kernel_optimize_test/include/crypto
Nicolai Stange 44f1ce5530 crypto: drbg - make reseeding from get_random_bytes() synchronous
commit 074bcd4000e0d812bc253f86fedc40f81ed59ccc upstream.

get_random_bytes() usually hasn't full entropy available by the time DRBG
instances are first getting seeded from it during boot. Thus, the DRBG
implementation registers random_ready_callbacks which would in turn
schedule some work for reseeding the DRBGs once get_random_bytes() has
sufficient entropy available.

For reference, the relevant history around handling DRBG (re)seeding in
the context of a not yet fully seeded get_random_bytes() is:

  commit 16b369a91d ("random: Blocking API for accessing
                        nonblocking_pool")
  commit 4c7879907e ("crypto: drbg - add async seeding operation")

  commit 205a525c33 ("random: Add callback API for random pool
                        readiness")
  commit 57225e6797 ("crypto: drbg - Use callback API for random
                        readiness")
  commit c2719503f5 ("random: Remove kernel blocking API")

However, some time later, the initialization state of get_random_bytes()
has been made queryable via rng_is_initialized() introduced with commit
9a47249d44 ("random: Make crng state queryable"). This primitive now
allows for streamlining the DRBG reseeding from get_random_bytes() by
replacing that aforementioned asynchronous work scheduling from
random_ready_callbacks with some simpler, synchronous code in
drbg_generate() next to the related logic already present therein. Apart
from improving overall code readability, this change will also enable DRBG
users to rely on wait_for_random_bytes() for ensuring that the initial
seeding has completed, if desired.

The previous patches already laid the grounds by making drbg_seed() to
record at each DRBG instance whether it was being seeded at a time when
rng_is_initialized() still had been false as indicated by
->seeded == DRBG_SEED_STATE_PARTIAL.

All that remains to be done now is to make drbg_generate() check for this
condition, determine whether rng_is_initialized() has flipped to true in
the meanwhile and invoke a reseed from get_random_bytes() if so.

Make this move:
- rename the former drbg_async_seed() work handler, i.e. the one in charge
  of reseeding a DRBG instance from get_random_bytes(), to
  "drbg_seed_from_random()",
- change its signature as appropriate, i.e. make it take a struct
  drbg_state rather than a work_struct and change its return type from
  "void" to "int" in order to allow for passing error information from
  e.g. its __drbg_seed() invocation onwards to callers,
- make drbg_generate() invoke this drbg_seed_from_random() once it
  encounters a DRBG instance with ->seeded == DRBG_SEED_STATE_PARTIAL by
  the time rng_is_initialized() has flipped to true and
- prune everything related to the former, random_ready_callback based
  mechanism.

As drbg_seed_from_random() is now getting invoked from drbg_generate() with
the ->drbg_mutex being held, it must not attempt to recursively grab it
once again. Remove the corresponding mutex operations from what is now
drbg_seed_from_random(). Furthermore, as drbg_seed_from_random() can now
report errors directly to its caller, there's no need for it to temporarily
switch the DRBG's ->seeded state to DRBG_SEED_STATE_UNSEEDED so that a
failure of the subsequently invoked __drbg_seed() will get signaled to
drbg_generate(). Don't do it then.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[Jason: for stable, undid the modifications for the backport of 5acd3548.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-06 08:42:42 +02:00
..
internal lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI 2022-05-30 09:33:26 +02:00
acompress.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
aead.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
aes.h
akcipher.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
algapi.h crypto: algapi - Remove skbuff.h inclusion 2020-08-20 14:04:28 +10:00
arc4.h
asym_tpm_subtype.h
authenc.h
b128ops.h
blake2s.h lib/crypto: blake2s: move hmac construction into wireguard 2022-05-30 09:33:26 +02:00
blowfish.h
cast_common.h
cast5.h
cast6.h crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
chacha.h random: early initialization of ChaCha constants 2022-05-30 09:33:28 +02:00
chacha20poly1305.h crypto: lib/chacha20poly1305 - Add missing function declaration 2020-07-16 21:49:04 +10:00
cryptd.h
ctr.h
curve25519.h crypto: curve25519 - do not pollute dispatcher based on assembler 2020-04-09 00:01:59 +09:00
des.h
dh.h
drbg.h crypto: drbg - make reseeding from get_random_bytes() synchronous 2022-06-06 08:42:42 +02:00
ecdh.h
engine.h crypto: engine - support for batch requests 2020-05-08 15:30:40 +10:00
gcm.h
gf128mul.h mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
ghash.h
hash_info.h
hash.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
hmac.h
if_alg.h crypto: af_alg - add extra parameters for DRBG interface 2020-09-25 17:48:52 +10:00
kpp.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
md5.h
nhpoly1305.h crypto: poly1305 - add new 32 and 64-bit generic versions 2020-01-16 15:18:12 +08:00
null.h
padlock.h
pcrypt.h
pkcs7.h
poly1305.h crypto: poly1305 - fix poly1305_core_setkey() declaration 2021-05-14 09:50:13 +02:00
public_key.h crypto: public_key: fix overflow during implicit conversion 2021-09-18 13:40:08 +02:00
rng.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
scatterwalk.h
serpent.h crypto: x86 - Regularize glue function prototypes 2019-12-11 16:36:54 +08:00
sha.h crypto: lib/sha256 - add sha256() function 2020-07-16 21:49:05 +10:00
sha1_base.h
sha3.h
sha256_base.h crypto: lib/sha256 - return void 2020-05-08 15:32:12 +10:00
sha512_base.h
skcipher.h crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-11 14:47:16 +02:00
sm2.h crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm 2020-09-25 17:48:54 +10:00
sm3_base.h
sm3.h crypto: sm3 - export crypto_sm3_final function 2020-09-25 17:48:53 +10:00
sm4.h
streebog.h
twofish.h crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
xts.h crypto: remove CRYPTO_TFM_RES_WEAK_KEY 2020-01-09 11:30:53 +08:00