1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 102 /*************************************************************** 103 * Backend cipher definitions available to DRBG 104 ***************************************************************/ 105 106 /* 107 * The order of the DRBG definitions here matter: every DRBG is registered 108 * as stdrng. Each DRBG receives an increasing cra_priority values the later 109 * they are defined in this array (see drbg_fill_array). 110 * 111 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 112 * the SHA256 / AES 256 over other ciphers. Thus, the favored 113 * DRBGs are the latest entries in this array. 114 */ 115 static const struct drbg_core drbg_cores[] = { 116 #ifdef CONFIG_CRYPTO_DRBG_CTR 117 { 118 .flags = DRBG_CTR | DRBG_STRENGTH128, 119 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 120 .blocklen_bytes = 16, 121 .cra_name = "ctr_aes128", 122 .backend_cra_name = "ecb(aes)", 123 }, { 124 .flags = DRBG_CTR | DRBG_STRENGTH192, 125 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 126 .blocklen_bytes = 16, 127 .cra_name = "ctr_aes192", 128 .backend_cra_name = "ecb(aes)", 129 }, { 130 .flags = DRBG_CTR | DRBG_STRENGTH256, 131 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 132 .blocklen_bytes = 16, 133 .cra_name = "ctr_aes256", 134 .backend_cra_name = "ecb(aes)", 135 }, 136 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 137 #ifdef CONFIG_CRYPTO_DRBG_HASH 138 { 139 .flags = DRBG_HASH | DRBG_STRENGTH128, 140 .statelen = 55, /* 440 bits */ 141 .blocklen_bytes = 20, 142 .cra_name = "sha1", 143 .backend_cra_name = "sha1", 144 }, { 145 .flags = DRBG_HASH | DRBG_STRENGTH256, 146 .statelen = 111, /* 888 bits */ 147 .blocklen_bytes = 48, 148 .cra_name = "sha384", 149 .backend_cra_name = "sha384", 150 }, { 151 .flags = DRBG_HASH | DRBG_STRENGTH256, 152 .statelen = 111, /* 888 bits */ 153 .blocklen_bytes = 64, 154 .cra_name = "sha512", 155 .backend_cra_name = "sha512", 156 }, { 157 .flags = DRBG_HASH | DRBG_STRENGTH256, 158 .statelen = 55, /* 440 bits */ 159 .blocklen_bytes = 32, 160 .cra_name = "sha256", 161 .backend_cra_name = "sha256", 162 }, 163 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 164 #ifdef CONFIG_CRYPTO_DRBG_HMAC 165 { 166 .flags = DRBG_HMAC | DRBG_STRENGTH128, 167 .statelen = 20, /* block length of cipher */ 168 .blocklen_bytes = 20, 169 .cra_name = "hmac_sha1", 170 .backend_cra_name = "hmac(sha1)", 171 }, { 172 .flags = DRBG_HMAC | DRBG_STRENGTH256, 173 .statelen = 48, /* block length of cipher */ 174 .blocklen_bytes = 48, 175 .cra_name = "hmac_sha384", 176 .backend_cra_name = "hmac(sha384)", 177 }, { 178 .flags = DRBG_HMAC | DRBG_STRENGTH256, 179 .statelen = 64, /* block length of cipher */ 180 .blocklen_bytes = 64, 181 .cra_name = "hmac_sha512", 182 .backend_cra_name = "hmac(sha512)", 183 }, { 184 .flags = DRBG_HMAC | DRBG_STRENGTH256, 185 .statelen = 32, /* block length of cipher */ 186 .blocklen_bytes = 32, 187 .cra_name = "hmac_sha256", 188 .backend_cra_name = "hmac(sha256)", 189 }, 190 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 191 }; 192 193 /****************************************************************** 194 * Generic helper functions 195 ******************************************************************/ 196 197 /* 198 * Return strength of DRBG according to SP800-90A section 8.4 199 * 200 * @flags DRBG flags reference 201 * 202 * Return: normalized strength in *bytes* value or 32 as default 203 * to counter programming errors 204 */ 205 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 206 { 207 switch (flags & DRBG_STRENGTH_MASK) { 208 case DRBG_STRENGTH128: 209 return 16; 210 case DRBG_STRENGTH192: 211 return 24; 212 case DRBG_STRENGTH256: 213 return 32; 214 default: 215 return 32; 216 } 217 } 218 219 /* 220 * FIPS 140-2 continuous self test 221 * The test is performed on the result of one round of the output 222 * function. Thus, the function implicitly knows the size of the 223 * buffer. 224 * 225 * @drbg DRBG handle 226 * @buf output buffer of random data to be checked 227 * 228 * return: 229 * true on success 230 * false on error 231 */ 232 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 233 const unsigned char *buf) 234 { 235 #ifdef CONFIG_CRYPTO_FIPS 236 int ret = 0; 237 /* skip test if we test the overall system */ 238 if (drbg->test_data) 239 return true; 240 /* only perform test in FIPS mode */ 241 if (0 == fips_enabled) 242 return true; 243 if (!drbg->fips_primed) { 244 /* Priming of FIPS test */ 245 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 246 drbg->fips_primed = true; 247 /* return false due to priming, i.e. another round is needed */ 248 return false; 249 } 250 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 251 if (!ret) 252 panic("DRBG continuous self test failed\n"); 253 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 254 /* the test shall pass when the two compared values are not equal */ 255 return ret != 0; 256 #else 257 return true; 258 #endif /* CONFIG_CRYPTO_FIPS */ 259 } 260 261 /* 262 * Convert an integer into a byte representation of this integer. 263 * The byte representation is big-endian 264 * 265 * @val value to be converted 266 * @buf buffer holding the converted integer -- caller must ensure that 267 * buffer size is at least 32 bit 268 */ 269 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 270 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 271 { 272 struct s { 273 __be32 conv; 274 }; 275 struct s *conversion = (struct s *) buf; 276 277 conversion->conv = cpu_to_be32(val); 278 } 279 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 280 281 /****************************************************************** 282 * CTR DRBG callback functions 283 ******************************************************************/ 284 285 #ifdef CONFIG_CRYPTO_DRBG_CTR 286 #define CRYPTO_DRBG_CTR_STRING "CTR " 287 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 288 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 289 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 290 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 291 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 292 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 293 294 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 295 unsigned char *outval, const struct drbg_string *in); 296 static int drbg_init_sym_kernel(struct drbg_state *drbg); 297 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 298 299 /* BCC function for CTR DRBG as defined in 10.4.3 */ 300 static int drbg_ctr_bcc(struct drbg_state *drbg, 301 unsigned char *out, const unsigned char *key, 302 struct list_head *in) 303 { 304 int ret = 0; 305 struct drbg_string *curr = NULL; 306 struct drbg_string data; 307 short cnt = 0; 308 309 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 310 311 /* 10.4.3 step 1 */ 312 memset(out, 0, drbg_blocklen(drbg)); 313 314 /* 10.4.3 step 2 / 4 */ 315 list_for_each_entry(curr, in, list) { 316 const unsigned char *pos = curr->buf; 317 size_t len = curr->len; 318 /* 10.4.3 step 4.1 */ 319 while (len) { 320 /* 10.4.3 step 4.2 */ 321 if (drbg_blocklen(drbg) == cnt) { 322 cnt = 0; 323 ret = drbg_kcapi_sym(drbg, key, out, &data); 324 if (ret) 325 return ret; 326 } 327 out[cnt] ^= *pos; 328 pos++; 329 cnt++; 330 len--; 331 } 332 } 333 /* 10.4.3 step 4.2 for last block */ 334 if (cnt) 335 ret = drbg_kcapi_sym(drbg, key, out, &data); 336 337 return ret; 338 } 339 340 /* 341 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 342 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 343 * the scratchpad is used as follows: 344 * drbg_ctr_update: 345 * temp 346 * start: drbg->scratchpad 347 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 348 * note: the cipher writing into this variable works 349 * blocklen-wise. Now, when the statelen is not a multiple 350 * of blocklen, the generateion loop below "spills over" 351 * by at most blocklen. Thus, we need to give sufficient 352 * memory. 353 * df_data 354 * start: drbg->scratchpad + 355 * drbg_statelen(drbg) + drbg_blocklen(drbg) 356 * length: drbg_statelen(drbg) 357 * 358 * drbg_ctr_df: 359 * pad 360 * start: df_data + drbg_statelen(drbg) 361 * length: drbg_blocklen(drbg) 362 * iv 363 * start: pad + drbg_blocklen(drbg) 364 * length: drbg_blocklen(drbg) 365 * temp 366 * start: iv + drbg_blocklen(drbg) 367 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 368 * note: temp is the buffer that the BCC function operates 369 * on. BCC operates blockwise. drbg_statelen(drbg) 370 * is sufficient when the DRBG state length is a multiple 371 * of the block size. For AES192 (and maybe other ciphers) 372 * this is not correct and the length for temp is 373 * insufficient (yes, that also means for such ciphers, 374 * the final output of all BCC rounds are truncated). 375 * Therefore, add drbg_blocklen(drbg) to cover all 376 * possibilities. 377 */ 378 379 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 380 static int drbg_ctr_df(struct drbg_state *drbg, 381 unsigned char *df_data, size_t bytes_to_return, 382 struct list_head *seedlist) 383 { 384 int ret = -EFAULT; 385 unsigned char L_N[8]; 386 /* S3 is input */ 387 struct drbg_string S1, S2, S4, cipherin; 388 LIST_HEAD(bcc_list); 389 unsigned char *pad = df_data + drbg_statelen(drbg); 390 unsigned char *iv = pad + drbg_blocklen(drbg); 391 unsigned char *temp = iv + drbg_blocklen(drbg); 392 size_t padlen = 0; 393 unsigned int templen = 0; 394 /* 10.4.2 step 7 */ 395 unsigned int i = 0; 396 /* 10.4.2 step 8 */ 397 const unsigned char *K = (unsigned char *) 398 "\x00\x01\x02\x03\x04\x05\x06\x07" 399 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 400 "\x10\x11\x12\x13\x14\x15\x16\x17" 401 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 402 unsigned char *X; 403 size_t generated_len = 0; 404 size_t inputlen = 0; 405 struct drbg_string *seed = NULL; 406 407 memset(pad, 0, drbg_blocklen(drbg)); 408 memset(iv, 0, drbg_blocklen(drbg)); 409 memset(temp, 0, drbg_statelen(drbg)); 410 411 /* 10.4.2 step 1 is implicit as we work byte-wise */ 412 413 /* 10.4.2 step 2 */ 414 if ((512/8) < bytes_to_return) 415 return -EINVAL; 416 417 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 418 list_for_each_entry(seed, seedlist, list) 419 inputlen += seed->len; 420 drbg_cpu_to_be32(inputlen, &L_N[0]); 421 422 /* 10.4.2 step 3 */ 423 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 424 425 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 426 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 427 /* wrap the padlen appropriately */ 428 if (padlen) 429 padlen = drbg_blocklen(drbg) - padlen; 430 /* 431 * pad / padlen contains the 0x80 byte and the following zero bytes. 432 * As the calculated padlen value only covers the number of zero 433 * bytes, this value has to be incremented by one for the 0x80 byte. 434 */ 435 padlen++; 436 pad[0] = 0x80; 437 438 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 439 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 440 list_add_tail(&S1.list, &bcc_list); 441 drbg_string_fill(&S2, L_N, sizeof(L_N)); 442 list_add_tail(&S2.list, &bcc_list); 443 list_splice_tail(seedlist, &bcc_list); 444 drbg_string_fill(&S4, pad, padlen); 445 list_add_tail(&S4.list, &bcc_list); 446 447 /* 10.4.2 step 9 */ 448 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 449 /* 450 * 10.4.2 step 9.1 - the padding is implicit as the buffer 451 * holds zeros after allocation -- even the increment of i 452 * is irrelevant as the increment remains within length of i 453 */ 454 drbg_cpu_to_be32(i, iv); 455 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 456 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 457 if (ret) 458 goto out; 459 /* 10.4.2 step 9.3 */ 460 i++; 461 templen += drbg_blocklen(drbg); 462 } 463 464 /* 10.4.2 step 11 */ 465 X = temp + (drbg_keylen(drbg)); 466 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 467 468 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 469 470 /* 10.4.2 step 13 */ 471 while (generated_len < bytes_to_return) { 472 short blocklen = 0; 473 /* 474 * 10.4.2 step 13.1: the truncation of the key length is 475 * implicit as the key is only drbg_blocklen in size based on 476 * the implementation of the cipher function callback 477 */ 478 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 479 if (ret) 480 goto out; 481 blocklen = (drbg_blocklen(drbg) < 482 (bytes_to_return - generated_len)) ? 483 drbg_blocklen(drbg) : 484 (bytes_to_return - generated_len); 485 /* 10.4.2 step 13.2 and 14 */ 486 memcpy(df_data + generated_len, X, blocklen); 487 generated_len += blocklen; 488 } 489 490 ret = 0; 491 492 out: 493 memset(iv, 0, drbg_blocklen(drbg)); 494 memset(temp, 0, drbg_statelen(drbg)); 495 memset(pad, 0, drbg_blocklen(drbg)); 496 return ret; 497 } 498 499 /* 500 * update function of CTR DRBG as defined in 10.2.1.2 501 * 502 * The reseed variable has an enhanced meaning compared to the update 503 * functions of the other DRBGs as follows: 504 * 0 => initial seed from initialization 505 * 1 => reseed via drbg_seed 506 * 2 => first invocation from drbg_ctr_update when addtl is present. In 507 * this case, the df_data scratchpad is not deleted so that it is 508 * available for another calls to prevent calling the DF function 509 * again. 510 * 3 => second invocation from drbg_ctr_update. When the update function 511 * was called with addtl, the df_data memory already contains the 512 * DFed addtl information and we do not need to call DF again. 513 */ 514 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 515 int reseed) 516 { 517 int ret = -EFAULT; 518 /* 10.2.1.2 step 1 */ 519 unsigned char *temp = drbg->scratchpad; 520 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 521 drbg_blocklen(drbg); 522 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 523 unsigned int len = 0; 524 struct drbg_string cipherin; 525 526 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 527 if (3 > reseed) 528 memset(df_data, 0, drbg_statelen(drbg)); 529 530 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 531 if (seed) { 532 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 533 if (ret) 534 goto out; 535 } 536 537 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 538 /* 539 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 540 * zeroizes all memory during initialization 541 */ 542 while (len < (drbg_statelen(drbg))) { 543 /* 10.2.1.2 step 2.1 */ 544 crypto_inc(drbg->V, drbg_blocklen(drbg)); 545 /* 546 * 10.2.1.2 step 2.2 */ 547 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 548 if (ret) 549 goto out; 550 /* 10.2.1.2 step 2.3 and 3 */ 551 len += drbg_blocklen(drbg); 552 } 553 554 /* 10.2.1.2 step 4 */ 555 temp_p = temp; 556 df_data_p = df_data; 557 for (len = 0; len < drbg_statelen(drbg); len++) { 558 *temp_p ^= *df_data_p; 559 df_data_p++; temp_p++; 560 } 561 562 /* 10.2.1.2 step 5 */ 563 memcpy(drbg->C, temp, drbg_keylen(drbg)); 564 /* 10.2.1.2 step 6 */ 565 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 566 ret = 0; 567 568 out: 569 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 570 if (2 != reseed) 571 memset(df_data, 0, drbg_statelen(drbg)); 572 return ret; 573 } 574 575 /* 576 * scratchpad use: drbg_ctr_update is called independently from 577 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 578 */ 579 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 580 static int drbg_ctr_generate(struct drbg_state *drbg, 581 unsigned char *buf, unsigned int buflen, 582 struct list_head *addtl) 583 { 584 int len = 0; 585 int ret = 0; 586 struct drbg_string data; 587 588 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 589 590 /* 10.2.1.5.2 step 2 */ 591 if (addtl && !list_empty(addtl)) { 592 ret = drbg_ctr_update(drbg, addtl, 2); 593 if (ret) 594 return 0; 595 } 596 597 /* 10.2.1.5.2 step 4.1 */ 598 crypto_inc(drbg->V, drbg_blocklen(drbg)); 599 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 600 while (len < buflen) { 601 int outlen = 0; 602 /* 10.2.1.5.2 step 4.2 */ 603 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 604 if (ret) { 605 len = ret; 606 goto out; 607 } 608 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 609 drbg_blocklen(drbg) : (buflen - len); 610 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 611 /* 10.2.1.5.2 step 6 */ 612 crypto_inc(drbg->V, drbg_blocklen(drbg)); 613 continue; 614 } 615 /* 10.2.1.5.2 step 4.3 */ 616 memcpy(buf + len, drbg->scratchpad, outlen); 617 len += outlen; 618 /* 10.2.1.5.2 step 6 */ 619 if (len < buflen) 620 crypto_inc(drbg->V, drbg_blocklen(drbg)); 621 } 622 623 /* 10.2.1.5.2 step 6 */ 624 ret = drbg_ctr_update(drbg, NULL, 3); 625 if (ret) 626 len = ret; 627 628 out: 629 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 630 return len; 631 } 632 633 static struct drbg_state_ops drbg_ctr_ops = { 634 .update = drbg_ctr_update, 635 .generate = drbg_ctr_generate, 636 .crypto_init = drbg_init_sym_kernel, 637 .crypto_fini = drbg_fini_sym_kernel, 638 }; 639 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 640 641 /****************************************************************** 642 * HMAC DRBG callback functions 643 ******************************************************************/ 644 645 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 646 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 647 unsigned char *outval, const struct list_head *in); 648 static int drbg_init_hash_kernel(struct drbg_state *drbg); 649 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 650 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 651 652 #ifdef CONFIG_CRYPTO_DRBG_HMAC 653 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 654 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 655 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 656 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 657 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 658 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 659 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 660 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 661 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 662 663 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 664 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 665 int reseed) 666 { 667 int ret = -EFAULT; 668 int i = 0; 669 struct drbg_string seed1, seed2, vdata; 670 LIST_HEAD(seedlist); 671 LIST_HEAD(vdatalist); 672 673 if (!reseed) 674 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 675 memset(drbg->V, 1, drbg_statelen(drbg)); 676 677 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 678 list_add_tail(&seed1.list, &seedlist); 679 /* buffer of seed2 will be filled in for loop below with one byte */ 680 drbg_string_fill(&seed2, NULL, 1); 681 list_add_tail(&seed2.list, &seedlist); 682 /* input data of seed is allowed to be NULL at this point */ 683 if (seed) 684 list_splice_tail(seed, &seedlist); 685 686 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 687 list_add_tail(&vdata.list, &vdatalist); 688 for (i = 2; 0 < i; i--) { 689 /* first round uses 0x0, second 0x1 */ 690 unsigned char prefix = DRBG_PREFIX0; 691 if (1 == i) 692 prefix = DRBG_PREFIX1; 693 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 694 seed2.buf = &prefix; 695 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 696 if (ret) 697 return ret; 698 699 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 700 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 701 if (ret) 702 return ret; 703 704 /* 10.1.2.2 step 3 */ 705 if (!seed) 706 return ret; 707 } 708 709 return 0; 710 } 711 712 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 713 static int drbg_hmac_generate(struct drbg_state *drbg, 714 unsigned char *buf, 715 unsigned int buflen, 716 struct list_head *addtl) 717 { 718 int len = 0; 719 int ret = 0; 720 struct drbg_string data; 721 LIST_HEAD(datalist); 722 723 /* 10.1.2.5 step 2 */ 724 if (addtl && !list_empty(addtl)) { 725 ret = drbg_hmac_update(drbg, addtl, 1); 726 if (ret) 727 return ret; 728 } 729 730 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 731 list_add_tail(&data.list, &datalist); 732 while (len < buflen) { 733 unsigned int outlen = 0; 734 /* 10.1.2.5 step 4.1 */ 735 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 736 if (ret) 737 return ret; 738 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 739 drbg_blocklen(drbg) : (buflen - len); 740 if (!drbg_fips_continuous_test(drbg, drbg->V)) 741 continue; 742 743 /* 10.1.2.5 step 4.2 */ 744 memcpy(buf + len, drbg->V, outlen); 745 len += outlen; 746 } 747 748 /* 10.1.2.5 step 6 */ 749 if (addtl && !list_empty(addtl)) 750 ret = drbg_hmac_update(drbg, addtl, 1); 751 else 752 ret = drbg_hmac_update(drbg, NULL, 1); 753 if (ret) 754 return ret; 755 756 return len; 757 } 758 759 static struct drbg_state_ops drbg_hmac_ops = { 760 .update = drbg_hmac_update, 761 .generate = drbg_hmac_generate, 762 .crypto_init = drbg_init_hash_kernel, 763 .crypto_fini = drbg_fini_hash_kernel, 764 765 }; 766 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 767 768 /****************************************************************** 769 * Hash DRBG callback functions 770 ******************************************************************/ 771 772 #ifdef CONFIG_CRYPTO_DRBG_HASH 773 #define CRYPTO_DRBG_HASH_STRING "HASH " 774 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 775 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 776 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 777 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 778 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 779 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 780 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 781 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 782 783 /* 784 * Increment buffer 785 * 786 * @dst buffer to increment 787 * @add value to add 788 */ 789 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 790 const unsigned char *add, size_t addlen) 791 { 792 /* implied: dstlen > addlen */ 793 unsigned char *dstptr; 794 const unsigned char *addptr; 795 unsigned int remainder = 0; 796 size_t len = addlen; 797 798 dstptr = dst + (dstlen-1); 799 addptr = add + (addlen-1); 800 while (len) { 801 remainder += *dstptr + *addptr; 802 *dstptr = remainder & 0xff; 803 remainder >>= 8; 804 len--; dstptr--; addptr--; 805 } 806 len = dstlen - addlen; 807 while (len && remainder > 0) { 808 remainder = *dstptr + 1; 809 *dstptr = remainder & 0xff; 810 remainder >>= 8; 811 len--; dstptr--; 812 } 813 } 814 815 /* 816 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 817 * interlinked, the scratchpad is used as follows: 818 * drbg_hash_update 819 * start: drbg->scratchpad 820 * length: drbg_statelen(drbg) 821 * drbg_hash_df: 822 * start: drbg->scratchpad + drbg_statelen(drbg) 823 * length: drbg_blocklen(drbg) 824 * 825 * drbg_hash_process_addtl uses the scratchpad, but fully completes 826 * before either of the functions mentioned before are invoked. Therefore, 827 * drbg_hash_process_addtl does not need to be specifically considered. 828 */ 829 830 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 831 static int drbg_hash_df(struct drbg_state *drbg, 832 unsigned char *outval, size_t outlen, 833 struct list_head *entropylist) 834 { 835 int ret = 0; 836 size_t len = 0; 837 unsigned char input[5]; 838 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 839 struct drbg_string data; 840 841 memset(tmp, 0, drbg_blocklen(drbg)); 842 843 /* 10.4.1 step 3 */ 844 input[0] = 1; 845 drbg_cpu_to_be32((outlen * 8), &input[1]); 846 847 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 848 drbg_string_fill(&data, input, 5); 849 list_add(&data.list, entropylist); 850 851 /* 10.4.1 step 4 */ 852 while (len < outlen) { 853 short blocklen = 0; 854 /* 10.4.1 step 4.1 */ 855 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 856 if (ret) 857 goto out; 858 /* 10.4.1 step 4.2 */ 859 input[0]++; 860 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 861 drbg_blocklen(drbg) : (outlen - len); 862 memcpy(outval + len, tmp, blocklen); 863 len += blocklen; 864 } 865 866 out: 867 memset(tmp, 0, drbg_blocklen(drbg)); 868 return ret; 869 } 870 871 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 872 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 873 int reseed) 874 { 875 int ret = 0; 876 struct drbg_string data1, data2; 877 LIST_HEAD(datalist); 878 LIST_HEAD(datalist2); 879 unsigned char *V = drbg->scratchpad; 880 unsigned char prefix = DRBG_PREFIX1; 881 882 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 883 if (!seed) 884 return -EINVAL; 885 886 if (reseed) { 887 /* 10.1.1.3 step 1 */ 888 memcpy(V, drbg->V, drbg_statelen(drbg)); 889 drbg_string_fill(&data1, &prefix, 1); 890 list_add_tail(&data1.list, &datalist); 891 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 892 list_add_tail(&data2.list, &datalist); 893 } 894 list_splice_tail(seed, &datalist); 895 896 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 897 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 898 if (ret) 899 goto out; 900 901 /* 10.1.1.2 / 10.1.1.3 step 4 */ 902 prefix = DRBG_PREFIX0; 903 drbg_string_fill(&data1, &prefix, 1); 904 list_add_tail(&data1.list, &datalist2); 905 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 906 list_add_tail(&data2.list, &datalist2); 907 /* 10.1.1.2 / 10.1.1.3 step 4 */ 908 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 909 910 out: 911 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 912 return ret; 913 } 914 915 /* processing of additional information string for Hash DRBG */ 916 static int drbg_hash_process_addtl(struct drbg_state *drbg, 917 struct list_head *addtl) 918 { 919 int ret = 0; 920 struct drbg_string data1, data2; 921 LIST_HEAD(datalist); 922 unsigned char prefix = DRBG_PREFIX2; 923 924 /* this is value w as per documentation */ 925 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 926 927 /* 10.1.1.4 step 2 */ 928 if (!addtl || list_empty(addtl)) 929 return 0; 930 931 /* 10.1.1.4 step 2a */ 932 drbg_string_fill(&data1, &prefix, 1); 933 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 934 list_add_tail(&data1.list, &datalist); 935 list_add_tail(&data2.list, &datalist); 936 list_splice_tail(addtl, &datalist); 937 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 938 if (ret) 939 goto out; 940 941 /* 10.1.1.4 step 2b */ 942 drbg_add_buf(drbg->V, drbg_statelen(drbg), 943 drbg->scratchpad, drbg_blocklen(drbg)); 944 945 out: 946 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 947 return ret; 948 } 949 950 /* Hashgen defined in 10.1.1.4 */ 951 static int drbg_hash_hashgen(struct drbg_state *drbg, 952 unsigned char *buf, 953 unsigned int buflen) 954 { 955 int len = 0; 956 int ret = 0; 957 unsigned char *src = drbg->scratchpad; 958 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 959 struct drbg_string data; 960 LIST_HEAD(datalist); 961 962 memset(src, 0, drbg_statelen(drbg)); 963 memset(dst, 0, drbg_blocklen(drbg)); 964 965 /* 10.1.1.4 step hashgen 2 */ 966 memcpy(src, drbg->V, drbg_statelen(drbg)); 967 968 drbg_string_fill(&data, src, drbg_statelen(drbg)); 969 list_add_tail(&data.list, &datalist); 970 while (len < buflen) { 971 unsigned int outlen = 0; 972 /* 10.1.1.4 step hashgen 4.1 */ 973 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 974 if (ret) { 975 len = ret; 976 goto out; 977 } 978 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 979 drbg_blocklen(drbg) : (buflen - len); 980 if (!drbg_fips_continuous_test(drbg, dst)) { 981 crypto_inc(src, drbg_statelen(drbg)); 982 continue; 983 } 984 /* 10.1.1.4 step hashgen 4.2 */ 985 memcpy(buf + len, dst, outlen); 986 len += outlen; 987 /* 10.1.1.4 hashgen step 4.3 */ 988 if (len < buflen) 989 crypto_inc(src, drbg_statelen(drbg)); 990 } 991 992 out: 993 memset(drbg->scratchpad, 0, 994 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 995 return len; 996 } 997 998 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 999 static int drbg_hash_generate(struct drbg_state *drbg, 1000 unsigned char *buf, unsigned int buflen, 1001 struct list_head *addtl) 1002 { 1003 int len = 0; 1004 int ret = 0; 1005 union { 1006 unsigned char req[8]; 1007 __be64 req_int; 1008 } u; 1009 unsigned char prefix = DRBG_PREFIX3; 1010 struct drbg_string data1, data2; 1011 LIST_HEAD(datalist); 1012 1013 /* 10.1.1.4 step 2 */ 1014 ret = drbg_hash_process_addtl(drbg, addtl); 1015 if (ret) 1016 return ret; 1017 /* 10.1.1.4 step 3 */ 1018 len = drbg_hash_hashgen(drbg, buf, buflen); 1019 1020 /* this is the value H as documented in 10.1.1.4 */ 1021 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1022 /* 10.1.1.4 step 4 */ 1023 drbg_string_fill(&data1, &prefix, 1); 1024 list_add_tail(&data1.list, &datalist); 1025 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1026 list_add_tail(&data2.list, &datalist); 1027 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1028 if (ret) { 1029 len = ret; 1030 goto out; 1031 } 1032 1033 /* 10.1.1.4 step 5 */ 1034 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1035 drbg->scratchpad, drbg_blocklen(drbg)); 1036 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1037 drbg->C, drbg_statelen(drbg)); 1038 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1039 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1040 1041 out: 1042 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1043 return len; 1044 } 1045 1046 /* 1047 * scratchpad usage: as update and generate are used isolated, both 1048 * can use the scratchpad 1049 */ 1050 static struct drbg_state_ops drbg_hash_ops = { 1051 .update = drbg_hash_update, 1052 .generate = drbg_hash_generate, 1053 .crypto_init = drbg_init_hash_kernel, 1054 .crypto_fini = drbg_fini_hash_kernel, 1055 }; 1056 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1057 1058 /****************************************************************** 1059 * Functions common for DRBG implementations 1060 ******************************************************************/ 1061 1062 /* 1063 * Seeding or reseeding of the DRBG 1064 * 1065 * @drbg: DRBG state struct 1066 * @pers: personalization / additional information buffer 1067 * @reseed: 0 for initial seed process, 1 for reseeding 1068 * 1069 * return: 1070 * 0 on success 1071 * error value otherwise 1072 */ 1073 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1074 bool reseed) 1075 { 1076 int ret = 0; 1077 unsigned char *entropy = NULL; 1078 size_t entropylen = 0; 1079 struct drbg_string data1; 1080 LIST_HEAD(seedlist); 1081 1082 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1083 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1084 pr_devel("DRBG: personalization string too long %zu\n", 1085 pers->len); 1086 return -EINVAL; 1087 } 1088 1089 if (drbg->test_data && drbg->test_data->testentropy) { 1090 drbg_string_fill(&data1, drbg->test_data->testentropy->buf, 1091 drbg->test_data->testentropy->len); 1092 pr_devel("DRBG: using test entropy\n"); 1093 } else { 1094 /* 1095 * Gather entropy equal to the security strength of the DRBG. 1096 * With a derivation function, a nonce is required in addition 1097 * to the entropy. A nonce must be at least 1/2 of the security 1098 * strength of the DRBG in size. Thus, entropy * nonce is 3/2 1099 * of the strength. The consideration of a nonce is only 1100 * applicable during initial seeding. 1101 */ 1102 entropylen = drbg_sec_strength(drbg->core->flags); 1103 if (!entropylen) 1104 return -EFAULT; 1105 if (!reseed) 1106 entropylen = ((entropylen + 1) / 2) * 3; 1107 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", 1108 entropylen); 1109 entropy = kzalloc(entropylen, GFP_KERNEL); 1110 if (!entropy) 1111 return -ENOMEM; 1112 get_random_bytes(entropy, entropylen); 1113 drbg_string_fill(&data1, entropy, entropylen); 1114 } 1115 list_add_tail(&data1.list, &seedlist); 1116 1117 /* 1118 * concatenation of entropy with personalization str / addtl input) 1119 * the variable pers is directly handed in by the caller, so check its 1120 * contents whether it is appropriate 1121 */ 1122 if (pers && pers->buf && 0 < pers->len) { 1123 list_add_tail(&pers->list, &seedlist); 1124 pr_devel("DRBG: using personalization string\n"); 1125 } 1126 1127 if (!reseed) { 1128 memset(drbg->V, 0, drbg_statelen(drbg)); 1129 memset(drbg->C, 0, drbg_statelen(drbg)); 1130 } 1131 1132 ret = drbg->d_ops->update(drbg, &seedlist, reseed); 1133 if (ret) 1134 goto out; 1135 1136 drbg->seeded = true; 1137 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1138 drbg->reseed_ctr = 1; 1139 1140 out: 1141 kzfree(entropy); 1142 return ret; 1143 } 1144 1145 /* Free all substructures in a DRBG state without the DRBG state structure */ 1146 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1147 { 1148 if (!drbg) 1149 return; 1150 kzfree(drbg->V); 1151 drbg->V = NULL; 1152 kzfree(drbg->C); 1153 drbg->C = NULL; 1154 kzfree(drbg->scratchpad); 1155 drbg->scratchpad = NULL; 1156 drbg->reseed_ctr = 0; 1157 #ifdef CONFIG_CRYPTO_FIPS 1158 kzfree(drbg->prev); 1159 drbg->prev = NULL; 1160 drbg->fips_primed = false; 1161 #endif 1162 } 1163 1164 /* 1165 * Allocate all sub-structures for a DRBG state. 1166 * The DRBG state structure must already be allocated. 1167 */ 1168 static inline int drbg_alloc_state(struct drbg_state *drbg) 1169 { 1170 int ret = -ENOMEM; 1171 unsigned int sb_size = 0; 1172 1173 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1174 if (!drbg->V) 1175 goto err; 1176 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1177 if (!drbg->C) 1178 goto err; 1179 #ifdef CONFIG_CRYPTO_FIPS 1180 drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1181 if (!drbg->prev) 1182 goto err; 1183 drbg->fips_primed = false; 1184 #endif 1185 /* scratchpad is only generated for CTR and Hash */ 1186 if (drbg->core->flags & DRBG_HMAC) 1187 sb_size = 0; 1188 else if (drbg->core->flags & DRBG_CTR) 1189 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1190 drbg_statelen(drbg) + /* df_data */ 1191 drbg_blocklen(drbg) + /* pad */ 1192 drbg_blocklen(drbg) + /* iv */ 1193 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1194 else 1195 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1196 1197 if (0 < sb_size) { 1198 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1199 if (!drbg->scratchpad) 1200 goto err; 1201 } 1202 spin_lock_init(&drbg->drbg_lock); 1203 return 0; 1204 1205 err: 1206 drbg_dealloc_state(drbg); 1207 return ret; 1208 } 1209 1210 /* 1211 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG 1212 * and perform all operations on this shadow copy. After finishing, restore 1213 * the updated state of the shadow copy into original drbg state. This way, 1214 * only the read and write operations of the original drbg state must be 1215 * locked 1216 */ 1217 static inline void drbg_copy_drbg(struct drbg_state *src, 1218 struct drbg_state *dst) 1219 { 1220 if (!src || !dst) 1221 return; 1222 memcpy(dst->V, src->V, drbg_statelen(src)); 1223 memcpy(dst->C, src->C, drbg_statelen(src)); 1224 dst->reseed_ctr = src->reseed_ctr; 1225 dst->seeded = src->seeded; 1226 dst->pr = src->pr; 1227 #ifdef CONFIG_CRYPTO_FIPS 1228 dst->fips_primed = src->fips_primed; 1229 memcpy(dst->prev, src->prev, drbg_blocklen(src)); 1230 #endif 1231 /* 1232 * Not copied: 1233 * scratchpad is initialized drbg_alloc_state; 1234 * priv_data is initialized with call to crypto_init; 1235 * d_ops and core are set outside, as these parameters are const; 1236 * test_data is set outside to prevent it being copied back. 1237 */ 1238 } 1239 1240 static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) 1241 { 1242 int ret = -ENOMEM; 1243 struct drbg_state *tmp = NULL; 1244 1245 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1246 if (!tmp) 1247 return -ENOMEM; 1248 1249 /* read-only data as they are defined as const, no lock needed */ 1250 tmp->core = drbg->core; 1251 tmp->d_ops = drbg->d_ops; 1252 1253 ret = drbg_alloc_state(tmp); 1254 if (ret) 1255 goto err; 1256 1257 spin_lock_bh(&drbg->drbg_lock); 1258 drbg_copy_drbg(drbg, tmp); 1259 /* only make a link to the test buffer, as we only read that data */ 1260 tmp->test_data = drbg->test_data; 1261 spin_unlock_bh(&drbg->drbg_lock); 1262 *shadow = tmp; 1263 return 0; 1264 1265 err: 1266 kzfree(tmp); 1267 return ret; 1268 } 1269 1270 static void drbg_restore_shadow(struct drbg_state *drbg, 1271 struct drbg_state **shadow) 1272 { 1273 struct drbg_state *tmp = *shadow; 1274 1275 spin_lock_bh(&drbg->drbg_lock); 1276 drbg_copy_drbg(tmp, drbg); 1277 spin_unlock_bh(&drbg->drbg_lock); 1278 drbg_dealloc_state(tmp); 1279 kzfree(tmp); 1280 *shadow = NULL; 1281 } 1282 1283 /************************************************************************* 1284 * DRBG interface functions 1285 *************************************************************************/ 1286 1287 /* 1288 * DRBG generate function as required by SP800-90A - this function 1289 * generates random numbers 1290 * 1291 * @drbg DRBG state handle 1292 * @buf Buffer where to store the random numbers -- the buffer must already 1293 * be pre-allocated by caller 1294 * @buflen Length of output buffer - this value defines the number of random 1295 * bytes pulled from DRBG 1296 * @addtl Additional input that is mixed into state, may be NULL -- note 1297 * the entropy is pulled by the DRBG internally unconditionally 1298 * as defined in SP800-90A. The additional input is mixed into 1299 * the state in addition to the pulled entropy. 1300 * 1301 * return: generated number of bytes 1302 */ 1303 static int drbg_generate(struct drbg_state *drbg, 1304 unsigned char *buf, unsigned int buflen, 1305 struct drbg_string *addtl) 1306 { 1307 int len = 0; 1308 struct drbg_state *shadow = NULL; 1309 LIST_HEAD(addtllist); 1310 struct drbg_string timestamp; 1311 union { 1312 cycles_t cycles; 1313 unsigned char char_cycles[sizeof(cycles_t)]; 1314 } now; 1315 1316 if (0 == buflen || !buf) { 1317 pr_devel("DRBG: no output buffer provided\n"); 1318 return -EINVAL; 1319 } 1320 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1321 pr_devel("DRBG: wrong format of additional information\n"); 1322 return -EINVAL; 1323 } 1324 1325 len = drbg_make_shadow(drbg, &shadow); 1326 if (len) { 1327 pr_devel("DRBG: shadow copy cannot be generated\n"); 1328 return len; 1329 } 1330 1331 /* 9.3.1 step 2 */ 1332 len = -EINVAL; 1333 if (buflen > (drbg_max_request_bytes(shadow))) { 1334 pr_devel("DRBG: requested random numbers too large %u\n", 1335 buflen); 1336 goto err; 1337 } 1338 1339 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1340 1341 /* 9.3.1 step 4 */ 1342 if (addtl && addtl->len > (drbg_max_addtl(shadow))) { 1343 pr_devel("DRBG: additional information string too long %zu\n", 1344 addtl->len); 1345 goto err; 1346 } 1347 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1348 1349 /* 1350 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1351 * here. The spec is a bit convoluted here, we make it simpler. 1352 */ 1353 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) 1354 shadow->seeded = false; 1355 1356 /* allocate cipher handle */ 1357 len = shadow->d_ops->crypto_init(shadow); 1358 if (len) 1359 goto err; 1360 1361 if (shadow->pr || !shadow->seeded) { 1362 pr_devel("DRBG: reseeding before generation (prediction " 1363 "resistance: %s, state %s)\n", 1364 drbg->pr ? "true" : "false", 1365 drbg->seeded ? "seeded" : "unseeded"); 1366 /* 9.3.1 steps 7.1 through 7.3 */ 1367 len = drbg_seed(shadow, addtl, true); 1368 if (len) 1369 goto err; 1370 /* 9.3.1 step 7.4 */ 1371 addtl = NULL; 1372 } 1373 1374 /* 1375 * Mix the time stamp into the DRBG state if the DRBG is not in 1376 * test mode. If there are two callers invoking the DRBG at the same 1377 * time, i.e. before the first caller merges its shadow state back, 1378 * both callers would obtain the same random number stream without 1379 * changing the state here. 1380 */ 1381 if (!drbg->test_data) { 1382 now.cycles = random_get_entropy(); 1383 drbg_string_fill(×tamp, now.char_cycles, sizeof(cycles_t)); 1384 list_add_tail(×tamp.list, &addtllist); 1385 } 1386 if (addtl && 0 < addtl->len) 1387 list_add_tail(&addtl->list, &addtllist); 1388 /* 9.3.1 step 8 and 10 */ 1389 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist); 1390 1391 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1392 shadow->reseed_ctr++; 1393 if (0 >= len) 1394 goto err; 1395 1396 /* 1397 * Section 11.3.3 requires to re-perform self tests after some 1398 * generated random numbers. The chosen value after which self 1399 * test is performed is arbitrary, but it should be reasonable. 1400 * However, we do not perform the self tests because of the following 1401 * reasons: it is mathematically impossible that the initial self tests 1402 * were successfully and the following are not. If the initial would 1403 * pass and the following would not, the kernel integrity is violated. 1404 * In this case, the entire kernel operation is questionable and it 1405 * is unlikely that the integrity violation only affects the 1406 * correct operation of the DRBG. 1407 * 1408 * Albeit the following code is commented out, it is provided in 1409 * case somebody has a need to implement the test of 11.3.3. 1410 */ 1411 #if 0 1412 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { 1413 int err = 0; 1414 pr_devel("DRBG: start to perform self test\n"); 1415 if (drbg->core->flags & DRBG_HMAC) 1416 err = alg_test("drbg_pr_hmac_sha256", 1417 "drbg_pr_hmac_sha256", 0, 0); 1418 else if (drbg->core->flags & DRBG_CTR) 1419 err = alg_test("drbg_pr_ctr_aes128", 1420 "drbg_pr_ctr_aes128", 0, 0); 1421 else 1422 err = alg_test("drbg_pr_sha256", 1423 "drbg_pr_sha256", 0, 0); 1424 if (err) { 1425 pr_err("DRBG: periodical self test failed\n"); 1426 /* 1427 * uninstantiate implies that from now on, only errors 1428 * are returned when reusing this DRBG cipher handle 1429 */ 1430 drbg_uninstantiate(drbg); 1431 drbg_dealloc_state(shadow); 1432 kzfree(shadow); 1433 return 0; 1434 } else { 1435 pr_devel("DRBG: self test successful\n"); 1436 } 1437 } 1438 #endif 1439 1440 err: 1441 shadow->d_ops->crypto_fini(shadow); 1442 drbg_restore_shadow(drbg, &shadow); 1443 return len; 1444 } 1445 1446 /* 1447 * Wrapper around drbg_generate which can pull arbitrary long strings 1448 * from the DRBG without hitting the maximum request limitation. 1449 * 1450 * Parameters: see drbg_generate 1451 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1452 * the entire drbg_generate_long request fails 1453 */ 1454 static int drbg_generate_long(struct drbg_state *drbg, 1455 unsigned char *buf, unsigned int buflen, 1456 struct drbg_string *addtl) 1457 { 1458 int len = 0; 1459 unsigned int slice = 0; 1460 do { 1461 int tmplen = 0; 1462 unsigned int chunk = 0; 1463 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1464 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1465 tmplen = drbg_generate(drbg, buf + len, chunk, addtl); 1466 if (0 >= tmplen) 1467 return tmplen; 1468 len += tmplen; 1469 } while (slice > 0 && (len < buflen)); 1470 return len; 1471 } 1472 1473 /* 1474 * DRBG instantiation function as required by SP800-90A - this function 1475 * sets up the DRBG handle, performs the initial seeding and all sanity 1476 * checks required by SP800-90A 1477 * 1478 * @drbg memory of state -- if NULL, new memory is allocated 1479 * @pers Personalization string that is mixed into state, may be NULL -- note 1480 * the entropy is pulled by the DRBG internally unconditionally 1481 * as defined in SP800-90A. The additional input is mixed into 1482 * the state in addition to the pulled entropy. 1483 * @coreref reference to core 1484 * @pr prediction resistance enabled 1485 * 1486 * return 1487 * 0 on success 1488 * error value otherwise 1489 */ 1490 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1491 int coreref, bool pr) 1492 { 1493 int ret = -ENOMEM; 1494 1495 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1496 "%s\n", coreref, pr ? "enabled" : "disabled"); 1497 drbg->core = &drbg_cores[coreref]; 1498 drbg->pr = pr; 1499 drbg->seeded = false; 1500 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1501 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1502 case DRBG_HMAC: 1503 drbg->d_ops = &drbg_hmac_ops; 1504 break; 1505 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1506 #ifdef CONFIG_CRYPTO_DRBG_HASH 1507 case DRBG_HASH: 1508 drbg->d_ops = &drbg_hash_ops; 1509 break; 1510 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1511 #ifdef CONFIG_CRYPTO_DRBG_CTR 1512 case DRBG_CTR: 1513 drbg->d_ops = &drbg_ctr_ops; 1514 break; 1515 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1516 default: 1517 return -EOPNOTSUPP; 1518 } 1519 1520 /* 9.1 step 1 is implicit with the selected DRBG type */ 1521 1522 /* 1523 * 9.1 step 2 is implicit as caller can select prediction resistance 1524 * and the flag is copied into drbg->flags -- 1525 * all DRBG types support prediction resistance 1526 */ 1527 1528 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1529 1530 ret = drbg_alloc_state(drbg); 1531 if (ret) 1532 return ret; 1533 1534 ret = -EFAULT; 1535 if (drbg->d_ops->crypto_init(drbg)) 1536 goto err; 1537 ret = drbg_seed(drbg, pers, false); 1538 drbg->d_ops->crypto_fini(drbg); 1539 if (ret) 1540 goto err; 1541 1542 return 0; 1543 1544 err: 1545 drbg_dealloc_state(drbg); 1546 return ret; 1547 } 1548 1549 /* 1550 * DRBG uninstantiate function as required by SP800-90A - this function 1551 * frees all buffers and the DRBG handle 1552 * 1553 * @drbg DRBG state handle 1554 * 1555 * return 1556 * 0 on success 1557 */ 1558 static int drbg_uninstantiate(struct drbg_state *drbg) 1559 { 1560 spin_lock_bh(&drbg->drbg_lock); 1561 drbg_dealloc_state(drbg); 1562 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1563 spin_unlock_bh(&drbg->drbg_lock); 1564 return 0; 1565 } 1566 1567 /* 1568 * Helper function for setting the test data in the DRBG 1569 * 1570 * @drbg DRBG state handle 1571 * @test_data test data to sets 1572 */ 1573 static inline void drbg_set_testdata(struct drbg_state *drbg, 1574 struct drbg_test_data *test_data) 1575 { 1576 if (!test_data || !test_data->testentropy) 1577 return; 1578 spin_lock_bh(&drbg->drbg_lock); 1579 drbg->test_data = test_data; 1580 spin_unlock_bh(&drbg->drbg_lock); 1581 } 1582 1583 /*************************************************************** 1584 * Kernel crypto API cipher invocations requested by DRBG 1585 ***************************************************************/ 1586 1587 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1588 struct sdesc { 1589 struct shash_desc shash; 1590 char ctx[]; 1591 }; 1592 1593 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1594 { 1595 struct sdesc *sdesc; 1596 struct crypto_shash *tfm; 1597 1598 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1599 if (IS_ERR(tfm)) { 1600 pr_info("DRBG: could not allocate digest TFM handle\n"); 1601 return PTR_ERR(tfm); 1602 } 1603 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1604 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1605 GFP_KERNEL); 1606 if (!sdesc) { 1607 crypto_free_shash(tfm); 1608 return -ENOMEM; 1609 } 1610 1611 sdesc->shash.tfm = tfm; 1612 sdesc->shash.flags = 0; 1613 drbg->priv_data = sdesc; 1614 return 0; 1615 } 1616 1617 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1618 { 1619 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1620 if (sdesc) { 1621 crypto_free_shash(sdesc->shash.tfm); 1622 kzfree(sdesc); 1623 } 1624 drbg->priv_data = NULL; 1625 return 0; 1626 } 1627 1628 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1629 unsigned char *outval, const struct list_head *in) 1630 { 1631 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1632 struct drbg_string *input = NULL; 1633 1634 if (key) 1635 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1636 crypto_shash_init(&sdesc->shash); 1637 list_for_each_entry(input, in, list) 1638 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1639 return crypto_shash_final(&sdesc->shash, outval); 1640 } 1641 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1642 1643 #ifdef CONFIG_CRYPTO_DRBG_CTR 1644 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1645 { 1646 int ret = 0; 1647 struct crypto_blkcipher *tfm; 1648 1649 tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0); 1650 if (IS_ERR(tfm)) { 1651 pr_info("DRBG: could not allocate cipher TFM handle\n"); 1652 return PTR_ERR(tfm); 1653 } 1654 BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm)); 1655 drbg->priv_data = tfm; 1656 return ret; 1657 } 1658 1659 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1660 { 1661 struct crypto_blkcipher *tfm = 1662 (struct crypto_blkcipher *)drbg->priv_data; 1663 if (tfm) 1664 crypto_free_blkcipher(tfm); 1665 drbg->priv_data = NULL; 1666 return 0; 1667 } 1668 1669 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1670 unsigned char *outval, const struct drbg_string *in) 1671 { 1672 int ret = 0; 1673 struct scatterlist sg_in, sg_out; 1674 struct blkcipher_desc desc; 1675 struct crypto_blkcipher *tfm = 1676 (struct crypto_blkcipher *)drbg->priv_data; 1677 1678 desc.tfm = tfm; 1679 desc.flags = 0; 1680 crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg))); 1681 /* there is only component in *in */ 1682 sg_init_one(&sg_in, in->buf, in->len); 1683 sg_init_one(&sg_out, outval, drbg_blocklen(drbg)); 1684 ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len); 1685 1686 return ret; 1687 } 1688 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1689 1690 /*************************************************************** 1691 * Kernel crypto API interface to register DRBG 1692 ***************************************************************/ 1693 1694 /* 1695 * Look up the DRBG flags by given kernel crypto API cra_name 1696 * The code uses the drbg_cores definition to do this 1697 * 1698 * @cra_name kernel crypto API cra_name 1699 * @coreref reference to integer which is filled with the pointer to 1700 * the applicable core 1701 * @pr reference for setting prediction resistance 1702 * 1703 * return: flags 1704 */ 1705 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1706 int *coreref, bool *pr) 1707 { 1708 int i = 0; 1709 size_t start = 0; 1710 int len = 0; 1711 1712 *pr = true; 1713 /* disassemble the names */ 1714 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1715 start = 10; 1716 *pr = false; 1717 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1718 start = 8; 1719 } else { 1720 return; 1721 } 1722 1723 /* remove the first part */ 1724 len = strlen(cra_driver_name) - start; 1725 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1726 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1727 len)) { 1728 *coreref = i; 1729 return; 1730 } 1731 } 1732 } 1733 1734 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1735 { 1736 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1737 bool pr = false; 1738 int coreref = 0; 1739 1740 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr); 1741 /* 1742 * when personalization string is needed, the caller must call reset 1743 * and provide the personalization string as seed information 1744 */ 1745 return drbg_instantiate(drbg, NULL, coreref, pr); 1746 } 1747 1748 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1749 { 1750 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1751 } 1752 1753 /* 1754 * Generate random numbers invoked by the kernel crypto API: 1755 * The API of the kernel crypto API is extended as follows: 1756 * 1757 * If dlen is larger than zero, rdata is interpreted as the output buffer 1758 * where random data is to be stored. 