Lines Matching +full:fips +full:- +full:140 +full:- +full:2
3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following
5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
18 * 2. Redistributions in binary form must reproduce the above copyright
29 * the restrictions contained in a BSD-style copyright.)
46 * The SP 800-90A DRBG allows the user to specify a personalization string
52 * ---------------------------------
63 * -------------------------------------------------------
68 * char personalization[11] = "some-string";
72 * // The reset completely re-initializes the DRBG with the provided
80 * ---------------------------------------------------------------------
84 * char addtl_string[11] = "some-string";
96 * -------------------------------------------------------------
203 * Return strength of DRBG according to SP800-90A section 8.4
225 * FIPS 140-2 continuous self test for the noise source
233 * drbg->drbg_mutex must have been taken.
240 * -EAGAIN on when the CTRNG is not yet primed
246 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); in drbg_fips_continuous_test()
253 if (list_empty(&drbg->test_data.list)) in drbg_fips_continuous_test()
255 /* only perform test in FIPS mode */ in drbg_fips_continuous_test()
259 if (!drbg->fips_primed) { in drbg_fips_continuous_test()
260 /* Priming of FIPS test */ in drbg_fips_continuous_test()
261 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
262 drbg->fips_primed = true; in drbg_fips_continuous_test()
264 return -EAGAIN; in drbg_fips_continuous_test()
266 ret = memcmp(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
269 memcpy(drbg->prev, entropy, entropylen); in drbg_fips_continuous_test()
277 * The byte representation is big-endian
280 * @buf buffer holding the converted integer -- caller must ensure that
291 conversion->conv = cpu_to_be32(val); in drbg_cpu_to_be32()
331 /* 10.4.3 step 2 / 4 */ in drbg_ctr_bcc()
334 const unsigned char *pos = curr->buf; in drbg_ctr_bcc()
335 size_t len = curr->len; in drbg_ctr_bcc()
348 len--; in drbg_ctr_bcc()
364 * start: drbg->scratchpad
367 * blocklen-wise. Now, when the statelen is not a multiple
372 * start: drbg->scratchpad +
397 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
402 int ret = -EFAULT; in drbg_ctr_df()
412 /* 10.4.2 step 7 */ in drbg_ctr_df()
414 /* 10.4.2 step 8 */ in drbg_ctr_df()
428 /* 10.4.2 step 1 is implicit as we work byte-wise */ in drbg_ctr_df()
430 /* 10.4.2 step 2 */ in drbg_ctr_df()
432 return -EINVAL; in drbg_ctr_df()
434 /* 10.4.2 step 2 -- calculate the entire length of all input data */ in drbg_ctr_df()
436 inputlen += seed->len; in drbg_ctr_df()
439 /* 10.4.2 step 3 */ in drbg_ctr_df()
442 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ in drbg_ctr_df()
446 padlen = drbg_blocklen(drbg) - padlen; in drbg_ctr_df()
455 /* 10.4.2 step 4 -- first fill the linked list and then order it */ in drbg_ctr_df()
464 /* 10.4.2 step 9 */ in drbg_ctr_df()
467 * 10.4.2 step 9.1 - the padding is implicit as the buffer in drbg_ctr_df()
468 * holds zeros after allocation -- even the increment of i in drbg_ctr_df()
472 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ in drbg_ctr_df()
476 /* 10.4.2 step 9.3 */ in drbg_ctr_df()
481 /* 10.4.2 step 11 */ in drbg_ctr_df()
485 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ in drbg_ctr_df()
487 /* 10.4.2 step 13 */ in drbg_ctr_df()
492 * 10.4.2 step 13.1: the truncation of the key length is in drbg_ctr_df()
500 (bytes_to_return - generated_len)) ? in drbg_ctr_df()
502 (bytes_to_return - generated_len); in drbg_ctr_df()
503 /* 10.4.2 step 13.2 and 14 */ in drbg_ctr_df()
524 * 2 => first invocation from drbg_ctr_update when addtl is present. In
535 int ret = -EFAULT; in drbg_ctr_update()
537 unsigned char *temp = drbg->scratchpad; in drbg_ctr_update()
538 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + in drbg_ctr_update()
548 * but SP800-90A requires that the counter is incremented before in drbg_ctr_update()
552 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
554 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, in drbg_ctr_update()
560 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ in drbg_ctr_update()
573 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, in drbg_ctr_update()
578 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); in drbg_ctr_update()
580 crypto_inc(drbg->V, drbg_blocklen(drbg)); in drbg_ctr_update()
585 if (2 != reseed) in drbg_ctr_update()
594 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
602 /* 10.2.1.5.2 step 2 */ in drbg_ctr_generate()
604 ret = drbg_ctr_update(drbg, addtl, 2); in drbg_ctr_generate()
609 /* 10.2.1.5.2 step 4.1 */ in drbg_ctr_generate()
614 /* 10.2.1.5.2 step 6 */ in drbg_ctr_generate()
658 int ret = -EFAULT; in drbg_hmac_update()
665 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ in drbg_hmac_update()
666 memset(drbg->V, 1, drbg_statelen(drbg)); in drbg_hmac_update()
667 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
670 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
679 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); in drbg_hmac_update()
681 for (i = 2; 0 < i; i--) { in drbg_hmac_update()
686 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ in drbg_hmac_update()
688 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); in drbg_hmac_update()
691 drbg_kcapi_hmacsetkey(drbg, drbg->C); in drbg_hmac_update()
693 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ in drbg_hmac_update()
694 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); in drbg_hmac_update()
717 /* 10.1.2.5 step 2 */ in drbg_hmac_generate()
724 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); in drbg_hmac_generate()
729 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); in drbg_hmac_generate()
732 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hmac_generate()
733 drbg_blocklen(drbg) : (buflen - len); in drbg_hmac_generate()
736 memcpy(buf + len, drbg->V, outlen); in drbg_hmac_generate()
789 dstptr = dst + (dstlen-1); in drbg_add_buf()
790 addptr = add + (addlen-1); in drbg_add_buf()
795 len--; dstptr--; addptr--; in drbg_add_buf()
797 len = dstlen - addlen; in drbg_add_buf()
802 len--; dstptr--; in drbg_add_buf()
810 * start: drbg->scratchpad
813 * start: drbg->scratchpad + drbg_statelen(drbg)
829 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_df()
836 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ in drbg_hash_df()
849 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? in drbg_hash_df()
850 drbg_blocklen(drbg) : (outlen - len); in drbg_hash_df()
868 unsigned char *V = drbg->scratchpad; in drbg_hash_update()
872 return -EINVAL; in drbg_hash_update()
876 memcpy(V, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
884 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ in drbg_hash_update()
885 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); in drbg_hash_update()
893 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_update()
896 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); in drbg_hash_update()
899 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); in drbg_hash_update()
912 /* 10.1.1.4 step 2 */ in drbg_hash_process_addtl()
916 /* 10.1.1.4 step 2a */ in drbg_hash_process_addtl()
918 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_process_addtl()
922 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_process_addtl()
926 /* 10.1.1.4 step 2b */ in drbg_hash_process_addtl()
927 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_process_addtl()
928 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
931 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_process_addtl()
942 unsigned char *src = drbg->scratchpad; in drbg_hash_hashgen()
943 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); in drbg_hash_hashgen()
947 /* 10.1.1.4 step hashgen 2 */ in drbg_hash_hashgen()
