1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 102 /*************************************************************** 103 * Backend cipher definitions available to DRBG 104 ***************************************************************/ 105 106 /* 107 * The order of the DRBG definitions here matter: every DRBG is registered 108 * as stdrng. Each DRBG receives an increasing cra_priority values the later 109 * they are defined in this array (see drbg_fill_array). 110 * 111 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 112 * the SHA256 / AES 256 over other ciphers. Thus, the favored 113 * DRBGs are the latest entries in this array. 114 */ 115 static const struct drbg_core drbg_cores[] = { 116 #ifdef CONFIG_CRYPTO_DRBG_CTR 117 { 118 .flags = DRBG_CTR | DRBG_STRENGTH128, 119 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 120 .blocklen_bytes = 16, 121 .cra_name = "ctr_aes128", 122 .backend_cra_name = "ecb(aes)", 123 }, { 124 .flags = DRBG_CTR | DRBG_STRENGTH192, 125 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 126 .blocklen_bytes = 16, 127 .cra_name = "ctr_aes192", 128 .backend_cra_name = "ecb(aes)", 129 }, { 130 .flags = DRBG_CTR | DRBG_STRENGTH256, 131 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 132 .blocklen_bytes = 16, 133 .cra_name = "ctr_aes256", 134 .backend_cra_name = "ecb(aes)", 135 }, 136 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 137 #ifdef CONFIG_CRYPTO_DRBG_HASH 138 { 139 .flags = DRBG_HASH | DRBG_STRENGTH128, 140 .statelen = 55, /* 440 bits */ 141 .blocklen_bytes = 20, 142 .cra_name = "sha1", 143 .backend_cra_name = "sha1", 144 }, { 145 .flags = DRBG_HASH | DRBG_STRENGTH256, 146 .statelen = 111, /* 888 bits */ 147 .blocklen_bytes = 48, 148 .cra_name = "sha384", 149 .backend_cra_name = "sha384", 150 }, { 151 .flags = DRBG_HASH | DRBG_STRENGTH256, 152 .statelen = 111, /* 888 bits */ 153 .blocklen_bytes = 64, 154 .cra_name = "sha512", 155 .backend_cra_name = "sha512", 156 }, { 157 .flags = DRBG_HASH | DRBG_STRENGTH256, 158 .statelen = 55, /* 440 bits */ 159 .blocklen_bytes = 32, 160 .cra_name = "sha256", 161 .backend_cra_name = "sha256", 162 }, 163 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 164 #ifdef CONFIG_CRYPTO_DRBG_HMAC 165 { 166 .flags = DRBG_HMAC | DRBG_STRENGTH128, 167 .statelen = 20, /* block length of cipher */ 168 .blocklen_bytes = 20, 169 .cra_name = "hmac_sha1", 170 .backend_cra_name = "hmac(sha1)", 171 }, { 172 .flags = DRBG_HMAC | DRBG_STRENGTH256, 173 .statelen = 48, /* block length of cipher */ 174 .blocklen_bytes = 48, 175 .cra_name = "hmac_sha384", 176 .backend_cra_name = "hmac(sha384)", 177 }, { 178 .flags = DRBG_HMAC | DRBG_STRENGTH256, 179 .statelen = 64, /* block length of cipher */ 180 .blocklen_bytes = 64, 181 .cra_name = "hmac_sha512", 182 .backend_cra_name = "hmac(sha512)", 183 }, { 184 .flags = DRBG_HMAC | DRBG_STRENGTH256, 185 .statelen = 32, /* block length of cipher */ 186 .blocklen_bytes = 32, 187 .cra_name = "hmac_sha256", 188 .backend_cra_name = "hmac(sha256)", 189 }, 190 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 191 }; 192 193 /****************************************************************** 194 * Generic helper functions 195 ******************************************************************/ 196 197 /* 198 * Return strength of DRBG according to SP800-90A section 8.4 199 * 200 * @flags DRBG flags reference 201 * 202 * Return: normalized strength in *bytes* value or 32 as default 203 * to counter programming errors 204 */ 205 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 206 { 207 switch (flags & DRBG_STRENGTH_MASK) { 208 case DRBG_STRENGTH128: 209 return 16; 210 case DRBG_STRENGTH192: 211 return 24; 212 case DRBG_STRENGTH256: 213 return 32; 214 default: 215 return 32; 216 } 217 } 218 219 /* 220 * FIPS 140-2 continuous self test 221 * The test is performed on the result of one round of the output 222 * function. Thus, the function implicitly knows the size of the 223 * buffer. 224 * 225 * The FIPS test can be called in an endless loop until it returns 226 * true. Although the code looks like a potential for a deadlock, it 227 * is not the case, because returning a false cannot mathematically 228 * occur (except once when a reseed took place and the updated state 229 * would is now set up such that the generation of new value returns 230 * an identical one -- this is most unlikely and would happen only once). 231 * Thus, if this function repeatedly returns false and thus would cause 232 * a deadlock, the integrity of the entire kernel is lost. 233 * 234 * @drbg DRBG handle 235 * @buf output buffer of random data to be checked 236 * 237 * return: 238 * true on success 239 * false on error 240 */ 241 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 242 const unsigned char *buf) 243 { 244 #ifdef CONFIG_CRYPTO_FIPS 245 int ret = 0; 246 /* skip test if we test the overall system */ 247 if (drbg->test_data) 248 return true; 249 /* only perform test in FIPS mode */ 250 if (0 == fips_enabled) 251 return true; 252 if (!drbg->fips_primed) { 253 /* Priming of FIPS test */ 254 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 255 drbg->fips_primed = true; 256 /* return false due to priming, i.e. another round is needed */ 257 return false; 258 } 259 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 260 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 261 /* the test shall pass when the two compared values are not equal */ 262 return ret != 0; 263 #else 264 return true; 265 #endif /* CONFIG_CRYPTO_FIPS */ 266 } 267 268 /* 269 * Convert an integer into a byte representation of this integer. 270 * The byte representation is big-endian 271 * 272 * @val value to be converted 273 * @buf buffer holding the converted integer -- caller must ensure that 274 * buffer size is at least 32 bit 275 */ 276 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 277 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 278 { 279 struct s { 280 __be32 conv; 281 }; 282 struct s *conversion = (struct s *) buf; 283 284 conversion->conv = cpu_to_be32(val); 285 } 286 287 /* 288 * Increment buffer 289 * 290 * @dst buffer to increment 291 * @add value to add 292 */ 293 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 294 const unsigned char *add, size_t addlen) 295 { 296 /* implied: dstlen > addlen */ 297 unsigned char *dstptr; 298 const unsigned char *addptr; 299 unsigned int remainder = 0; 300 size_t len = addlen; 301 302 dstptr = dst + (dstlen-1); 303 addptr = add + (addlen-1); 304 while (len) { 305 remainder += *dstptr + *addptr; 306 *dstptr = remainder & 0xff; 307 remainder >>= 8; 308 len--; dstptr--; addptr--; 309 } 310 len = dstlen - addlen; 311 while (len && remainder > 0) { 312 remainder = *dstptr + 1; 313 *dstptr = remainder & 0xff; 314 remainder >>= 8; 315 len--; dstptr--; 316 } 317 } 318 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 319 320 /****************************************************************** 321 * CTR DRBG callback functions 322 ******************************************************************/ 323 324 #ifdef CONFIG_CRYPTO_DRBG_CTR 325 #define CRYPTO_DRBG_CTR_STRING "CTR " 326 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 327 unsigned char *outval, const struct drbg_string *in); 328 static int drbg_init_sym_kernel(struct drbg_state *drbg); 329 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 330 331 /* BCC function for CTR DRBG as defined in 10.4.3 */ 332 static int drbg_ctr_bcc(struct drbg_state *drbg, 333 unsigned char *out, const unsigned char *key, 334 struct list_head *in) 335 { 336 int ret = 0; 337 struct drbg_string *curr = NULL; 338 struct drbg_string data; 339 short cnt = 0; 340 341 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 342 343 /* 10.4.3 step 1 */ 344 memset(out, 0, drbg_blocklen(drbg)); 345 346 /* 10.4.3 step 2 / 4 */ 347 list_for_each_entry(curr, in, list) { 348 const unsigned char *pos = curr->buf; 349 size_t len = curr->len; 350 /* 10.4.3 step 4.1 */ 351 while (len) { 352 /* 10.4.3 step 4.2 */ 353 if (drbg_blocklen(drbg) == cnt) { 354 cnt = 0; 355 ret = drbg_kcapi_sym(drbg, key, out, &data); 356 if (ret) 357 return ret; 358 } 359 out[cnt] ^= *pos; 360 pos++; 361 cnt++; 362 len--; 363 } 364 } 365 /* 10.4.3 step 4.2 for last block */ 366 if (cnt) 367 ret = drbg_kcapi_sym(drbg, key, out, &data); 368 369 return ret; 370 } 371 372 /* 373 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 374 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 375 * the scratchpad is used as follows: 376 * drbg_ctr_update: 377 * temp 378 * start: drbg->scratchpad 379 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 380 * note: the cipher writing into this variable works 381 * blocklen-wise. Now, when the statelen is not a multiple 382 * of blocklen, the generateion loop below "spills over" 383 * by at most blocklen. Thus, we need to give sufficient 384 * memory. 385 * df_data 386 * start: drbg->scratchpad + 387 * drbg_statelen(drbg) + drbg_blocklen(drbg) 388 * length: drbg_statelen(drbg) 389 * 390 * drbg_ctr_df: 391 * pad 392 * start: df_data + drbg_statelen(drbg) 393 * length: drbg_blocklen(drbg) 394 * iv 395 * start: pad + drbg_blocklen(drbg) 396 * length: drbg_blocklen(drbg) 397 * temp 398 * start: iv + drbg_blocklen(drbg) 399 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 400 * note: temp is the buffer that the BCC function operates 401 * on. BCC operates blockwise. drbg_statelen(drbg) 402 * is sufficient when the DRBG state length is a multiple 403 * of the block size. For AES192 (and maybe other ciphers) 404 * this is not correct and the length for temp is 405 * insufficient (yes, that also means for such ciphers, 406 * the final output of all BCC rounds are truncated). 407 * Therefore, add drbg_blocklen(drbg) to cover all 408 * possibilities. 409 */ 410 411 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 412 static int drbg_ctr_df(struct drbg_state *drbg, 413 unsigned char *df_data, size_t bytes_to_return, 414 struct list_head *seedlist) 415 { 416 int ret = -EFAULT; 417 unsigned char L_N[8]; 418 /* S3 is input */ 419 struct drbg_string S1, S2, S4, cipherin; 420 LIST_HEAD(bcc_list); 421 unsigned char *pad = df_data + drbg_statelen(drbg); 422 unsigned char *iv = pad + drbg_blocklen(drbg); 423 unsigned char *temp = iv + drbg_blocklen(drbg); 424 size_t padlen = 0; 425 unsigned int templen = 0; 426 /* 10.4.2 step 7 */ 427 unsigned int i = 0; 428 /* 10.4.2 step 8 */ 429 const unsigned char *K = (unsigned char *) 430 "\x00\x01\x02\x03\x04\x05\x06\x07" 431 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 432 "\x10\x11\x12\x13\x14\x15\x16\x17" 433 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 434 unsigned char *X; 435 size_t generated_len = 0; 436 size_t inputlen = 0; 437 struct drbg_string *seed = NULL; 438 439 memset(pad, 0, drbg_blocklen(drbg)); 440 memset(iv, 0, drbg_blocklen(drbg)); 441 memset(temp, 0, drbg_statelen(drbg)); 442 443 /* 10.4.2 step 1 is implicit as we work byte-wise */ 444 445 /* 10.4.2 step 2 */ 446 if ((512/8) < bytes_to_return) 447 return -EINVAL; 448 449 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 450 list_for_each_entry(seed, seedlist, list) 451 inputlen += seed->len; 452 drbg_cpu_to_be32(inputlen, &L_N[0]); 453 454 /* 10.4.2 step 3 */ 455 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 456 457 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 458 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 459 /* wrap the padlen appropriately */ 460 if (padlen) 461 padlen = drbg_blocklen(drbg) - padlen; 462 /* 463 * pad / padlen contains the 0x80 byte and the following zero bytes. 464 * As the calculated padlen value only covers the number of zero 465 * bytes, this value has to be incremented by one for the 0x80 byte. 466 */ 467 padlen++; 468 pad[0] = 0x80; 469 470 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 471 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 472 list_add_tail(&S1.list, &bcc_list); 473 drbg_string_fill(&S2, L_N, sizeof(L_N)); 474 list_add_tail(&S2.list, &bcc_list); 475 list_splice_tail(seedlist, &bcc_list); 476 drbg_string_fill(&S4, pad, padlen); 477 list_add_tail(&S4.list, &bcc_list); 478 479 /* 10.4.2 step 9 */ 480 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 481 /* 482 * 10.4.2 step 9.1 - the padding is implicit as the buffer 483 * holds zeros after allocation -- even the increment of i 484 * is irrelevant as the increment remains within length of i 485 */ 486 drbg_cpu_to_be32(i, iv); 487 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 488 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 489 if (ret) 490 goto out; 491 /* 10.4.2 step 9.3 */ 492 i++; 493 templen += drbg_blocklen(drbg); 494 } 495 496 /* 10.4.2 step 11 */ 497 X = temp + (drbg_keylen(drbg)); 498 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 499 500 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 501 502 /* 10.4.2 step 13 */ 503 while (generated_len < bytes_to_return) { 504 short blocklen = 0; 505 /* 506 * 10.4.2 step 13.1: the truncation of the key length is 507 * implicit as the key is only drbg_blocklen in size based on 508 * the implementation of the cipher function callback 509 */ 510 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 511 if (ret) 512 goto out; 513 blocklen = (drbg_blocklen(drbg) < 514 (bytes_to_return - generated_len)) ? 515 drbg_blocklen(drbg) : 516 (bytes_to_return - generated_len); 517 /* 10.4.2 step 13.2 and 14 */ 518 memcpy(df_data + generated_len, X, blocklen); 519 generated_len += blocklen; 520 } 521 522 ret = 0; 523 524 out: 525 memset(iv, 0, drbg_blocklen(drbg)); 526 memset(temp, 0, drbg_statelen(drbg)); 527 memset(pad, 0, drbg_blocklen(drbg)); 528 return ret; 529 } 530 531 /* 532 * update function of CTR DRBG as defined in 10.2.1.2 533 * 534 * The reseed variable has an enhanced meaning compared to the update 535 * functions of the other DRBGs as follows: 536 * 0 => initial seed from initialization 537 * 1 => reseed via drbg_seed 538 * 2 => first invocation from drbg_ctr_update when addtl is present. In 539 * this case, the df_data scratchpad is not deleted so that it is 540 * available for another calls to prevent calling the DF function 541 * again. 542 * 3 => second invocation from drbg_ctr_update. When the update function 543 * was called with addtl, the df_data memory already contains the 544 * DFed addtl information and we do not need to call DF again. 545 */ 546 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 547 int reseed) 548 { 549 int ret = -EFAULT; 550 /* 10.2.1.2 step 1 */ 551 unsigned char *temp = drbg->scratchpad; 552 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 553 drbg_blocklen(drbg); 554 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 555 unsigned int len = 0; 556 struct drbg_string cipherin; 557 unsigned char prefix = DRBG_PREFIX1; 558 559 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 560 if (3 > reseed) 561 memset(df_data, 0, drbg_statelen(drbg)); 562 563 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 564 if (seed) { 565 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 566 if (ret) 567 goto out; 568 } 569 570 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 571 /* 572 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 573 * zeroizes all memory during initialization 574 */ 575 while (len < (drbg_statelen(drbg))) { 576 /* 10.2.1.2 step 2.1 */ 577 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 578 /* 579 * 10.2.1.2 step 2.2 */ 580 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 581 if (ret) 582 goto out; 583 /* 10.2.1.2 step 2.3 and 3 */ 584 len += drbg_blocklen(drbg); 585 } 586 587 /* 10.2.1.2 step 4 */ 588 temp_p = temp; 589 df_data_p = df_data; 590 for (len = 0; len < drbg_statelen(drbg); len++) { 591 *temp_p ^= *df_data_p; 592 df_data_p++; temp_p++; 593 } 594 595 /* 10.2.1.2 step 5 */ 596 memcpy(drbg->C, temp, drbg_keylen(drbg)); 597 /* 10.2.1.2 step 6 */ 598 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 599 ret = 0; 600 601 out: 602 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 603 if (2 != reseed) 604 memset(df_data, 0, drbg_statelen(drbg)); 605 return ret; 606 } 607 608 /* 609 * scratchpad use: drbg_ctr_update is called independently from 610 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 611 */ 612 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 613 static int drbg_ctr_generate(struct drbg_state *drbg, 614 unsigned char *buf, unsigned int buflen, 615 struct list_head *addtl) 616 { 617 int len = 0; 618 int ret = 0; 619 struct drbg_string data; 620 unsigned char prefix = DRBG_PREFIX1; 621 622 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 623 624 /* 10.2.1.5.2 step 2 */ 625 if (addtl && !list_empty(addtl)) { 626 ret = drbg_ctr_update(drbg, addtl, 2); 627 if (ret) 628 return 0; 629 } 630 631 /* 10.2.1.5.2 step 4.1 */ 632 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 633 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 634 while (len < buflen) { 635 int outlen = 0; 636 /* 10.2.1.5.2 step 4.2 */ 637 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 638 if (ret) { 639 len = ret; 640 goto out; 641 } 642 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 643 drbg_blocklen(drbg) : (buflen - len); 644 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 645 /* 10.2.1.5.2 step 6 */ 646 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 647 continue; 648 } 649 /* 10.2.1.5.2 step 4.3 */ 650 memcpy(buf + len, drbg->scratchpad, outlen); 651 len += outlen; 652 /* 10.2.1.5.2 step 6 */ 653 if (len < buflen) 654 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1); 655 } 656 657 /* 10.2.1.5.2 step 6 */ 658 ret = drbg_ctr_update(drbg, NULL, 3); 659 if (ret) 660 len = ret; 661 662 out: 663 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 664 return len; 665 } 666 667 static struct drbg_state_ops drbg_ctr_ops = { 668 .update = drbg_ctr_update, 669 .generate = drbg_ctr_generate, 670 .crypto_init = drbg_init_sym_kernel, 671 .crypto_fini = drbg_fini_sym_kernel, 672 }; 673 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 674 675 /****************************************************************** 676 * HMAC DRBG callback functions 677 ******************************************************************/ 678 679 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 680 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 681 unsigned char *outval, const struct list_head *in); 682 static int drbg_init_hash_kernel(struct drbg_state *drbg); 683 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 684 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 685 686 #ifdef CONFIG_CRYPTO_DRBG_HMAC 687 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 688 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 689 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 690 int reseed) 691 { 692 int ret = -EFAULT; 693 int i = 0; 694 struct drbg_string seed1, seed2, vdata; 695 LIST_HEAD(seedlist); 696 LIST_HEAD(vdatalist); 697 698 if (!reseed) 699 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 700 memset(drbg->V, 1, drbg_statelen(drbg)); 701 702 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 703 list_add_tail(&seed1.list, &seedlist); 704 /* buffer of seed2 will be filled in for loop below with one byte */ 705 drbg_string_fill(&seed2, NULL, 1); 706 list_add_tail(&seed2.list, &seedlist); 707 /* input data of seed is allowed to be NULL at this point */ 708 if (seed) 709 list_splice_tail(seed, &seedlist); 710 711 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 712 list_add_tail(&vdata.list, &vdatalist); 713 for (i = 2; 0 < i; i--) { 714 /* first round uses 0x0, second 0x1 */ 715 unsigned char prefix = DRBG_PREFIX0; 716 if (1 == i) 717 prefix = DRBG_PREFIX1; 718 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 719 seed2.buf = &prefix; 720 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 721 if (ret) 722 return ret; 723 724 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 725 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 726 if (ret) 727 return ret; 728 729 /* 10.1.2.2 step 3 */ 730 if (!seed) 731 return ret; 732 } 733 734 return 0; 735 } 736 737 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 738 static int drbg_hmac_generate(struct drbg_state *drbg, 739 unsigned char *buf, 740 unsigned int buflen, 741 struct list_head *addtl) 742 { 743 int len = 0; 744 int ret = 0; 745 struct drbg_string data; 746 LIST_HEAD(datalist); 747 748 /* 10.1.2.5 step 2 */ 749 if (addtl && !list_empty(addtl)) { 750 ret = drbg_hmac_update(drbg, addtl, 1); 751 if (ret) 752 return ret; 753 } 754 755 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 756 list_add_tail(&data.list, &datalist); 757 while (len < buflen) { 758 unsigned int outlen = 0; 759 /* 10.1.2.5 step 4.1 */ 760 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 761 if (ret) 762 return ret; 763 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 764 drbg_blocklen(drbg) : (buflen - len); 765 if (!drbg_fips_continuous_test(drbg, drbg->V)) 766 continue; 767 768 /* 10.1.2.5 step 4.2 */ 769 memcpy(buf + len, drbg->V, outlen); 770 len += outlen; 771 } 772 773 /* 10.1.2.5 step 6 */ 774 if (addtl && !list_empty(addtl)) 775 ret = drbg_hmac_update(drbg, addtl, 1); 776 else 777 ret = drbg_hmac_update(drbg, NULL, 1); 778 if (ret) 779 return ret; 780 781 return len; 782 } 783 784 static struct drbg_state_ops drbg_hmac_ops = { 785 .update = drbg_hmac_update, 786 .generate = drbg_hmac_generate, 787 .crypto_init = drbg_init_hash_kernel, 788 .crypto_fini = drbg_fini_hash_kernel, 789 790 }; 791 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 792 793 /****************************************************************** 794 * Hash DRBG callback functions 795 ******************************************************************/ 796 797 #ifdef CONFIG_CRYPTO_DRBG_HASH 798 #define CRYPTO_DRBG_HASH_STRING "HASH " 799 /* 800 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 801 * interlinked, the scratchpad is used as follows: 802 * drbg_hash_update 803 * start: drbg->scratchpad 804 * length: drbg_statelen(drbg) 805 * drbg_hash_df: 806 * start: drbg->scratchpad + drbg_statelen(drbg) 807 * length: drbg_blocklen(drbg) 808 * 809 * drbg_hash_process_addtl uses the scratchpad, but fully completes 810 * before either of the functions mentioned before are invoked. Therefore, 811 * drbg_hash_process_addtl does not need to be specifically considered. 812 */ 813 814 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 815 static int drbg_hash_df(struct drbg_state *drbg, 816 unsigned char *outval, size_t outlen, 817 struct list_head *entropylist) 818 { 819 int ret = 0; 820 size_t len = 0; 821 unsigned char input[5]; 822 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 823 struct drbg_string data; 824 825 memset(tmp, 0, drbg_blocklen(drbg)); 826 827 /* 10.4.1 step 3 */ 828 input[0] = 1; 829 drbg_cpu_to_be32((outlen * 8), &input[1]); 830 831 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 832 drbg_string_fill(&data, input, 5); 833 list_add(&data.list, entropylist); 834 835 /* 10.4.1 step 4 */ 836 while (len < outlen) { 837 short blocklen = 0; 838 /* 10.4.1 step 4.1 */ 839 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 840 if (ret) 841 goto out; 842 /* 10.4.1 step 4.2 */ 843 input[0]++; 844 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 845 drbg_blocklen(drbg) : (outlen - len); 846 memcpy(outval + len, tmp, blocklen); 847 len += blocklen; 848 } 849 850 out: 851 memset(tmp, 0, drbg_blocklen(drbg)); 852 return ret; 853 } 854 855 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 856 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 857 int reseed) 858 { 859 int ret = 0; 860 struct drbg_string data1, data2; 861 LIST_HEAD(datalist); 862 LIST_HEAD(datalist2); 863 unsigned char *V = drbg->scratchpad; 864 unsigned char prefix = DRBG_PREFIX1; 865 866 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 867 if (!seed) 868 return -EINVAL; 869 870 if (reseed) { 871 /* 10.1.1.3 step 1 */ 872 memcpy(V, drbg->V, drbg_statelen(drbg)); 873 drbg_string_fill(&data1, &prefix, 1); 874 list_add_tail(&data1.list, &datalist); 875 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 876 list_add_tail(&data2.list, &datalist); 877 } 878 list_splice_tail(seed, &datalist); 879 880 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 881 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 882 if (ret) 883 goto out; 884 885 /* 10.1.1.2 / 10.1.1.3 step 4 */ 886 prefix = DRBG_PREFIX0; 887 drbg_string_fill(&data1, &prefix, 1); 888 list_add_tail(&data1.list, &datalist2); 889 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 890 list_add_tail(&data2.list, &datalist2); 891 /* 10.1.1.2 / 10.1.1.3 step 4 */ 892 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 893 894 out: 895 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 896 return ret; 897 } 898 899 /* processing of additional information string for Hash DRBG */ 900 static int drbg_hash_process_addtl(struct drbg_state *drbg, 901 struct list_head *addtl) 902 { 903 int ret = 0; 904 struct drbg_string data1, data2; 905 LIST_HEAD(datalist); 906 unsigned char prefix = DRBG_PREFIX2; 907 908 /* this is value w as per documentation */ 909 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 910 911 /* 10.1.1.4 step 2 */ 912 if (!addtl || list_empty(addtl)) 913 return 0; 914 915 /* 10.1.1.4 step 2a */ 916 drbg_string_fill(&data1, &prefix, 1); 917 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 918 list_add_tail(&data1.list, &datalist); 919 list_add_tail(&data2.list, &datalist); 920 list_splice_tail(addtl, &datalist); 921 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 922 if (ret) 923 goto out; 924 925 /* 10.1.1.4 step 2b */ 926 drbg_add_buf(drbg->V, drbg_statelen(drbg), 927 drbg->scratchpad, drbg_blocklen(drbg)); 928 929 out: 930 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 931 return ret; 932 } 933 934 /* Hashgen defined in 10.1.1.4 */ 935 static int drbg_hash_hashgen(struct drbg_state *drbg, 936 unsigned char *buf, 937 unsigned int buflen) 938 { 939 int len = 0; 940 int ret = 0; 941 unsigned char *src = drbg->scratchpad; 942 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 943 struct drbg_string data; 944 LIST_HEAD(datalist); 945 unsigned char prefix = DRBG_PREFIX1; 946 947 memset(src, 0, drbg_statelen(drbg)); 948 memset(dst, 0, drbg_blocklen(drbg)); 949 950 /* 10.1.1.4 step hashgen 2 */ 951 memcpy(src, drbg->V, drbg_statelen(drbg)); 952 953 drbg_string_fill(&data, src, drbg_statelen(drbg)); 954 list_add_tail(&data.list, &datalist); 955 while (len < buflen) { 956 unsigned int outlen = 0; 957 /* 10.1.1.4 step hashgen 4.1 */ 958 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 959 if (ret) { 960 len = ret; 961 goto out; 962 } 963 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 964 drbg_blocklen(drbg) : (buflen - len); 965 if (!drbg_fips_continuous_test(drbg, dst)) { 966 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); 967 continue; 968 } 969 /* 10.1.1.4 step hashgen 4.2 */ 970 memcpy(buf + len, dst, outlen); 971 len += outlen; 972 /* 10.1.1.4 hashgen step 4.3 */ 973 if (len < buflen) 974 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1); 975 } 976 977 out: 978 memset(drbg->scratchpad, 0, 979 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 980 return len; 981 } 982 983 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 984 static int drbg_hash_generate(struct drbg_state *drbg, 985 unsigned char *buf, unsigned int buflen, 986 struct list_head *addtl) 987 { 988 int len = 0; 989 int ret = 0; 990 union { 991 unsigned char req[8]; 992 __be64 req_int; 993 } u; 994 unsigned char prefix = DRBG_PREFIX3; 995 struct drbg_string data1, data2; 996 LIST_HEAD(datalist); 997 998 /* 10.1.1.4 step 2 */ 999 ret = drbg_hash_process_addtl(drbg, addtl); 1000 if (ret) 1001 return ret; 1002 /* 10.1.1.4 step 3 */ 1003 len = drbg_hash_hashgen(drbg, buf, buflen); 1004 1005 /* this is the value H as documented in 10.1.1.4 */ 1006 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1007 /* 10.1.1.4 step 4 */ 1008 drbg_string_fill(&data1, &prefix, 1); 1009 list_add_tail(&data1.list, &datalist); 1010 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1011 list_add_tail(&data2.list, &datalist); 1012 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1013 if (ret) { 1014 len = ret; 1015 goto out; 1016 } 1017 1018 /* 10.1.1.4 step 5 */ 1019 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1020 drbg->scratchpad, drbg_blocklen(drbg)); 1021 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1022 drbg->C, drbg_statelen(drbg)); 1023 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1024 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1025 1026 out: 1027 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1028 return len; 1029 } 1030 1031 /* 1032 * scratchpad usage: as update and generate are used isolated, both 1033 * can use the scratchpad 1034 */ 1035 static struct drbg_state_ops drbg_hash_ops = { 1036 .update = drbg_hash_update, 1037 .generate = drbg_hash_generate, 1038 .crypto_init = drbg_init_hash_kernel, 1039 .crypto_fini = drbg_fini_hash_kernel, 1040 }; 1041 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1042 1043 /****************************************************************** 1044 * Functions common for DRBG implementations 1045 ******************************************************************/ 1046 1047 /* 1048 * Seeding or reseeding of the DRBG 1049 * 1050 * @drbg: DRBG state struct 1051 * @pers: personalization / additional information buffer 1052 * @reseed: 0 for initial seed process, 1 for reseeding 1053 * 1054 * return: 1055 * 0 on success 1056 * error value otherwise 1057 */ 1058 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1059 bool reseed) 1060 { 1061 int ret = 0; 1062 unsigned char *entropy = NULL; 1063 size_t entropylen = 0; 1064 struct drbg_string data1; 1065 LIST_HEAD(seedlist); 1066 1067 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1068 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1069 pr_devel("DRBG: personalization string too long %zu\n", 1070 pers->len); 1071 return -EINVAL; 1072 } 1073 1074 if (drbg->test_data && drbg->test_data->testentropy) { 1075 drbg_string_fill(&data1, drbg->test_data->testentropy->buf, 1076 drbg->test_data->testentropy->len); 1077 pr_devel("DRBG: using test entropy\n"); 1078 } else { 1079 /* 1080 * Gather entropy equal to the security strength of the DRBG. 1081 * With a derivation function, a nonce is required in addition 1082 * to the entropy. A nonce must be at least 1/2 of the security 1083 * strength of the DRBG in size. Thus, entropy * nonce is 3/2 1084 * of the strength. The consideration of a nonce is only 1085 * applicable during initial seeding. 1086 */ 1087 entropylen = drbg_sec_strength(drbg->core->flags); 1088 if (!entropylen) 1089 return -EFAULT; 1090 if (!reseed) 1091 entropylen = ((entropylen + 1) / 2) * 3; 1092 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", 1093 entropylen); 1094 entropy = kzalloc(entropylen, GFP_KERNEL); 1095 if (!entropy) 1096 return -ENOMEM; 1097 get_random_bytes(entropy, entropylen); 1098 drbg_string_fill(&data1, entropy, entropylen); 1099 } 1100 list_add_tail(&data1.list, &seedlist); 1101 1102 /* 1103 * concatenation of entropy with personalization str / addtl input) 1104 * the variable pers is directly handed in by the caller, so check its 1105 * contents whether it is appropriate 1106 */ 1107 if (pers && pers->buf && 0 < pers->len) { 1108 list_add_tail(&pers->list, &seedlist); 1109 pr_devel("DRBG: using personalization string\n"); 1110 } 1111 1112 if (!reseed) { 1113 memset(drbg->V, 0, drbg_statelen(drbg)); 1114 memset(drbg->C, 0, drbg_statelen(drbg)); 1115 } 1116 1117 ret = drbg->d_ops->update(drbg, &seedlist, reseed); 1118 if (ret) 1119 goto out; 1120 1121 drbg->seeded = true; 1122 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1123 drbg->reseed_ctr = 1; 1124 1125 out: 1126 kzfree(entropy); 1127 return ret; 1128 } 1129 1130 /* Free all substructures in a DRBG state without the DRBG state structure */ 1131 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1132 { 1133 if (!drbg) 1134 return; 1135 kzfree(drbg->V); 1136 drbg->V = NULL; 1137 kzfree(drbg->C); 1138 drbg->C = NULL; 1139 kzfree(drbg->scratchpad); 1140 drbg->scratchpad = NULL; 1141 drbg->reseed_ctr = 0; 1142 #ifdef CONFIG_CRYPTO_FIPS 1143 kzfree(drbg->prev); 1144 drbg->prev = NULL; 1145 drbg->fips_primed = false; 1146 #endif 1147 } 1148 1149 /* 1150 * Allocate all sub-structures for a DRBG state. 1151 * The DRBG state structure must already be allocated. 1152 */ 1153 static inline int drbg_alloc_state(struct drbg_state *drbg) 1154 { 1155 int ret = -ENOMEM; 1156 unsigned int sb_size = 0; 1157 1158 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1159 if (!drbg->V) 1160 goto err; 1161 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1162 if (!drbg->C) 1163 goto err; 1164 #ifdef CONFIG_CRYPTO_FIPS 1165 drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1166 if (!drbg->prev) 1167 goto err; 1168 drbg->fips_primed = false; 1169 #endif 1170 /* scratchpad is only generated for CTR and Hash */ 1171 if (drbg->core->flags & DRBG_HMAC) 1172 sb_size = 0; 1173 else if (drbg->core->flags & DRBG_CTR) 1174 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1175 drbg_statelen(drbg) + /* df_data */ 1176 drbg_blocklen(drbg) + /* pad */ 1177 drbg_blocklen(drbg) + /* iv */ 1178 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1179 else 1180 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1181 1182 if (0 < sb_size) { 1183 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1184 if (!drbg->scratchpad) 1185 goto err; 1186 } 1187 spin_lock_init(&drbg->drbg_lock); 1188 return 0; 1189 1190 err: 1191 drbg_dealloc_state(drbg); 1192 return ret; 1193 } 1194 1195 /* 1196 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG 1197 * and perform all operations on this shadow copy. After finishing, restore 1198 * the updated state of the shadow copy into original drbg state. This way, 1199 * only the read and write operations of the original drbg state must be 1200 * locked 1201 */ 1202 static inline void drbg_copy_drbg(struct drbg_state *src, 1203 struct drbg_state *dst) 1204 { 1205 if (!src || !dst) 1206 return; 1207 memcpy(dst->V, src->V, drbg_statelen(src)); 1208 memcpy(dst->C, src->C, drbg_statelen(src)); 1209 dst->reseed_ctr = src->reseed_ctr; 1210 dst->seeded = src->seeded; 1211 dst->pr = src->pr; 1212 #ifdef CONFIG_CRYPTO_FIPS 1213 dst->fips_primed = src->fips_primed; 1214 memcpy(dst->prev, src->prev, drbg_blocklen(src)); 1215 #endif 1216 /* 1217 * Not copied: 1218 * scratchpad is initialized drbg_alloc_state; 1219 * priv_data is initialized with call to crypto_init; 1220 * d_ops and core are set outside, as these parameters are const; 1221 * test_data is set outside to prevent it being copied back. 1222 */ 1223 } 1224 1225 static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) 1226 { 1227 int ret = -ENOMEM; 1228 struct drbg_state *tmp = NULL; 1229 1230 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1231 if (!tmp) 1232 return -ENOMEM; 1233 1234 /* read-only data as they are defined as const, no lock needed */ 1235 tmp->core = drbg->core; 1236 tmp->d_ops = drbg->d_ops; 1237 1238 ret = drbg_alloc_state(tmp); 1239 if (ret) 1240 goto err; 1241 1242 spin_lock_bh(&drbg->drbg_lock); 1243 drbg_copy_drbg(drbg, tmp); 1244 /* only make a link to the test buffer, as we only read that data */ 1245 tmp->test_data = drbg->test_data; 1246 spin_unlock_bh(&drbg->drbg_lock); 1247 *shadow = tmp; 1248 return 0; 1249 1250 err: 1251 kzfree(tmp); 1252 return ret; 1253 } 1254 1255 static void drbg_restore_shadow(struct drbg_state *drbg, 1256 struct drbg_state **shadow) 1257 { 1258 struct drbg_state *tmp = *shadow; 1259 1260 spin_lock_bh(&drbg->drbg_lock); 1261 drbg_copy_drbg(tmp, drbg); 1262 spin_unlock_bh(&drbg->drbg_lock); 1263 drbg_dealloc_state(tmp); 1264 kzfree(tmp); 1265 *shadow = NULL; 1266 } 1267 1268 /************************************************************************* 1269 * DRBG interface functions 1270 *************************************************************************/ 1271 1272 /* 1273 * DRBG generate function as required by SP800-90A - this function 1274 * generates random numbers 1275 * 1276 * @drbg DRBG state handle 1277 * @buf Buffer where to store the random numbers -- the buffer must already 1278 * be pre-allocated by caller 1279 * @buflen Length of output buffer - this value defines the number of random 1280 * bytes pulled from DRBG 1281 * @addtl Additional input that is mixed into state, may be NULL -- note 1282 * the entropy is pulled by the DRBG internally unconditionally 1283 * as defined in SP800-90A. The additional input is mixed into 1284 * the state in addition to the pulled entropy. 1285 * 1286 * return: generated number of bytes 1287 */ 1288 static int drbg_generate(struct drbg_state *drbg, 1289 unsigned char *buf, unsigned int buflen, 1290 struct drbg_string *addtl) 1291 { 1292 int len = 0; 1293 struct drbg_state *shadow = NULL; 1294 LIST_HEAD(addtllist); 1295 struct drbg_string timestamp; 1296 union { 1297 cycles_t cycles; 1298 unsigned char char_cycles[sizeof(cycles_t)]; 1299 } now; 1300 1301 if (0 == buflen || !buf) { 1302 pr_devel("DRBG: no output buffer provided\n"); 1303 return -EINVAL; 1304 } 1305 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1306 pr_devel("DRBG: wrong format of additional information\n"); 1307 return -EINVAL; 1308 } 1309 1310 len = drbg_make_shadow(drbg, &shadow); 1311 if (len) { 1312 pr_devel("DRBG: shadow copy cannot be generated\n"); 1313 return len; 1314 } 1315 1316 /* 9.3.1 step 2 */ 1317 len = -EINVAL; 1318 if (buflen > (drbg_max_request_bytes(shadow))) { 1319 pr_devel("DRBG: requested random numbers too large %u\n", 1320 buflen); 1321 goto err; 1322 } 1323 1324 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1325 1326 /* 9.3.1 step 4 */ 1327 if (addtl && addtl->len > (drbg_max_addtl(shadow))) { 1328 pr_devel("DRBG: additional information string too long %zu\n", 1329 addtl->len); 1330 goto err; 1331 } 1332 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1333 1334 /* 1335 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1336 * here. The spec is a bit convoluted here, we make it simpler. 1337 */ 1338 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) 1339 shadow->seeded = false; 1340 1341 /* allocate cipher handle */ 1342 len = shadow->d_ops->crypto_init(shadow); 1343 if (len) 1344 goto err; 1345 1346 if (shadow->pr || !shadow->seeded) { 1347 pr_devel("DRBG: reseeding before generation (prediction " 1348 "resistance: %s, state %s)\n", 1349 drbg->pr ? "true" : "false", 1350 drbg->seeded ? "seeded" : "unseeded"); 1351 /* 9.3.1 steps 7.1 through 7.3 */ 1352 len = drbg_seed(shadow, addtl, true); 1353 if (len) 1354 goto err; 1355 /* 9.3.1 step 7.4 */ 1356 addtl = NULL; 1357 } 1358 1359 /* 1360 * Mix the time stamp into the DRBG state if the DRBG is not in 1361 * test mode. If there are two callers invoking the DRBG at the same 1362 * time, i.e. before the first caller merges its shadow state back, 1363 * both callers would obtain the same random number stream without 1364 * changing the state here. 1365 */ 1366 if (!drbg->test_data) { 1367 now.cycles = random_get_entropy(); 1368 drbg_string_fill(×tamp, now.char_cycles, sizeof(cycles_t)); 1369 list_add_tail(×tamp.list, &addtllist); 1370 } 1371 if (addtl && 0 < addtl->len) 1372 list_add_tail(&addtl->list, &addtllist); 1373 /* 9.3.1 step 8 and 10 */ 1374 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist); 1375 1376 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1377 shadow->reseed_ctr++; 1378 if (0 >= len) 1379 goto err; 1380 1381 /* 1382 * Section 11.3.3 requires to re-perform self tests after some 1383 * generated random numbers. The chosen value after which self 1384 * test is performed is arbitrary, but it should be reasonable. 1385 * However, we do not perform the self tests because of the following 1386 * reasons: it is mathematically impossible that the initial self tests 1387 * were successfully and the following are not. If the initial would 1388 * pass and the following would not, the kernel integrity is violated. 1389 * In this case, the entire kernel operation is questionable and it 1390 * is unlikely that the integrity violation only affects the 1391 * correct operation of the DRBG. 1392 * 1393 * Albeit the following code is commented out, it is provided in 1394 * case somebody has a need to implement the test of 11.3.3. 1395 */ 1396 #if 0 1397 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { 1398 int err = 0; 1399 pr_devel("DRBG: start to perform self test\n"); 1400 if (drbg->core->flags & DRBG_HMAC) 1401 err = alg_test("drbg_pr_hmac_sha256", 1402 "drbg_pr_hmac_sha256", 0, 0); 1403 else if (drbg->core->flags & DRBG_CTR) 1404 err = alg_test("drbg_pr_ctr_aes128", 1405 "drbg_pr_ctr_aes128", 0, 0); 1406 else 1407 err = alg_test("drbg_pr_sha256", 1408 "drbg_pr_sha256", 0, 0); 1409 if (err) { 1410 pr_err("DRBG: periodical self test failed\n"); 1411 /* 1412 * uninstantiate implies that from now on, only errors 1413 * are returned when reusing this DRBG cipher handle 1414 */ 1415 drbg_uninstantiate(drbg); 1416 drbg_dealloc_state(shadow); 1417 kzfree(shadow); 1418 return 0; 1419 } else { 1420 pr_devel("DRBG: self test successful\n"); 1421 } 1422 } 1423 #endif 1424 1425 err: 1426 shadow->d_ops->crypto_fini(shadow); 1427 drbg_restore_shadow(drbg, &shadow); 1428 return len; 1429 } 1430 1431 /* 1432 * Wrapper around drbg_generate which can pull arbitrary long strings 1433 * from the DRBG without hitting the maximum request limitation. 1434 * 1435 * Parameters: see drbg_generate 1436 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1437 * the entire drbg_generate_long request fails 1438 */ 1439 static int drbg_generate_long(struct drbg_state *drbg, 1440 unsigned char *buf, unsigned int buflen, 1441 struct drbg_string *addtl) 1442 { 1443 int len = 0; 1444 unsigned int slice = 0; 1445 do { 1446 int tmplen = 0; 1447 unsigned int chunk = 0; 1448 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1449 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1450 tmplen = drbg_generate(drbg, buf + len, chunk, addtl); 1451 if (0 >= tmplen) 1452 return tmplen; 1453 len += tmplen; 1454 } while (slice > 0 && (len < buflen)); 1455 return len; 1456 } 1457 1458 /* 1459 * DRBG instantiation function as required by SP800-90A - this function 1460 * sets up the DRBG handle, performs the initial seeding and all sanity 1461 * checks required by SP800-90A 1462 * 1463 * @drbg memory of state -- if NULL, new memory is allocated 1464 * @pers Personalization string that is mixed into state, may be NULL -- note 1465 * the entropy is pulled by the DRBG internally unconditionally 1466 * as defined in SP800-90A. The additional input is mixed into 1467 * the state in addition to the pulled entropy. 1468 * @coreref reference to core 1469 * @pr prediction resistance enabled 1470 * 1471 * return 1472 * 0 on success 1473 * error value otherwise 1474 */ 1475 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1476 int coreref, bool pr) 1477 { 1478 int ret = -ENOMEM; 1479 1480 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1481 "%s\n", coreref, pr ? "enabled" : "disabled"); 1482 drbg->core = &drbg_cores[coreref]; 1483 drbg->pr = pr; 1484 drbg->seeded = false; 1485 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1486 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1487 case DRBG_HMAC: 1488 drbg->d_ops = &drbg_hmac_ops; 1489 break; 1490 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1491 #ifdef CONFIG_CRYPTO_DRBG_HASH 1492 case DRBG_HASH: 1493 drbg->d_ops = &drbg_hash_ops; 1494 break; 1495 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1496 #ifdef CONFIG_CRYPTO_DRBG_CTR 1497 case DRBG_CTR: 1498 drbg->d_ops = &drbg_ctr_ops; 1499 break; 1500 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1501 default: 1502 return -EOPNOTSUPP; 1503 } 1504 1505 /* 9.1 step 1 is implicit with the selected DRBG type */ 1506 1507 /* 1508 * 9.1 step 2 is implicit as caller can select prediction resistance 1509 * and the flag is copied into drbg->flags -- 1510 * all DRBG types support prediction resistance 1511 */ 1512 1513 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1514 1515 ret = drbg_alloc_state(drbg); 1516 if (ret) 