Commit 0ed90597 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'random-5.17-rc1-for-linus' of... 

Merge branch 'random-5.17-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random

Pull random number generator fixes from Jason Donenfeld:

 - Some Kconfig changes resulted in BIG_KEYS being unselectable, which
   Justin sent a patch to fix.

 - Geert pointed out that moving to BLAKE2s bloated vmlinux on little
   machines, like m68k, so we now compensate for this.

 - Numerous style and house cleaning fixes, meant to have a cleaner base
   for future changes.

* 'random-5.17-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
  random: simplify arithmetic function flow in account()
  random: selectively clang-format where it makes sense
  random: access input_pool_data directly rather than through pointer
  random: cleanup fractional entropy shift constants
  random: prepend remaining pool constants with POOL_
  random: de-duplicate INPUT_POOL constants
  random: remove unused OUTPUT_POOL constants
  random: rather than entropy_store abstraction, use global
  random: remove unused extract_entropy() reserved argument
  random: remove incomplete last_data logic
  random: cleanup integer types
  random: cleanup poolinfo abstraction
  random: fix typo in comments
  lib/crypto: sha1: re-roll loops to reduce code size
  lib/crypto: blake2s: move hmac construction into wireguard
  lib/crypto: add prompts back to crypto libraries
parents 39b419ea a254a0e4

crypto/Kconfig

+0 −2
Original line number Diff line number Diff line
@@ -1928,5 +1928,3 @@ source "crypto/asymmetric_keys/Kconfig" 
source "certs/Kconfig"



endif	# if CRYPTO
 


source "lib/crypto/Kconfig"

drivers/char/random.c

+264 −363

File changed.

Preview size limit exceeded, changes collapsed.

drivers/net/wireguard/noise.c

+39 −6
Original line number Diff line number Diff line
@@ -302,6 +302,41 @@ void wg_noise_set_static_identity_private_key( 
		static_identity->static_public, private_key);

}



static void hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen, const size_t keylen)

{

	struct blake2s_state state;

	u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };

	u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));

	int i;



	if (keylen > BLAKE2S_BLOCK_SIZE) {

		blake2s_init(&state, BLAKE2S_HASH_SIZE);

		blake2s_update(&state, key, keylen);

		blake2s_final(&state, x_key);

	} else

		memcpy(x_key, key, keylen);



	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)

		x_key[i] ^= 0x36;



	blake2s_init(&state, BLAKE2S_HASH_SIZE);

	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);

	blake2s_update(&state, in, inlen);

	blake2s_final(&state, i_hash);



	for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)

		x_key[i] ^= 0x5c ^ 0x36;



	blake2s_init(&state, BLAKE2S_HASH_SIZE);

	blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);

	blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);

	blake2s_final(&state, i_hash);



	memcpy(out, i_hash, BLAKE2S_HASH_SIZE);

	memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);

	memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);

}



/* This is Hugo Krawczyk's HKDF:

 *  - https://eprint.iacr.org/2010/264.pdf

 *  - https://tools.ietf.org/html/rfc5869
@@ -322,14 +357,14 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data, 
		 ((third_len || third_dst) && (!second_len || !second_dst))));



	/* Extract entropy from data into secret */

	blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);

	hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);



	if (!first_dst || !first_len)

		goto out;



	/* Expand first key: key = secret, data = 0x1 */

	output[0] = 1;

	blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);

	hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);

	memcpy(first_dst, output, first_len);



	if (!second_dst || !second_len)
@@ -337,8 +372,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data, 


	/* Expand second key: key = secret, data = first-key || 0x2 */

	output[BLAKE2S_HASH_SIZE] = 2;

	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,

			BLAKE2S_HASH_SIZE);

	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);

	memcpy(second_dst, output, second_len);



	if (!third_dst || !third_len)
@@ -346,8 +380,7 @@ static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data, 


	/* Expand third key: key = secret, data = second-key || 0x3 */

	output[BLAKE2S_HASH_SIZE] = 3;

	blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,

			BLAKE2S_HASH_SIZE);

	hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1, BLAKE2S_HASH_SIZE);

	memcpy(third_dst, output, third_len);



out:

include/crypto/blake2s.h

+0 −3
Original line number Diff line number Diff line
@@ -101,7 +101,4 @@ static inline void blake2s(u8 *out, const u8 *in, const u8 *key, 
	blake2s_final(&state, out);

}



void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,

		     const size_t keylen);



#endif /* _CRYPTO_BLAKE2S_H */

include/trace/events/random.h

+21 −35
Original line number Diff line number Diff line
@@ -28,80 +28,71 @@ TRACE_EVENT(add_device_randomness, 
);



