xref: /openbmc/linux/crypto/drbg.c (revision 0edbfea5)
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *		* with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99 
100 #include <crypto/drbg.h>
101 #include <linux/kernel.h>
102 
103 /***************************************************************
104  * Backend cipher definitions available to DRBG
105  ***************************************************************/
106 
107 /*
108  * The order of the DRBG definitions here matter: every DRBG is registered
109  * as stdrng. Each DRBG receives an increasing cra_priority values the later
110  * they are defined in this array (see drbg_fill_array).
111  *
112  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
113  * the SHA256 / AES 256 over other ciphers. Thus, the favored
114  * DRBGs are the latest entries in this array.
115  */
116 static const struct drbg_core drbg_cores[] = {
117 #ifdef CONFIG_CRYPTO_DRBG_CTR
118 	{
119 		.flags = DRBG_CTR | DRBG_STRENGTH128,
120 		.statelen = 32, /* 256 bits as defined in 10.2.1 */
121 		.blocklen_bytes = 16,
122 		.cra_name = "ctr_aes128",
123 		.backend_cra_name = "aes",
124 	}, {
125 		.flags = DRBG_CTR | DRBG_STRENGTH192,
126 		.statelen = 40, /* 320 bits as defined in 10.2.1 */
127 		.blocklen_bytes = 16,
128 		.cra_name = "ctr_aes192",
129 		.backend_cra_name = "aes",
130 	}, {
131 		.flags = DRBG_CTR | DRBG_STRENGTH256,
132 		.statelen = 48, /* 384 bits as defined in 10.2.1 */
133 		.blocklen_bytes = 16,
134 		.cra_name = "ctr_aes256",
135 		.backend_cra_name = "aes",
136 	},
137 #endif /* CONFIG_CRYPTO_DRBG_CTR */
138 #ifdef CONFIG_CRYPTO_DRBG_HASH
139 	{
140 		.flags = DRBG_HASH | DRBG_STRENGTH128,
141 		.statelen = 55, /* 440 bits */
142 		.blocklen_bytes = 20,
143 		.cra_name = "sha1",
144 		.backend_cra_name = "sha1",
145 	}, {
146 		.flags = DRBG_HASH | DRBG_STRENGTH256,
147 		.statelen = 111, /* 888 bits */
148 		.blocklen_bytes = 48,
149 		.cra_name = "sha384",
150 		.backend_cra_name = "sha384",
151 	}, {
152 		.flags = DRBG_HASH | DRBG_STRENGTH256,
153 		.statelen = 111, /* 888 bits */
154 		.blocklen_bytes = 64,
155 		.cra_name = "sha512",
156 		.backend_cra_name = "sha512",
157 	}, {
158 		.flags = DRBG_HASH | DRBG_STRENGTH256,
159 		.statelen = 55, /* 440 bits */
160 		.blocklen_bytes = 32,
161 		.cra_name = "sha256",
162 		.backend_cra_name = "sha256",
163 	},
164 #endif /* CONFIG_CRYPTO_DRBG_HASH */
165 #ifdef CONFIG_CRYPTO_DRBG_HMAC
166 	{
167 		.flags = DRBG_HMAC | DRBG_STRENGTH128,
168 		.statelen = 20, /* block length of cipher */
169 		.blocklen_bytes = 20,
170 		.cra_name = "hmac_sha1",
171 		.backend_cra_name = "hmac(sha1)",
172 	}, {
173 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
174 		.statelen = 48, /* block length of cipher */
175 		.blocklen_bytes = 48,
176 		.cra_name = "hmac_sha384",
177 		.backend_cra_name = "hmac(sha384)",
178 	}, {
179 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
180 		.statelen = 64, /* block length of cipher */
181 		.blocklen_bytes = 64,
182 		.cra_name = "hmac_sha512",
183 		.backend_cra_name = "hmac(sha512)",
184 	}, {
185 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
186 		.statelen = 32, /* block length of cipher */
187 		.blocklen_bytes = 32,
188 		.cra_name = "hmac_sha256",
189 		.backend_cra_name = "hmac(sha256)",
190 	},
191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
192 };
193 
194 static int drbg_uninstantiate(struct drbg_state *drbg);
195 
196 /******************************************************************
197  * Generic helper functions
198  ******************************************************************/
199 
200 /*
201  * Return strength of DRBG according to SP800-90A section 8.4
202  *
203  * @flags DRBG flags reference
204  *
205  * Return: normalized strength in *bytes* value or 32 as default
206  *	   to counter programming errors
207  */
208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209 {
210 	switch (flags & DRBG_STRENGTH_MASK) {
211 	case DRBG_STRENGTH128:
212 		return 16;
213 	case DRBG_STRENGTH192:
214 		return 24;
215 	case DRBG_STRENGTH256:
216 		return 32;
217 	default:
218 		return 32;
219 	}
220 }
221 
222 /*
223  * Convert an integer into a byte representation of this integer.
224  * The byte representation is big-endian
225  *
226  * @val value to be converted
227  * @buf buffer holding the converted integer -- caller must ensure that
228  *      buffer size is at least 32 bit
229  */
230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
232 {
233 	struct s {
234 		__be32 conv;
235 	};
236 	struct s *conversion = (struct s *) buf;
237 
238 	conversion->conv = cpu_to_be32(val);
239 }
240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
241 
242 /******************************************************************
243  * CTR DRBG callback functions
244  ******************************************************************/
245 
246 #ifdef CONFIG_CRYPTO_DRBG_CTR
247 #define CRYPTO_DRBG_CTR_STRING "CTR "
248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
254 
255 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
256 			  unsigned char *outval, const struct drbg_string *in);
257 static int drbg_init_sym_kernel(struct drbg_state *drbg);
258 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
259 
260 /* BCC function for CTR DRBG as defined in 10.4.3 */
261 static int drbg_ctr_bcc(struct drbg_state *drbg,
262 			unsigned char *out, const unsigned char *key,
263 			struct list_head *in)
264 {
265 	int ret = 0;
266 	struct drbg_string *curr = NULL;
267 	struct drbg_string data;
268 	short cnt = 0;
269 
270 	drbg_string_fill(&data, out, drbg_blocklen(drbg));
271 
272 	/* 10.4.3 step 2 / 4 */
273 	list_for_each_entry(curr, in, list) {
274 		const unsigned char *pos = curr->buf;
275 		size_t len = curr->len;
276 		/* 10.4.3 step 4.1 */
277 		while (len) {
278 			/* 10.4.3 step 4.2 */
279 			if (drbg_blocklen(drbg) == cnt) {
280 				cnt = 0;
281 				ret = drbg_kcapi_sym(drbg, key, out, &data);
282 				if (ret)
283 					return ret;
284 			}
285 			out[cnt] ^= *pos;
286 			pos++;
287 			cnt++;
288 			len--;
289 		}
290 	}
291 	/* 10.4.3 step 4.2 for last block */
292 	if (cnt)
293 		ret = drbg_kcapi_sym(drbg, key, out, &data);
294 
295 	return ret;
296 }
297 
298 /*
299  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
300  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
301  * the scratchpad is used as follows:
302  * drbg_ctr_update:
303  *	temp
304  *		start: drbg->scratchpad
305  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
306  *			note: the cipher writing into this variable works
307  *			blocklen-wise. Now, when the statelen is not a multiple
308  *			of blocklen, the generateion loop below "spills over"
309  *			by at most blocklen. Thus, we need to give sufficient
310  *			memory.
311  *	df_data
312  *		start: drbg->scratchpad +
313  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
314  *		length: drbg_statelen(drbg)
315  *
316  * drbg_ctr_df:
317  *	pad
318  *		start: df_data + drbg_statelen(drbg)
319  *		length: drbg_blocklen(drbg)
320  *	iv
321  *		start: pad + drbg_blocklen(drbg)
322  *		length: drbg_blocklen(drbg)
323  *	temp
324  *		start: iv + drbg_blocklen(drbg)
325  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
326  *			note: temp is the buffer that the BCC function operates
327  *			on. BCC operates blockwise. drbg_statelen(drbg)
328  *			is sufficient when the DRBG state length is a multiple
329  *			of the block size. For AES192 (and maybe other ciphers)
330  *			this is not correct and the length for temp is
331  *			insufficient (yes, that also means for such ciphers,
332  *			the final output of all BCC rounds are truncated).
333  *			Therefore, add drbg_blocklen(drbg) to cover all
334  *			possibilities.
335  */
336 
337 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
338 static int drbg_ctr_df(struct drbg_state *drbg,
339 		       unsigned char *df_data, size_t bytes_to_return,
340 		       struct list_head *seedlist)
341 {
342 	int ret = -EFAULT;
343 	unsigned char L_N[8];
344 	/* S3 is input */
345 	struct drbg_string S1, S2, S4, cipherin;
346 	LIST_HEAD(bcc_list);
347 	unsigned char *pad = df_data + drbg_statelen(drbg);
348 	unsigned char *iv = pad + drbg_blocklen(drbg);
349 	unsigned char *temp = iv + drbg_blocklen(drbg);
350 	size_t padlen = 0;
351 	unsigned int templen = 0;
352 	/* 10.4.2 step 7 */
353 	unsigned int i = 0;
354 	/* 10.4.2 step 8 */
355 	const unsigned char *K = (unsigned char *)
356 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
357 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
358 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
359 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
360 	unsigned char *X;
361 	size_t generated_len = 0;
362 	size_t inputlen = 0;
363 	struct drbg_string *seed = NULL;
364 
365 	memset(pad, 0, drbg_blocklen(drbg));
366 	memset(iv, 0, drbg_blocklen(drbg));
367 
368 	/* 10.4.2 step 1 is implicit as we work byte-wise */
369 
370 	/* 10.4.2 step 2 */
371 	if ((512/8) < bytes_to_return)
372 		return -EINVAL;
373 
374 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
375 	list_for_each_entry(seed, seedlist, list)
376 		inputlen += seed->len;
377 	drbg_cpu_to_be32(inputlen, &L_N[0]);
378 
379 	/* 10.4.2 step 3 */
380 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
381 
382 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
383 	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
384 	/* wrap the padlen appropriately */
385 	if (padlen)
386 		padlen = drbg_blocklen(drbg) - padlen;
387 	/*
388 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
389 	 * As the calculated padlen value only covers the number of zero
390 	 * bytes, this value has to be incremented by one for the 0x80 byte.
391 	 */
392 	padlen++;
393 	pad[0] = 0x80;
394 
395 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
396 	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
397 	list_add_tail(&S1.list, &bcc_list);
398 	drbg_string_fill(&S2, L_N, sizeof(L_N));
399 	list_add_tail(&S2.list, &bcc_list);
400 	list_splice_tail(seedlist, &bcc_list);
401 	drbg_string_fill(&S4, pad, padlen);
402 	list_add_tail(&S4.list, &bcc_list);
403 
404 	/* 10.4.2 step 9 */
405 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
406 		/*
407 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
408 		 * holds zeros after allocation -- even the increment of i
409 		 * is irrelevant as the increment remains within length of i
410 		 */
411 		drbg_cpu_to_be32(i, iv);
412 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
413 		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
414 		if (ret)
415 			goto out;
416 		/* 10.4.2 step 9.3 */
417 		i++;
418 		templen += drbg_blocklen(drbg);
419 	}
420 
421 	/* 10.4.2 step 11 */
422 	X = temp + (drbg_keylen(drbg));
423 	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
424 
425 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
426 
427 	/* 10.4.2 step 13 */
428 	while (generated_len < bytes_to_return) {
429 		short blocklen = 0;
430 		/*
431 		 * 10.4.2 step 13.1: the truncation of the key length is
432 		 * implicit as the key is only drbg_blocklen in size based on
433 		 * the implementation of the cipher function callback
434 		 */
435 		ret = drbg_kcapi_sym(drbg, temp, X, &cipherin);
436 		if (ret)
437 			goto out;
438 		blocklen = (drbg_blocklen(drbg) <
439 				(bytes_to_return - generated_len)) ?
440 			    drbg_blocklen(drbg) :
441 				(bytes_to_return - generated_len);
442 		/* 10.4.2 step 13.2 and 14 */
443 		memcpy(df_data + generated_len, X, blocklen);
444 		generated_len += blocklen;
445 	}
446 
447 	ret = 0;
448 
449 out:
450 	memset(iv, 0, drbg_blocklen(drbg));
451 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
452 	memset(pad, 0, drbg_blocklen(drbg));
453 	return ret;
454 }
455 
456 /*
457  * update function of CTR DRBG as defined in 10.2.1.2
458  *
459  * The reseed variable has an enhanced meaning compared to the update
460  * functions of the other DRBGs as follows:
461  * 0 => initial seed from initialization
462  * 1 => reseed via drbg_seed
463  * 2 => first invocation from drbg_ctr_update when addtl is present. In
464  *      this case, the df_data scratchpad is not deleted so that it is
465  *      available for another calls to prevent calling the DF function
466  *      again.
467  * 3 => second invocation from drbg_ctr_update. When the update function
468  *      was called with addtl, the df_data memory already contains the
469  *      DFed addtl information and we do not need to call DF again.
470  */
471 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
472 			   int reseed)
473 {
474 	int ret = -EFAULT;
475 	/* 10.2.1.2 step 1 */
476 	unsigned char *temp = drbg->scratchpad;
477 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
478 				 drbg_blocklen(drbg);
479 	unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
480 	unsigned int len = 0;
481 	struct drbg_string cipherin;
482 
483 	if (3 > reseed)
484 		memset(df_data, 0, drbg_statelen(drbg));
485 
486 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
487 	if (seed) {
488 		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
489 		if (ret)
490 			goto out;
491 	}
492 
493 	drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg));
494 	/*
495 	 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation
496 	 * zeroizes all memory during initialization
497 	 */
498 	while (len < (drbg_statelen(drbg))) {
499 		/* 10.2.1.2 step 2.1 */
500 		crypto_inc(drbg->V, drbg_blocklen(drbg));
501 		/*
502 		 * 10.2.1.2 step 2.2 */
503 		ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin);
504 		if (ret)
505 			goto out;
506 		/* 10.2.1.2 step 2.3 and 3 */
507 		len += drbg_blocklen(drbg);
508 	}
509 
510 	/* 10.2.1.2 step 4 */
511 	temp_p = temp;
512 	df_data_p = df_data;
513 	for (len = 0; len < drbg_statelen(drbg); len++) {
514 		*temp_p ^= *df_data_p;
515 		df_data_p++; temp_p++;
516 	}
517 
518 	/* 10.2.1.2 step 5 */
519 	memcpy(drbg->C, temp, drbg_keylen(drbg));
520 	/* 10.2.1.2 step 6 */
521 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
522 	ret = 0;
523 
524 out:
525 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
526 	if (2 != reseed)
527 		memset(df_data, 0, drbg_statelen(drbg));
528 	return ret;
529 }
530 
531 /*
532  * scratchpad use: drbg_ctr_update is called independently from
533  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
534  */
535 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
536 static int drbg_ctr_generate(struct drbg_state *drbg,
537 			     unsigned char *buf, unsigned int buflen,
538 			     struct list_head *addtl)
539 {
540 	int len = 0;
541 	int ret = 0;
542 	struct drbg_string data;
543 
544 	/* 10.2.1.5.2 step 2 */
545 	if (addtl && !list_empty(addtl)) {
546 		ret = drbg_ctr_update(drbg, addtl, 2);
547 		if (ret)
548 			return 0;
549 	}
550 
551 	/* 10.2.1.5.2 step 4.1 */
552 	crypto_inc(drbg->V, drbg_blocklen(drbg));
553 	drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg));
554 	while (len < buflen) {
555 		int outlen = 0;
556 		/* 10.2.1.5.2 step 4.2 */
557 		ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data);
558 		if (ret) {
559 			len = ret;
560 			goto out;
561 		}
562 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
563 			  drbg_blocklen(drbg) : (buflen - len);
564 		/* 10.2.1.5.2 step 4.3 */
565 		memcpy(buf + len, drbg->scratchpad, outlen);
566 		len += outlen;
567 		/* 10.2.1.5.2 step 6 */
568 		if (len < buflen)
569 			crypto_inc(drbg->V, drbg_blocklen(drbg));
570 	}
571 
572 	/* 10.2.1.5.2 step 6 */
573 	ret = drbg_ctr_update(drbg, NULL, 3);
574 	if (ret)
575 		len = ret;
576 
577 out:
578 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
579 	return len;
580 }
581 
582 static const struct drbg_state_ops drbg_ctr_ops = {
583 	.update		= drbg_ctr_update,
584 	.generate	= drbg_ctr_generate,
585 	.crypto_init	= drbg_init_sym_kernel,
586 	.crypto_fini	= drbg_fini_sym_kernel,
587 };
588 #endif /* CONFIG_CRYPTO_DRBG_CTR */
589 
590 /******************************************************************
591  * HMAC DRBG callback functions
592  ******************************************************************/
593 
594 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
595 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
596 			   const struct list_head *in);
597 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
598 				  const unsigned char *key);
599 static int drbg_init_hash_kernel(struct drbg_state *drbg);
600 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
601 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
602 
603 #ifdef CONFIG_CRYPTO_DRBG_HMAC
604 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
605 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
606 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
607 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
608 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
609 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
610 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
611 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
612 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
613 
614 /* update function of HMAC DRBG as defined in 10.1.2.2 */
615 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
616 			    int reseed)
617 {
618 	int ret = -EFAULT;
619 	int i = 0;
620 	struct drbg_string seed1, seed2, vdata;
621 	LIST_HEAD(seedlist);
622 	LIST_HEAD(vdatalist);
623 
624 	if (!reseed) {
625 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
626 		memset(drbg->V, 1, drbg_statelen(drbg));
627 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
628 	}
629 
630 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
631 	list_add_tail(&seed1.list, &seedlist);
632 	/* buffer of seed2 will be filled in for loop below with one byte */
633 	drbg_string_fill(&seed2, NULL, 1);
634 	list_add_tail(&seed2.list, &seedlist);
635 	/* input data of seed is allowed to be NULL at this point */
636 	if (seed)
637 		list_splice_tail(seed, &seedlist);
638 
639 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
640 	list_add_tail(&vdata.list, &vdatalist);
641 	for (i = 2; 0 < i; i--) {
642 		/* first round uses 0x0, second 0x1 */
643 		unsigned char prefix = DRBG_PREFIX0;
644 		if (1 == i)
645 			prefix = DRBG_PREFIX1;
646 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
647 		seed2.buf = &prefix;
648 		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
649 		if (ret)
650 			return ret;
651 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
652 
653 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
654 		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
655 		if (ret)
656 			return ret;
657 
658 		/* 10.1.2.2 step 3 */
659 		if (!seed)
660 			return ret;
661 	}
662 
663 	return 0;
664 }
665 
666 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
667 static int drbg_hmac_generate(struct drbg_state *drbg,
668 			      unsigned char *buf,
669 			      unsigned int buflen,
670 			      struct list_head *addtl)
671 {
672 	int len = 0;
673 	int ret = 0;
674 	struct drbg_string data;
675 	LIST_HEAD(datalist);
676 
677 	/* 10.1.2.5 step 2 */
678 	if (addtl && !list_empty(addtl)) {
679 		ret = drbg_hmac_update(drbg, addtl, 1);
680 		if (ret)
681 			return ret;
682 	}
683 
684 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
685 	list_add_tail(&data.list, &datalist);
686 	while (len < buflen) {
687 		unsigned int outlen = 0;
688 		/* 10.1.2.5 step 4.1 */
689 		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
690 		if (ret)
691 			return ret;
692 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
693 			  drbg_blocklen(drbg) : (buflen - len);
694 
695 		/* 10.1.2.5 step 4.2 */
696 		memcpy(buf + len, drbg->V, outlen);
697 		len += outlen;
698 	}
699 
700 	/* 10.1.2.5 step 6 */
701 	if (addtl && !list_empty(addtl))
702 		ret = drbg_hmac_update(drbg, addtl, 1);
703 	else
704 		ret = drbg_hmac_update(drbg, NULL, 1);
705 	if (ret)
706 		return ret;
707 
708 	return len;
709 }
710 
711 static const struct drbg_state_ops drbg_hmac_ops = {
712 	.update		= drbg_hmac_update,
713 	.generate	= drbg_hmac_generate,
714 	.crypto_init	= drbg_init_hash_kernel,
715 	.crypto_fini	= drbg_fini_hash_kernel,
716 };
717 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
718 
719 /******************************************************************
720  * Hash DRBG callback functions
721  ******************************************************************/
722 
723 #ifdef CONFIG_CRYPTO_DRBG_HASH
724 #define CRYPTO_DRBG_HASH_STRING "HASH "
725 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
726 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
727 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
728 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
729 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
730 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
731 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
732 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
733 
734 /*
735  * Increment buffer
736  *
737  * @dst buffer to increment
738  * @add value to add
739  */
740 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
741 				const unsigned char *add, size_t addlen)
742 {
743 	/* implied: dstlen > addlen */
744 	unsigned char *dstptr;
745 	const unsigned char *addptr;
746 	unsigned int remainder = 0;
747 	size_t len = addlen;
748 
749 	dstptr = dst + (dstlen-1);
750 	addptr = add + (addlen-1);
751 	while (len) {
752 		remainder += *dstptr + *addptr;
753 		*dstptr = remainder & 0xff;
754 		remainder >>= 8;
755 		len--; dstptr--; addptr--;
756 	}
757 	len = dstlen - addlen;
758 	while (len && remainder > 0) {
759 		remainder = *dstptr + 1;
760 		*dstptr = remainder & 0xff;
761 		remainder >>= 8;
762 		len--; dstptr--;
763 	}
764 }
765 
766 /*
767  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
768  * interlinked, the scratchpad is used as follows:
769  * drbg_hash_update
770  *	start: drbg->scratchpad
771  *	length: drbg_statelen(drbg)
772  * drbg_hash_df:
773  *	start: drbg->scratchpad + drbg_statelen(drbg)
774  *	length: drbg_blocklen(drbg)
775  *
776  * drbg_hash_process_addtl uses the scratchpad, but fully completes
777  * before either of the functions mentioned before are invoked. Therefore,
778  * drbg_hash_process_addtl does not need to be specifically considered.
779  */
780 
781 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
782 static int drbg_hash_df(struct drbg_state *drbg,
783 			unsigned char *outval, size_t outlen,
784 			struct list_head *entropylist)
785 {
786 	int ret = 0;
787 	size_t len = 0;
788 	unsigned char input[5];
789 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
790 	struct drbg_string data;
791 
792 	/* 10.4.1 step 3 */
793 	input[0] = 1;
794 	drbg_cpu_to_be32((outlen * 8), &input[1]);
795 
796 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
797 	drbg_string_fill(&data, input, 5);
798 	list_add(&data.list, entropylist);
799 
800 	/* 10.4.1 step 4 */
801 	while (len < outlen) {
802 		short blocklen = 0;
803 		/* 10.4.1 step 4.1 */
804 		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
805 		if (ret)
806 			goto out;
807 		/* 10.4.1 step 4.2 */
808 		input[0]++;
809 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
810 			    drbg_blocklen(drbg) : (outlen - len);
811 		memcpy(outval + len, tmp, blocklen);
812 		len += blocklen;
813 	}
814 
815 out:
816 	memset(tmp, 0, drbg_blocklen(drbg));
817 	return ret;
818 }
819 
820 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
821 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
822 			    int reseed)
823 {
824 	int ret = 0;
825 	struct drbg_string data1, data2;
826 	LIST_HEAD(datalist);
827 	LIST_HEAD(datalist2);
828 	unsigned char *V = drbg->scratchpad;
829 	unsigned char prefix = DRBG_PREFIX1;
830 
831 	if (!seed)
832 		return -EINVAL;
833 
834 	if (reseed) {
835 		/* 10.1.1.3 step 1 */
836 		memcpy(V, drbg->V, drbg_statelen(drbg));
837 		drbg_string_fill(&data1, &prefix, 1);
838 		list_add_tail(&data1.list, &datalist);
839 		drbg_string_fill(&data2, V, drbg_statelen(drbg));
840 		list_add_tail(&data2.list, &datalist);
841 	}
842 	list_splice_tail(seed, &datalist);
843 
844 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
845 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
846 	if (ret)
847 		goto out;
848 
849 	/* 10.1.1.2 / 10.1.1.3 step 4  */
850 	prefix = DRBG_PREFIX0;
851 	drbg_string_fill(&data1, &prefix, 1);
852 	list_add_tail(&data1.list, &datalist2);
853 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
854 	list_add_tail(&data2.list, &datalist2);
855 	/* 10.1.1.2 / 10.1.1.3 step 4 */
856 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
857 
858 out:
859 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
860 	return ret;
861 }
862 
863 /* processing of additional information string for Hash DRBG */
864 static int drbg_hash_process_addtl(struct drbg_state *drbg,
865 				   struct list_head *addtl)
866 {
867 	int ret = 0;
868 	struct drbg_string data1, data2;
869 	LIST_HEAD(datalist);
870 	unsigned char prefix = DRBG_PREFIX2;
871 
872 	/* 10.1.1.4 step 2 */
873 	if (!addtl || list_empty(addtl))
874 		return 0;
875 
876 	/* 10.1.1.4 step 2a */
877 	drbg_string_fill(&data1, &prefix, 1);
878 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
879 	list_add_tail(&data1.list, &datalist);
880 	list_add_tail(&data2.list, &datalist);
881 	list_splice_tail(addtl, &datalist);
882 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
883 	if (ret)
884 		goto out;
885 
886 	/* 10.1.1.4 step 2b */
887 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
888 		     drbg->scratchpad, drbg_blocklen(drbg));
889 
890 out:
891 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
892 	return ret;
893 }
894 
895 /* Hashgen defined in 10.1.1.4 */
896 static int drbg_hash_hashgen(struct drbg_state *drbg,
897 			     unsigned char *buf,
898 			     unsigned int buflen)
899 {
900 	int len = 0;
901 	int ret = 0;
902 	unsigned char *src = drbg->scratchpad;
903 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
904 	struct drbg_string data;
905 	LIST_HEAD(datalist);
906 
907 	/* 10.1.1.4 step hashgen 2 */
908 	memcpy(src, drbg->V, drbg_statelen(drbg));
909 
910 	drbg_string_fill(&data, src, drbg_statelen(drbg));
911 	list_add_tail(&data.list, &datalist);
912 	while (len < buflen) {
913 		unsigned int outlen = 0;
914 		/* 10.1.1.4 step hashgen 4.1 */
915 		ret = drbg_kcapi_hash(drbg, dst, &datalist);
916 		if (ret) {
917 			len = ret;
918 			goto out;
919 		}
920 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
921 			  drbg_blocklen(drbg) : (buflen - len);
922 		/* 10.1.1.4 step hashgen 4.2 */
923 		memcpy(buf + len, dst, outlen);
924 		len += outlen;
925 		/* 10.1.1.4 hashgen step 4.3 */
926 		if (len < buflen)
927 			crypto_inc(src, drbg_statelen(drbg));
928 	}
929 
930 out:
931 	memset(drbg->scratchpad, 0,
932 	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
933 	return len;
934 }
935 
936 /* generate function for Hash DRBG as defined in  10.1.1.4 */
937 static int drbg_hash_generate(struct drbg_state *drbg,
938 			      unsigned char *buf, unsigned int buflen,
939 			      struct list_head *addtl)
940 {
941 	int len = 0;
942 	int ret = 0;
943 	union {
944 		unsigned char req[8];
945 		__be64 req_int;
946 	} u;
947 	unsigned char prefix = DRBG_PREFIX3;
948 	struct drbg_string data1, data2;
949 	LIST_HEAD(datalist);
950 
951 	/* 10.1.1.4 step 2 */
952 	ret = drbg_hash_process_addtl(drbg, addtl);
953 	if (ret)
954 		return ret;
955 	/* 10.1.1.4 step 3 */
956 	len = drbg_hash_hashgen(drbg, buf, buflen);
957 
958 	/* this is the value H as documented in 10.1.1.4 */
959 	/* 10.1.1.4 step 4 */
960 	drbg_string_fill(&data1, &prefix, 1);
961 	list_add_tail(&data1.list, &datalist);
962 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
963 	list_add_tail(&data2.list, &datalist);
964 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
965 	if (ret) {
966 		len = ret;
967 		goto out;
968 	}
969 
970 	/* 10.1.1.4 step 5 */
971 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
972 		     drbg->scratchpad, drbg_blocklen(drbg));
973 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
974 		     drbg->C, drbg_statelen(drbg));
975 	u.req_int = cpu_to_be64(drbg->reseed_ctr);
976 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
977 
978 out:
979 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
980 	return len;
981 }
982 
983 /*
984  * scratchpad usage: as update and generate are used isolated, both
985  * can use the scratchpad
986  */
987 static const struct drbg_state_ops drbg_hash_ops = {
988 	.update		= drbg_hash_update,
989 	.generate	= drbg_hash_generate,
990 	.crypto_init	= drbg_init_hash_kernel,
991 	.crypto_fini	= drbg_fini_hash_kernel,
992 };
993 #endif /* CONFIG_CRYPTO_DRBG_HASH */
994 
995 /******************************************************************
996  * Functions common for DRBG implementations
997  ******************************************************************/
998 
999 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1000 			      int reseed)
1001 {
1002 	int ret = drbg->d_ops->update(drbg, seed, reseed);
1003 
1004 	if (ret)
1005 		return ret;
1006 
1007 	drbg->seeded = true;
1008 	/* 10.1.1.2 / 10.1.1.3 step 5 */
1009 	drbg->reseed_ctr = 1;
1010 
1011 	return ret;
1012 }
1013 
1014 static void drbg_async_seed(struct work_struct *work)
1015 {
1016 	struct drbg_string data;
1017 	LIST_HEAD(seedlist);
1018 	struct drbg_state *drbg = container_of(work, struct drbg_state,
1019 					       seed_work);
1020 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1021 	unsigned char entropy[32];
1022 
1023 	BUG_ON(!entropylen);
1024 	BUG_ON(entropylen > sizeof(entropy));
1025 	get_random_bytes(entropy, entropylen);
1026 
1027 	drbg_string_fill(&data, entropy, entropylen);
1028 	list_add_tail(&data.list, &seedlist);
1029 
1030 	mutex_lock(&drbg->drbg_mutex);
1031 
1032 	/* If nonblocking pool is initialized, deactivate Jitter RNG */
1033 	crypto_free_rng(drbg->jent);
1034 	drbg->jent = NULL;
1035 
1036 	/* Set seeded to false so that if __drbg_seed fails the
1037 	 * next generate call will trigger a reseed.
1038 	 */
1039 	drbg->seeded = false;
1040 
1041 	__drbg_seed(drbg, &seedlist, true);
1042 
1043 	if (drbg->seeded)
1044 		drbg->reseed_threshold = drbg_max_requests(drbg);
1045 
1046 	mutex_unlock(&drbg->drbg_mutex);
1047 
1048 	memzero_explicit(entropy, entropylen);
1049 }
1050 
1051 /*
1052  * Seeding or reseeding of the DRBG
1053  *
1054  * @drbg: DRBG state struct
1055  * @pers: personalization / additional information buffer
1056  * @reseed: 0 for initial seed process, 1 for reseeding
1057  *
1058  * return:
1059  *	0 on success
1060  *	error value otherwise
1061  */
1062 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1063 		     bool reseed)
1064 {
1065 	int ret;
1066 	unsigned char entropy[((32 + 16) * 2)];
1067 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1068 	struct drbg_string data1;
1069 	LIST_HEAD(seedlist);
1070 
1071 	/* 9.1 / 9.2 / 9.3.1 step 3 */
1072 	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1073 		pr_devel("DRBG: personalization string too long %zu\n",
1074 			 pers->len);
1075 		return -EINVAL;
1076 	}
1077 
1078 	if (list_empty(&drbg->test_data.list)) {
1079 		drbg_string_fill(&data1, drbg->test_data.buf,
1080 				 drbg->test_data.len);
1081 		pr_devel("DRBG: using test entropy\n");
1082 	} else {
1083 		/*
1084 		 * Gather entropy equal to the security strength of the DRBG.
1085 		 * With a derivation function, a nonce is required in addition
1086 		 * to the entropy. A nonce must be at least 1/2 of the security
1087 		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1088 		 * of the strength. The consideration of a nonce is only
1089 		 * applicable during initial seeding.
1090 		 */
1091 		BUG_ON(!entropylen);
1092 		if (!reseed)
1093 			entropylen = ((entropylen + 1) / 2) * 3;
1094 		BUG_ON((entropylen * 2) > sizeof(entropy));
1095 
1096 		/* Get seed from in-kernel /dev/urandom */
1097 		get_random_bytes(entropy, entropylen);
1098 
1099 		if (!drbg->jent) {
1100 			drbg_string_fill(&data1, entropy, entropylen);
1101 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1102 				 entropylen);
1103 		} else {
1104 			/* Get seed from Jitter RNG */
1105 			ret = crypto_rng_get_bytes(drbg->jent,
1106 						   entropy + entropylen,
1107 						   entropylen);
1108 			if (ret) {
1109 				pr_devel("DRBG: jent failed with %d\n", ret);
1110 				return ret;
1111 			}
1112 
1113 			drbg_string_fill(&data1, entropy, entropylen * 2);
1114 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1115 				 entropylen * 2);
1116 		}
1117 	}
1118 	list_add_tail(&data1.list, &seedlist);
1119 
1120 	/*
1121 	 * concatenation of entropy with personalization str / addtl input)
1122 	 * the variable pers is directly handed in by the caller, so check its
1123 	 * contents whether it is appropriate
1124 	 */
1125 	if (pers && pers->buf && 0 < pers->len) {
1126 		list_add_tail(&pers->list, &seedlist);
1127 		pr_devel("DRBG: using personalization string\n");
1128 	}
1129 
1130 	if (!reseed) {
1131 		memset(drbg->V, 0, drbg_statelen(drbg));
1132 		memset(drbg->C, 0, drbg_statelen(drbg));
1133 	}
1134 
1135 	ret = __drbg_seed(drbg, &seedlist, reseed);
1136 
1137 	memzero_explicit(entropy, entropylen * 2);
1138 
1139 	return ret;
1140 }
1141 
1142 /* Free all substructures in a DRBG state without the DRBG state structure */
1143 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1144 {
1145 	if (!drbg)
1146 		return;
1147 	kzfree(drbg->V);
1148 	drbg->V = NULL;
1149 	kzfree(drbg->C);
1150 	drbg->C = NULL;
1151 	kzfree(drbg->scratchpad);
1152 	drbg->scratchpad = NULL;
1153 	drbg->reseed_ctr = 0;
1154 	drbg->d_ops = NULL;
1155 	drbg->core = NULL;
1156 }
1157 
1158 /*
1159  * Allocate all sub-structures for a DRBG state.
1160  * The DRBG state structure must already be allocated.
1161  */
1162 static inline int drbg_alloc_state(struct drbg_state *drbg)
1163 {
1164 	int ret = -ENOMEM;
1165 	unsigned int sb_size = 0;
1166 
1167 	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1168 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1169 	case DRBG_HMAC:
1170 		drbg->d_ops = &drbg_hmac_ops;
1171 		break;
1172 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1173 #ifdef CONFIG_CRYPTO_DRBG_HASH
1174 	case DRBG_HASH:
1175 		drbg->d_ops = &drbg_hash_ops;
1176 		break;
1177 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1178 #ifdef CONFIG_CRYPTO_DRBG_CTR
1179 	case DRBG_CTR:
1180 		drbg->d_ops = &drbg_ctr_ops;
1181 		break;
1182 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1183 	default:
1184 		ret = -EOPNOTSUPP;
1185 		goto err;
1186 	}
1187 
1188 	drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1189 	if (!drbg->V)
1190 		goto err;
1191 	drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1192 	if (!drbg->C)
1193 		goto err;
1194 	/* scratchpad is only generated for CTR and Hash */
1195 	if (drbg->core->flags & DRBG_HMAC)
1196 		sb_size = 0;
1197 	else if (drbg->core->flags & DRBG_CTR)
1198 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1199 			  drbg_statelen(drbg) +	/* df_data */
1200 			  drbg_blocklen(drbg) +	/* pad */
1201 			  drbg_blocklen(drbg) +	/* iv */
1202 			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1203 	else
1204 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1205 
1206 	if (0 < sb_size) {
1207 		drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL);
1208 		if (!drbg->scratchpad)
1209 			goto err;
1210 	}
1211 
1212 	return 0;
1213 
1214 err:
1215 	drbg_dealloc_state(drbg);
1216 	return ret;
1217 }
1218 
1219 /*************************************************************************
1220  * DRBG interface functions
1221  *************************************************************************/
1222 
1223 /*
1224  * DRBG generate function as required by SP800-90A - this function
1225  * generates random numbers
1226  *
1227  * @drbg DRBG state handle
1228  * @buf Buffer where to store the random numbers -- the buffer must already
1229  *      be pre-allocated by caller
1230  * @buflen Length of output buffer - this value defines the number of random
1231  *	   bytes pulled from DRBG
1232  * @addtl Additional input that is mixed into state, may be NULL -- note
1233  *	  the entropy is pulled by the DRBG internally unconditionally
1234  *	  as defined in SP800-90A. The additional input is mixed into
1235  *	  the state in addition to the pulled entropy.
