xref: /openbmc/linux/crypto/drbg.c (revision 92a2c6b2)
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *		* with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99 
100 #include <crypto/drbg.h>
101 
102 /***************************************************************
103  * Backend cipher definitions available to DRBG
104  ***************************************************************/
105 
106 /*
107  * The order of the DRBG definitions here matter: every DRBG is registered
108  * as stdrng. Each DRBG receives an increasing cra_priority values the later
109  * they are defined in this array (see drbg_fill_array).
110  *
111  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
112  * the SHA256 / AES 256 over other ciphers. Thus, the favored
113  * DRBGs are the latest entries in this array.
114  */
115 static const struct drbg_core drbg_cores[] = {
116 #ifdef CONFIG_CRYPTO_DRBG_CTR
117 	{
118 		.flags = DRBG_CTR | DRBG_STRENGTH128,
119 		.statelen = 32, /* 256 bits as defined in 10.2.1 */
120 		.blocklen_bytes = 16,
121 		.cra_name = "ctr_aes128",
122 		.backend_cra_name = "ecb(aes)",
123 	}, {
124 		.flags = DRBG_CTR | DRBG_STRENGTH192,
125 		.statelen = 40, /* 320 bits as defined in 10.2.1 */
126 		.blocklen_bytes = 16,
127 		.cra_name = "ctr_aes192",
128 		.backend_cra_name = "ecb(aes)",
129 	}, {
130 		.flags = DRBG_CTR | DRBG_STRENGTH256,
131 		.statelen = 48, /* 384 bits as defined in 10.2.1 */
132 		.blocklen_bytes = 16,
133 		.cra_name = "ctr_aes256",
134 		.backend_cra_name = "ecb(aes)",
135 	},
136 #endif /* CONFIG_CRYPTO_DRBG_CTR */
137 #ifdef CONFIG_CRYPTO_DRBG_HASH
138 	{
139 		.flags = DRBG_HASH | DRBG_STRENGTH128,
140 		.statelen = 55, /* 440 bits */
141 		.blocklen_bytes = 20,
142 		.cra_name = "sha1",
143 		.backend_cra_name = "sha1",
144 	}, {
145 		.flags = DRBG_HASH | DRBG_STRENGTH256,
146 		.statelen = 111, /* 888 bits */
147 		.blocklen_bytes = 48,
148 		.cra_name = "sha384",
149 		.backend_cra_name = "sha384",
150 	}, {
151 		.flags = DRBG_HASH | DRBG_STRENGTH256,
152 		.statelen = 111, /* 888 bits */
153 		.blocklen_bytes = 64,
154 		.cra_name = "sha512",
155 		.backend_cra_name = "sha512",
156 	}, {
157 		.flags = DRBG_HASH | DRBG_STRENGTH256,
158 		.statelen = 55, /* 440 bits */
159 		.blocklen_bytes = 32,
160 		.cra_name = "sha256",
161 		.backend_cra_name = "sha256",
162 	},
163 #endif /* CONFIG_CRYPTO_DRBG_HASH */
164 #ifdef CONFIG_CRYPTO_DRBG_HMAC
165 	{
166 		.flags = DRBG_HMAC | DRBG_STRENGTH128,
167 		.statelen = 20, /* block length of cipher */
168 		.blocklen_bytes = 20,
169 		.cra_name = "hmac_sha1",
170 		.backend_cra_name = "hmac(sha1)",
171 	}, {
172 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
173 		.statelen = 48, /* block length of cipher */
174 		.blocklen_bytes = 48,
175 		.cra_name = "hmac_sha384",
176 		.backend_cra_name = "hmac(sha384)",
177 	}, {
178 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
179 		.statelen = 64, /* block length of cipher */
180 		.blocklen_bytes = 64,
181 		.cra_name = "hmac_sha512",
182 		.backend_cra_name = "hmac(sha512)",
183 	}, {
184 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
185 		.statelen = 32, /* block length of cipher */
186 		.blocklen_bytes = 32,
187 		.cra_name = "hmac_sha256",
188 		.backend_cra_name = "hmac(sha256)",
189 	},
190 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
191 };
192 
193 /******************************************************************
194  * Generic helper functions
195  ******************************************************************/
196 
197 /*
198  * Return strength of DRBG according to SP800-90A section 8.4
199  *
200  * @flags DRBG flags reference
201  *
202  * Return: normalized strength in *bytes* value or 32 as default
203  *	   to counter programming errors
204  */
205 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
206 {
207 	switch (flags & DRBG_STRENGTH_MASK) {
208 	case DRBG_STRENGTH128:
209 		return 16;
210 	case DRBG_STRENGTH192:
211 		return 24;
212 	case DRBG_STRENGTH256:
213 		return 32;
214 	default:
215 		return 32;
216 	}
217 }
218 
219 /*
220  * FIPS 140-2 continuous self test
221  * The test is performed on the result of one round of the output
222  * function. Thus, the function implicitly knows the size of the
223  * buffer.
224  *
225  * @drbg DRBG handle
226  * @buf output buffer of random data to be checked
227  *
228  * return:
229  *	true on success
230  *	false on error
231  */
232 static bool drbg_fips_continuous_test(struct drbg_state *drbg,
233 				      const unsigned char *buf)
234 {
235 #ifdef CONFIG_CRYPTO_FIPS
236 	int ret = 0;
237 	/* skip test if we test the overall system */
238 	if (drbg->test_data)
239 		return true;
240 	/* only perform test in FIPS mode */
241 	if (0 == fips_enabled)
242 		return true;
243 	if (!drbg->fips_primed) {
244 		/* Priming of FIPS test */
245 		memcpy(drbg->prev, buf, drbg_blocklen(drbg));
246 		drbg->fips_primed = true;
247 		/* return false due to priming, i.e. another round is needed */
248 		return false;
249 	}
250 	ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg));
251 	if (!ret)
252 		panic("DRBG continuous self test failed\n");
253 	memcpy(drbg->prev, buf, drbg_blocklen(drbg));
254 	/* the test shall pass when the two compared values are not equal */
255 	return ret != 0;
256 #else
257 	return true;
258 #endif /* CONFIG_CRYPTO_FIPS */
259 }
260 
261 /*
262  * Convert an integer into a byte representation of this integer.
263  * The byte representation is big-endian
264  *
265  * @val value to be converted
266  * @buf buffer holding the converted integer -- caller must ensure that
267  *      buffer size is at least 32 bit
268  */
269 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
270 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
271 {
272 	struct s {
273 		__be32 conv;
274 	};
275 	struct s *conversion = (struct s *) buf;
276 
277 	conversion->conv = cpu_to_be32(val);
278 }
279 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
280 
281 /******************************************************************
282  * CTR DRBG callback functions
283  ******************************************************************/
284 
285 #ifdef CONFIG_CRYPTO_DRBG_CTR
286 #define CRYPTO_DRBG_CTR_STRING "CTR "
287 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
288 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
289 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
290 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
291 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
292 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
293 
294 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
295 			  unsigned char *outval, const struct drbg_string *in);
296 static int drbg_init_sym_kernel(struct drbg_state *drbg);
297 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
298 
299 /* BCC function for CTR DRBG as defined in 10.4.3 */
300 static int drbg_ctr_bcc(struct drbg_state *drbg,
301 			unsigned char *out, const unsigned char *key,
302 			struct list_head *in)
303 {
304 	int ret = 0;
305 	struct drbg_string *curr = NULL;
306 	struct drbg_string data;
307 	short cnt = 0;
308 
309 	drbg_string_fill(&data, out, drbg_blocklen(drbg));
310 
311 	/* 10.4.3 step 1 */
312 	memset(out, 0, drbg_blocklen(drbg));
313 
314 	/* 10.4.3 step 2 / 4 */
315 	list_for_each_entry(curr, in, list) {
316 		const unsigned char *pos = curr->buf;
317 		size_t len = curr->len;
318 		/* 10.4.3 step 4.1 */
319 		while (len) {
320 			/* 10.4.3 step 4.2 */
321 			if (drbg_blocklen(drbg) == cnt) {
322 				cnt = 0;
323 				ret = drbg_kcapi_sym(drbg, key, out, &data);
324 				if (ret)
325 					return ret;
326 			}
327 			out[cnt] ^= *pos;
328 			pos++;
329 			cnt++;
330 			len--;
331 		}
332 	}
333 	/* 10.4.3 step 4.2 for last block */
334 	if (cnt)
335 		ret = drbg_kcapi_sym(drbg, key, out, &data);
336 
337 	return ret;
338 }
339 
340 /*
341  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
342  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
343  * the scratchpad is used as follows:
344  * drbg_ctr_update:
345  *	temp
346  *		start: drbg->scratchpad
347  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
348  *			note: the cipher writing into this variable works
349  *			blocklen-wise. Now, when the statelen is not a multiple
350  *			of blocklen, the generateion loop below "spills over"
351  *			by at most blocklen. Thus, we need to give sufficient
352  *			memory.
353  *	df_data
354  *		start: drbg->scratchpad +
355  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
356  *		length: drbg_statelen(drbg)
357  *
358  * drbg_ctr_df:
359  *	pad
360  *		start: df_data + drbg_statelen(drbg)
361  *		length: drbg_blocklen(drbg)
362  *	iv
363  *		start: pad + drbg_blocklen(drbg)
364  *		length: drbg_blocklen(drbg)
365  *	temp
366  *		start: iv + drbg_blocklen(drbg)
367  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
368  *			note: temp is the buffer that the BCC function operates
369  *			on. BCC operates blockwise. drbg_statelen(drbg)
370  *			is sufficient when the DRBG state length is a multiple
371  *			of the block size. For AES192 (and maybe other ciphers)
372  *			this is not correct and the length for temp is
373  *			insufficient (yes, that also means for such ciphers,
374  *			the final output of all BCC rounds are truncated).
375  *			Therefore, add drbg_blocklen(drbg) to cover all
376  *			possibilities.
377  */
378 
379 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
380 static int drbg_ctr_df(struct drbg_state *drbg,
381 		       unsigned char *df_data, size_t bytes_to_return,
382 		       struct list_head *seedlist)
383 {
384 	int ret = -EFAULT;
385 	unsigned char L_N[8];
386 	/* S3 is input */
387 	struct drbg_string S1, S2, S4, cipherin;
388 	LIST_HEAD(bcc_list);
389 	unsigned char *pad = df_data + drbg_statelen(drbg);
390 	unsigned char *iv = pad + drbg_blocklen(drbg);
391 	unsigned char *temp = iv + drbg_blocklen(drbg);
392 	size_t padlen = 0;
393 	unsigned int templen = 0;
394 	/* 10.4.2 step 7 */
395 	unsigned int i = 0;
396 	/* 10.4.2 step 8 */
397 	const unsigned char *K = (unsigned char *)
398 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
399 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
400 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
401 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
402 	unsigned char *X;
403 	size_t generated_len = 0;
404 	size_t inputlen = 0;
405 	struct drbg_string *seed = NULL;
406 
407 	memset(pad, 0, drbg_blocklen(drbg));
408 	memset(iv, 0, drbg_blocklen(drbg));
409 	memset(temp, 0, drbg_statelen(drbg));
410 
411 	/* 10.4.2 step 1 is implicit as we work byte-wise */
412 
413 	/* 10.4.2 step 2 */
414 	if ((512/8) < bytes_to_return)
415 		return -EINVAL;
416 
417 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
418 	list_for_each_entry(seed, seedlist, list)
419 		inputlen += seed->len;
420 	drbg_cpu_to_be32(inputlen, &L_N[0]);
421 
422 	/* 10.4.2 step 3 */
423 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
424 
425 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
426 	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
427 	/* wrap the padlen appropriately */
428 	if (padlen)
429 		padlen = drbg_blocklen(drbg) - padlen;
430 	/*
431 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
432 	 * As the calculated padlen value only covers the number of zero
433 	 * bytes, this value has to be incremented by one for the 0x80 byte.
434 	 */
435 	padlen++;
436 	pad[0] = 0x80;
437 
438 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
439 	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
440 	list_add_tail(&S1.list, &bcc_list);
441 	drbg_string_fill(&S2, L_N, sizeof(L_N));
442 	list_add_tail(&S2.list, &bcc_list);
443 	list_splice_tail(seedlist, &bcc_list);
444 	drbg_string_fill(&S4, pad, padlen);
445 	list_add_tail(&S4.list, &bcc_list);
446 
447 	/* 10.4.2 step 9 */
448 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
449 		/*
450 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
451 		 * holds zeros after allocation -- even the increment of i
452 		 * is irrelevant as the increment remains within length of i
453 		 */
454 		drbg_cpu_to_be32(i, iv);
455 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
456 		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
457 		if (ret)
458 			goto out;
459 		/* 10.4.2 step 9.3 */
460 		i++;
461 		templen += drbg_blocklen(drbg);
462 	}
463 
464 	/* 10.4.2 step 11 */
465 	X = temp + (drbg_keylen(drbg));
466 	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
467 
468 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
469 
470 	/* 10.4.2 step 13 */
471 	while (generated_len < bytes_to_return) {
472 		short blocklen = 0;
473 		/*
474 		 * 10.4.2 step 13.1: the truncation of the key length is
475 		 * implicit as the key is only drbg_blocklen in size based on
476 		 * the implementation of the cipher function callback
477 		 */
478 		ret = drbg_kcapi_sym(drbg, temp, X, &cipherin);
479 		if (ret)
480 			goto out;
481 		blocklen = (drbg_blocklen(drbg) <
482 				(bytes_to_return - generated_len)) ?
483 			    drbg_blocklen(drbg) :
484 				(bytes_to_return - generated_len);
485 		/* 10.4.2 step 13.2 and 14 */
486 		memcpy(df_data + generated_len, X, blocklen);
487 		generated_len += blocklen;
488 	}
489 
490 	ret = 0;
491 
492 out:
493 	memset(iv, 0, drbg_blocklen(drbg));
494 	memset(temp, 0, drbg_statelen(drbg));
495 	memset(pad, 0, drbg_blocklen(drbg));
496 	return ret;
497 }
498 
499 /*
500  * update function of CTR DRBG as defined in 10.2.1.2
501  *
502  * The reseed variable has an enhanced meaning compared to the update
503  * functions of the other DRBGs as follows:
504  * 0 => initial seed from initialization
505  * 1 => reseed via drbg_seed
506  * 2 => first invocation from drbg_ctr_update when addtl is present. In
507  *      this case, the df_data scratchpad is not deleted so that it is
508  *      available for another calls to prevent calling the DF function
509  *      again.
510  * 3 => second invocation from drbg_ctr_update. When the update function
511  *      was called with addtl, the df_data memory already contains the
512  *      DFed addtl information and we do not need to call DF again.
513  */
514 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
515 			   int reseed)
516 {
517 	int ret = -EFAULT;
518 	/* 10.2.1.2 step 1 */
519 	unsigned char *temp = drbg->scratchpad;
520 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
521 				 drbg_blocklen(drbg);
522 	unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
523 	unsigned int len = 0;
524 	struct drbg_string cipherin;
525 
526 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
527 	if (3 > reseed)
528 		memset(df_data, 0, drbg_statelen(drbg));
529 
530 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
531 	if (seed) {
532 		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
533 		if (ret)
534 			goto out;
535 	}
536 
537 	drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg));
538 	/*
539 	 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation
540 	 * zeroizes all memory during initialization
541 	 */
542 	while (len < (drbg_statelen(drbg))) {
543 		/* 10.2.1.2 step 2.1 */
544 		crypto_inc(drbg->V, drbg_blocklen(drbg));
545 		/*
546 		 * 10.2.1.2 step 2.2 */
547 		ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin);
548 		if (ret)
549 			goto out;
550 		/* 10.2.1.2 step 2.3 and 3 */
551 		len += drbg_blocklen(drbg);
552 	}
553 
554 	/* 10.2.1.2 step 4 */
555 	temp_p = temp;
556 	df_data_p = df_data;
557 	for (len = 0; len < drbg_statelen(drbg); len++) {
558 		*temp_p ^= *df_data_p;
559 		df_data_p++; temp_p++;
560 	}
561 
562 	/* 10.2.1.2 step 5 */
563 	memcpy(drbg->C, temp, drbg_keylen(drbg));
564 	/* 10.2.1.2 step 6 */
565 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
566 	ret = 0;
567 
568 out:
569 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
570 	if (2 != reseed)
571 		memset(df_data, 0, drbg_statelen(drbg));
572 	return ret;
573 }
574 
575 /*
576  * scratchpad use: drbg_ctr_update is called independently from
577  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
578  */
579 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
580 static int drbg_ctr_generate(struct drbg_state *drbg,
581 			     unsigned char *buf, unsigned int buflen,
582 			     struct list_head *addtl)
583 {
584 	int len = 0;
585 	int ret = 0;
586 	struct drbg_string data;
587 
588 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
589 
590 	/* 10.2.1.5.2 step 2 */
591 	if (addtl && !list_empty(addtl)) {
592 		ret = drbg_ctr_update(drbg, addtl, 2);
593 		if (ret)
594 			return 0;
595 	}
596 
597 	/* 10.2.1.5.2 step 4.1 */
598 	crypto_inc(drbg->V, drbg_blocklen(drbg));
599 	drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg));
600 	while (len < buflen) {
601 		int outlen = 0;
602 		/* 10.2.1.5.2 step 4.2 */
603 		ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data);
604 		if (ret) {
605 			len = ret;
606 			goto out;
607 		}
608 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
609 			  drbg_blocklen(drbg) : (buflen - len);
610 		if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) {
611 			/* 10.2.1.5.2 step 6 */
612 			crypto_inc(drbg->V, drbg_blocklen(drbg));
613 			continue;
614 		}
615 		/* 10.2.1.5.2 step 4.3 */
616 		memcpy(buf + len, drbg->scratchpad, outlen);
617 		len += outlen;
618 		/* 10.2.1.5.2 step 6 */
619 		if (len < buflen)
620 			crypto_inc(drbg->V, drbg_blocklen(drbg));
621 	}
622 
623 	/* 10.2.1.5.2 step 6 */
624 	ret = drbg_ctr_update(drbg, NULL, 3);
625 	if (ret)
626 		len = ret;
627 
628 out:
629 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
630 	return len;
631 }
632 
633 static struct drbg_state_ops drbg_ctr_ops = {
634 	.update		= drbg_ctr_update,
635 	.generate	= drbg_ctr_generate,
636 	.crypto_init	= drbg_init_sym_kernel,
637 	.crypto_fini	= drbg_fini_sym_kernel,
638 };
639 #endif /* CONFIG_CRYPTO_DRBG_CTR */
640 
641 /******************************************************************
642  * HMAC DRBG callback functions
643  ******************************************************************/
644 
645 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
646 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
647 			   unsigned char *outval, const struct list_head *in);
648 static int drbg_init_hash_kernel(struct drbg_state *drbg);
649 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
650 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
651 
652 #ifdef CONFIG_CRYPTO_DRBG_HMAC
653 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
654 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
655 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
656 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
657 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
658 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
659 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
660 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
661 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
662 
663 /* update function of HMAC DRBG as defined in 10.1.2.2 */
664 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
665 			    int reseed)
666 {
667 	int ret = -EFAULT;
668 	int i = 0;
669 	struct drbg_string seed1, seed2, vdata;
670 	LIST_HEAD(seedlist);
671 	LIST_HEAD(vdatalist);
672 
673 	if (!reseed)
674 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
675 		memset(drbg->V, 1, drbg_statelen(drbg));
676 
677 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
678 	list_add_tail(&seed1.list, &seedlist);
679 	/* buffer of seed2 will be filled in for loop below with one byte */
680 	drbg_string_fill(&seed2, NULL, 1);
681 	list_add_tail(&seed2.list, &seedlist);
682 	/* input data of seed is allowed to be NULL at this point */
683 	if (seed)
684 		list_splice_tail(seed, &seedlist);
685 
686 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
687 	list_add_tail(&vdata.list, &vdatalist);
688 	for (i = 2; 0 < i; i--) {
689 		/* first round uses 0x0, second 0x1 */
690 		unsigned char prefix = DRBG_PREFIX0;
691 		if (1 == i)
692 			prefix = DRBG_PREFIX1;
693 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
694 		seed2.buf = &prefix;
695 		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist);
696 		if (ret)
697 			return ret;
698 
699 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
700 		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist);
701 		if (ret)
702 			return ret;
703 
704 		/* 10.1.2.2 step 3 */
705 		if (!seed)
706 			return ret;
707 	}
708 
709 	return 0;
710 }
711 
712 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
713 static int drbg_hmac_generate(struct drbg_state *drbg,
714 			      unsigned char *buf,
715 			      unsigned int buflen,
716 			      struct list_head *addtl)
717 {
718 	int len = 0;
719 	int ret = 0;
720 	struct drbg_string data;
721 	LIST_HEAD(datalist);
722 
723 	/* 10.1.2.5 step 2 */
724 	if (addtl && !list_empty(addtl)) {
725 		ret = drbg_hmac_update(drbg, addtl, 1);
726 		if (ret)
727 			return ret;
728 	}
729 
730 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
731 	list_add_tail(&data.list, &datalist);
732 	while (len < buflen) {
733 		unsigned int outlen = 0;
734 		/* 10.1.2.5 step 4.1 */
735 		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist);
736 		if (ret)
737 			return ret;
738 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
739 			  drbg_blocklen(drbg) : (buflen - len);
740 		if (!drbg_fips_continuous_test(drbg, drbg->V))
741 			continue;
742 
743 		/* 10.1.2.5 step 4.2 */
744 		memcpy(buf + len, drbg->V, outlen);
745 		len += outlen;
746 	}
747 
748 	/* 10.1.2.5 step 6 */
749 	if (addtl && !list_empty(addtl))
750 		ret = drbg_hmac_update(drbg, addtl, 1);
751 	else
752 		ret = drbg_hmac_update(drbg, NULL, 1);
753 	if (ret)
754 		return ret;
755 
756 	return len;
757 }
758 
759 static struct drbg_state_ops drbg_hmac_ops = {
760 	.update		= drbg_hmac_update,
761 	.generate	= drbg_hmac_generate,
762 	.crypto_init	= drbg_init_hash_kernel,
763 	.crypto_fini	= drbg_fini_hash_kernel,
764 
765 };
766 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
767 
768 /******************************************************************
769  * Hash DRBG callback functions
770  ******************************************************************/
771 
772 #ifdef CONFIG_CRYPTO_DRBG_HASH
773 #define CRYPTO_DRBG_HASH_STRING "HASH "
774 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
775 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
776 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
777 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
778 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
779 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
780 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
781 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
782 
783 /*
784  * Increment buffer
785  *
786  * @dst buffer to increment
787  * @add value to add
788  */
789 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
790 				const unsigned char *add, size_t addlen)
791 {
792 	/* implied: dstlen > addlen */
793 	unsigned char *dstptr;
794 	const unsigned char *addptr;
795 	unsigned int remainder = 0;
796 	size_t len = addlen;
797 
798 	dstptr = dst + (dstlen-1);
799 	addptr = add + (addlen-1);
800 	while (len) {
801 		remainder += *dstptr + *addptr;
802 		*dstptr = remainder & 0xff;
803 		remainder >>= 8;
804 		len--; dstptr--; addptr--;
805 	}
806 	len = dstlen - addlen;
807 	while (len && remainder > 0) {
808 		remainder = *dstptr + 1;
809 		*dstptr = remainder & 0xff;
810 		remainder >>= 8;
811 		len--; dstptr--;
812 	}
813 }
814 
815 /*
816  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
817  * interlinked, the scratchpad is used as follows:
818  * drbg_hash_update
819  *	start: drbg->scratchpad
820  *	length: drbg_statelen(drbg)
821  * drbg_hash_df:
822  *	start: drbg->scratchpad + drbg_statelen(drbg)
823  *	length: drbg_blocklen(drbg)
824  *
825  * drbg_hash_process_addtl uses the scratchpad, but fully completes
826  * before either of the functions mentioned before are invoked. Therefore,
827  * drbg_hash_process_addtl does not need to be specifically considered.
828  */
829 
830 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
831 static int drbg_hash_df(struct drbg_state *drbg,
832 			unsigned char *outval, size_t outlen,
833 			struct list_head *entropylist)
834 {
835 	int ret = 0;
836 	size_t len = 0;
837 	unsigned char input[5];
838 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
839 	struct drbg_string data;
840 
841 	memset(tmp, 0, drbg_blocklen(drbg));
842 
843 	/* 10.4.1 step 3 */
844 	input[0] = 1;
845 	drbg_cpu_to_be32((outlen * 8), &input[1]);
846 
847 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
848 	drbg_string_fill(&data, input, 5);
849 	list_add(&data.list, entropylist);
850 
851 	/* 10.4.1 step 4 */
852 	while (len < outlen) {
853 		short blocklen = 0;
854 		/* 10.4.1 step 4.1 */
855 		ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist);
856 		if (ret)
857 			goto out;
858 		/* 10.4.1 step 4.2 */
859 		input[0]++;
860 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
861 			    drbg_blocklen(drbg) : (outlen - len);
862 		memcpy(outval + len, tmp, blocklen);
863 		len += blocklen;
864 	}
865 
866 out:
867 	memset(tmp, 0, drbg_blocklen(drbg));
868 	return ret;
869 }
870 
871 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
872 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
873 			    int reseed)
874 {
875 	int ret = 0;
876 	struct drbg_string data1, data2;
877 	LIST_HEAD(datalist);
878 	LIST_HEAD(datalist2);
879 	unsigned char *V = drbg->scratchpad;
880 	unsigned char prefix = DRBG_PREFIX1;
881 
882 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
883 	if (!seed)
884 		return -EINVAL;
885 
886 	if (reseed) {
887 		/* 10.1.1.3 step 1 */
888 		memcpy(V, drbg->V, drbg_statelen(drbg));
889 		drbg_string_fill(&data1, &prefix, 1);
890 		list_add_tail(&data1.list, &datalist);
891 		drbg_string_fill(&data2, V, drbg_statelen(drbg));
892 		list_add_tail(&data2.list, &datalist);
893 	}
894 	list_splice_tail(seed, &datalist);
895 
896 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
897 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
898 	if (ret)
899 		goto out;
900 
901 	/* 10.1.1.2 / 10.1.1.3 step 4  */
902 	prefix = DRBG_PREFIX0;
903 	drbg_string_fill(&data1, &prefix, 1);
904 	list_add_tail(&data1.list, &datalist2);
905 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
906 	list_add_tail(&data2.list, &datalist2);
907 	/* 10.1.1.2 / 10.1.1.3 step 4 */
908 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
909 
910 out:
911 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
912 	return ret;
913 }
914 
915 /* processing of additional information string for Hash DRBG */
916 static int drbg_hash_process_addtl(struct drbg_state *drbg,
917 				   struct list_head *addtl)
918 {
919 	int ret = 0;
920 	struct drbg_string data1, data2;
921 	LIST_HEAD(datalist);
922 	unsigned char prefix = DRBG_PREFIX2;
923 
924 	/* this is value w as per documentation */
925 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
926 
927 	/* 10.1.1.4 step 2 */
928 	if (!addtl || list_empty(addtl))
929 		return 0;
930 
931 	/* 10.1.1.4 step 2a */
932 	drbg_string_fill(&data1, &prefix, 1);
933 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
934 	list_add_tail(&data1.list, &datalist);
935 	list_add_tail(&data2.list, &datalist);
936 	list_splice_tail(addtl, &datalist);
937 	ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
938 	if (ret)
939 		goto out;
940 
941 	/* 10.1.1.4 step 2b */
942 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
943 		     drbg->scratchpad, drbg_blocklen(drbg));
944 
945 out:
946 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
947 	return ret;
948 }
949 
950 /* Hashgen defined in 10.1.1.4 */
951 static int drbg_hash_hashgen(struct drbg_state *drbg,
952 			     unsigned char *buf,
953 			     unsigned int buflen)
954 {
955 	int len = 0;
956 	int ret = 0;
957 	unsigned char *src = drbg->scratchpad;
958 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
959 	struct drbg_string data;
960 	LIST_HEAD(datalist);
961 
962 	memset(src, 0, drbg_statelen(drbg));
963 	memset(dst, 0, drbg_blocklen(drbg));
964 
965 	/* 10.1.1.4 step hashgen 2 */
966 	memcpy(src, drbg->V, drbg_statelen(drbg));
967 
968 	drbg_string_fill(&data, src, drbg_statelen(drbg));
969 	list_add_tail(&data.list, &datalist);
970 	while (len < buflen) {
971 		unsigned int outlen = 0;
972 		/* 10.1.1.4 step hashgen 4.1 */
973 		ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist);
974 		if (ret) {
975 			len = ret;
976 			goto out;
977 		}
978 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
979 			  drbg_blocklen(drbg) : (buflen - len);
980 		if (!drbg_fips_continuous_test(drbg, dst)) {
981 			crypto_inc(src, drbg_statelen(drbg));
982 			continue;
983 		}
984 		/* 10.1.1.4 step hashgen 4.2 */
985 		memcpy(buf + len, dst, outlen);
986 		len += outlen;
987 		/* 10.1.1.4 hashgen step 4.3 */
988 		if (len < buflen)
989 			crypto_inc(src, drbg_statelen(drbg));
990 	}
991 
992 out:
993 	memset(drbg->scratchpad, 0,
994 	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
995 	return len;
996 }
997 
998 /* generate function for Hash DRBG as defined in  10.1.1.4 */
999 static int drbg_hash_generate(struct drbg_state *drbg,
1000 			      unsigned char *buf, unsigned int buflen,
1001 			      struct list_head *addtl)
1002 {
1003 	int len = 0;
1004 	int ret = 0;
1005 	union {
1006 		unsigned char req[8];
1007 		__be64 req_int;
1008 	} u;
1009 	unsigned char prefix = DRBG_PREFIX3;
1010 	struct drbg_string data1, data2;
1011 	LIST_HEAD(datalist);
1012 
1013 	/* 10.1.1.4 step 2 */
1014 	ret = drbg_hash_process_addtl(drbg, addtl);
1015 	if (ret)
1016 		return ret;
1017 	/* 10.1.1.4 step 3 */
1018 	len = drbg_hash_hashgen(drbg, buf, buflen);
1019 
1020 	/* this is the value H as documented in 10.1.1.4 */
1021 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1022 	/* 10.1.1.4 step 4 */
1023 	drbg_string_fill(&data1, &prefix, 1);
1024 	list_add_tail(&data1.list, &datalist);
1025 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1026 	list_add_tail(&data2.list, &datalist);
1027 	ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
1028 	if (ret) {
1029 		len = ret;
1030 		goto out;
1031 	}
1032 
1033 	/* 10.1.1.4 step 5 */
1034 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
1035 		     drbg->scratchpad, drbg_blocklen(drbg));
1036 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
1037 		     drbg->C, drbg_statelen(drbg));
1038 	u.req_int = cpu_to_be64(drbg->reseed_ctr);
1039 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1040 
1041 out:
1042 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1043 	return len;
1044 }
1045 
1046 /*
1047  * scratchpad usage: as update and generate are used isolated, both
1048  * can use the scratchpad
1049  */
1050 static struct drbg_state_ops drbg_hash_ops = {
1051 	.update		= drbg_hash_update,
1052 	.generate	= drbg_hash_generate,
1053 	.crypto_init	= drbg_init_hash_kernel,
1054 	.crypto_fini	= drbg_fini_hash_kernel,
1055 };
1056 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1057 
1058 /******************************************************************
1059  * Functions common for DRBG implementations
1060  ******************************************************************/
1061 
1062 /*
1063  * Seeding or reseeding of the DRBG
1064  *
1065  * @drbg: DRBG state struct
1066  * @pers: personalization / additional information buffer
1067  * @reseed: 0 for initial seed process, 1 for reseeding
1068  *
1069  * return:
1070  *	0 on success
1071  *	error value otherwise
1072  */
1073 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1074 		     bool reseed)
1075 {
1076 	int ret = 0;
1077 	unsigned char *entropy = NULL;
1078 	size_t entropylen = 0;
1079 	struct drbg_string data1;
1080 	LIST_HEAD(seedlist);
1081 
1082 	/* 9.1 / 9.2 / 9.3.1 step 3 */
1083 	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1084 		pr_devel("DRBG: personalization string too long %zu\n",
1085 			 pers->len);
1086 		return -EINVAL;
1087 	}
1088 
1089 	if (drbg->test_data && drbg->test_data->testentropy) {
1090 		drbg_string_fill(&data1, drbg->test_data->testentropy->buf,
1091 				 drbg->test_data->testentropy->len);
1092 		pr_devel("DRBG: using test entropy\n");
1093 	} else {
1094 		/*
1095 		 * Gather entropy equal to the security strength of the DRBG.
1096 		 * With a derivation function, a nonce is required in addition
1097 		 * to the entropy. A nonce must be at least 1/2 of the security
1098 		 * strength of the DRBG in size. Thus, entropy * nonce is 3/2
1099 		 * of the strength. The consideration of a nonce is only
1100 		 * applicable during initial seeding.
1101 		 */
1102 		entropylen = drbg_sec_strength(drbg->core->flags);
1103 		if (!entropylen)
1104 			return -EFAULT;
1105 		if (!reseed)
1106 			entropylen = ((entropylen + 1) / 2) * 3;
1107 		pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n",
1108 			 entropylen);
1109 		entropy = kzalloc(entropylen, GFP_KERNEL);
1110 		if (!entropy)
1111 			return -ENOMEM;
1112 		get_random_bytes(entropy, entropylen);
1113 		drbg_string_fill(&data1, entropy, entropylen);
1114 	}
1115 	list_add_tail(&data1.list, &seedlist);
1116 
1117 	/*
1118 	 * concatenation of entropy with personalization str / addtl input)
1119 	 * the variable pers is directly handed in by the caller, so check its
1120 	 * contents whether it is appropriate
1121 	 */
1122 	if (pers && pers->buf && 0 < pers->len) {
1123 		list_add_tail(&pers->list, &seedlist);
1124 		pr_devel("DRBG: using personalization string\n");
1125 	}
1126 
1127 	if (!reseed) {
1128 		memset(drbg->V, 0, drbg_statelen(drbg));
1129 		memset(drbg->C, 0, drbg_statelen(drbg));
1130 	}
1131 
1132 	ret = drbg->d_ops->update(drbg, &seedlist, reseed);
1133 	if (ret)
1134 		goto out;
1135 
1136 	drbg->seeded = true;
1137 	/* 10.1.1.2 / 10.1.1.3 step 5 */
1138 	drbg->reseed_ctr = 1;
1139 
1140 out:
1141 	kzfree(entropy);
1142 	return ret;
1143 }
1144 
1145 /* Free all substructures in a DRBG state without the DRBG state structure */
1146 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1147 {
1148 	if (!drbg)
1149 		return;
1150 	kzfree(drbg->V);
1151 	drbg->V = NULL;
1152 	kzfree(drbg->C);
1153 	drbg->C = NULL;
1154 	kzfree(drbg->scratchpad);
1155 	drbg->scratchpad = NULL;
1156 	drbg->reseed_ctr = 0;
1157 #ifdef CONFIG_CRYPTO_FIPS
1158 	kzfree(drbg->prev);
1159 	drbg->prev = NULL;
1160 	drbg->fips_primed = false;
1161 #endif
1162 }
1163 
1164 /*
1165  * Allocate all sub-structures for a DRBG state.
1166  * The DRBG state structure must already be allocated.
1167  */
1168 static inline int drbg_alloc_state(struct drbg_state *drbg)
1169 {
1170 	int ret = -ENOMEM;
1171 	unsigned int sb_size = 0;
1172 
1173 	drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1174 	if (!drbg->V)
1175 		goto err;
1176 	drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
1177 	if (!drbg->C)
1178 		goto err;
1179 #ifdef CONFIG_CRYPTO_FIPS
1180 	drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL);
1181 	if (!drbg->prev)
1182 		goto err;
1183 	drbg->fips_primed = false;
1184 #endif
1185 	/* scratchpad is only generated for CTR and Hash */
1186 	if (drbg->core->flags & DRBG_HMAC)
1187 		sb_size = 0;
1188 	else if (drbg->core->flags & DRBG_CTR)
1189 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1190 			  drbg_statelen(drbg) +	/* df_data */
1191 			  drbg_blocklen(drbg) +	/* pad */
1192 			  drbg_blocklen(drbg) +	/* iv */
1193 			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1194 	else
1195 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1196 
1197 	if (0 < sb_size) {
1198 		drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL);
1199 		if (!drbg->scratchpad)
1200 			goto err;
1201 	}
1202 	spin_lock_init(&drbg->drbg_lock);
1203 	return 0;
1204 
1205 err:
1206 	drbg_dealloc_state(drbg);
1207 	return ret;
1208 }
1209 
1210 /*
1211  * Strategy to avoid holding long term locks: generate a shadow copy of DRBG
1212  * and perform all operations on this shadow copy. After finishing, restore
1213  * the updated state of the shadow copy into original drbg state. This way,
1214  * only the read and write operations of the original drbg state must be
1215  * locked
1216  */
1217 static inline void drbg_copy_drbg(struct drbg_state *src,
1218 				  struct drbg_state *dst)
1219 {
1220 	if (!src || !dst)
1221 		return;
1222 	memcpy(dst->V, src->V, drbg_statelen(src));
1223 	memcpy(dst->C, src->C, drbg_statelen(src));
1224 	dst->reseed_ctr = src->reseed_ctr;
1225 	dst->seeded = src->seeded;
1226 	dst->pr = src->pr;
1227 #ifdef CONFIG_CRYPTO_FIPS
1228 	dst->fips_primed = src->fips_primed;
1229 	memcpy(dst->prev, src->prev, drbg_blocklen(src));
1230 #endif
1231 	/*
1232 	 * Not copied:
1233 	 * scratchpad is initialized drbg_alloc_state;
1234 	 * priv_data is initialized with call to crypto_init;
1235 	 * d_ops and core are set outside, as these parameters are const;
1236 	 * test_data is set outside to prevent it being copied back.
1237 	 */
1238 }
1239 
1240 static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow)
1241 {
1242 	int ret = -ENOMEM;
1243 	struct drbg_state *tmp = NULL;
1244 
1245 	tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1246 	if (!tmp)
1247 		return -ENOMEM;
1248 
1249 	/* read-only data as they are defined as const, no lock needed */
1250 	tmp->core = drbg->core;
1251 	tmp->d_ops = drbg->d_ops;
1252 
1253 	ret = drbg_alloc_state(tmp);
1254 	if (ret)
1255 		goto err;
1256 
1257 	spin_lock_bh(&drbg->drbg_lock);
1258 	drbg_copy_drbg(drbg, tmp);
1259 	/* only make a link to the test buffer, as we only read that data */
1260 	tmp->test_data = drbg->test_data;
1261 	spin_unlock_bh(&drbg->drbg_lock);
1262 	*shadow = tmp;
1263 	return 0;
1264 
1265 err:
1266 	kzfree(tmp);
1267 	return ret;
1268 }
1269 
1270 static void drbg_restore_shadow(struct drbg_state *drbg,
1271 				struct drbg_state **shadow)
1272 {
1273 	struct drbg_state *tmp = *shadow;
1274 
1275 	spin_lock_bh(&drbg->drbg_lock);
1276 	drbg_copy_drbg(tmp, drbg);
1277 	spin_unlock_bh(&drbg->drbg_lock);
1278 	drbg_dealloc_state(tmp);
1279 	kzfree(tmp);
1280 	*shadow = NULL;
1281 }
1282 
1283 /*************************************************************************
1284  * DRBG interface functions
1285  *************************************************************************/
1286 
1287 /*
1288  * DRBG generate function as required by SP800-90A - this function
1289  * generates random numbers
1290  *
1291  * @drbg DRBG state handle
1292  * @buf Buffer where to store the random numbers -- the buffer must already
1293  *      be pre-allocated by caller
1294  * @buflen Length of output buffer - this value defines the number of random
1295  *	   bytes pulled from DRBG
1296  * @addtl Additional input that is mixed into state, may be NULL -- note
1297  *	  the entropy is pulled by the DRBG internally unconditionally
1298  *	  as defined in SP800-90A. The additional input is mixed into
1299  *	  the state in addition to the pulled entropy.
1300  *
1301  * return: generated number of bytes
1302  */
1303 static int drbg_generate(struct drbg_state *drbg,
1304 			 unsigned char *buf, unsigned int buflen,
1305 			 struct drbg_string *addtl)
1306 {
1307 	int len = 0;
1308 	struct drbg_state *shadow = NULL;
1309 	LIST_HEAD(addtllist);
1310 	struct drbg_string timestamp;
1311 	union {
1312 		cycles_t cycles;
1313 		unsigned char char_cycles[sizeof(cycles_t)];
1314 	} now;
1315 
1316 	if (0 == buflen || !buf) {
1317 		pr_devel("DRBG: no output buffer provided\n");
1318 		return -EINVAL;
1319 	}
1320 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1321 		pr_devel("DRBG: wrong format of additional information\n");
1322 		return -EINVAL;
1323 	}
1324 
1325 	len = drbg_make_shadow(drbg, &shadow);
1326 	if (len) {
1327 		pr_devel("DRBG: shadow copy cannot be generated\n");
1328 		return len;
1329 	}
1330 
1331 	/* 9.3.1 step 2 */
1332 	len = -EINVAL;
1333 	if (buflen > (drbg_max_request_bytes(shadow))) {
1334 		pr_devel("DRBG: requested random numbers too large %u\n",
1335 			 buflen);
1336 		goto err;
1337 	}
1338 
1339 	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1340 
1341 	/* 9.3.1 step 4 */
1342 	if (addtl && addtl->len > (drbg_max_addtl(shadow))) {
1343 		pr_devel("DRBG: additional information string too long %zu\n",
1344 			 addtl->len);
1345 		goto err;
1346 	}
1347 	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1348 
1349 	/*
1350 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1351 	 * here. The spec is a bit convoluted here, we make it simpler.
1352 	 */
1353 	if ((drbg_max_requests(shadow)) < shadow->reseed_ctr)
1354 		shadow->seeded = false;
1355 
1356 	/* allocate cipher handle */
1357 	len = shadow->d_ops->crypto_init(shadow);
1358 	if (len)
1359 		goto err;
1360 
1361 	if (shadow->pr || !shadow->seeded) {
1362 		pr_devel("DRBG: reseeding before generation (prediction "
1363 			 "resistance: %s, state %s)\n",
1364 			 drbg->pr ? "true" : "false",
1365 			 drbg->seeded ? "seeded" : "unseeded");
1366 		/* 9.3.1 steps 7.1 through 7.3 */
1367 		len = drbg_seed(shadow, addtl, true);
1368 		if (len)
1369 			goto err;
1370 		/* 9.3.1 step 7.4 */
1371 		addtl = NULL;
1372 	}
1373 
1374 	/*
1375 	 * Mix the time stamp into the DRBG state if the DRBG is not in
1376 	 * test mode. If there are two callers invoking the DRBG at the same
1377 	 * time, i.e. before the first caller merges its shadow state back,
1378 	 * both callers would obtain the same random number stream without
1379 	 * changing the state here.
1380 	 */
1381 	if (!drbg->test_data) {
1382 		now.cycles = random_get_entropy();
1383 		drbg_string_fill(&timestamp, now.char_cycles, sizeof(cycles_t));
1384 		list_add_tail(&timestamp.list, &addtllist);
1385 	}
1386 	if (addtl && 0 < addtl->len)
1387 		list_add_tail(&addtl->list, &addtllist);
1388 	/* 9.3.1 step 8 and 10 */
1389 	len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist);
1390 
1391 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1392 	shadow->reseed_ctr++;
1393 	if (0 >= len)
1394 		goto err;
1395 
1396 	/*
1397 	 * Section 11.3.3 requires to re-perform self tests after some
1398 	 * generated random numbers. The chosen value after which self
1399 	 * test is performed is arbitrary, but it should be reasonable.
1400 	 * However, we do not perform the self tests because of the following
1401 	 * reasons: it is mathematically impossible that the initial self tests
1402 	 * were successfully and the following are not. If the initial would
1403 	 * pass and the following would not, the kernel integrity is violated.
1404 	 * In this case, the entire kernel operation is questionable and it
1405 	 * is unlikely that the integrity violation only affects the
1406 	 * correct operation of the DRBG.
1407 	 *
1408 	 * Albeit the following code is commented out, it is provided in
1409 	 * case somebody has a need to implement the test of 11.3.3.
1410 	 */
1411 #if 0
1412 	if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) {
1413 		int err = 0;
1414 		pr_devel("DRBG: start to perform self test\n");
1415 		if (drbg->core->flags & DRBG_HMAC)
1416 			err = alg_test("drbg_pr_hmac_sha256",
1417 				       "drbg_pr_hmac_sha256", 0, 0);
1418 		else if (drbg->core->flags & DRBG_CTR)
1419 			err = alg_test("drbg_pr_ctr_aes128",
1420 				       "drbg_pr_ctr_aes128", 0, 0);
1421 		else
1422 			err = alg_test("drbg_pr_sha256",
1423 				       "drbg_pr_sha256", 0, 0);
1424 		if (err) {
1425 			pr_err("DRBG: periodical self test failed\n");
1426 			/*
1427 			 * uninstantiate implies that from now on, only errors
1428 			 * are returned when reusing this DRBG cipher handle
1429 			 */
1430 			drbg_uninstantiate(drbg);
1431 			drbg_dealloc_state(shadow);
1432 			kzfree(shadow);
1433 			return 0;
1434 		} else {
1435 			pr_devel("DRBG: self test successful\n");
1436 		}
1437 	}
1438 #endif
1439 
1440 err:
1441 	shadow->d_ops->crypto_fini(shadow);
1442 	drbg_restore_shadow(drbg, &shadow);
1443 	return len;
1444 }
1445 
1446 /*
1447  * Wrapper around drbg_generate which can pull arbitrary long strings
1448  * from the DRBG without hitting the maximum request limitation.
1449  *
1450  * Parameters: see drbg_generate
1451  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1452  *		 the entire drbg_generate_long request fails
1453  */
1454 static int drbg_generate_long(struct drbg_state *drbg,
1455 			      unsigned char *buf, unsigned int buflen,
1456 			      struct drbg_string *addtl)
1457 {
1458 	int len = 0;
1459 	unsigned int slice = 0;
1460 	do {
1461 		int tmplen = 0;
1462 		unsigned int chunk = 0;
1463 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1464 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1465 		tmplen = drbg_generate(drbg, buf + len, chunk, addtl);
1466 		if (0 >= tmplen)
1467 			return tmplen;
1468 		len += tmplen;
1469 	} while (slice > 0 && (len < buflen));
1470 	return len;
1471 }
1472 
1473 /*
1474  * DRBG instantiation function as required by SP800-90A - this function
1475  * sets up the DRBG handle, performs the initial seeding and all sanity
1476  * checks required by SP800-90A
1477  *
1478  * @drbg memory of state -- if NULL, new memory is allocated
1479  * @pers Personalization string that is mixed into state, may be NULL -- note
1480  *	 the entropy is pulled by the DRBG internally unconditionally
1481  *	 as defined in SP800-90A. The additional input is mixed into
1482  *	 the state in addition to the pulled entropy.
1483  * @coreref reference to core
1484  * @pr prediction resistance enabled
1485  *
1486  * return
1487  *	0 on success
1488  *	error value otherwise
1489  */
1490 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1491 			    int coreref, bool pr)
1492 {
1493 	int ret = -ENOMEM;
1494 
1495 	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1496 		 "%s\n", coreref, pr ? "enabled" : "disabled");
1497 	drbg->core = &drbg_cores[coreref];
1498 	drbg->pr = pr;
1499 	drbg->seeded = false;
1500 	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1501 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1502 	case DRBG_HMAC:
1503 		drbg->d_ops = &drbg_hmac_ops;
1504 		break;
1505 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1506 #ifdef CONFIG_CRYPTO_DRBG_HASH
1507 	case DRBG_HASH:
1508 		drbg->d_ops = &drbg_hash_ops;
1509 		break;
1510 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1511 #ifdef CONFIG_CRYPTO_DRBG_CTR
1512 	case DRBG_CTR:
1513 		drbg->d_ops = &drbg_ctr_ops;
1514 		break;
1515 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1516 	default:
1517 		return -EOPNOTSUPP;
1518 	}
1519 
1520 	/* 9.1 step 1 is implicit with the selected DRBG type */
1521 
1522 	/*
1523 	 * 9.1 step 2 is implicit as caller can select prediction resistance
1524 	 * and the flag is copied into drbg->flags --
1525 	 * all DRBG types support prediction resistance
1526 	 */
1527 
1528 	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1529 
1530 	ret = drbg_alloc_state(drbg);
1531 	if (ret)
1532 		return ret;
1533 
1534 	ret = -EFAULT;
1535 	if (drbg->d_ops->crypto_init(drbg))
1536 		goto err;
1537 	ret = drbg_seed(drbg, pers, false);
1538 	drbg->d_ops->crypto_fini(drbg);
1539 	if (ret)
1540 		goto err;
1541 
1542 	return 0;
1543 
1544 err:
1545 	drbg_dealloc_state(drbg);
1546 	return ret;
1547 }
1548 
1549 /*
1550  * DRBG uninstantiate function as required by SP800-90A - this function
1551  * frees all buffers and the DRBG handle
1552  *
1553  * @drbg DRBG state handle
1554  *
1555  * return
1556  *	0 on success
1557  */
1558 static int drbg_uninstantiate(struct drbg_state *drbg)
1559 {
1560 	spin_lock_bh(&drbg->drbg_lock);
1561 	drbg_dealloc_state(drbg);
1562 	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1563 	spin_unlock_bh(&drbg->drbg_lock);
1564 	return 0;
1565 }
1566 
1567 /*
1568  * Helper function for setting the test data in the DRBG
1569  *
1570  * @drbg DRBG state handle
1571  * @test_data test data to sets
1572  */
1573 static inline void drbg_set_testdata(struct drbg_state *drbg,
1574 				     struct drbg_test_data *test_data)
1575 {
1576 	if (!test_data || !test_data->testentropy)
1577 		return;
1578 	spin_lock_bh(&drbg->drbg_lock);
1579 	drbg->test_data = test_data;
1580 	spin_unlock_bh(&drbg->drbg_lock);
1581 }
1582 
1583 /***************************************************************
1584  * Kernel crypto API cipher invocations requested by DRBG
1585  ***************************************************************/
1586 
1587 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1588 struct sdesc {
1589 	struct shash_desc shash;
1590 	char ctx[];
1591 };
1592 
1593 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1594 {
1595 	struct sdesc *sdesc;
1596 	struct crypto_shash *tfm;
1597 
1598 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1599 	if (IS_ERR(tfm)) {
1600 		pr_info("DRBG: could not allocate digest TFM handle\n");
1601 		return PTR_ERR(tfm);
1602 	}
1603 	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1604 	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1605 			GFP_KERNEL);
1606 	if (!sdesc) {
1607 		crypto_free_shash(tfm);
1608 		return -ENOMEM;
1609 	}
1610 
1611 	sdesc->shash.tfm = tfm;
1612 	sdesc->shash.flags = 0;
1613 	drbg->priv_data = sdesc;
1614 	return 0;
1615 }
1616 
1617 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1618 {
1619 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1620 	if (sdesc) {
1621 		crypto_free_shash(sdesc->shash.tfm);
1622 		kzfree(sdesc);
1623 	}
1624 	drbg->priv_data = NULL;
1625 	return 0;
1626 }
1627 
1628 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
1629 			   unsigned char *outval, const struct list_head *in)
1630 {
1631 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1632 	struct drbg_string *input = NULL;
1633 
1634 	if (key)
1635 		crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1636 	crypto_shash_init(&sdesc->shash);
1637 	list_for_each_entry(input, in, list)
1638 		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1639 	return crypto_shash_final(&sdesc->shash, outval);
1640 }
1641 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1642 
1643 #ifdef CONFIG_CRYPTO_DRBG_CTR
1644 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1645 {
1646 	int ret = 0;
1647 	struct crypto_blkcipher *tfm;
1648 
1649 	tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0);
1650 	if (IS_ERR(tfm)) {
1651 		pr_info("DRBG: could not allocate cipher TFM handle\n");
1652 		return PTR_ERR(tfm);
1653 	}
1654 	BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm));
1655 	drbg->priv_data = tfm;
1656 	return ret;
1657 }
1658 
1659 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1660 {
1661 	struct crypto_blkcipher *tfm =
1662 		(struct crypto_blkcipher *)drbg->priv_data;
1663 	if (tfm)
1664 		crypto_free_blkcipher(tfm);
1665 	drbg->priv_data = NULL;
1666 	return 0;
1667 }
1668 
1669 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
1670 			  unsigned char *outval, const struct drbg_string *in)
1671 {
1672 	int ret = 0;
1673 	struct scatterlist sg_in, sg_out;
1674 	struct blkcipher_desc desc;
1675 	struct crypto_blkcipher *tfm =
1676 		(struct crypto_blkcipher *)drbg->priv_data;
1677 
1678 	desc.tfm = tfm;
1679 	desc.flags = 0;
1680 	crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg)));
1681 	/* there is only component in *in */
1682 	sg_init_one(&sg_in, in->buf, in->len);
1683 	sg_init_one(&sg_out, outval, drbg_blocklen(drbg));
1684 	ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len);
1685 
1686 	return ret;
1687 }
1688 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1689 
1690 /***************************************************************
1691  * Kernel crypto API interface to register DRBG
1692  ***************************************************************/
1693 
1694 /*
1695  * Look up the DRBG flags by given kernel crypto API cra_name
1696  * The code uses the drbg_cores definition to do this
1697  *
1698  * @cra_name kernel crypto API cra_name
1699  * @coreref reference to integer which is filled with the pointer to
1700  *  the applicable core
1701  * @pr reference for setting prediction resistance
1702  *
1703  * return: flags
1704  */
1705 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1706 					 int *coreref, bool *pr)
1707 {
1708 	int i = 0;
1709 	size_t start = 0;
1710 	int len = 0;
1711 
1712 	*pr = true;
1713 	/* disassemble the names */
1714 	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1715 		start = 10;
1716 		*pr = false;
1717 	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1718 		start = 8;
1719 	} else {
1720 		return;
1721 	}
1722 
1723 	/* remove the first part */
1724 	len = strlen(cra_driver_name) - start;
1725 	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1726 		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1727 			    len)) {
1728 			*coreref = i;
1729 			return;
1730 		}
1731 	}
1732 }
1733 
1734 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1735 {
1736 	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1737 	bool pr = false;
1738 	int coreref = 0;
1739 
1740 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr);
1741 	/*
1742 	 * when personalization string is needed, the caller must call reset
1743 	 * and provide the personalization string as seed information
1744 	 */
1745 	return drbg_instantiate(drbg, NULL, coreref, pr);
1746 }
1747 
1748 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1749 {
1750 	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1751 }
1752 
1753 /*
1754  * Generate random numbers invoked by the kernel crypto API:
1755  * The API of the kernel crypto API is extended as follows:
1756  *
1757  * If dlen is larger than zero, rdata is interpreted as the output buffer
1758  * where random data is to be stored.
1759  *
1760  * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen
1761  * which holds the additional information string that is used for the
1762  * DRBG generation process. The output buffer that is to be used to store
1763  * data is also pointed to by struct drbg_gen.