948 memcpy(src, drbg->V, drbg_statelen(drbg)); in drbg_hash_hashgen()
960 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? in drbg_hash_hashgen()
961 drbg_blocklen(drbg) : (buflen - len); in drbg_hash_hashgen()
971 memset(drbg->scratchpad, 0, in drbg_hash_hashgen()
991 /* 10.1.1.4 step 2 */ in drbg_hash_generate()
1002 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); in drbg_hash_generate()
1004 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); in drbg_hash_generate()
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1012 drbg->scratchpad, drbg_blocklen(drbg)); in drbg_hash_generate()
1013 drbg_add_buf(drbg->V, drbg_statelen(drbg), in drbg_hash_generate()
1014 drbg->C, drbg_statelen(drbg)); in drbg_hash_generate()
1015 u.req_int = cpu_to_be64(drbg->reseed_ctr); in drbg_hash_generate()
1016 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); in drbg_hash_generate()
1019 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); in drbg_hash_generate()
1042 int ret = drbg->d_ops->update(drbg, seed, reseed); in __drbg_seed()
1047 drbg->seeded = new_seed_state; in __drbg_seed()
1048 drbg->last_seed_time = jiffies; in __drbg_seed()
1050 drbg->reseed_ctr = 1; in __drbg_seed()
1052 switch (drbg->seeded) { in __drbg_seed()
1061 drbg->reseed_threshold = 50; in __drbg_seed()
1069 drbg->reseed_threshold = drbg_max_requests(drbg); in __drbg_seed()
1085 if (ret && ret != -EAGAIN) in drbg_get_random_bytes()
1096 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_seed_from_random()
1122 if (list_empty(&drbg->test_data.list)) in drbg_nopr_reseed_interval_elapsed()
1133 next_reseed = drbg->last_seed_time + 300 * HZ; in drbg_nopr_reseed_interval_elapsed()
1152 unsigned char entropy[((32 + 16) * 2)]; in drbg_seed()
1153 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); in drbg_seed()
1159 if (pers && pers->len > (drbg_max_addtl(drbg))) { in drbg_seed()
1161 pers->len); in drbg_seed()
1162 return -EINVAL; in drbg_seed()
1165 if (list_empty(&drbg->test_data.list)) { in drbg_seed()
1166 drbg_string_fill(&data1, drbg->test_data.buf, in drbg_seed()
1167 drbg->test_data.len); in drbg_seed()
1173 * to the entropy. A nonce must be at least 1/2 of the security in drbg_seed()
1174 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 in drbg_seed()
1180 entropylen = ((entropylen + 1) / 2) * 3; in drbg_seed()
1181 BUG_ON((entropylen * 2) > sizeof(entropy)); in drbg_seed()
1183 /* Get seed from in-kernel /dev/urandom */ in drbg_seed()
1191 if (!drbg->jent) { in drbg_seed()
1198 * fatal only in FIPS mode. in drbg_seed()
1200 ret = crypto_rng_get_bytes(drbg->jent, in drbg_seed()
1213 * SP800-90A allowing us to treat the in drbg_seed()
1220 if (!reseed || ret != -EAGAIN) in drbg_seed()
1224 drbg_string_fill(&data1, entropy, entropylen * 2); in drbg_seed()
1226 entropylen * 2); in drbg_seed()
1236 if (pers && pers->buf && 0 < pers->len) { in drbg_seed()
1237 list_add_tail(&pers->list, &seedlist); in drbg_seed()
1242 memset(drbg->V, 0, drbg_statelen(drbg)); in drbg_seed()
1243 memset(drbg->C, 0, drbg_statelen(drbg)); in drbg_seed()
1249 memzero_explicit(entropy, entropylen * 2); in drbg_seed()
1259 kfree_sensitive(drbg->Vbuf); in drbg_dealloc_state()
1260 drbg->Vbuf = NULL; in drbg_dealloc_state()
1261 drbg->V = NULL; in drbg_dealloc_state()
1262 kfree_sensitive(drbg->Cbuf); in drbg_dealloc_state()
1263 drbg->Cbuf = NULL; in drbg_dealloc_state()
1264 drbg->C = NULL; in drbg_dealloc_state()
1265 kfree_sensitive(drbg->scratchpadbuf); in drbg_dealloc_state()
1266 drbg->scratchpadbuf = NULL; in drbg_dealloc_state()
1267 drbg->reseed_ctr = 0; in drbg_dealloc_state()
1268 drbg->d_ops = NULL; in drbg_dealloc_state()
1269 drbg->core = NULL; in drbg_dealloc_state()
1271 kfree_sensitive(drbg->prev); in drbg_dealloc_state()
1272 drbg->prev = NULL; in drbg_dealloc_state()
1273 drbg->fips_primed = false; in drbg_dealloc_state()
1278 * Allocate all sub-structures for a DRBG state.
