1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 102 /*************************************************************** 103 * Backend cipher definitions available to DRBG 104 ***************************************************************/ 105 106 /* 107 * The order of the DRBG definitions here matter: every DRBG is registered 108 * as stdrng. Each DRBG receives an increasing cra_priority values the later 109 * they are defined in this array (see drbg_fill_array). 110 * 111 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 112 * the SHA256 / AES 256 over other ciphers. Thus, the favored 113 * DRBGs are the latest entries in this array. 114 */ 115 static const struct drbg_core drbg_cores[] = { 116 #ifdef CONFIG_CRYPTO_DRBG_CTR 117 { 118 .flags = DRBG_CTR | DRBG_STRENGTH128, 119 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 120 .max_addtllen = 35, 121 .max_bits = 19, 122 .max_req = 48, 123 .blocklen_bytes = 16, 124 .cra_name = "ctr_aes128", 125 .backend_cra_name = "ecb(aes)", 126 }, { 127 .flags = DRBG_CTR | DRBG_STRENGTH192, 128 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 129 .max_addtllen = 35, 130 .max_bits = 19, 131 .max_req = 48, 132 .blocklen_bytes = 16, 133 .cra_name = "ctr_aes192", 134 .backend_cra_name = "ecb(aes)", 135 }, { 136 .flags = DRBG_CTR | DRBG_STRENGTH256, 137 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 138 .max_addtllen = 35, 139 .max_bits = 19, 140 .max_req = 48, 141 .blocklen_bytes = 16, 142 .cra_name = "ctr_aes256", 143 .backend_cra_name = "ecb(aes)", 144 }, 145 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 146 #ifdef CONFIG_CRYPTO_DRBG_HASH 147 { 148 .flags = DRBG_HASH | DRBG_STRENGTH128, 149 .statelen = 55, /* 440 bits */ 150 .max_addtllen = 35, 151 .max_bits = 19, 152 .max_req = 48, 153 .blocklen_bytes = 20, 154 .cra_name = "sha1", 155 .backend_cra_name = "sha1", 156 }, { 157 .flags = DRBG_HASH | DRBG_STRENGTH256, 158 .statelen = 111, /* 888 bits */ 159 .max_addtllen = 35, 160 .max_bits = 19, 161 .max_req = 48, 162 .blocklen_bytes = 48, 163 .cra_name = "sha384", 164 .backend_cra_name = "sha384", 165 }, { 166 .flags = DRBG_HASH | DRBG_STRENGTH256, 167 .statelen = 111, /* 888 bits */ 168 .max_addtllen = 35, 169 .max_bits = 19, 170 .max_req = 48, 171 .blocklen_bytes = 64, 172 .cra_name = "sha512", 173 .backend_cra_name = "sha512", 174 }, { 175 .flags = DRBG_HASH | DRBG_STRENGTH256, 176 .statelen = 55, /* 440 bits */ 177 .max_addtllen = 35, 178 .max_bits = 19, 179 .max_req = 48, 180 .blocklen_bytes = 32, 181 .cra_name = "sha256", 182 .backend_cra_name = "sha256", 183 }, 184 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 185 #ifdef CONFIG_CRYPTO_DRBG_HMAC 186 { 187 .flags = DRBG_HMAC | DRBG_STRENGTH128, 188 .statelen = 20, /* block length of cipher */ 189 .max_addtllen = 35, 190 .max_bits = 19, 191 .max_req = 48, 192 .blocklen_bytes = 20, 193 .cra_name = "hmac_sha1", 194 .backend_cra_name = "hmac(sha1)", 195 }, { 196 .flags = DRBG_HMAC | DRBG_STRENGTH256, 197 .statelen = 48, /* block length of cipher */ 198 .max_addtllen = 35, 199 .max_bits = 19, 200 .max_req = 48, 201 .blocklen_bytes = 48, 202 .cra_name = "hmac_sha384", 203 .backend_cra_name = "hmac(sha384)", 204 }, { 205 .flags = DRBG_HMAC | DRBG_STRENGTH256, 206 .statelen = 64, /* block length of cipher */ 207 .max_addtllen = 35, 208 .max_bits = 19, 209 .max_req = 48, 210 .blocklen_bytes = 64, 211 .cra_name = "hmac_sha512", 212 .backend_cra_name = "hmac(sha512)", 213 }, { 214 .flags = DRBG_HMAC | DRBG_STRENGTH256, 215 .statelen = 32, /* block length of cipher */ 216 .max_addtllen = 35, 217 .max_bits = 19, 218 .max_req = 48, 219 .blocklen_bytes = 32, 220 .cra_name = "hmac_sha256", 221 .backend_cra_name = "hmac(sha256)", 222 }, 223 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 224 }; 225 226 /****************************************************************** 227 * Generic helper functions 228 ******************************************************************/ 229 230 /* 231 * Return strength of DRBG according to SP800-90A section 8.4 232 * 233 * @flags DRBG flags reference 234 * 235 * Return: normalized strength in *bytes* value or 32 as default 236 * to counter programming errors 237 */ 238 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 239 { 240 switch (flags & DRBG_STRENGTH_MASK) { 241 case DRBG_STRENGTH128: 242 return 16; 243 case DRBG_STRENGTH192: 244 return 24; 245 case DRBG_STRENGTH256: 246 return 32; 247 default: 248 return 32; 249 } 250 } 251 252 /* 253 * FIPS 140-2 continuous self test 254 * The test is performed on the result of one round of the output 255 * function. Thus, the function implicitly knows the size of the 256 * buffer. 257 * 258 * The FIPS test can be called in an endless loop until it returns 259 * true. Although the code looks like a potential for a deadlock, it 260 * is not the case, because returning a false cannot mathematically 261 * occur (except once when a reseed took place and the updated state 262 * would is now set up such that the generation of new value returns 263 * an identical one -- this is most unlikely and would happen only once). 264 * Thus, if this function repeatedly returns false and thus would cause 265 * a deadlock, the integrity of the entire kernel is lost. 266 * 267 * @drbg DRBG handle 268 * @buf output buffer of random data to be checked 269 * 270 * return: 271 * true on success 272 * false on error 273 */ 274 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 275 const unsigned char *buf) 276 { 277 #ifdef CONFIG_CRYPTO_FIPS 278 int ret = 0; 279 /* skip test if we test the overall system */ 280 if (drbg->test_data) 281 return true; 282 /* only perform test in FIPS mode */ 283 if (0 == fips_enabled) 284 return true; 285 if (!drbg->fips_primed) { 286 /* Priming of FIPS test */ 287 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 288 drbg->fips_primed = true; 289 /* return false due to priming, i.e. another round is needed */ 290 return false; 291 } 292 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 293 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 294 /* the test shall pass when the two compared values are not equal */ 295 return ret != 0; 296 #else 297 return true; 298 #endif /* CONFIG_CRYPTO_FIPS */ 299 } 300 301 /* 302 * Convert an integer into a byte representation of this integer. 303 * The byte representation is big-endian 304 * 305 * @buf buffer holding the converted integer 306 * @val value to be converted 307 * @buflen length of buffer 308 */ 309 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 310 static inline void drbg_int2byte(unsigned char *buf, uint64_t val, 311 size_t buflen) 312 { 313 unsigned char *byte; 314 uint64_t i; 315 316 byte = buf + (buflen - 1); 317 for (i = 0; i < buflen; i++) 318 *(byte--) = val >> (i * 8) & 0xff; 319 } 320 321 /* 322 * Increment buffer 323 * 324 * @dst buffer to increment 325 * @add value to add 326 */ 327 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 328 const unsigned char *add, size_t addlen) 329 { 330 /* implied: dstlen > addlen */ 331 unsigned char *dstptr; 332 const unsigned char *addptr; 333 unsigned int remainder = 0; 334 size_t len = addlen; 335 336 dstptr = dst + (dstlen-1); 337 addptr = add + (addlen-1); 338 while (len) { 339 remainder += *dstptr + *addptr; 340 *dstptr = remainder & 0xff; 341 remainder >>= 8; 342 len--; dstptr--; addptr--; 343 } 344 len = dstlen - addlen; 345 while (len && remainder > 0) { 346 remainder = *dstptr + 1; 347 *dstptr = remainder & 0xff; 348 remainder >>= 8; 349 len--; dstptr--; 350 } 351 } 352 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 353 354 /****************************************************************** 355 * CTR DRBG callback functions 356 ******************************************************************/ 357 358 #ifdef CONFIG_CRYPTO_DRBG_CTR 359 #define CRYPTO_DRBG_CTR_STRING "CTR " 360 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 361 unsigned char *outval, const struct drbg_string *in); 362 static int drbg_init_sym_kernel(struct drbg_state *drbg); 363 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 364 365 /* BCC function for CTR DRBG as defined in 10.4.3 */ 366 static int drbg_ctr_bcc(struct drbg_state *drbg, 367 unsigned char *out, const unsigned char *key, 368 struct list_head *in) 369 { 370 int ret = 0; 371 struct drbg_string *curr = NULL; 372 struct drbg_string data; 373 short cnt = 0; 374 375 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 376 377 /* 10.4.3 step 1 */ 378 memset(out, 0, drbg_blocklen(drbg)); 379 380 /* 10.4.3 step 2 / 4 */ 381 list_for_each_entry(curr, in, list) { 382 const unsigned char *pos = curr->buf; 383 size_t len = curr->len; 384 /* 10.4.3 step 4.1 */ 385 while (len) { 386 /* 10.4.3 step 4.2 */ 387 if (drbg_blocklen(drbg) == cnt) { 388 cnt = 0; 389 ret = drbg_kcapi_sym(drbg, key, out, &data); 390 if (ret) 391 return ret; 392 } 393 out[cnt] ^= *pos; 394 pos++; 395 cnt++; 396 len--; 397 } 398 } 399 /* 10.4.3 step 4.2 for last block */ 400 if (cnt) 401 ret = drbg_kcapi_sym(drbg, key, out, &data); 402 403 return ret; 404 } 405 406 /* 407 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 408 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 409 * the scratchpad is used as follows: 410 * drbg_ctr_update: 411 * temp 412 * start: drbg->scratchpad 413 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 414 * note: the cipher writing into this variable works 415 * blocklen-wise. Now, when the statelen is not a multiple 416 * of blocklen, the generateion loop below "spills over" 417 * by at most blocklen. Thus, we need to give sufficient 418 * memory. 419 * df_data 420 * start: drbg->scratchpad + 421 * drbg_statelen(drbg) + drbg_blocklen(drbg) 422 * length: drbg_statelen(drbg) 423 * 424 * drbg_ctr_df: 425 * pad 426 * start: df_data + drbg_statelen(drbg) 427 * length: drbg_blocklen(drbg) 428 * iv 429 * start: pad + drbg_blocklen(drbg) 430 * length: drbg_blocklen(drbg) 431 * temp 432 * start: iv + drbg_blocklen(drbg) 433 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 434 * note: temp is the buffer that the BCC function operates 435 * on. BCC operates blockwise. drbg_statelen(drbg) 436 * is sufficient when the DRBG state length is a multiple 437 * of the block size. For AES192 (and maybe other ciphers) 438 * this is not correct and the length for temp is 439 * insufficient (yes, that also means for such ciphers, 440 * the final output of all BCC rounds are truncated). 441 * Therefore, add drbg_blocklen(drbg) to cover all 442 * possibilities. 443 */ 444 445 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 446 static int drbg_ctr_df(struct drbg_state *drbg, 447 unsigned char *df_data, size_t bytes_to_return, 448 struct list_head *seedlist) 449 { 450 int ret = -EFAULT; 451 unsigned char L_N[8]; 452 /* S3 is input */ 453 struct drbg_string S1, S2, S4, cipherin; 454 LIST_HEAD(bcc_list); 455 unsigned char *pad = df_data + drbg_statelen(drbg); 456 unsigned char *iv = pad + drbg_blocklen(drbg); 457 unsigned char *temp = iv + drbg_blocklen(drbg); 458 size_t padlen = 0; 459 unsigned int templen = 0; 460 /* 10.4.2 step 7 */ 461 unsigned int i = 0; 462 /* 10.4.2 step 8 */ 463 const unsigned char *K = (unsigned char *) 464 "\x00\x01\x02\x03\x04\x05\x06\x07" 465 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 466 "\x10\x11\x12\x13\x14\x15\x16\x17" 467 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 468 unsigned char *X; 469 size_t generated_len = 0; 470 size_t inputlen = 0; 471 struct drbg_string *seed = NULL; 472 473 memset(pad, 0, drbg_blocklen(drbg)); 474 memset(iv, 0, drbg_blocklen(drbg)); 475 memset(temp, 0, drbg_statelen(drbg)); 476 477 /* 10.4.2 step 1 is implicit as we work byte-wise */ 478 479 /* 10.4.2 step 2 */ 480 if ((512/8) < bytes_to_return) 481 return -EINVAL; 482 483 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 484 list_for_each_entry(seed, seedlist, list) 485 inputlen += seed->len; 486 drbg_int2byte(&L_N[0], inputlen, 4); 487 488 /* 10.4.2 step 3 */ 489 drbg_int2byte(&L_N[4], bytes_to_return, 4); 490 491 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 492 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 493 /* wrap the padlen appropriately */ 494 if (padlen) 495 padlen = drbg_blocklen(drbg) - padlen; 496 /* 497 * pad / padlen contains the 0x80 byte and the following zero bytes. 498 * As the calculated padlen value only covers the number of zero 499 * bytes, this value has to be incremented by one for the 0x80 byte. 500 */ 501 padlen++; 502 pad[0] = 0x80; 503 504 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 505 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 506 list_add_tail(&S1.list, &bcc_list); 507 drbg_string_fill(&S2, L_N, sizeof(L_N)); 508 list_add_tail(&S2.list, &bcc_list); 509 list_splice_tail(seedlist, &bcc_list); 510 drbg_string_fill(&S4, pad, padlen); 511 list_add_tail(&S4.list, &bcc_list); 512 513 /* 10.4.2 step 9 */ 514 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 515 /* 516 * 10.4.2 step 9.1 - the padding is implicit as the buffer 517 * holds zeros after allocation -- even the increment of i 518 * is irrelevant as the increment remains within length of i 519 */ 520 drbg_int2byte(iv, i, 4); 521 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 522 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 523 if (ret) 524 goto out; 525 /* 10.4.2 step 9.3 */ 526 i++; 527 templen += drbg_blocklen(drbg); 528 } 529 530 /* 10.4.2 step 11 */ 531 X = temp + (drbg_keylen(drbg)); 532 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 533 534 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 535 536 /* 10.4.2 step 13 */ 537 while (generated_len < bytes_to_return) { 538 short blocklen = 0; 539 /* 540 * 10.4.2 step 13.1: the truncation of the key length is 541 * implicit as the key is only drbg_blocklen in size based on 542 * the implementation of the cipher function callback 543 */ 544 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 545 if (ret) 546 goto out; 547 blocklen = (drbg_blocklen(drbg) < 548 (bytes_to_return - generated_len)) ? 549 drbg_blocklen(drbg) : 550 (bytes_to_return - generated_len); 551 /* 10.4.2 step 13.2 and 14 */ 552 memcpy(df_data + generated_len, X, blocklen); 553 generated_len += blocklen; 554 } 555 556 ret = 0; 557 558 out: 559 memset(iv, 0, drbg_blocklen(drbg)); 560 memset(temp, 0, drbg_statelen(drbg)); 561 memset(pad, 0, drbg_blocklen(drbg)); 562 return ret; 563 } 564 565 /* 566 * update function of CTR DRBG as defined in 10.2.1.2 567 * 568 * The reseed variable has an enhanced meaning compared to the update 569 * functions of the other DRBGs as follows: 570 * 0 => initial seed from initialization 571 * 1 => reseed via drbg_seed 572 * 2 => first invocation from drbg_ctr_update when addtl is present. In 573 * this case, the df_data scratchpad is not deleted so that it is 574 * available for another calls to prevent calling the DF function 575 * again. 576 * 3 => second invocation from drbg_ctr_update. When the update function 577 * was called with addtl, the df_data memory already contains the 578 * DFed addtl information and we do not need to call DF again. 579 */ 580 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 581 int reseed) 582 { 583 int ret = -EFAULT; 584 /* 10.2.1.2 step 1 */ 585 unsigned char *temp = drbg->scratchpad; 586 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 587 drbg_blocklen(drbg); 588 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 589 unsigned int len = 0; 590 struct drbg_string cipherin; 591 unsigned char prefix = DRBG_PREFIX1; 592 593 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 594 if (3 > reseed) 595 memset(df_data, 0, drbg_statelen(drbg)); 596 597 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 598 if (seed) { 599 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 600 if (ret) 601 goto out; 602 } 603 604 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 605 /* 606 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 607 * zeroizes all memory during initialization 608 */ 609 while (len < (drbg_statelen(drbg))) { 610 /* 10.2.1.2 step 2.1 */ 611 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 612 /* 613 * 10.2.1.2 step 2.2 */ 614 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 615 if (ret) 616 goto out; 617 /* 10.2.1.2 step 2.3 and 3 */ 618 len += drbg_blocklen(drbg); 619 } 620 621 /* 10.2.1.2 step 4 */ 622 temp_p = temp; 623 df_data_p = df_data; 624 for (len = 0; len < drbg_statelen(drbg); len++) { 625 *temp_p ^= *df_data_p; 626 df_data_p++; temp_p++; 627 } 628 629 /* 10.2.1.2 step 5 */ 630 memcpy(drbg->C, temp, drbg_keylen(drbg)); 631 /* 10.2.1.2 step 6 */ 632 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 633 ret = 0; 634 635 out: 636 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 637 if (2 != reseed) 638 memset(df_data, 0, drbg_statelen(drbg)); 639 return ret; 640 } 641 642 /* 643 * scratchpad use: drbg_ctr_update is called independently from 644 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 645 */ 646 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 647 static int drbg_ctr_generate(struct drbg_state *drbg, 648 unsigned char *buf, unsigned int buflen, 649 struct list_head *addtl) 650 { 651 int len = 0; 652 int ret = 0; 653 struct drbg_string data; 654 unsigned char prefix = DRBG_PREFIX1; 655 656 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 657 658 /* 10.2.1.5.2 step 2 */ 659 if (addtl && !list_empty(addtl)) { 660 ret = drbg_ctr_update(drbg, addtl, 2); 661 if (ret) 662 return 0; 663 } 664 665 /* 10.2.1.5.2 step 4.1 */ 666 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 667 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 668 while (len < buflen) { 669 int outlen = 0; 670 /* 10.2.1.5.2 step 4.2 */ 671 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 672 if (ret) { 673 len = ret; 674 goto out; 675 } 676 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 677 drbg_blocklen(drbg) : (buflen - len); 678 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 679 /* 10.2.1.5.2 step 6 */ 680 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 681 continue; 682 } 683 /* 10.2.1.5.2 step 4.3 */ 684 memcpy(buf + len, drbg->scratchpad, outlen); 685 len += outlen; 686 /* 10.2.1.5.2 step 6 */ 687 if (len < buflen) 688 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 689 } 690 691 /* 10.2.1.5.2 step 6 */ 692 ret = drbg_ctr_update(drbg, NULL, 3); 693 if (ret) 694 len = ret; 695 696 out: 697 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 698 return len; 699 } 700 701 static struct drbg_state_ops drbg_ctr_ops = { 702 .update = drbg_ctr_update, 703 .generate = drbg_ctr_generate, 704 .crypto_init = drbg_init_sym_kernel, 705 .crypto_fini = drbg_fini_sym_kernel, 706 }; 707 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 708 709 /****************************************************************** 710 * HMAC DRBG callback functions 711 ******************************************************************/ 712 713 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 714 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 715 unsigned char *outval, const struct list_head *in); 716 static int drbg_init_hash_kernel(struct drbg_state *drbg); 717 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 718 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 719 720 #ifdef CONFIG_CRYPTO_DRBG_HMAC 721 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 722 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 723 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 724 int reseed) 725 { 726 int ret = -EFAULT; 727 int i = 0; 728 struct drbg_string seed1, seed2, vdata; 729 LIST_HEAD(seedlist); 730 LIST_HEAD(vdatalist); 731 732 if (!reseed) { 733 /* 10.1.2.3 step 2 */ 734 memset(drbg->C, 0, drbg_statelen(drbg)); 735 memset(drbg->V, 1, drbg_statelen(drbg)); 736 } 737 738 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 739 list_add_tail(&seed1.list, &seedlist); 740 /* buffer of seed2 will be filled in for loop below with one byte */ 741 drbg_string_fill(&seed2, NULL, 1); 742 list_add_tail(&seed2.list, &seedlist); 743 /* input data of seed is allowed to be NULL at this point */ 744 if (seed) 745 list_splice_tail(seed, &seedlist); 746 747 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 748 list_add_tail(&vdata.list, &vdatalist); 749 for (i = 2; 0 < i; i--) { 750 /* first round uses 0x0, second 0x1 */ 751 unsigned char prefix = DRBG_PREFIX0; 752 if (1 == i) 753 prefix = DRBG_PREFIX1; 754 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 755 seed2.buf = &prefix; 756 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 757 if (ret) 758 return ret; 759 760 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 761 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 762 if (ret) 763 return ret; 764 765 /* 10.1.2.2 step 3 */ 766 if (!seed) 767 return ret; 768 } 769 770 return 0; 771 } 772 773 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 774 static int drbg_hmac_generate(struct drbg_state *drbg, 775 unsigned char *buf, 776 unsigned int buflen, 777 struct list_head *addtl) 778 { 779 int len = 0; 780 int ret = 0; 781 struct drbg_string data; 782 LIST_HEAD(datalist); 783 784 /* 10.1.2.5 step 2 */ 785 if (addtl && !list_empty(addtl)) { 786 ret = drbg_hmac_update(drbg, addtl, 1); 787 if (ret) 788 return ret; 789 } 790 791 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 792 list_add_tail(&data.list, &datalist); 793 while (len < buflen) { 794 unsigned int outlen = 0; 795 /* 10.1.2.5 step 4.1 */ 796 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 797 if (ret) 798 return ret; 799 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 800 drbg_blocklen(drbg) : (buflen - len); 801 if (!drbg_fips_continuous_test(drbg, drbg->V)) 802 continue; 803 804 /* 10.1.2.5 step 4.2 */ 805 memcpy(buf + len, drbg->V, outlen); 806 len += outlen; 807 } 808 809 /* 10.1.2.5 step 6 */ 810 if (addtl && !list_empty(addtl)) 811 ret = drbg_hmac_update(drbg, addtl, 1); 812 else 813 ret = drbg_hmac_update(drbg, NULL, 1); 814 if (ret) 815 return ret; 816 817 return len; 818 } 819 820 static struct drbg_state_ops drbg_hmac_ops = { 821 .update = drbg_hmac_update, 822 .generate = drbg_hmac_generate, 823 .crypto_init = drbg_init_hash_kernel, 824 .crypto_fini = drbg_fini_hash_kernel, 825 826 }; 827 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 828 829 /****************************************************************** 830 * Hash DRBG callback functions 831 ******************************************************************/ 832 833 #ifdef CONFIG_CRYPTO_DRBG_HASH 834 #define CRYPTO_DRBG_HASH_STRING "HASH " 835 /* 836 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 837 * interlinked, the scratchpad is used as follows: 838 * drbg_hash_update 839 * start: drbg->scratchpad 840 * length: drbg_statelen(drbg) 841 * drbg_hash_df: 842 * start: drbg->scratchpad + drbg_statelen(drbg) 843 * length: drbg_blocklen(drbg) 844 * 845 * drbg_hash_process_addtl uses the scratchpad, but fully completes 846 * before either of the functions mentioned before are invoked. Therefore, 847 * drbg_hash_process_addtl does not need to be specifically considered. 848 */ 849 850 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 851 static int drbg_hash_df(struct drbg_state *drbg, 852 unsigned char *outval, size_t outlen, 853 struct list_head *entropylist) 854 { 855 int ret = 0; 856 size_t len = 0; 857 unsigned char input[5]; 858 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 859 struct drbg_string data; 860 861 memset(tmp, 0, drbg_blocklen(drbg)); 862 863 /* 10.4.1 step 3 */ 864 input[0] = 1; 865 drbg_int2byte(&input[1], (outlen * 8), 4); 866 867 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 868 drbg_string_fill(&data, input, 5); 869 list_add(&data.list, entropylist); 870 871 /* 10.4.1 step 4 */ 872 while (len < outlen) { 873 short blocklen = 0; 874 /* 10.4.1 step 4.1 */ 875 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 876 if (ret) 877 goto out; 878 /* 10.4.1 step 4.2 */ 879 input[0]++; 880 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 881 drbg_blocklen(drbg) : (outlen - len); 882 memcpy(outval + len, tmp, blocklen); 883 len += blocklen; 884 } 885 886 out: 887 memset(tmp, 0, drbg_blocklen(drbg)); 888 return ret; 889 } 890 891 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 892 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 893 int reseed) 894 { 895 int ret = 0; 896 struct drbg_string data1, data2; 897 LIST_HEAD(datalist); 898 LIST_HEAD(datalist2); 899 unsigned char *V = drbg->scratchpad; 900 unsigned char prefix = DRBG_PREFIX1; 901 902 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 903 if (!seed) 904 return -EINVAL; 905 906 if (reseed) { 907 /* 10.1.1.3 step 1 */ 908 memcpy(V, drbg->V, drbg_statelen(drbg)); 909 drbg_string_fill(&data1, &prefix, 1); 910 list_add_tail(&data1.list, &datalist); 911 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 912 list_add_tail(&data2.list, &datalist); 913 } 914 list_splice_tail(seed, &datalist); 915 916 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 917 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 918 if (ret) 919 goto out; 920 921 /* 10.1.1.2 / 10.1.1.3 step 4 */ 922 prefix = DRBG_PREFIX0; 923 drbg_string_fill(&data1, &prefix, 1); 924 list_add_tail(&data1.list, &datalist2); 925 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 926 list_add_tail(&data2.list, &datalist2); 927 /* 10.1.1.2 / 10.1.1.3 step 4 */ 928 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 929 930 out: 931 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 932 return ret; 933 } 934 935 /* processing of additional information string for Hash DRBG */ 936 static int drbg_hash_process_addtl(struct drbg_state *drbg, 937 struct list_head *addtl) 938 { 939 int ret = 0; 940 struct drbg_string data1, data2; 941 LIST_HEAD(datalist); 942 unsigned char prefix = DRBG_PREFIX2; 943 944 /* this is value w as per documentation */ 945 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 946 947 /* 10.1.1.4 step 2 */ 948 if (!addtl || list_empty(addtl)) 949 return 0; 950 951 /* 10.1.1.4 step 2a */ 952 drbg_string_fill(&data1, &prefix, 1); 953 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 954 list_add_tail(&data1.list, &datalist); 955 list_add_tail(&data2.list, &datalist); 956 list_splice_tail(addtl, &datalist); 957 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 958 if (ret) 959 goto out; 960 961 /* 10.1.1.4 step 2b */ 962 drbg_add_buf(drbg->V, drbg_statelen(drbg), 963 drbg->scratchpad, drbg_blocklen(drbg)); 964 965 out: 966 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 967 return ret; 968 } 969 970 /* Hashgen defined in 10.1.1.4 */ 971 static int drbg_hash_hashgen(struct drbg_state *drbg, 972 unsigned char *buf, 973 unsigned int buflen) 974 { 975 int len = 0; 976 int ret = 0; 977 unsigned char *src = drbg->scratchpad; 978 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 979 struct drbg_string data; 980 LIST_HEAD(datalist); 981 unsigned char prefix = DRBG_PREFIX1; 982 983 memset(src, 0, drbg_statelen(drbg)); 984 memset(dst, 0, drbg_blocklen(drbg)); 985 986 /* 10.1.1.4 step hashgen 2 */ 987 memcpy(src, drbg->V, drbg_statelen(drbg)); 988 989 drbg_string_fill(&data, src, drbg_statelen(drbg)); 990 list_add_tail(&data.list, &datalist); 991 while (len < buflen) { 992 unsigned int outlen = 0; 993 /* 10.1.1.4 step hashgen 4.1 */ 994 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 995 if (ret) { 996 len = ret; 997 goto out; 998 } 999 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 1000 drbg_blocklen(drbg) : (buflen - len); 1001 if (!drbg_fips_continuous_test(drbg, dst)) { 1002 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); 1003 continue; 1004 } 1005 /* 10.1.1.4 step hashgen 4.2 */ 1006 memcpy(buf + len, dst, outlen); 1007 len += outlen; 1008 /* 10.1.1.4 hashgen step 4.3 */ 1009 if (len < buflen) 1010 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); 1011 } 1012 1013 out: 1014 memset(drbg->scratchpad, 0, 1015 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 1016 return len; 1017 } 1018 1019 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 1020 static int drbg_hash_generate(struct drbg_state *drbg, 1021 unsigned char *buf, unsigned int buflen, 1022 struct list_head *addtl) 1023 { 1024 int len = 0; 1025 int ret = 0; 1026 unsigned char req[8]; 1027 unsigned char prefix = DRBG_PREFIX3; 1028 struct drbg_string data1, data2; 1029 LIST_HEAD(datalist); 1030 1031 /* 10.1.1.4 step 2 */ 1032 ret = drbg_hash_process_addtl(drbg, addtl); 1033 if (ret) 1034 return ret; 1035 /* 10.1.1.4 step 3 */ 1036 len = drbg_hash_hashgen(drbg, buf, buflen); 1037 1038 /* this is the value H as documented in 10.1.1.4 */ 1039 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1040 /* 10.1.1.4 step 4 */ 1041 drbg_string_fill(&data1, &prefix, 1); 1042 list_add_tail(&data1.list, &datalist); 1043 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1044 list_add_tail(&data2.list, &datalist); 1045 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1046 if (ret) { 1047 len = ret; 1048 goto out; 1049 } 1050 1051 /* 10.1.1.4 step 5 */ 1052 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1053 drbg->scratchpad, drbg_blocklen(drbg)); 1054 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1055 drbg->C, drbg_statelen(drbg)); 1056 drbg_int2byte(req, drbg->reseed_ctr, sizeof(req)); 1057 drbg_add_buf(drbg->V, drbg_statelen(drbg), req, 8); 1058 1059 out: 1060 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1061 return len; 1062 } 1063 1064 /* 1065 * scratchpad usage: as update and generate are used isolated, both 1066 * can use the scratchpad 1067 */ 1068 static struct drbg_state_ops drbg_hash_ops = { 1069 .update = drbg_hash_update, 1070 .generate = drbg_hash_generate, 1071 .crypto_init = drbg_init_hash_kernel, 1072 .crypto_fini = drbg_fini_hash_kernel, 1073 }; 1074 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1075 1076 /****************************************************************** 1077 * Functions common for DRBG implementations 1078 ******************************************************************/ 1079 1080 /* 1081 * Seeding or reseeding of the DRBG 1082 * 1083 * @drbg: DRBG state struct 1084 * @pers: personalization / additional information buffer 1085 * @reseed: 0 for initial seed process, 1 for reseeding 1086 * 1087 * return: 1088 * 0 on success 1089 * error value otherwise 1090 */ 1091 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1092 bool reseed) 1093 { 1094 int ret = 0; 1095 unsigned char *entropy = NULL; 1096 size_t entropylen = 0; 1097 struct drbg_string data1; 1098 LIST_HEAD(seedlist); 1099 1100 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1101 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1102 pr_devel("DRBG: personalization string too long %zu\n", 1103 pers->len); 1104 return -EINVAL; 1105 } 1106 1107 if (drbg->test_data && drbg->test_data->testentropy) { 1108 drbg_string_fill(&data1, drbg->test_data->testentropy->buf, 1109 drbg->test_data->testentropy->len); 1110 pr_devel("DRBG: using test entropy\n"); 1111 } else { 1112 /* 1113 * Gather entropy equal to the security strength of the DRBG. 1114 * With a derivation function, a nonce is required in addition 1115 * to the entropy. A nonce must be at least 1/2 of the security 1116 * strength of the DRBG in size. Thus, entropy * nonce is 3/2 1117 * of the strength. The consideration of a nonce is only 1118 * applicable during initial seeding. 1119 */ 1120 entropylen = drbg_sec_strength(drbg->core->flags); 1121 if (!entropylen) 1122 return -EFAULT; 1123 if (!reseed) 1124 entropylen = ((entropylen + 1) / 2) * 3; 1125 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", 1126 entropylen); 1127 entropy = kzalloc(entropylen, GFP_KERNEL); 1128 if (!entropy) 1129 return -ENOMEM; 1130 get_random_bytes(entropy, entropylen); 1131 drbg_string_fill(&data1, entropy, entropylen); 1132 } 1133 list_add_tail(&data1.list, &seedlist); 1134 1135 /* 1136 * concatenation of entropy with personalization str / addtl input) 1137 * the variable pers is directly handed in by the caller, so check its 1138 * contents whether it is appropriate 1139 */ 1140 if (pers && pers->buf && 0 < pers->len) { 1141 list_add_tail(&pers->list, &seedlist); 1142 pr_devel("DRBG: using personalization string\n"); 1143 } 1144 1145 ret = drbg->d_ops->update(drbg, &seedlist, reseed); 1146 if (ret) 1147 goto out; 1148 1149 drbg->seeded = true; 1150 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1151 drbg->reseed_ctr = 1; 1152 1153 out: 1154 if (entropy) 1155 kzfree(entropy); 1156 return ret; 1157 } 1158 1159 /* Free all substructures in a DRBG state without the DRBG state structure */ 1160 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1161 { 1162 if (!drbg) 1163 return; 1164 if (drbg->V) 1165 kzfree(drbg->V); 1166 drbg->V = NULL; 1167 if (drbg->C) 1168 kzfree(drbg->C); 1169 drbg->C = NULL; 1170 if (drbg->scratchpad) 1171 kzfree(drbg->scratchpad); 1172 drbg->scratchpad = NULL; 1173 drbg->reseed_ctr = 0; 1174 #ifdef CONFIG_CRYPTO_FIPS 1175 if (drbg->prev) 1176 kzfree(drbg->prev); 1177 drbg->prev = NULL; 1178 drbg->fips_primed = false; 1179 #endif 1180 } 1181 1182 /* 1183 * Allocate all sub-structures for a DRBG state. 1184 * The DRBG state structure must already be allocated. 1185 */ 1186 static inline int drbg_alloc_state(struct drbg_state *drbg) 1187 { 1188 int ret = -ENOMEM; 1189 unsigned int sb_size = 0; 1190 1191 if (!drbg) 1192 return -EINVAL; 1193 1194 drbg->V = kzalloc(drbg_statelen(drbg), GFP_KERNEL); 1195 if (!drbg->V) 1196 goto err; 1197 drbg->C = kzalloc(drbg_statelen(drbg), GFP_KERNEL); 1198 if (!drbg->C) 1199 goto err; 1200 #ifdef CONFIG_CRYPTO_FIPS 1201 drbg->prev = kzalloc(drbg_blocklen(drbg), GFP_KERNEL); 1202 if (!drbg->prev) 1203 goto err; 1204 drbg->fips_primed = false; 1205 #endif 1206 /* scratchpad is only generated for CTR and Hash */ 1207 if (drbg->core->flags & DRBG_HMAC) 1208 sb_size = 0; 1209 else if (drbg->core->flags & DRBG_CTR) 1210 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1211 drbg_statelen(drbg) + /* df_data */ 1212 drbg_blocklen(drbg) + /* pad */ 1213 drbg_blocklen(drbg) + /* iv */ 1214 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1215 else 1216 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1217 1218 if (0 < sb_size) { 1219 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1220 if (!drbg->scratchpad) 1221 goto err; 1222 } 1223 spin_lock_init(&drbg->drbg_lock); 1224 return 0; 1225 1226 err: 1227 drbg_dealloc_state(drbg); 1228 return ret; 1229 } 1230 1231 /* 1232 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG 1233 * and perform all operations on this shadow copy. After finishing, restore 1234 * the updated state of the shadow copy into original drbg state. This way, 1235 * only the read and write operations of the original drbg state must be 1236 * locked 1237 */ 1238 static inline void drbg_copy_drbg(struct drbg_state *src, 1239 struct drbg_state *dst) 1240 { 1241 if (!src || !dst) 1242 return; 1243 memcpy(dst->V, src->V, drbg_statelen(src)); 1244 memcpy(dst->C, src->C, drbg_statelen(src)); 1245 dst->reseed_ctr = src->reseed_ctr; 1246 dst->seeded = src->seeded; 1247 dst->pr = src->pr; 1248 #ifdef CONFIG_CRYPTO_FIPS 1249 dst->fips_primed = src->fips_primed; 1250 memcpy(dst->prev, src->prev, drbg_blocklen(src)); 1251 #endif 1252 /* 1253 * Not copied: 1254 * scratchpad is initialized drbg_alloc_state; 1255 * priv_data is initialized with call to crypto_init; 1256 * d_ops and core are set outside, as these parameters are const; 1257 * test_data is set outside to prevent it being copied back. 1258 */ 1259 } 1260 1261 static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) 1262 { 1263 int ret = -ENOMEM; 1264 struct drbg_state *tmp = NULL; 1265 1266 if (!drbg || !drbg->core || !drbg->V || !drbg->C) { 1267 pr_devel("DRBG: attempt to generate shadow copy for " 1268 "uninitialized DRBG state rejected\n"); 1269 return -EINVAL; 1270 } 1271 /* HMAC does not have a scratchpad */ 1272 if (!(drbg->core->flags & DRBG_HMAC) && NULL == drbg->scratchpad) 1273 return -EINVAL; 1274 1275 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1276 if (!tmp) 1277 return -ENOMEM; 1278 1279 /* read-only data as they are defined as const, no lock needed */ 1280 tmp->core = drbg->core; 1281 tmp->d_ops = drbg->d_ops; 1282 1283 ret = drbg_alloc_state(tmp); 1284 if (ret) 1285 goto err; 1286 1287 spin_lock_bh(&drbg->drbg_lock); 1288 drbg_copy_drbg(drbg, tmp); 1289 /* only make a link to the test buffer, as we only read that data */ 1290 tmp->test_data = drbg->test_data; 1291 spin_unlock_bh(&drbg->drbg_lock); 1292 *shadow = tmp; 1293 return 0; 1294 1295 err: 1296 if (tmp) 1297 kzfree(tmp); 1298 return ret; 1299 } 1300 1301 static void drbg_restore_shadow(struct drbg_state *drbg, 1302 struct drbg_state **shadow) 1303 { 1304 struct drbg_state *tmp = *shadow; 1305 1306 spin_lock_bh(&drbg->drbg_lock); 1307 drbg_copy_drbg(tmp, drbg); 1308 spin_unlock_bh(&drbg->drbg_lock); 1309 drbg_dealloc_state(tmp); 1310 kzfree(tmp); 1311 *shadow = NULL; 1312 } 1313 1314 /************************************************************************* 1315 * DRBG interface functions 1316 *************************************************************************/ 1317 1318 /* 1319 * DRBG generate function as required by SP800-90A - this function 1320 * generates random numbers 1321 * 1322 * @drbg DRBG state handle 1323 * @buf Buffer where to store the random numbers -- the buffer must already 1324 * be pre-allocated by caller 1325 * @buflen Length of output buffer - this value defines the number of random 1326 * bytes pulled from DRBG 1327 * @addtl Additional input that is mixed into state, may be NULL -- note 1328 * the entropy is pulled by the DRBG internally unconditionally 1329 * as defined in SP800-90A. The additional input is mixed into 1330 * the state in addition to the pulled entropy. 1331 * 1332 * return: generated number of bytes 1333 */ 1334 static int drbg_generate(struct drbg_state *drbg, 1335 unsigned char *buf, unsigned int buflen, 1336 struct drbg_string *addtl) 1337 { 1338 int len = 0; 1339 struct drbg_state *shadow = NULL; 1340 LIST_HEAD(addtllist); 1341 struct drbg_string timestamp; 1342 union { 1343 cycles_t cycles; 1344 unsigned char char_cycles[sizeof(cycles_t)]; 1345 } now; 1346 1347 if (0 == buflen || !buf) { 1348 pr_devel("DRBG: no output buffer provided\n"); 1349 return -EINVAL; 1350 } 1351 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1352 pr_devel("DRBG: wrong format of additional information\n"); 1353 return -EINVAL; 1354 } 1355 1356 len = drbg_make_shadow(drbg, &shadow); 1357 if (len) { 1358 pr_devel("DRBG: shadow copy cannot be generated\n"); 1359 return len; 1360 } 1361 1362 /* 9.3.1 step 2 */ 1363 len = -EINVAL; 1364 if (buflen > (drbg_max_request_bytes(shadow))) { 1365 pr_devel("DRBG: requested random numbers too large %u\n", 1366 buflen); 1367 goto err; 1368 } 1369 1370 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1371 1372 /* 9.3.1 step 4 */ 1373 if (addtl && addtl->len > (drbg_max_addtl(shadow))) { 1374 pr_devel("DRBG: additional information string too long %zu\n", 1375 addtl->len); 1376 goto err; 1377 } 1378 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1379 1380 /* 1381 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1382 * here. The spec is a bit convoluted here, we make it simpler. 1383 */ 1384 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) 1385 shadow->seeded = false; 1386 1387 /* allocate cipher handle */ 1388 if (shadow->d_ops->crypto_init) { 1389 len = shadow->d_ops->crypto_init(shadow); 1390 if (len) 1391 goto err; 1392 } 1393 1394 if (shadow->pr || !shadow->seeded) { 1395 pr_devel("DRBG: reseeding before generation (prediction " 1396 "resistance: %s, state %s)\n", 1397 drbg->pr ? "true" : "false", 1398 drbg->seeded ? "seeded" : "unseeded"); 1399 /* 9.3.1 steps 7.1 through 7.3 */ 1400 len = drbg_seed(shadow, addtl, true); 1401 if (len) 1402 goto err; 1403 /* 9.3.1 step 7.4 */ 1404 addtl = NULL; 1405 } 1406 1407 /* 1408 * Mix the time stamp into the DRBG state if the DRBG is not in 1409 * test mode. If there are two callers invoking the DRBG at the same 1410 * time, i.e. before the first caller merges its shadow state back, 1411 * both callers would obtain the same random number stream without 1412 * changing the state here. 1413 */ 1414 if (!drbg->test_data) { 1415 now.cycles = random_get_entropy(); 1416 drbg_string_fill(×tamp, now.char_cycles, sizeof(cycles_t)); 1417 list_add_tail(×tamp.list, &addtllist); 1418 } 1419 if (addtl && 0 < addtl->len) 1420 list_add_tail(&addtl->list, &addtllist); 1421 /* 9.3.1 step 8 and 10 */ 1422 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist); 1423 1424 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1425 shadow->reseed_ctr++; 1426 if (0 >= len) 1427 goto err; 1428 1429 /* 1430 * Section 11.3.3 requires to re-perform self tests after some 1431 * generated random numbers. The chosen value after which self 1432 * test is performed is arbitrary, but it should be reasonable. 1433 * However, we do not perform the self tests because of the following 1434 * reasons: it is mathematically impossible that the initial self tests 1435 * were successfully and the following are not. If the initial would 1436 * pass and the following would not, the kernel integrity is violated. 1437 * In this case, the entire kernel operation is questionable and it 1438 * is unlikely that the integrity violation only affects the 1439 * correct operation of the DRBG. 1440 * 1441 * Albeit the following code is commented out, it is provided in 1442 * case somebody has a need to implement the test of 11.3.3. 1443 */ 1444 #if 0 1445 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { 1446 int err = 0; 1447 pr_devel("DRBG: start to perform self test\n"); 1448 if (drbg->core->flags & DRBG_HMAC) 1449 err = alg_test("drbg_pr_hmac_sha256", 1450 "drbg_pr_hmac_sha256", 0, 0); 1451 else if (drbg->core->flags & DRBG_CTR) 1452 err = alg_test("drbg_pr_ctr_aes128", 1453 "drbg_pr_ctr_aes128", 0, 0); 1454 else 1455 err = alg_test("drbg_pr_sha256", 1456 "drbg_pr_sha256", 0, 0); 1457 if (err) { 1458 pr_err("DRBG: periodical self test failed\n"); 1459 /* 1460 * uninstantiate implies that from now on, only errors 1461 * are returned when reusing this DRBG cipher handle 1462 */ 1463 drbg_uninstantiate(drbg); 1464 drbg_dealloc_state(shadow); 1465 kzfree(shadow); 1466 return 0; 1467 } else { 1468 pr_devel("DRBG: self test successful\n"); 1469 } 1470 } 1471 #endif 1472 1473 err: 1474 if (shadow->d_ops->crypto_fini) 1475 shadow->d_ops->crypto_fini(shadow); 1476 drbg_restore_shadow(drbg, &shadow); 1477 return len; 1478 } 1479 1480 /* 1481 * Wrapper around drbg_generate which can pull arbitrary long strings 1482 * from the DRBG without hitting the maximum request limitation. 1483 * 1484 * Parameters: see drbg_generate 1485 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1486 * the entire drbg_generate_long request fails 1487 */ 1488 static int drbg_generate_long(struct drbg_state *drbg, 1489 unsigned char *buf, unsigned int buflen, 1490 struct drbg_string *addtl) 1491 { 1492 int len = 0; 1493 unsigned int slice = 0; 1494 do { 1495 int tmplen = 0; 1496 unsigned int chunk = 0; 1497 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1498 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1499 tmplen = drbg_generate(drbg, buf + len, chunk, addtl); 1500 if (0 >= tmplen) 1501 return tmplen; 1502 len += tmplen; 1503 } while (slice > 0 && (len < buflen)); 1504 return len; 1505 } 1506 1507 /* 1508 * DRBG instantiation function as required by SP800-90A - this function 1509 * sets up the DRBG handle, performs the initial seeding and all sanity 1510 * checks required by SP800-90A 1511 * 1512 * @drbg memory of state -- if NULL, new memory is allocated 1513 * @pers Personalization string that is mixed into state, may be NULL -- note 1514 * the entropy is pulled by the DRBG internally unconditionally 1515 * as defined in SP800-90A. The additional input is mixed into 1516 * the state in addition to the pulled entropy. 1517 * @coreref reference to core 1518 * @pr prediction resistance enabled 1519 * 1520 * return 1521 * 0 on success 1522 * error value otherwise 1523 */ 1524 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1525 int coreref, bool pr) 1526 { 1527 int ret = -ENOMEM; 1528 1529 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1530 "%s\n", coreref, pr ? "enabled" : "disabled"); 1531 drbg->core = &drbg_cores[coreref]; 1532 drbg->pr = pr; 1533 drbg->seeded = false; 1534 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1535 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1536 case DRBG_HMAC: 1537 drbg->d_ops = &drbg_hmac_ops; 1538 break; 1539 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1540 #ifdef CONFIG_CRYPTO_DRBG_HASH 1541 case DRBG_HASH: 1542 drbg->d_ops = &drbg_hash_ops; 1543 break; 1544 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1545 #ifdef CONFIG_CRYPTO_DRBG_CTR 1546 case DRBG_CTR: 1547 drbg->d_ops = &drbg_ctr_ops; 1548 break; 1549 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1550 default: 1551 return -EOPNOTSUPP; 1552 } 1553 1554 /* 9.1 step 1 is implicit with the selected DRBG type */ 1555 1556 /* 1557 * 9.1 step 2 is implicit as caller can select prediction resistance 1558 * and the flag is copied into drbg->flags -- 1559 * all DRBG types support prediction resistance 1560 */ 1561 1562 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1563 1564 ret = drbg_alloc_state(drbg); 1565 if (ret) 1566 return ret; 1567 1568 ret = -EFAULT; 1569 if (drbg->d_ops->crypto_init && drbg->d_ops->crypto_init(drbg)) 1570 goto err; 1571 ret = drbg_seed(drbg, pers, false); 1572 if (drbg->d_ops->crypto_fini) 1573 drbg->d_ops->crypto_fini(drbg); 1574 if (ret) 1575 goto err; 1576 1577 return 0; 1578 1579 err: 1580 drbg_dealloc_state(drbg); 1581 return ret; 1582 } 1583 1584 /* 1585 * DRBG uninstantiate function as required by SP800-90A - this function 1586 * frees all buffers and the DRBG handle 1587 * 1588 * @drbg DRBG state handle 1589 * 1590 * return 1591 * 0 on success 1592 */ 1593 static int drbg_uninstantiate(struct drbg_state *drbg) 1594 { 1595 spin_lock_bh(&drbg->drbg_lock); 1596 drbg_dealloc_state(drbg); 1597 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1598 spin_unlock_bh(&drbg->drbg_lock); 1599 return 0; 1600 } 1601 1602 /* 1603 * Helper function for setting the test data in the DRBG 1604 * 1605 * @drbg DRBG state handle 1606 * @test_data test data to sets 1607 */ 1608 static inline void drbg_set_testdata(struct drbg_state *drbg, 1609 struct drbg_test_data *test_data) 1610 { 1611 if (!test_data || !test_data->testentropy) 1612 return; 1613 spin_lock_bh(&drbg->drbg_lock); 1614 drbg->test_data = test_data; 1615 spin_unlock_bh(&drbg->drbg_lock); 1616 } 1617 1618 /*************************************************************** 1619 * Kernel crypto API cipher invocations requested by DRBG 1620 ***************************************************************/ 1621 1622 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1623 struct sdesc { 1624 struct shash_desc shash; 1625 char ctx[]; 1626 }; 1627 1628 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1629 { 1630 struct sdesc *sdesc; 1631 struct crypto_shash *tfm; 1632 1633 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1634 if (IS_ERR(tfm)) { 1635 pr_info("DRBG: could not allocate digest TFM handle\n"); 1636 return PTR_ERR(tfm); 1637 } 1638 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1639 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1640 GFP_KERNEL); 1641 if (!sdesc) { 1642 crypto_free_shash(tfm); 1643 return -ENOMEM; 1644 } 1645 1646 sdesc->shash.tfm = tfm; 1647 sdesc->shash.flags = 0; 1648 drbg->priv_data = sdesc; 1649 return 0; 1650 } 1651 1652 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1653 { 1654 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1655 if (sdesc) { 1656 crypto_free_shash(sdesc->shash.tfm); 1657 kzfree(sdesc); 1658 } 1659 drbg->priv_data = NULL; 1660 return 0; 1661 } 1662 1663 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1664 unsigned char *outval, const struct list_head *in) 1665 { 1666 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1667 struct drbg_string *input = NULL; 1668 1669 if (key) 1670 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1671 crypto_shash_init(&sdesc->shash); 1672 list_for_each_entry(input, in, list) 1673 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1674 return crypto_shash_final(&sdesc->shash, outval); 1675 } 1676 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1677 1678 #ifdef CONFIG_CRYPTO_DRBG_CTR 1679 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1680 { 1681 int ret = 0; 1682 struct crypto_blkcipher *tfm; 1683 1684 tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0); 1685 if (IS_ERR(tfm)) { 1686 pr_info("DRBG: could not allocate cipher TFM handle\n"); 1687 return PTR_ERR(tfm); 1688 } 1689 BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm)); 1690 drbg->priv_data = tfm; 1691 return ret; 1692 } 1693 1694 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1695 { 1696 struct crypto_blkcipher *tfm = 1697 (struct crypto_blkcipher *)drbg->priv_data; 1698 if (tfm) 1699 crypto_free_blkcipher(tfm); 1700 drbg->priv_data = NULL; 1701 return 0; 1702 } 1703 1704 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1705 unsigned char *outval, const struct drbg_string *in) 1706 { 1707 int ret = 0; 1708 struct scatterlist sg_in, sg_out; 1709 struct blkcipher_desc desc; 1710 struct crypto_blkcipher *tfm = 1711 (struct crypto_blkcipher *)drbg->priv_data; 1712 1713 desc.tfm = tfm; 1714 desc.flags = 0; 1715 crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg))); 1716 /* there is only component in *in */ 1717 sg_init_one(&sg_in, in->buf, in->len); 1718 sg_init_one(&sg_out, outval, drbg_blocklen(drbg)); 1719 ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len); 1720 1721 return ret; 1722 } 1723 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1724 1725 /*************************************************************** 1726 * Kernel crypto API interface to register DRBG 1727 ***************************************************************/ 1728 1729 /* 1730 * Look up the DRBG flags by given kernel crypto API cra_name 1731 * The code uses the drbg_cores definition to do this 1732 * 1733 * @cra_name kernel crypto API cra_name 1734 * @coreref reference to integer which is filled with the pointer to 1735 * the applicable core 1736 * @pr reference for setting prediction resistance 1737 * 1738 * return: flags 1739 */ 1740 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1741 int *coreref, bool *pr) 1742 { 1743 int i = 0; 1744 size_t start = 0; 1745 int len = 0; 1746 1747 *pr = true; 1748 /* disassemble the names */ 1749 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1750 start = 10; 1751 *pr = false; 1752 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1753 start = 8; 1754 } else { 1755 return; 1756 } 1757 1758 /* remove the first part */ 1759 len = strlen(cra_driver_name) - start; 1760 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1761 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1762 len)) { 1763 *coreref = i; 1764 return; 1765 } 1766 } 1767 } 1768 1769 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1770 { 1771 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1772 bool pr = false; 1773 int coreref = 0; 1774 1775 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr); 1776 /* 1777 * when personalization string is needed, the caller must call reset 1778 * and provide the personalization string as seed information 1779 */ 1780 return drbg_instantiate(drbg, NULL, coreref, pr); 1781 } 1782 1783 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1784 { 1785 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1786 } 1787 1788 /* 1789 * Generate random numbers invoked by the kernel crypto API: 1790 * The API of the kernel crypto API is extended as follows: 1791 * 1792 * If dlen is larger than zero, rdata is interpreted as the output buffer 1793 * where random data is to be stored. 1794 * 1795 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen 1796 * which holds the additional information string that is used for the 1797 * DRBG generation process. The output buffer that is to be used to store 1798 * data is also pointed to by struct drbg_gen. 1799 */ 1800 static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, 1801 unsigned int dlen) 1802 { 1803 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1804 if (0 < dlen) { 1805 return drbg_generate_long(drbg, rdata, dlen, NULL); 1806 } else { 1807 struct drbg_gen *data = (struct drbg_gen *)rdata; 1808 struct drbg_string addtl; 1809 /* catch NULL pointer */ 1810 if (!data) 1811 return 0; 1812 drbg_set_testdata(drbg, data->test_data); 1813 /* linked list variable is now local to allow modification */ 1814 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len); 1815 return drbg_generate_long(drbg, data->outbuf, data->outlen, 1816 &addtl); 1817 } 1818 } 1819 1820 /* 1821 * Reset the DRBG invoked by the kernel crypto API 1822 * The reset implies a full re-initialization of the DRBG. Similar to the 1823 * generate function of drbg_kcapi_random, this function extends the 1824 * kernel crypto API interface with struct drbg_gen 1825 */ 1826 static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) 1827 { 1828 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1829 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1830 bool pr = false; 1831 struct drbg_string seed_string; 1832 int coreref = 0; 1833 1834 drbg_uninstantiate(drbg); 1835 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1836 &pr); 1837 if (0 < slen) { 1838 drbg_string_fill(&seed_string, seed, slen); 1839 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1840 } else { 1841 struct drbg_gen *data = (struct drbg_gen *)seed; 1842 /* allow invocation of API call with NULL, 0 */ 1843 if (!data) 1844 return drbg_instantiate(drbg, NULL, coreref, pr); 1845 drbg_set_testdata(drbg, data->test_data); 1846 /* linked list variable is now local to allow modification */ 1847 drbg_string_fill(&seed_string, data->addtl->buf, 1848 data->addtl->len); 1849 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1850 } 1851 } 1852 1853 /*************************************************************** 1854 * Kernel module: code to load the module 1855 ***************************************************************/ 1856 1857 /* 1858 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1859 * of the error handling. 1860 * 1861 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1862 * as seed source of get_random_bytes does not fail. 1863 * 1864 * Note 2: There is no sensible way of testing the reseed counter 1865 * enforcement, so skip it. 1866 */ 1867 static inline int __init drbg_healthcheck_sanity(void) 1868 { 1869 #ifdef CONFIG_CRYPTO_FIPS 1870 int len = 0; 1871 #define OUTBUFLEN 16 1872 unsigned char buf[OUTBUFLEN]; 1873 struct drbg_state *drbg = NULL; 1874 int ret = -EFAULT; 1875 int rc = -EFAULT; 1876 bool pr = false; 1877 int coreref = 0; 1878 struct drbg_string addtl; 1879 size_t max_addtllen, max_request_bytes; 1880 1881 /* only perform test in FIPS mode */ 1882 if (!fips_enabled) 1883 return 0; 1884 1885 #ifdef CONFIG_CRYPTO_DRBG_CTR 1886 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1887 #elif defined CONFIG_CRYPTO_DRBG_HASH 1888 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1889 #else 1890 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1891 #endif 1892 1893 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1894 if (!drbg) 1895 return -ENOMEM; 1896 1897 /* 1898 * if the following tests fail, it is likely that there is a buffer 1899 * overflow as buf is much smaller than the requested or provided 1900 * string lengths -- in case the error handling does not succeed 1901 * we may get an OOPS. And we want to get an OOPS as this is a 1902 * grave bug. 1903 */ 1904 1905 /* get a valid instance of DRBG for following tests */ 1906 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1907 if (ret) { 1908 rc = ret; 1909 goto outbuf; 1910 } 1911 max_addtllen = drbg_max_addtl(drbg); 1912 max_request_bytes = drbg_max_request_bytes(drbg); 1913 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1914 /* overflow addtllen with additonal info string */ 1915 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1916 BUG_ON(0 < len); 1917 /* overflow max_bits */ 1918 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1919 BUG_ON(0 < len); 1920 drbg_uninstantiate(drbg); 1921 1922 /* overflow max addtllen with personalization string */ 1923 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1924 BUG_ON(0 == ret); 1925 /* test uninstantated DRBG */ 1926 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1927 BUG_ON(0 < len); 1928 /* all tests passed */ 1929 rc = 0; 1930 1931 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1932 "completed\n"); 1933 1934 drbg_uninstantiate(drbg); 1935 outbuf: 1936 kzfree(drbg); 1937 return rc; 1938 #else /* CONFIG_CRYPTO_FIPS */ 1939 return 0; 1940 #endif /* CONFIG_CRYPTO_FIPS */ 1941 } 1942 1943 static struct crypto_alg drbg_algs[22]; 1944 1945 /* 1946 * Fill the array drbg_algs used to register the different DRBGs 1947 * with the kernel crypto API. To fill the array, the information 1948 * from drbg_cores[] is used. 1949 */ 1950 static inline void __init drbg_fill_array(struct crypto_alg *alg, 1951 const struct drbg_core *core, int pr) 1952 { 1953 int pos = 0; 1954 static int priority = 100; 1955 1956 memset(alg, 0, sizeof(struct crypto_alg)); 1957 memcpy(alg->cra_name, "stdrng", 6); 1958 if (pr) { 1959 memcpy(alg->cra_driver_name, "drbg_pr_", 8); 1960 pos = 8; 1961 } else { 1962 memcpy(alg->cra_driver_name, "drbg_nopr_", 10); 1963 pos = 10; 1964 } 1965 memcpy(alg->cra_driver_name + pos, core->cra_name, 1966 strlen(core->cra_name)); 1967 1968 alg->cra_priority = priority; 1969 priority++; 1970 /* 1971 * If FIPS mode enabled, the selected DRBG shall have the 1972 * highest cra_priority over other stdrng instances to ensure 1973 * it is selected. 1974 */ 1975 if (fips_enabled) 1976 alg->cra_priority += 200; 1977 1978 alg->cra_flags = CRYPTO_ALG_TYPE_RNG; 1979 alg->cra_ctxsize = sizeof(struct drbg_state); 1980 alg->cra_type = &crypto_rng_type; 1981 alg->cra_module = THIS_MODULE; 1982 alg->cra_init = drbg_kcapi_init; 1983 alg->cra_exit = drbg_kcapi_cleanup; 1984 alg->cra_u.rng.rng_make_random = drbg_kcapi_random; 1985 alg->cra_u.rng.rng_reset = drbg_kcapi_reset; 1986 alg->cra_u.rng.seedsize = 0; 1987 } 1988 1989 static int __init drbg_init(void) 1990 { 1991 unsigned int i = 0; /* pointer to drbg_algs */ 1992 unsigned int j = 0; /* pointer to drbg_cores */ 1993 int ret = -EFAULT; 1994 1995 ret = drbg_healthcheck_sanity(); 1996 if (ret) 1997 return ret; 1998 1999 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2000 pr_info("DRBG: Cannot register all DRBG types" 2001 "(slots needed: %zu, slots available: %zu)\n", 2002 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2003 return ret; 2004 } 2005 2006 /* 2007 * each DRBG definition can be used with PR and without PR, thus 2008 * we instantiate each DRBG in drbg_cores[] twice. 2009 * 2010 * As the order of placing them into the drbg_algs array matters 2011 * (the later DRBGs receive a higher cra_priority) we register the 2012 * prediction resistance DRBGs first as the should not be too 2013 * interesting. 2014 */ 2015 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2016 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2017 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2018 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2019 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2020 } 2021 2022 static void __exit drbg_exit(void) 2023 { 2024 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2025 } 2026 2027 module_init(drbg_init); 2028 module_exit(drbg_exit); 2029 #ifndef CRYPTO_DRBG_HASH_STRING 2030 #define CRYPTO_DRBG_HASH_STRING "" 2031 #endif 2032 #ifndef CRYPTO_DRBG_HMAC_STRING 2033 #define CRYPTO_DRBG_HMAC_STRING "" 2034 #endif 2035 #ifndef CRYPTO_DRBG_CTR_STRING 2036 #define CRYPTO_DRBG_CTR_STRING "" 2037 #endif 2038 MODULE_LICENSE("GPL"); 2039 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2040 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2041 "using following cores: " 2042 CRYPTO_DRBG_HASH_STRING 2043 CRYPTO_DRBG_HMAC_STRING 2044 CRYPTO_DRBG_CTR_STRING); 2045