Make the jitterentropy RNG use lib/crypto/sha3 rather than crypto/sha3. For some reason it goes absolutely wild if crypto/sha3 is reimplemented to use lib/crypto/sha3, but it's fine if it uses lib directly.
Signed-off-by: David Howells <[email protected]> cc: Stephan Mueller <[email protected]> cc: Herbert Xu <[email protected]> cc: [email protected] --- crypto/jitterentropy-kcapi.c | 100 ++++++++++------------------------- crypto/jitterentropy.c | 7 +-- crypto/jitterentropy.h | 8 +-- 3 files changed, 36 insertions(+), 79 deletions(-) diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c index a53de7affe8d..b38118fe51cd 100644 --- a/crypto/jitterentropy-kcapi.c +++ b/crypto/jitterentropy-kcapi.c @@ -101,23 +101,13 @@ void jent_get_nstime(__u64 *out) jent_raw_hires_entropy_store(tmp); } -int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, +int jent_hash_time(struct sha3_256_ctx *hash_state, __u64 time, u8 *addtl, unsigned int addtl_len, __u64 hash_loop_cnt, unsigned int stuck) { - struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; - SHASH_DESC_ON_STACK(desc, hash_state_desc->tfm); + struct sha3_256_ctx desc; u8 intermediary[SHA3_256_DIGEST_SIZE]; __u64 j = 0; - int ret; - - desc->tfm = hash_state_desc->tfm; - - if (sizeof(intermediary) != crypto_shash_digestsize(desc->tfm)) { - pr_warn_ratelimited("Unexpected digest size\n"); - return -EINVAL; - } - kmsan_unpoison_memory(intermediary, sizeof(intermediary)); /* * This loop fills a buffer which is injected into the entropy pool. @@ -130,24 +120,20 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, * * Note, it does not matter which or how much data you inject, we are * interested in one Keccack1600 compression operation performed with - * the crypto_shash_final. + * the sha3_256_final. */ for (j = 0; j < hash_loop_cnt; j++) { - ret = crypto_shash_init(desc) ?: - crypto_shash_update(desc, intermediary, - sizeof(intermediary)) ?: - crypto_shash_finup(desc, addtl, addtl_len, intermediary); - if (ret) - goto err; + sha3_256_init(&desc); + sha3_256_update(&desc, intermediary, sizeof(intermediary)); + sha3_256_update(&desc, addtl, addtl_len); + sha3_256_final(&desc, intermediary); } /* * Inject the data from the previous loop into the pool. This data is * not considered to contain any entropy, but it stirs the pool a bit. */ - ret = crypto_shash_update(hash_state_desc, intermediary, sizeof(intermediary)); - if (ret) - goto err; + sha3_256_update(hash_state, intermediary, sizeof(intermediary)); /* * Insert the time stamp into the hash context representing the pool. @@ -162,30 +148,25 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, time = 0; } - ret = crypto_shash_update(hash_state_desc, (u8 *)&time, sizeof(__u64)); - -err: - shash_desc_zero(desc); + sha3_256_update(hash_state, (u8 *)&time, sizeof(__u64)); memzero_explicit(intermediary, sizeof(intermediary)); - - return ret; + return 0; } -int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len) +int jent_read_random_block(struct sha3_256_ctx *hash_state, char *dst, unsigned int dst_len) { - struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state; u8 jent_block[SHA3_256_DIGEST_SIZE]; + /* Obtain data from entropy pool and re-initialize it */ - int ret = crypto_shash_final(hash_state_desc, jent_block) ?: - crypto_shash_init(hash_state_desc) ?: - crypto_shash_update(hash_state_desc, jent_block, - sizeof(jent_block)); + sha3_256_final(hash_state, jent_block); + sha3_256_init(hash_state); + sha3_256_update(hash_state, jent_block, sizeof(jent_block)); - if (!ret && dst_len) + if (dst_len) memcpy(dst, jent_block, dst_len); memzero_explicit(jent_block, sizeof(jent_block)); - return ret; + return 0; } /*************************************************************************** @@ -195,8 +176,7 @@ int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len) struct jitterentropy { spinlock_t jent_lock; struct rand_data *entropy_collector; - struct crypto_shash *tfm; - struct shash_desc *sdesc; + struct sha3_256_ctx *sdesc; }; static void jent_kcapi_cleanup(struct crypto_tfm *tfm) @@ -205,16 +185,10 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm) spin_lock(&rng->jent_lock); - if (rng->sdesc) { - shash_desc_zero(rng->sdesc); - kfree(rng->sdesc); - } + if (rng->sdesc) + kfree_sensitive(rng->sdesc); rng->sdesc = NULL; - if (rng->tfm) - crypto_free_shash(rng->tfm); - rng->tfm = NULL; - if (rng->entropy_collector) jent_entropy_collector_free(rng->entropy_collector); rng->entropy_collector = NULL; @@ -224,9 +198,8 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm) static int jent_kcapi_init(struct crypto_tfm *tfm) { struct jitterentropy *rng = crypto_tfm_ctx(tfm); - struct crypto_shash *hash; - struct shash_desc *sdesc; - int size, ret = 0; + struct sha3_256_ctx *sdesc; + int ret = 0; spin_lock_init(&rng->jent_lock); @@ -239,22 +212,13 @@ static int jent_kcapi_init(struct crypto_tfm *tfm) * using a fast implementation, we would need to call it more often * as its variations are lower. */ - hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); - if (IS_ERR(hash)) { - pr_err("Cannot allocate conditioning digest\n"); - return PTR_ERR(hash); - } - rng->tfm = hash; - - size = sizeof(struct shash_desc) + crypto_shash_descsize(hash); - sdesc = kmalloc(size, GFP_KERNEL); + sdesc = kmalloc(sizeof(struct sha3_256_ctx), GFP_KERNEL); if (!sdesc) { ret = -ENOMEM; goto err; } - sdesc->tfm = hash; - crypto_shash_init(sdesc); + sha3_256_init(sdesc); rng->sdesc = sdesc; rng->entropy_collector = @@ -334,23 +298,15 @@ static struct rng_alg jent_alg = { static int __init jent_mod_init(void) { - SHASH_DESC_ON_STACK(desc, tfm); - struct crypto_shash *tfm; + struct sha3_256_ctx desc; int ret = 0; jent_testing_init(); - tfm = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0); - if (IS_ERR(tfm)) { - jent_testing_exit(); - return PTR_ERR(tfm); - } + sha3_256_init(&desc); - desc->tfm = tfm; - crypto_shash_init(desc); - ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc, NULL); - shash_desc_zero(desc); - crypto_free_shash(tfm); + ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, &desc, NULL); + memzero_explicit(&desc, sizeof(desc)); if (ret) { /* Handle permanent health test error */ if (fips_enabled) diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c index 3f93cdc9a7af..36701447cc85 100644 --- a/crypto/jitterentropy.c +++ b/crypto/jitterentropy.c @@ -68,7 +68,7 @@ struct rand_data { * of the RNG are marked as SENSITIVE. A user must not * access that information while the RNG executes its loops to * calculate the next random value. */ - void *hash_state; /* SENSITIVE hash state entropy pool */ + struct sha3_256_ctx *hash_state; /* SENSITIVE hash state entropy pool */ __u64 prev_time; /* SENSITIVE Previous time stamp */ __u64 last_delta; /* SENSITIVE stuck test */ __s64 last_delta2; /* SENSITIVE stuck test */ @@ -656,7 +656,7 @@ int jent_read_entropy(struct rand_data *ec, unsigned char *data, struct rand_data *jent_entropy_collector_alloc(unsigned int osr, unsigned int flags, - void *hash_state) + struct sha3_256_ctx *hash_state) { struct rand_data *entropy_collector; @@ -704,7 +704,8 @@ void jent_entropy_collector_free(struct rand_data *entropy_collector) jent_zfree(entropy_collector); } -int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state, +int jent_entropy_init(unsigned int osr, unsigned int flags, + struct sha3_256_ctx *hash_state, struct rand_data *p_ec) { /* diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h index 4c5dbf2a8d8f..e4acbce79d9d 100644 --- a/crypto/jitterentropy.h +++ b/crypto/jitterentropy.h @@ -5,20 +5,20 @@ extern void jent_kvzfree(void *ptr, unsigned int len); extern void *jent_zalloc(unsigned int len); extern void jent_zfree(void *ptr); extern void jent_get_nstime(__u64 *out); -extern int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, +extern int jent_hash_time(struct sha3_256_ctx *hash_state, __u64 time, u8 *addtl, unsigned int addtl_len, __u64 hash_loop_cnt, unsigned int stuck); -int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len); +int jent_read_random_block(struct sha3_256_ctx *hash_state, char *dst, unsigned int dst_len); struct rand_data; extern int jent_entropy_init(unsigned int osr, unsigned int flags, - void *hash_state, struct rand_data *p_ec); + struct sha3_256_ctx *hash_state, struct rand_data *p_ec); extern int jent_read_entropy(struct rand_data *ec, unsigned char *data, unsigned int len); extern struct rand_data *jent_entropy_collector_alloc(unsigned int osr, unsigned int flags, - void *hash_state); + struct sha3_256_ctx *hash_state); extern void jent_entropy_collector_free(struct rand_data *entropy_collector); #ifdef CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE
