xref: /openbmc/linux/crypto/algif_rng.c (revision de3a9980)
1 /*
2  * algif_rng: User-space interface for random number generators
3  *
4  * This file provides the user-space API for random number generators.
5  *
6  * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, and the entire permission notice in its entirety,
13  *    including the disclaimer of warranties.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. The name of the author may not be used to endorse or promote
18  *    products derived from this software without specific prior
19  *    written permission.
20  *
21  * ALTERNATIVELY, this product may be distributed under the terms of
22  * the GNU General Public License, in which case the provisions of the GPL2
23  * are required INSTEAD OF the above restrictions.  (This clause is
24  * necessary due to a potential bad interaction between the GPL and
25  * the restrictions contained in a BSD-style copyright.)
26  *
27  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
28  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
30  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
31  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
32  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
33  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
34  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
35  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
37  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
38  * DAMAGE.
39  */
40 
41 #include <linux/capability.h>
42 #include <linux/module.h>
43 #include <crypto/rng.h>
44 #include <linux/random.h>
45 #include <crypto/if_alg.h>
46 #include <linux/net.h>
47 #include <net/sock.h>
48 
49 MODULE_LICENSE("GPL");
50 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
51 MODULE_DESCRIPTION("User-space interface for random number generators");
52 
53 struct rng_ctx {
54 #define MAXSIZE 128
55 	unsigned int len;
56 	struct crypto_rng *drng;
57 	u8 *addtl;
58 	size_t addtl_len;
59 };
60 
61 struct rng_parent_ctx {
62 	struct crypto_rng *drng;
63 	u8 *entropy;
64 };
65 
66 static void rng_reset_addtl(struct rng_ctx *ctx)
67 {
68 	kfree_sensitive(ctx->addtl);
69 	ctx->addtl = NULL;
70 	ctx->addtl_len = 0;
71 }
72 
73 static int _rng_recvmsg(struct crypto_rng *drng, struct msghdr *msg, size_t len,
74 			u8 *addtl, size_t addtl_len)
75 {
76 	int err = 0;
77 	int genlen = 0;
78 	u8 result[MAXSIZE];
79 
80 	if (len == 0)
81 		return 0;
82 	if (len > MAXSIZE)
83 		len = MAXSIZE;
84 
85 	/*
86 	 * although not strictly needed, this is a precaution against coding
87 	 * errors
88 	 */
89 	memset(result, 0, len);
90 
91 	/*
92 	 * The enforcement of a proper seeding of an RNG is done within an
93 	 * RNG implementation. Some RNGs (DRBG, krng) do not need specific
94 	 * seeding as they automatically seed. The X9.31 DRNG will return
95 	 * an error if it was not seeded properly.
96 	 */
97 	genlen = crypto_rng_generate(drng, addtl, addtl_len, result, len);
98 	if (genlen < 0)
99 		return genlen;
100 
101 	err = memcpy_to_msg(msg, result, len);
102 	memzero_explicit(result, len);
103 
104 	return err ? err : len;
105 }
106 
107 static int rng_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
108 		       int flags)
109 {
110 	struct sock *sk = sock->sk;
111 	struct alg_sock *ask = alg_sk(sk);
112 	struct rng_ctx *ctx = ask->private;
113 
114 	return _rng_recvmsg(ctx->drng, msg, len, NULL, 0);
115 }
116 
117 static int rng_test_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
118 			    int flags)
119 {
120 	struct sock *sk = sock->sk;
121 	struct alg_sock *ask = alg_sk(sk);
122 	struct rng_ctx *ctx = ask->private;
123 	int ret;
124 
125 	lock_sock(sock->sk);
126 	ret = _rng_recvmsg(ctx->drng, msg, len, ctx->addtl, ctx->addtl_len);
127 	rng_reset_addtl(ctx);
128 	release_sock(sock->sk);
129 
130 	return ret;
131 }
132 
133 static int rng_test_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
134 {
135 	int err;
136 	struct alg_sock *ask = alg_sk(sock->sk);
137 	struct rng_ctx *ctx = ask->private;
138 
139 	lock_sock(sock->sk);
140 	if (len > MAXSIZE) {
141 		err = -EMSGSIZE;
142 		goto unlock;
143 	}
144 
145 	rng_reset_addtl(ctx);
146 	ctx->addtl = kmalloc(len, GFP_KERNEL);
147 	if (!ctx->addtl) {
148 		err = -ENOMEM;
149 		goto unlock;
150 	}
151 
152 	err = memcpy_from_msg(ctx->addtl, msg, len);
153 	if (err) {
154 		rng_reset_addtl(ctx);
155 		goto unlock;
156 	}
157 	ctx->addtl_len = len;
158 
159 unlock:
160 	release_sock(sock->sk);
161 	return err ? err : len;
162 }
163 
164 static struct proto_ops algif_rng_ops = {
165 	.family		=	PF_ALG,
166 
167 	.connect	=	sock_no_connect,
168 	.socketpair	=	sock_no_socketpair,
169 	.getname	=	sock_no_getname,
170 	.ioctl		=	sock_no_ioctl,
171 	.listen		=	sock_no_listen,
172 	.shutdown	=	sock_no_shutdown,
173 	.mmap		=	sock_no_mmap,
174 	.bind		=	sock_no_bind,
175 	.accept		=	sock_no_accept,
176 	.sendmsg	=	sock_no_sendmsg,
177 	.sendpage	=	sock_no_sendpage,
178 
179 	.release	=	af_alg_release,
180 	.recvmsg	=	rng_recvmsg,
181 };
182 
183 static struct proto_ops __maybe_unused algif_rng_test_ops = {
184 	.family		=	PF_ALG,
185 
186 	.connect	=	sock_no_connect,
187 	.socketpair	=	sock_no_socketpair,
188 	.getname	=	sock_no_getname,
189 	.ioctl		=	sock_no_ioctl,
190 	.listen		=	sock_no_listen,
191 	.shutdown	=	sock_no_shutdown,
192 	.mmap		=	sock_no_mmap,
193 	.bind		=	sock_no_bind,
194 	.accept		=	sock_no_accept,
195 	.sendpage	=	sock_no_sendpage,
196 
197 	.release	=	af_alg_release,
198 	.recvmsg	=	rng_test_recvmsg,
199 	.sendmsg	=	rng_test_sendmsg,
200 };
201 
202 static void *rng_bind(const char *name, u32 type, u32 mask)
203 {
204 	struct rng_parent_ctx *pctx;
205 	struct crypto_rng *rng;
206 
207 	pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
208 	if (!pctx)
209 		return ERR_PTR(-ENOMEM);
210 
211 	rng = crypto_alloc_rng(name, type, mask);
212 	if (IS_ERR(rng)) {
213 		kfree(pctx);
214 		return ERR_CAST(rng);
215 	}
216 
217 	pctx->drng = rng;
218 	return pctx;
219 }
220 
221 static void rng_release(void *private)
222 {
223 	struct rng_parent_ctx *pctx = private;
224 
225 	if (unlikely(!pctx))
226 		return;
227 	crypto_free_rng(pctx->drng);
228 	kfree_sensitive(pctx->entropy);
229 	kfree_sensitive(pctx);
230 }
231 
232 static void rng_sock_destruct(struct sock *sk)
233 {
234 	struct alg_sock *ask = alg_sk(sk);
235 	struct rng_ctx *ctx = ask->private;
236 
237 	rng_reset_addtl(ctx);
238 	sock_kfree_s(sk, ctx, ctx->len);
239 	af_alg_release_parent(sk);
240 }
241 
242 static int rng_accept_parent(void *private, struct sock *sk)
243 {
244 	struct rng_ctx *ctx;
245 	struct rng_parent_ctx *pctx = private;
246 	struct alg_sock *ask = alg_sk(sk);
247 	unsigned int len = sizeof(*ctx);
248 
249 	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
250 	if (!ctx)
251 		return -ENOMEM;
252 
253 	ctx->len = len;
254 	ctx->addtl = NULL;
255 	ctx->addtl_len = 0;
256 
257 	/*
258 	 * No seeding done at that point -- if multiple accepts are
259 	 * done on one RNG instance, each resulting FD points to the same
260 	 * state of the RNG.
261 	 */
262 
263 	ctx->drng = pctx->drng;
264 	ask->private = ctx;
265 	sk->sk_destruct = rng_sock_destruct;
266 
267 	/*
268 	 * Non NULL pctx->entropy means that CAVP test has been initiated on
269 	 * this socket, replace proto_ops algif_rng_ops with algif_rng_test_ops.
270 	 */
271 	if (IS_ENABLED(CONFIG_CRYPTO_USER_API_RNG_CAVP) && pctx->entropy)
272 		sk->sk_socket->ops = &algif_rng_test_ops;
273 
274 	return 0;
275 }
276 
277 static int rng_setkey(void *private, const u8 *seed, unsigned int seedlen)
278 {
279 	struct rng_parent_ctx *pctx = private;
280 	/*
281 	 * Check whether seedlen is of sufficient size is done in RNG
282 	 * implementations.
283 	 */
284 	return crypto_rng_reset(pctx->drng, seed, seedlen);
285 }
286 
287 static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
288 					 unsigned int len)
289 {
290 	struct rng_parent_ctx *pctx = private;
291 	u8 *kentropy = NULL;
292 
293 	if (!capable(CAP_SYS_ADMIN))
294 		return -EACCES;
295 
296 	if (pctx->entropy)
297 		return -EINVAL;
298 
299 	if (len > MAXSIZE)
300 		return -EMSGSIZE;
301 
302 	if (len) {
303 		kentropy = memdup_sockptr(entropy, len);
304 		if (IS_ERR(kentropy))
305 			return PTR_ERR(kentropy);
306 	}
307 
308 	crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
309 	/*
310 	 * Since rng doesn't perform any memory management for the entropy
311 	 * buffer, save kentropy pointer to pctx now to free it after use.
312 	 */
313 	pctx->entropy = kentropy;
314 	return 0;
315 }
316 
317 static const struct af_alg_type algif_type_rng = {
318 	.bind		=	rng_bind,
319 	.release	=	rng_release,
320 	.accept		=	rng_accept_parent,
321 	.setkey		=	rng_setkey,
322 #ifdef CONFIG_CRYPTO_USER_API_RNG_CAVP
323 	.setentropy	=	rng_setentropy,
324 #endif
325 	.ops		=	&algif_rng_ops,
326 	.name		=	"rng",
327 	.owner		=	THIS_MODULE
328 };
329 
330 static int __init rng_init(void)
331 {
332 	return af_alg_register_type(&algif_type_rng);
333 }
334 
335 static void __exit rng_exit(void)
336 {
337 	int err = af_alg_unregister_type(&algif_type_rng);
338 	BUG_ON(err);
339 }
340 
341 module_init(rng_init);
342 module_exit(rng_exit);
343