Skip to content

Commit 074bcd4

Browse files
nicstangeherbertx
authored andcommitted
crypto: drbg - make reseeding from get_random_bytes() synchronous
get_random_bytes() usually hasn't full entropy available by the time DRBG instances are first getting seeded from it during boot. Thus, the DRBG implementation registers random_ready_callbacks which would in turn schedule some work for reseeding the DRBGs once get_random_bytes() has sufficient entropy available. For reference, the relevant history around handling DRBG (re)seeding in the context of a not yet fully seeded get_random_bytes() is: commit 16b369a ("random: Blocking API for accessing nonblocking_pool") commit 4c78799 ("crypto: drbg - add async seeding operation") commit 205a525 ("random: Add callback API for random pool readiness") commit 57225e6 ("crypto: drbg - Use callback API for random readiness") commit c271950 ("random: Remove kernel blocking API") However, some time later, the initialization state of get_random_bytes() has been made queryable via rng_is_initialized() introduced with commit 9a47249 ("random: Make crng state queryable"). This primitive now allows for streamlining the DRBG reseeding from get_random_bytes() by replacing that aforementioned asynchronous work scheduling from random_ready_callbacks with some simpler, synchronous code in drbg_generate() next to the related logic already present therein. Apart from improving overall code readability, this change will also enable DRBG users to rely on wait_for_random_bytes() for ensuring that the initial seeding has completed, if desired. The previous patches already laid the grounds by making drbg_seed() to record at each DRBG instance whether it was being seeded at a time when rng_is_initialized() still had been false as indicated by ->seeded == DRBG_SEED_STATE_PARTIAL. All that remains to be done now is to make drbg_generate() check for this condition, determine whether rng_is_initialized() has flipped to true in the meanwhile and invoke a reseed from get_random_bytes() if so. Make this move: - rename the former drbg_async_seed() work handler, i.e. the one in charge of reseeding a DRBG instance from get_random_bytes(), to "drbg_seed_from_random()", - change its signature as appropriate, i.e. make it take a struct drbg_state rather than a work_struct and change its return type from "void" to "int" in order to allow for passing error information from e.g. its __drbg_seed() invocation onwards to callers, - make drbg_generate() invoke this drbg_seed_from_random() once it encounters a DRBG instance with ->seeded == DRBG_SEED_STATE_PARTIAL by the time rng_is_initialized() has flipped to true and - prune everything related to the former, random_ready_callback based mechanism. As drbg_seed_from_random() is now getting invoked from drbg_generate() with the ->drbg_mutex being held, it must not attempt to recursively grab it once again. Remove the corresponding mutex operations from what is now drbg_seed_from_random(). Furthermore, as drbg_seed_from_random() can now report errors directly to its caller, there's no need for it to temporarily switch the DRBG's ->seeded state to DRBG_SEED_STATE_UNSEEDED so that a failure of the subsequently invoked __drbg_seed() will get signaled to drbg_generate(). Don't do it then. Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent 262d83a commit 074bcd4

2 files changed

Lines changed: 11 additions & 53 deletions

File tree

crypto/drbg.c

Lines changed: 11 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -1087,12 +1087,10 @@ static inline int drbg_get_random_bytes(struct drbg_state *drbg,
10871087
return 0;
10881088
}
10891089

1090-
static void drbg_async_seed(struct work_struct *work)
1090+
static int drbg_seed_from_random(struct drbg_state *drbg)
10911091
{
10921092
struct drbg_string data;
10931093
LIST_HEAD(seedlist);
1094-
struct drbg_state *drbg = container_of(work, struct drbg_state,
1095-
seed_work);
10961094
unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
10971095
unsigned char entropy[32];
10981096
int ret;
@@ -1103,23 +1101,15 @@ static void drbg_async_seed(struct work_struct *work)
11031101
drbg_string_fill(&data, entropy, entropylen);
11041102
list_add_tail(&data.list, &seedlist);
11051103

1106-
mutex_lock(&drbg->drbg_mutex);
1107-
11081104
ret = drbg_get_random_bytes(drbg, entropy, entropylen);
11091105
if (ret)
1110-
goto unlock;
1111-
1112-
/* Reset ->seeded so that if __drbg_seed fails the next
1113-
* generate call will trigger a reseed.
1114-
*/
1115-
drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1116-
1117-
__drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1106+
goto out;
11181107

1119-
unlock:
1120-
mutex_unlock(&drbg->drbg_mutex);
1108+
ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
11211109

1110+
out:
11221111
memzero_explicit(entropy, entropylen);
1112+
return ret;
11231113
}
11241114

11251115
/*
@@ -1422,6 +1412,11 @@ static int drbg_generate(struct drbg_state *drbg,
14221412
goto err;
14231413
/* 9.3.1 step 7.4 */
14241414
addtl = NULL;
1415+
} else if (rng_is_initialized() &&
1416+
drbg->seeded == DRBG_SEED_STATE_PARTIAL) {
1417+
len = drbg_seed_from_random(drbg);
1418+
if (len)
1419+
goto err;
14251420
}
14261421

14271422
if (addtl && 0 < addtl->len)
@@ -1514,45 +1509,15 @@ static int drbg_generate_long(struct drbg_state *drbg,
15141509
return 0;
15151510
}
15161511

1517-
static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1518-
{
1519-
struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1520-
random_ready);
1521-
1522-
schedule_work(&drbg->seed_work);
1523-
}
1524-
15251512
static int drbg_prepare_hrng(struct drbg_state *drbg)
15261513
{
1527-
int err;
1528-
15291514
/* We do not need an HRNG in test mode. */
15301515
if (list_empty(&drbg->test_data.list))
15311516
return 0;
15321517

15331518
drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
15341519

1535-
INIT_WORK(&drbg->seed_work, drbg_async_seed);
1536-
1537-
drbg->random_ready.owner = THIS_MODULE;
1538-
drbg->random_ready.func = drbg_schedule_async_seed;
1539-
1540-
err = add_random_ready_callback(&drbg->random_ready);
1541-
1542-
switch (err) {
1543-
case 0:
1544-
break;
1545-
1546-
case -EALREADY:
1547-
err = 0;
1548-
fallthrough;
1549-
1550-
default:
1551-
drbg->random_ready.func = NULL;
1552-
return err;
1553-
}
1554-
1555-
return err;
1520+
return 0;
15561521
}
15571522

15581523
/*
@@ -1646,11 +1611,6 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
16461611
*/
16471612
static int drbg_uninstantiate(struct drbg_state *drbg)
16481613
{
1649-
if (drbg->random_ready.func) {
1650-
del_random_ready_callback(&drbg->random_ready);
1651-
cancel_work_sync(&drbg->seed_work);
1652-
}
1653-
16541614
if (!IS_ERR_OR_NULL(drbg->jent))
16551615
crypto_free_rng(drbg->jent);
16561616
drbg->jent = NULL;

include/crypto/drbg.h

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -137,12 +137,10 @@ struct drbg_state {
137137
bool pr; /* Prediction resistance enabled? */
138138
bool fips_primed; /* Continuous test primed? */
139139
unsigned char *prev; /* FIPS 140-2 continuous test value */
140-
struct work_struct seed_work; /* asynchronous seeding support */
141140
struct crypto_rng *jent;
142141
const struct drbg_state_ops *d_ops;
143142
const struct drbg_core *core;
144143
struct drbg_string test_data;
145-
struct random_ready_callback random_ready;
146144
};
147145

148146
static inline __u8 drbg_statelen(struct drbg_state *drbg)

0 commit comments

Comments
 (0)