| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251017144311.817771-7-dhowells@redhat.com>
Date: Fri, 17 Oct 2025 15:42:50 +0100
From: David Howells <dhowells@...hat.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: David Howells <dhowells@...hat.com>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Ard Biesheuvel <ardb@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
Stephan Mueller <smueller@...onox.de>,
Lukas Wunner <lukas@...ner.de>,
Ignat Korchagin <ignat@...udflare.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Petr Pavlu <petr.pavlu@...e.com>,
Daniel Gomez <da.gomez@...nel.org>,
Sami Tolvanen <samitolvanen@...gle.com>,
linux-crypto@...r.kernel.org,
keyrings@...r.kernel.org,
linux-modules@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v6 06/17] crypto/jitterentropy: Use lib/crypto/sha3
Make the jitterentropy RNG use lib/crypto/sha3 rather than crypto/sha3.
For some reason it goes absolutely wild if crypto/sha3 is reimplemented
to use lib/crypto/sha3, but it's fine if it uses lib directly.
Signed-off-by: David Howells <dhowells@...hat.com>
cc: Stephan Mueller <smueller@...onox.de>
cc: Herbert Xu <herbert@...dor.apana.org.au>
cc: linux-crypto@...r.kernel.org
---
crypto/jitterentropy-kcapi.c | 100 ++++++++++-------------------------
crypto/jitterentropy.c | 7 +--
crypto/jitterentropy.h | 8 +--
3 files changed, 36 insertions(+), 79 deletions(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index a53de7affe8d..b38118fe51cd 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -101,23 +101,13 @@ void jent_get_nstime(__u64 *out)
jent_raw_hires_entropy_store(tmp);
}
-int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
+int jent_hash_time(struct sha3_256_ctx *hash_state, __u64 time, u8 *addtl,
unsigned int addtl_len, __u64 hash_loop_cnt,
unsigned int stuck)
{
- struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state;
- SHASH_DESC_ON_STACK(desc, hash_state_desc->tfm);
+ struct sha3_256_ctx desc;
u8 intermediary[SHA3_256_DIGEST_SIZE];
__u64 j = 0;
- int ret;
-
- desc->tfm = hash_state_desc->tfm;
-
- if (sizeof(intermediary) != crypto_shash_digestsize(desc->tfm)) {
- pr_warn_ratelimited("Unexpected digest size\n");
- return -EINVAL;
- }
- kmsan_unpoison_memory(intermediary, sizeof(intermediary));
/*
* This loop fills a buffer which is injected into the entropy pool.
@@ -130,24 +120,20 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
*
* Note, it does not matter which or how much data you inject, we are
* interested in one Keccack1600 compression operation performed with
- * the crypto_shash_final.
+ * the sha3_256_final.
*/
for (j = 0; j < hash_loop_cnt; j++) {
- ret = crypto_shash_init(desc) ?:
- crypto_shash_update(desc, intermediary,
- sizeof(intermediary)) ?:
- crypto_shash_finup(desc, addtl, addtl_len, intermediary);
- if (ret)
- goto err;
+ sha3_256_init(&desc);
+ sha3_256_update(&desc, intermediary, sizeof(intermediary));
+ sha3_256_update(&desc, addtl, addtl_len);
+ sha3_256_final(&desc, intermediary);
}
/*
* Inject the data from the previous loop into the pool. This data is
* not considered to contain any entropy, but it stirs the pool a bit.
*/
- ret = crypto_shash_update(hash_state_desc, intermediary, sizeof(intermediary));
- if (ret)
- goto err;
+ sha3_256_update(hash_state, intermediary, sizeof(intermediary));
/*
* Insert the time stamp into the hash context representing the pool.
@@ -162,30 +148,25 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
time = 0;
}
- ret = crypto_shash_update(hash_state_desc, (u8 *)&time, sizeof(__u64));
-
-err:
- shash_desc_zero(desc);
+ sha3_256_update(hash_state, (u8 *)&time, sizeof(__u64));
memzero_explicit(intermediary, sizeof(intermediary));
-
- return ret;
+ return 0;
}
-int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len)
+int jent_read_random_block(struct sha3_256_ctx *hash_state, char *dst, unsigned int dst_len)
{
- struct shash_desc *hash_state_desc = (struct shash_desc *)hash_state;
u8 jent_block[SHA3_256_DIGEST_SIZE];
+
/* Obtain data from entropy pool and re-initialize it */
- int ret = crypto_shash_final(hash_state_desc, jent_block) ?:
- crypto_shash_init(hash_state_desc) ?:
- crypto_shash_update(hash_state_desc, jent_block,
- sizeof(jent_block));
+ sha3_256_final(hash_state, jent_block);
+ sha3_256_init(hash_state);
+ sha3_256_update(hash_state, jent_block, sizeof(jent_block));
- if (!ret && dst_len)
+ if (dst_len)
memcpy(dst, jent_block, dst_len);
memzero_explicit(jent_block, sizeof(jent_block));
- return ret;
+ return 0;
}
/***************************************************************************
@@ -195,8 +176,7 @@ int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len)
struct jitterentropy {
spinlock_t jent_lock;
struct rand_data *entropy_collector;
- struct crypto_shash *tfm;
- struct shash_desc *sdesc;
+ struct sha3_256_ctx *sdesc;
};
static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
@@ -205,16 +185,10 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
spin_lock(&rng->jent_lock);
- if (rng->sdesc) {
- shash_desc_zero(rng->sdesc);
- kfree(rng->sdesc);
- }
+ if (rng->sdesc)
+ kfree_sensitive(rng->sdesc);
rng->sdesc = NULL;
- if (rng->tfm)
- crypto_free_shash(rng->tfm);
- rng->tfm = NULL;
-
if (rng->entropy_collector)
jent_entropy_collector_free(rng->entropy_collector);
rng->entropy_collector = NULL;
@@ -224,9 +198,8 @@ static void jent_kcapi_cleanup(struct crypto_tfm *tfm)
static int jent_kcapi_init(struct crypto_tfm *tfm)
{
struct jitterentropy *rng = crypto_tfm_ctx(tfm);
- struct crypto_shash *hash;
- struct shash_desc *sdesc;
- int size, ret = 0;
+ struct sha3_256_ctx *sdesc;
+ int ret = 0;
spin_lock_init(&rng->jent_lock);
@@ -239,22 +212,13 @@ static int jent_kcapi_init(struct crypto_tfm *tfm)
* using a fast implementation, we would need to call it more often
* as its variations are lower.
