spaces, rx_cnt = SS_RX_DEFAULT; size_t copied = 0; struct sg_mapping_iter mi; + unsigned int j = 0; + int zeros; + unsigned int index, padlen; + __be64 bits; + u32 bf[32]; + u32 wb = 0; + unsigned int nwait, nbw = 0; + struct scatterlist *in_sg = areq->src; dev_dbg(ss->dev, "%s %s bc=%llu len=%u mode=%x wl=%u h0=%0x", __func__, crypto_tfm_alg_name(areq->base.tfm), op->byte_count, areq->nbytes, op->mode, op->len, op->hash[0]); - if (areq->nbytes == 0) + if (unlikely(areq->nbytes == 0) && (op->flags & SS_HASH_FINAL) == 0) return 0; /* protect against overflow */ - if (areq->nbytes > UINT_MAX - op->len) { + if (unlikely(areq->nbytes > UINT_MAX - op->len)) { dev_err(ss->dev, "Cannot process too large request\n"); return -EINVAL; } - if (op->len + areq->nbytes < 64) { + if (op->len + areq->nbytes < 64 && (op->flags & SS_HASH_FINAL) == 0) { /* linearize data to op->buf */ copied = sg_pcopy_to_buffer(areq->src, sg_nents(areq->src), op->buf + op->len, areq->nbytes, 0); @@ -203,14 +214,6 @@ int sun4i_hash_update(struct ahash_request *areq) return 0; } - end = ((areq->nbytes + op->len) / 64) * 64 - op->len; - - if (end > areq->nbytes || areq->nbytes - end > 63) { - dev_err(ss->dev, "ERROR: Bound error %u %u\n", - end, areq->nbytes); - return -EINVAL; - } - spin_lock_bh(>slock); /* @@ -225,6 +228,33 @@ int sun4i_hash_update(struct ahash_request *areq) /* Enable the device */ writel(op->mode | SS_ENABLED | ivmode, ss->base + SS_CTL); + if ((op->flags & SS_HASH_UPDATE) == 0) + goto hash_final; + + /* start of handling data */ + if ((op->flags & SS_HASH_FINAL) == 0) { + end = ((areq->nbytes + op->len) / 64) * 64 - op->len; + + if (end > areq->nbytes || areq->nbytes - end > 63) { + dev_err(ss->dev, "ERROR: Bound error %u %u\n", + end, areq->nbytes); + return -EINVAL; + } + } else { + /* Since we have the flag final, we can go up to modulo 4 */ + end = ((areq->nbytes + op->len) / 4) * 4 - op->len; + } + + /* TODO if SGlen % 4 and op->len == 0 then DMA */ + i = 1; + while (in_sg && i == 1) { + if ((in_sg->length % 4) != 0) + i = 0; + in_sg = sg_next(in_sg); + } + if (i == 1 && op->len == 0) + dev_dbg(ss->dev, "We can DMA\n"); + i = 0; sg_miter_start(, areq->src, sg_nents(areq->src), SG_MITER_FROM_SG | SG_MITER_ATOMIC); @@ -285,7 +315,11 @@ int sun4i_hash_update(struct ahash_request *areq) } } } while (i < end); - /* final linear */ + + /* +* Now we have written to the device all that we can, +* store the remaining bytes in op->buf +*/ if ((areq->nbytes - i) < 64) { while (i < areq->nbytes && in_i < mi.length && op->len < 64) { /* how many bytes we can read from current SG */ @@ -304,13 +338,21 @@ int sun4i_hash_update(struct ahash_request *areq) sg_miter_stop(); + /* +* End of data process +* Now if
[PATCH 6/6] crypto: sun4i-ss: fix indentation of two crypto alg
