<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/crypto/drbg.c, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-15T10:08:47+00:00</updated>
<entry>
<title>crypto: drbg - Remove support for "prediction resistance"</title>
<updated>2026-05-15T10:08:47+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-06T00:02:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bd13e630f9d03510012f1a530f08e9cf533e946a'/>
<id>urn:sha1:bd13e630f9d03510012f1a530f08e9cf533e946a</id>
<content type='text'>
"Prediction resistance", i.e. the property that the RNG's output is
unpredictable even after a state compromise, might sound like a nice
property to have.  In reality, it's not very practical, as it requires
that fresh entropy be pulled on every request.  (The normal Linux RNG
doesn't provide prediction resistance.)  In the case of drbg.c, that
means pulling from "jitterentropy", which is extremely slow.

For some perspective, running a simple benchmark, generating 32 random
bytes takes the following amount of time:

    get_random_bytes(): 90 ns
    drbg_nopr_hmac_sha512: 3707 ns
    drbg_pr_hmac_sha512: 773082 ns

So at least in this case, the "pr" (prediction-resistant) DRBG is over
200 times slower than the "nopr" (non-prediction-resistant) DRBG, or
over 8000 times slower than the normal Linux RNG.  While anyone using
drbg.c has always had to tolerate that it's slower than the normal Linux
RNG, the "pr" DRBG is clearly at another level of slowness.

Thus, the following is also entirely unsurprising:

  - FIPS 140-3 doesn't actually require that SP800-90A DRBG
    implementations support prediction resistance.  The non-prediction
    resistant DRBGs can be, and have been, certified.

  - drbg.c registers "drbg_nopr_hmac_sha512" with a higher cra_priority
    than "drbg_pr_hmac_sha512".  So "drbg_nopr_hmac_sha512" is already
    the one actually being used in practice.

Given these considerations, it's clear that "drbg_pr_hmac_sha512" isn't
actually useful, and it essentially just existed as another curiosity in
the museum of crypto algorithms.  Remove it to simplify the code.

Suggested-by: Joachim Vandersmissen &lt;joachim@jvdsn.com&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Rename MAX_ADDTL =&gt; MAX_ADDTL_BYTES</title>
<updated>2026-05-15T10:08:47+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-05-06T00:02:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=97b376ac3c23cf7f64c38d04653b40a93414b94b'/>
<id>urn:sha1:97b376ac3c23cf7f64c38d04653b40a93414b94b</id>
<content type='text'>
Give this constant a name which is clearer and consistent with
DRBG_MAX_REQUEST_BYTES.  No functional change.

Suggested-by: Joachim Vandersmissen &lt;joachim@jvdsn.com&gt;
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Clean up loop in drbg_hmac_update()</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=58d0b2b90796d603b01afb8eeaeb14c58131ad57'/>
<id>urn:sha1:58d0b2b90796d603b01afb8eeaeb14c58131ad57</id>
<content type='text'>
This loop is a bit hard to read, with the loop counter that's used in
the HMAC being separate from the actual loop counter, which counts
backwards for some reason.  Just replace it with a regular loop.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Clean up generation code</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7cca456c3e6a0fefc752e9e93634aa63545d6a68'/>
<id>urn:sha1:7cca456c3e6a0fefc752e9e93634aa63545d6a68</id>
<content type='text'>
A few miscellaneous cleanups to make the code a bit more readable:

  - Replace (buf, buflen) with (out, outlen)
  - Update (out, outlen) as we go along
  - Use size_t for lengths
  - Use min()
  - Adjust some comments and log messages
  - Rename a variable named 'len' to 'err', since it isn't a length

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Remove redundant reseeding based on random.c state</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a918c3680d2ea1d3c2df589397c0ffd4dac2ceaa'/>
<id>urn:sha1:a918c3680d2ea1d3c2df589397c0ffd4dac2ceaa</id>
<content type='text'>
We're now incorporating 32 bytes from get_random_bytes() in the
additional input string on every request.  The additional input string
is processed with a call to drbg_hmac_update(), which is exactly how the
seed is processed.  Thus, in reality this is as good as a reseed.

From the perspective of FIPS 140-3, it isn't as good as a reseed.  But
it doesn't actually matter, because from FIPS's point of view
get_random_bytes() provides zero entropy anyway.

Thus, neither the reseed with more get_random_bytes() every 300s, nor
the logic that reseeds more frequently before rng_is_initialized(), is
actually needed anymore.  Remove it to simplify the code significantly.

(Technically the use of get_random_bytes() in drbg_seed() itself could
be removed too.  But it's safer to keep it there for now.)