1283 int ret = -ENOMEM; in drbg_alloc_state()
1286 switch (drbg->core->flags & DRBG_TYPE_MASK) { in drbg_alloc_state()
1289 drbg->d_ops = &drbg_hmac_ops; in drbg_alloc_state()
1294 drbg->d_ops = &drbg_hash_ops; in drbg_alloc_state()
1299 drbg->d_ops = &drbg_ctr_ops; in drbg_alloc_state()
1303 ret = -EOPNOTSUPP; in drbg_alloc_state()
1307 ret = drbg->d_ops->crypto_init(drbg); in drbg_alloc_state()
1311 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1312 if (!drbg->Vbuf) { in drbg_alloc_state()
1313 ret = -ENOMEM; in drbg_alloc_state()
1316 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); in drbg_alloc_state()
1317 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); in drbg_alloc_state()
1318 if (!drbg->Cbuf) { in drbg_alloc_state()
1319 ret = -ENOMEM; in drbg_alloc_state()
1322 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); in drbg_alloc_state()
1324 if (drbg->core->flags & DRBG_HMAC) in drbg_alloc_state()
1326 else if (drbg->core->flags & DRBG_CTR) in drbg_alloc_state()
1336 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); in drbg_alloc_state()
1337 if (!drbg->scratchpadbuf) { in drbg_alloc_state()
1338 ret = -ENOMEM; in drbg_alloc_state()
1341 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); in drbg_alloc_state()
1345 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), in drbg_alloc_state()
1347 if (!drbg->prev) { in drbg_alloc_state()
1348 ret = -ENOMEM; in drbg_alloc_state()
1351 drbg->fips_primed = false; in drbg_alloc_state()
1357 drbg->d_ops->crypto_fini(drbg); in drbg_alloc_state()
1368 * DRBG generate function as required by SP800-90A - this function
1372 * @buf Buffer where to store the random numbers -- the buffer must already
1373 * be pre-allocated by caller
1374 * @buflen Length of output buffer - this value defines the number of random
1376 * @addtl Additional input that is mixed into state, may be NULL -- note
1378 * as defined in SP800-90A. The additional input is mixed into
1390 if (!drbg->core) { in drbg_generate()
1392 return -EINVAL; in drbg_generate()
1396 return -EINVAL; in drbg_generate()
1398 if (addtl && NULL == addtl->buf && 0 < addtl->len) { in drbg_generate()
1400 return -EINVAL; in drbg_generate()
1403 /* 9.3.1 step 2 */ in drbg_generate()
1404 len = -EINVAL; in drbg_generate()
1414 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { in drbg_generate()
1416 addtl->len); in drbg_generate()
1422 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented in drbg_generate()
1425 if (drbg->reseed_threshold < drbg->reseed_ctr) in drbg_generate()
1426 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; in drbg_generate()
1428 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { in drbg_generate()
1431 drbg->pr ? "true" : "false", in drbg_generate()
1432 (drbg->seeded == DRBG_SEED_STATE_FULL ? in drbg_generate()
1441 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || in drbg_generate()
1448 if (addtl && 0 < addtl->len) in drbg_generate()
1449 list_add_tail(&addtl->list, &addtllist); in drbg_generate()
1451 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); in drbg_generate()
1453 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ in drbg_generate()
1454 drbg->reseed_ctr++; in drbg_generate()
1459 * Section 11.3.3 requires to re-perform self tests after some in drbg_generate()
1474 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { in drbg_generate()
1477 if (drbg->core->flags & DRBG_HMAC) in drbg_generate()
1480 else if (drbg->core->flags & DRBG_CTR) in drbg_generate()
1514 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1526 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); in drbg_generate_long()
1527 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); in drbg_generate_long()
1528 mutex_lock(&drbg->drbg_mutex); in drbg_generate_long()
1530 mutex_unlock(&drbg->drbg_mutex); in drbg_generate_long()
1541 if (list_empty(&drbg->test_data.list)) in drbg_prepare_hrng()
1544 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); in drbg_prepare_hrng()
