From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org,
Stephan Mueller <smueller@chronox.de>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 10/38] crypto: drbg - Fold include/crypto/drbg.h into crypto/drbg.c
Date: Sun, 19 Apr 2026 23:33:54 -0700 [thread overview]
Message-ID: <20260420063422.324906-11-ebiggers@kernel.org> (raw)
In-Reply-To: <20260420063422.324906-1-ebiggers@kernel.org>
include/crypto/drbg.h no longer contains anything that is used
externally to crypto/drbg.c. Therefore, fold it into crypto/drbg.c.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/drbg.c | 132 ++++++++++++-
crypto/testmgr.c | 3 +-
include/crypto/drbg.h | 181 ------------------
.../crypto/chacha20-s390/test-cipher.c | 1 -
4 files changed, 132 insertions(+), 185 deletions(-)
delete mode 100644 include/crypto/drbg.h
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 66d7739469c6..fd1d75addaf7 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -90,18 +90,148 @@
* Usage with personalization and additional information strings
* -------------------------------------------------------------
* Just mix both scenarios above.
*/
-#include <crypto/drbg.h>
#include <crypto/df_sp80090a.h>
#include <crypto/internal/cipher.h>
+#include <crypto/internal/drbg.h>
+#include <crypto/internal/rng.h>
+#include <crypto/hash.h>
+#include <crypto/skcipher.h>
+#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/jiffies.h>
+#include <linux/module.h>
+#include <linux/mutex.h>
+#include <linux/scatterlist.h>
#include <linux/string_choices.h>
#include <linux/unaligned.h>
+struct drbg_state;
+typedef uint32_t drbg_flag_t;
+
+struct drbg_core {
+ drbg_flag_t flags; /* flags for the cipher */
+ __u8 statelen; /* maximum state length */
+ __u8 blocklen_bytes; /* block size of output in bytes */
+ char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
+ /* kernel crypto API backend cipher name */
+ char backend_cra_name[CRYPTO_MAX_ALG_NAME];
+};
+
+struct drbg_state_ops {
+ int (*update)(struct drbg_state *drbg, struct list_head *seed,
+ int reseed);
+ int (*generate)(struct drbg_state *drbg,
+ unsigned char *buf, unsigned int buflen,
+ struct list_head *addtl);
+ int (*crypto_init)(struct drbg_state *drbg);
+ int (*crypto_fini)(struct drbg_state *drbg);
+
+};
+
+enum drbg_seed_state {
+ DRBG_SEED_STATE_UNSEEDED,
+ DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
+ DRBG_SEED_STATE_FULL,
+};
+
+struct drbg_state {
+ struct mutex drbg_mutex; /* lock around DRBG */
+ unsigned char *V; /* internal state 10.1.1.1 1a) */
+ unsigned char *Vbuf;
+ /* hash: static value 10.1.1.1 1b) hmac / ctr: key */
+ unsigned char *C;
+ unsigned char *Cbuf;
+ /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
+ size_t reseed_ctr;
+ size_t reseed_threshold;
+ /* some memory the DRBG can use for its operation */
+ unsigned char *scratchpad;
+ unsigned char *scratchpadbuf;
+ void *priv_data; /* Cipher handle */
+
+ struct crypto_skcipher *ctr_handle; /* CTR mode cipher handle */
+ struct skcipher_request *ctr_req; /* CTR mode request handle */
+ __u8 *outscratchpadbuf; /* CTR mode output scratchpad */
+ __u8 *outscratchpad; /* CTR mode aligned outbuf */
+ struct crypto_wait ctr_wait; /* CTR mode async wait obj */
+ struct scatterlist sg_in, sg_out; /* CTR mode SGLs */
+
+ enum drbg_seed_state seeded; /* DRBG fully seeded? */
+ unsigned long last_seed_time;
+ bool pr; /* Prediction resistance enabled? */
+ struct crypto_rng *jent;
+ const struct drbg_state_ops *d_ops;
+ const struct drbg_core *core;
+ struct drbg_string test_data;
+};
+
+static inline __u8 drbg_statelen(struct drbg_state *drbg)
+{
+ if (drbg && drbg->core)
+ return drbg->core->statelen;
+ return 0;
+}
+
+static inline __u8 drbg_blocklen(struct drbg_state *drbg)
+{
+ if (drbg && drbg->core)
+ return drbg->core->blocklen_bytes;
+ return 0;
+}
+
+static inline __u8 drbg_keylen(struct drbg_state *drbg)
+{
+ if (drbg && drbg->core)
+ return (drbg->core->statelen - drbg->core->blocklen_bytes);
+ return 0;
+}
+
+static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
+{
+ /* SP800-90A requires the limit 2**19 bits, but we return bytes */
+ return (1 << 16);
+}
+
+/*
+ * SP800-90A allows implementations to support additional info / personalization
+ * strings of up to 2**35 bits. Implementations can have a smaller maximum. We
+ * use 2**35 - 16 bits == U32_MAX - 1 bytes so that the max + 1 always fits in a
+ * size_t, allowing drbg_healthcheck_sanity() to verify its enforcement.
+ */
+static inline size_t drbg_max_addtl(struct drbg_state *drbg)
+{
+ return U32_MAX - 1;
+}
+
+static inline size_t drbg_max_requests(struct drbg_state *drbg)
+{
+ /* SP800-90A requires 2**48 maximum requests before reseeding */
+ return (1<<20);
+}
+
+/* DRBG type flags */
+#define DRBG_CTR ((drbg_flag_t)1<<0)
+#define DRBG_HMAC ((drbg_flag_t)1<<1)
+#define DRBG_HASH ((drbg_flag_t)1<<2)
+#define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH)
+/* DRBG strength flags */
+#define DRBG_STRENGTH128 ((drbg_flag_t)1<<3)
+#define DRBG_STRENGTH192 ((drbg_flag_t)1<<4)
+#define DRBG_STRENGTH256 ((drbg_flag_t)1<<5)
+#define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
+ DRBG_STRENGTH256)
+
+enum drbg_prefixes {
+ DRBG_PREFIX0 = 0x00,
+ DRBG_PREFIX1,
+ DRBG_PREFIX2,
+ DRBG_PREFIX3
+};
+
/***************************************************************
* Backend cipher definitions available to DRBG
***************************************************************/
/*
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 35ff2b50e3c2..480368a41cc0 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -26,17 +26,16 @@
#include <linux/prandom.h>
#include <linux/scatterlist.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uio.h>
-#include <crypto/rng.h>
-#include <crypto/drbg.h>
#include <crypto/akcipher.h>
#include <crypto/kpp.h>
#include <crypto/acompress.h>
#include <crypto/sig.h>
#include <crypto/internal/cipher.h>
+#include <crypto/internal/rng.h>
#include <crypto/internal/simd.h>
#include "internal.h"
MODULE_IMPORT_NS("CRYPTO_INTERNAL");
diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h
deleted file mode 100644
index 4fafc69a8ee6..000000000000
--- a/include/crypto/drbg.h
+++ /dev/null
@@ -1,181 +0,0 @@
-/*
- * DRBG based on NIST SP800-90A
- *
- * Copyright Stephan Mueller <smueller@chronox.de>, 2014
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU General Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
- * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
- * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
- * DAMAGE.
- */
-
-#ifndef _DRBG_H
-#define _DRBG_H
-
-
-#include <linux/random.h>
-#include <linux/scatterlist.h>
-#include <crypto/hash.h>
-#include <crypto/skcipher.h>
-#include <linux/module.h>
-#include <linux/crypto.h>
-#include <linux/slab.h>
-#include <crypto/internal/drbg.h>
-#include <crypto/internal/rng.h>
-#include <crypto/rng.h>
-#include <linux/fips.h>
-#include <linux/mutex.h>
-#include <linux/list.h>
-#include <linux/workqueue.h>
-
-struct drbg_state;
-typedef uint32_t drbg_flag_t;
-
-struct drbg_core {
- drbg_flag_t flags; /* flags for the cipher */
- __u8 statelen; /* maximum state length */
- __u8 blocklen_bytes; /* block size of output in bytes */
- char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */
- /* kernel crypto API backend cipher name */
- char backend_cra_name[CRYPTO_MAX_ALG_NAME];
-};
-
-struct drbg_state_ops {
- int (*update)(struct drbg_state *drbg, struct list_head *seed,
- int reseed);
- int (*generate)(struct drbg_state *drbg,
- unsigned char *buf, unsigned int buflen,
- struct list_head *addtl);
- int (*crypto_init)(struct drbg_state *drbg);
- int (*crypto_fini)(struct drbg_state *drbg);
-
-};
-
-enum drbg_seed_state {
- DRBG_SEED_STATE_UNSEEDED,
- DRBG_SEED_STATE_PARTIAL, /* Seeded with !rng_is_initialized() */
- DRBG_SEED_STATE_FULL,
-};
-
-struct drbg_state {
- struct mutex drbg_mutex; /* lock around DRBG */
- unsigned char *V; /* internal state 10.1.1.1 1a) */
- unsigned char *Vbuf;
- /* hash: static value 10.1.1.1 1b) hmac / ctr: key */
- unsigned char *C;
- unsigned char *Cbuf;
- /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */
- size_t reseed_ctr;
- size_t reseed_threshold;
- /* some memory the DRBG can use for its operation */
- unsigned char *scratchpad;
- unsigned char *scratchpadbuf;
- void *priv_data; /* Cipher handle */
-
- struct crypto_skcipher *ctr_handle; /* CTR mode cipher handle */
- struct skcipher_request *ctr_req; /* CTR mode request handle */
- __u8 *outscratchpadbuf; /* CTR mode output scratchpad */
- __u8 *outscratchpad; /* CTR mode aligned outbuf */
- struct crypto_wait ctr_wait; /* CTR mode async wait obj */
- struct scatterlist sg_in, sg_out; /* CTR mode SGLs */
-
- enum drbg_seed_state seeded; /* DRBG fully seeded? */
- unsigned long last_seed_time;
- bool pr; /* Prediction resistance enabled? */
- struct crypto_rng *jent;
- const struct drbg_state_ops *d_ops;
- const struct drbg_core *core;
- struct drbg_string test_data;
-};
-
-static inline __u8 drbg_statelen(struct drbg_state *drbg)
-{
- if (drbg && drbg->core)
- return drbg->core->statelen;
- return 0;
-}
-
-static inline __u8 drbg_blocklen(struct drbg_state *drbg)
-{
- if (drbg && drbg->core)
- return drbg->core->blocklen_bytes;
- return 0;
-}
-
-static inline __u8 drbg_keylen(struct drbg_state *drbg)
-{
- if (drbg && drbg->core)
- return (drbg->core->statelen - drbg->core->blocklen_bytes);
- return 0;
-}
-
-static inline size_t drbg_max_request_bytes(struct drbg_state *drbg)
-{
- /* SP800-90A requires the limit 2**19 bits, but we return bytes */
- return (1 << 16);
-}
-
-/*
- * SP800-90A allows implementations to support additional info / personalization
- * strings of up to 2**35 bits. Implementations can have a smaller maximum. We
- * use 2**35 - 16 bits == U32_MAX - 1 bytes so that the max + 1 always fits in a
- * size_t, allowing drbg_healthcheck_sanity() to verify its enforcement.
- */
-static inline size_t drbg_max_addtl(struct drbg_state *drbg)
-{
- return U32_MAX - 1;
-}
-
-static inline size_t drbg_max_requests(struct drbg_state *drbg)
-{
- /* SP800-90A requires 2**48 maximum requests before reseeding */
- return (1<<20);
-}
-
-/* DRBG type flags */
-#define DRBG_CTR ((drbg_flag_t)1<<0)
-#define DRBG_HMAC ((drbg_flag_t)1<<1)
-#define DRBG_HASH ((drbg_flag_t)1<<2)
-#define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH)
-/* DRBG strength flags */
-#define DRBG_STRENGTH128 ((drbg_flag_t)1<<3)
-#define DRBG_STRENGTH192 ((drbg_flag_t)1<<4)
-#define DRBG_STRENGTH256 ((drbg_flag_t)1<<5)
-#define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \
- DRBG_STRENGTH256)
-
-enum drbg_prefixes {
- DRBG_PREFIX0 = 0x00,
- DRBG_PREFIX1,
- DRBG_PREFIX2,
- DRBG_PREFIX3
-};
-
-#endif /* _DRBG_H */
diff --git a/tools/testing/crypto/chacha20-s390/test-cipher.c b/tools/testing/crypto/chacha20-s390/test-cipher.c
index 827507844e8f..9f61454ed077 100644
--- a/tools/testing/crypto/chacha20-s390/test-cipher.c
+++ b/tools/testing/crypto/chacha20-s390/test-cipher.c
@@ -9,11 +9,10 @@
#include <asm/smp.h>
#include <crypto/skcipher.h>
#include <crypto/akcipher.h>
#include <crypto/acompress.h>
#include <crypto/rng.h>
-#include <crypto/drbg.h>
#include <crypto/kpp.h>
#include <crypto/internal/simd.h>
#include <crypto/chacha.h>
#include <crypto/aead.h>
#include <crypto/hash.h>
--
2.53.0
next prev parent reply other threads:[~2026-04-20 6:37 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 6:33 [PATCH 00/38] Fix and simplify the NIST DRBG implementation Eric Biggers
2026-04-20 6:33 ` [PATCH 01/38] crypto: drbg - Fix returning success on failure in CTR_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 02/38] crypto: drbg - Fix misaligned writes in CTR_DRBG and HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 03/38] crypto: drbg - Fix ineffective sanity check Eric Biggers
2026-04-20 6:33 ` [PATCH 04/38] crypto: drbg - Fix drbg_max_addtl() on 64-bit kernels Eric Biggers
2026-04-20 6:33 ` [PATCH 05/38] crypto: drbg - Fix the fips_enabled priority boost Eric Biggers
2026-04-20 6:33 ` [PATCH 06/38] crypto: drbg - Remove always-enabled symbol CRYPTO_DRBG_HMAC Eric Biggers
2026-04-20 6:33 ` [PATCH 07/38] crypto: drbg - Remove broken commented-out code Eric Biggers
2026-04-20 6:33 ` [PATCH 08/38] crypto: drbg - Remove unhelpful helper functions Eric Biggers
2026-04-20 6:33 ` [PATCH 09/38] crypto: drbg - Remove obsolete FIPS 140-2 continuous test Eric Biggers
2026-04-20 6:33 ` Eric Biggers [this message]
2026-04-20 6:33 ` [PATCH 11/38] crypto: drbg - Remove import of crypto_cipher functions Eric Biggers
2026-04-20 6:33 ` [PATCH 12/38] crypto: drbg - Remove support for CTR_DRBG Eric Biggers
2026-04-20 8:07 ` Geert Uytterhoeven
2026-04-20 14:40 ` Stephan Mueller
2026-04-20 17:47 ` Eric Biggers
2026-04-20 19:54 ` Stephan Mueller
2026-04-20 20:56 ` Eric Biggers
2026-04-20 20:58 ` Stephan Mueller
2026-04-20 6:33 ` [PATCH 13/38] crypto: drbg - Remove support for HASH_DRBG Eric Biggers
2026-04-20 6:33 ` [PATCH 14/38] crypto: drbg - Flatten the DRBG menu Eric Biggers
2026-04-20 6:33 ` [PATCH 15/38] crypto: testmgr - Add test for drbg_pr_hmac_sha512 Eric Biggers
2026-04-20 16:04 ` Joachim Vandersmissen
2026-04-20 17:06 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 16/38] crypto: testmgr - Update test for drbg_nopr_hmac_sha512 Eric Biggers
2026-04-20 6:34 ` [PATCH 17/38] crypto: drbg - Remove support for HMAC-SHA256 and HMAC-SHA384 Eric Biggers
2026-04-20 6:34 ` [PATCH 18/38] crypto: drbg - Simplify algorithm registration Eric Biggers
2026-04-20 6:34 ` [PATCH 19/38] crypto: drbg - De-virtualize drbg_state_ops Eric Biggers
2026-04-20 6:34 ` [PATCH 20/38] crypto: drbg - Move fixed values into constants Eric Biggers
2026-04-20 16:06 ` Joachim Vandersmissen
2026-04-20 6:34 ` [PATCH 21/38] crypto: drbg - Embed V and C into struct drbg_state Eric Biggers
2026-04-20 6:34 ` [PATCH 22/38] crypto: drbg - Use HMAC-SHA512 library API Eric Biggers
2026-04-20 6:34 ` [PATCH 23/38] crypto: drbg - Remove drbg_core Eric Biggers
2026-04-20 6:34 ` [PATCH 24/38] crypto: drbg - Install separate seed functions for pr and nopr Eric Biggers
2026-04-20 6:34 ` [PATCH 25/38] crypto: drbg - Move module aliases to end of file Eric Biggers
2026-04-20 6:34 ` [PATCH 26/38] crypto: drbg - Consolidate "instantiate" logic and remove drbg_state::C Eric Biggers
2026-04-20 6:34 ` [PATCH 27/38] crypto: drbg - Eliminate use of 'drbg_string' and lists Eric Biggers
2026-04-20 6:34 ` [PATCH 28/38] crypto: drbg - Simplify drbg_generate_long() and fold into caller Eric Biggers
2026-04-20 6:34 ` [PATCH 29/38] crypto: drbg - Put rng_alg methods in logical order Eric Biggers
2026-04-20 6:34 ` [PATCH 30/38] crypto: drbg - Fold drbg_instantiate() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 31/38] crypto: drbg - Separate "reseed" case in drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 32/38] crypto: drbg - Fold drbg_prepare_hrng() into drbg_kcapi_seed() Eric Biggers
2026-04-20 6:34 ` [PATCH 33/38] crypto: drbg - Simplify "uninstantiate" logic Eric Biggers
2026-04-20 6:34 ` [PATCH 34/38] crypto: drbg - Include get_random_bytes() output in additional input Eric Biggers
2026-04-20 6:34 ` [PATCH 35/38] crypto: drbg - Change DRBG_MAX_REQUESTS to 4096 Eric Biggers
2026-04-20 6:34 ` [PATCH 36/38] crypto: drbg - Remove redundant reseeding based on random.c state Eric Biggers
2026-04-20 16:48 ` Joachim Vandersmissen
2026-04-20 17:25 ` Eric Biggers
2026-04-20 6:34 ` [PATCH 37/38] crypto: drbg - Clean up generation code Eric Biggers
2026-04-20 6:34 ` [PATCH 38/38] crypto: drbg - Clean up loop in drbg_hmac_update() Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420063422.324906-11-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox