1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * Convert an integer into a byte representation of this integer. 224 * The byte representation is big-endian 225 * 226 * @val value to be converted 227 * @buf buffer holding the converted integer -- caller must ensure that 228 * buffer size is at least 32 bit 229 */ 230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 232 { 233 struct s { 234 __be32 conv; 235 }; 236 struct s *conversion = (struct s *) buf; 237 238 conversion->conv = cpu_to_be32(val); 239 } 240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 241 242 /****************************************************************** 243 * CTR DRBG callback functions 244 ******************************************************************/ 245 246 #ifdef CONFIG_CRYPTO_DRBG_CTR 247 #define CRYPTO_DRBG_CTR_STRING "CTR " 248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 254 255 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 256 unsigned char *outval, const struct drbg_string *in); 257 static int drbg_init_sym_kernel(struct drbg_state *drbg); 258 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 259 260 /* BCC function for CTR DRBG as defined in 10.4.3 */ 261 static int drbg_ctr_bcc(struct drbg_state *drbg, 262 unsigned char *out, const unsigned char *key, 263 struct list_head *in) 264 { 265 int ret = 0; 266 struct drbg_string *curr = NULL; 267 struct drbg_string data; 268 short cnt = 0; 269 270 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 271 272 /* 10.4.3 step 2 / 4 */ 273 list_for_each_entry(curr, in, list) { 274 const unsigned char *pos = curr->buf; 275 size_t len = curr->len; 276 /* 10.4.3 step 4.1 */ 277 while (len) { 278 /* 10.4.3 step 4.2 */ 279 if (drbg_blocklen(drbg) == cnt) { 280 cnt = 0; 281 ret = drbg_kcapi_sym(drbg, key, out, &data); 282 if (ret) 283 return ret; 284 } 285 out[cnt] ^= *pos; 286 pos++; 287 cnt++; 288 len--; 289 } 290 } 291 /* 10.4.3 step 4.2 for last block */ 292 if (cnt) 293 ret = drbg_kcapi_sym(drbg, key, out, &data); 294 295 return ret; 296 } 297 298 /* 299 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 300 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 301 * the scratchpad is used as follows: 302 * drbg_ctr_update: 303 * temp 304 * start: drbg->scratchpad 305 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 306 * note: the cipher writing into this variable works 307 * blocklen-wise. Now, when the statelen is not a multiple 308 * of blocklen, the generateion loop below "spills over" 309 * by at most blocklen. Thus, we need to give sufficient 310 * memory. 311 * df_data 312 * start: drbg->scratchpad + 313 * drbg_statelen(drbg) + drbg_blocklen(drbg) 314 * length: drbg_statelen(drbg) 315 * 316 * drbg_ctr_df: 317 * pad 318 * start: df_data + drbg_statelen(drbg) 319 * length: drbg_blocklen(drbg) 320 * iv 321 * start: pad + drbg_blocklen(drbg) 322 * length: drbg_blocklen(drbg) 323 * temp 324 * start: iv + drbg_blocklen(drbg) 325 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 326 * note: temp is the buffer that the BCC function operates 327 * on. BCC operates blockwise. drbg_statelen(drbg) 328 * is sufficient when the DRBG state length is a multiple 329 * of the block size. For AES192 (and maybe other ciphers) 330 * this is not correct and the length for temp is 331 * insufficient (yes, that also means for such ciphers, 332 * the final output of all BCC rounds are truncated). 333 * Therefore, add drbg_blocklen(drbg) to cover all 334 * possibilities. 335 */ 336 337 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 338 static int drbg_ctr_df(struct drbg_state *drbg, 339 unsigned char *df_data, size_t bytes_to_return, 340 struct list_head *seedlist) 341 { 342 int ret = -EFAULT; 343 unsigned char L_N[8]; 344 /* S3 is input */ 345 struct drbg_string S1, S2, S4, cipherin; 346 LIST_HEAD(bcc_list); 347 unsigned char *pad = df_data + drbg_statelen(drbg); 348 unsigned char *iv = pad + drbg_blocklen(drbg); 349 unsigned char *temp = iv + drbg_blocklen(drbg); 350 size_t padlen = 0; 351 unsigned int templen = 0; 352 /* 10.4.2 step 7 */ 353 unsigned int i = 0; 354 /* 10.4.2 step 8 */ 355 const unsigned char *K = (unsigned char *) 356 "\x00\x01\x02\x03\x04\x05\x06\x07" 357 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 358 "\x10\x11\x12\x13\x14\x15\x16\x17" 359 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 360 unsigned char *X; 361 size_t generated_len = 0; 362 size_t inputlen = 0; 363 struct drbg_string *seed = NULL; 364 365 memset(pad, 0, drbg_blocklen(drbg)); 366 memset(iv, 0, drbg_blocklen(drbg)); 367 368 /* 10.4.2 step 1 is implicit as we work byte-wise */ 369 370 /* 10.4.2 step 2 */ 371 if ((512/8) < bytes_to_return) 372 return -EINVAL; 373 374 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 375 list_for_each_entry(seed, seedlist, list) 376 inputlen += seed->len; 377 drbg_cpu_to_be32(inputlen, &L_N[0]); 378 379 /* 10.4.2 step 3 */ 380 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 381 382 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 383 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 384 /* wrap the padlen appropriately */ 385 if (padlen) 386 padlen = drbg_blocklen(drbg) - padlen; 387 /* 388 * pad / padlen contains the 0x80 byte and the following zero bytes. 389 * As the calculated padlen value only covers the number of zero 390 * bytes, this value has to be incremented by one for the 0x80 byte. 391 */ 392 padlen++; 393 pad[0] = 0x80; 394 395 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 396 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 397 list_add_tail(&S1.list, &bcc_list); 398 drbg_string_fill(&S2, L_N, sizeof(L_N)); 399 list_add_tail(&S2.list, &bcc_list); 400 list_splice_tail(seedlist, &bcc_list); 401 drbg_string_fill(&S4, pad, padlen); 402 list_add_tail(&S4.list, &bcc_list); 403 404 /* 10.4.2 step 9 */ 405 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 406 /* 407 * 10.4.2 step 9.1 - the padding is implicit as the buffer 408 * holds zeros after allocation -- even the increment of i 409 * is irrelevant as the increment remains within length of i 410 */ 411 drbg_cpu_to_be32(i, iv); 412 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 413 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 414 if (ret) 415 goto out; 416 /* 10.4.2 step 9.3 */ 417 i++; 418 templen += drbg_blocklen(drbg); 419 } 420 421 /* 10.4.2 step 11 */ 422 X = temp + (drbg_keylen(drbg)); 423 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 424 425 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 426 427 /* 10.4.2 step 13 */ 428 while (generated_len < bytes_to_return) { 429 short blocklen = 0; 430 /* 431 * 10.4.2 step 13.1: the truncation of the key length is 432 * implicit as the key is only drbg_blocklen in size based on 433 * the implementation of the cipher function callback 434 */ 435 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 436 if (ret) 437 goto out; 438 blocklen = (drbg_blocklen(drbg) < 439 (bytes_to_return - generated_len)) ? 