1236  *
1237  * return: 0 when all bytes are generated; < 0 in case of an error
1238  */
1239 static int drbg_generate(struct drbg_state *drbg,
1240 			 unsigned char *buf, unsigned int buflen,
1241 			 struct drbg_string *addtl)
1242 {
1243 	int len = 0;
1244 	LIST_HEAD(addtllist);
1245 
1246 	if (!drbg->core) {
1247 		pr_devel("DRBG: not yet seeded\n");
1248 		return -EINVAL;
1249 	}
1250 	if (0 == buflen || !buf) {
1251 		pr_devel("DRBG: no output buffer provided\n");
1252 		return -EINVAL;
1253 	}
1254 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1255 		pr_devel("DRBG: wrong format of additional information\n");
1256 		return -EINVAL;
1257 	}
1258 
1259 	/* 9.3.1 step 2 */
1260 	len = -EINVAL;
1261 	if (buflen > (drbg_max_request_bytes(drbg))) {
1262 		pr_devel("DRBG: requested random numbers too large %u\n",
1263 			 buflen);
1264 		goto err;
1265 	}
1266 
1267 	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1268 
1269 	/* 9.3.1 step 4 */
1270 	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1271 		pr_devel("DRBG: additional information string too long %zu\n",
1272 			 addtl->len);
1273 		goto err;
1274 	}
1275 	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1276 
1277 	/*
1278 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1279 	 * here. The spec is a bit convoluted here, we make it simpler.
1280 	 */
1281 	if (drbg->reseed_threshold < drbg->reseed_ctr)
1282 		drbg->seeded = false;
1283 
1284 	if (drbg->pr || !drbg->seeded) {
1285 		pr_devel("DRBG: reseeding before generation (prediction "
1286 			 "resistance: %s, state %s)\n",
1287 			 drbg->pr ? "true" : "false",
1288 			 drbg->seeded ? "seeded" : "unseeded");
1289 		/* 9.3.1 steps 7.1 through 7.3 */
1290 		len = drbg_seed(drbg, addtl, true);
1291 		if (len)
1292 			goto err;
1293 		/* 9.3.1 step 7.4 */
1294 		addtl = NULL;
1295 	}
1296 
1297 	if (addtl && 0 < addtl->len)
1298 		list_add_tail(&addtl->list, &addtllist);
1299 	/* 9.3.1 step 8 and 10 */
1300 	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1301 
1302 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1303 	drbg->reseed_ctr++;
1304 	if (0 >= len)
1305 		goto err;
1306 
1307 	/*
1308 	 * Section 11.3.3 requires to re-perform self tests after some
1309 	 * generated random numbers. The chosen value after which self
1310 	 * test is performed is arbitrary, but it should be reasonable.
1311 	 * However, we do not perform the self tests because of the following
1312 	 * reasons: it is mathematically impossible that the initial self tests
1313 	 * were successfully and the following are not. If the initial would
1314 	 * pass and the following would not, the kernel integrity is violated.
1315 	 * In this case, the entire kernel operation is questionable and it
1316 	 * is unlikely that the integrity violation only affects the
1317 	 * correct operation of the DRBG.
1318 	 *
1319 	 * Albeit the following code is commented out, it is provided in
1320 	 * case somebody has a need to implement the test of 11.3.3.
1321 	 */
1322 #if 0
1323 	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1324 		int err = 0;
1325 		pr_devel("DRBG: start to perform self test\n");
1326 		if (drbg->core->flags & DRBG_HMAC)
1327 			err = alg_test("drbg_pr_hmac_sha256",
1328 				       "drbg_pr_hmac_sha256", 0, 0);
1329 		else if (drbg->core->flags & DRBG_CTR)
1330 			err = alg_test("drbg_pr_ctr_aes128",
1331 				       "drbg_pr_ctr_aes128", 0, 0);
1332 		else
1333 			err = alg_test("drbg_pr_sha256",
1334 				       "drbg_pr_sha256", 0, 0);
1335 		if (err) {
1336 			pr_err("DRBG: periodical self test failed\n");
1337 			/*
1338 			 * uninstantiate implies that from now on, only errors
1339 			 * are returned when reusing this DRBG cipher handle
1340 			 */
1341 			drbg_uninstantiate(drbg);
1342 			return 0;
1343 		} else {
1344 			pr_devel("DRBG: self test successful\n");
1345 		}
1346 	}
1347 #endif
1348 
1349 	/*
1350 	 * All operations were successful, return 0 as mandated by
1351 	 * the kernel crypto API interface.
1352 	 */
1353 	len = 0;
1354 err:
1355 	return len;
1356 }
1357 
1358 /*
1359  * Wrapper around drbg_generate which can pull arbitrary long strings
1360  * from the DRBG without hitting the maximum request limitation.
1361  *
1362  * Parameters: see drbg_generate
1363  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1364  *		 the entire drbg_generate_long request fails
1365  */
1366 static int drbg_generate_long(struct drbg_state *drbg,
1367 			      unsigned char *buf, unsigned int buflen,
1368 			      struct drbg_string *addtl)
1369 {
1370 	unsigned int len = 0;
1371 	unsigned int slice = 0;
1372 	do {
1373 		int err = 0;
1374 		unsigned int chunk = 0;
1375 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1376 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1377 		mutex_lock(&drbg->drbg_mutex);
1378 		err = drbg_generate(drbg, buf + len, chunk, addtl);
1379 		mutex_unlock(&drbg->drbg_mutex);
1380 		if (0 > err)
1381 			return err;
1382 		len += chunk;
1383 	} while (slice > 0 && (len < buflen));
1384 	return 0;
1385 }
1386 
1387 static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1388 {
1389 	struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1390 					       random_ready);
1391 
1392 	schedule_work(&drbg->seed_work);
1393 }
1394 
1395 static int drbg_prepare_hrng(struct drbg_state *drbg)
1396 {
1397 	int err;
1398 
1399 	/* We do not need an HRNG in test mode. */
1400 	if (list_empty(&drbg->test_data.list))
1401 		return 0;
1402 
1403 	INIT_WORK(&drbg->seed_work, drbg_async_seed);
1404 
1405 	drbg->random_ready.owner = THIS_MODULE;
1406 	drbg->random_ready.func = drbg_schedule_async_seed;
1407 
1408 	err = add_random_ready_callback(&drbg->random_ready);
1409 
1410 	switch (err) {
1411 	case 0:
1412 		break;
1413 
1414 	case -EALREADY:
1415 		err = 0;
1416 		/* fall through */
1417 
1418 	default:
1419 		drbg->random_ready.func = NULL;
1420 		return err;
1421 	}
1422 
1423 	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1424 
1425 	/*
1426 	 * Require frequent reseeds until the seed source is fully
1427 	 * initialized.
1428 	 */
1429 	drbg->reseed_threshold = 50;
1430 
1431 	return err;
1432 }
1433 
1434 /*
1435  * DRBG instantiation function as required by SP800-90A - this function
1436  * sets up the DRBG handle, performs the initial seeding and all sanity
1437  * checks required by SP800-90A
1438  *
1439  * @drbg memory of state -- if NULL, new memory is allocated
1440  * @pers Personalization string that is mixed into state, may be NULL -- note
1441  *	 the entropy is pulled by the DRBG internally unconditionally
1442  *	 as defined in SP800-90A. The additional input is mixed into
1443  *	 the state in addition to the pulled entropy.
1444  * @coreref reference to core
1445  * @pr prediction resistance enabled
1446  *
1447  * return
1448  *	0 on success
1449  *	error value otherwise
1450  */
1451 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1452 			    int coreref, bool pr)
1453 {
1454 	int ret;
1455 	bool reseed = true;
1456 
1457 	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1458 		 "%s\n", coreref, pr ? "enabled" : "disabled");
1459 	mutex_lock(&drbg->drbg_mutex);
1460 
1461 	/* 9.1 step 1 is implicit with the selected DRBG type */
1462 
1463 	/*
1464 	 * 9.1 step 2 is implicit as caller can select prediction resistance
1465 	 * and the flag is copied into drbg->flags --
1466 	 * all DRBG types support prediction resistance
1467 	 */
1468 
1469 	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1470 
1471 	if (!drbg->core) {
1472 		drbg->core = &drbg_cores[coreref];
1473 		drbg->pr = pr;
1474 		drbg->seeded = false;
1475 		drbg->reseed_threshold = drbg_max_requests(drbg);
1476 
1477 		ret = drbg_alloc_state(drbg);
1478 		if (ret)
1479 			goto unlock;
1480 
1481 		ret = -EFAULT;
1482 		if (drbg->d_ops->crypto_init(drbg))
1483 			goto err;
1484 
1485 		ret = drbg_prepare_hrng(drbg);
1486 		if (ret)
1487 			goto free_everything;
1488 
1489 		if (IS_ERR(drbg->jent)) {
1490 			ret = PTR_ERR(drbg->jent);
1491 			drbg->jent = NULL;
1492 			if (fips_enabled || ret != -ENOENT)
1493 				goto free_everything;
1494 			pr_info("DRBG: Continuing without Jitter RNG\n");
1495 		}
1496 
1497 		reseed = false;
1498 	}
1499 
1500 	ret = drbg_seed(drbg, pers, reseed);
1501 
1502 	if (ret && !reseed)
1503 		goto free_everything;
1504 
1505 	mutex_unlock(&drbg->drbg_mutex);
1506 	return ret;
1507 
1508 err:
1509 	drbg_dealloc_state(drbg);
1510 unlock:
1511 	mutex_unlock(&drbg->drbg_mutex);
1512 	return ret;
1513 
1514 free_everything:
1515 	mutex_unlock(&drbg->drbg_mutex);
1516 	drbg_uninstantiate(drbg);
1517 	return ret;
1518 }
1519 
1520 /*
1521  * DRBG uninstantiate function as required by SP800-90A - this function
1522  * frees all buffers and the DRBG handle
1523  *
1524  * @drbg DRBG state handle
1525  *
1526  * return
1527  *	0 on success
1528  */
1529 static int drbg_uninstantiate(struct drbg_state *drbg)
1530 {
1531 	if (drbg->random_ready.func) {
1532 		del_random_ready_callback(&drbg->random_ready);
1533 		cancel_work_sync(&drbg->seed_work);
1534 		crypto_free_rng(drbg->jent);
1535 		drbg->jent = NULL;
1536 	}
1537 
1538 	if (drbg->d_ops)
1539 		drbg->d_ops->crypto_fini(drbg);
1540 	drbg_dealloc_state(drbg);
1541 	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1542 	return 0;
1543 }
1544 
1545 /*
1546  * Helper function for setting the test data in the DRBG
1547  *
1548  * @drbg DRBG state handle
1549  * @data test data
1550  * @len test data length
1551  */
1552 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1553 				   const u8 *data, unsigned int len)
1554 {
1555 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1556 
1557 	mutex_lock(&drbg->drbg_mutex);
1558 	drbg_string_fill(&drbg->test_data, data, len);
1559 	mutex_unlock(&drbg->drbg_mutex);
1560 }
1561 
1562 /***************************************************************
1563  * Kernel crypto API cipher invocations requested by DRBG
1564  ***************************************************************/
1565 
1566 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1567 struct sdesc {
1568 	struct shash_desc shash;
1569 	char ctx[];
1570 };
1571 
1572 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1573 {
1574 	struct sdesc *sdesc;
1575 	struct crypto_shash *tfm;
1576 
1577 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1578 	if (IS_ERR(tfm)) {
1579 		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1580 				drbg->core->backend_cra_name);
1581 		return PTR_ERR(tfm);
1582 	}
1583 	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1584 	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1585 			GFP_KERNEL);
1586 	if (!sdesc) {
1587 		crypto_free_shash(tfm);
1588 		return -ENOMEM;
1589 	}
1590 
1591 	sdesc->shash.tfm = tfm;
1592 	sdesc->shash.flags = 0;
1593 	drbg->priv_data = sdesc;
1594 	return 0;
1595 }
1596 
1597 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1598 {
1599 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1600 	if (sdesc) {
1601 		crypto_free_shash(sdesc->shash.tfm);
1602 		kzfree(sdesc);
1603 	}
1604 	drbg->priv_data = NULL;
1605 	return 0;
1606 }
1607 
1608 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1609 				  const unsigned char *key)
1610 {
1611 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1612 
1613 	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1614 }
1615 
1616 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1617 			   const struct list_head *in)
1618 {
1619 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1620 	struct drbg_string *input = NULL;
1621 
1622 	crypto_shash_init(&sdesc->shash);
1623 	list_for_each_entry(input, in, list)
1624 		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1625 	return crypto_shash_final(&sdesc->shash, outval);
1626 }
1627 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1628 
1629 #ifdef CONFIG_CRYPTO_DRBG_CTR
1630 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1631 {
1632 	int ret = 0;
1633 	struct crypto_cipher *tfm;
1634 
1635 	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1636 	if (IS_ERR(tfm)) {
1637 		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1638 				drbg->core->backend_cra_name);
1639 		return PTR_ERR(tfm);
1640 	}
1641 	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1642 	drbg->priv_data = tfm;
1643 	return ret;
1644 }
1645 
1646 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1647 {
1648 	struct crypto_cipher *tfm =
1649 		(struct crypto_cipher *)drbg->priv_data;
1650 	if (tfm)
1651 		crypto_free_cipher(tfm);
1652 	drbg->priv_data = NULL;
1653 	return 0;
1654 }
1655 
1656 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
1657 			  unsigned char *outval, const struct drbg_string *in)
1658 {
1659 	struct crypto_cipher *tfm =
1660 		(struct crypto_cipher *)drbg->priv_data;
1661 
1662 	crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1663 	/* there is only component in *in */
1664 	BUG_ON(in->len < drbg_blocklen(drbg));
1665 	crypto_cipher_encrypt_one(tfm, outval, in->buf);
1666 	return 0;
1667 }
1668 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1669 
1670 /***************************************************************
1671  * Kernel crypto API interface to register DRBG
1672  ***************************************************************/
1673 
1674 /*
1675  * Look up the DRBG flags by given kernel crypto API cra_name
1676  * The code uses the drbg_cores definition to do this
1677  *
1678  * @cra_name kernel crypto API cra_name
1679  * @coreref reference to integer which is filled with the pointer to
1680  *  the applicable core
1681  * @pr reference for setting prediction resistance
1682  *
1683  * return: flags
1684  */
1685 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1686 					 int *coreref, bool *pr)
1687 {
1688 	int i = 0;
1689 	size_t start = 0;
1690 	int len = 0;
1691 
1692 	*pr = true;
1693 	/* disassemble the names */
1694 	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1695 		start = 10;
1696 		*pr = false;
1697 	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1698 		start = 8;
1699 	} else {
1700 		return;
1701 	}
1702 
1703 	/* remove the first part */
1704 	len = strlen(cra_driver_name) - start;
1705 	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1706 		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1707 			    len)) {
1708 			*coreref = i;
1709 			return;
1710 		}
1711 	}
1712 }
1713 
1714 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1715 {
1716 	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1717 
1718 	mutex_init(&drbg->drbg_mutex);
1719 
1720 	return 0;
1721 }
1722 
1723 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1724 {
1725 	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1726 }
1727 
1728 /*
1729  * Generate random numbers invoked by the kernel crypto API:
1730  * The API of the kernel crypto API is extended as follows:
1731  *
1732  * src is additional input supplied to the RNG.
1733  * slen is the length of src.
1734  * dst is the output buffer where random data is to be stored.
1735  * dlen is the length of dst.
1736  */
1737 static int drbg_kcapi_random(struct crypto_rng *tfm,
1738 			     const u8 *src, unsigned int slen,
1739 			     u8 *dst, unsigned int dlen)
1740 {
1741 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1742 	struct drbg_string *addtl = NULL;
1743 	struct drbg_string string;
1744 
1745 	if (slen) {
1746 		/* linked list variable is now local to allow modification */
1747 		drbg_string_fill(&string, src, slen);
1748 		addtl = &string;
1749 	}
1750 
1751 	return drbg_generate_long(drbg, dst, dlen, addtl);
1752 }
1753 
1754 /*
1755  * Seed the DRBG invoked by the kernel crypto API
1756  */
1757 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1758 			   const u8 *seed, unsigned int slen)
1759 {
1760 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1761 	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1762 	bool pr = false;
1763 	struct drbg_string string;
1764 	struct drbg_string *seed_string = NULL;
1765 	int coreref = 0;
1766 
1767 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1768 			      &pr);
1769 	if (0 < slen) {
1770 		drbg_string_fill(&string, seed, slen);
1771 		seed_string = &string;
1772 	}
1773 
1774 	return drbg_instantiate(drbg, seed_string, coreref, pr);
1775 }
1776 
1777 /***************************************************************
1778  * Kernel module: code to load the module
1779  ***************************************************************/
1780 
1781 /*
1782  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1783  * of the error handling.
1784  *
1785  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1786  * as seed source of get_random_bytes does not fail.
1787  *
1788  * Note 2: There is no sensible way of testing the reseed counter
1789  * enforcement, so skip it.
1790  */
1791 static inline int __init drbg_healthcheck_sanity(void)
1792 {
1793 	int len = 0;
1794 #define OUTBUFLEN 16
1795 	unsigned char buf[OUTBUFLEN];
1796 	struct drbg_state *drbg = NULL;
1797 	int ret = -EFAULT;
1798 	int rc = -EFAULT;
1799 	bool pr = false;
1800 	int coreref = 0;
1801 	struct drbg_string addtl;
1802 	size_t max_addtllen, max_request_bytes;
1803 
1804 	/* only perform test in FIPS mode */
1805 	if (!fips_enabled)
1806 		return 0;
1807 
1808 #ifdef CONFIG_CRYPTO_DRBG_CTR
1809 	drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1810 #elif defined CONFIG_CRYPTO_DRBG_HASH
1811 	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1812 #else
1813 	drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1814 #endif
1815 
1816 	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1817 	if (!drbg)
1818 		return -ENOMEM;
1819 
1820 	mutex_init(&drbg->drbg_mutex);
1821 
1822 	/*
1823 	 * if the following tests fail, it is likely that there is a buffer
1824 	 * overflow as buf is much smaller than the requested or provided
1825 	 * string lengths -- in case the error handling does not succeed
1826 	 * we may get an OOPS. And we want to get an OOPS as this is a
1827 	 * grave bug.
1828 	 */
1829 
1830 	/* get a valid instance of DRBG for following tests */
1831 	ret = drbg_instantiate(drbg, NULL, coreref, pr);
1832 	if (ret) {
1833 		rc = ret;
1834 		goto outbuf;
1835 	}
1836 	max_addtllen = drbg_max_addtl(drbg);
1837 	max_request_bytes = drbg_max_request_bytes(drbg);
1838 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
1839 	/* overflow addtllen with additonal info string */
1840 	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1841 	BUG_ON(0 < len);
1842 	/* overflow max_bits */
1843 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1844 	BUG_ON(0 < len);
1845 	drbg_uninstantiate(drbg);
1846 
1847 	/* overflow max addtllen with personalization string */
1848 	ret = drbg_instantiate(drbg, &addtl, coreref, pr);
1849 	BUG_ON(0 == ret);
1850 	/* all tests passed */
1851 	rc = 0;
1852 
1853 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
1854 		 "completed\n");
1855 
1856 	drbg_uninstantiate(drbg);
1857 outbuf:
1858 	kzfree(drbg);
1859 	return rc;
1860 }
1861 
1862 static struct rng_alg drbg_algs[22];
1863 
1864 /*
1865  * Fill the array drbg_algs used to register the different DRBGs
1866  * with the kernel crypto API. To fill the array, the information
1867  * from drbg_cores[] is used.
1868  */
1869 static inline void __init drbg_fill_array(struct rng_alg *alg,
1870 					  const struct drbg_core *core, int pr)
1871 {
1872 	int pos = 0;
1873 	static int priority = 200;
1874 
1875 	memcpy(alg->base.cra_name, "stdrng", 6);
1876 	if (pr) {
1877 		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1878 		pos = 8;
1879 	} else {
1880 		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1881 		pos = 10;
1882 	}
1883 	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1884 	       strlen(core->cra_name));
1885 
1886 	alg->base.cra_priority = priority;
1887 	priority++;
1888 	/*
1889 	 * If FIPS mode enabled, the selected DRBG shall have the
1890 	 * highest cra_priority over other stdrng instances to ensure
1891 	 * it is selected.
1892 	 */
1893 	if (fips_enabled)
1894 		alg->base.cra_priority += 200;
1895 
1896 	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
1897 	alg->base.cra_module	= THIS_MODULE;
1898 	alg->base.cra_init	= drbg_kcapi_init;
1899 	alg->base.cra_exit	= drbg_kcapi_cleanup;
1900 	alg->generate		= drbg_kcapi_random;
1901 	alg->seed		= drbg_kcapi_seed;
1902 	alg->set_ent		= drbg_kcapi_set_entropy;
1903 	alg->seedsize		= 0;
1904 }
1905 
1906 static int __init drbg_init(void)
1907 {
1908 	unsigned int i = 0; /* pointer to drbg_algs */
1909 	unsigned int j = 0; /* pointer to drbg_cores */
1910 	int ret = -EFAULT;
1911 
1912 	ret = drbg_healthcheck_sanity();
1913 	if (ret)
1914 		return ret;
1915 
1916 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
1917 		pr_info("DRBG: Cannot register all DRBG types"
1918 			"(slots needed: %zu, slots available: %zu)\n",
1919 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
1920 		return ret;
1921 	}
1922 
1923 	/*
1924 	 * each DRBG definition can be used with PR and without PR, thus
1925 	 * we instantiate each DRBG in drbg_cores[] twice.
1926 	 *
1927 	 * As the order of placing them into the drbg_algs array matters
1928 	 * (the later DRBGs receive a higher cra_priority) we register the
1929 	 * prediction resistance DRBGs first as the should not be too
1930 	 * interesting.
1931 	 */
1932 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1933 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
1934 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1935 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
1936 	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1937 }
1938 
1939 static void __exit drbg_exit(void)
1940 {
1941 	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1942 }
1943 
1944 module_init(drbg_init);
1945 module_exit(drbg_exit);
1946 #ifndef CRYPTO_DRBG_HASH_STRING
1947 #define CRYPTO_DRBG_HASH_STRING ""
1948 #endif
1949 #ifndef CRYPTO_DRBG_HMAC_STRING
1950 #define CRYPTO_DRBG_HMAC_STRING ""
1951 #endif
1952 #ifndef CRYPTO_DRBG_CTR_STRING
1953 #define CRYPTO_DRBG_CTR_STRING ""
1954 #endif
1955 MODULE_LICENSE("GPL");
1956 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
1957 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
1958 		   "using following cores: "
1959 		   CRYPTO_DRBG_HASH_STRING
1960 		   CRYPTO_DRBG_HMAC_STRING
1961 		   CRYPTO_DRBG_CTR_STRING);
1962 MODULE_ALIAS_CRYPTO("stdrng");
1963