*/
- hash = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0);
- if (IS_ERR(hash)) {
- pr_err("Cannot allocate conditioning digest\n");
- return PTR_ERR(hash);
- }
- rng->tfm = hash;
-
- size = sizeof(struct shash_desc) + crypto_shash_descsize(hash);
- sdesc = kmalloc(size, GFP_KERNEL);
+ sdesc = kmalloc(sizeof(struct sha3_256_ctx), GFP_KERNEL);
if (!sdesc) {
ret = -ENOMEM;
goto err;
}
- sdesc->tfm = hash;
- crypto_shash_init(sdesc);
+ sha3_256_init(sdesc);
rng->sdesc = sdesc;
rng->entropy_collector =
@@ -334,23 +298,15 @@ static struct rng_alg jent_alg = {
static int __init jent_mod_init(void)
{
- SHASH_DESC_ON_STACK(desc, tfm);
- struct crypto_shash *tfm;
+ struct sha3_256_ctx desc;
int ret = 0;
jent_testing_init();
- tfm = crypto_alloc_shash(JENT_CONDITIONING_HASH, 0, 0);
- if (IS_ERR(tfm)) {
- jent_testing_exit();
- return PTR_ERR(tfm);
- }
+ sha3_256_init(&desc);
- desc->tfm = tfm;
- crypto_shash_init(desc);
- ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc, NULL);
- shash_desc_zero(desc);
- crypto_free_shash(tfm);
+ ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, &desc, NULL);
+ memzero_explicit(&desc, sizeof(desc));
if (ret) {
/* Handle permanent health test error */
if (fips_enabled)
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 3f93cdc9a7af..36701447cc85 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -68,7 +68,7 @@ struct rand_data {
* of the RNG are marked as SENSITIVE. A user must not
* access that information while the RNG executes its loops to
* calculate the next random value. */
- void *hash_state; /* SENSITIVE hash state entropy pool */
+ struct sha3_256_ctx *hash_state; /* SENSITIVE hash state entropy pool */
__u64 prev_time; /* SENSITIVE Previous time stamp */
__u64 last_delta; /* SENSITIVE stuck test */
__s64 last_delta2; /* SENSITIVE stuck test */
@@ -656,7 +656,7 @@ int jent_read_entropy(struct rand_data *ec, unsigned char *data,
struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
unsigned int flags,
- void *hash_state)
+ struct sha3_256_ctx *hash_state)
{
struct rand_data *entropy_collector;
@@ -704,7 +704,8 @@ void jent_entropy_collector_free(struct rand_data *entropy_collector)
jent_zfree(entropy_collector);
}
-int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state,
+int jent_entropy_init(unsigned int osr, unsigned int flags,
+ struct sha3_256_ctx *hash_state,
struct rand_data *p_ec)
{
/*
diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h
index 4c5dbf2a8d8f..e4acbce79d9d 100644
--- a/crypto/jitterentropy.h
+++ b/crypto/jitterentropy.h
@@ -5,20 +5,20 @@ extern void jent_kvzfree(void *ptr, unsigned int len);
extern void *jent_zalloc(unsigned int len);
extern void jent_zfree(void *ptr);
extern void jent_get_nstime(__u64 *out);
-extern int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
+extern int jent_hash_time(struct sha3_256_ctx *hash_state, __u64 time, u8 *addtl,
unsigned int addtl_len, __u64 hash_loop_cnt,
unsigned int stuck);
-int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len);
+int jent_read_random_block(struct sha3_256_ctx *hash_state, char *dst, unsigned int dst_len);
struct rand_data;
extern int jent_entropy_init(unsigned int osr, unsigned int flags,
- void *hash_state, struct rand_data *p_ec);
+ struct sha3_256_ctx *hash_state, struct rand_data *p_ec);
extern int jent_read_entropy(struct rand_data *ec, unsigned char *data,
unsigned int len);
extern struct rand_data *jent_entropy_collector_alloc(unsigned int osr,
unsigned int flags,
- void *hash_state);
+ struct sha3_256_ctx *hash_state);
extern void jent_entropy_collector_free(struct rand_data *entropy_collector);
#ifdef CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE
Powered by blists - more mailing lists