440 drbg_blocklen(drbg) : 441 (bytes_to_return - generated_len); 442 /* 10.4.2 step 13.2 and 14 */ 443 memcpy(df_data + generated_len, X, blocklen); 444 generated_len += blocklen; 445 } 446 447 ret = 0; 448 449 out: 450 memset(iv, 0, drbg_blocklen(drbg)); 451 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 452 memset(pad, 0, drbg_blocklen(drbg)); 453 return ret; 454 } 455 456 /* 457 * update function of CTR DRBG as defined in 10.2.1.2 458 * 459 * The reseed variable has an enhanced meaning compared to the update 460 * functions of the other DRBGs as follows: 461 * 0 => initial seed from initialization 462 * 1 => reseed via drbg_seed 463 * 2 => first invocation from drbg_ctr_update when addtl is present. In 464 * this case, the df_data scratchpad is not deleted so that it is 465 * available for another calls to prevent calling the DF function 466 * again. 467 * 3 => second invocation from drbg_ctr_update. When the update function 468 * was called with addtl, the df_data memory already contains the 469 * DFed addtl information and we do not need to call DF again. 470 */ 471 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 472 int reseed) 473 { 474 int ret = -EFAULT; 475 /* 10.2.1.2 step 1 */ 476 unsigned char *temp = drbg->scratchpad; 477 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 478 drbg_blocklen(drbg); 479 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 480 unsigned int len = 0; 481 struct drbg_string cipherin; 482 483 if (3 > reseed) 484 memset(df_data, 0, drbg_statelen(drbg)); 485 486 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 487 if (seed) { 488 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 489 if (ret) 490 goto out; 491 } 492 493 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 494 /* 495 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 496 * zeroizes all memory during initialization 497 */ 498 while (len < (drbg_statelen(drbg))) { 499 /* 10.2.1.2 step 2.1 */ 500 crypto_inc(drbg->V, drbg_blocklen(drbg)); 501 /* 502 * 10.2.1.2 step 2.2 */ 503 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 504 if (ret) 505 goto out; 506 /* 10.2.1.2 step 2.3 and 3 */ 507 len += drbg_blocklen(drbg); 508 } 509 510 /* 10.2.1.2 step 4 */ 511 temp_p = temp; 512 df_data_p = df_data; 513 for (len = 0; len < drbg_statelen(drbg); len++) { 514 *temp_p ^= *df_data_p; 515 df_data_p++; temp_p++; 516 } 517 518 /* 10.2.1.2 step 5 */ 519 memcpy(drbg->C, temp, drbg_keylen(drbg)); 520 /* 10.2.1.2 step 6 */ 521 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 522 ret = 0; 523 524 out: 525 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 526 if (2 != reseed) 527 memset(df_data, 0, drbg_statelen(drbg)); 528 return ret; 529 } 530 531 /* 532 * scratchpad use: drbg_ctr_update is called independently from 533 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 534 */ 535 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 536 static int drbg_ctr_generate(struct drbg_state *drbg, 537 unsigned char *buf, unsigned int buflen, 538 struct list_head *addtl) 539 { 540 int len = 0; 541 int ret = 0; 542 struct drbg_string data; 543 544 /* 10.2.1.5.2 step 2 */ 545 if (addtl && !list_empty(addtl)) { 546 ret = drbg_ctr_update(drbg, addtl, 2); 547 if (ret) 548 return 0; 549 } 550 551 /* 10.2.1.5.2 step 4.1 */ 552 crypto_inc(drbg->V, drbg_blocklen(drbg)); 553 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 554 while (len < buflen) { 555 int outlen = 0; 556 /* 10.2.1.5.2 step 4.2 */ 557 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 558 if (ret) { 559 len = ret; 560 goto out; 561 } 562 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 563 drbg_blocklen(drbg) : (buflen - len); 564 /* 10.2.1.5.2 step 4.3 */ 565 memcpy(buf + len, drbg->scratchpad, outlen); 566 len += outlen; 567 /* 10.2.1.5.2 step 6 */ 568 if (len < buflen) 569 crypto_inc(drbg->V, drbg_blocklen(drbg)); 570 } 571 572 /* 10.2.1.5.2 step 6 */ 573 ret = drbg_ctr_update(drbg, NULL, 3); 574 if (ret) 575 len = ret; 576 577 out: 578 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 579 return len; 580 } 581 582 static const struct drbg_state_ops drbg_ctr_ops = { 583 .update = drbg_ctr_update, 584 .generate = drbg_ctr_generate, 585 .crypto_init = drbg_init_sym_kernel, 586 .crypto_fini = drbg_fini_sym_kernel, 587 }; 588 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 589 590 /****************************************************************** 591 * HMAC DRBG callback functions 592 ******************************************************************/ 593 594 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 595 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 596 const struct list_head *in); 597 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 598 const unsigned char *key); 599 static int drbg_init_hash_kernel(struct drbg_state *drbg); 600 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 601 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 602 603 #ifdef CONFIG_CRYPTO_DRBG_HMAC 604 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 605 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 606 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 607 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 608 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 609 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 610 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 611 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 612 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 613 614 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 615 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 616 int reseed) 617 { 618 int ret = -EFAULT; 619 int i = 0; 620 struct drbg_string seed1, seed2, vdata; 621 LIST_HEAD(seedlist); 622 LIST_HEAD(vdatalist); 623 624 if (!reseed) { 625 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 626 memset(drbg->V, 1, drbg_statelen(drbg)); 627 drbg_kcapi_hmacsetkey(drbg, drbg->C); 628 } 629 630 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 631 list_add_tail(&seed1.list, &seedlist); 632 /* buffer of seed2 will be filled in for loop below with one byte */ 633 drbg_string_fill(&seed2, NULL, 1); 634 list_add_tail(&seed2.list, &seedlist); 635 /* input data of seed is allowed to be NULL at this point */ 636 if (seed) 637 list_splice_tail(seed, &seedlist); 638 639 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 640 list_add_tail(&vdata.list, &vdatalist); 641 for (i = 2; 0 < i; i--) { 642 /* first round uses 0x0, second 0x1 */ 643 unsigned char prefix = DRBG_PREFIX0; 644 if (1 == i) 645 prefix = DRBG_PREFIX1; 646 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 647 seed2.buf = &prefix; 648 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 649 if (ret) 650 return ret; 651 drbg_kcapi_hmacsetkey(drbg, drbg->C); 652 653 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 654 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 655 if (ret) 656 return ret; 657 658 /* 10.1.2.2 step 3 */ 659 if (!seed) 660 return ret; 661 } 662 663 return 0; 664 } 665 666 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 667 static int drbg_hmac_generate(struct drbg_state *drbg, 668 unsigned char *buf, 669 unsigned int buflen, 670 struct list_head *addtl) 671 { 672 int len = 0; 673 int ret = 0; 674 struct drbg_string data; 675 LIST_HEAD(datalist); 676 677 /* 10.1.2.5 step 2 */ 678 if (addtl && !list_empty(addtl)) { 679 ret = drbg_hmac_update(drbg, addtl, 1); 680 if (ret) 681 return ret; 682 } 683 684 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 685 list_add_tail(&data.list, &datalist); 686 while (len < buflen) { 687 unsigned int outlen = 0; 688 /* 10.1.2.5 step 4.1 */ 689 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 690 if (ret) 691 return ret; 692 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 693 drbg_blocklen(drbg) : (buflen - len); 694 695 /* 10.1.2.5 step 4.2 */ 696 memcpy(buf + len, drbg->V, outlen); 697 len += outlen; 698 } 699 700 /* 10.1.2.5 step 6 */ 701 if (addtl && !list_empty(addtl)) 702 ret = drbg_hmac_update(drbg, addtl, 1); 703 else 704 ret = drbg_hmac_update(drbg, NULL, 1); 705 if (ret) 706 return ret; 707 708 return len; 709 } 710 711 static const struct drbg_state_ops drbg_hmac_ops = { 712 .update = drbg_hmac_update, 713 .generate = drbg_hmac_generate, 714 .crypto_init = drbg_init_hash_kernel, 715 .crypto_fini = drbg_fini_hash_kernel, 716 }; 717 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 718 719 /****************************************************************** 720 * Hash DRBG callback functions 721 ******************************************************************/ 722 723 #ifdef CONFIG_CRYPTO_DRBG_HASH 724 #define CRYPTO_DRBG_HASH_STRING "HASH " 725 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 726 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 727 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 728 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 729 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 730 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 731 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 732 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 733 734 /* 735 * Increment buffer 736 * 737 * @dst buffer to increment 738 * @add value to add 739 */ 740 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 741 const unsigned char *add, size_t addlen) 742 { 743 /* implied: dstlen > addlen */ 744 unsigned char *dstptr; 745 const unsigned char *addptr; 746 unsigned int remainder = 0; 747 size_t len = addlen; 748 749 dstptr = dst + (dstlen-1); 750 addptr = add + (addlen-1); 751 while (len) { 752 remainder += *dstptr + *addptr; 753 *dstptr = remainder & 0xff; 754 remainder >>= 8; 755 len--; dstptr--; addptr--; 756 } 757 len = dstlen - addlen; 758 while (len && remainder > 0) { 759 remainder = *dstptr + 1; 760 *dstptr = remainder & 0xff; 761 remainder >>= 8; 762 len--; dstptr--; 763 } 764 } 765 766 /* 767 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 768 * interlinked, the scratchpad is used as follows: 769 * drbg_hash_update 770 * start: drbg->scratchpad 771 * length: drbg_statelen(drbg) 772 * drbg_hash_df: 773 * start: drbg->scratchpad + drbg_statelen(drbg) 774 * length: drbg_blocklen(drbg) 775 * 776 * drbg_hash_process_addtl uses the scratchpad, but fully completes 777 * before either of the functions mentioned before are invoked. Therefore, 778 * drbg_hash_process_addtl does not need to be specifically considered. 779 */ 780 781 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 782 static int drbg_hash_df(struct drbg_state *drbg, 783 unsigned char *outval, size_t outlen, 784 struct list_head *entropylist) 785 { 786 int ret = 0; 787 size_t len = 0; 788 unsigned char input[5]; 789 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 790 struct drbg_string data; 791 792 /* 10.4.1 step 3 */ 793 input[0] = 1; 794 drbg_cpu_to_be32((outlen * 8), &input[1]); 795 796 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 797 drbg_string_fill(&data, input, 5); 798 list_add(&data.list, entropylist); 799 800 /* 10.4.1 step 4 */ 801 while (len < outlen) { 802 short blocklen = 0; 803 /* 10.4.1 step 4.1 */ 804 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 805 if (ret) 806 goto out; 807 /* 10.4.1 step 4.2 */ 808 input[0]++; 809 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 810 drbg_blocklen(drbg) : (outlen - len); 811 memcpy(outval + len, tmp, blocklen); 812 len += blocklen; 813 } 814 815 out: 816 memset(tmp, 0, drbg_blocklen(drbg)); 817 return ret; 818 } 819 820 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 821 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 822 int reseed) 823 { 824 int ret = 0; 825 struct drbg_string data1, data2; 826 LIST_HEAD(datalist); 827 LIST_HEAD(datalist2); 828 unsigned char *V = drbg->scratchpad; 829 unsigned char prefix = DRBG_PREFIX1; 830 831 if (!seed) 832 return -EINVAL; 833 834 if (reseed) { 835 /* 10.1.1.3 step 1 */ 836 memcpy(V, drbg->V, drbg_statelen(drbg)); 837 drbg_string_fill(&data1, &prefix, 1); 838 list_add_tail(&data1.list, &datalist); 839 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 840 list_add_tail(&data2.list, &datalist); 841 } 842 list_splice_tail(seed, &datalist); 843 844 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 845 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 846 if (ret) 847 goto out; 848 849 /* 10.1.1.2 / 10.1.1.3 step 4 */ 850 prefix = DRBG_PREFIX0; 851 drbg_string_fill(&data1, &prefix, 1); 852 list_add_tail(&data1.list, &datalist2); 853 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 854 list_add_tail(&data2.list, &datalist2); 855 /* 10.1.1.2 / 10.1.1.3 step 4 */ 856 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 857 858 out: 859 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 860 return ret; 861 } 862 863 /* processing of additional information string for Hash DRBG */ 864 static int drbg_hash_process_addtl(struct drbg_state *drbg, 865 struct list_head *addtl) 866 { 867 int ret = 0; 868 struct drbg_string data1, data2; 869 LIST_HEAD(datalist); 870 unsigned char prefix = DRBG_PREFIX2; 871 872 /* 10.1.1.4 step 2 */ 873 if (!addtl || list_empty(addtl)) 874 return 0; 875 876 /* 10.1.1.4 step 2a */ 877 drbg_string_fill(&data1, &prefix, 1); 878 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 879 list_add_tail(&data1.list, &datalist); 880 list_add_tail(&data2.list, &datalist); 881 list_splice_tail(addtl, &datalist); 882 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 883 if (ret) 884 goto out; 885 886 /* 10.1.1.4 step 2b */ 887 drbg_add_buf(drbg->V, drbg_statelen(drbg), 888 drbg->scratchpad, drbg_blocklen(drbg)); 889 890 out: 891 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 892 return ret; 893 } 894 895 /* Hashgen defined in 10.1.1.4 */ 896 static int drbg_hash_hashgen(struct drbg_state *drbg, 897 unsigned char *buf, 898 unsigned int buflen) 899 { 900 int len = 0; 901 int ret = 0; 902 unsigned char *src = drbg->scratchpad; 903 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 904 struct drbg_string data; 905 LIST_HEAD(datalist); 906 907 /* 10.1.1.4 step hashgen 2 */ 908 memcpy(src, drbg->V, drbg_statelen(drbg)); 909 910 drbg_string_fill(&data, src, drbg_statelen(drbg)); 911 list_add_tail(&data.list, &datalist); 912 while (len < buflen) { 913 unsigned int outlen = 0; 914 /* 10.1.1.4 step hashgen 4.1 */ 915 ret = drbg_kcapi_hash(drbg, dst, &datalist); 916 if (ret) { 917 len = ret; 918 goto out; 919 } 920 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 921 drbg_blocklen(drbg) : (buflen - len); 922 /* 10.1.1.4 step hashgen 4.2 */ 923 memcpy(buf + len, dst, outlen); 924 len += outlen; 925 /* 10.1.1.4 hashgen step 4.3 */ 926 if (len < buflen) 927 crypto_inc(src, drbg_statelen(drbg)); 928 } 929 930 out: 931 memset(drbg->scratchpad, 0, 932 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 933 return len; 934 } 935 936 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 937 static int drbg_hash_generate(struct drbg_state *drbg, 938 unsigned char *buf, unsigned int buflen, 939 struct list_head *addtl) 940 { 941 int len = 0; 942 int ret = 0; 943 union { 944 unsigned char req[8]; 945 __be64 req_int; 946 } u; 947 unsigned char prefix = DRBG_PREFIX3; 948 struct drbg_string data1, data2; 949 LIST_HEAD(datalist); 950 951 /* 10.1.1.4 step 2 */ 952 ret = drbg_hash_process_addtl(drbg, addtl); 953 if (ret) 954 return ret; 955 /* 10.1.1.4 step 3 */ 956 len = drbg_hash_hashgen(drbg, buf, buflen); 957 958 /* this is the value H as documented in 10.1.1.4 */ 959 /* 10.1.1.4 step 4 */ 960 drbg_string_fill(&data1, &prefix, 1); 961 list_add_tail(&data1.list, &datalist); 962 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 963 list_add_tail(&data2.list, &datalist); 964 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 965 if (ret) { 966 len = ret; 967 goto out; 968 } 969 970 /* 10.1.1.4 step 5 */ 971 drbg_add_buf(drbg->V, drbg_statelen(drbg), 972 drbg->scratchpad, drbg_blocklen(drbg)); 973 drbg_add_buf(drbg->V, drbg_statelen(drbg), 974 drbg->C, drbg_statelen(drbg)); 975 u.req_int = cpu_to_be64(drbg->reseed_ctr); 976 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 977 978 out: 979 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 980 return len; 981 } 982 983 /* 984 * scratchpad usage: as update and generate are used isolated, both 985 * can use the scratchpad 986 */ 987 static const struct drbg_state_ops drbg_hash_ops = { 988 .update = drbg_hash_update, 989 .generate = drbg_hash_generate, 990 .crypto_init = drbg_init_hash_kernel, 991 .crypto_fini = drbg_fini_hash_kernel, 992 }; 993 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 994 995 /****************************************************************** 996 * Functions common for DRBG implementations 997 ******************************************************************/ 998 999 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1000 int reseed) 1001 { 1002 int ret = drbg->d_ops->update(drbg, seed, reseed); 1003 1004 if (ret) 1005 return ret; 1006 1007 drbg->seeded = true; 1008 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1009 drbg->reseed_ctr = 1; 1010 1011 return ret; 1012 } 1013 1014 static void drbg_async_seed(struct work_struct *work) 1015 { 1016 struct drbg_string data; 1017 LIST_HEAD(seedlist); 1018 struct drbg_state *drbg = container_of(work, struct drbg_state, 1019 seed_work); 1020 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1021 unsigned char entropy[32]; 1022 1023 BUG_ON(!entropylen); 1024 BUG_ON(entropylen > sizeof(entropy)); 1025 get_random_bytes(entropy, entropylen); 1026 1027 drbg_string_fill(&data, entropy, entropylen); 1028 list_add_tail(&data.list, &seedlist); 1029 1030 mutex_lock(&drbg->drbg_mutex); 1031 1032 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1033 crypto_free_rng(drbg->jent); 1034 drbg->jent = NULL; 1035 1036 /* Set seeded to false so that if __drbg_seed fails the 1037 * next generate call will trigger a reseed. 1038 */ 1039 drbg->seeded = false; 1040 1041 __drbg_seed(drbg, &seedlist, true); 1042 1043 if (drbg->seeded) 1044 drbg->reseed_threshold = drbg_max_requests(drbg); 1045 1046 mutex_unlock(&drbg->drbg_mutex); 1047 1048 memzero_explicit(entropy, entropylen); 1049 } 1050 1051 /* 1052 * Seeding or reseeding of the DRBG 1053 * 1054 * @drbg: DRBG state struct 1055 * @pers: personalization / additional information buffer 1056 * @reseed: 0 for initial seed process, 1 for reseeding 1057 * 1058 * return: 1059 * 0 on success 1060 * error value otherwise 1061 */ 1062 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1063 bool reseed) 1064 { 1065 int ret; 1066 unsigned char entropy[((32 + 16) * 2)]; 1067 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1068 struct drbg_string data1; 1069 LIST_HEAD(seedlist); 1070 1071 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1072 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1073 pr_devel("DRBG: personalization string too long %zu\n", 1074 pers->len); 1075 return -EINVAL; 1076 } 1077 1078 if (list_empty(&drbg->test_data.list)) { 1079 drbg_string_fill(&data1, drbg->test_data.buf, 1080 drbg->test_data.len); 1081 pr_devel("DRBG: using test entropy\n"); 1082 } else { 1083 /* 1084 * Gather entropy equal to the security strength of the DRBG. 1085 * With a derivation function, a nonce is required in addition 1086 * to the entropy. A nonce must be at least 1/2 of the security 1087 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1088 * of the strength. The consideration of a nonce is only 1089 * applicable during initial seeding. 1090 */ 1091 BUG_ON(!entropylen); 1092 if (!reseed) 1093 entropylen = ((entropylen + 1) / 2) * 3; 1094 BUG_ON((entropylen * 2) > sizeof(entropy)); 1095 1096 /* Get seed from in-kernel /dev/urandom */ 1097 get_random_bytes(entropy, entropylen); 1098 1099 if (!drbg->jent) { 1100 drbg_string_fill(&data1, entropy, entropylen); 1101 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1102 entropylen); 1103 } else { 1104 /* Get seed from Jitter RNG */ 1105 ret = crypto_rng_get_bytes(drbg->jent, 1106 entropy + entropylen, 1107 entropylen); 1108 if (ret) { 1109 pr_devel("DRBG: jent failed with %d\n", ret); 1110 return ret; 1111 } 1112 1113 drbg_string_fill(&data1, entropy, entropylen * 2); 1114 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1115 entropylen * 2); 1116 } 1117 } 1118 list_add_tail(&data1.list, &seedlist); 1119 1120 /* 1121 * concatenation of entropy with personalization str / addtl input) 1122 * the variable pers is directly handed in by the caller, so check its 1123 * contents whether it is appropriate 1124 */ 1125 if (pers && pers->buf && 0 < pers->len) { 1126 list_add_tail(&pers->list, &seedlist); 1127 pr_devel("DRBG: using personalization string\n"); 1128 } 1129 1130 if (!reseed) { 1131 memset(drbg->V, 0, drbg_statelen(drbg)); 1132 memset(drbg->C, 0, drbg_statelen(drbg)); 1133 } 1134 1135 ret = __drbg_seed(drbg, &seedlist, reseed); 1136 1137 memzero_explicit(entropy, entropylen * 2); 1138 1139 return ret; 1140 } 1141 1142 /* Free all substructures in a DRBG state without the DRBG state structure */ 1143 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1144 { 1145 if (!drbg) 1146 return; 1147 kzfree(drbg->V); 1148 drbg->V = NULL; 1149 kzfree(drbg->C); 1150 drbg->C = NULL; 1151 kzfree(drbg->scratchpad); 1152 drbg->scratchpad = NULL; 1153 drbg->reseed_ctr = 0; 1154 drbg->d_ops = NULL; 1155 drbg->core = NULL; 1156 } 1157 1158 /* 1159 * Allocate all sub-structures for a DRBG state. 1160 * The DRBG state structure must already be allocated. 1161 */ 1162 static inline int drbg_alloc_state(struct drbg_state *drbg) 1163 { 1164 int ret = -ENOMEM; 1165 unsigned int sb_size = 0; 1166 1167 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1168 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1169 case DRBG_HMAC: 1170 drbg->d_ops = &drbg_hmac_ops; 1171 break; 1172 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1173 #ifdef CONFIG_CRYPTO_DRBG_HASH 1174 case DRBG_HASH: 1175 drbg->d_ops = &drbg_hash_ops; 1176 break; 1177 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1178 #ifdef CONFIG_CRYPTO_DRBG_CTR 1179 case DRBG_CTR: 1180 drbg->d_ops = &drbg_ctr_ops; 1181 break; 1182 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1183 default: 1184 ret = -EOPNOTSUPP; 1185 goto err; 1186 } 1187 1188 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1189 if (!drbg->V) 1190 goto err; 1191 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1192 if (!drbg->C) 1193 goto err; 1194 /* scratchpad is only generated for CTR and Hash */ 1195 if (drbg->core->flags & DRBG_HMAC) 1196 sb_size = 0; 1197 else if (drbg->core->flags & DRBG_CTR) 1198 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1199 drbg_statelen(drbg) + /* df_data */ 1200 drbg_blocklen(drbg) + /* pad */ 1201 drbg_blocklen(drbg) + /* iv */ 1202 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1203 else 1204 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1205 1206 if (0 < sb_size) { 1207 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1208 if (!drbg->scratchpad) 1209 goto err; 1210 } 1211 1212 return 0; 1213 1214 err: 1215 drbg_dealloc_state(drbg); 1216 return ret; 1217 } 1218 1219 /************************************************************************* 1220 * DRBG interface functions 1221 *************************************************************************/ 1222 1223 /* 1224 * DRBG generate function as required by SP800-90A - this function 1225 * generates random numbers 1226 * 1227 * @drbg DRBG state handle 1228 * @buf Buffer where to store the random numbers -- the buffer must already 1229 * be pre-allocated by caller 1230 * @buflen Length of output buffer - this value defines the number of random 1231 * bytes pulled from DRBG 1232 * @addtl Additional input that is mixed into state, may be NULL -- note 1233 * the entropy is pulled by the DRBG internally unconditionally 1234 * as defined in SP800-90A. The additional input is mixed into 1235 * the state in addition to the pulled entropy. 1236 * 1237 * return: 0 when all bytes are generated; < 0 in case of an error 1238 */ 1239 static int drbg_generate(struct drbg_state *drbg, 1240 unsigned char *buf, unsigned int buflen, 1241 struct drbg_string *addtl) 1242 { 1243 int len = 0; 1244 LIST_HEAD(addtllist); 1245 1246 if (!drbg->core) { 1247 pr_devel("DRBG: not yet seeded\n"); 1248 return -EINVAL; 1249 } 1250 if (0 == buflen || !buf) { 1251 pr_devel("DRBG: no output buffer provided\n"); 1252 return -EINVAL; 1253 } 1254 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1255 pr_devel("DRBG: wrong format of additional information\n"); 1256 return -EINVAL; 1257 } 1258 1259 /* 9.3.1 step 2 */ 1260 len = -EINVAL; 1261 if (buflen > (drbg_max_request_bytes(drbg))) { 1262 pr_devel("DRBG: requested random numbers too large %u\n", 1263 buflen); 1264 goto err; 1265 } 1266 1267 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1268 1269 /* 9.3.1 step 4 */ 1270 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1271 pr_devel("DRBG: additional information string too long %zu\n", 1272 addtl->len); 1273 goto err; 1274 } 1275 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1276 1277 /* 1278 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1279 * here. The spec is a bit convoluted here, we make it simpler. 1280 */ 1281 if (drbg->reseed_threshold < drbg->reseed_ctr) 1282 drbg->seeded = false; 1283 1284 if (drbg->pr || !drbg->seeded) { 1285 pr_devel("DRBG: reseeding before generation (prediction " 1286 "resistance: %s, state %s)\n", 1287 drbg->pr ? "true" : "false", 1288 drbg->seeded ? "seeded" : "unseeded"); 1289 /* 9.3.1 steps 7.1 through 7.3 */ 1290 len = drbg_seed(drbg, addtl, true); 1291 if (len) 1292 goto err; 1293 /* 9.3.1 step 7.4 */ 1294 addtl = NULL; 1295 } 1296 1297 if (addtl && 0 < addtl->len) 1298 list_add_tail(&addtl->list, &addtllist); 1299 /* 9.3.1 step 8 and 10 */ 1300 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1301 1302 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1303 drbg->reseed_ctr++; 1304 if (0 >= len) 1305 goto err; 1306 1307 /* 1308 * Section 11.3.3 requires to re-perform self tests after some 1309 * generated random numbers. The chosen value after which self 1310 * test is performed is arbitrary, but it should be reasonable. 1311 * However, we do not perform the self tests because of the following 1312 * reasons: it is mathematically impossible that the initial self tests 1313 * were successfully and the following are not. If the initial would 1314 * pass and the following would not, the kernel integrity is violated. 1315 * In this case, the entire kernel operation is questionable and it 1316 * is unlikely that the integrity violation only affects the 1317 * correct operation of the DRBG. 1318 * 1319 * Albeit the following code is commented out, it is provided in 1320 * case somebody has a need to implement the test of 11.3.3. 1321 */ 1322 #if 0 1323 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1324 int err = 0; 1325 pr_devel("DRBG: start to perform self test\n"); 1326 if (drbg->core->flags & DRBG_HMAC) 1327 err = alg_test("drbg_pr_hmac_sha256", 1328 "drbg_pr_hmac_sha256", 0, 0); 1329 else if (drbg->core->flags & DRBG_CTR) 1330 err = alg_test("drbg_pr_ctr_aes128", 1331 "drbg_pr_ctr_aes128", 0, 0); 1332 else 1333 err = alg_test("drbg_pr_sha256", 1334 "drbg_pr_sha256", 0, 0); 1335 if (err) { 1336 pr_err("DRBG: periodical self test failed\n"); 1337 /* 1338 * uninstantiate implies that from now on, only errors 1339 * are returned when reusing this DRBG cipher handle 1340 */ 1341 drbg_uninstantiate(drbg); 1342 return 0; 1343 } else { 1344 pr_devel("DRBG: self test successful\n"); 1345 } 1346 } 1347 #endif 1348 1349 /* 1350 * All operations were successful, return 0 as mandated by 1351 * the kernel crypto API interface. 1352 */ 1353 len = 0; 1354 err: 1355 return len; 1356 } 1357 1358 /* 1359 * Wrapper around drbg_generate which can pull arbitrary long strings 1360 * from the DRBG without hitting the maximum request limitation. 1361 * 1362 * Parameters: see drbg_generate 1363 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1364 * the entire drbg_generate_long request fails 1365 */ 1366 static int drbg_generate_long(struct drbg_state *drbg, 1367 unsigned char *buf, unsigned int buflen, 1368 struct drbg_string *addtl) 1369 { 1370 unsigned int len = 0; 1371 unsigned int slice = 0; 1372 do { 1373 int err = 0; 1374 unsigned int chunk = 0; 1375 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1376 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1377 mutex_lock(&drbg->drbg_mutex); 1378 err = drbg_generate(drbg, buf + len, chunk, addtl); 1379 mutex_unlock(&drbg->drbg_mutex); 1380 if (0 > err) 1381 return err; 1382 len += chunk; 1383 } while (slice > 0 && (len < buflen)); 1384 return 0; 1385 } 1386 1387 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1388 { 1389 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1390 random_ready); 1391 1392 schedule_work(&drbg->seed_work); 1393 } 1394 1395 static int drbg_prepare_hrng(struct drbg_state *drbg) 1396 { 1397 int err; 1398 1399 /* We do not need an HRNG in test mode. */ 1400 if (list_empty(&drbg->test_data.list)) 1401 return 0; 1402 1403 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1404 1405 drbg->random_ready.owner = THIS_MODULE; 1406 drbg->random_ready.func = drbg_schedule_async_seed; 1407 1408 err = add_random_ready_callback(&drbg->random_ready); 1409 1410 switch (err) { 1411 case 0: 1412 break; 1413 1414 case -EALREADY: 1415 err = 0; 1416 /* fall through */ 1417 1418 default: 1419 drbg->random_ready.func = NULL; 1420 return err; 1421 } 1422 1423 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1424 1425 /* 1426 * Require frequent reseeds until the seed source is fully 1427 * initialized. 1428 */ 1429 drbg->reseed_threshold = 50; 1430 1431 return err; 1432 } 1433 1434 /* 1435 * DRBG instantiation function as required by SP800-90A - this function 1436 * sets up the DRBG handle, performs the initial seeding and all sanity 1437 * checks required by SP800-90A 1438 * 1439 * @drbg memory of state -- if NULL, new memory is allocated 1440 * @pers Personalization string that is mixed into state, may be NULL -- note 1441 * the entropy is pulled by the DRBG internally unconditionally 1442 * as defined in SP800-90A. The additional input is mixed into 1443 * the state in addition to the pulled entropy. 1444 * @coreref reference to core 1445 * @pr prediction resistance enabled 1446 * 1447 * return 1448 * 0 on success 1449 * error value otherwise 1450 */ 1451 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1452 int coreref, bool pr) 1453 { 1454 int ret; 1455 bool reseed = true; 1456 1457 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1458 "%s\n", coreref, pr ? "enabled" : "disabled"); 1459 mutex_lock(&drbg->drbg_mutex); 1460 1461 /* 9.1 step 1 is implicit with the selected DRBG type */ 1462 1463 /* 1464 * 9.1 step 2 is implicit as caller can select prediction resistance 1465 * and the flag is copied into drbg->flags -- 1466 * all DRBG types support prediction resistance 1467 */ 1468 1469 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1470 1471 if (!drbg->core) { 1472 drbg->core = &drbg_cores[coreref]; 1473 drbg->pr = pr; 1474 drbg->seeded = false; 1475 drbg->reseed_threshold = drbg_max_requests(drbg); 1476 1477 ret = drbg_alloc_state(drbg); 1478 if (ret) 1479 goto unlock; 1480 1481 ret = -EFAULT; 1482 if (drbg->d_ops->crypto_init(drbg)) 1483 goto err; 1484 1485 ret = drbg_prepare_hrng(drbg); 1486 if (ret) 1487 goto free_everything; 1488 1489 if (IS_ERR(drbg->jent)) { 1490 ret = PTR_ERR(drbg->jent); 1491 drbg->jent = NULL; 1492 if (fips_enabled || ret != -ENOENT) 1493 goto free_everything; 1494 pr_info("DRBG: Continuing without Jitter RNG\n"); 1495 } 1496 1497 reseed = false; 1498 } 1499 1500 ret = drbg_seed(drbg, pers, reseed); 1501 1502 if (ret && !reseed) 1503 goto free_everything; 1504 1505 mutex_unlock(&drbg->drbg_mutex); 1506 return ret; 1507 1508 err: 1509 drbg_dealloc_state(drbg); 1510 unlock: 1511 mutex_unlock(&drbg->drbg_mutex); 1512 return ret; 1513 1514 free_everything: 1515 mutex_unlock(&drbg->drbg_mutex); 1516 drbg_uninstantiate(drbg); 1517 return ret; 1518 } 1519 1520 /* 1521 * DRBG uninstantiate function as required by SP800-90A - this function 1522 * frees all buffers and the DRBG handle 1523 * 1524 * @drbg DRBG state handle 1525 * 1526 * return 1527 * 0 on success 1528 */ 1529 static int drbg_uninstantiate(struct drbg_state *drbg) 1530 { 1531 if (drbg->random_ready.func) { 1532 del_random_ready_callback(&drbg->random_ready); 1533 cancel_work_sync(&drbg->seed_work); 1534 crypto_free_rng(drbg->jent); 1535 drbg->jent = NULL; 1536 } 1537 1538 if (drbg->d_ops) 1539 drbg->d_ops->crypto_fini(drbg); 1540 drbg_dealloc_state(drbg); 1541 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1542 return 0; 1543 } 1544 1545 /* 1546 * Helper function for setting the test data in the DRBG 1547 * 1548 * @drbg DRBG state handle 1549 * @data test data 1550 * @len test data length 1551 */ 1552 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1553 const u8 *data, unsigned int len) 1554 { 1555 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1556 1557 mutex_lock(&drbg->drbg_mutex); 1558 drbg_string_fill(&drbg->test_data, data, len); 1559 mutex_unlock(&drbg->drbg_mutex); 1560 } 1561 1562 /*************************************************************** 1563 * Kernel crypto API cipher invocations requested by DRBG 1564 ***************************************************************/ 1565 1566 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1567 struct sdesc { 1568 struct shash_desc shash; 1569 char ctx[]; 1570 }; 1571 1572 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1573 { 1574 struct sdesc *sdesc; 1575 struct crypto_shash *tfm; 1576 1577 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1578 if (IS_ERR(tfm)) { 1579 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1580 drbg->core->backend_cra_name); 1581 return PTR_ERR(tfm); 1582 } 1583 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1584 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1585 GFP_KERNEL); 1586 if (!sdesc) { 1587 crypto_free_shash(tfm); 1588 return -ENOMEM; 1589 } 1590 1591 sdesc->shash.tfm = tfm; 1592 sdesc->shash.flags = 0; 1593 drbg->priv_data = sdesc; 1594 return 0; 1595 } 1596 1597 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1598 { 1599 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1600 if (sdesc) { 1601 crypto_free_shash(sdesc->shash.tfm); 1602 kzfree(sdesc); 1603 } 1604 drbg->priv_data = NULL; 1605 return 0; 1606 } 1607 1608 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1609 const unsigned char *key) 1610 { 1611 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1612 1613 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1614 } 1615 1616 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1617 const struct list_head *in) 1618 { 1619 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1620 struct drbg_string *input = NULL; 1621 1622 crypto_shash_init(&sdesc->shash); 1623 list_for_each_entry(input, in, list) 1624 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1625 return crypto_shash_final(&sdesc->shash, outval); 1626 } 1627 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1628 1629 #ifdef CONFIG_CRYPTO_DRBG_CTR 1630 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1631 { 1632 int ret = 0; 1633 struct crypto_cipher *tfm; 1634 1635 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1636 if (IS_ERR(tfm)) { 1637 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1638 drbg->core->backend_cra_name); 1639 return PTR_ERR(tfm); 1640 } 1641 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1642 drbg->priv_data = tfm; 1643 return ret; 1644 } 1645 1646 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1647 { 1648 struct crypto_cipher *tfm = 1649 (struct crypto_cipher *)drbg->priv_data; 1650 if (tfm) 1651 crypto_free_cipher(tfm); 1652 drbg->priv_data = NULL; 1653 return 0; 1654 } 1655 1656 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1657 unsigned char *outval, const struct drbg_string *in) 1658 { 1659 struct crypto_cipher *tfm = 1660 (struct crypto_cipher *)drbg->priv_data; 1661 1662 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1663 /* there is only component in *in */ 1664 BUG_ON(in->len < drbg_blocklen(drbg)); 1665 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1666 return 0; 1667 } 1668 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1669 1670 /*************************************************************** 1671 * Kernel crypto API interface to register DRBG 1672 ***************************************************************/ 1673 1674 /* 1675 * Look up the DRBG flags by given kernel crypto API cra_name 1676 * The code uses the drbg_cores definition to do this 1677 * 1678 * @cra_name kernel crypto API cra_name 1679 * @coreref reference to integer which is filled with the pointer to 1680 * the applicable core 1681 * @pr reference for setting prediction resistance 1682 * 1683 * return: flags 1684 */ 1685 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1686 int *coreref, bool *pr) 1687 { 1688 int i = 0; 1689 size_t start = 0; 1690 int len = 0; 1691 1692 *pr = true; 1693 /* disassemble the names */ 1694 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1695 start = 10; 1696 *pr = false; 1697 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1698 start = 8; 1699 } else { 1700 return; 1701 } 1702 1703 /* remove the first part */ 1704 len = strlen(cra_driver_name) - start; 1705 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1706 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1707 len)) { 1708 *coreref = i; 1709 return; 1710 } 1711 } 1712 } 1713 1714 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1715 { 1716 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1717 1718 mutex_init(&drbg->drbg_mutex); 1719 1720 return 0; 1721 } 1722 1723 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1724 { 1725 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1726 } 1727 1728 /* 1729 * Generate random numbers invoked by the kernel crypto API: 1730 * The API of the kernel crypto API is extended as follows: 1731 * 1732 * src is additional input supplied to the RNG. 1733 * slen is the length of src. 1734 * dst is the output buffer where random data is to be stored. 1735 * dlen is the length of dst. 1736 */ 1737 static int drbg_kcapi_random(struct crypto_rng *tfm, 1738 const u8 *src, unsigned int slen, 1739 u8 *dst, unsigned int dlen) 1740 { 1741 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1742 struct drbg_string *addtl = NULL; 1743 struct drbg_string string; 1744 1745 if (slen) { 1746 /* linked list variable is now local to allow modification */ 1747 drbg_string_fill(&string, src, slen); 1748 addtl = &string; 1749 } 1750 1751 return drbg_generate_long(drbg, dst, dlen, addtl); 1752 } 1753 1754 /* 1755 * Seed the DRBG invoked by the kernel crypto API 1756 */ 1757 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1758 const u8 *seed, unsigned int slen) 1759 { 1760 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1761 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1762 bool pr = false; 1763 struct drbg_string string; 1764 struct drbg_string *seed_string = NULL; 1765 int coreref = 0; 1766 1767 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1768 &pr); 1769 if (0 < slen) { 1770 drbg_string_fill(&string, seed, slen); 1771 seed_string = &string; 1772 } 1773 1774 return drbg_instantiate(drbg, seed_string, coreref, pr); 1775 } 1776 1777 /*************************************************************** 1778 * Kernel module: code to load the module 1779 ***************************************************************/ 1780 1781 /* 1782 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1783 * of the error handling. 1784 * 1785 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1786 * as seed source of get_random_bytes does not fail. 1787 * 1788 * Note 2: There is no sensible way of testing the reseed counter 1789 * enforcement, so skip it. 1790 */ 1791 static inline int __init drbg_healthcheck_sanity(void) 1792 { 1793 int len = 0; 1794 #define OUTBUFLEN 16 1795 unsigned char buf[OUTBUFLEN]; 1796 struct drbg_state *drbg = NULL; 1797 int ret = -EFAULT; 1798 int rc = -EFAULT; 1799 bool pr = false; 1800 int coreref = 0; 1801 struct drbg_string addtl; 1802 size_t max_addtllen, max_request_bytes; 1803 1804 /* only perform test in FIPS mode */ 1805 if (!fips_enabled) 1806 return 0; 1807 1808 #ifdef CONFIG_CRYPTO_DRBG_CTR 1809 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1810 #elif defined CONFIG_CRYPTO_DRBG_HASH 1811 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1812 #else 1813 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1814 #endif 1815 1816 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1817 if (!drbg) 1818 return -ENOMEM; 1819 1820 mutex_init(&drbg->drbg_mutex); 1821 1822 /* 1823 * if the following tests fail, it is likely that there is a buffer 1824 * overflow as buf is much smaller than the requested or provided 1825 * string lengths -- in case the error handling does not succeed 1826 * we may get an OOPS. And we want to get an OOPS as this is a 1827 * grave bug. 1828 */ 1829 1830 /* get a valid instance of DRBG for following tests */ 1831 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1832 if (ret) { 1833 rc = ret; 1834 goto outbuf; 1835 } 1836 max_addtllen = drbg_max_addtl(drbg); 1837 max_request_bytes = drbg_max_request_bytes(drbg); 1838 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1839 /* overflow addtllen with additonal info string */ 1840 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1841 BUG_ON(0 < len); 1842 /* overflow max_bits */ 1843 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1844 BUG_ON(0 < len); 1845 drbg_uninstantiate(drbg); 1846 1847 /* overflow max addtllen with personalization string */ 1848 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1849 BUG_ON(0 == ret); 1850 /* all tests passed */ 1851 rc = 0; 1852 1853 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1854 "completed\n"); 1855 1856 drbg_uninstantiate(drbg); 1857 outbuf: 1858 kzfree(drbg); 1859 return rc; 1860 } 1861 1862 static struct rng_alg drbg_algs[22]; 1863 1864 /* 1865 * Fill the array drbg_algs used to register the different DRBGs 1866 * with the kernel crypto API. To fill the array, the information 1867 * from drbg_cores[] is used. 1868 */ 1869 static inline void __init drbg_fill_array(struct rng_alg *alg, 1870 const struct drbg_core *core, int pr) 1871 { 1872 int pos = 0; 1873 static int priority = 200; 1874 1875 memcpy(alg->base.cra_name, "stdrng", 6); 1876 if (pr) { 1877 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1878 pos = 8; 1879 } else { 1880 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1881 pos = 10; 1882 } 1883 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1884 strlen(core->cra_name)); 1885 1886 alg->base.cra_priority = priority; 1887 priority++; 1888 /* 1889 * If FIPS mode enabled, the selected DRBG shall have the 1890 * highest cra_priority over other stdrng instances to ensure 1891 * it is selected. 1892 */ 1893 if (fips_enabled) 1894 alg->base.cra_priority += 200; 1895 1896 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1897 alg->base.cra_module = THIS_MODULE; 1898 alg->base.cra_init = drbg_kcapi_init; 1899 alg->base.cra_exit = drbg_kcapi_cleanup; 1900 alg->generate = drbg_kcapi_random; 1901 alg->seed = drbg_kcapi_seed; 1902 alg->set_ent = drbg_kcapi_set_entropy; 1903 alg->seedsize = 0; 1904 } 1905 1906 static int __init drbg_init(void) 1907 { 1908 unsigned int i = 0; /* pointer to drbg_algs */ 1909 unsigned int j = 0; /* pointer to drbg_cores */ 1910 int ret = -EFAULT; 1911 1912 ret = drbg_healthcheck_sanity(); 1913 if (ret) 1914 return ret; 1915 1916 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1917 pr_info("DRBG: Cannot register all DRBG types" 1918 "(slots needed: %zu, slots available: %zu)\n", 1919 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1920 return ret; 1921 } 1922 1923 /* 1924 * each DRBG definition can be used with PR and without PR, thus 1925 * we instantiate each DRBG in drbg_cores[] twice. 1926 * 1927 * As the order of placing them into the drbg_algs array matters 1928 * (the later DRBGs receive a higher cra_priority) we register the 1929 * prediction resistance DRBGs first as the should not be too 1930 * interesting. 1931 */ 1932 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1933 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1934 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1935 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1936 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1937 } 1938 1939 static void __exit drbg_exit(void) 1940 { 1941 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1942 } 1943 1944 module_init(drbg_init); 1945 module_exit(drbg_exit); 1946 #ifndef CRYPTO_DRBG_HASH_STRING 1947 #define CRYPTO_DRBG_HASH_STRING "" 1948 #endif 1949 #ifndef CRYPTO_DRBG_HMAC_STRING 1950 #define CRYPTO_DRBG_HMAC_STRING "" 1951 #endif 1952 #ifndef CRYPTO_DRBG_CTR_STRING 1953 #define CRYPTO_DRBG_CTR_STRING "" 1954 #endif 1955 MODULE_LICENSE("GPL"); 1956 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1957 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1958 "using following cores: " 1959 CRYPTO_DRBG_HASH_STRING 1960 CRYPTO_DRBG_HMAC_STRING 1961 CRYPTO_DRBG_CTR_STRING); 1962 MODULE_ALIAS_CRYPTO("stdrng"); 1963