DECLARE_EVENT_CLASS(random__mix_pool_bytes,

	TP_PROTO(const char *pool_name, int bytes, unsigned long IP),

	TP_PROTO(int bytes, unsigned long IP),



	TP_ARGS(pool_name, bytes, IP),

	TP_ARGS(bytes, IP),



	TP_STRUCT__entry(

		__field( const char *,	pool_name		)

		__field(	  int,	bytes			)

		__field(unsigned long,	IP			)

	),



	TP_fast_assign(

		__entry->pool_name	= pool_name;

		__entry->bytes		= bytes;

		__entry->IP		= IP;

	),



	TP_printk("%s pool: bytes %d caller %pS",

		  __entry->pool_name, __entry->bytes, (void *)__entry->IP)

	TP_printk("input pool: bytes %d caller %pS",

		  __entry->bytes, (void *)__entry->IP)

);



DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes,

	TP_PROTO(const char *pool_name, int bytes, unsigned long IP),

	TP_PROTO(int bytes, unsigned long IP),



	TP_ARGS(pool_name, bytes, IP)

	TP_ARGS(bytes, IP)

);



DEFINE_EVENT(random__mix_pool_bytes, mix_pool_bytes_nolock,

	TP_PROTO(const char *pool_name, int bytes, unsigned long IP),

	TP_PROTO(int bytes, unsigned long IP),



	TP_ARGS(pool_name, bytes, IP)

	TP_ARGS(bytes, IP)

);



TRACE_EVENT(credit_entropy_bits,

	TP_PROTO(const char *pool_name, int bits, int entropy_count,

		 unsigned long IP),

	TP_PROTO(int bits, int entropy_count, unsigned long IP),



	TP_ARGS(pool_name, bits, entropy_count, IP),

	TP_ARGS(bits, entropy_count, IP),



	TP_STRUCT__entry(

		__field( const char *,	pool_name		)

		__field(	  int,	bits			)

		__field(	  int,	entropy_count		)

		__field(unsigned long,	IP			)

	),



	TP_fast_assign(

		__entry->pool_name	= pool_name;

		__entry->bits		= bits;

		__entry->entropy_count	= entropy_count;

		__entry->IP		= IP;

	),



	TP_printk("%s pool: bits %d entropy_count %d caller %pS",

		  __entry->pool_name, __entry->bits,

		  __entry->entropy_count, (void *)__entry->IP)

	TP_printk("input pool: bits %d entropy_count %d caller %pS",

		  __entry->bits, __entry->entropy_count, (void *)__entry->IP)

);



TRACE_EVENT(debit_entropy,

	TP_PROTO(const char *pool_name, int debit_bits),

	TP_PROTO(int debit_bits),



	TP_ARGS(pool_name, debit_bits),

	TP_ARGS( debit_bits),



	TP_STRUCT__entry(

		__field( const char *,	pool_name		)

		__field(	  int,	debit_bits		)

	),



	TP_fast_assign(

		__entry->pool_name	= pool_name;

		__entry->debit_bits	= debit_bits;

	),



	TP_printk("%s: debit_bits %d", __entry->pool_name,

		  __entry->debit_bits)

	TP_printk("input pool: debit_bits %d", __entry->debit_bits)

);



TRACE_EVENT(add_input_randomness,
@@ -170,36 +161,31 @@ DEFINE_EVENT(random__get_random_bytes, get_random_bytes_arch, 
);



DECLARE_EVENT_CLASS(random__extract_entropy,

	TP_PROTO(const char *pool_name, int nbytes, int entropy_count,

		 unsigned long IP),

	TP_PROTO(int nbytes, int entropy_count, unsigned long IP),



	TP_ARGS(pool_name, nbytes, entropy_count, IP),

	TP_ARGS(nbytes, entropy_count, IP),



	TP_STRUCT__entry(

		__field( const char *,	pool_name		)

		__field(	  int,	nbytes			)

		__field(	  int,	entropy_count		)

		__field(unsigned long,	IP			)

	),



	TP_fast_assign(

		__entry->pool_name	= pool_name;

		__entry->nbytes		= nbytes;

		__entry->entropy_count	= entropy_count;

		__entry->IP		= IP;

	),



	TP_printk("%s pool: nbytes %d entropy_count %d caller %pS",

		  __entry->pool_name, __entry->nbytes, __entry->entropy_count,

		  (void *)__entry->IP)

	TP_printk("input pool: nbytes %d entropy_count %d caller %pS",

		  __entry->nbytes, __entry->entropy_count, (void *)__entry->IP)

);





DEFINE_EVENT(random__extract_entropy, extract_entropy,

	TP_PROTO(const char *pool_name, int nbytes, int entropy_count,

		 unsigned long IP),

	TP_PROTO(int nbytes, int entropy_count, unsigned long IP),



	TP_ARGS(pool_name, nbytes, entropy_count, IP)

	TP_ARGS(nbytes, entropy_count, IP)

);



TRACE_EVENT(urandom_read,