Two crypto alg are badly indented, this patch fix this style issue. Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 68 - 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c index 107cd2a..3ac6c6c 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c @@ -172,45 +172,45 @@ static struct sun4i_ss_alg_template ss_algs[] = { }, { .type = CRYPTO_ALG_TYPE_ABLKCIPHER, .alg.crypto = { - .cra_name = "cbc(des3_ede)", - .cra_driver_name = "cbc-des3-sun4i-ss", - .cra_priority = 300, - .cra_blocksize = DES3_EDE_BLOCK_SIZE, - .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER, - .cra_ctxsize = sizeof(struct sun4i_req_ctx), - .cra_module = THIS_MODULE, - .cra_alignmask = 3, - .cra_type = _ablkcipher_type, - .cra_init = sun4i_ss_cipher_init, - .cra_u.ablkcipher = { - .min_keysize= DES3_EDE_KEY_SIZE, - .max_keysize= DES3_EDE_KEY_SIZE, - .ivsize = DES3_EDE_BLOCK_SIZE, - .setkey = sun4i_ss_des3_setkey, - .encrypt= sun4i_ss_cbc_des3_encrypt, - .decrypt= sun4i_ss_cbc_des3_decrypt, + .cra_name = "cbc(des3_ede)", + .cra_driver_name = "cbc-des3-sun4i-ss", + .cra_priority = 300, + .cra_blocksize = DES3_EDE_BLOCK_SIZE, + .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER, + .cra_ctxsize = sizeof(struct sun4i_req_ctx), + .cra_module = THIS_MODULE, + .cra_alignmask = 3, + .cra_type = _ablkcipher_type, + .cra_init = sun4i_ss_cipher_init, + .cra_u.ablkcipher = { + .min_keysize= DES3_EDE_KEY_SIZE, + .max_keysize= DES3_EDE_KEY_SIZE, + .ivsize = DES3_EDE_BLOCK_SIZE, + .setkey = sun4i_ss_des3_setkey, + .encrypt= sun4i_ss_cbc_des3_encrypt, + .decrypt= sun4i_ss_cbc_des3_decrypt, } } }, { .type = CRYPTO_ALG_TYPE_ABLKCIPHER, .alg.crypto = { - .cra_name = "ecb(des3_ede)", - .cra_driver_name = "ecb-des3-sun4i-ss", - .cra_priority = 300, - .cra_blocksize = DES3_EDE_BLOCK_SIZE, - .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER, - .cra_ctxsize = sizeof(struct sun4i_req_ctx), - .cra_module = THIS_MODULE, - .cra_alignmask = 3, - .cra_type = _ablkcipher_type, - .cra_init = sun4i_ss_cipher_init, - .cra_u.ablkcipher = { - .min_keysize= DES3_EDE_KEY_SIZE, - .max_keysize= DES3_EDE_KEY_SIZE, - .ivsize = DES3_EDE_BLOCK_SIZE, - .setkey = sun4i_ss_des3_setkey, - .encrypt= sun4i_ss_ecb_des3_encrypt, - .decrypt= sun4i_ss_ecb_des3_decrypt, + .cra_name = "ecb(des3_ede)", + .cra_driver_name = "ecb-des3-sun4i-ss", + .cra_priority = 300, + .cra_blocksize = DES3_EDE_BLOCK_SIZE, + .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER, + .cra_ctxsize = sizeof(struct sun4i_req_ctx), + .cra_module = THIS_MODULE, + .cra_alignmask = 3, + .cra_type = _ablkcipher_type, + .cra_init = sun4i_ss_cipher_init, + .cra_u.ablkcipher = { + .min_keysize= DES3_EDE_KEY_SIZE, + .max_keysize= DES3_EDE_KEY_SIZE, + .ivsize = DES3_EDE_BLOCK_SIZE, + .setkey = sun4i_ss_des3_setkey, + .encrypt= sun4i_ss_ecb_des3_encrypt, + .decrypt= sun4i_ss_ecb_des3_decrypt, } } }, -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
How best to {en,de}crypt between sk_buff and iov_iter?
Is there a good way to encrypt data held in an iov_iter directly into an sk_buff and decrypt data held in an sk_buff back into an iov_iter? What I would like to avoid is: (a) Invoking skb_cow_data() to potentially take an unnecessary copy of the data I shouldn't need to change, but I need to do this to decrypt in place. (b) Having to copy the unencrypted data between the sk_buff and the iov_iter when the crypto process ought to get me a free copy. One problem, though, is that I might not be able to do drain/fill a complete sk_buff in a single operation because the iov_iter might not give me sufficient bufferage/data to do that, so it may take multiple operations. However, since I'm using an skcipher, I think it should be fine to call crypto_skcipher_encrypt() multiple times on the same skcipher. I can see a couple of alternatives: (1) Duplicate skb_copy_datagram_iter(), give it an initialised skcipher_request and let it set the crypto parameters for each block it transfers. copy_to_iter() would then need to be replaced with something that sets up an sglist each time from the iov. Something similar would need doing for skb_copy_datagram_from_iter(). (2) Create an sglist for the skb and one for the iov_iter and encrypt/decrypt between them. Unfortunately, if the iov_iter is a userspace reference then this would mean pinning userspace pages. (3) Add an {en,de}crypt-to-iov_iter capability to the crypto layer. I'm not sure how well this would work for hardware support, though. I think we'd come back to pinning userspace pages. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: XTS - remove test that will fail in FIPS mode
Hi Tapas, Herbert, Tapas: this patch should fix it. Can you please test? Herbert: The reason why I have to caught this issue in my tests is the following: I compile xts-aes-aesni statically as you can see below. The self test is marked as passed, although there is no XTS test performed. When you boot in FIPS mode, the testmgr prints out all tests. But XTS is not among them. Do you have an idea why that happens? name : xts(aes) driver : xts-aes-aesni module : kernel priority : 400 refcnt : 1 selftest : passed internal : no type : ablkcipher async: yes blocksize: 16 min keysize : 32 max keysize : 64 ivsize : 16 geniv: ---8<--- In FIPS mode, setting XTS keys where the AES key is identical to the tweak key is forbidden. Thus, the self test with such property will fail in FIPS mode. As we have other tests available for XTS, this patch simply removes the offending test vectors. Reported-by: Tapas SarangiSigned-off-by: Stephan Mueller --- crypto/testmgr.h | 36 1 file changed, 36 deletions(-) diff --git a/crypto/testmgr.h b/crypto/testmgr.h index acb6bbf..e4b58f5 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -10179,24 +10179,6 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = { static struct cipher_testvec tf_xts_enc_tv_template[] = { /* Generated from AES-XTS test vectors */ { - .key= "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .klen = 32, - .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .input = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .ilen = 32, - .result = "\x4b\xc9\x44\x4a\x11\xa3\xef\xac" - "\x30\x74\xe4\x44\x52\x77\x97\x43" - "\xa7\x60\xb2\x45\x2e\xf9\x00\x90" - "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0", - .rlen = 32, - }, { .key= "\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11" "\x22\x22\x22\x22\x22\x22\x22\x22" @@ -10522,24 +10504,6 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = { /* Generated from AES-XTS test vectors */ /* same as enc vectors with input and result reversed */ { - .key= "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .klen = 32, - .iv = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .input = "\x4b\xc9\x44\x4a\x11\xa3\xef\xac" - "\x30\x74\xe4\x44\x52\x77\x97\x43" - "\xa7\x60\xb2\x45\x2e\xf9\x00\x90" - "\x9f\xaa\xfd\x89\x6e\x9d\x4a\xe0", - .ilen = 32, - .result = "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", - .rlen = 32, - }, { .key= "\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11" "\x22\x22\x22\x22\x22\x22\x22\x22" -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: fix a little typo
