Message ID | 20141202083707.17996.qmail@ns.horizon.com (mailing list archive)
---|---
State | Superseded
Delegated to: | Herbert Xu
On Tue, Dec 02, 2014 at 03:37:07AM -0500, George Spelvin wrote:
> It's also not necessary.  We do have to change some debugging
> output.
>
> Signed-off-by: George Spelvin <linux@horizon.com>
> ---
>  crypto/ansi_cprng.c | 39 ++++++++++++++++++++-------------------
>  1 file changed, 20 insertions(+), 19 deletions(-)
>

I'm only ok with removing I if you can continue to be able to output it.
Given that I is listed as part of the test sequences that NIST provides,
I'd like to be able to compare the values.

Neil
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
> I'm only ok with removing I if you can continue to be able to output it.
> given that I is listed as part of the test sequences that NIST provides,
> I'd like to be able to compare the values.

I can do that easily, but I can't print the *input* I, which
is the result of encrypting the previous DT, as it's thrown
away earlier.

You'd have to look further back in the debug messages to find it.

Is changing the format of the debug messages okay?  I'd like the debug
messages to describe the code, but I don't know if you have something
that parses the current output.

The test output I see on p. 33 of
http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
doesn't include I.  Can you point me to a sample that includes I?

It might be best to more significantly rework the debug messages to
resemble the NIST test vectors.
On Tue, Dec 02, 2014 at 03:03:38PM -0500, George Spelvin wrote:
> > I'm only ok with removing I if you can continue to be able to output it.
> > given that I is listed as part of the test sequences that NIST provides,
> > I'd like to be able to compare the values.
>
> I can do that easily, but I can't print the *input* I, which
> is the result of encrypting the previous DT, as it's thrown
> away earlier.
>
> You'd have to look further back in the debug messages to find it.
>
> Is changing the format of the debug messages okay?  I'd like the debug
> messages to describe the code, but I don't know if you have something
> that parses the current output.
>

I'm fine with changing the output, as I don't think anything particularly
relies on the format, but I can't speak for others

Neil

> The test output I see on p. 33 of
> http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
> doesn't include I.  Can you point me to a sample that includes I?
>
> It might be best to more significantly rework the debug messages to
> resemble the NIST test vectors.
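The three-stage state machine the patch reworks (I = E_K(DT), R = E_K(I xor V), V = E_K(I xor R), plus the anti-repetition compare), as an added Python illustration that is not the kernel's ansi_cprng.c and not code from anyone in this thread. It keeps the intermediate I in a per-call record alongside the Key/DT/V/R fields of a NIST RNGVS vector, which is the point raised above: I is otherwise a temporary that is gone by the time the next call's "Input" lines are printed. Assumptions: AES is not in the Python standard library, so a constructed 4-round SHA-256 Feistel permutation stands in for the block cipher; the class and function names (`X931Generator`, `feistel_encrypt`, `format_vector`) are this example's own; DT is advanced as a plain counter, as the patch's comment describes, with the byte order being this example's choice.

```python
import hashlib
from dataclasses import dataclass, field

BLK_SZ = 16  # block size of the underlying cipher (DEFAULT_BLK_SZ in the kernel module)


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the stand-in cipher: SHA-256(key || round || half), 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher, constructed for this example only: a 4-round
    balanced Feistel network over SHA-256. It is a keyed permutation, which is all
    the generator structure needs, but it is NOT AES and not what the kernel uses."""
    assert len(block) == BLK_SZ
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = _round_fn(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of feistel_encrypt; here only to show the stand-in really is a permutation."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = _round_fn(key, rnd, left)
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


def xor_vectors(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length blocks (the kernel helper of the same name)."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class X931Generator:
    key: bytes
    V: bytes                 # seed / state vector
    DT: bytes                # "date/time" block, used as a counter as in the kernel module
    rand_data: bytes = b""   # previous output block, kept for the continuity test
    vectors: list = field(default_factory=list)  # per-call record in NIST RNGVS field names

    def generate_block(self) -> bytes:
        key, dt_in, v_in = self.key, self.DT, self.V
        # Stage 0: I = E_K(DT). This is the value the thread wants to keep visible.
        I = feistel_encrypt(key, dt_in)
        # Stage 1: R = E_K(I xor V), the candidate output block.
        R = feistel_encrypt(key, xor_vectors(I, v_in))
        # Anti-repetition compare: an output block identical to the previous one is rejected.
        if R == self.rand_data:
            raise RuntimeError("continuity test failed: repeated output block")
        # Stage 2: V = E_K(I xor R), the new secret state vector.
        self.V = feistel_encrypt(key, xor_vectors(I, R))
        self.rand_data = R
        # Keep Key/DT/V/R (the RNGVS fields) and I, which the spec vectors omit.
        self.vectors.append({"Key": key, "DT": dt_in, "V": v_in, "R": R, "I": I})
        # Advance the counter; big-endian increment is this example's choice.
        nxt = (int.from_bytes(dt_in, "big") + 1) % (1 << (8 * BLK_SZ))
        self.DT = nxt.to_bytes(BLK_SZ, "big")
        return R

    def format_vector(self, n: int) -> str:
        """Render call n as 'Name = hex' lines, the layout of the NIST RNGVS files."""
        return "\n".join(f"{name} = {val.hex()}" for name, val in self.vectors[n].items())


if __name__ == "__main__":
    # Constructed seed values, not test vectors from any standard.
    gen = X931Generator(key=bytes(range(16)), V=bytes(16), DT=bytes(16))
    for _ in range(2):
        gen.generate_block()
    for n in range(len(gen.vectors)):
        print(f"COUNT = {n}\n{gen.format_vector(n)}\n")
```

Printing the record after each call, rather than dumping "Input"/"Output" buffers at the boundaries of the call, is what lets a reader line the output up with a Key/DT/V/R vector file and still see I.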
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c index c0a27288..6b844f13 100644 --- a/crypto/ansi_cprng.c +++ b/crypto/ansi_cprng.c @@ -35,19 +35,22 @@ #define PRNG_NEED_RESET 0x2 /* - * Note: DT is our counter value - * I is our intermediate value - * V is our seed vector + * Note: In addition to the fixed encryption key, there are three + * block-sized state buffers: + * 1. rand_data is the current output data (R in the spec). + * 2. V is our main state vector + * 3. DT is the current "data/time" used for seeding. The fact that + * this is a deterministic counter rather than an actual timestamp + * (with some small amount of seed entropy) means that this code is + * NOT an implmentation of X9.31. + * * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf * for implementation details */ - - struct prng_context { spinlock_t prng_lock; unsigned char rand_data[DEFAULT_BLK_SZ]; unsigned char DT[DEFAULT_BLK_SZ]; - unsigned char I[DEFAULT_BLK_SZ]; unsigned char V[DEFAULT_BLK_SZ]; u32 rand_read_pos; /* Offset into rand_data[] */ struct crypto_cipher *tfm; @@ -93,13 +96,13 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) ctx); hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ); - hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ); hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ); /* * This algorithm is a 3 stage state machine */ for (i = 0; i < 3; i++) { + unsigned char const *input; unsigned char *output; switch (i) { @@ -108,9 +111,9 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) * Start by encrypting the counter value * This gives us an intermediate value I */ - memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ); - output = ctx->I; - hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ); + input = ctx->DT; + output = tmp; + hexdump("input stage 0: ", ctx->DT, DEFAULT_BLK_SZ); break; case 1: /* 
@@ -120,9 +123,9 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) * in (no longer used) V until we have done the * anti-repetition compare. */ - xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ); - hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ); - output = ctx->V; + xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ); + hexdump("input stage 1: ", ctx->V, DEFAULT_BLK_SZ); + input = output = ctx->V; break; case 2: /* @@ -148,15 +151,14 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) * Lastly xor the random data with I * and encrypt that to obtain a new secret vector V */ - xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ); - output = ctx->V; - hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ); + xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ); + hexdump("input stage 2: ", ctx->V, DEFAULT_BLK_SZ); + input = output = ctx->V; break; } - /* do the encryption */ - crypto_cipher_encrypt_one(ctx->tfm, output, tmp); + crypto_cipher_encrypt_one(ctx->tfm, output, input); } /* @@ -172,7 +174,6 @@ static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test) ctx->rand_read_pos = 0; hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ); - hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ); hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ); hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
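Review bot: the replacement header comment in the first hunk has a typo, "NOT an implmentation of X9.31" should read "implementation", and item 2, "V is our main state vector", lacks the terminating period the neighbouring items have; worth fixing in the same respin since this is the comment readers hit first.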
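Review bot: with `output = tmp;` in `case 0`, the intermediate I now exists only in `tmp` and is never dumped: the `hexdump("Input I: ", ...)` and `hexdump("Output I: ", ...)` lines are removed without a replacement, and the new `hexdump("input stage 0: ", ctx->DT, DEFAULT_BLK_SZ);` repeats the `Input DT` dump a few lines above it. Given the request in this thread to keep I comparable with the NIST sequences, one dump of `tmp` right after the stage-0 `crypto_cipher_encrypt_one(ctx->tfm, output, input);` (guarded by `if (i == 0)`) would restore it. Also, `unsigned char const *input;` has no initializer and the `switch (i)` has no `default:`, so some compilers will warn that `input` may be used uninitialized at the `crypto_cipher_encrypt_one()` call; initialising it at the declaration avoids the warning.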
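Review bot: stages 1 and 2 now XOR in place (`xor_vectors(tmp, ctx->V, ctx->V, DEFAULT_BLK_SZ);`) and then encrypt in place (`input = output = ctx->V;`), so the result depends on `xor_vectors()` being safe when its destination aliases its second operand and on `crypto_cipher_encrypt_one()` accepting src == dst for every cipher this PRNG can be bound to; neither function body is in these hunks. If both are known to be aliasing-safe, a one-line comment at the `input = output = ctx->V;` sites stating that assumption would help the next reader. Separately, dropping the `/* do the encryption */` comment saves nothing and made the end of the loop harder to scan.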
It's also not necessary.  We do have to change some debugging
output.

Signed-off-by: George Spelvin <linux@horizon.com>
---
 crypto/ansi_cprng.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)