1759 * 1760 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen 1761 * which holds the additional information string that is used for the 1762 * DRBG generation process. The output buffer that is to be used to store 1763 * data is also pointed to by struct drbg_gen. 1764 */ 1765 static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, 1766 unsigned int dlen) 1767 { 1768 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1769 if (0 < dlen) { 1770 return drbg_generate_long(drbg, rdata, dlen, NULL); 1771 } else { 1772 struct drbg_gen *data = (struct drbg_gen *)rdata; 1773 struct drbg_string addtl; 1774 /* catch NULL pointer */ 1775 if (!data) 1776 return 0; 1777 drbg_set_testdata(drbg, data->test_data); 1778 /* linked list variable is now local to allow modification */ 1779 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len); 1780 return drbg_generate_long(drbg, data->outbuf, data->outlen, 1781 &addtl); 1782 } 1783 } 1784 1785 /* 1786 * Reset the DRBG invoked by the kernel crypto API 1787 * The reset implies a full re-initialization of the DRBG. Similar to the 1788 * generate function of drbg_kcapi_random, this function extends the 1789 * kernel crypto API interface with struct drbg_gen 1790 */ 1791 static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) 1792 { 1793 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1794 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1795 bool pr = false; 1796 struct drbg_string seed_string; 1797 int coreref = 0; 1798 1799 drbg_uninstantiate(drbg); 1800 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1801 &pr); 1802 if (0 < slen) { 1803 drbg_string_fill(&seed_string, seed, slen); 1804 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1805 } else { 1806 struct drbg_gen *data = (struct drbg_gen *)seed; 1807 /* allow invocation of API call with NULL, 0 */ 1808 if (!data) 1809 return drbg_instantiate(drbg, NULL, coreref, pr); 1810 drbg_set_testdata(drbg, data->test_data); 1811 /* linked list variable is now local to allow modification */ 1812 drbg_string_fill(&seed_string, data->addtl->buf, 1813 data->addtl->len); 1814 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1815 } 1816 } 1817 1818 /*************************************************************** 1819 * Kernel module: code to load the module 1820 ***************************************************************/ 1821 1822 /* 1823 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1824 * of the error handling. 1825 * 1826 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1827 * as seed source of get_random_bytes does not fail. 1828 * 1829 * Note 2: There is no sensible way of testing the reseed counter 1830 * enforcement, so skip it. 1831 */ 1832 static inline int __init drbg_healthcheck_sanity(void) 1833 { 1834 #ifdef CONFIG_CRYPTO_FIPS 1835 int len = 0; 1836 #define OUTBUFLEN 16 1837 unsigned char buf[OUTBUFLEN]; 1838 struct drbg_state *drbg = NULL; 1839 int ret = -EFAULT; 1840 int rc = -EFAULT; 1841 bool pr = false; 1842 int coreref = 0; 1843 struct drbg_string addtl; 1844 size_t max_addtllen, max_request_bytes; 1845 1846 /* only perform test in FIPS mode */ 1847 if (!fips_enabled) 1848 return 0; 1849 1850 #ifdef CONFIG_CRYPTO_DRBG_CTR 1851 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1852 #elif defined CONFIG_CRYPTO_DRBG_HASH 1853 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1854 #else 1855 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1856 #endif 1857 1858 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1859 if (!drbg) 1860 return -ENOMEM; 1861 1862 /* 1863 * if the following tests fail, it is likely that there is a buffer 1864 * overflow as buf is much smaller than the requested or provided 1865 * string lengths -- in case the error handling does not succeed 1866 * we may get an OOPS. And we want to get an OOPS as this is a 1867 * grave bug. 1868 */ 1869 1870 /* get a valid instance of DRBG for following tests */ 1871 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1872 if (ret) { 1873 rc = ret; 1874 goto outbuf; 1875 } 1876 max_addtllen = drbg_max_addtl(drbg); 1877 max_request_bytes = drbg_max_request_bytes(drbg); 1878 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1879 /* overflow addtllen with additonal info string */ 1880 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1881 BUG_ON(0 < len); 1882 /* overflow max_bits */ 1883 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1884 BUG_ON(0 < len); 1885 drbg_uninstantiate(drbg); 1886 1887 /* overflow max addtllen with personalization string */ 1888 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1889 BUG_ON(0 == ret); 1890 /* all tests passed */ 1891 rc = 0; 1892 1893 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1894 "completed\n"); 1895 1896 drbg_uninstantiate(drbg); 1897 outbuf: 1898 kzfree(drbg); 1899 return rc; 1900 #else /* CONFIG_CRYPTO_FIPS */ 1901 return 0; 1902 #endif /* CONFIG_CRYPTO_FIPS */ 1903 } 1904 1905 static struct crypto_alg drbg_algs[22]; 1906 1907 /* 1908 * Fill the array drbg_algs used to register the different DRBGs 1909 * with the kernel crypto API. To fill the array, the information 1910 * from drbg_cores[] is used. 1911 */ 1912 static inline void __init drbg_fill_array(struct crypto_alg *alg, 1913 const struct drbg_core *core, int pr) 1914 { 1915 int pos = 0; 1916 static int priority = 100; 1917 1918 memset(alg, 0, sizeof(struct crypto_alg)); 1919 memcpy(alg->cra_name, "stdrng", 6); 1920 if (pr) { 1921 memcpy(alg->cra_driver_name, "drbg_pr_", 8); 1922 pos = 8; 1923 } else { 1924 memcpy(alg->cra_driver_name, "drbg_nopr_", 10); 1925 pos = 10; 1926 } 1927 memcpy(alg->cra_driver_name + pos, core->cra_name, 1928 strlen(core->cra_name)); 1929 1930 alg->cra_priority = priority; 1931 priority++; 1932 /* 1933 * If FIPS mode enabled, the selected DRBG shall have the 1934 * highest cra_priority over other stdrng instances to ensure 1935 * it is selected. 1936 */ 1937 if (fips_enabled) 1938 alg->cra_priority += 200; 1939 1940 alg->cra_flags = CRYPTO_ALG_TYPE_RNG; 1941 alg->cra_ctxsize = sizeof(struct drbg_state); 1942 alg->cra_type = &crypto_rng_type; 1943 alg->cra_module = THIS_MODULE; 1944 alg->cra_init = drbg_kcapi_init; 1945 alg->cra_exit = drbg_kcapi_cleanup; 1946 alg->cra_u.rng.rng_make_random = drbg_kcapi_random; 1947 alg->cra_u.rng.rng_reset = drbg_kcapi_reset; 1948 alg->cra_u.rng.seedsize = 0; 1949 } 1950 1951 static int __init drbg_init(void) 1952 { 1953 unsigned int i = 0; /* pointer to drbg_algs */ 1954 unsigned int j = 0; /* pointer to drbg_cores */ 1955 int ret = -EFAULT; 1956 1957 ret = drbg_healthcheck_sanity(); 1958 if (ret) 1959 return ret; 1960 1961 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1962 pr_info("DRBG: Cannot register all DRBG types" 1963 "(slots needed: %zu, slots available: %zu)\n", 1964 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1965 return ret; 1966 } 1967 1968 /* 1969 * each DRBG definition can be used with PR and without PR, thus 1970 * we instantiate each DRBG in drbg_cores[] twice. 1971 * 1972 * As the order of placing them into the drbg_algs array matters 1973 * (the later DRBGs receive a higher cra_priority) we register the 1974 * prediction resistance DRBGs first as the should not be too 1975 * interesting. 1976 */ 1977 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1978 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1979 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1980 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1981 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1982 } 1983 1984 static void __exit drbg_exit(void) 1985 { 1986 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1987 } 1988 1989 module_init(drbg_init); 1990 module_exit(drbg_exit); 1991 #ifndef CRYPTO_DRBG_HASH_STRING 1992 #define CRYPTO_DRBG_HASH_STRING "" 1993 #endif 1994 #ifndef CRYPTO_DRBG_HMAC_STRING 1995 #define CRYPTO_DRBG_HMAC_STRING "" 1996 #endif 1997 #ifndef CRYPTO_DRBG_CTR_STRING 1998 #define CRYPTO_DRBG_CTR_STRING "" 1999 #endif 2000 MODULE_LICENSE("GPL"); 2001 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2002 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2003 "using following cores: " 2004 CRYPTO_DRBG_HASH_STRING 2005 CRYPTO_DRBG_HMAC_STRING 2006 CRYPTO_DRBG_CTR_STRING); 2007