The sentence 'Based on' is misspelled, respell it. Signed-off-by: LABBE Corentin--- crypto/xts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/xts.c b/crypto/xts.c index 26ba583..305343f 100644 --- a/crypto/xts.c +++ b/crypto/xts.c @@ -5,7 +5,7 @@ * * Copyright (c) 2007 Rik Snel * - * Based om ecb.c + * Based on ecb.c * Copyright (c) 2006 Herbert Xu * * This program is free software; you can redistribute it and/or modify it -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2] ath9k: disable RNG by default
Am Mittwoch, 10. August 2016, 06:46:31 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > Would you please provide a recent NIST document which asks the entropy > source to pass the NIST randomness tests ? See FIPS 140-2 IG 7.15 which explicitly references SP800-22. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 3/6] crypto: sun4i-ss: clean unused ss
The ss variable is never used, remove it. Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-hash.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c index 2fb0684..7841d73 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-hash.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-hash.c @@ -32,12 +32,10 @@ int sun4i_hash_init(struct ahash_request *areq) struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); struct ahash_alg *alg = __crypto_ahash_alg(tfm->base.__crt_alg); struct sun4i_ss_alg_template *algt; - struct sun4i_ss_ctx *ss; memset(op, 0, sizeof(struct sun4i_req_ctx)); algt = container_of(alg, struct sun4i_ss_alg_template, alg.hash); - ss = algt->ss; op->ss = algt->ss; op->mode = algt->mode; -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/6] crypto: sun4i-ss: fix a few signed warning
The variable i is always checked against unsigned value and cannot be negative. This patch set it as unsigned. Signed-off-by: LABBE Corentin--- drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c index 3830d7c..90efd10 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c @@ -29,7 +29,8 @@ static int sun4i_ss_opti_poll(struct ablkcipher_request *areq) u32 tx_cnt = 0; u32 spaces; u32 v; - int i, err = 0; + int err = 0; + unsigned int i; unsigned int ileft = areq->nbytes; unsigned int oleft = areq->nbytes; unsigned int todo; @@ -139,7 +140,8 @@ static int sun4i_ss_cipher_poll(struct ablkcipher_request *areq) u32 tx_cnt = 0; u32 v; u32 spaces; - int i, err = 0; + int err = 0; + unsigned int i; unsigned int ileft = areq->nbytes; unsigned int oleft = areq->nbytes; unsigned int todo; -- 2.7.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [cryptodev:master 17/45] drivers/crypto/ccp/ccp-dev-v5.c:838:3: error: label 'e_hwrng' used but not defined
A patch for this will be submitted shortly. On 08/10/2016 10:30 AM, kbuild test robot wrote: tree: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master head: 47856204146ba6fd0f198dbb23c4ed7ad1c3fd99 commit: 99d90b2ebd8b327c0c496798db99009b30c70945 [17/45] crypto: ccp - Enable DMA service on a v5 CCP config: i386-randconfig-h1-08102150 (attached as .config) compiler: gcc-6 (Debian 6.1.1-9) 6.1.1 20160705 reproduce: git checkout 99d90b2ebd8b327c0c496798db99009b30c70945 # save the attached .config to linux build tree make ARCH=i386 Note: the cryptodev/master HEAD 47856204146ba6fd0f198dbb23c4ed7ad1c3fd99 builds fine. It only hurts bisectibility. All errors (new ones prefixed by >>): drivers/crypto/ccp/ccp-dev-v5.c: In function 'ccp5_init': drivers/crypto/ccp/ccp-dev-v5.c:838:3: error: label 'e_hwrng' used but not defined goto e_hwrng; ^~~~ vim +/e_hwrng +838 drivers/crypto/ccp/ccp-dev-v5.c 832 if (ret) 833 goto e_kthread; 834 835 /* Register the DMA engine support */ 836 ret = ccp_dmaengine_register(ccp); 837 if (ret) > 838 goto e_hwrng; 839 840 return 0; 841 --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v4] DH support: add KDF handling support
Add the interface logic to support DH with KDF handling support. The dh_compute code now allows the following options: - no KDF support / output of raw DH shared secret: dh_compute - KDF support without "other information" string: dh_compute_kdf - KDF support with "other information string: dh_compute_kdf_oi where the OI string is provided on STDIN. The test to verify the code is based on a test vector used for the CAVS testing of SP800-56A. Signed-off-by: Stephan Mueller--- Makefile | 1 + keyctl.c | 133 keyutils.c | 14 +++ keyutils.h | 11 ++ man/keyctl_dh_compute.3 | 58 +++ tests/keyctl/dh_compute/valid/runtest.sh | 168 +++ tests/toolbox.inc.sh | 44 version.lds | 2 + 8 files changed, 431 insertions(+) diff --git a/Makefile b/Makefile index 824bbbf..90fc33f 100644 --- a/Makefile +++ b/Makefile @@ -195,6 +195,7 @@ endif $(LNS) keyctl_read.3 $(DESTDIR)$(MAN3)/keyctl_read_alloc.3 $(LNS) recursive_key_scan.3 $(DESTDIR)$(MAN3)/recursive_session_key_scan.3 $(LNS) keyctl_dh_compute.3 $(DESTDIR)$(MAN3)/keyctl_dh_compute_alloc.3 + $(LNS) keyctl_dh_compute.3 $(DESTDIR)$(MAN3)/keyctl_dh_compute_kdf.3 $(INSTALL) -D -m 0644 keyutils.h $(DESTDIR)$(INCLUDEDIR)/keyutils.h ### diff --git a/keyctl.c b/keyctl.c index edb03de..fcf2f02 100644 --- a/keyctl.c +++ b/keyctl.c @@ -20,6 +20,7 @@ #include #include #include "keyutils.h" +#include struct command { void (*action)(int argc, char *argv[]) __attribute__((noreturn)); @@ -67,6 +68,8 @@ static nr void act_keyctl_purge(int argc, char *argv[]); static nr void act_keyctl_invalidate(int argc, char *argv[]); static nr void act_keyctl_get_persistent(int argc, char *argv[]); static nr void act_keyctl_dh_compute(int argc, char *argv[]); +static nr void act_keyctl_dh_compute_kdf(int argc, char *argv[]); +static nr void act_keyctl_dh_compute_kdf_oi(int argc, char *argv[]); const struct command commands[] = { { act_keyctl___version, "--version","" }, @@ -76,6 +79,8 @@ const struct command commands[] = { { act_keyctl_clear, "clear","" }, { act_keyctl_describe, "describe", "" }, { act_keyctl_dh_compute, "dh_compute", " " }, + { act_keyctl_dh_compute_kdf, "dh_compute_kdf", " " }, + { act_keyctl_dh_compute_kdf_oi, "dh_compute_kdf_oi", " " }, { act_keyctl_instantiate, "instantiate"," " }, { act_keyctl_invalidate,"invalidate", "" }, { act_keyctl_get_persistent, "get_persistent", " []" }, @@ -1663,6 +1668,7 @@ static void act_keyctl_dh_compute(int argc, char *argv[]) } printf("%02hhx", *p); + *p = 0x00; /* zeroize buffer */ p++; col++; @@ -1674,6 +1680,133 @@ static void act_keyctl_dh_compute(int argc, char *argv[]) } while (--ret > 0); printf("\n"); + + free(buffer); + + exit(0); +} + +static void act_keyctl_dh_compute_kdf(int argc, char *argv[]) +{ + key_serial_t private, prime, base; + char *buffer; + char *p; + int ret, sep, col; + unsigned long buflen = 0; + + if (argc != 6) + format(); + + private = get_key_id(argv[1]); + prime = get_key_id(argv[2]); + base = get_key_id(argv[3]); + + buflen = strtoul(argv[4], NULL, 10); + if (buflen == ULONG_MAX) + error("dh_compute: cannot convert generated length value"); + + buffer = malloc(buflen); + if (!buffer) + error("dh_compute: cannot allocate memory"); + + ret = keyctl_dh_compute_kdf(private, prime, base, argv[5], NULL, 0, + buffer, buflen); + if (ret < 0) + error("keyctl_dh_compute_alloc"); + + /* hexdump the contents */ + printf("%u bytes of data in result:\n", ret); + + sep = 0; + col = 0; + p = buffer; + + do { + if (sep) { + putchar(sep); + sep = 0; + } + + printf("%02hhx", *p); + *p = 0x00; /* zeroize buffer */ + p++; + + col++; + if (col % 32 == 0) + sep = '\n'; + else if (col % 4 == 0) + sep = ' '; + + } while (--ret > 0); + + printf("\n"); + + free(buffer); + + exit(0); +} + +static void act_keyctl_dh_compute_kdf_oi(int argc, char *argv[]) +{ + key_serial_t private, prime, base; + char *buffer; + char
[PATCH v4] KEYS: add SP800-56A KDF support for DH
SP800-56A defines the use of DH with key derivation function based on a counter. The input to the KDF is defined as (DH shared secret || other information). The value for the "other information" is to be provided by the caller. The KDF is provided by the kernel crypto API. The SP800-56A KDF is equal to the SP800-108 counter KDF. However, the caller is allowed to specify the KDF type that he wants to use to derive the key material allowing the use of the other KDFs provided with the kernel crypto API. As the KDF implements the proper truncation of the DH shared secret to the requested size, this patch fills the caller buffer up to its size. The patch is tested with a new test added to the keyutils user space code which uses a CAVS test vector testing the compliance with SP800-56A. Signed-off-by: Stephan Mueller--- Documentation/security/keys.txt | 35 ++--- include/linux/compat.h | 7 +++ include/uapi/linux/keyctl.h | 7 +++ security/keys/Kconfig | 1 + security/keys/Makefile | 3 +- security/keys/compat.c | 5 +- security/keys/compat_dh.c | 36 + security/keys/dh.c | 110 +++- security/keys/internal.h| 21 +++- security/keys/keyctl.c | 2 +- 10 files changed, 201 insertions(+), 26 deletions(-) create mode 100644 security/keys/compat_dh.c diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 3849814..9df0605 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -827,7 +827,7 @@ The keyctl syscall functions are: long keyctl(KEYCTL_DH_COMPUTE, struct keyctl_dh_params *params, char *buffer, size_t buflen, - void *reserved); + struct keyctl_kdf_params *kdf); The params struct contains serial numbers for three keys: @@ -844,18 +844,37 @@ The keyctl syscall functions are: public key. If the base is the remote public key, the result is the shared secret. - The reserved argument must be set to NULL. + If the parameter kdf is NULL, the following applies: - The buffer length must be at least the length of the prime, or zero. +- The buffer length must be at least the length of the prime, or zero. - If the buffer length is nonzero, the length of the result is - returned when it is successfully calculated and copied in to the - buffer. When the buffer length is zero, the minimum required - buffer length is returned. +- If the buffer length is nonzero, the length of the result is + returned when it is successfully calculated and copied in to the + buffer. When the buffer length is zero, the minimum required + buffer length is returned. + + The kdf parameter allows the caller to apply a key derivation function + (KDF) on the Diffie-Hellman computation where only the result + of the KDF is returned to the caller. The KDF is characterized with + struct keyctl_kdf_params as follows: + +- char *kdfname specifies the NUL terminated string identifying + the KDF function used from the kernel crypto API. As of now, + only non-keyed KDFs are supported, such as kdf_ctr(sha256), + kdf_fb(sha1) or kdf_dpi(sha512). The use of kdf_ctr() complies + with SP800-56A. + +- char *otherinfo specifies the OtherInfo data as documented in + SP800-56A section 5.8.1.2. The length of the buffer is given with + otherinfolen. The format of OtherInfo is defined by the caller. + The otherinfo pointer may be NULL if no OtherInfo shall be used. This function will return error EOPNOTSUPP if the key type is not supported, error ENOKEY if the key could not be found, or error - EACCES if the key is not readable by the caller. + EACCES if the key is not readable by the caller. In addition, the + function will return EMSGSIZE when the parameter kdf is non-NULL + and either the buffer length or the OtherInfo length exceeds the + allowed length. === KERNEL SERVICES diff --git a/include/linux/compat.h b/include/linux/compat.h index f964ef7..00f348f 100644 --- a/include/linux/compat.h +++ b/include/linux/compat.h @@ -295,6 +295,13 @@ struct compat_old_sigaction { }; #endif +struct compat_keyctl_kdf_params { + compat_uptr_t kdfname; + compat_uptr_t otherinfo; + __u32 otherinfolen; + __u32 __spare[8]; +}; + struct compat_statfs; struct compat_statfs64; struct compat_old_linux_dirent; diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index 86eddd6..0abe048 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h @@ -68,4 +68,11 @@ struct keyctl_dh_params { __s32 base; }; +struct keyctl_kdf_params { + char *kdfname; + char
