Re: [PATCH] random: add blocking facility to urandom

2011-09-06 Thread Stephan Mueller
On 05.09.2011 04:36:29, +0200, Sandy Harris sandyinch...@gmail.com wrote: Hi Sandy, On Fri, Sep 2, 2011 at 10:37 PM, Jarod Wilson ja...@redhat.com wrote: Certain security-related certifications and their respective review bodies have said that they find use of /dev/urandom for certain

Re: [PATCH] random: add blocking facility to urandom

2011-09-07 Thread Stephan Mueller
On 07.09.2011 23:18:58, +0200, Ted Ts'o ty...@mit.edu wrote: Hi Ted, On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote: When a system is under attack, do you really want to be using a PRNG for anything like seeding openssl? Because a PRNG is what urandom degrades into when its

Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput

2013-02-10 Thread Stephan Mueller
On 09.02.2013 19:06:29, +0100, Theodore Ts'o ty...@mit.edu wrote: Hi Ted, thank you for the review. On Fri, Feb 08, 2013 at 11:04:54PM +0100, Stephan Mueller wrote: * an array of statistical test suites pass the output of the entropy collector (again, the output is not mangled

Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput

2013-02-10 Thread Stephan Mueller
On 10.02.2013 02:57:51, +0100, Jeff Epler jep...@unpythonic.net wrote: Hi Jeff, On Sat, Feb 09, 2013 at 01:06:29PM -0500, Theodore Ts'o wrote: For that reasons, what I would suggest doing first is generate a series of outputs of jitterentropy_get_nstime() followed by schedule(). Look and see

Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput

2013-02-10 Thread Stephan Mueller
On 10.02.2013 19:50:02, +0100, Theodore Ts'o ty...@mit.edu wrote: Hi Ted, On Sun, Feb 10, 2013 at 01:46:18PM +0100, Stephan Mueller wrote: However, the CPU has timing jitter in the execution of instruction. And I try to harvest that jitter. The good thing is that this jitter is always present

Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput

2013-02-21 Thread Stephan Mueller
On 21.02.2013 15:07:12, +0100, Phil Carmody pc+l...@asdf.org wrote: Hi Phil, Apologies if this is misthreaded, I had to hand-craft the headers. The patch offers an entropy generator based on CPU timing jitter. The entropy collector has the following properties: * it does not maintain any

[PATCH][RFC] CPU Jitter random number generator

2013-05-13 Thread Stephan Mueller
at the web site as well. Note: for the kernel crypto API, please read the provided Kconfig file for the provided switches and which of them are recommended in regular operation. These switches must currently be set manually in the Makefile. Ciao Stephan Signed-off-by: Stephan Mueller smuel

[PATCH][RFC] CPU Jitter random number generator (resent)

2013-05-21 Thread Stephan Mueller
the documentation are available at the web site as well. Note: for the kernel crypto API, please read the provided Kconfig file for the switches and which of them are recommended in regular operation. These switches must currently be set manually in the Makefile. Ciao Stephan Signed-off-by: Stephan Mueller smuel

Re: [PATCH][RFC] CPU Jitter random number generator (resent)

2013-05-21 Thread Stephan Mueller
On Tue, 21 May 2013 12:09:02 -0400 Sandy Harris sandyinch...@gmail.com wrote: Hi Sandy, I very much like the basic notion here. The existing random(4) driver may not get enough entropy in a VM or on a device like a Linux router and I think work such as yours or HAVEGE (

Re: [PATCH][RFC] CPU Jitter random number generator (resent)

2013-05-22 Thread Stephan Mueller
On Tue, 21 May 2013 17:39:49 -0400 Sandy Harris sandyinch...@gmail.com wrote: Hi Sandy, On Tue, May 21, 2013 at 3:01 PM, Theodore Ts'o ty...@mit.edu wrote: I continue to be suspicious about claims that userspace timing measurements are measuring anything other than OS behaviour. Yes,

Re: [PATCH][RFC] CPU Jitter random number generator (resent)

2013-05-22 Thread Stephan Mueller
On Wed, 22 May 2013 13:40:04 -0400 Sandy Harris sandyinch...@gmail.com wrote: Hi Sandy, Stephan Mueller smuel...@chronox.de wrote: Ted is right that the non-deterministic behavior is caused by the OS due to its complexity. ... For VM's, it means we should definitely use

Re: [PATCH][RFC] CPU Jitter random number generator (resent)

2013-05-23 Thread Stephan Mueller
used as a fallback. The patch is tested with 3.9. Signed-off-by: Stephan Mueller smuel...@chronox.de --- diff -urNp linux-3.9.orig/drivers/char/Makefile linux-3.9/drivers/char/Makefile --- linux-3.9.orig/drivers/char/Makefile2013-05-22 20:55:58.547094987 +0200 +++ linux-3.9/drivers/char

[PATCH][RFC] Tests on 200 different CPUs/Arches and OSes with CPU Jitter RNG

2013-08-18 Thread Stephan Mueller
Hi Sandy, Ted, (this is a reply to [3]) I prepared a new release of the CPU Jitter RNG available at [1]. The core of the RNG remains unchanged. However, there are the following changes: - addition of a patch to integrate the RNG into /dev/random as explained in appendix B.3 of [2], although

Re: [PATCH][RFC] Tests on 200 different CPUs/Arches and OSes with CPU Jitter RNG

2013-08-20 Thread Stephan Mueller
On Sunday, 18 August 2013, 20:05:52, Stephan Mueller wrote: Hi Ted, Sandy, For FIPS 140-2, there is currently a draft of an Implementation Guidance discussed covering the requirements of seed sources for deterministic random number generators. The standard seed source when having

[PATCH][RFC] Tests on 200 different CPUs/Arches and OSes with CPU Jitter RNG (resent)

2013-09-09 Thread Stephan Mueller
Hi Ted, (this is a reply to [3] and possibly an addition to your blog [4]) I prepared a new release of the CPU Jitter RNG available at [1]. The core of the RNG remains unchanged. However, there are the following changes: - addition of a patch to integrate the RNG into /dev/random as explained

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-12 Thread Stephan Mueller
On Friday, 11 October 2013, 23:28:35, Theodore Ts'o wrote: Hi Theodore, Hi Stephan, I haven't had a chance to look at your paper in detail, yet, but a quick scan has found a huge red flag for me that puts the rest of your analysis in severe doubt for me. You say that you got really good

Re: Fwd: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-14 Thread Stephan Mueller
On Monday, 14 October 2013, 09:38:34, Sandy Harris wrote: Hi Sandy, Stephan Mueller smuel...@chronox.de wrote: If what you are doing is not a parity computation, then you need a better description so people like me do not misread it. It is not a parity computation that the folding loop

Re: Fwd: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-14 Thread Stephan Mueller
On Monday, 14 October 2013, 16:12:24, Stephan Mueller wrote: Hi Sandy, (PS: I am aware that in case none of the individual bits would contain one full bit of entropy, the folding operation may --mathematically spoken-- not deliver one full bit of entropy. However, after speaking
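As an added illustration, not code from Stephan Mueller's CPU Jitter RNG or from the kernel, the following Python sketch walks through the measurement procedure Ted suggests earlier in this thread (a series of timestamps, then look at the deltas before any whitening) and the folding point Sandy raises above: a plain XOR fold of a word to one bit is exactly the parity of that word. The Jitter RNG's own folding loop is described in its documentation and is not reproduced here. The 8-bit window on the deltas, the sample counts and the constructed distributions are assumptions for illustration; deltas taken under the Python interpreter are dominated by interpreter and OS overhead, so what the script prints demonstrates the method, not the entropy of any CPU.

```python
import time
from collections import Counter
from math import log2


def sample_deltas(count, low_bits=8):
    """Take `count` back-to-back timestamps and return the low bits of each delta.

    Only the low bits are kept: the high bits track how long the loop body
    takes on average, the low bits are where execution-time jitter shows up.
    (low_bits=8 is an assumed window for this illustration.)
    """
    mask = (1 << low_bits) - 1
    deltas = []
    prev = time.perf_counter_ns()
    for _ in range(count):
        now = time.perf_counter_ns()
        deltas.append((now - prev) & mask)
        prev = now
    return deltas


def xor_fold(value, width=64):
    """Fold `width` bits of `value` into one bit by XOR.

    XOR of all bits is the parity of the word, which is the objection raised
    in the thread: folding cannot create entropy the input bits do not carry.
    """
    bit = 0
    for i in range(width):
        bit ^= (value >> i) & 1
    return bit


def fold_to_bits(samples, width=8):
    """One folded bit per sample."""
    return [xor_fold(s, width) for s in samples]


def shannon_entropy(samples):
    """Shannon entropy in bits per sample of the empirical distribution.

    This is the optimistic figure; it is what most statistical test suites report.
    """
    n = len(samples)
    return -sum(c / n * log2(c / n) for c in Counter(samples).values())


def min_entropy(samples):
    """Min-entropy in bits per sample, driven by the single most common value.

    This is the conservative figure an attacker guessing the most likely
    outcome is bounded by, and the one to quote when crediting entropy.
    """
    n = len(samples)
    return -log2(max(Counter(samples).values()) / n)


def constructed_example():
    """Constructed, deterministic samples (not measurements) to exercise the estimators."""
    uniform = [0, 1, 2, 3] * 25       # uniform over four values: 2 bits per sample
    skewed = [0] * 75 + [1] * 25      # p_max = 0.75: Shannon 0.811 bits, min-entropy 0.415 bits
    return uniform, skewed


if __name__ == "__main__":
    deltas = sample_deltas(10000)
    print("raw low-byte Shannon estimate: %.3f bits/sample" % shannon_entropy(deltas))
    print("raw low-byte min-entropy     : %.3f bits/sample" % min_entropy(deltas))
    print("folded bit min-entropy       : %.3f bits/sample" % min_entropy(fold_to_bits(deltas)))
```

Run it a few times, then with the machine loaded and idle: the gap between the Shannon and min-entropy columns is the first thing to look at, since a source that looks "white" under Shannon can still have a dominant delta value that caps its min-entropy well below one bit per sample.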

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-14 Thread Stephan Mueller
On Monday, 14 October 2013, 10:14:00, Sandy Harris wrote: Hi Sandy, On Mon, Oct 14, 2013 at 9:38 AM, Sandy Harris sandyinch...@gmail.com wrote: Stephan Mueller smuel...@chronox.de wrote: Can you please help me understand why you think that a whitening function (cryptographic

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-14 Thread Stephan Mueller
On Monday, 14 October 2013, 11:18:16, Sandy Harris wrote: Hi Sandy, On Mon, Oct 14, 2013 at 10:40 AM, Stephan Mueller smuel...@chronox.de wrote: Another thing: when you start adding whitening functions, other people are starting (and did -- thus I added section 4.3 to my documentation

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-15 Thread Stephan Mueller
On Monday, 14 October 2013, 11:18:16, Sandy Harris wrote: Hi Sandy, Could you please review the following code to see that the mix function is right in your eyes? However, having done that, I see no reason not to add mixing. Using bit() for getting one bit of input and rotl(x) for rotating

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-28 Thread Stephan Mueller
On Friday, 11 October 2013, 20:38:51, Stephan Mueller wrote: Hi Ted, Hi, the CPU Jitter RNG [1] is a true random number generator that is intended to work in user and kernel space equally well on a large number of different CPUs. The heart of the RNG is about 30 lines of code. The current

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-28 Thread Stephan Mueller
On Monday, 28 October 2013, 14:06:23, Henrique de Moraes Holschuh wrote: Hi Henrique, On Mon, 28 Oct 2013, Stephan Mueller wrote: If it is accepted that the CPU Jitter RNG delivers entropy, the latter update may now allow us to get rid of storing the seed file during shutdown

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-29 Thread Stephan Mueller
On Monday, 28 October 2013, 17:45:49, Theodore Ts'o wrote: Hi Theodore, first of all, thank you for your thoughts. And, before we continue any discussion, please consider that all the big testing that is done to analyze the jitter so far did (a) not include any whitening schema

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-29 Thread Stephan Mueller
On Tuesday, 29 October 2013, 09:24:48, Theodore Ts'o wrote: Hi Theodore, On Tue, Oct 29, 2013 at 09:42:30AM +0100, Stephan Mueller wrote: Based on this suggestion, I now added the tests in Appendix F.46.8 where I disable the caches and the tests in Appendix F.46.9 where I disable

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-10-29 Thread Stephan Mueller
On Tuesday, 29 October 2013, 15:00:31, Stephan Mueller wrote: Hi Ted, On Tuesday, 29 October 2013, 09:24:48, Theodore Ts'o wrote: Hi Theodore, On Tue, Oct 29, 2013 at 09:42:30AM +0100, Stephan Mueller wrote: Based on this suggestion, I now added the tests in Appendix F.46.8 where I

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-03 Thread Stephan Mueller
On Saturday, 2 November 2013, 12:01:13, Pavel Machek wrote: Hi Pavel, Hi! sense of where the unpredictability might be coming from, and whether the unpredictability is coming from something which is fundamentally arising from something which is chaotic or quantum effect, or just because

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-05 Thread Stephan Mueller
On Sunday, 3 November 2013, 07:41:35, Theodore Ts'o wrote: Hi Theodore, On Sun, Nov 03, 2013 at 08:20:34AM +0100, Stephan Mueller wrote: Sandy Harris pointed out a very good paper that I would definitely recommend that people read: http://lwn.net/images/conf/rtlws11/random-hardware.pdf

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-05 Thread Stephan Mueller
On Monday, 4 November 2013, 00:32:07, Pavel Machek wrote: Hi Pavel, Hi! Another friend of mine mentioned that he assumes the rise and fall times of transistors vary very slightly and could be the main reason for the jitter. I do not think that this is really the case, because our gates

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-05 Thread Stephan Mueller
On Tuesday, 5 November 2013, 13:25:40, Stephan Mueller wrote: Hi Pavel, On Monday, 4 November 2013, 00:32:07, Pavel Machek wrote: But they usually _do_ have RTC or other clock, not driven by CPU oscillator. Good. What about just while (!enough_entropy) { cur_time = read_rtc

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Tuesday, 5 November 2013, 14:45:58, Stephan Mueller wrote: Hi Pavel, On Tuesday, 5 November 2013, 13:25:40, Stephan Mueller wrote: Hi Pavel, On Monday, 4 November 2013, 00:32:07, Pavel Machek wrote: But they usually _do_ have RTC or other clock, not driven by CPU oscillator. Good

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Tuesday, 5 November 2013, 13:20:57, Stephan Mueller wrote: Hi Ted, On Sunday, 3 November 2013, 07:41:35, Theodore Ts'o wrote: Hi Theodore, On Sun, Nov 03, 2013 at 08:20:34AM +0100, Stephan Mueller wrote: Sandy Harris pointed out a very good paper that I would definitely recommend

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Wednesday, 6 November 2013, 07:43:54, Theodore Ts'o wrote: Hi Theodore, On Wed, Nov 06, 2013 at 12:49:45PM +0100, Stephan Mueller wrote: Here is a quote from his answer to my question whether he was able to identify the root cause: it's inherent in the microtiming of Hardware

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Wednesday, 6 November 2013, 14:26:35, Pavel Machek wrote: Hi Pavel, Hi! I plugged that idea into my current Jitter RNG processing and disabled the other jitter measurements to get a clear, isolated picture. The result is also a white noise! And it is even quite fast. After doing

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Wednesday, 6 November 2013, 08:04:32, Theodore Ts'o wrote: Hi Theodore, On Wed, Nov 06, 2013 at 01:51:17PM +0100, Stephan Mueller wrote: That's unfortunate, since it leaves open the question of whether this jitter is something that could be at least somewhat predictable if you had a lot

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-06 Thread Stephan Mueller
On Thursday, 7 November 2013, 02:03:57, Nicholas Mc Guire wrote: Hi Nicholas, On Wed, 06 Nov 2013, Stephan Mueller wrote: On Wednesday, 6 November 2013, 07:43:54, Theodore Ts'o wrote: Hi Theodore, On Wed, Nov 06, 2013 at 12:49:45PM +0100, Stephan Mueller wrote: Here is a quote from

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-09 Thread Stephan Mueller
On Saturday, 9 November 2013, 23:04:49, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Wednesday, 6 November 2013, 08:04:32, Theodore Ts'o wrote: On Wed, Nov 06, 2013 at 01:51:17PM +0100, Stephan Mueller wrote: That's unfortunate, since it leaves open the question

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-09 Thread Stephan Mueller
On Saturday, 9 November 2013, 23:04:07, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Thursday, 7 November 2013, 02:03:57, Nicholas Mc Guire wrote: On Wed, 06 Nov 2013, Stephan Mueller wrote: Besides, how on earth shall an attacker even gain knowledge about the state

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-10 Thread Stephan Mueller
On Sunday, 10 November 2013, 17:31:07, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Saturday, 9 November 2013, 23:04:49, Clemens Ladisch wrote: Stephan Mueller wrote: On Wednesday, 6 November 2013, 08:04:32, Theodore Ts'o wrote: On Wed, Nov 06, 2013 at 01:51:17PM

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-12 Thread Stephan Mueller
On Sunday, 10 November 2013, 21:28:06, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Sunday, 10 November 2013, 17:31:07, Clemens Ladisch wrote: In the case of CPUs, the jitter you observe in delta times results in part from the complexities of the inner state

Re: [PATCH] CPU Jitter RNG: Executing time variation tests on bare metal

2013-11-12 Thread Stephan Mueller
On Tuesday, 29 October 2013, 09:24:48, Theodore Ts'o wrote: Hi Theodore, On Tue, Oct 29, 2013 at 09:42:30AM +0100, Stephan Mueller wrote: Based on this suggestion, I now added the tests in Appendix F.46.8 where I disable the caches and the tests in Appendix F.46.9 where I disable

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-13 Thread Stephan Mueller
On Wednesday, 13 November 2013, 12:51:44, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Sunday, 10 November 2013, 21:28:06, Clemens Ladisch wrote: Many CPUs allow to disable branch prediction, but this is very vendor specific (try to find MSR documentation). The biggest

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-14 Thread Stephan Mueller
On Thursday, 14 November 2013, 11:51:03, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Wednesday, 13 November 2013, 12:51:44, Clemens Ladisch wrote: (And any setting that increases accesses to main memory is likely to introduce more entropy due to clock drift between

Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random

2013-11-14 Thread Stephan Mueller
On Thursday, 14 November 2013, 19:30:22, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Thursday, 14 November 2013, 11:51:03, Clemens Ladisch wrote: An attacker would not try to detect patterns; he would apply knowledge of the internals. I do not buy that argument

Re: [RFC PATCH] char: random: stir the output pools differently when the random_write length allows splitting the seed

2014-01-10 Thread Stephan Mueller
On Friday, 10 January 2014, 09:13:57, Clemens Ladisch wrote: Hi Clemens, Rafael Aquini wrote: This patch introduces changes to the random_write method so it can split the given seed and completely stir the output pools with different halves of it, when seed length allows us doing so. -

Re: [RFC PATCH] char: random: stir the output pools differently when the random_write length allows splitting the seed

2014-01-10 Thread Stephan Mueller
On Friday, 10 January 2014, 12:37:26, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: On Friday, 10 January 2014, 09:13:57, Clemens Ladisch wrote: Rafael Aquini wrote: This patch introduces changes to the random_write method so it can split the given seed and completely stir

[PATCH 4/6] compile the DRBG code

2014-03-08 Thread Stephan Mueller
Signed-off-by: Stephan Mueller smuel...@chronox.de diff --git a/crypto/Makefile b/crypto/Makefile index b29402a..0d63373 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o obj-$(CONFIG_CRYPTO_RNG2) += rng.o obj-$(CONFIG_CRYPTO_RNG2) += krng.o

[PATCH 0/6] SP800-90A Deterministic Random Bit Generator

2014-03-08 Thread Stephan Mueller
. As defined in SP800-131A, the ANSI X9.31 DRNG is to be sunset by the end of this year for official uses, including FIPS 140-2 compliance. Additional tests are available at [1]. [1] http://www.chronox.de/drbg.html Stephan Mueller (6): SP800-90A Deterministic Random Bit Generator header file

[PATCH 1/6] SP800-90A Deterministic Random Bit Generator

2014-03-08 Thread Stephan Mueller
This is a clean-room implementation of the DRBG defined in SP800-90A. All three viable DRBGs defined in the standard are implemented: * HMAC * Hash * CTR Signed-off-by: Stephan Mueller smuel...@chronox.de create mode 100644 crypto/drbg.c diff --git a/crypto/drbg.c b

[PATCH 3/6] DRBG kernel configuration options

2014-03-08 Thread Stephan Mueller
The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller smuel...@chronox.de diff --git a/crypto/Kconfig b/crypto/Kconfig index

[PATCH 5/6] DRBG testmgr test vectors

2014-03-08 Thread Stephan Mueller
of SHA-512. Signed-off-by: Stephan Mueller smuel...@chronox.de diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 7d44aa3..2ee3bba 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -92,6 +92,29 @@ struct cprng_testvec { unsigned short loops; }; +struct drbg_testvec

[PATCH 2/6] header file for DRBG

2014-03-08 Thread Stephan Mueller
cipher * getter functions for data from struct drbg_core Signed-off-by: Stephan Mueller smuel...@chronox.de create mode 100644 include/crypto/drbg.h diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h new file mode 100644 index 000..16515f9 --- /dev/null +++ b/include/crypto/drbg.h

[PATCH 6/6] Add DRBG test code to testmgr

2014-03-08 Thread Stephan Mueller
not covered with specific test cases. All currently implemented DRBG types and backend ciphers are defined in SP800-90A. Therefore, the fips_allowed flag is set for all. Signed-off-by: Stephan Mueller smuel...@chronox.de diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 7795550..e8cd57c

[PATCH v2 4/6] compile the DRBG code

2014-03-17 Thread Stephan Mueller
Signed-off-by: Stephan Mueller smuel...@chronox.de --- diff --git a/crypto/Makefile b/crypto/Makefile index b29402a..0d63373 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o obj-$(CONFIG_CRYPTO_RNG2) += rng.o obj-$(CONFIG_CRYPTO_RNG2

[PATCH v2 1/6] SP800-90A Deterministic Random Bit Generator

2014-03-17 Thread Stephan Mueller
://www.chronox.de/drbg.html - Performing tests by obtaining data which is not a multiple of cipher block size and check it with the ent tool to ensure that the generation loop does not reuse stale buffers to avoid errors like CVE-2013-4345. Signed-off-by: Stephan Mueller smuel
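As an added example, and not the kernel's crypto/drbg.c or any code from the patch series, here is the HMAC_DRBG of SP800-90A section 10.1.2 over SHA-256 written out with the Python standard library, together with the kind of check the v2 changelog above describes: request output lengths that are not a multiple of the hash output size and confirm that consecutive short requests do not hand back bytes already returned and that a short request is the head of a longer request from an identically seeded instance, so that a generation loop reusing a stale buffer would be caught. The seed and reseed bytes are constructed test input, not entropy; prediction resistance and the section 9 security-strength checks are left out to keep the example short.

```python
import hashlib
import hmac

OUTLEN = hashlib.sha256().digest_size   # 32 bytes for SHA-256
RESEED_INTERVAL = 1 << 48               # SP800-90A upper bound on requests between reseeds


class HmacDrbg:
    """HMAC_DRBG (SP800-90A 10.1.2) over SHA-256, without prediction resistance."""

    def __init__(self, entropy, nonce=b"", personalization=b""):
        # Instantiate (10.1.2.3): K = 0x00..00, V = 0x01..01, then Update(seed_material).
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update (10.1.2.2): the second round runs only if provided_data is non-empty.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy, additional=b""):
        # Reseed (10.1.2.4).
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, additional=b""):
        # Generate (10.1.2.5).
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional:
            self._update(additional)
        out = bytearray()
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V           # each block is the fresh V; no buffer outlives the call
        self._update(additional)    # runs even with empty additional input
        self.reseed_counter += 1
        return bytes(out[:nbytes])


def partial_request_is_prefix(seed, nbytes, longer=2 * OUTLEN):
    """A short request must equal the head of a longer request from an equally seeded twin."""
    a, b = HmacDrbg(seed), HmacDrbg(seed)
    return a.generate(nbytes) == b.generate(longer)[:nbytes]


def run_checks(seed=b"\x11" * 32):
    """Constructed seed (not entropy). Returns True when every consistency check passes."""
    # 1. Same seed, same stream.
    ok = HmacDrbg(seed).generate(48) == HmacDrbg(seed).generate(48)
    # 2. Lengths that are not a multiple of OUTLEN are prefixes of a longer request.
    ok = ok and all(partial_request_is_prefix(seed, n) for n in (1, 5, 31, 33, 63))
    # 3. Back-to-back short requests return different bytes: the state advances per call,
    #    so an implementation that served the tail of an old buffer would fail here.
    d = HmacDrbg(seed)
    ok = ok and d.generate(5) != d.generate(5)
    # 4. Reseeding diverges from an unreseeded twin.
    x, y = HmacDrbg(seed), HmacDrbg(seed)
    y.reseed(b"\x22" * 32)
    ok = ok and x.generate(32) != y.generate(32)
    return ok


if __name__ == "__main__":
    print("all checks passed" if run_checks() else "FAILED")
```

The checks are consistency checks only; to validate an implementation against the standard, run the CAVS known-answer vectors for the mechanism and hash in question, which a property check like this cannot replace.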

[PATCH v2 5/6] DRBG testmgr test vectors

2014-03-17 Thread Stephan Mueller
of SHA-512. Changes to v1: * Fix coding style and apply scripts/checkpatch.pl Signed-off-by: Stephan Mueller smuel...@chronox.de --- diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 7d44aa3..1f48312 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -92,6 +92,29 @@ struct

[PATCH v2 3/6] DRBG kernel configuration options

2014-03-17 Thread Stephan Mueller
The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller smuel...@chronox.de --- diff --git a/crypto/Kconfig b/crypto/Kconfig index

[PATCH v2 2/6] header file for DRBG

2014-03-17 Thread Stephan Mueller
and backend cipher * getter functions for data from struct drbg_core Changes to v1: * Changes due to modification of drbg.c as documented in PATCH 1 * Fix coding style and apply scripts/checkpatch.pl Signed-off-by: Stephan Mueller smuel...@chronox.de --- create mode 100644 include/crypto/drbg.h diff

[PATCH v2 6/6] Add DRBG test code to testmgr

2014-03-17 Thread Stephan Mueller
/checkpatch.pl Signed-off-by: Stephan Mueller smuel...@chronox.de --- diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 7795550..baa6cb7 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -27,6 +27,7 @@ #include linux/slab.h #include linux/string.h #include crypto/rng.h +#include crypto

Re: [PATCH v2 1/6] SP800-90A Deterministic Random Bit Generator

2014-03-19 Thread Stephan Mueller
On Monday, 17 March 2014, 08:34:06, Stephan Mueller wrote: +static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, + bool reseed) +{ + int ret = 0; + unsigned char *entropy = NULL; + size_t entropylen = 0; + struct drbg_string data1

Re: [PATCH v2 1/6] SP800-90A Deterministic Random Bit Generator

2014-03-20 Thread Stephan Mueller
On Thursday, 20 March 2014, 09:12:55, Clemens Ladisch wrote: Hi Clemens, Stephan Mueller wrote: This is a clean-room implementation of the DRBG defined in SP800-90A. Why? I guess it's for certification? As per SP800-131A, the ANSI X9.31 DRNG is sunset by the end of 2014

[PATCH v4 2/6] header file for DRBG

2014-04-11 Thread Stephan Mueller
Changes v4: * change return codes of generate functions to signed int to convey error codes and to match the kernel crypto API expectations on the generate function. Signed-off-by: Stephan Mueller smuel...@chronox.de --- create mode 100644 include/crypto/drbg.h diff --git a/include/crypto

Re: [PATCH v4 1/6] SP800-90A Deterministic Random Bit Generator

2014-04-11 Thread Stephan Mueller
On Friday, 11 April 2014, 11:20:21, Joe Perches wrote: Hi Joe, It looks like const could be used a bit more often. For instance: perhaps uses of key could be changed to const unsigned char *key Good point. I will try to find areas where const can be used. However, due to the use of

Re: [PATCH v5 1/6] SP800-90A Deterministic Random Bit Generator

2014-04-15 Thread Stephan Mueller
On Monday, 14 April 2014, 22:51:05, Joe Perches wrote: Hi Joe, On Tue, 2014-04-15 at 07:35 +0200, Stephan Mueller wrote: diff --git a/crypto/drbg.c b/crypto/drbg.c [] @@ -0,0 +1,1997 @@ [] +/*** + * Backend cipher

[RFC] /dev/random for in-kernel use

2014-04-27 Thread Stephan Mueller
Hi, before I start, please allow me to point out that this email is not a discussion about entropy. There was already too much such discussion without any conclusion. This email shall just explore the pros and cons as well as an implementation of making the logic behind /dev/random available

Re: [RFC] /dev/random for in-kernel use

2014-04-28 Thread Stephan Mueller
On Sunday, 27 April 2014, 20:19:41, Theodore Ts'o wrote: Hi Theodore, On Sun, Apr 27, 2014 at 08:49:48PM +0200, Stephan Mueller wrote: With the heavy update of random.c during the 3.13 development, the re-seeding of the nonblocking_pool from the input_pool is now prevented

Re: [RFC] /dev/random for in-kernel use

2014-04-28 Thread Stephan Mueller
On Monday, 28 April 2014, 10:23:50, Theodore Ts'o wrote: Hi Theodore, I am not too convinced of RDRAND due to the lack of usable source code (i.e. source code that I can build myself). But that is my personal taste :-) The problem is the FIPS validation would presumably require obeying

[PATCH 2/2] Asynchronous and synchronous API for accessing kernel_pool

2014-05-11 Thread Stephan Mueller
that is invoked once the request is completed. A third API call, get_blocking_random_bytes_cancel, is provided to cancel the random number gathering operation. Signed-off-by: Stephan Mueller smuel...@chronox.de --- drivers/char/random.c | 113

[PATCH 1/2] Addition of kernel_pool

2014-05-11 Thread Stephan Mueller
fully equally to the blocking and nonblocking pool with respect to the initialization and update. As now there are three output pools, the patch adds a round-robin logic for processing additional entropy when the input_pool is nearly full. Signed-off-by: Stephan Mueller smuel...@chronox.de

[PATCH 0/2] Add in-kernel /dev/random equivalent

2014-05-11 Thread Stephan Mueller
the collection process is ongoing. [1] https://lkml.org/lkml/2014/4/27/174 Stephan Mueller (2): Addition of kernel_pool Asynchronous and synchronous API for accessing kernel_pool drivers/char/random.c | 163 + include/linux/random.h | 16 + 2

arch_random_refill

2014-05-11 Thread Stephan Mueller
Hi Peter, some time back when the RDRAND instruction was debated, a patch was offered for driver/char/random.c that in essence turned /dev/random into a frontend for RDRAND in case that instruction was available. The patch kind of monopolized the noise sources such that if a user space random

Re: arch_random_refill

2014-05-11 Thread Stephan Mueller
On Sunday, 11 May 2014, 20:22:28, H. Peter Anvin wrote: Hi Peter, Note, I do not see an issue with the patch that adds RDSEED as part of add_interrupt_randomness outlined in [2]. The reason is that this patch does not monopolize the noise sources. I do not want to imply that

[PATCH v7 6/6] Add DRBG test code to testmgr

2014-05-20 Thread Stephan Mueller
not covered with specific test cases. All currently implemented DRBG types and backend ciphers are defined in SP800-90A. Therefore, the fips_allowed flag is set for all. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/testmgr.c | 248

[PATCH v7 5/6] DRBG testmgr test vectors

2014-05-20 Thread Stephan Mueller
of SHA-512. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/testmgr.h | 843 +++ 1 file changed, 843 insertions(+) diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 3db83db..0030ff5 100644 --- a/crypto/testmgr.h +++ b/crypto

[PATCH v7 4/6] compile the DRBG code

2014-05-20 Thread Stephan Mueller
Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/Makefile b/crypto/Makefile index 38e64231..bfa94fa 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o obj

[PATCH v7 3/6] DRBG kernel configuration options

2014-05-20 Thread Stephan Mueller
The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Kconfig | 36

[PATCH v7 2/6] header file for DRBG

2014-05-20 Thread Stephan Mueller
cipher * getter functions for data from struct drbg_core Signed-off-by: Stephan Mueller smuel...@chronox.de --- include/crypto/drbg.h | 291 ++ 1 file changed, 291 insertions(+) create mode 100644 include/crypto/drbg.h diff --git a/include/crypto

[PATCH v7 0/6] SP800-90A Deterministic Random Bit Generator

2014-05-20 Thread Stephan Mueller
. As defined in SP800-131A, the ANSI X9.31 DRNG is to be sunset by the end of this year for official uses, including FIPS 140-2 compliance. Additional tests including the CAVS test framework are available at [1]. [1] http://www.chronox.de/drbg.html Stephan Mueller (6): SP800-90A Deterministic Random

Re: [PATCH v7 1/6] SP800-90A Deterministic Random Bit Generator

2014-05-21 Thread Stephan Mueller
On Wednesday, 21 May 2014, 06:18:58, Stephan Mueller wrote: Hi, +/* + * Tests as defined in 11.3.2 in addition to the cipher tests: testing + * of the error handling. + * + * Note: testing of failing seed source as defined in 11.3.2 is not applicable + * as seed source of get_random_bytes
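Review bot: the comment block in this hunk cites "11.3.2" twice without naming the document; a reader of drbg.c will not know which standard is meant, so write "SP800-90A section 11.3.2" on first mention. The note that a failing seed source cannot be tested because get_random_bytes is the seed source is also worth stating as a limitation in the Kconfig or module documentation, not only in a source comment, since the health tests of that section are what a FIPS reviewer will look for.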

Re: [PATCH v7 0/6] SP800-90A Deterministic Random Bit Generator

2014-05-25 Thread Stephan Mueller
On Saturday, 24 May 2014, 05:14:59, Herbert Xu wrote: Hi Herbert, Stephan Mueller smuel...@chronox.de wrote: Hi, the following set of patches implements the deterministic random bit generator (DRBG) specified by SP800-90A. The DRBG implementation offers the following

Re: [PATCH v7 1/6] SP800-90A Deterministic Random Bit Generator

2014-05-25 Thread Stephan Mueller
On Saturday, 24 May 2014, 05:10:07, Herbert Xu wrote: Hi Herbert, Stephan Mueller smuel...@chronox.de wrote: + memset(drbg_algs[i], 0, sizeof(struct crypto_alg)); + if (pr) { + memcpy(drbg_algs[i].cra_name, drbg(pr(, 8); + memcpy(drbg_algs[i
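Review bot: in the quoted hunk, memset() is handed drbg_algs[i] while the next line accesses drbg_algs[i].cra_name, so drbg_algs[i] is a struct and the memset argument should be &drbg_algs[i]; unless the ampersand was lost in the archive, that line does not compile as shown. The memcpy() of the literal into cra_name with a hard-coded length of 8 is also fragile: the count has to be kept in step with the literal by hand, and nothing bounds the copy by the size of cra_name. Building the name with snprintf(drbg_algs[i].cra_name, sizeof(drbg_algs[i].cra_name), ...) keeps the literal, its length and the destination bound in one place.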

[PATCH v8 7/7] Add documentation of drbg.stdrng

2014-05-26 Thread Stephan Mueller
The drbg.stdrng kernel command line flag allows the selection of the DRBG used as stdrng. Signed-off-by: Stephan Mueller smuel...@chronox.de --- Documentation/kernel-parameters.txt | 10 ++ 1 file changed, 10 insertions(+) diff --git a/Documentation/kernel-parameters.txt b

[PATCH v8 4/7] compile the DRBG code

2014-05-26 Thread Stephan Mueller
Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/Makefile b/crypto/Makefile index 38e64231..bfa94fa 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o obj

[PATCH v8 3/7] DRBG kernel configuration options

2014-05-26 Thread Stephan Mueller
The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Kconfig | 36

[PATCH v8 2/7] header file for DRBG

2014-05-26 Thread Stephan Mueller
cipher * getter functions for data from struct drbg_core Signed-off-by: Stephan Mueller smuel...@chronox.de --- include/crypto/drbg.h | 289 ++ 1 file changed, 289 insertions(+) create mode 100644 include/crypto/drbg.h diff --git a/include/crypto

[PATCH v8 0/7] SP800-90A Deterministic Random Bit Generator

2014-05-26 Thread Stephan Mueller
* rebase patch to 3.15-rc7 Stephan Mueller (7): SP800-90A Deterministic Random Bit Generator header file for DRBG DRBG kernel configuration options compile the DRBG code DRBG testmgr test vectors Add DRBG test code to testmgr Add documentation of drbg.stdrng Documentation/kernel

Re: [PATCH v7 0/6] SP800-90A Deterministic Random Bit Generator

2014-05-30 Thread Stephan Mueller
On Friday, 30 May 2014, 17:05:48, Herbert Xu wrote: Hi Herbert, On Mon, May 26, 2014 at 07:42:57AM +0200, Stephan Mueller wrote: A second aspect is the implementation of the stdrng. Currently, the offered patch does not include the stdrng selection. I am currently working

[PATCH v9 5/6] DRBG testmgr test vectors

2014-06-01 Thread Stephan Mueller
of SHA-512. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/testmgr.h | 843 +++ 1 file changed, 843 insertions(+) diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 3db83db..0030ff5 100644 --- a/crypto/testmgr.h +++ b/crypto

[PATCH v9 3/6] DRBG kernel configuration options

2014-06-01 Thread Stephan Mueller
The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Kconfig | 36

[PATCH v9 4/6] compile the DRBG code

2014-06-01 Thread Stephan Mueller
Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/Makefile b/crypto/Makefile index 38e64231..bfa94fa 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o obj

[PATCH v9 0/6] SP800-90A Deterministic Random Bit Generator

2014-06-01 Thread Stephan Mueller
is chosen as stdrng, in non-fips mode, the krng). Stephan Mueller (6): SP800-90A Deterministic Random Bit Generator header file for DRBG DRBG kernel configuration options compile the DRBG code DRBG testmgr test vectors Add DRBG test code to testmgr crypto/Kconfig| 36 +- crypto

Re: [PATCH 0/2] Add in-kernel /dev/random equivalent

2014-06-06 Thread Stephan Mueller
On Friday, 6 June 2014, 13:59:00, Pavel Machek wrote: Hi Pavel, On Mon 2014-05-12 00:36:01, Stephan Mueller wrote: Hi, as discussed in thread [1], an in-kernel equivalent to the blocking /dev/random device behavior is suggested. This in-kernel blocking access to the RNG can be used

Re: [PATCH v2] DRBG: simplify ordering of linked list in drbg_ctr_df

2014-06-26 Thread Stephan Mueller
On Thursday, 26 June 2014, 14:45:42, Herbert Xu wrote: Hi Herbert, On Wed, Jun 25, 2014 at 05:08:28PM +0800, Herbert Xu wrote: On Mon, Jun 23, 2014 at 09:11:29AM +0200, Stephan Mueller wrote: As reported by a static code analyzer, the code for the ordering of the linked list can

[PATCH 4/4] DRBG: Call CTR DRBG DF function only once

2014-06-28 Thread Stephan Mueller
. This information is provided with the reseed parameter to the update function. Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/drbg.c | 41 ++--- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/crypto/drbg.c b/crypto/drbg.c index

[PATCH 3/4] DRBG: Fix format string for debugging statements

2014-06-28 Thread Stephan Mueller
The initial format strings caused warnings on several architectures. The updated format strings now match the variable types. Reported-by: kbuild test robot fengguang...@intel.com Reported-by: Randy Dunlap rdun...@infradead.org Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/drbg.c

[PATCH 2/4] DRBG: cleanup of preprocessor macros

2014-06-28 Thread Stephan Mueller
in favor of an init function reporting the erroneous built of the DRBG. Lastly, a fix of the use use of CONFIG_CRYPTO_DRBG_HASH has been applied. Reported-by: kbuild test robot fengguang...@intel.com Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/drbg.c | 43

[PATCH 1/4] DRBG: use of kernel linked list

2014-06-28 Thread Stephan Mueller
robot fengguang...@intel.com Signed-off-by: Stephan Mueller smuel...@chronox.de --- crypto/drbg.c | 233 +++--- include/crypto/drbg.h | 7 +- 2 files changed, 128 insertions(+), 112 deletions(-) diff --git a/crypto/drbg.c b/crypto/drbg.c index

[PATCH 0/4] DRBG: Fixes for sparse tool reports

2014-06-28 Thread Stephan Mueller
Hi, The following patches cover requested changes based on the sparse tool test run and suggestions by peer reviewers. In addition, a patch to make the CTR DRBG more efficient is added. Stephan Mueller (4): DRBG: use of kernel linked list DRBG: cleanup of preprocessor macros DRBG: Fix

Re: [PATCH 3/4] DRBG: Fix format string for debugging statements

2014-06-28 Thread Stephan Mueller
On Sunday, 29 June 2014, 12:24:02, Stephen Rothwell wrote: Hi Stephen, Hi Stephan, On Sat, 28 Jun 2014 22:01:46 +0200 Stephan Mueller smuel...@chronox.de wrote: @@ -1987,8 +1987,9 @@ static int __init drbg_init(void) if (ARRAY_SIZE(drbg_cores) * 2 ARRAY_SIZE(drbg_algs

Re: [PATCH 3/4] DRBG: Fix format string for debugging statements

2014-06-28 Thread Stephan Mueller
On Saturday, 28 June 2014, 20:53:19, Joe Perches wrote: Hi Joe, On Sun, 2014-06-29 at 05:46 +0200, Stephan Mueller wrote: On Sunday, 29 June 2014, 12:24:02, Stephen Rothwell wrote: Hi Stephen, Hi Stephan, On Sat, 28 Jun 2014 22:01:46 +0200 Stephan Mueller smuel