
[03/17] crypto: ansi_cprng - Eliminate ctx->I

Message ID 20141202083707.17996.qmail@ns.horizon.com (mailing list archive)
State Superseded
Delegated to: Herbert Xu

Commit Message

George Spelvin Dec. 2, 2014, 8:37 a.m. UTC
It's also not necessary.  We do have to change some debugging
output.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)

Comments

Neil Horman Dec. 2, 2014, 2:52 p.m. UTC | #1
On Tue, Dec 02, 2014 at 03:37:07AM -0500, George Spelvin wrote:
> It's also not necessary.  We do have to change some debugging
> output.
> 
> Signed-off-by: George Spelvin <linux@horizon.com>
> ---
>  crypto/ansi_cprng.c | 39 ++++++++++++++++++++-------------------
>  1 file changed, 20 insertions(+), 19 deletions(-)
> 
I'm only ok with removing I if you can continue to be able to output it.  Given
that I is listed as part of the test sequences that NIST provides, I'd like to
be able to compare the values.
Neil

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
George Spelvin Dec. 2, 2014, 8:03 p.m. UTC | #2
> I'm only ok with removing I if you can continue to be able to output it.
> given that I is listed as part of the test sequences that NIST provides,
> I'd like to be able to compare the values.

I can do that easily, but I can't print the *input* I, which
is the result of encrypting the previous DT, as it's thrown
away earlier.

You'd have to look further back in the debug messages to find it.

Is changing the format of the debug messages okay?  I'd like the debug
messages to describe the code, but I don't know if you have something
that parses the current output.


The test output I see on p. 33 of
http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
doesn't include I.  Can you point me to a sample that includes I?

It might be best to more significantly rework the debug messages to
resemble the NIST test vectors.
Neil Horman Dec. 3, 2014, 11:08 a.m. UTC | #3
On Tue, Dec 02, 2014 at 03:03:38PM -0500, George Spelvin wrote:
> > I'm only ok with removing I if you can continue to be able to output it.
> > given that I is listed as part of the test sequences that NIST provides,
> > I'd like to be able to compare the values.
> 
> I can do that easily, but I can't print the *input* I, which
> is the result of encrypting the previous DT, as it's thrown
> away earlier.
> 
> You'd have to look further back in the debug messages to find it.
> 
> Is changing the format of the debug messages okay?  I'd like the debug
> messages to describe the code, but I don't know if you have something
> that parses the current output.
> 
I'm fine with changing the output, as I don't think anything particularly relies
on the format, but I can't speak for others
Neil

> 
> The test output I see on p. 33 of
> http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
> doesn't include I.  Can you point me to a sample that includes I?
> 
> It might be best to more significantly  rework the debug messages to
> resemble the NIST test vectors.
> 
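As an added illustration of the data flow the thread is about (example code written for this page, not the kernel's crypto/ansi_cprng.c), the C program below mirrors the three-stage step: I = E(DT), R = E(I ^ V), V = E(I ^ R), with I held only in a local buffer exactly as the patch does, so the only way to log I is to capture the stage-0 result inside the call that computes it. The `blockfn` placeholder is a constructed mixing function standing in for the fixed-key cipher (it is not AES and not secure); the `x931_state` layout, the anti-repetition compare against the previous output block and the big-endian counter increment are assumptions modelled on the thread's description, not code from the patch.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLK 16	/* block size in bytes, like DEFAULT_BLK_SZ for AES */

/*
 * Constructed stand-in for the fixed-key block cipher E_K (NOT AES, not
 * secure).  It copies its input before writing, so out == in is safe;
 * that is the property the patch relies on when it encrypts V in place.
 */
static void blockfn(uint8_t out[BLK], const uint8_t in[BLK])
{
	uint8_t buf[BLK], acc = 0x5a;
	int i;

	memcpy(buf, in, BLK);
	for (i = 0; i < BLK; i++) {
		acc = (uint8_t)(acc * 31 + buf[i] + i);
		out[i] = acc;
	}
}

static void xor_blocks(uint8_t *dst, const uint8_t *a, const uint8_t *b)
{
	int i;

	for (i = 0; i < BLK; i++)
		dst[i] = a[i] ^ b[i];
}

/* Persistent state: only DT, V and the last output R survive a call (assumed layout). */
struct x931_state {
	uint8_t DT[BLK];	/* deterministic counter standing in for date/time */
	uint8_t V[BLK];		/* seed vector */
	uint8_t R[BLK];		/* previous output block, for the continuous test */
	int have_prev;		/* 0 until the first block has been produced */
};

/*
 * One generation step.  I lives only in a local buffer and is copied to
 * I_out so the caller can log it; nothing retains it after the return.
 * Returns 0 on success, -1 if the new R repeats the previous one.
 */
static int x931_step(struct x931_state *st, uint8_t I_out[BLK])
{
	uint8_t I[BLK], Rnew[BLK];
	int i;

	blockfn(I, st->DT);			/* stage 0: I = E(DT) */
	xor_blocks(Rnew, I, st->V);
	blockfn(Rnew, Rnew);			/* stage 1: R = E(I ^ V), in place */
	if (st->have_prev && memcmp(Rnew, st->R, BLK) == 0)
		return -1;			/* continuous test failed */
	xor_blocks(st->V, I, Rnew);
	blockfn(st->V, st->V);			/* stage 2: V = E(I ^ R), in place */
	memcpy(st->R, Rnew, BLK);
	st->have_prev = 1;
	memcpy(I_out, I, BLK);

	for (i = BLK - 1; i >= 0; i--)		/* DT += 1 as a big-endian counter */
		if (++st->DT[i])
			break;
	return 0;
}

/*
 * Checks the two properties the thread turns on and returns 1 if both hold:
 *  (a) call n+1's I is E(DT as it stood after call n), so the "Input I" the
 *      old code printed is exactly the value call n could have logged;
 *  (b) a repeated output block is rejected by the continuous test.
 */
static int check_x931_properties(void)
{
	struct x931_state st;
	uint8_t I1[BLK], I2[BLK], expect[BLK], dt1[BLK], v1[BLK];

	memset(&st, 0, sizeof(st));
	st.V[0] = 0x01;				/* constructed seed */
	if (x931_step(&st, I1) != 0)
		return 0;
	memcpy(dt1, st.DT, BLK);		/* state as seen at the start of call 2 */
	memcpy(v1, st.V, BLK);
	if (x931_step(&st, I2) != 0)
		return 0;
	blockfn(expect, dt1);
	if (memcmp(I2, expect, BLK) != 0 || memcmp(I1, I2, BLK) == 0)
		return 0;
	/* Rewind DT and V so the next R would repeat the stored one: must be rejected. */
	memcpy(st.DT, dt1, BLK);
	memcpy(st.V, v1, BLK);
	return x931_step(&st, I2) == -1;
}

int main(void)
{
	struct x931_state st;
	uint8_t I[BLK];
	int i;

	memset(&st, 0, sizeof(st));
	x931_step(&st, I);
	printf("I (stage 0 result, only visible inside the call): ");
	for (i = 0; i < BLK; i++)
		printf("%02x", I[i]);
	printf("\nproperties hold: %d\n", check_x931_properties());
	return 0;
}
```

The point for the debug-output discussion is visible in `x931_step`: once stage 2 has overwritten V, the only copy of I is the local buffer, so a caller that wants to compare I against a test vector has to log it from that buffer before returning, not from persistent state.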

Patch

diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index c0a27288..6b844f13 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -35,19 +35,22 @@ 
 #define PRNG_NEED_RESET 0x2
 
 /*
- * Note: DT is our counter value
- *	 I is our intermediate value
- *	 V is our seed vector
+ * Note: In addition to the fixed encryption key, there are three
+ *	 block-sized state buffers:
+ * 1. rand_data is the current output data (R in the spec).
+ * 2. V is our main state vector
+ * 3. DT is the current "data/time" used for seeding.  The fact that
+ *    this is a deterministic counter rather than an actual timestamp
+ *    (with some small amount of seed entropy) means that this code is
+ *    NOT an implmentation of X9.31.
+ *
  * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
  * for implementation details
  */
-
-
 struct prng_context {
 	spinlock_t prng_lock;
 	unsigned char rand_data[DEFAULT_BLK_SZ];
 	unsigned char DT[DEFAULT_BLK_SZ];
-	unsigned char I[DEFAULT_BLK_SZ];
 	unsigned char V[DEFAULT_BLK_SZ];
 	u32 rand_read_pos;	/* Offset into rand_data[] */
 	struct crypto_cipher *tfm;
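Review bot: the new comment has a typo in "NOT an implmentation of X9.31" ("implementation"). The same note now lists the three persistent block-sized buffers but drops the "I is our intermediate value" line without saying what became of I; since the stage comments further down still refer to I, one sentence here stating that I (the encrypted DT) is now a per-call temporary held in tmp rather than context state would keep the comment and the code in step.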
@@ -93,13 +96,13 @@  static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 		ctx);
 
 	hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ);
-	hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ);
 	hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
 
 	/*
 	 * This algorithm is a 3 stage state machine
 	 */
 	for (i = 0; i < 3; i++) {
+		unsigned char const *input;
 		unsigned char *output;
 
 		switch (i) {
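Review bot: removing the "Input I" hexdump deletes the only place the previous call's I was printed, which is the line Neil asks to keep for comparison with test vectors; with ctx->I gone there is nothing to print at this point, so the commit message should say explicitly that the cross-call "Input I" line is gone and that I is only observable within the call that computes it. Minor style point: `unsigned char const *input` is the less usual ordering in the kernel tree; `const unsigned char *input` is the common form.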
@@ -108,9 +111,9 @@  static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 			 * Start by encrypting the counter value
 			 * This gives us an intermediate value I
 			 */
-			memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
-			output = ctx->I;
-			hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
+			input = ctx->DT;
+			output = tmp;
+			hexdump("input stage 0: ", ctx->DT, DEFAULT_BLK_SZ);
 			break;
 		case 1:
 			/*
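Review bot: the replacement `hexdump("input stage 0: ", ctx->DT, DEFAULT_BLK_SZ);` prints the same buffer that "Input DT" already printed just above the loop, so it adds no information. Either drop it, or, if the aim is to keep I visible for comparison with the NIST vectors, print tmp after the stage-0 encryption instead, since tmp is where the value now lands.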
@@ -120,9 +123,9 @@  static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 			 * in (no longer used) V until we have done the
 			 * anti-repetition compare.
 			 */
-			xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
-			hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
-			output = ctx->V;
+			xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+			hexdump("input stage 1: ", ctx->V, DEFAULT_BLK_SZ);
+			input = output = ctx->V;
 			break;
 		case 2:
 			/*
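Review bot: `xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);` followed by `input = output = ctx->V;` makes both the XOR and the encryption operate in place on V. That is only correct if xor_vectors tolerates its destination aliasing its second operand and if the cipher's encrypt_one is safe with src == dst; both hold for a byte-by-byte XOR loop and for the single-block cipher API, which is used in place elsewhere in the tree, but a one-line comment stating that in-place use is intended would save the next reader the check.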
@@ -148,15 +151,14 @@  static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 			 * Lastly xor the random data with I
 			 * and encrypt that to obtain a new secret vector V
 			 */
-			xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
-			output = ctx->V;
-			hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
+			xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);
+			hexdump("input stage 2: ", ctx->V, DEFAULT_BLK_SZ);
+			input = output = ctx->V;
 			break;
 		}
 
-
 		/* do the encryption */
-		crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
+		crypto_cipher_encrypt_one(ctx->tfm, output, input);
 	}
 
 	/*
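Review bot: the stage-2 comment "Lastly xor the random data with I" still speaks of ctx->I, which this patch removes; now that the value lives in tmp, say so in the comment (for example "xor the random data with I, still held in tmp"). Stages 1 and 2 are now the same three statements apart from the hexdump label, which is fine for this change but worth noting for a later cleanup.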
@@ -172,7 +174,6 @@  static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
 	ctx->rand_read_pos = 0;
 
 	hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ);
-	hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ);
 	hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ);
 	hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
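Review bot: dropping "Output I" is not forced by the struct change: assuming tmp is the function-scope buffer the loop uses, it still holds the stage-0 result after the loop because stages 1 and 2 write into ctx->V, so `hexdump("Output I: ", tmp, DEFAULT_BLK_SZ);` here would keep I in the debug output for comparison against test vectors, addressing Neil's objection without reintroducing ctx->I.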