1545 if (IS_ERR(drbg->jent)) { in drbg_prepare_hrng()
1546 const int err = PTR_ERR(drbg->jent); in drbg_prepare_hrng()
1548 drbg->jent = NULL; in drbg_prepare_hrng()
1558 * DRBG instantiation function as required by SP800-90A - this function
1560 * checks required by SP800-90A
1562 * @drbg memory of state -- if NULL, new memory is allocated
1563 * @pers Personalization string that is mixed into state, may be NULL -- note
1565 * as defined in SP800-90A. The additional input is mixed into
1582 mutex_lock(&drbg->drbg_mutex); in drbg_instantiate()
1587 * 9.1 step 2 is implicit as caller can select prediction resistance in drbg_instantiate()
1588 * and the flag is copied into drbg->flags -- in drbg_instantiate()
1594 if (!drbg->core) { in drbg_instantiate()
1595 drbg->core = &drbg_cores[coreref]; in drbg_instantiate()
1596 drbg->pr = pr; in drbg_instantiate()
1597 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; in drbg_instantiate()
1598 drbg->last_seed_time = 0; in drbg_instantiate()
1599 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_instantiate()
1617 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1621 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1625 mutex_unlock(&drbg->drbg_mutex); in drbg_instantiate()
1631 * DRBG uninstantiate function as required by SP800-90A - this function
1641 if (!IS_ERR_OR_NULL(drbg->jent)) in drbg_uninstantiate()
1642 crypto_free_rng(drbg->jent); in drbg_uninstantiate()
1643 drbg->jent = NULL; in drbg_uninstantiate()
1645 if (drbg->d_ops) in drbg_uninstantiate()
1646 drbg->d_ops->crypto_fini(drbg); in drbg_uninstantiate()
1648 /* no scrubbing of test_data -- this shall survive an uninstantiate */ in drbg_uninstantiate()
1664 mutex_lock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1665 drbg_string_fill(&drbg->test_data, data, len); in drbg_kcapi_set_entropy()
1666 mutex_unlock(&drbg->drbg_mutex); in drbg_kcapi_set_entropy()
1684 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); in drbg_init_hash_kernel()
1687 drbg->core->backend_cra_name); in drbg_init_hash_kernel()
1695 return -ENOMEM; in drbg_init_hash_kernel()
1698 sdesc->shash.tfm = tfm; in drbg_init_hash_kernel()
1699 drbg->priv_data = sdesc; in drbg_init_hash_kernel()
1706 struct sdesc *sdesc = drbg->priv_data; in drbg_fini_hash_kernel()
1708 crypto_free_shash(sdesc->shash.tfm); in drbg_fini_hash_kernel()
1711 drbg->priv_data = NULL; in drbg_fini_hash_kernel()
1718 struct sdesc *sdesc = drbg->priv_data; in drbg_kcapi_hmacsetkey()
1720 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); in drbg_kcapi_hmacsetkey()
1726 struct sdesc *sdesc = drbg->priv_data; in drbg_kcapi_hash()
1729 crypto_shash_init(&sdesc->shash); in drbg_kcapi_hash()
1731 crypto_shash_update(&sdesc->shash, input->buf, input->len); in drbg_kcapi_hash()
1732 return crypto_shash_final(&sdesc->shash, outval); in drbg_kcapi_hash()
1740 (struct crypto_cipher *)drbg->priv_data; in drbg_fini_sym_kernel()
1743 drbg->priv_data = NULL; in drbg_fini_sym_kernel()
1745 if (drbg->ctr_handle) in drbg_fini_sym_kernel()
1746 crypto_free_skcipher(drbg->ctr_handle); in drbg_fini_sym_kernel()
1747 drbg->ctr_handle = NULL; in drbg_fini_sym_kernel()
1749 if (drbg->ctr_req) in drbg_fini_sym_kernel()
1750 skcipher_request_free(drbg->ctr_req); in drbg_fini_sym_kernel()
1751 drbg->ctr_req = NULL; in drbg_fini_sym_kernel()
1753 kfree(drbg->outscratchpadbuf); in drbg_fini_sym_kernel()
1754 drbg->outscratchpadbuf = NULL; in drbg_fini_sym_kernel()
1767 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); in drbg_init_sym_kernel()
1770 drbg->core->backend_cra_name); in drbg_init_sym_kernel()
1774 drbg->priv_data = tfm; in drbg_init_sym_kernel()
1777 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { in drbg_init_sym_kernel()
1779 return -EINVAL; in drbg_init_sym_kernel()
1788 drbg->ctr_handle = sk_tfm; in drbg_init_sym_kernel()
1789 crypto_init_wait(&drbg->ctr_wait); in drbg_init_sym_kernel()
1795 return -ENOMEM; in drbg_init_sym_kernel()