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Change DRBG_MAX_REQUESTS to 4096</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=005b19f18ea9fc51fc35fbcb27759ae83c7c89f8'/>
<id>urn:sha1:005b19f18ea9fc51fc35fbcb27759ae83c7c89f8</id>
<content type='text'>
Currently a formal reseed happens only after each 1048576 requests.

That's quite a high number.  Let's follow the example of BoringSSL and
use a more conservative value of 4096.

Note that in practice this makes little difference, now that we're
including 32 bytes from get_random_bytes() in the additional input on
every request anyway, which is a de facto reseed.

But for the same reason, we might as well decrease the actual reseed
interval to something more reasonable.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Include get_random_bytes() output in additional input</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ca659874af31c6c6e1c5992475b88be8cb65d484'/>
<id>urn:sha1:ca659874af31c6c6e1c5992475b88be8cb65d484</id>
<content type='text'>
Woodage &amp; Shumow (2018) (https://eprint.iacr.org/2018/349.pdf) showed
that contrary to the claims made by NIST in SP800-90A, HMAC_DRBG doesn't
satisfy the formal definition of forward secrecy (i.e. "backtracking
resistance") when it's called with an empty additional input string.

The actual attack seems pretty benign, as it doesn't actually give the
attacker any previous RNG output, but rather just allows them to test
whether their guess of the previous block of RNG output is correct.
Regardless, it's an annoying design flaw, and it's yet another example
of why NIST's DRBGs aren't all that great.

Meanwhile, the kernel's HMAC_DRBG code also tries to reseed itself
automatically after random.c has reseeded itself.  But the
implementation is buggy, as it just checks whether 300 seconds have
elapsed, rather than looking at the actual generation counter.

Let's just follow the example of BoringSSL and use the conservative
approach of always including 32 bytes of "regular" random data in the
additional input string.  This fixes both issues described above.

This does reduce performance.  But this should be tolerable, since:

  - Due to earlier changes, the kernel code that was previously using
    drbg.c regardless of FIPS mode is now using it only in FIPS mode.

  - The additional input string is processed only once per request.  So
    if a lot of bytes are generated at once, the cost is amortized.

  - The NIST DRBGs are notoriously slow anyway.

Note that this fix should have no impact (either positive or negative)
on FIPS 140 certifiability.  From FIPS's point of view the code added by
this commit simply doesn't matter: it adds zero entropy to something
that doesn't need to contain entropy.

Fixes: 541af946fe13 ("crypto: drbg - SP800-90A Deterministic Random Bit Generator")
Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Simplify "uninstantiate" logic</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b87c8286bfe63c176b9af59b5ca1c98005312bd8'/>
<id>urn:sha1:b87c8286bfe63c176b9af59b5ca1c98005312bd8</id>
<content type='text'>
drbg_kcapi_seed() calls drbg_uninstantiate() only to free drbg-&gt;jent and
set drbg-&gt;instantiated = false.  However, the latter is necessary only
because drbg_kcapi_seed() sets drbg-&gt;instantiated = true too early.  Fix
that, then just inline the freeing of drbg-&gt;jent.

Then, simplify the actual "uninstantiate" in drbg_kcapi_exit().  Just
free drbg-&gt;jent (note that this is a no-op on error and null pointers),
then memzero_explicit() the entire drbg_state.

Note that in reality the memzero_explicit() is redundant, since the
crypto_rng API zeroizes the memory anyway.  But the way SP800-90A is
worded, it's easy to imagine that someone assessing conformance with it
would be looking for code in drbg.c that says it does an "Uninstantiate"
and does the zeroization.  So it's probably worth keeping it somewhat
explicit, even though that means double zeroization in practice.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Fold drbg_prepare_hrng() into drbg_kcapi_seed()</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2b30c567603b6e12f153dc7f584d3be87a96be35'/>
<id>urn:sha1:2b30c567603b6e12f153dc7f584d3be87a96be35</id>
<content type='text'>
Fold drbg_prepare_hrng() into its only caller.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: drbg - Separate "reseed" case in drbg_kcapi_seed()</title>
<updated>2026-05-07T08:10:01+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@kernel.org</email>
</author>
<published>2026-04-20T06:34:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ad8883374f34809f04d6839b9e7efe0afa5e92cd'/>
<id>urn:sha1:ad8883374f34809f04d6839b9e7efe0afa5e92cd</id>
<content type='text'>
Clearly separate the code for the "reseed" and "instantiate" cases,
since what they need to do is quite different.

Note that the mutex guard makes the mutex start being held during the
call to drbg_uninstantiate(), which is fine.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
</feed>