1764  */
1765 static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata,
1766 			     unsigned int dlen)
1767 {
1768 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1769 	if (0 < dlen) {
1770 		return drbg_generate_long(drbg, rdata, dlen, NULL);
1771 	} else {
1772 		struct drbg_gen *data = (struct drbg_gen *)rdata;
1773 		struct drbg_string addtl;
1774 		/* catch NULL pointer */
1775 		if (!data)
1776 			return 0;
1777 		drbg_set_testdata(drbg, data->test_data);
1778 		/* linked list variable is now local to allow modification */
1779 		drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len);
1780 		return drbg_generate_long(drbg, data->outbuf, data->outlen,
1781 					  &addtl);
1782 	}
1783 }
1784 
1785 /*
1786  * Reset the DRBG invoked by the kernel crypto API
1787  * The reset implies a full re-initialization of the DRBG. Similar to the
1788  * generate function of drbg_kcapi_random, this function extends the
1789  * kernel crypto API interface with struct drbg_gen
1790  */
1791 static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
1792 {
1793 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1794 	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1795 	bool pr = false;
1796 	struct drbg_string seed_string;
1797 	int coreref = 0;
1798 
1799 	drbg_uninstantiate(drbg);
1800 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1801 			      &pr);
1802 	if (0 < slen) {
1803 		drbg_string_fill(&seed_string, seed, slen);
1804 		return drbg_instantiate(drbg, &seed_string, coreref, pr);
1805 	} else {
1806 		struct drbg_gen *data = (struct drbg_gen *)seed;
1807 		/* allow invocation of API call with NULL, 0 */
1808 		if (!data)
1809 			return drbg_instantiate(drbg, NULL, coreref, pr);
1810 		drbg_set_testdata(drbg, data->test_data);
1811 		/* linked list variable is now local to allow modification */
1812 		drbg_string_fill(&seed_string, data->addtl->buf,
1813 				 data->addtl->len);
1814 		return drbg_instantiate(drbg, &seed_string, coreref, pr);
1815 	}
1816 }
1817 
1818 /***************************************************************
1819  * Kernel module: code to load the module
1820  ***************************************************************/
1821 
1822 /*
1823  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1824  * of the error handling.
1825  *
1826  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1827  * as seed source of get_random_bytes does not fail.
1828  *
1829  * Note 2: There is no sensible way of testing the reseed counter
1830  * enforcement, so skip it.
1831  */
1832 static inline int __init drbg_healthcheck_sanity(void)
1833 {
1834 #ifdef CONFIG_CRYPTO_FIPS
1835 	int len = 0;
1836 #define OUTBUFLEN 16
1837 	unsigned char buf[OUTBUFLEN];
1838 	struct drbg_state *drbg = NULL;
1839 	int ret = -EFAULT;
1840 	int rc = -EFAULT;
1841 	bool pr = false;
1842 	int coreref = 0;
1843 	struct drbg_string addtl;
1844 	size_t max_addtllen, max_request_bytes;
1845 
1846 	/* only perform test in FIPS mode */
1847 	if (!fips_enabled)
1848 		return 0;
1849 
1850 #ifdef CONFIG_CRYPTO_DRBG_CTR
1851 	drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1852 #elif defined CONFIG_CRYPTO_DRBG_HASH
1853 	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1854 #else
1855 	drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1856 #endif
1857 
1858 	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1859 	if (!drbg)
1860 		return -ENOMEM;
1861 
1862 	/*
1863 	 * if the following tests fail, it is likely that there is a buffer
1864 	 * overflow as buf is much smaller than the requested or provided
1865 	 * string lengths -- in case the error handling does not succeed
1866 	 * we may get an OOPS. And we want to get an OOPS as this is a
1867 	 * grave bug.
1868 	 */
1869 
1870 	/* get a valid instance of DRBG for following tests */
1871 	ret = drbg_instantiate(drbg, NULL, coreref, pr);
1872 	if (ret) {
1873 		rc = ret;
1874 		goto outbuf;
1875 	}
1876 	max_addtllen = drbg_max_addtl(drbg);
1877 	max_request_bytes = drbg_max_request_bytes(drbg);
1878 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
1879 	/* overflow addtllen with additonal info string */
1880 	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1881 	BUG_ON(0 < len);
1882 	/* overflow max_bits */
1883 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1884 	BUG_ON(0 < len);
1885 	drbg_uninstantiate(drbg);
1886 
1887 	/* overflow max addtllen with personalization string */
1888 	ret = drbg_instantiate(drbg, &addtl, coreref, pr);
1889 	BUG_ON(0 == ret);
1890 	/* all tests passed */
1891 	rc = 0;
1892 
1893 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
1894 		 "completed\n");
1895 
1896 	drbg_uninstantiate(drbg);
1897 outbuf:
1898 	kzfree(drbg);
1899 	return rc;
1900 #else /* CONFIG_CRYPTO_FIPS */
1901 	return 0;
1902 #endif /* CONFIG_CRYPTO_FIPS */
1903 }
1904 
1905 static struct crypto_alg drbg_algs[22];
1906 
1907 /*
1908  * Fill the array drbg_algs used to register the different DRBGs
1909  * with the kernel crypto API. To fill the array, the information
1910  * from drbg_cores[] is used.
1911  */
1912 static inline void __init drbg_fill_array(struct crypto_alg *alg,
1913 					  const struct drbg_core *core, int pr)
1914 {
1915 	int pos = 0;
1916 	static int priority = 100;
1917 
1918 	memset(alg, 0, sizeof(struct crypto_alg));
1919 	memcpy(alg->cra_name, "stdrng", 6);
1920 	if (pr) {
1921 		memcpy(alg->cra_driver_name, "drbg_pr_", 8);
1922 		pos = 8;
1923 	} else {
1924 		memcpy(alg->cra_driver_name, "drbg_nopr_", 10);
1925 		pos = 10;
1926 	}
1927 	memcpy(alg->cra_driver_name + pos, core->cra_name,
1928 	       strlen(core->cra_name));
1929 
1930 	alg->cra_priority = priority;
1931 	priority++;
1932 	/*
1933 	 * If FIPS mode enabled, the selected DRBG shall have the
1934 	 * highest cra_priority over other stdrng instances to ensure
1935 	 * it is selected.
1936 	 */
1937 	if (fips_enabled)
1938 		alg->cra_priority += 200;
1939 
1940 	alg->cra_flags		= CRYPTO_ALG_TYPE_RNG;
1941 	alg->cra_ctxsize 	= sizeof(struct drbg_state);
1942 	alg->cra_type		= &crypto_rng_type;
1943 	alg->cra_module		= THIS_MODULE;
1944 	alg->cra_init		= drbg_kcapi_init;
1945 	alg->cra_exit		= drbg_kcapi_cleanup;
1946 	alg->cra_u.rng.rng_make_random	= drbg_kcapi_random;
1947 	alg->cra_u.rng.rng_reset	= drbg_kcapi_reset;
1948 	alg->cra_u.rng.seedsize	= 0;
1949 }
1950 
1951 static int __init drbg_init(void)
1952 {
1953 	unsigned int i = 0; /* pointer to drbg_algs */
1954 	unsigned int j = 0; /* pointer to drbg_cores */
1955 	int ret = -EFAULT;
1956 
1957 	ret = drbg_healthcheck_sanity();
1958 	if (ret)
1959 		return ret;
1960 
1961 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
1962 		pr_info("DRBG: Cannot register all DRBG types"
1963 			"(slots needed: %zu, slots available: %zu)\n",
1964 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
1965 		return ret;
1966 	}
1967 
1968 	/*
1969 	 * each DRBG definition can be used with PR and without PR, thus
1970 	 * we instantiate each DRBG in drbg_cores[] twice.
1971 	 *
1972 	 * As the order of placing them into the drbg_algs array matters
1973 	 * (the later DRBGs receive a higher cra_priority) we register the
1974 	 * prediction resistance DRBGs first as the should not be too
1975 	 * interesting.
1976 	 */
1977 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1978 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
1979 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1980 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
1981 	return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1982 }
1983 
1984 static void __exit drbg_exit(void)
1985 {
1986 	crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1987 }
1988 
1989 module_init(drbg_init);
1990 module_exit(drbg_exit);
1991 #ifndef CRYPTO_DRBG_HASH_STRING
1992 #define CRYPTO_DRBG_HASH_STRING ""
1993 #endif
1994 #ifndef CRYPTO_DRBG_HMAC_STRING
1995 #define CRYPTO_DRBG_HMAC_STRING ""
1996 #endif
1997 #ifndef CRYPTO_DRBG_CTR_STRING
1998 #define CRYPTO_DRBG_CTR_STRING ""
1999 #endif
2000 MODULE_LICENSE("GPL");
2001 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2002 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2003 		   "using following cores: "
2004 		   CRYPTO_DRBG_HASH_STRING
2005 		   CRYPTO_DRBG_HMAC_STRING
2006 		   CRYPTO_DRBG_CTR_STRING);
2007