1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * Convert an integer into a byte representation of this integer. 224 * The byte representation is big-endian 225 * 226 * @val value to be converted 227 * @buf buffer holding the converted integer -- caller must ensure that 228 * buffer size is at least 32 bit 229 */ 230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 232 { 233 struct s { 234 __be32 conv; 235 }; 236 struct s *conversion = (struct s *) buf; 237 238 conversion->conv = cpu_to_be32(val); 239 } 240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 241 242 /****************************************************************** 243 * CTR DRBG callback functions 244 ******************************************************************/ 245 246 #ifdef CONFIG_CRYPTO_DRBG_CTR 247 #define CRYPTO_DRBG_CTR_STRING "CTR " 248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 254 255 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 256 unsigned char *outval, const struct drbg_string *in); 257 static int drbg_init_sym_kernel(struct drbg_state *drbg); 258 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 259 260 /* BCC function for CTR DRBG as defined in 10.4.3 */ 261 static int drbg_ctr_bcc(struct drbg_state *drbg, 262 unsigned char *out, const unsigned char *key, 263 struct list_head *in) 264 { 265 int ret = 0; 266 struct drbg_string *curr = NULL; 267 struct drbg_string data; 268 short cnt = 0; 269 270 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 271 272 /* 10.4.3 step 2 / 4 */ 273 list_for_each_entry(curr, in, list) { 274 const unsigned char *pos = curr->buf; 275 size_t len = curr->len; 276 /* 10.4.3 step 4.1 */ 277 while (len) { 278 /* 10.4.3 step 4.2 */ 279 if (drbg_blocklen(drbg) == cnt) { 280 cnt = 0; 281 ret = drbg_kcapi_sym(drbg, key, out, &data); 282 if (ret) 283 return ret; 284 } 285 out[cnt] ^= *pos; 286 pos++; 287 cnt++; 288 len--; 289 } 290 } 291 /* 10.4.3 step 4.2 for last block */ 292 if (cnt) 293 ret = drbg_kcapi_sym(drbg, key, out, &data); 294 295 return ret; 296 } 297 298 /* 299 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 300 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 301 * the scratchpad is used as follows: 302 * drbg_ctr_update: 303 * temp 304 * start: drbg->scratchpad 305 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 306 * note: the cipher writing into this variable works 307 * blocklen-wise. Now, when the statelen is not a multiple 308 * of blocklen, the generateion loop below "spills over" 309 * by at most blocklen. Thus, we need to give sufficient 310 * memory. 311 * df_data 312 * start: drbg->scratchpad + 313 * drbg_statelen(drbg) + drbg_blocklen(drbg) 314 * length: drbg_statelen(drbg) 315 * 316 * drbg_ctr_df: 317 * pad 318 * start: df_data + drbg_statelen(drbg) 319 * length: drbg_blocklen(drbg) 320 * iv 321 * start: pad + drbg_blocklen(drbg) 322 * length: drbg_blocklen(drbg) 323 * temp 324 * start: iv + drbg_blocklen(drbg) 325 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 326 * note: temp is the buffer that the BCC function operates 327 * on. BCC operates blockwise. drbg_statelen(drbg) 328 * is sufficient when the DRBG state length is a multiple 329 * of the block size. For AES192 (and maybe other ciphers) 330 * this is not correct and the length for temp is 331 * insufficient (yes, that also means for such ciphers, 332 * the final output of all BCC rounds are truncated). 333 * Therefore, add drbg_blocklen(drbg) to cover all 334 * possibilities. 335 */ 336 337 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 338 static int drbg_ctr_df(struct drbg_state *drbg, 339 unsigned char *df_data, size_t bytes_to_return, 340 struct list_head *seedlist) 341 { 342 int ret = -EFAULT; 343 unsigned char L_N[8]; 344 /* S3 is input */ 345 struct drbg_string S1, S2, S4, cipherin; 346 LIST_HEAD(bcc_list); 347 unsigned char *pad = df_data + drbg_statelen(drbg); 348 unsigned char *iv = pad + drbg_blocklen(drbg); 349 unsigned char *temp = iv + drbg_blocklen(drbg); 350 size_t padlen = 0; 351 unsigned int templen = 0; 352 /* 10.4.2 step 7 */ 353 unsigned int i = 0; 354 /* 10.4.2 step 8 */ 355 const unsigned char *K = (unsigned char *) 356 "\x00\x01\x02\x03\x04\x05\x06\x07" 357 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 358 "\x10\x11\x12\x13\x14\x15\x16\x17" 359 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 360 unsigned char *X; 361 size_t generated_len = 0; 362 size_t inputlen = 0; 363 struct drbg_string *seed = NULL; 364 365 memset(pad, 0, drbg_blocklen(drbg)); 366 memset(iv, 0, drbg_blocklen(drbg)); 367 368 /* 10.4.2 step 1 is implicit as we work byte-wise */ 369 370 /* 10.4.2 step 2 */ 371 if ((512/8) < bytes_to_return) 372 return -EINVAL; 373 374 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 375 list_for_each_entry(seed, seedlist, list) 376 inputlen += seed->len; 377 drbg_cpu_to_be32(inputlen, &L_N[0]); 378 379 /* 10.4.2 step 3 */ 380 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 381 382 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 383 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 384 /* wrap the padlen appropriately */ 385 if (padlen) 386 padlen = drbg_blocklen(drbg) - padlen; 387 /* 388 * pad / padlen contains the 0x80 byte and the following zero bytes. 389 * As the calculated padlen value only covers the number of zero 390 * bytes, this value has to be incremented by one for the 0x80 byte. 391 */ 392 padlen++; 393 pad[0] = 0x80; 394 395 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 396 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 397 list_add_tail(&S1.list, &bcc_list); 398 drbg_string_fill(&S2, L_N, sizeof(L_N)); 399 list_add_tail(&S2.list, &bcc_list); 400 list_splice_tail(seedlist, &bcc_list); 401 drbg_string_fill(&S4, pad, padlen); 402 list_add_tail(&S4.list, &bcc_list); 403 404 /* 10.4.2 step 9 */ 405 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 406 /* 407 * 10.4.2 step 9.1 - the padding is implicit as the buffer 408 * holds zeros after allocation -- even the increment of i 409 * is irrelevant as the increment remains within length of i 410 */ 411 drbg_cpu_to_be32(i, iv); 412 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 413 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 414 if (ret) 415 goto out; 416 /* 10.4.2 step 9.3 */ 417 i++; 418 templen += drbg_blocklen(drbg); 419 } 420 421 /* 10.4.2 step 11 */ 422 X = temp + (drbg_keylen(drbg)); 423 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 424 425 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 426 427 /* 10.4.2 step 13 */ 428 while (generated_len < bytes_to_return) { 429 short blocklen = 0; 430 /* 431 * 10.4.2 step 13.1: the truncation of the key length is 432 * implicit as the key is only drbg_blocklen in size based on 433 * the implementation of the cipher function callback 434 */ 435 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 436 if (ret) 437 goto out; 438 blocklen = (drbg_blocklen(drbg) < 439 (bytes_to_return - generated_len)) ? 440 drbg_blocklen(drbg) : 441 (bytes_to_return - generated_len); 442 /* 10.4.2 step 13.2 and 14 */ 443 memcpy(df_data + generated_len, X, blocklen); 444 generated_len += blocklen; 445 } 446 447 ret = 0; 448 449 out: 450 memset(iv, 0, drbg_blocklen(drbg)); 451 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 452 memset(pad, 0, drbg_blocklen(drbg)); 453 return ret; 454 } 455 456 /* 457 * update function of CTR DRBG as defined in 10.2.1.2 458 * 459 * The reseed variable has an enhanced meaning compared to the update 460 * functions of the other DRBGs as follows: 461 * 0 => initial seed from initialization 462 * 1 => reseed via drbg_seed 463 * 2 => first invocation from drbg_ctr_update when addtl is present. In 464 * this case, the df_data scratchpad is not deleted so that it is 465 * available for another calls to prevent calling the DF function 466 * again. 467 * 3 => second invocation from drbg_ctr_update. When the update function 468 * was called with addtl, the df_data memory already contains the 469 * DFed addtl information and we do not need to call DF again. 470 */ 471 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 472 int reseed) 473 { 474 int ret = -EFAULT; 475 /* 10.2.1.2 step 1 */ 476 unsigned char *temp = drbg->scratchpad; 477 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 478 drbg_blocklen(drbg); 479 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 480 unsigned int len = 0; 481 struct drbg_string cipherin; 482 483 if (3 > reseed) 484 memset(df_data, 0, drbg_statelen(drbg)); 485 486 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 487 if (seed) { 488 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 489 if (ret) 490 goto out; 491 } 492 493 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 494 /* 495 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 496 * zeroizes all memory during initialization 497 */ 498 while (len < (drbg_statelen(drbg))) { 499 /* 10.2.1.2 step 2.1 */ 500 crypto_inc(drbg->V, drbg_blocklen(drbg)); 501 /* 502 * 10.2.1.2 step 2.2 */ 503 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 504 if (ret) 505 goto out; 506 /* 10.2.1.2 step 2.3 and 3 */ 507 len += drbg_blocklen(drbg); 508 } 509 510 /* 10.2.1.2 step 4 */ 511 temp_p = temp; 512 df_data_p = df_data; 513 for (len = 0; len < drbg_statelen(drbg); len++) { 514 *temp_p ^= *df_data_p; 515 df_data_p++; temp_p++; 516 } 517 518 /* 10.2.1.2 step 5 */ 519 memcpy(drbg->C, temp, drbg_keylen(drbg)); 520 /* 10.2.1.2 step 6 */ 521 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 522 ret = 0; 523 524 out: 525 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 526 if (2 != reseed) 527 memset(df_data, 0, drbg_statelen(drbg)); 528 return ret; 529 } 530 531 /* 532 * scratchpad use: drbg_ctr_update is called independently from 533 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 534 */ 535 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 536 static int drbg_ctr_generate(struct drbg_state *drbg, 537 unsigned char *buf, unsigned int buflen, 538 struct list_head *addtl) 539 { 540 int len = 0; 541 int ret = 0; 542 struct drbg_string data; 543 544 /* 10.2.1.5.2 step 2 */ 545 if (addtl && !list_empty(addtl)) { 546 ret = drbg_ctr_update(drbg, addtl, 2); 547 if (ret) 548 return 0; 549 } 550 551 /* 10.2.1.5.2 step 4.1 */ 552 crypto_inc(drbg->V, drbg_blocklen(drbg)); 553 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 554 while (len < buflen) { 555 int outlen = 0; 556 /* 10.2.1.5.2 step 4.2 */ 557 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 558 if (ret) { 559 len = ret; 560 goto out; 561 } 562 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 563 drbg_blocklen(drbg) : (buflen - len); 564 /* 10.2.1.5.2 step 4.3 */ 565 memcpy(buf + len, drbg->scratchpad, outlen); 566 len += outlen; 567 /* 10.2.1.5.2 step 6 */ 568 if (len < buflen) 569 crypto_inc(drbg->V, drbg_blocklen(drbg)); 570 } 571 572 /* 10.2.1.5.2 step 6 */ 573 ret = drbg_ctr_update(drbg, NULL, 3); 574 if (ret) 575 len = ret; 576 577 out: 578 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 579 return len; 580 } 581 582 static const struct drbg_state_ops drbg_ctr_ops = { 583 .update = drbg_ctr_update, 584 .generate = drbg_ctr_generate, 585 .crypto_init = drbg_init_sym_kernel, 586 .crypto_fini = drbg_fini_sym_kernel, 587 }; 588 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 589 590 /****************************************************************** 591 * HMAC DRBG callback functions 592 ******************************************************************/ 593 594 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 595 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 596 unsigned char *outval, const struct list_head *in); 597 static int drbg_init_hash_kernel(struct drbg_state *drbg); 598 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 599 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 600 601 #ifdef CONFIG_CRYPTO_DRBG_HMAC 602 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 603 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 604 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 605 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 606 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 607 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 608 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 609 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 610 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 611 612 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 613 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 614 int reseed) 615 { 616 int ret = -EFAULT; 617 int i = 0; 618 struct drbg_string seed1, seed2, vdata; 619 LIST_HEAD(seedlist); 620 LIST_HEAD(vdatalist); 621 622 if (!reseed) 623 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 624 memset(drbg->V, 1, drbg_statelen(drbg)); 625 626 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 627 list_add_tail(&seed1.list, &seedlist); 628 /* buffer of seed2 will be filled in for loop below with one byte */ 629 drbg_string_fill(&seed2, NULL, 1); 630 list_add_tail(&seed2.list, &seedlist); 631 /* input data of seed is allowed to be NULL at this point */ 632 if (seed) 633 list_splice_tail(seed, &seedlist); 634 635 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 636 list_add_tail(&vdata.list, &vdatalist); 637 for (i = 2; 0 < i; i--) { 638 /* first round uses 0x0, second 0x1 */ 639 unsigned char prefix = DRBG_PREFIX0; 640 if (1 == i) 641 prefix = DRBG_PREFIX1; 642 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 643 seed2.buf = &prefix; 644 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 645 if (ret) 646 return ret; 647 648 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 649 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 650 if (ret) 651 return ret; 652 653 /* 10.1.2.2 step 3 */ 654 if (!seed) 655 return ret; 656 } 657 658 return 0; 659 } 660 661 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 662 static int drbg_hmac_generate(struct drbg_state *drbg, 663 unsigned char *buf, 664 unsigned int buflen, 665 struct list_head *addtl) 666 { 667 int len = 0; 668 int ret = 0; 669 struct drbg_string data; 670 LIST_HEAD(datalist); 671 672 /* 10.1.2.5 step 2 */ 673 if (addtl && !list_empty(addtl)) { 674 ret = drbg_hmac_update(drbg, addtl, 1); 675 if (ret) 676 return ret; 677 } 678 679 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 680 list_add_tail(&data.list, &datalist); 681 while (len < buflen) { 682 unsigned int outlen = 0; 683 /* 10.1.2.5 step 4.1 */ 684 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 685 if (ret) 686 return ret; 687 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 688 drbg_blocklen(drbg) : (buflen - len); 689 690 /* 10.1.2.5 step 4.2 */ 691 memcpy(buf + len, drbg->V, outlen); 692 len += outlen; 693 } 694 695 /* 10.1.2.5 step 6 */ 696 if (addtl && !list_empty(addtl)) 697 ret = drbg_hmac_update(drbg, addtl, 1); 698 else 699 ret = drbg_hmac_update(drbg, NULL, 1); 700 if (ret) 701 return ret; 702 703 return len; 704 } 705 706 static const struct drbg_state_ops drbg_hmac_ops = { 707 .update = drbg_hmac_update, 708 .generate = drbg_hmac_generate, 709 .crypto_init = drbg_init_hash_kernel, 710 .crypto_fini = drbg_fini_hash_kernel, 711 }; 712 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 713 714 /****************************************************************** 715 * Hash DRBG callback functions 716 ******************************************************************/ 717 718 #ifdef CONFIG_CRYPTO_DRBG_HASH 719 #define CRYPTO_DRBG_HASH_STRING "HASH " 720 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 721 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 722 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 723 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 724 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 725 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 726 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 727 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 728 729 /* 730 * Increment buffer 731 * 732 * @dst buffer to increment 733 * @add value to add 734 */ 735 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 736 const unsigned char *add, size_t addlen) 737 { 738 /* implied: dstlen > addlen */ 739 unsigned char *dstptr; 740 const unsigned char *addptr; 741 unsigned int remainder = 0; 742 size_t len = addlen; 743 744 dstptr = dst + (dstlen-1); 745 addptr = add + (addlen-1); 746 while (len) { 747 remainder += *dstptr + *addptr; 748 *dstptr = remainder & 0xff; 749 remainder >>= 8; 750 len--; dstptr--; addptr--; 751 } 752 len = dstlen - addlen; 753 while (len && remainder > 0) { 754 remainder = *dstptr + 1; 755 *dstptr = remainder & 0xff; 756 remainder >>= 8; 757 len--; dstptr--; 758 } 759 } 760 761 /* 762 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 763 * interlinked, the scratchpad is used as follows: 764 * drbg_hash_update 765 * start: drbg->scratchpad 766 * length: drbg_statelen(drbg) 767 * drbg_hash_df: 768 * start: drbg->scratchpad + drbg_statelen(drbg) 769 * length: drbg_blocklen(drbg) 770 * 771 * drbg_hash_process_addtl uses the scratchpad, but fully completes 772 * before either of the functions mentioned before are invoked. Therefore, 773 * drbg_hash_process_addtl does not need to be specifically considered. 774 */ 775 776 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 777 static int drbg_hash_df(struct drbg_state *drbg, 778 unsigned char *outval, size_t outlen, 779 struct list_head *entropylist) 780 { 781 int ret = 0; 782 size_t len = 0; 783 unsigned char input[5]; 784 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 785 struct drbg_string data; 786 787 /* 10.4.1 step 3 */ 788 input[0] = 1; 789 drbg_cpu_to_be32((outlen * 8), &input[1]); 790 791 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 792 drbg_string_fill(&data, input, 5); 793 list_add(&data.list, entropylist); 794 795 /* 10.4.1 step 4 */ 796 while (len < outlen) { 797 short blocklen = 0; 798 /* 10.4.1 step 4.1 */ 799 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 800 if (ret) 801 goto out; 802 /* 10.4.1 step 4.2 */ 803 input[0]++; 804 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 805 drbg_blocklen(drbg) : (outlen - len); 806 memcpy(outval + len, tmp, blocklen); 807 len += blocklen; 808 } 809 810 out: 811 memset(tmp, 0, drbg_blocklen(drbg)); 812 return ret; 813 } 814 815 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 816 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 817 int reseed) 818 { 819 int ret = 0; 820 struct drbg_string data1, data2; 821 LIST_HEAD(datalist); 822 LIST_HEAD(datalist2); 823 unsigned char *V = drbg->scratchpad; 824 unsigned char prefix = DRBG_PREFIX1; 825 826 if (!seed) 827 return -EINVAL; 828 829 if (reseed) { 830 /* 10.1.1.3 step 1 */ 831 memcpy(V, drbg->V, drbg_statelen(drbg)); 832 drbg_string_fill(&data1, &prefix, 1); 833 list_add_tail(&data1.list, &datalist); 834 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 835 list_add_tail(&data2.list, &datalist); 836 } 837 list_splice_tail(seed, &datalist); 838 839 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 840 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 841 if (ret) 842 goto out; 843 844 /* 10.1.1.2 / 10.1.1.3 step 4 */ 845 prefix = DRBG_PREFIX0; 846 drbg_string_fill(&data1, &prefix, 1); 847 list_add_tail(&data1.list, &datalist2); 848 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 849 list_add_tail(&data2.list, &datalist2); 850 /* 10.1.1.2 / 10.1.1.3 step 4 */ 851 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 852 853 out: 854 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 855 return ret; 856 } 857 858 /* processing of additional information string for Hash DRBG */ 859 static int drbg_hash_process_addtl(struct drbg_state *drbg, 860 struct list_head *addtl) 861 { 862 int ret = 0; 863 struct drbg_string data1, data2; 864 LIST_HEAD(datalist); 865 unsigned char prefix = DRBG_PREFIX2; 866 867 /* 10.1.1.4 step 2 */ 868 if (!addtl || list_empty(addtl)) 869 return 0; 870 871 /* 10.1.1.4 step 2a */ 872 drbg_string_fill(&data1, &prefix, 1); 873 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 874 list_add_tail(&data1.list, &datalist); 875 list_add_tail(&data2.list, &datalist); 876 list_splice_tail(addtl, &datalist); 877 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 878 if (ret) 879 goto out; 880 881 /* 10.1.1.4 step 2b */ 882 drbg_add_buf(drbg->V, drbg_statelen(drbg), 883 drbg->scratchpad, drbg_blocklen(drbg)); 884 885 out: 886 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 887 return ret; 888 } 889 890 /* Hashgen defined in 10.1.1.4 */ 891 static int drbg_hash_hashgen(struct drbg_state *drbg, 892 unsigned char *buf, 893 unsigned int buflen) 894 { 895 int len = 0; 896 int ret = 0; 897 unsigned char *src = drbg->scratchpad; 898 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 899 struct drbg_string data; 900 LIST_HEAD(datalist); 901 902 /* 10.1.1.4 step hashgen 2 */ 903 memcpy(src, drbg->V, drbg_statelen(drbg)); 904 905 drbg_string_fill(&data, src, drbg_statelen(drbg)); 906 list_add_tail(&data.list, &datalist); 907 while (len < buflen) { 908 unsigned int outlen = 0; 909 /* 10.1.1.4 step hashgen 4.1 */ 910 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 911 if (ret) { 912 len = ret; 913 goto out; 914 } 915 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 916 drbg_blocklen(drbg) : (buflen - len); 917 /* 10.1.1.4 step hashgen 4.2 */ 918 memcpy(buf + len, dst, outlen); 919 len += outlen; 920 /* 10.1.1.4 hashgen step 4.3 */ 921 if (len < buflen) 922 crypto_inc(src, drbg_statelen(drbg)); 923 } 924 925 out: 926 memset(drbg->scratchpad, 0, 927 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 928 return len; 929 } 930 931 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 932 static int drbg_hash_generate(struct drbg_state *drbg, 933 unsigned char *buf, unsigned int buflen, 934 struct list_head *addtl) 935 { 936 int len = 0; 937 int ret = 0; 938 union { 939 unsigned char req[8]; 940 __be64 req_int; 941 } u; 942 unsigned char prefix = DRBG_PREFIX3; 943 struct drbg_string data1, data2; 944 LIST_HEAD(datalist); 945 946 /* 10.1.1.4 step 2 */ 947 ret = drbg_hash_process_addtl(drbg, addtl); 948 if (ret) 949 return ret; 950 /* 10.1.1.4 step 3 */ 951 len = drbg_hash_hashgen(drbg, buf, buflen); 952 953 /* this is the value H as documented in 10.1.1.4 */ 954 /* 10.1.1.4 step 4 */ 955 drbg_string_fill(&data1, &prefix, 1); 956 list_add_tail(&data1.list, &datalist); 957 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 958 list_add_tail(&data2.list, &datalist); 959 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 960 if (ret) { 961 len = ret; 962 goto out; 963 } 964 965 /* 10.1.1.4 step 5 */ 966 drbg_add_buf(drbg->V, drbg_statelen(drbg), 967 drbg->scratchpad, drbg_blocklen(drbg)); 968 drbg_add_buf(drbg->V, drbg_statelen(drbg), 969 drbg->C, drbg_statelen(drbg)); 970 u.req_int = cpu_to_be64(drbg->reseed_ctr); 971 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 972 973 out: 974 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 975 return len; 976 } 977 978 /* 979 * scratchpad usage: as update and generate are used isolated, both 980 * can use the scratchpad 981 */ 982 static const struct drbg_state_ops drbg_hash_ops = { 983 .update = drbg_hash_update, 984 .generate = drbg_hash_generate, 985 .crypto_init = drbg_init_hash_kernel, 986 .crypto_fini = drbg_fini_hash_kernel, 987 }; 988 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 989 990 /****************************************************************** 991 * Functions common for DRBG implementations 992 ******************************************************************/ 993 994 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 995 int reseed) 996 { 997 int ret = drbg->d_ops->update(drbg, seed, reseed); 998 999 if (ret) 1000 return ret; 1001 1002 drbg->seeded = true; 1003 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1004 drbg->reseed_ctr = 1; 1005 1006 return ret; 1007 } 1008 1009 static void drbg_async_seed(struct work_struct *work) 1010 { 1011 struct drbg_string data; 1012 LIST_HEAD(seedlist); 1013 struct drbg_state *drbg = container_of(work, struct drbg_state, 1014 seed_work); 1015 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1016 unsigned char entropy[32]; 1017 1018 BUG_ON(!entropylen); 1019 BUG_ON(entropylen > sizeof(entropy)); 1020 get_random_bytes(entropy, entropylen); 1021 1022 drbg_string_fill(&data, entropy, entropylen); 1023 list_add_tail(&data.list, &seedlist); 1024 1025 mutex_lock(&drbg->drbg_mutex); 1026 1027 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1028 crypto_free_rng(drbg->jent); 1029 drbg->jent = NULL; 1030 1031 /* Set seeded to false so that if __drbg_seed fails the 1032 * next generate call will trigger a reseed. 1033 */ 1034 drbg->seeded = false; 1035 1036 __drbg_seed(drbg, &seedlist, true); 1037 1038 if (drbg->seeded) 1039 drbg->reseed_threshold = drbg_max_requests(drbg); 1040 1041 mutex_unlock(&drbg->drbg_mutex); 1042 1043 memzero_explicit(entropy, entropylen); 1044 } 1045 1046 /* 1047 * Seeding or reseeding of the DRBG 1048 * 1049 * @drbg: DRBG state struct 1050 * @pers: personalization / additional information buffer 1051 * @reseed: 0 for initial seed process, 1 for reseeding 1052 * 1053 * return: 1054 * 0 on success 1055 * error value otherwise 1056 */ 1057 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1058 bool reseed) 1059 { 1060 int ret; 1061 unsigned char entropy[((32 + 16) * 2)]; 1062 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1063 struct drbg_string data1; 1064 LIST_HEAD(seedlist); 1065 1066 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1067 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1068 pr_devel("DRBG: personalization string too long %zu\n", 1069 pers->len); 1070 return -EINVAL; 1071 } 1072 1073 if (list_empty(&drbg->test_data.list)) { 1074 drbg_string_fill(&data1, drbg->test_data.buf, 1075 drbg->test_data.len); 1076 pr_devel("DRBG: using test entropy\n"); 1077 } else { 1078 /* 1079 * Gather entropy equal to the security strength of the DRBG. 1080 * With a derivation function, a nonce is required in addition 1081 * to the entropy. A nonce must be at least 1/2 of the security 1082 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1083 * of the strength. The consideration of a nonce is only 1084 * applicable during initial seeding. 1085 */ 1086 BUG_ON(!entropylen); 1087 if (!reseed) 1088 entropylen = ((entropylen + 1) / 2) * 3; 1089 BUG_ON((entropylen * 2) > sizeof(entropy)); 1090 1091 /* Get seed from in-kernel /dev/urandom */ 1092 get_random_bytes(entropy, entropylen); 1093 1094 if (!drbg->jent) { 1095 drbg_string_fill(&data1, entropy, entropylen); 1096 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1097 entropylen); 1098 } else { 1099 /* Get seed from Jitter RNG */ 1100 ret = crypto_rng_get_bytes(drbg->jent, 1101 entropy + entropylen, 1102 entropylen); 1103 if (ret) { 1104 pr_devel("DRBG: jent failed with %d\n", ret); 1105 return ret; 1106 } 1107 1108 drbg_string_fill(&data1, entropy, entropylen * 2); 1109 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1110 entropylen * 2); 1111 } 1112 } 1113 list_add_tail(&data1.list, &seedlist); 1114 1115 /* 1116 * concatenation of entropy with personalization str / addtl input) 1117 * the variable pers is directly handed in by the caller, so check its 1118 * contents whether it is appropriate 1119 */ 1120 if (pers && pers->buf && 0 < pers->len) { 1121 list_add_tail(&pers->list, &seedlist); 1122 pr_devel("DRBG: using personalization string\n"); 1123 } 1124 1125 if (!reseed) { 1126 memset(drbg->V, 0, drbg_statelen(drbg)); 1127 memset(drbg->C, 0, drbg_statelen(drbg)); 1128 } 1129 1130 ret = __drbg_seed(drbg, &seedlist, reseed); 1131 1132 memzero_explicit(entropy, entropylen * 2); 1133 1134 return ret; 1135 } 1136 1137 /* Free all substructures in a DRBG state without the DRBG state structure */ 1138 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1139 { 1140 if (!drbg) 1141 return; 1142 kzfree(drbg->V); 1143 drbg->V = NULL; 1144 kzfree(drbg->C); 1145 drbg->C = NULL; 1146 kzfree(drbg->scratchpad); 1147 drbg->scratchpad = NULL; 1148 drbg->reseed_ctr = 0; 1149 drbg->d_ops = NULL; 1150 drbg->core = NULL; 1151 } 1152 1153 /* 1154 * Allocate all sub-structures for a DRBG state. 1155 * The DRBG state structure must already be allocated. 1156 */ 1157 static inline int drbg_alloc_state(struct drbg_state *drbg) 1158 { 1159 int ret = -ENOMEM; 1160 unsigned int sb_size = 0; 1161 1162 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1163 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1164 case DRBG_HMAC: 1165 drbg->d_ops = &drbg_hmac_ops; 1166 break; 1167 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1168 #ifdef CONFIG_CRYPTO_DRBG_HASH 1169 case DRBG_HASH: 1170 drbg->d_ops = &drbg_hash_ops; 1171 break; 1172 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1173 #ifdef CONFIG_CRYPTO_DRBG_CTR 1174 case DRBG_CTR: 1175 drbg->d_ops = &drbg_ctr_ops; 1176 break; 1177 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1178 default: 1179 ret = -EOPNOTSUPP; 1180 goto err; 1181 } 1182 1183 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1184 if (!drbg->V) 1185 goto err; 1186 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1187 if (!drbg->C) 1188 goto err; 1189 /* scratchpad is only generated for CTR and Hash */ 1190 if (drbg->core->flags & DRBG_HMAC) 1191 sb_size = 0; 1192 else if (drbg->core->flags & DRBG_CTR) 1193 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1194 drbg_statelen(drbg) + /* df_data */ 1195 drbg_blocklen(drbg) + /* pad */ 1196 drbg_blocklen(drbg) + /* iv */ 1197 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1198 else 1199 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1200 1201 if (0 < sb_size) { 1202 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1203 if (!drbg->scratchpad) 1204 goto err; 1205 } 1206 1207 return 0; 1208 1209 err: 1210 drbg_dealloc_state(drbg); 1211 return ret; 1212 } 1213 1214 /************************************************************************* 1215 * DRBG interface functions 1216 *************************************************************************/ 1217 1218 /* 1219 * DRBG generate function as required by SP800-90A - this function 1220 * generates random numbers 1221 * 1222 * @drbg DRBG state handle 1223 * @buf Buffer where to store the random numbers -- the buffer must already 1224 * be pre-allocated by caller 1225 * @buflen Length of output buffer - this value defines the number of random 1226 * bytes pulled from DRBG 1227 * @addtl Additional input that is mixed into state, may be NULL -- note 1228 * the entropy is pulled by the DRBG internally unconditionally 1229 * as defined in SP800-90A. The additional input is mixed into 1230 * the state in addition to the pulled entropy. 1231 * 1232 * return: 0 when all bytes are generated; < 0 in case of an error 1233 */ 1234 static int drbg_generate(struct drbg_state *drbg, 1235 unsigned char *buf, unsigned int buflen, 1236 struct drbg_string *addtl) 1237 { 1238 int len = 0; 1239 LIST_HEAD(addtllist); 1240 1241 if (!drbg->core) { 1242 pr_devel("DRBG: not yet seeded\n"); 1243 return -EINVAL; 1244 } 1245 if (0 == buflen || !buf) { 1246 pr_devel("DRBG: no output buffer provided\n"); 1247 return -EINVAL; 1248 } 1249 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1250 pr_devel("DRBG: wrong format of additional information\n"); 1251 return -EINVAL; 1252 } 1253 1254 /* 9.3.1 step 2 */ 1255 len = -EINVAL; 1256 if (buflen > (drbg_max_request_bytes(drbg))) { 1257 pr_devel("DRBG: requested random numbers too large %u\n", 1258 buflen); 1259 goto err; 1260 } 1261 1262 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1263 1264 /* 9.3.1 step 4 */ 1265 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1266 pr_devel("DRBG: additional information string too long %zu\n", 1267 addtl->len); 1268 goto err; 1269 } 1270 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1271 1272 /* 1273 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1274 * here. The spec is a bit convoluted here, we make it simpler. 1275 */ 1276 if (drbg->reseed_threshold < drbg->reseed_ctr) 1277 drbg->seeded = false; 1278 1279 if (drbg->pr || !drbg->seeded) { 1280 pr_devel("DRBG: reseeding before generation (prediction " 1281 "resistance: %s, state %s)\n", 1282 drbg->pr ? "true" : "false", 1283 drbg->seeded ? "seeded" : "unseeded"); 1284 /* 9.3.1 steps 7.1 through 7.3 */ 1285 len = drbg_seed(drbg, addtl, true); 1286 if (len) 1287 goto err; 1288 /* 9.3.1 step 7.4 */ 1289 addtl = NULL; 1290 } 1291 1292 if (addtl && 0 < addtl->len) 1293 list_add_tail(&addtl->list, &addtllist); 1294 /* 9.3.1 step 8 and 10 */ 1295 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1296 1297 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1298 drbg->reseed_ctr++; 1299 if (0 >= len) 1300 goto err; 1301 1302 /* 1303 * Section 11.3.3 requires to re-perform self tests after some 1304 * generated random numbers. The chosen value after which self 1305 * test is performed is arbitrary, but it should be reasonable. 1306 * However, we do not perform the self tests because of the following 1307 * reasons: it is mathematically impossible that the initial self tests 1308 * were successfully and the following are not. If the initial would 1309 * pass and the following would not, the kernel integrity is violated. 1310 * In this case, the entire kernel operation is questionable and it 1311 * is unlikely that the integrity violation only affects the 1312 * correct operation of the DRBG. 1313 * 1314 * Albeit the following code is commented out, it is provided in 1315 * case somebody has a need to implement the test of 11.3.3. 1316 */ 1317 #if 0 1318 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1319 int err = 0; 1320 pr_devel("DRBG: start to perform self test\n"); 1321 if (drbg->core->flags & DRBG_HMAC) 1322 err = alg_test("drbg_pr_hmac_sha256", 1323 "drbg_pr_hmac_sha256", 0, 0); 1324 else if (drbg->core->flags & DRBG_CTR) 1325 err = alg_test("drbg_pr_ctr_aes128", 1326 "drbg_pr_ctr_aes128", 0, 0); 1327 else 1328 err = alg_test("drbg_pr_sha256", 1329 "drbg_pr_sha256", 0, 0); 1330 if (err) { 1331 pr_err("DRBG: periodical self test failed\n"); 1332 /* 1333 * uninstantiate implies that from now on, only errors 1334 * are returned when reusing this DRBG cipher handle 1335 */ 1336 drbg_uninstantiate(drbg); 1337 return 0; 1338 } else { 1339 pr_devel("DRBG: self test successful\n"); 1340 } 1341 } 1342 #endif 1343 1344 /* 1345 * All operations were successful, return 0 as mandated by 1346 * the kernel crypto API interface. 1347 */ 1348 len = 0; 1349 err: 1350 return len; 1351 } 1352 1353 /* 1354 * Wrapper around drbg_generate which can pull arbitrary long strings 1355 * from the DRBG without hitting the maximum request limitation. 1356 * 1357 * Parameters: see drbg_generate 1358 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1359 * the entire drbg_generate_long request fails 1360 */ 1361 static int drbg_generate_long(struct drbg_state *drbg, 1362 unsigned char *buf, unsigned int buflen, 1363 struct drbg_string *addtl) 1364 { 1365 unsigned int len = 0; 1366 unsigned int slice = 0; 1367 do { 1368 int err = 0; 1369 unsigned int chunk = 0; 1370 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1371 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1372 mutex_lock(&drbg->drbg_mutex); 1373 err = drbg_generate(drbg, buf + len, chunk, addtl); 1374 mutex_unlock(&drbg->drbg_mutex); 1375 if (0 > err) 1376 return err; 1377 len += chunk; 1378 } while (slice > 0 && (len < buflen)); 1379 return 0; 1380 } 1381 1382 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1383 { 1384 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1385 random_ready); 1386 1387 schedule_work(&drbg->seed_work); 1388 } 1389 1390 static int drbg_prepare_hrng(struct drbg_state *drbg) 1391 { 1392 int err; 1393 1394 /* We do not need an HRNG in test mode. */ 1395 if (list_empty(&drbg->test_data.list)) 1396 return 0; 1397 1398 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1399 1400 drbg->random_ready.owner = THIS_MODULE; 1401 drbg->random_ready.func = drbg_schedule_async_seed; 1402 1403 err = add_random_ready_callback(&drbg->random_ready); 1404 1405 switch (err) { 1406 case 0: 1407 break; 1408 1409 case -EALREADY: 1410 err = 0; 1411 /* fall through */ 1412 1413 default: 1414 drbg->random_ready.func = NULL; 1415 return err; 1416 } 1417 1418 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1419 1420 /* 1421 * Require frequent reseeds until the seed source is fully 1422 * initialized. 1423 */ 1424 drbg->reseed_threshold = 50; 1425 1426 return err; 1427 } 1428 1429 /* 1430 * DRBG instantiation function as required by SP800-90A - this function 1431 * sets up the DRBG handle, performs the initial seeding and all sanity 1432 * checks required by SP800-90A 1433 * 1434 * @drbg memory of state -- if NULL, new memory is allocated 1435 * @pers Personalization string that is mixed into state, may be NULL -- note 1436 * the entropy is pulled by the DRBG internally unconditionally 1437 * as defined in SP800-90A. The additional input is mixed into 1438 * the state in addition to the pulled entropy. 1439 * @coreref reference to core 1440 * @pr prediction resistance enabled 1441 * 1442 * return 1443 * 0 on success 1444 * error value otherwise 1445 */ 1446 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1447 int coreref, bool pr) 1448 { 1449 int ret; 1450 bool reseed = true; 1451 1452 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1453 "%s\n", coreref, pr ? "enabled" : "disabled"); 1454 mutex_lock(&drbg->drbg_mutex); 1455 1456 /* 9.1 step 1 is implicit with the selected DRBG type */ 1457 1458 /* 1459 * 9.1 step 2 is implicit as caller can select prediction resistance 1460 * and the flag is copied into drbg->flags -- 1461 * all DRBG types support prediction resistance 1462 */ 1463 1464 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1465 1466 if (!drbg->core) { 1467 drbg->core = &drbg_cores[coreref]; 1468 drbg->pr = pr; 1469 drbg->seeded = false; 1470 drbg->reseed_threshold = drbg_max_requests(drbg); 1471 1472 ret = drbg_alloc_state(drbg); 1473 if (ret) 1474 goto unlock; 1475 1476 ret = -EFAULT; 1477 if (drbg->d_ops->crypto_init(drbg)) 1478 goto err; 1479 1480 ret = drbg_prepare_hrng(drbg); 1481 if (ret) 1482 goto free_everything; 1483 1484 if (IS_ERR(drbg->jent)) { 1485 ret = PTR_ERR(drbg->jent); 1486 drbg->jent = NULL; 1487 if (fips_enabled || ret != -ENOENT) 1488 goto free_everything; 1489 pr_info("DRBG: Continuing without Jitter RNG\n"); 1490 } 1491 1492 reseed = false; 1493 } 1494 1495 ret = drbg_seed(drbg, pers, reseed); 1496 1497 if (ret && !reseed) 1498 goto free_everything; 1499 1500 mutex_unlock(&drbg->drbg_mutex); 1501 return ret; 1502 1503 err: 1504 drbg_dealloc_state(drbg); 1505 unlock: 1506 mutex_unlock(&drbg->drbg_mutex); 1507 return ret; 1508 1509 free_everything: 1510 mutex_unlock(&drbg->drbg_mutex); 1511 drbg_uninstantiate(drbg); 1512 return ret; 1513 } 1514 1515 /* 1516 * DRBG uninstantiate function as required by SP800-90A - this function 1517 * frees all buffers and the DRBG handle 1518 * 1519 * @drbg DRBG state handle 1520 * 1521 * return 1522 * 0 on success 1523 */ 1524 static int drbg_uninstantiate(struct drbg_state *drbg) 1525 { 1526 if (drbg->random_ready.func) { 1527 del_random_ready_callback(&drbg->random_ready); 1528 cancel_work_sync(&drbg->seed_work); 1529 crypto_free_rng(drbg->jent); 1530 drbg->jent = NULL; 1531 } 1532 1533 if (drbg->d_ops) 1534 drbg->d_ops->crypto_fini(drbg); 1535 drbg_dealloc_state(drbg); 1536 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1537 return 0; 1538 } 1539 1540 /* 1541 * Helper function for setting the test data in the DRBG 1542 * 1543 * @drbg DRBG state handle 1544 * @data test data 1545 * @len test data length 1546 */ 1547 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1548 const u8 *data, unsigned int len) 1549 { 1550 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1551 1552 mutex_lock(&drbg->drbg_mutex); 1553 drbg_string_fill(&drbg->test_data, data, len); 1554 mutex_unlock(&drbg->drbg_mutex); 1555 } 1556 1557 /*************************************************************** 1558 * Kernel crypto API cipher invocations requested by DRBG 1559 ***************************************************************/ 1560 1561 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1562 struct sdesc { 1563 struct shash_desc shash; 1564 char ctx[]; 1565 }; 1566 1567 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1568 { 1569 struct sdesc *sdesc; 1570 struct crypto_shash *tfm; 1571 1572 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1573 if (IS_ERR(tfm)) { 1574 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1575 drbg->core->backend_cra_name); 1576 return PTR_ERR(tfm); 1577 } 1578 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1579 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1580 GFP_KERNEL); 1581 if (!sdesc) { 1582 crypto_free_shash(tfm); 1583 return -ENOMEM; 1584 } 1585 1586 sdesc->shash.tfm = tfm; 1587 sdesc->shash.flags = 0; 1588 drbg->priv_data = sdesc; 1589 return 0; 1590 } 1591 1592 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1593 { 1594 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1595 if (sdesc) { 1596 crypto_free_shash(sdesc->shash.tfm); 1597 kzfree(sdesc); 1598 } 1599 drbg->priv_data = NULL; 1600 return 0; 1601 } 1602 1603 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1604 unsigned char *outval, const struct list_head *in) 1605 { 1606 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1607 struct drbg_string *input = NULL; 1608 1609 if (key) 1610 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1611 crypto_shash_init(&sdesc->shash); 1612 list_for_each_entry(input, in, list) 1613 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1614 return crypto_shash_final(&sdesc->shash, outval); 1615 } 1616 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1617 1618 #ifdef CONFIG_CRYPTO_DRBG_CTR 1619 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1620 { 1621 int ret = 0; 1622 struct crypto_cipher *tfm; 1623 1624 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1625 if (IS_ERR(tfm)) { 1626 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1627 drbg->core->backend_cra_name); 1628 return PTR_ERR(tfm); 1629 } 1630 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1631 drbg->priv_data = tfm; 1632 return ret; 1633 } 1634 1635 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1636 { 1637 struct crypto_cipher *tfm = 1638 (struct crypto_cipher *)drbg->priv_data; 1639 if (tfm) 1640 crypto_free_cipher(tfm); 1641 drbg->priv_data = NULL; 1642 return 0; 1643 } 1644 1645 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1646 unsigned char *outval, const struct drbg_string *in) 1647 { 1648 struct crypto_cipher *tfm = 1649 (struct crypto_cipher *)drbg->priv_data; 1650 1651 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1652 /* there is only component in *in */ 1653 BUG_ON(in->len < drbg_blocklen(drbg)); 1654 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1655 return 0; 1656 } 1657 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1658 1659 /*************************************************************** 1660 * Kernel crypto API interface to register DRBG 1661 ***************************************************************/ 1662 1663 /* 1664 * Look up the DRBG flags by given kernel crypto API cra_name 1665 * The code uses the drbg_cores definition to do this 1666 * 1667 * @cra_name kernel crypto API cra_name 1668 * @coreref reference to integer which is filled with the pointer to 1669 * the applicable core 1670 * @pr reference for setting prediction resistance 1671 * 1672 * return: flags 1673 */ 1674 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1675 int *coreref, bool *pr) 1676 { 1677 int i = 0; 1678 size_t start = 0; 1679 int len = 0; 1680 1681 *pr = true; 1682 /* disassemble the names */ 1683 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1684 start = 10; 1685 *pr = false; 1686 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1687 start = 8; 1688 } else { 1689 return; 1690 } 1691 1692 /* remove the first part */ 1693 len = strlen(cra_driver_name) - start; 1694 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1695 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1696 len)) { 1697 *coreref = i; 1698 return; 1699 } 1700 } 1701 } 1702 1703 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1704 { 1705 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1706 1707 mutex_init(&drbg->drbg_mutex); 1708 1709 return 0; 1710 } 1711 1712 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1713 { 1714 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1715 } 1716 1717 /* 1718 * Generate random numbers invoked by the kernel crypto API: 1719 * The API of the kernel crypto API is extended as follows: 1720 * 1721 * src is additional input supplied to the RNG. 1722 * slen is the length of src. 1723 * dst is the output buffer where random data is to be stored. 1724 * dlen is the length of dst. 1725 */ 1726 static int drbg_kcapi_random(struct crypto_rng *tfm, 1727 const u8 *src, unsigned int slen, 1728 u8 *dst, unsigned int dlen) 1729 { 1730 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1731 struct drbg_string *addtl = NULL; 1732 struct drbg_string string; 1733 1734 if (slen) { 1735 /* linked list variable is now local to allow modification */ 1736 drbg_string_fill(&string, src, slen); 1737 addtl = &string; 1738 } 1739 1740 return drbg_generate_long(drbg, dst, dlen, addtl); 1741 } 1742 1743 /* 1744 * Seed the DRBG invoked by the kernel crypto API 1745 */ 1746 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1747 const u8 *seed, unsigned int slen) 1748 { 1749 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1750 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1751 bool pr = false; 1752 struct drbg_string string; 1753 struct drbg_string *seed_string = NULL; 1754 int coreref = 0; 1755 1756 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1757 &pr); 1758 if (0 < slen) { 1759 drbg_string_fill(&string, seed, slen); 1760 seed_string = &string; 1761 } 1762 1763 return drbg_instantiate(drbg, seed_string, coreref, pr); 1764 } 1765 1766 /*************************************************************** 1767 * Kernel module: code to load the module 1768 ***************************************************************/ 1769 1770 /* 1771 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1772 * of the error handling. 1773 * 1774 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1775 * as seed source of get_random_bytes does not fail. 1776 * 1777 * Note 2: There is no sensible way of testing the reseed counter 1778 * enforcement, so skip it. 1779 */ 1780 static inline int __init drbg_healthcheck_sanity(void) 1781 { 1782 int len = 0; 1783 #define OUTBUFLEN 16 1784 unsigned char buf[OUTBUFLEN]; 1785 struct drbg_state *drbg = NULL; 1786 int ret = -EFAULT; 1787 int rc = -EFAULT; 1788 bool pr = false; 1789 int coreref = 0; 1790 struct drbg_string addtl; 1791 size_t max_addtllen, max_request_bytes; 1792 1793 /* only perform test in FIPS mode */ 1794 if (!fips_enabled) 1795 return 0; 1796 1797 #ifdef CONFIG_CRYPTO_DRBG_CTR 1798 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1799 #elif defined CONFIG_CRYPTO_DRBG_HASH 1800 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1801 #else 1802 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1803 #endif 1804 1805 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1806 if (!drbg) 1807 return -ENOMEM; 1808 1809 mutex_init(&drbg->drbg_mutex); 1810 1811 /* 1812 * if the following tests fail, it is likely that there is a buffer 1813 * overflow as buf is much smaller than the requested or provided 1814 * string lengths -- in case the error handling does not succeed 1815 * we may get an OOPS. And we want to get an OOPS as this is a 1816 * grave bug. 1817 */ 1818 1819 /* get a valid instance of DRBG for following tests */ 1820 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1821 if (ret) { 1822 rc = ret; 1823 goto outbuf; 1824 } 1825 max_addtllen = drbg_max_addtl(drbg); 1826 max_request_bytes = drbg_max_request_bytes(drbg); 1827 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1828 /* overflow addtllen with additonal info string */ 1829 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1830 BUG_ON(0 < len); 1831 /* overflow max_bits */ 1832 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1833 BUG_ON(0 < len); 1834 drbg_uninstantiate(drbg); 1835 1836 /* overflow max addtllen with personalization string */ 1837 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1838 BUG_ON(0 == ret); 1839 /* all tests passed */ 1840 rc = 0; 1841 1842 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1843 "completed\n"); 1844 1845 drbg_uninstantiate(drbg); 1846 outbuf: 1847 kzfree(drbg); 1848 return rc; 1849 } 1850 1851 static struct rng_alg drbg_algs[22]; 1852 1853 /* 1854 * Fill the array drbg_algs used to register the different DRBGs 1855 * with the kernel crypto API. To fill the array, the information 1856 * from drbg_cores[] is used. 1857 */ 1858 static inline void __init drbg_fill_array(struct rng_alg *alg, 1859 const struct drbg_core *core, int pr) 1860 { 1861 int pos = 0; 1862 static int priority = 200; 1863 1864 memcpy(alg->base.cra_name, "stdrng", 6); 1865 if (pr) { 1866 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1867 pos = 8; 1868 } else { 1869 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1870 pos = 10; 1871 } 1872 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1873 strlen(core->cra_name)); 1874 1875 alg->base.cra_priority = priority; 1876 priority++; 1877 /* 1878 * If FIPS mode enabled, the selected DRBG shall have the 1879 * highest cra_priority over other stdrng instances to ensure 1880 * it is selected. 1881 */ 1882 if (fips_enabled) 1883 alg->base.cra_priority += 200; 1884 1885 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1886 alg->base.cra_module = THIS_MODULE; 1887 alg->base.cra_init = drbg_kcapi_init; 1888 alg->base.cra_exit = drbg_kcapi_cleanup; 1889 alg->generate = drbg_kcapi_random; 1890 alg->seed = drbg_kcapi_seed; 1891 alg->set_ent = drbg_kcapi_set_entropy; 1892 alg->seedsize = 0; 1893 } 1894 1895 static int __init drbg_init(void) 1896 { 1897 unsigned int i = 0; /* pointer to drbg_algs */ 1898 unsigned int j = 0; /* pointer to drbg_cores */ 1899 int ret = -EFAULT; 1900 1901 ret = drbg_healthcheck_sanity(); 1902 if (ret) 1903 return ret; 1904 1905 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1906 pr_info("DRBG: Cannot register all DRBG types" 1907 "(slots needed: %zu, slots available: %zu)\n", 1908 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1909 return ret; 1910 } 1911 1912 /* 1913 * each DRBG definition can be used with PR and without PR, thus 1914 * we instantiate each DRBG in drbg_cores[] twice. 1915 * 1916 * As the order of placing them into the drbg_algs array matters 1917 * (the later DRBGs receive a higher cra_priority) we register the 1918 * prediction resistance DRBGs first as the should not be too 1919 * interesting. 1920 */ 1921 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1922 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1923 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1924 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1925 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1926 } 1927 1928 static void __exit drbg_exit(void) 1929 { 1930 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1931 } 1932 1933 module_init(drbg_init); 1934 module_exit(drbg_exit); 1935 #ifndef CRYPTO_DRBG_HASH_STRING 1936 #define CRYPTO_DRBG_HASH_STRING "" 1937 #endif 1938 #ifndef CRYPTO_DRBG_HMAC_STRING 1939 #define CRYPTO_DRBG_HMAC_STRING "" 1940 #endif 1941 #ifndef CRYPTO_DRBG_CTR_STRING 1942 #define CRYPTO_DRBG_CTR_STRING "" 1943 #endif 1944 MODULE_LICENSE("GPL"); 1945 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1946 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1947 "using following cores: " 1948 CRYPTO_DRBG_HASH_STRING 1949 CRYPTO_DRBG_HMAC_STRING 1950 CRYPTO_DRBG_CTR_STRING); 1951 MODULE_ALIAS_CRYPTO("stdrng"); 1952