Re: [PATCH 2/2] ath9k: disable RNG by default
Am Mittwoch, 10. August 2016, 06:04:32 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > FIPS RNG test is supposed to be run on the output of an RNG, and not on the > RNG entropy source. It is not surprising that the RNG input fails the > entropy tests from NIST. Check the following example. > > Imagine you have a perfectly random sequence, a_1, a_2, .., a_n, where each > a_i is a byte. And imagine, this sequence passes all randomness tests. > > Now, let's say I create a new sequence a_1, 0, a_2, 0, a_3, 0, ..., 0, a_n, > where each zero is a byte > > If you give this sequence (as an entropy source) to a randomness test, it > will fail most of the tests, if not all. This does not mean this sequence > is not appropriate as an entropy source, it just means we need twice more > bytes to gain the same amount of entropy. Agreed. But that is a very simplistic view. > > I can give this 2n byte sequence to an RNG as an entropy source and it > provides the same amount of security as if I give the n byte stream. Well, I am working with standards bodies like NIST and BSI on RNG assessments. They all require that the noise source (pre-whitening, of course) pass statistical tests like the AIS20 tests, SP800-22 and similar. If you fail, you better have a good argument. And the only argument that is kind of allowed is that you oversample your noise source to seed a DRNG from (i.e. have an entropy to data ratio of significantly below 1). And the argument for the oversampling rate is always a very interesting discussion. You apply 10/32. In private, I am wondering about that ratio, but this should not be discussed here as I hope you have a valid argument for that. As we are talking about the current rngd, we have to consider that it does *not* perform an oversampling (yet) as mentioned in the previous emails. Do not get me wrong on my initial patch: your RNG may provide some entropy. But there are quite some folks who want to understand and audit a noise source before using it. Your current implementation simply does not allow switching the noise source off to feed the input_pool with data that increases the entropy estimator (at runtime). Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH 2/2] ath9k: disable RNG by default
Hi Stephan, NIST SP 800-22-rev1a and NIST SP 800-90B are used together to evaluate the amount of min entropy the source provides, and not to decide if the source has passed the tests or failed. See https://github.com/usnistgov/SP800-90B_EntropyAssessment The goal is often to make sure the input entropy is more than the entropy we expect from the output. Thanks, Miaoqing -Original Message- From: Stephan Mueller [mailto:smuel...@chronox.de] Sent: Wednesday, August 10, 2016 2:52 PM To: Pan, MiaoqingCc: Herbert Xu ; Matt Mackall ; miaoq...@codeaurora.org; Valo, Kalle ; linux-wirel...@vger.kernel.org; ath9k-devel ; linux-crypto@vger.kernel.org; ja...@lakedaemon.net; Sepehrdad, Pouyan Subject: Re: [PATCH 2/2] ath9k: disable RNG by default Am Mittwoch, 10. August 2016, 06:46:31 CEST schrieb Pan, Miaoqing: Hi Miaoqing, > Hi Stephan, > > Would you please provide a recent NIST document which asks the entropy > source to pass the NIST randomness tests ? See FIPS 140-2 IG 7.15 which explicitly references SP800-22. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html