aha/crypto
Jarod Wilson aa1a85dbd1 crypto: ansi_cprng - Avoid incorrect extra call to _get_more_prng_bytes
While working with some FIPS RNGVS test vectors yesterday, I discovered a
little bug in the way the ansi_cprng code works right now.

For example, the following test vector (complete with expected result)
from http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf ...

Key = f3b1666d13607242ed061cabb8d46202
DT = e6b3be782a23fa62d71d4afbb0e922fc
V = f0000000000000000000000000000000
R = 88dda456302423e5f69da57e7b95c73a

...when run through ansi_cprng, yields an incorrect R value
of e2afe0d794120103d6e86a2b503bdfaa.

If I load up ansi_cprng w/dbg=1 though, it was fairly obvious what was
going wrong:

----8<----
getting 16 random bytes for context ffff810033fb2b10
Calling _get_more_prng_bytes for context ffff810033fb2b10
Input DT: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Input I: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Input V: 00000000: f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
tmp stage 0: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
tmp stage 1: 00000000: f4 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
tmp stage 2: 00000000: 8c 53 6f 73 a4 1a af d4 20 89 68 f4 58 64 f8 be 
Returning new block for context ffff810033fb2b10
Output DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Output I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
Output V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
New Random Data: 00000000: 88 dd a4 56 30 24 23 e5 f6 9d a5 7e 7b 95 c7 3a 
Calling _get_more_prng_bytes for context ffff810033fb2b10
Input DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Input I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
Input V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
tmp stage 0: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
tmp stage 1: 00000000: 80 6b 3a 8c 23 ae 8f 53 be 71 4c 16 fc 13 b2 ea 
tmp stage 2: 00000000: 2a 4d e1 2a 0b 58 8e e6 36 b8 9c 0a 26 22 b8 30 
Returning new block for context ffff810033fb2b10
Output DT: 00000000: e8 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Output I: 00000000: c8 e2 01 fd 9f 4a 8f e5 e0 50 f6 21 76 19 67 9a 
Output V: 00000000: ba 98 e3 75 c0 1b 81 8d 03 d6 f8 e2 0c c6 54 4b 
New Random Data: 00000000: e2 af e0 d7 94 12 01 03 d6 e8 6a 2b 50 3b df aa 
returning 16 from get_prng_bytes in context ffff810033fb2b10
----8<----

The expected result is there, in the first "New Random Data", but we're
incorrectly making a second call to _get_more_prng_bytes, due to some checks
that are slightly off, which resulted in our original bytes never being
returned anywhere.

One approach to fixing this would be to alter some byte_count checks in
get_prng_bytes, but it would mean the last DEFAULT_BLK_SZ bytes would be
copied a byte at a time, rather than in a single memcpy, so a slightly more
involved, equally functional, and ultimately more efficient way of fixing this
was suggested to me by Neil, which I'm submitting here. All of the RNGVS ANSI
X9.31 AES128 VST test vectors I've passed through ansi_cprng are now returning
the expected results with this change.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:47 +11:00
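The commit message spells out the generator's stage sequence through its debug log (stage 0 encrypts DT to get I, stage 1 encrypts I ^ V to get the output block, stage 2 encrypts I ^ R to get the next V, then DT is bumped at byte 0), and the bug itself is purely in the byte-count bookkeeping of get_prng_bytes. The following is an added example, written for this page and not code from the kernel's ansi_cprng.c: a userspace ANSI X9.31 AES-128 generator in Go (using crypto/aes in place of the kernel cipher API) with a byte-serving layer that generates a fresh block only when the previous one is exhausted, so a request for exactly one block triggers exactly one block computation. The type and method names (X931, NewX931, Read, ReadHex, RunVector, Blocks) are this example's own; the DT increment order (least significant byte first) is taken from the log above, where e6 becomes e7 at byte 0. The test vector is the NIST RNGVS one quoted in the commit message, and the second block value comes from the same debug log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

const blkSz = 16

// X931 is an ANSI X9.31 AES-128 PRNG. The three encryption stages follow the
// order shown in the ansi_cprng debug log; buf/avail implement the "hand out
// leftover bytes before generating a new block" rule from the fix.
type X931 struct {
	blk    cipher.Block
	dt     [blkSz]byte // date/time vector, incremented after every block
	v      [blkSz]byte // seed vector V, replaced after every block
	buf    [blkSz]byte // most recent output block R
	avail  int         // bytes of buf not yet returned to a caller
	Blocks int         // number of block computations so far (for checking)
}

// NewX931 seeds a generator from a 16-byte key, DT and V.
func NewX931(key, dt, v []byte) (*X931, error) {
	if len(key) != 16 || len(dt) != blkSz || len(v) != blkSz {
		return nil, fmt.Errorf("x931: key, DT and V must all be 16 bytes")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := &X931{blk: blk}
	copy(p.dt[:], dt)
	copy(p.v[:], v)
	return p, nil
}

func xorBlock(dst, a, b *[blkSz]byte) {
	for k := range dst {
		dst[k] = a[k] ^ b[k]
	}
}

// nextBlock runs one X9.31 iteration:
//   I = E_K(DT);  R = E_K(I ^ V);  V' = E_K(I ^ R);  DT = DT + 1
func (p *X931) nextBlock() {
	var i, tmp [blkSz]byte
	p.blk.Encrypt(i[:], p.dt[:])    // stage 0: I from DT
	xorBlock(&tmp, &i, &p.v)        // stage 1 input: I ^ V
	p.blk.Encrypt(p.buf[:], tmp[:]) // stage 1: output block R
	xorBlock(&tmp, &i, &p.buf)      // stage 2 input: I ^ R
	p.blk.Encrypt(p.v[:], tmp[:])   // stage 2: next V
	// Increment DT byte 0 first, matching the log (e6 -> e7 -> e8).
	for k := 0; k < blkSz; k++ {
		p.dt[k]++
		if p.dt[k] != 0 {
			break
		}
	}
	p.avail = blkSz
	p.Blocks++
}

// Read fills out with generator output. A new block is computed only when
// the buffer is empty, so asking for exactly 16 bytes costs one nextBlock
// call and partial reads never discard bytes.
func (p *X931) Read(out []byte) int {
	n := 0
	for n < len(out) {
		if p.avail == 0 {
			p.nextBlock()
		}
		c := copy(out[n:], p.buf[blkSz-p.avail:])
		p.avail -= c
		n += c
	}
	return n
}

// ReadHex returns n bytes of output as a hex string.
func (p *X931) ReadHex(n int) string {
	out := make([]byte, n)
	p.Read(out)
	return hex.EncodeToString(out)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// RunVector generates one block R from an RNGVS-style (Key, DT, V) triple.
func RunVector(keyHex, dtHex, vHex string) string {
	p, err := NewX931(mustHex(keyHex), mustHex(dtHex), mustHex(vHex))
	if err != nil {
		panic(err)
	}
	return p.ReadHex(blkSz)
}

func main() {
	// The vector from the commit message; expected R = 88dda456302423e5f69da57e7b95c73a.
	fmt.Println(RunVector("f3b1666d13607242ed061cabb8d46202",
		"e6b3be782a23fa62d71d4afbb0e922fc",
		"f0000000000000000000000000000000"))
}
```

Reading 5 bytes and then 11 bytes from a fresh generator returns the same R as a single 16-byte read, with Blocks still at 1; the next 16-byte read yields the second block from the log. The original bug was the reverse failure: a single 16-byte request computed two blocks and returned the second.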
async_tx async_xor: dma_map destination DMA_BIDIRECTIONAL 2008-12-08 13:46:00 -07:00
ablkcipher.c [CRYPTO] skcipher: Move chainiv/seqiv into crypto_blkcipher module 2008-02-23 11:12:06 +08:00
aead.c [CRYPTO] api: Show async type 2008-01-11 08:16:56 +11:00
aes_generic.c [CRYPTO] aes: Export generic setkey 2008-04-21 10:19:34 +08:00
ahash.c crypto: hash - Export shash through hash 2008-12-25 11:01:33 +11:00
algapi.c crypto: api - Use test infrastructure 2008-08-29 15:49:57 +10:00
algboss.c crypto: cryptomgr - Test ciphers using ECB 2008-08-29 15:49:58 +10:00
ansi_cprng.c crypto: ansi_cprng - Avoid incorrect extra call to _get_more_prng_bytes 2008-12-25 11:01:47 +11:00
anubis.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
api.c crypto: api - Rebirth of crypto_alloc_tfm 2008-12-25 11:01:24 +11:00
arc4.c [CRYPTO] api: Get rid of flags argument to setkey 2006-09-21 11:41:02 +10:00
authenc.c crypto: hash - Export shash through hash 2008-12-25 11:01:33 +11:00
blkcipher.c crypto: skcipher - Move IV generators into their own modules 2008-08-29 15:50:00 +10:00
blowfish.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
camellia.c crypto: camellia - use kernel-provided bitops, unaligned access 2008-12-25 11:01:15 +11:00
cast5.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
cast6.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
cbc.c Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p) 2008-02-07 08:42:26 -08:00
ccm.c [CRYPTO] ccm: Added CCM mode 2008-01-11 08:16:53 +11:00
chainiv.c crypto: skcipher - Use RNG interface instead of get_random_bytes 2008-08-29 15:50:06 +10:00
cipher.c [CRYPTO] api: Add missing headers for setkey_unaligned 2007-10-10 16:55:40 -07:00
compress.c cleanup asm/scatterlist.h includes 2007-11-02 08:47:06 +01:00
crc32c.c libcrc32c: Move implementation to crypto crc32c 2008-12-25 11:01:40 +11:00
cryptd.c crypto: hash - Move ahash functions into crypto/hash.h 2008-07-10 20:35:18 +08:00
crypto_null.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
ctr.c [CRYPTO] seqiv: Add Sequence Number IV Generator 2008-01-11 08:16:48 +11:00
cts.c [CRYPTO] cts: Init SG tables 2008-06-02 15:46:51 +10:00
deflate.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
des_generic.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
digest.c crypto: hash - Fix digest size check for digest type 2008-08-13 20:08:38 +10:00
ecb.c Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p) 2008-02-07 08:42:26 -08:00
eseqiv.c crypto: skcipher - Use RNG interface instead of get_random_bytes 2008-08-29 15:50:06 +10:00
fcrypt.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
fips.c crypto: api - Add fips_enable flag 2008-08-29 15:50:02 +10:00
gcm.c [CRYPTO] gcm: Introduce rfc4106 2008-01-11 08:16:56 +11:00
gf128mul.c [CRYPTO] xts: XTS blockcipher mode implementation without partial blocks 2007-10-10 16:55:45 -07:00
hash.c crypto: hash - Move ahash functions into crypto/hash.h 2008-07-10 20:35:18 +08:00
hmac.c crypto: hash - Export shash through hash 2008-12-25 11:01:33 +11:00
internal.h crypto: api - Rebirth of crypto_alloc_tfm 2008-12-25 11:01:24 +11:00
Kconfig libcrc32c: Move implementation to crypto crc32c 2008-12-25 11:01:40 +11:00
khazad.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
krng.c crypto: rng - RNG interface and implementation 2008-08-29 15:50:04 +10:00
lrw.c [CRYPTO] lrw: Replace all adds to big endians variables with be*_add_cpu 2008-04-21 10:19:22 +08:00
lzo.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
Makefile crypto: hash - Add shash interface 2008-12-25 11:01:26 +11:00
md4.c crypto: md4 - Use ARRAY_SIZE 2008-12-25 11:01:45 +11:00
md5.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
michael_mic.c [PATCH] Update my email address from jkmaline@cc.hut.fi to j@w1.fi 2007-04-28 11:01:01 -04:00
pcbc.c Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p) 2008-02-07 08:42:26 -08:00
proc.c crypto: api - Call type show function before legacy for proc 2008-12-25 11:01:32 +11:00
ripemd.h [CRYPTO] ripemd: Put all common RIPEMD values in header file 2008-07-10 20:35:12 +08:00
rmd128.c crypto: rmd128 - sparse annotations 2008-07-10 20:35:17 +08:00
rmd160.c crypto: rmd - sparse annotations 2008-07-10 20:35:17 +08:00
rmd256.c crypto: rmd - sparse annotations 2008-07-10 20:35:17 +08:00
rmd320.c crypto: rmd - sparse annotations 2008-07-10 20:35:17 +08:00
rng.c crypto: rng - RNG interface and implementation 2008-08-29 15:50:04 +10:00
salsa20_generic.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
scatterwalk.c [CRYPTO] scatterwalk: Handle zero nbytes in scatterwalk_map_and_copy 2008-01-11 08:16:54 +11:00
seed.c [CRYPTO] seed: New cipher algorithm 2007-10-10 16:55:38 -07:00
seqiv.c crypto: skcipher - Use RNG interface instead of get_random_bytes 2008-08-29 15:50:06 +10:00
serpent.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
sha1_generic.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
sha256_generic.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
sha512_generic.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
shash.c crypto: hash - Export shash through hash 2008-12-25 11:01:33 +11:00
tcrypt.c crypto: cryptomgr - Add test infrastructure 2008-08-29 15:49:55 +10:00
tcrypt.h crypto: cryptomgr - Add test infrastructure 2008-08-29 15:49:55 +10:00
tea.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
testmgr.c crypto: crc32c - Test descriptor context format 2008-12-25 11:01:38 +11:00
testmgr.h crypto: cryptomgr - Add test infrastructure 2008-08-29 15:49:55 +10:00
tgr192.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
twofish.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
twofish_common.c [CRYPTO] twofish: Do not unroll big stuff in twofish key setup 2008-01-11 08:16:06 +11:00
wp512.c [CRYPTO] all: Clean up init()/fini() 2008-04-21 10:19:34 +08:00
xcbc.c [CRYPTO] xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk 2008-04-02 14:36:09 +08:00
xor.c async_tx: add the async_tx api 2007-07-13 08:06:14 -07:00
xts.c [CRYPTO] xts: Use proper alignment 2008-03-06 18:56:19 +08:00