1517 return ret; 1518 1519 ret = -EFAULT; 1520 if (drbg->d_ops->crypto_init(drbg)) 1521 goto err; 1522 ret = drbg_seed(drbg, pers, false); 1523 drbg->d_ops->crypto_fini(drbg); 1524 if (ret) 1525 goto err; 1526 1527 return 0; 1528 1529 err: 1530 drbg_dealloc_state(drbg); 1531 return ret; 1532 } 1533 1534 /* 1535 * DRBG uninstantiate function as required by SP800-90A - this function 1536 * frees all buffers and the DRBG handle 1537 * 1538 * @drbg DRBG state handle 1539 * 1540 * return 1541 * 0 on success 1542 */ 1543 static int drbg_uninstantiate(struct drbg_state *drbg) 1544 { 1545 spin_lock_bh(&drbg->drbg_lock); 1546 drbg_dealloc_state(drbg); 1547 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1548 spin_unlock_bh(&drbg->drbg_lock); 1549 return 0; 1550 } 1551 1552 /* 1553 * Helper function for setting the test data in the DRBG 1554 * 1555 * @drbg DRBG state handle 1556 * @test_data test data to sets 1557 */ 1558 static inline void drbg_set_testdata(struct drbg_state *drbg, 1559 struct drbg_test_data *test_data) 1560 { 1561 if (!test_data || !test_data->testentropy) 1562 return; 1563 spin_lock_bh(&drbg->drbg_lock); 1564 drbg->test_data = test_data; 1565 spin_unlock_bh(&drbg->drbg_lock); 1566 } 1567 1568 /*************************************************************** 1569 * Kernel crypto API cipher invocations requested by DRBG 1570 ***************************************************************/ 1571 1572 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1573 struct sdesc { 1574 struct shash_desc shash; 1575 char ctx[]; 1576 }; 1577 1578 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1579 { 1580 struct sdesc *sdesc; 1581 struct crypto_shash *tfm; 1582 1583 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1584 if (IS_ERR(tfm)) { 1585 pr_info("DRBG: could not allocate digest TFM handle\n"); 1586 return PTR_ERR(tfm); 1587 } 1588 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1589 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1590 GFP_KERNEL); 1591 if (!sdesc) { 1592 crypto_free_shash(tfm); 1593 return -ENOMEM; 1594 } 1595 1596 sdesc->shash.tfm = tfm; 1597 sdesc->shash.flags = 0; 1598 drbg->priv_data = sdesc; 1599 return 0; 1600 } 1601 1602 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1603 { 1604 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1605 if (sdesc) { 1606 crypto_free_shash(sdesc->shash.tfm); 1607 kzfree(sdesc); 1608 } 1609 drbg->priv_data = NULL; 1610 return 0; 1611 } 1612 1613 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1614 unsigned char *outval, const struct list_head *in) 1615 { 1616 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1617 struct drbg_string *input = NULL; 1618 1619 if (key) 1620 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1621 crypto_shash_init(&sdesc->shash); 1622 list_for_each_entry(input, in, list) 1623 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1624 return crypto_shash_final(&sdesc->shash, outval); 1625 } 1626 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1627 1628 #ifdef CONFIG_CRYPTO_DRBG_CTR 1629 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1630 { 1631 int ret = 0; 1632 struct crypto_blkcipher *tfm; 1633 1634 tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0); 1635 if (IS_ERR(tfm)) { 1636 pr_info("DRBG: could not allocate cipher TFM handle\n"); 1637 return PTR_ERR(tfm); 1638 } 1639 BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm)); 1640 drbg->priv_data = tfm; 1641 return ret; 1642 } 1643 1644 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1645 { 1646 struct crypto_blkcipher *tfm = 1647 (struct crypto_blkcipher *)drbg->priv_data; 1648 if (tfm) 1649 crypto_free_blkcipher(tfm); 1650 drbg->priv_data = NULL; 1651 return 0; 1652 } 1653 1654 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1655 unsigned char *outval, const struct drbg_string *in) 1656 { 1657 int ret = 0; 1658 struct scatterlist sg_in, sg_out; 1659 struct blkcipher_desc desc; 1660 struct crypto_blkcipher *tfm = 1661 (struct crypto_blkcipher *)drbg->priv_data; 1662 1663 desc.tfm = tfm; 1664 desc.flags = 0; 1665 crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg))); 1666 /* there is only component in *in */ 1667 sg_init_one(&sg_in, in->buf, in->len); 1668 sg_init_one(&sg_out, outval, drbg_blocklen(drbg)); 1669 ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len); 1670 1671 return ret; 1672 } 1673 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1674 1675 /*************************************************************** 1676 * Kernel crypto API interface to register DRBG 1677 ***************************************************************/ 1678 1679 /* 1680 * Look up the DRBG flags by given kernel crypto API cra_name 1681 * The code uses the drbg_cores definition to do this 1682 * 1683 * @cra_name kernel crypto API cra_name 1684 * @coreref reference to integer which is filled with the pointer to 1685 * the applicable core 1686 * @pr reference for setting prediction resistance 1687 * 1688 * return: flags 1689 */ 1690 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1691 int *coreref, bool *pr) 1692 { 1693 int i = 0; 1694 size_t start = 0; 1695 int len = 0; 1696 1697 *pr = true; 1698 /* disassemble the names */ 1699 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1700 start = 10; 1701 *pr = false; 1702 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1703 start = 8; 1704 } else { 1705 return; 1706 } 1707 1708 /* remove the first part */ 1709 len = strlen(cra_driver_name) - start; 1710 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1711 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1712 len)) { 1713 *coreref = i; 1714 return; 1715 } 1716 } 1717 } 1718 1719 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1720 { 1721 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1722 bool pr = false; 1723 int coreref = 0; 1724 1725 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr); 1726 /* 1727 * when personalization string is needed, the caller must call reset 1728 * and provide the personalization string as seed information 1729 */ 1730 return drbg_instantiate(drbg, NULL, coreref, pr); 1731 } 1732 1733 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1734 { 1735 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1736 } 1737 1738 /* 1739 * Generate random numbers invoked by the kernel crypto API: 1740 * The API of the kernel crypto API is extended as follows: 1741 * 1742 * If dlen is larger than zero, rdata is interpreted as the output buffer 1743 * where random data is to be stored. 1744 * 1745 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen 1746 * which holds the additional information string that is used for the 1747 * DRBG generation process. The output buffer that is to be used to store 1748 * data is also pointed to by struct drbg_gen. 1749 */ 1750 static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, 1751 unsigned int dlen) 1752 { 1753 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1754 if (0 < dlen) { 1755 return drbg_generate_long(drbg, rdata, dlen, NULL); 1756 } else { 1757 struct drbg_gen *data = (struct drbg_gen *)rdata; 1758 struct drbg_string addtl; 1759 /* catch NULL pointer */ 1760 if (!data) 1761 return 0; 1762 drbg_set_testdata(drbg, data->test_data); 1763 /* linked list variable is now local to allow modification */ 1764 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len); 1765 return drbg_generate_long(drbg, data->outbuf, data->outlen, 1766 &addtl); 1767 } 1768 } 1769 1770 /* 1771 * Reset the DRBG invoked by the kernel crypto API 1772 * The reset implies a full re-initialization of the DRBG. Similar to the 1773 * generate function of drbg_kcapi_random, this function extends the 1774 * kernel crypto API interface with struct drbg_gen 1775 */ 1776 static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) 1777 { 1778 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1779 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1780 bool pr = false; 1781 struct drbg_string seed_string; 1782 int coreref = 0; 1783 1784 drbg_uninstantiate(drbg); 1785 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1786 &pr); 1787 if (0 < slen) { 1788 drbg_string_fill(&seed_string, seed, slen); 1789 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1790 } else { 1791 struct drbg_gen *data = (struct drbg_gen *)seed; 1792 /* allow invocation of API call with NULL, 0 */ 1793 if (!data) 1794 return drbg_instantiate(drbg, NULL, coreref, pr); 1795 drbg_set_testdata(drbg, data->test_data); 1796 /* linked list variable is now local to allow modification */ 1797 drbg_string_fill(&seed_string, data->addtl->buf, 1798 data->addtl->len); 1799 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1800 } 1801 } 1802 1803 /*************************************************************** 1804 * Kernel module: code to load the module 1805 ***************************************************************/ 1806 1807 /* 1808 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1809 * of the error handling. 1810 * 1811 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1812 * as seed source of get_random_bytes does not fail. 1813 * 1814 * Note 2: There is no sensible way of testing the reseed counter 1815 * enforcement, so skip it. 1816 */ 1817 static inline int __init drbg_healthcheck_sanity(void) 1818 { 1819 #ifdef CONFIG_CRYPTO_FIPS 1820 int len = 0; 1821 #define OUTBUFLEN 16 1822 unsigned char buf[OUTBUFLEN]; 1823 struct drbg_state *drbg = NULL; 1824 int ret = -EFAULT; 1825 int rc = -EFAULT; 1826 bool pr = false; 1827 int coreref = 0; 1828 struct drbg_string addtl; 1829 size_t max_addtllen, max_request_bytes; 1830 1831 /* only perform test in FIPS mode */ 1832 if (!fips_enabled) 1833 return 0; 1834 1835 #ifdef CONFIG_CRYPTO_DRBG_CTR 1836 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1837 #elif defined CONFIG_CRYPTO_DRBG_HASH 1838 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1839 #else 1840 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1841 #endif 1842 1843 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1844 if (!drbg) 1845 return -ENOMEM; 1846 1847 /* 1848 * if the following tests fail, it is likely that there is a buffer 1849 * overflow as buf is much smaller than the requested or provided 1850 * string lengths -- in case the error handling does not succeed 1851 * we may get an OOPS. And we want to get an OOPS as this is a 1852 * grave bug. 1853 */ 1854 1855 /* get a valid instance of DRBG for following tests */ 1856 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1857 if (ret) { 1858 rc = ret; 1859 goto outbuf; 1860 } 1861 max_addtllen = drbg_max_addtl(drbg); 1862 max_request_bytes = drbg_max_request_bytes(drbg); 1863 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1864 /* overflow addtllen with additonal info string */ 1865 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1866 BUG_ON(0 < len); 1867 /* overflow max_bits */ 1868 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1869 BUG_ON(0 < len); 1870 drbg_uninstantiate(drbg); 1871 1872 /* overflow max addtllen with personalization string */ 1873 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1874 BUG_ON(0 == ret); 1875 /* all tests passed */ 1876 rc = 0; 1877 1878 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1879 "completed\n"); 1880 1881 drbg_uninstantiate(drbg); 1882 outbuf: 1883 kzfree(drbg); 1884 return rc; 1885 #else /* CONFIG_CRYPTO_FIPS */ 1886 return 0; 1887 #endif /* CONFIG_CRYPTO_FIPS */ 1888 } 1889 1890 static struct crypto_alg drbg_algs[22]; 1891 1892 /* 1893 * Fill the array drbg_algs used to register the different DRBGs 1894 * with the kernel crypto API. To fill the array, the information 1895 * from drbg_cores[] is used. 1896 */ 1897 static inline void __init drbg_fill_array(struct crypto_alg *alg, 1898 const struct drbg_core *core, int pr) 1899 { 1900 int pos = 0; 1901 static int priority = 100; 1902 1903 memset(alg, 0, sizeof(struct crypto_alg)); 1904 memcpy(alg->cra_name, "stdrng", 6); 1905 if (pr) { 1906 memcpy(alg->cra_driver_name, "drbg_pr_", 8); 1907 pos = 8; 1908 } else { 1909 memcpy(alg->cra_driver_name, "drbg_nopr_", 10); 1910 pos = 10; 1911 } 1912 memcpy(alg->cra_driver_name + pos, core->cra_name, 1913 strlen(core->cra_name)); 1914 1915 alg->cra_priority = priority; 1916 priority++; 1917 /* 1918 * If FIPS mode enabled, the selected DRBG shall have the 1919 * highest cra_priority over other stdrng instances to ensure 1920 * it is selected. 1921 */ 1922 if (fips_enabled) 1923 alg->cra_priority += 200; 1924 1925 alg->cra_flags = CRYPTO_ALG_TYPE_RNG; 1926 alg->cra_ctxsize = sizeof(struct drbg_state); 1927 alg->cra_type = &crypto_rng_type; 1928 alg->cra_module = THIS_MODULE; 1929 alg->cra_init = drbg_kcapi_init; 1930 alg->cra_exit = drbg_kcapi_cleanup; 1931 alg->cra_u.rng.rng_make_random = drbg_kcapi_random; 1932 alg->cra_u.rng.rng_reset = drbg_kcapi_reset; 1933 alg->cra_u.rng.seedsize = 0; 1934 } 1935 1936 static int __init drbg_init(void) 1937 { 1938 unsigned int i = 0; /* pointer to drbg_algs */ 1939 unsigned int j = 0; /* pointer to drbg_cores */ 1940 int ret = -EFAULT; 1941 1942 ret = drbg_healthcheck_sanity(); 1943 if (ret) 1944 return ret; 1945 1946 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1947 pr_info("DRBG: Cannot register all DRBG types" 1948 "(slots needed: %zu, slots available: %zu)\n", 1949 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1950 return ret; 1951 } 1952 1953 /* 1954 * each DRBG definition can be used with PR and without PR, thus 1955 * we instantiate each DRBG in drbg_cores[] twice. 1956 * 1957 * As the order of placing them into the drbg_algs array matters 1958 * (the later DRBGs receive a higher cra_priority) we register the 1959 * prediction resistance DRBGs first as the should not be too 1960 * interesting. 1961 */ 1962 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1963 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1964 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1965 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1966 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1967 } 1968 1969 static void __exit drbg_exit(void) 1970 { 1971 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1972 } 1973 1974 module_init(drbg_init); 1975 module_exit(drbg_exit); 1976 #ifndef CRYPTO_DRBG_HASH_STRING 1977 #define CRYPTO_DRBG_HASH_STRING "" 1978 #endif 1979 #ifndef CRYPTO_DRBG_HMAC_STRING 1980 #define CRYPTO_DRBG_HMAC_STRING "" 1981 #endif 1982 #ifndef CRYPTO_DRBG_CTR_STRING 1983 #define CRYPTO_DRBG_CTR_STRING "" 1984 #endif 1985 MODULE_LICENSE("GPL"); 1986 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1987 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1988 "using following cores: " 1989 CRYPTO_DRBG_HASH_STRING 1990 CRYPTO_DRBG_HMAC_STRING 1991 CRYPTO_DRBG_CTR_STRING); 1992