1797 drbg->ctr_req = req; in drbg_init_sym_kernel()
1800 crypto_req_done, &drbg->ctr_wait); in drbg_init_sym_kernel()
1803 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, in drbg_init_sym_kernel()
1805 if (!drbg->outscratchpadbuf) { in drbg_init_sym_kernel()
1807 return -ENOMEM; in drbg_init_sym_kernel()
1809 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, in drbg_init_sym_kernel()
1812 sg_init_table(&drbg->sg_in, 1); in drbg_init_sym_kernel()
1813 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); in drbg_init_sym_kernel()
1821 struct crypto_cipher *tfm = drbg->priv_data; in drbg_kcapi_symsetkey()
1829 struct crypto_cipher *tfm = drbg->priv_data; in drbg_kcapi_sym()
1832 BUG_ON(in->len < drbg_blocklen(drbg)); in drbg_kcapi_sym()
1833 crypto_cipher_encrypt_one(tfm, outval, in->buf); in drbg_kcapi_sym()
1841 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; in drbg_kcapi_sym_ctr()
1846 /* Use caller-provided input buffer */ in drbg_kcapi_sym_ctr()
1849 /* Use scratchpad for in-place operation */ in drbg_kcapi_sym_ctr()
1851 memset(drbg->outscratchpad, 0, scratchpad_use); in drbg_kcapi_sym_ctr()
1852 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); in drbg_kcapi_sym_ctr()
1859 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, in drbg_kcapi_sym_ctr()
1860 cryptlen, drbg->V); in drbg_kcapi_sym_ctr()
1861 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), in drbg_kcapi_sym_ctr()
1862 &drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1866 crypto_init_wait(&drbg->ctr_wait); in drbg_kcapi_sym_ctr()
1868 memcpy(outbuf, drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1869 memzero_explicit(drbg->outscratchpad, cryptlen); in drbg_kcapi_sym_ctr()
1871 outlen -= cryptlen; in drbg_kcapi_sym_ctr()
1915 len = strlen(cra_driver_name) - start; in drbg_convert_tfm_core()
1929 mutex_init(&drbg->drbg_mutex); in drbg_kcapi_init()
1993 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1996 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1999 * Note 2: There is no sensible way of testing the reseed counter
2009 int rc = -EFAULT; in drbg_healthcheck_sanity()
2015 /* only perform test in FIPS mode */ in drbg_healthcheck_sanity()
2029 return -ENOMEM; in drbg_healthcheck_sanity()
2031 mutex_init(&drbg->drbg_mutex); in drbg_healthcheck_sanity()
2032 drbg->core = &drbg_cores[coreref]; in drbg_healthcheck_sanity()
2033 drbg->reseed_threshold = drbg_max_requests(drbg); in drbg_healthcheck_sanity()
2038 * string lengths -- in case the error handling does not succeed in drbg_healthcheck_sanity()
2079 memcpy(alg->base.cra_name, "stdrng", 6); in drbg_fill_array()
2081 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); in drbg_fill_array()
2084 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); in drbg_fill_array()
2087 memcpy(alg->base.cra_driver_name + pos, core->cra_name, in drbg_fill_array()
2088 strlen(core->cra_name)); in drbg_fill_array()
2090 alg->base.cra_priority = priority; in drbg_fill_array()
2093 * If FIPS mode enabled, the selected DRBG shall have the in drbg_fill_array()
2098 alg->base.cra_priority += 200; in drbg_fill_array()
2100 alg->base.cra_ctxsize = sizeof(struct drbg_state); in drbg_fill_array()
2101 alg->base.cra_module = THIS_MODULE; in drbg_fill_array()
2102 alg->base.cra_init = drbg_kcapi_init; in drbg_fill_array()
2103 alg->base.cra_exit = drbg_kcapi_cleanup; in drbg_fill_array()
2104 alg->generate = drbg_kcapi_random; in drbg_fill_array()
2105 alg->seed = drbg_kcapi_seed; in drbg_fill_array()
2106 alg->set_ent = drbg_kcapi_set_entropy; in drbg_fill_array()
2107 alg->seedsize = 0; in drbg_fill_array()
2120 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { in drbg_init()
2123 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); in drbg_init()
2124 return -EFAULT; in drbg_init()
2140 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_init()
2145 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); in drbg_exit()
2161 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "