1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * FIPS 140-2 continuous self test 224 * The test is performed on the result of one round of the output 225 * function. Thus, the function implicitly knows the size of the 226 * buffer. 227 * 228 * @drbg DRBG handle 229 * @buf output buffer of random data to be checked 230 * 231 * return: 232 * true on success 233 * false on error 234 */ 235 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 236 const unsigned char *buf) 237 { 238 #ifdef CONFIG_CRYPTO_FIPS 239 int ret = 0; 240 /* skip test if we test the overall system */ 241 if (list_empty(&drbg->test_data.list)) 242 return true; 243 /* only perform test in FIPS mode */ 244 if (0 == fips_enabled) 245 return true; 246 if (!drbg->fips_primed) { 247 /* Priming of FIPS test */ 248 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 249 drbg->fips_primed = true; 250 /* return false due to priming, i.e. another round is needed */ 251 return false; 252 } 253 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 254 if (!ret) 255 panic("DRBG continuous self test failed\n"); 256 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 257 /* the test shall pass when the two compared values are not equal */ 258 return ret != 0; 259 #else 260 return true; 261 #endif /* CONFIG_CRYPTO_FIPS */ 262 } 263 264 /* 265 * Convert an integer into a byte representation of this integer. 266 * The byte representation is big-endian 267 * 268 * @val value to be converted 269 * @buf buffer holding the converted integer -- caller must ensure that 270 * buffer size is at least 32 bit 271 */ 272 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 273 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 274 { 275 struct s { 276 __be32 conv; 277 }; 278 struct s *conversion = (struct s *) buf; 279 280 conversion->conv = cpu_to_be32(val); 281 } 282 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 283 284 /****************************************************************** 285 * CTR DRBG callback functions 286 ******************************************************************/ 287 288 #ifdef CONFIG_CRYPTO_DRBG_CTR 289 #define CRYPTO_DRBG_CTR_STRING "CTR " 290 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 291 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 292 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 293 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 294 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 295 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 296 297 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 298 unsigned char *outval, const struct drbg_string *in); 299 static int drbg_init_sym_kernel(struct drbg_state *drbg); 300 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 301 302 /* BCC function for CTR DRBG as defined in 10.4.3 */ 303 static int drbg_ctr_bcc(struct drbg_state *drbg, 304 unsigned char *out, const unsigned char *key, 305 struct list_head *in) 306 { 307 int ret = 0; 308 struct drbg_string *curr = NULL; 309 struct drbg_string data; 310 short cnt = 0; 311 312 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 313 314 /* 10.4.3 step 2 / 4 */ 315 list_for_each_entry(curr, in, list) { 316 const unsigned char *pos = curr->buf; 317 size_t len = curr->len; 318 /* 10.4.3 step 4.1 */ 319 while (len) { 320 /* 10.4.3 step 4.2 */ 321 if (drbg_blocklen(drbg) == cnt) { 322 cnt = 0; 323 ret = drbg_kcapi_sym(drbg, key, out, &data); 324 if (ret) 325 return ret; 326 } 327 out[cnt] ^= *pos; 328 pos++; 329 cnt++; 330 len--; 331 } 332 } 333 /* 10.4.3 step 4.2 for last block */ 334 if (cnt) 335 ret = drbg_kcapi_sym(drbg, key, out, &data); 336 337 return ret; 338 } 339 340 /* 341 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 342 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 343 * the scratchpad is used as follows: 344 * drbg_ctr_update: 345 * temp 346 * start: drbg->scratchpad 347 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 348 * note: the cipher writing into this variable works 349 * blocklen-wise. Now, when the statelen is not a multiple 350 * of blocklen, the generateion loop below "spills over" 351 * by at most blocklen. Thus, we need to give sufficient 352 * memory. 353 * df_data 354 * start: drbg->scratchpad + 355 * drbg_statelen(drbg) + drbg_blocklen(drbg) 356 * length: drbg_statelen(drbg) 357 * 358 * drbg_ctr_df: 359 * pad 360 * start: df_data + drbg_statelen(drbg) 361 * length: drbg_blocklen(drbg) 362 * iv 363 * start: pad + drbg_blocklen(drbg) 364 * length: drbg_blocklen(drbg) 365 * temp 366 * start: iv + drbg_blocklen(drbg) 367 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 368 * note: temp is the buffer that the BCC function operates 369 * on. BCC operates blockwise. drbg_statelen(drbg) 370 * is sufficient when the DRBG state length is a multiple 371 * of the block size. For AES192 (and maybe other ciphers) 372 * this is not correct and the length for temp is 373 * insufficient (yes, that also means for such ciphers, 374 * the final output of all BCC rounds are truncated). 375 * Therefore, add drbg_blocklen(drbg) to cover all 376 * possibilities. 377 */ 378 379 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 380 static int drbg_ctr_df(struct drbg_state *drbg, 381 unsigned char *df_data, size_t bytes_to_return, 382 struct list_head *seedlist) 383 { 384 int ret = -EFAULT; 385 unsigned char L_N[8]; 386 /* S3 is input */ 387 struct drbg_string S1, S2, S4, cipherin; 388 LIST_HEAD(bcc_list); 389 unsigned char *pad = df_data + drbg_statelen(drbg); 390 unsigned char *iv = pad + drbg_blocklen(drbg); 391 unsigned char *temp = iv + drbg_blocklen(drbg); 392 size_t padlen = 0; 393 unsigned int templen = 0; 394 /* 10.4.2 step 7 */ 395 unsigned int i = 0; 396 /* 10.4.2 step 8 */ 397 const unsigned char *K = (unsigned char *) 398 "\x00\x01\x02\x03\x04\x05\x06\x07" 399 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 400 "\x10\x11\x12\x13\x14\x15\x16\x17" 401 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 402 unsigned char *X; 403 size_t generated_len = 0; 404 size_t inputlen = 0; 405 struct drbg_string *seed = NULL; 406 407 memset(pad, 0, drbg_blocklen(drbg)); 408 memset(iv, 0, drbg_blocklen(drbg)); 409 410 /* 10.4.2 step 1 is implicit as we work byte-wise */ 411 412 /* 10.4.2 step 2 */ 413 if ((512/8) < bytes_to_return) 414 return -EINVAL; 415 416 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 417 list_for_each_entry(seed, seedlist, list) 418 inputlen += seed->len; 419 drbg_cpu_to_be32(inputlen, &L_N[0]); 420 421 /* 10.4.2 step 3 */ 422 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 423 424 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 425 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 426 /* wrap the padlen appropriately */ 427 if (padlen) 428 padlen = drbg_blocklen(drbg) - padlen; 429 /* 430 * pad / padlen contains the 0x80 byte and the following zero bytes. 431 * As the calculated padlen value only covers the number of zero 432 * bytes, this value has to be incremented by one for the 0x80 byte. 433 */ 434 padlen++; 435 pad[0] = 0x80; 436 437 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 438 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 439 list_add_tail(&S1.list, &bcc_list); 440 drbg_string_fill(&S2, L_N, sizeof(L_N)); 441 list_add_tail(&S2.list, &bcc_list); 442 list_splice_tail(seedlist, &bcc_list); 443 drbg_string_fill(&S4, pad, padlen); 444 list_add_tail(&S4.list, &bcc_list); 445 446 /* 10.4.2 step 9 */ 447 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 448 /* 449 * 10.4.2 step 9.1 - the padding is implicit as the buffer 450 * holds zeros after allocation -- even the increment of i 451 * is irrelevant as the increment remains within length of i 452 */ 453 drbg_cpu_to_be32(i, iv); 454 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 455 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 456 if (ret) 457 goto out; 458 /* 10.4.2 step 9.3 */ 459 i++; 460 templen += drbg_blocklen(drbg); 461 } 462 463 /* 10.4.2 step 11 */ 464 X = temp + (drbg_keylen(drbg)); 465 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 466 467 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 468 469 /* 10.4.2 step 13 */ 470 while (generated_len < bytes_to_return) { 471 short blocklen = 0; 472 /* 473 * 10.4.2 step 13.1: the truncation of the key length is 474 * implicit as the key is only drbg_blocklen in size based on 475 * the implementation of the cipher function callback 476 */ 477 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 478 if (ret) 479 goto out; 480 blocklen = (drbg_blocklen(drbg) < 481 (bytes_to_return - generated_len)) ? 482 drbg_blocklen(drbg) : 483 (bytes_to_return - generated_len); 484 /* 10.4.2 step 13.2 and 14 */ 485 memcpy(df_data + generated_len, X, blocklen); 486 generated_len += blocklen; 487 } 488 489 ret = 0; 490 491 out: 492 memset(iv, 0, drbg_blocklen(drbg)); 493 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 494 memset(pad, 0, drbg_blocklen(drbg)); 495 return ret; 496 } 497 498 /* 499 * update function of CTR DRBG as defined in 10.2.1.2 500 * 501 * The reseed variable has an enhanced meaning compared to the update 502 * functions of the other DRBGs as follows: 503 * 0 => initial seed from initialization 504 * 1 => reseed via drbg_seed 505 * 2 => first invocation from drbg_ctr_update when addtl is present. In 506 * this case, the df_data scratchpad is not deleted so that it is 507 * available for another calls to prevent calling the DF function 508 * again. 509 * 3 => second invocation from drbg_ctr_update. When the update function 510 * was called with addtl, the df_data memory already contains the 511 * DFed addtl information and we do not need to call DF again. 512 */ 513 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 514 int reseed) 515 { 516 int ret = -EFAULT; 517 /* 10.2.1.2 step 1 */ 518 unsigned char *temp = drbg->scratchpad; 519 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 520 drbg_blocklen(drbg); 521 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 522 unsigned int len = 0; 523 struct drbg_string cipherin; 524 525 if (3 > reseed) 526 memset(df_data, 0, drbg_statelen(drbg)); 527 528 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 529 if (seed) { 530 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 531 if (ret) 532 goto out; 533 } 534 535 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 536 /* 537 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 538 * zeroizes all memory during initialization 539 */ 540 while (len < (drbg_statelen(drbg))) { 541 /* 10.2.1.2 step 2.1 */ 542 crypto_inc(drbg->V, drbg_blocklen(drbg)); 543 /* 544 * 10.2.1.2 step 2.2 */ 545 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 546 if (ret) 547 goto out; 548 /* 10.2.1.2 step 2.3 and 3 */ 549 len += drbg_blocklen(drbg); 550 } 551 552 /* 10.2.1.2 step 4 */ 553 temp_p = temp; 554 df_data_p = df_data; 555 for (len = 0; len < drbg_statelen(drbg); len++) { 556 *temp_p ^= *df_data_p; 557 df_data_p++; temp_p++; 558 } 559 560 /* 10.2.1.2 step 5 */ 561 memcpy(drbg->C, temp, drbg_keylen(drbg)); 562 /* 10.2.1.2 step 6 */ 563 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 564 ret = 0; 565 566 out: 567 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 568 if (2 != reseed) 569 memset(df_data, 0, drbg_statelen(drbg)); 570 return ret; 571 } 572 573 /* 574 * scratchpad use: drbg_ctr_update is called independently from 575 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 576 */ 577 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 578 static int drbg_ctr_generate(struct drbg_state *drbg, 579 unsigned char *buf, unsigned int buflen, 580 struct list_head *addtl) 581 { 582 int len = 0; 583 int ret = 0; 584 struct drbg_string data; 585 586 /* 10.2.1.5.2 step 2 */ 587 if (addtl && !list_empty(addtl)) { 588 ret = drbg_ctr_update(drbg, addtl, 2); 589 if (ret) 590 return 0; 591 } 592 593 /* 10.2.1.5.2 step 4.1 */ 594 crypto_inc(drbg->V, drbg_blocklen(drbg)); 595 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 596 while (len < buflen) { 597 int outlen = 0; 598 /* 10.2.1.5.2 step 4.2 */ 599 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 600 if (ret) { 601 len = ret; 602 goto out; 603 } 604 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 605 drbg_blocklen(drbg) : (buflen - len); 606 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 607 /* 10.2.1.5.2 step 6 */ 608 crypto_inc(drbg->V, drbg_blocklen(drbg)); 609 continue; 610 } 611 /* 10.2.1.5.2 step 4.3 */ 612 memcpy(buf + len, drbg->scratchpad, outlen); 613 len += outlen; 614 /* 10.2.1.5.2 step 6 */ 615 if (len < buflen) 616 crypto_inc(drbg->V, drbg_blocklen(drbg)); 617 } 618 619 /* 10.2.1.5.2 step 6 */ 620 ret = drbg_ctr_update(drbg, NULL, 3); 621 if (ret) 622 len = ret; 623 624 out: 625 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 626 return len; 627 } 628 629 static struct drbg_state_ops drbg_ctr_ops = { 630 .update = drbg_ctr_update, 631 .generate = drbg_ctr_generate, 632 .crypto_init = drbg_init_sym_kernel, 633 .crypto_fini = drbg_fini_sym_kernel, 634 }; 635 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 636 637 /****************************************************************** 638 * HMAC DRBG callback functions 639 ******************************************************************/ 640 641 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 642 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 643 unsigned char *outval, const struct list_head *in); 644 static int drbg_init_hash_kernel(struct drbg_state *drbg); 645 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 646 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 647 648 #ifdef CONFIG_CRYPTO_DRBG_HMAC 649 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 650 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 651 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 652 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 653 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 654 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 655 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 656 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 657 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 658 659 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 660 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 661 int reseed) 662 { 663 int ret = -EFAULT; 664 int i = 0; 665 struct drbg_string seed1, seed2, vdata; 666 LIST_HEAD(seedlist); 667 LIST_HEAD(vdatalist); 668 669 if (!reseed) 670 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 671 memset(drbg->V, 1, drbg_statelen(drbg)); 672 673 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 674 list_add_tail(&seed1.list, &seedlist); 675 /* buffer of seed2 will be filled in for loop below with one byte */ 676 drbg_string_fill(&seed2, NULL, 1); 677 list_add_tail(&seed2.list, &seedlist); 678 /* input data of seed is allowed to be NULL at this point */ 679 if (seed) 680 list_splice_tail(seed, &seedlist); 681 682 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 683 list_add_tail(&vdata.list, &vdatalist); 684 for (i = 2; 0 < i; i--) { 685 /* first round uses 0x0, second 0x1 */ 686 unsigned char prefix = DRBG_PREFIX0; 687 if (1 == i) 688 prefix = DRBG_PREFIX1; 689 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 690 seed2.buf = &prefix; 691 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 692 if (ret) 693 return ret; 694 695 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 696 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 697 if (ret) 698 return ret; 699 700 /* 10.1.2.2 step 3 */ 701 if (!seed) 702 return ret; 703 } 704 705 return 0; 706 } 707 708 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 709 static int drbg_hmac_generate(struct drbg_state *drbg, 710 unsigned char *buf, 711 unsigned int buflen, 712 struct list_head *addtl) 713 { 714 int len = 0; 715 int ret = 0; 716 struct drbg_string data; 717 LIST_HEAD(datalist); 718 719 /* 10.1.2.5 step 2 */ 720 if (addtl && !list_empty(addtl)) { 721 ret = drbg_hmac_update(drbg, addtl, 1); 722 if (ret) 723 return ret; 724 } 725 726 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 727 list_add_tail(&data.list, &datalist); 728 while (len < buflen) { 729 unsigned int outlen = 0; 730 /* 10.1.2.5 step 4.1 */ 731 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 732 if (ret) 733 return ret; 734 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 735 drbg_blocklen(drbg) : (buflen - len); 736 if (!drbg_fips_continuous_test(drbg, drbg->V)) 737 continue; 738 739 /* 10.1.2.5 step 4.2 */ 740 memcpy(buf + len, drbg->V, outlen); 741 len += outlen; 742 } 743 744 /* 10.1.2.5 step 6 */ 745 if (addtl && !list_empty(addtl)) 746 ret = drbg_hmac_update(drbg, addtl, 1); 747 else 748 ret = drbg_hmac_update(drbg, NULL, 1); 749 if (ret) 750 return ret; 751 752 return len; 753 } 754 755 static struct drbg_state_ops drbg_hmac_ops = { 756 .update = drbg_hmac_update, 757 .generate = drbg_hmac_generate, 758 .crypto_init = drbg_init_hash_kernel, 759 .crypto_fini = drbg_fini_hash_kernel, 760 }; 761 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 762 763 /****************************************************************** 764 * Hash DRBG callback functions 765 ******************************************************************/ 766 767 #ifdef CONFIG_CRYPTO_DRBG_HASH 768 #define CRYPTO_DRBG_HASH_STRING "HASH " 769 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 770 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 771 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 772 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 773 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 774 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 775 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 776 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 777 778 /* 779 * Increment buffer 780 * 781 * @dst buffer to increment 782 * @add value to add 783 */ 784 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 785 const unsigned char *add, size_t addlen) 786 { 787 /* implied: dstlen > addlen */ 788 unsigned char *dstptr; 789 const unsigned char *addptr; 790 unsigned int remainder = 0; 791 size_t len = addlen; 792 793 dstptr = dst + (dstlen-1); 794 addptr = add + (addlen-1); 795 while (len) { 796 remainder += *dstptr + *addptr; 797 *dstptr = remainder & 0xff; 798 remainder >>= 8; 799 len--; dstptr--; addptr--; 800 } 801 len = dstlen - addlen; 802 while (len && remainder > 0) { 803 remainder = *dstptr + 1; 804 *dstptr = remainder & 0xff; 805 remainder >>= 8; 806 len--; dstptr--; 807 } 808 } 809 810 /* 811 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 812 * interlinked, the scratchpad is used as follows: 813 * drbg_hash_update 814 * start: drbg->scratchpad 815 * length: drbg_statelen(drbg) 816 * drbg_hash_df: 817 * start: drbg->scratchpad + drbg_statelen(drbg) 818 * length: drbg_blocklen(drbg) 819 * 820 * drbg_hash_process_addtl uses the scratchpad, but fully completes 821 * before either of the functions mentioned before are invoked. Therefore, 822 * drbg_hash_process_addtl does not need to be specifically considered. 823 */ 824 825 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 826 static int drbg_hash_df(struct drbg_state *drbg, 827 unsigned char *outval, size_t outlen, 828 struct list_head *entropylist) 829 { 830 int ret = 0; 831 size_t len = 0; 832 unsigned char input[5]; 833 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 834 struct drbg_string data; 835 836 /* 10.4.1 step 3 */ 837 input[0] = 1; 838 drbg_cpu_to_be32((outlen * 8), &input[1]); 839 840 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 841 drbg_string_fill(&data, input, 5); 842 list_add(&data.list, entropylist); 843 844 /* 10.4.1 step 4 */ 845 while (len < outlen) { 846 short blocklen = 0; 847 /* 10.4.1 step 4.1 */ 848 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 849 if (ret) 850 goto out; 851 /* 10.4.1 step 4.2 */ 852 input[0]++; 853 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 854 drbg_blocklen(drbg) : (outlen - len); 855 memcpy(outval + len, tmp, blocklen); 856 len += blocklen; 857 } 858 859 out: 860 memset(tmp, 0, drbg_blocklen(drbg)); 861 return ret; 862 } 863 864 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 865 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 866 int reseed) 867 { 868 int ret = 0; 869 struct drbg_string data1, data2; 870 LIST_HEAD(datalist); 871 LIST_HEAD(datalist2); 872 unsigned char *V = drbg->scratchpad; 873 unsigned char prefix = DRBG_PREFIX1; 874 875 if (!seed) 876 return -EINVAL; 877 878 if (reseed) { 879 /* 10.1.1.3 step 1 */ 880 memcpy(V, drbg->V, drbg_statelen(drbg)); 881 drbg_string_fill(&data1, &prefix, 1); 882 list_add_tail(&data1.list, &datalist); 883 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 884 list_add_tail(&data2.list, &datalist); 885 } 886 list_splice_tail(seed, &datalist); 887 888 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 889 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 890 if (ret) 891 goto out; 892 893 /* 10.1.1.2 / 10.1.1.3 step 4 */ 894 prefix = DRBG_PREFIX0; 895 drbg_string_fill(&data1, &prefix, 1); 896 list_add_tail(&data1.list, &datalist2); 897 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 898 list_add_tail(&data2.list, &datalist2); 899 /* 10.1.1.2 / 10.1.1.3 step 4 */ 900 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 901 902 out: 903 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 904 return ret; 905 } 906 907 /* processing of additional information string for Hash DRBG */ 908 static int drbg_hash_process_addtl(struct drbg_state *drbg, 909 struct list_head *addtl) 910 { 911 int ret = 0; 912 struct drbg_string data1, data2; 913 LIST_HEAD(datalist); 914 unsigned char prefix = DRBG_PREFIX2; 915 916 /* 10.1.1.4 step 2 */ 917 if (!addtl || list_empty(addtl)) 918 return 0; 919 920 /* 10.1.1.4 step 2a */ 921 drbg_string_fill(&data1, &prefix, 1); 922 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 923 list_add_tail(&data1.list, &datalist); 924 list_add_tail(&data2.list, &datalist); 925 list_splice_tail(addtl, &datalist); 926 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 927 if (ret) 928 goto out; 929 930 /* 10.1.1.4 step 2b */ 931 drbg_add_buf(drbg->V, drbg_statelen(drbg), 932 drbg->scratchpad, drbg_blocklen(drbg)); 933 934 out: 935 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 936 return ret; 937 } 938 939 /* Hashgen defined in 10.1.1.4 */ 940 static int drbg_hash_hashgen(struct drbg_state *drbg, 941 unsigned char *buf, 942 unsigned int buflen) 943 { 944 int len = 0; 945 int ret = 0; 946 unsigned char *src = drbg->scratchpad; 947 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 948 struct drbg_string data; 949 LIST_HEAD(datalist); 950 951 /* 10.1.1.4 step hashgen 2 */ 952 memcpy(src, drbg->V, drbg_statelen(drbg)); 953 954 drbg_string_fill(&data, src, drbg_statelen(drbg)); 955 list_add_tail(&data.list, &datalist); 956 while (len < buflen) { 957 unsigned int outlen = 0; 958 /* 10.1.1.4 step hashgen 4.1 */ 959 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 960 if (ret) { 961 len = ret; 962 goto out; 963 } 964 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 965 drbg_blocklen(drbg) : (buflen - len); 966 if (!drbg_fips_continuous_test(drbg, dst)) { 967 crypto_inc(src, drbg_statelen(drbg)); 968 continue; 969 } 970 /* 10.1.1.4 step hashgen 4.2 */ 971 memcpy(buf + len, dst, outlen); 972 len += outlen; 973 /* 10.1.1.4 hashgen step 4.3 */ 974 if (len < buflen) 975 crypto_inc(src, drbg_statelen(drbg)); 976 } 977 978 out: 979 memset(drbg->scratchpad, 0, 980 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 981 return len; 982 } 983 984 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 985 static int drbg_hash_generate(struct drbg_state *drbg, 986 unsigned char *buf, unsigned int buflen, 987 struct list_head *addtl) 988 { 989 int len = 0; 990 int ret = 0; 991 union { 992 unsigned char req[8]; 993 __be64 req_int; 994 } u; 995 unsigned char prefix = DRBG_PREFIX3; 996 struct drbg_string data1, data2; 997 LIST_HEAD(datalist); 998 999 /* 10.1.1.4 step 2 */ 1000 ret = drbg_hash_process_addtl(drbg, addtl); 1001 if (ret) 1002 return ret; 1003 /* 10.1.1.4 step 3 */ 1004 len = drbg_hash_hashgen(drbg, buf, buflen); 1005 1006 /* this is the value H as documented in 10.1.1.4 */ 1007 /* 10.1.1.4 step 4 */ 1008 drbg_string_fill(&data1, &prefix, 1); 1009 list_add_tail(&data1.list, &datalist); 1010 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1011 list_add_tail(&data2.list, &datalist); 1012 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1013 if (ret) { 1014 len = ret; 1015 goto out; 1016 } 1017 1018 /* 10.1.1.4 step 5 */ 1019 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1020 drbg->scratchpad, drbg_blocklen(drbg)); 1021 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1022 drbg->C, drbg_statelen(drbg)); 1023 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1024 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1025 1026 out: 1027 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1028 return len; 1029 } 1030 1031 /* 1032 * scratchpad usage: as update and generate are used isolated, both 1033 * can use the scratchpad 1034 */ 1035 static struct drbg_state_ops drbg_hash_ops = { 1036 .update = drbg_hash_update, 1037 .generate = drbg_hash_generate, 1038 .crypto_init = drbg_init_hash_kernel, 1039 .crypto_fini = drbg_fini_hash_kernel, 1040 }; 1041 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1042 1043 /****************************************************************** 1044 * Functions common for DRBG implementations 1045 ******************************************************************/ 1046 1047 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1048 int reseed) 1049 { 1050 int ret = drbg->d_ops->update(drbg, seed, reseed); 1051 1052 if (ret) 1053 return ret; 1054 1055 drbg->seeded = true; 1056 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1057 drbg->reseed_ctr = 1; 1058 1059 return ret; 1060 } 1061 1062 static void drbg_async_seed(struct work_struct *work) 1063 { 1064 struct drbg_string data; 1065 LIST_HEAD(seedlist); 1066 struct drbg_state *drbg = container_of(work, struct drbg_state, 1067 seed_work); 1068 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1069 unsigned char entropy[32]; 1070 1071 BUG_ON(!entropylen); 1072 BUG_ON(entropylen > sizeof(entropy)); 1073 get_random_bytes(entropy, entropylen); 1074 1075 drbg_string_fill(&data, entropy, entropylen); 1076 list_add_tail(&data.list, &seedlist); 1077 1078 mutex_lock(&drbg->drbg_mutex); 1079 1080 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1081 crypto_free_rng(drbg->jent); 1082 drbg->jent = NULL; 1083 1084 /* Set seeded to false so that if __drbg_seed fails the 1085 * next generate call will trigger a reseed. 1086 */ 1087 drbg->seeded = false; 1088 1089 __drbg_seed(drbg, &seedlist, true); 1090 1091 if (drbg->seeded) 1092 drbg->reseed_threshold = drbg_max_requests(drbg); 1093 1094 mutex_unlock(&drbg->drbg_mutex); 1095 1096 memzero_explicit(entropy, entropylen); 1097 } 1098 1099 /* 1100 * Seeding or reseeding of the DRBG 1101 * 1102 * @drbg: DRBG state struct 1103 * @pers: personalization / additional information buffer 1104 * @reseed: 0 for initial seed process, 1 for reseeding 1105 * 1106 * return: 1107 * 0 on success 1108 * error value otherwise 1109 */ 1110 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1111 bool reseed) 1112 { 1113 int ret; 1114 unsigned char entropy[((32 + 16) * 2)]; 1115 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1116 struct drbg_string data1; 1117 LIST_HEAD(seedlist); 1118 1119 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1120 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1121 pr_devel("DRBG: personalization string too long %zu\n", 1122 pers->len); 1123 return -EINVAL; 1124 } 1125 1126 if (list_empty(&drbg->test_data.list)) { 1127 drbg_string_fill(&data1, drbg->test_data.buf, 1128 drbg->test_data.len); 1129 pr_devel("DRBG: using test entropy\n"); 1130 } else { 1131 /* 1132 * Gather entropy equal to the security strength of the DRBG. 1133 * With a derivation function, a nonce is required in addition 1134 * to the entropy. A nonce must be at least 1/2 of the security 1135 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1136 * of the strength. The consideration of a nonce is only 1137 * applicable during initial seeding. 1138 */ 1139 BUG_ON(!entropylen); 1140 if (!reseed) 1141 entropylen = ((entropylen + 1) / 2) * 3; 1142 BUG_ON((entropylen * 2) > sizeof(entropy)); 1143 1144 /* Get seed from in-kernel /dev/urandom */ 1145 get_random_bytes(entropy, entropylen); 1146 1147 if (!drbg->jent) { 1148 drbg_string_fill(&data1, entropy, entropylen); 1149 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1150 entropylen); 1151 } else { 1152 /* Get seed from Jitter RNG */ 1153 ret = crypto_rng_get_bytes(drbg->jent, 1154 entropy + entropylen, 1155 entropylen); 1156 if (ret) { 1157 pr_devel("DRBG: jent failed with %d\n", ret); 1158 return ret; 1159 } 1160 1161 drbg_string_fill(&data1, entropy, entropylen * 2); 1162 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1163 entropylen * 2); 1164 } 1165 } 1166 list_add_tail(&data1.list, &seedlist); 1167 1168 /* 1169 * concatenation of entropy with personalization str / addtl input) 1170 * the variable pers is directly handed in by the caller, so check its 1171 * contents whether it is appropriate 1172 */ 1173 if (pers && pers->buf && 0 < pers->len) { 1174 list_add_tail(&pers->list, &seedlist); 1175 pr_devel("DRBG: using personalization string\n"); 1176 } 1177 1178 if (!reseed) { 1179 memset(drbg->V, 0, drbg_statelen(drbg)); 1180 memset(drbg->C, 0, drbg_statelen(drbg)); 1181 } 1182 1183 ret = __drbg_seed(drbg, &seedlist, reseed); 1184 1185 memzero_explicit(entropy, entropylen * 2); 1186 1187 return ret; 1188 } 1189 1190 /* Free all substructures in a DRBG state without the DRBG state structure */ 1191 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1192 { 1193 if (!drbg) 1194 return; 1195 kzfree(drbg->V); 1196 drbg->V = NULL; 1197 kzfree(drbg->C); 1198 drbg->C = NULL; 1199 kzfree(drbg->scratchpad); 1200 drbg->scratchpad = NULL; 1201 drbg->reseed_ctr = 0; 1202 drbg->d_ops = NULL; 1203 drbg->core = NULL; 1204 #ifdef CONFIG_CRYPTO_FIPS 1205 kzfree(drbg->prev); 1206 drbg->prev = NULL; 1207 drbg->fips_primed = false; 1208 #endif 1209 } 1210 1211 /* 1212 * Allocate all sub-structures for a DRBG state. 1213 * The DRBG state structure must already be allocated. 1214 */ 1215 static inline int drbg_alloc_state(struct drbg_state *drbg) 1216 { 1217 int ret = -ENOMEM; 1218 unsigned int sb_size = 0; 1219 1220 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1221 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1222 case DRBG_HMAC: 1223 drbg->d_ops = &drbg_hmac_ops; 1224 break; 1225 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1226 #ifdef CONFIG_CRYPTO_DRBG_HASH 1227 case DRBG_HASH: 1228 drbg->d_ops = &drbg_hash_ops; 1229 break; 1230 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1231 #ifdef CONFIG_CRYPTO_DRBG_CTR 1232 case DRBG_CTR: 1233 drbg->d_ops = &drbg_ctr_ops; 1234 break; 1235 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1236 default: 1237 ret = -EOPNOTSUPP; 1238 goto err; 1239 } 1240 1241 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1242 if (!drbg->V) 1243 goto err; 1244 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1245 if (!drbg->C) 1246 goto err; 1247 #ifdef CONFIG_CRYPTO_FIPS 1248 drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1249 if (!drbg->prev) 1250 goto err; 1251 drbg->fips_primed = false; 1252 #endif 1253 /* scratchpad is only generated for CTR and Hash */ 1254 if (drbg->core->flags & DRBG_HMAC) 1255 sb_size = 0; 1256 else if (drbg->core->flags & DRBG_CTR) 1257 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1258 drbg_statelen(drbg) + /* df_data */ 1259 drbg_blocklen(drbg) + /* pad */ 1260 drbg_blocklen(drbg) + /* iv */ 1261 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1262 else 1263 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1264 1265 if (0 < sb_size) { 1266 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1267 if (!drbg->scratchpad) 1268 goto err; 1269 } 1270 1271 return 0; 1272 1273 err: 1274 drbg_dealloc_state(drbg); 1275 return ret; 1276 } 1277 1278 /************************************************************************* 1279 * DRBG interface functions 1280 *************************************************************************/ 1281 1282 /* 1283 * DRBG generate function as required by SP800-90A - this function 1284 * generates random numbers 1285 * 1286 * @drbg DRBG state handle 1287 * @buf Buffer where to store the random numbers -- the buffer must already 1288 * be pre-allocated by caller 1289 * @buflen Length of output buffer - this value defines the number of random 1290 * bytes pulled from DRBG 1291 * @addtl Additional input that is mixed into state, may be NULL -- note 1292 * the entropy is pulled by the DRBG internally unconditionally 1293 * as defined in SP800-90A. The additional input is mixed into 1294 * the state in addition to the pulled entropy. 1295 * 1296 * return: 0 when all bytes are generated; < 0 in case of an error 1297 */ 1298 static int drbg_generate(struct drbg_state *drbg, 1299 unsigned char *buf, unsigned int buflen, 1300 struct drbg_string *addtl) 1301 { 1302 int len = 0; 1303 LIST_HEAD(addtllist); 1304 1305 if (!drbg->core) { 1306 pr_devel("DRBG: not yet seeded\n"); 1307 return -EINVAL; 1308 } 1309 if (0 == buflen || !buf) { 1310 pr_devel("DRBG: no output buffer provided\n"); 1311 return -EINVAL; 1312 } 1313 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1314 pr_devel("DRBG: wrong format of additional information\n"); 1315 return -EINVAL; 1316 } 1317 1318 /* 9.3.1 step 2 */ 1319 len = -EINVAL; 1320 if (buflen > (drbg_max_request_bytes(drbg))) { 1321 pr_devel("DRBG: requested random numbers too large %u\n", 1322 buflen); 1323 goto err; 1324 } 1325 1326 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1327 1328 /* 9.3.1 step 4 */ 1329 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1330 pr_devel("DRBG: additional information string too long %zu\n", 1331 addtl->len); 1332 goto err; 1333 } 1334 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1335 1336 /* 1337 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1338 * here. The spec is a bit convoluted here, we make it simpler. 1339 */ 1340 if (drbg->reseed_threshold < drbg->reseed_ctr) 1341 drbg->seeded = false; 1342 1343 if (drbg->pr || !drbg->seeded) { 1344 pr_devel("DRBG: reseeding before generation (prediction " 1345 "resistance: %s, state %s)\n", 1346 drbg->pr ? "true" : "false", 1347 drbg->seeded ? "seeded" : "unseeded"); 1348 /* 9.3.1 steps 7.1 through 7.3 */ 1349 len = drbg_seed(drbg, addtl, true); 1350 if (len) 1351 goto err; 1352 /* 9.3.1 step 7.4 */ 1353 addtl = NULL; 1354 } 1355 1356 if (addtl && 0 < addtl->len) 1357 list_add_tail(&addtl->list, &addtllist); 1358 /* 9.3.1 step 8 and 10 */ 1359 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1360 1361 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1362 drbg->reseed_ctr++; 1363 if (0 >= len) 1364 goto err; 1365 1366 /* 1367 * Section 11.3.3 requires to re-perform self tests after some 1368 * generated random numbers. The chosen value after which self 1369 * test is performed is arbitrary, but it should be reasonable. 1370 * However, we do not perform the self tests because of the following 1371 * reasons: it is mathematically impossible that the initial self tests 1372 * were successfully and the following are not. If the initial would 1373 * pass and the following would not, the kernel integrity is violated. 1374 * In this case, the entire kernel operation is questionable and it 1375 * is unlikely that the integrity violation only affects the 1376 * correct operation of the DRBG. 1377 * 1378 * Albeit the following code is commented out, it is provided in 1379 * case somebody has a need to implement the test of 11.3.3. 1380 */ 1381 #if 0 1382 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1383 int err = 0; 1384 pr_devel("DRBG: start to perform self test\n"); 1385 if (drbg->core->flags & DRBG_HMAC) 1386 err = alg_test("drbg_pr_hmac_sha256", 1387 "drbg_pr_hmac_sha256", 0, 0); 1388 else if (drbg->core->flags & DRBG_CTR) 1389 err = alg_test("drbg_pr_ctr_aes128", 1390 "drbg_pr_ctr_aes128", 0, 0); 1391 else 1392 err = alg_test("drbg_pr_sha256", 1393 "drbg_pr_sha256", 0, 0); 1394 if (err) { 1395 pr_err("DRBG: periodical self test failed\n"); 1396 /* 1397 * uninstantiate implies that from now on, only errors 1398 * are returned when reusing this DRBG cipher handle 1399 */ 1400 drbg_uninstantiate(drbg); 1401 return 0; 1402 } else { 1403 pr_devel("DRBG: self test successful\n"); 1404 } 1405 } 1406 #endif 1407 1408 /* 1409 * All operations were successful, return 0 as mandated by 1410 * the kernel crypto API interface. 1411 */ 1412 len = 0; 1413 err: 1414 return len; 1415 } 1416 1417 /* 1418 * Wrapper around drbg_generate which can pull arbitrary long strings 1419 * from the DRBG without hitting the maximum request limitation. 1420 * 1421 * Parameters: see drbg_generate 1422 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1423 * the entire drbg_generate_long request fails 1424 */ 1425 static int drbg_generate_long(struct drbg_state *drbg, 1426 unsigned char *buf, unsigned int buflen, 1427 struct drbg_string *addtl) 1428 { 1429 unsigned int len = 0; 1430 unsigned int slice = 0; 1431 do { 1432 int err = 0; 1433 unsigned int chunk = 0; 1434 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1435 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1436 mutex_lock(&drbg->drbg_mutex); 1437 err = drbg_generate(drbg, buf + len, chunk, addtl); 1438 mutex_unlock(&drbg->drbg_mutex); 1439 if (0 > err) 1440 return err; 1441 len += chunk; 1442 } while (slice > 0 && (len < buflen)); 1443 return 0; 1444 } 1445 1446 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1447 { 1448 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1449 random_ready); 1450 1451 schedule_work(&drbg->seed_work); 1452 } 1453 1454 static int drbg_prepare_hrng(struct drbg_state *drbg) 1455 { 1456 int err; 1457 1458 /* We do not need an HRNG in test mode. */ 1459 if (list_empty(&drbg->test_data.list)) 1460 return 0; 1461 1462 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1463 1464 drbg->random_ready.owner = THIS_MODULE; 1465 drbg->random_ready.func = drbg_schedule_async_seed; 1466 1467 err = add_random_ready_callback(&drbg->random_ready); 1468 1469 switch (err) { 1470 case 0: 1471 break; 1472 1473 case -EALREADY: 1474 err = 0; 1475 /* fall through */ 1476 1477 default: 1478 drbg->random_ready.func = NULL; 1479 return err; 1480 } 1481 1482 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1483 1484 /* 1485 * Require frequent reseeds until the seed source is fully 1486 * initialized. 1487 */ 1488 drbg->reseed_threshold = 50; 1489 1490 return err; 1491 } 1492 1493 /* 1494 * DRBG instantiation function as required by SP800-90A - this function 1495 * sets up the DRBG handle, performs the initial seeding and all sanity 1496 * checks required by SP800-90A 1497 * 1498 * @drbg memory of state -- if NULL, new memory is allocated 1499 * @pers Personalization string that is mixed into state, may be NULL -- note 1500 * the entropy is pulled by the DRBG internally unconditionally 1501 * as defined in SP800-90A. The additional input is mixed into 1502 * the state in addition to the pulled entropy. 1503 * @coreref reference to core 1504 * @pr prediction resistance enabled 1505 * 1506 * return 1507 * 0 on success 1508 * error value otherwise 1509 */ 1510 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1511 int coreref, bool pr) 1512 { 1513 int ret; 1514 bool reseed = true; 1515 1516 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1517 "%s\n", coreref, pr ? "enabled" : "disabled"); 1518 mutex_lock(&drbg->drbg_mutex); 1519 1520 /* 9.1 step 1 is implicit with the selected DRBG type */ 1521 1522 /* 1523 * 9.1 step 2 is implicit as caller can select prediction resistance 1524 * and the flag is copied into drbg->flags -- 1525 * all DRBG types support prediction resistance 1526 */ 1527 1528 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1529 1530 if (!drbg->core) { 1531 drbg->core = &drbg_cores[coreref]; 1532 drbg->pr = pr; 1533 drbg->seeded = false; 1534 drbg->reseed_threshold = drbg_max_requests(drbg); 1535 1536 ret = drbg_alloc_state(drbg); 1537 if (ret) 1538 goto unlock; 1539 1540 ret = -EFAULT; 1541 if (drbg->d_ops->crypto_init(drbg)) 1542 goto err; 1543 1544 ret = drbg_prepare_hrng(drbg); 1545 if (ret) 1546 goto free_everything; 1547 1548 if (IS_ERR(drbg->jent)) { 1549 ret = PTR_ERR(drbg->jent); 1550 drbg->jent = NULL; 1551 if (fips_enabled || ret != -ENOENT) 1552 goto free_everything; 1553 pr_info("DRBG: Continuing without Jitter RNG\n"); 1554 } 1555 1556 reseed = false; 1557 } 1558 1559 ret = drbg_seed(drbg, pers, reseed); 1560 1561 if (ret && !reseed) 1562 goto free_everything; 1563 1564 mutex_unlock(&drbg->drbg_mutex); 1565 return ret; 1566 1567 err: 1568 drbg_dealloc_state(drbg); 1569 unlock: 1570 mutex_unlock(&drbg->drbg_mutex); 1571 return ret; 1572 1573 free_everything: 1574 mutex_unlock(&drbg->drbg_mutex); 1575 drbg_uninstantiate(drbg); 1576 return ret; 1577 } 1578 1579 /* 1580 * DRBG uninstantiate function as required by SP800-90A - this function 1581 * frees all buffers and the DRBG handle 1582 * 1583 * @drbg DRBG state handle 1584 * 1585 * return 1586 * 0 on success 1587 */ 1588 static int drbg_uninstantiate(struct drbg_state *drbg) 1589 { 1590 if (drbg->random_ready.func) { 1591 del_random_ready_callback(&drbg->random_ready); 1592 cancel_work_sync(&drbg->seed_work); 1593 crypto_free_rng(drbg->jent); 1594 drbg->jent = NULL; 1595 } 1596 1597 if (drbg->d_ops) 1598 drbg->d_ops->crypto_fini(drbg); 1599 drbg_dealloc_state(drbg); 1600 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1601 return 0; 1602 } 1603 1604 /* 1605 * Helper function for setting the test data in the DRBG 1606 * 1607 * @drbg DRBG state handle 1608 * @data test data 1609 * @len test data length 1610 */ 1611 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1612 const u8 *data, unsigned int len) 1613 { 1614 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1615 1616 mutex_lock(&drbg->drbg_mutex); 1617 drbg_string_fill(&drbg->test_data, data, len); 1618 mutex_unlock(&drbg->drbg_mutex); 1619 } 1620 1621 /*************************************************************** 1622 * Kernel crypto API cipher invocations requested by DRBG 1623 ***************************************************************/ 1624 1625 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1626 struct sdesc { 1627 struct shash_desc shash; 1628 char ctx[]; 1629 }; 1630 1631 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1632 { 1633 struct sdesc *sdesc; 1634 struct crypto_shash *tfm; 1635 1636 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1637 if (IS_ERR(tfm)) { 1638 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1639 drbg->core->backend_cra_name); 1640 return PTR_ERR(tfm); 1641 } 1642 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1643 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1644 GFP_KERNEL); 1645 if (!sdesc) { 1646 crypto_free_shash(tfm); 1647 return -ENOMEM; 1648 } 1649 1650 sdesc->shash.tfm = tfm; 1651 sdesc->shash.flags = 0; 1652 drbg->priv_data = sdesc; 1653 return 0; 1654 } 1655 1656 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1657 { 1658 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1659 if (sdesc) { 1660 crypto_free_shash(sdesc->shash.tfm); 1661 kzfree(sdesc); 1662 } 1663 drbg->priv_data = NULL; 1664 return 0; 1665 } 1666 1667 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1668 unsigned char *outval, const struct list_head *in) 1669 { 1670 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1671 struct drbg_string *input = NULL; 1672 1673 if (key) 1674 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1675 crypto_shash_init(&sdesc->shash); 1676 list_for_each_entry(input, in, list) 1677 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1678 return crypto_shash_final(&sdesc->shash, outval); 1679 } 1680 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1681 1682 #ifdef CONFIG_CRYPTO_DRBG_CTR 1683 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1684 { 1685 int ret = 0; 1686 struct crypto_cipher *tfm; 1687 1688 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1689 if (IS_ERR(tfm)) { 1690 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1691 drbg->core->backend_cra_name); 1692 return PTR_ERR(tfm); 1693 } 1694 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1695 drbg->priv_data = tfm; 1696 return ret; 1697 } 1698 1699 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1700 { 1701 struct crypto_cipher *tfm = 1702 (struct crypto_cipher *)drbg->priv_data; 1703 if (tfm) 1704 crypto_free_cipher(tfm); 1705 drbg->priv_data = NULL; 1706 return 0; 1707 } 1708 1709 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1710 unsigned char *outval, const struct drbg_string *in) 1711 { 1712 struct crypto_cipher *tfm = 1713 (struct crypto_cipher *)drbg->priv_data; 1714 1715 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1716 /* there is only component in *in */ 1717 BUG_ON(in->len < drbg_blocklen(drbg)); 1718 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1719 return 0; 1720 } 1721 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1722 1723 /*************************************************************** 1724 * Kernel crypto API interface to register DRBG 1725 ***************************************************************/ 1726 1727 /* 1728 * Look up the DRBG flags by given kernel crypto API cra_name 1729 * The code uses the drbg_cores definition to do this 1730 * 1731 * @cra_name kernel crypto API cra_name 1732 * @coreref reference to integer which is filled with the pointer to 1733 * the applicable core 1734 * @pr reference for setting prediction resistance 1735 * 1736 * return: flags 1737 */ 1738 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1739 int *coreref, bool *pr) 1740 { 1741 int i = 0; 1742 size_t start = 0; 1743 int len = 0; 1744 1745 *pr = true; 1746 /* disassemble the names */ 1747 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1748 start = 10; 1749 *pr = false; 1750 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1751 start = 8; 1752 } else { 1753 return; 1754 } 1755 1756 /* remove the first part */ 1757 len = strlen(cra_driver_name) - start; 1758 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1759 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1760 len)) { 1761 *coreref = i; 1762 return; 1763 } 1764 } 1765 } 1766 1767 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1768 { 1769 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1770 1771 mutex_init(&drbg->drbg_mutex); 1772 1773 return 0; 1774 } 1775 1776 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1777 { 1778 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1779 } 1780 1781 /* 1782 * Generate random numbers invoked by the kernel crypto API: 1783 * The API of the kernel crypto API is extended as follows: 1784 * 1785 * src is additional input supplied to the RNG. 1786 * slen is the length of src. 1787 * dst is the output buffer where random data is to be stored. 1788 * dlen is the length of dst. 1789 */ 1790 static int drbg_kcapi_random(struct crypto_rng *tfm, 1791 const u8 *src, unsigned int slen, 1792 u8 *dst, unsigned int dlen) 1793 { 1794 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1795 struct drbg_string *addtl = NULL; 1796 struct drbg_string string; 1797 1798 if (slen) { 1799 /* linked list variable is now local to allow modification */ 1800 drbg_string_fill(&string, src, slen); 1801 addtl = &string; 1802 } 1803 1804 return drbg_generate_long(drbg, dst, dlen, addtl); 1805 } 1806 1807 /* 1808 * Seed the DRBG invoked by the kernel crypto API 1809 */ 1810 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1811 const u8 *seed, unsigned int slen) 1812 { 1813 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1814 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1815 bool pr = false; 1816 struct drbg_string string; 1817 struct drbg_string *seed_string = NULL; 1818 int coreref = 0; 1819 1820 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1821 &pr); 1822 if (0 < slen) { 1823 drbg_string_fill(&string, seed, slen); 1824 seed_string = &string; 1825 } 1826 1827 return drbg_instantiate(drbg, seed_string, coreref, pr); 1828 } 1829 1830 /*************************************************************** 1831 * Kernel module: code to load the module 1832 ***************************************************************/ 1833 1834 /* 1835 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1836 * of the error handling. 1837 * 1838 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1839 * as seed source of get_random_bytes does not fail. 1840 * 1841 * Note 2: There is no sensible way of testing the reseed counter 1842 * enforcement, so skip it. 1843 */ 1844 static inline int __init drbg_healthcheck_sanity(void) 1845 { 1846 int len = 0; 1847 #define OUTBUFLEN 16 1848 unsigned char buf[OUTBUFLEN]; 1849 struct drbg_state *drbg = NULL; 1850 int ret = -EFAULT; 1851 int rc = -EFAULT; 1852 bool pr = false; 1853 int coreref = 0; 1854 struct drbg_string addtl; 1855 size_t max_addtllen, max_request_bytes; 1856 1857 /* only perform test in FIPS mode */ 1858 if (!fips_enabled) 1859 return 0; 1860 1861 #ifdef CONFIG_CRYPTO_DRBG_CTR 1862 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1863 #elif defined CONFIG_CRYPTO_DRBG_HASH 1864 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1865 #else 1866 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1867 #endif 1868 1869 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1870 if (!drbg) 1871 return -ENOMEM; 1872 1873 mutex_init(&drbg->drbg_mutex); 1874 1875 /* 1876 * if the following tests fail, it is likely that there is a buffer 1877 * overflow as buf is much smaller than the requested or provided 1878 * string lengths -- in case the error handling does not succeed 1879 * we may get an OOPS. And we want to get an OOPS as this is a 1880 * grave bug. 1881 */ 1882 1883 /* get a valid instance of DRBG for following tests */ 1884 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1885 if (ret) { 1886 rc = ret; 1887 goto outbuf; 1888 } 1889 max_addtllen = drbg_max_addtl(drbg); 1890 max_request_bytes = drbg_max_request_bytes(drbg); 1891 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1892 /* overflow addtllen with additonal info string */ 1893 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1894 BUG_ON(0 < len); 1895 /* overflow max_bits */ 1896 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1897 BUG_ON(0 < len); 1898 drbg_uninstantiate(drbg); 1899 1900 /* overflow max addtllen with personalization string */ 1901 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1902 BUG_ON(0 == ret); 1903 /* all tests passed */ 1904 rc = 0; 1905 1906 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1907 "completed\n"); 1908 1909 drbg_uninstantiate(drbg); 1910 outbuf: 1911 kzfree(drbg); 1912 return rc; 1913 } 1914 1915 static struct rng_alg drbg_algs[22]; 1916 1917 /* 1918 * Fill the array drbg_algs used to register the different DRBGs 1919 * with the kernel crypto API. To fill the array, the information 1920 * from drbg_cores[] is used. 1921 */ 1922 static inline void __init drbg_fill_array(struct rng_alg *alg, 1923 const struct drbg_core *core, int pr) 1924 { 1925 int pos = 0; 1926 static int priority = 200; 1927 1928 memcpy(alg->base.cra_name, "stdrng", 6); 1929 if (pr) { 1930 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1931 pos = 8; 1932 } else { 1933 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1934 pos = 10; 1935 } 1936 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1937 strlen(core->cra_name)); 1938 1939 alg->base.cra_priority = priority; 1940 priority++; 1941 /* 1942 * If FIPS mode enabled, the selected DRBG shall have the 1943 * highest cra_priority over other stdrng instances to ensure 1944 * it is selected. 1945 */ 1946 if (fips_enabled) 1947 alg->base.cra_priority += 200; 1948 1949 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1950 alg->base.cra_module = THIS_MODULE; 1951 alg->base.cra_init = drbg_kcapi_init; 1952 alg->base.cra_exit = drbg_kcapi_cleanup; 1953 alg->generate = drbg_kcapi_random; 1954 alg->seed = drbg_kcapi_seed; 1955 alg->set_ent = drbg_kcapi_set_entropy; 1956 alg->seedsize = 0; 1957 } 1958 1959 static int __init drbg_init(void) 1960 { 1961 unsigned int i = 0; /* pointer to drbg_algs */ 1962 unsigned int j = 0; /* pointer to drbg_cores */ 1963 int ret = -EFAULT; 1964 1965 ret = drbg_healthcheck_sanity(); 1966 if (ret) 1967 return ret; 1968 1969 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1970 pr_info("DRBG: Cannot register all DRBG types" 1971 "(slots needed: %zu, slots available: %zu)\n", 1972 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1973 return ret; 1974 } 1975 1976 /* 1977 * each DRBG definition can be used with PR and without PR, thus 1978 * we instantiate each DRBG in drbg_cores[] twice. 1979 * 1980 * As the order of placing them into the drbg_algs array matters 1981 * (the later DRBGs receive a higher cra_priority) we register the 1982 * prediction resistance DRBGs first as the should not be too 1983 * interesting. 1984 */ 1985 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1986 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1987 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1988 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1989 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1990 } 1991 1992 static void __exit drbg_exit(void) 1993 { 1994 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1995 } 1996 1997 module_init(drbg_init); 1998 module_exit(drbg_exit); 1999 #ifndef CRYPTO_DRBG_HASH_STRING 2000 #define CRYPTO_DRBG_HASH_STRING "" 2001 #endif 2002 #ifndef CRYPTO_DRBG_HMAC_STRING 2003 #define CRYPTO_DRBG_HMAC_STRING "" 2004 #endif 2005 #ifndef CRYPTO_DRBG_CTR_STRING 2006 #define CRYPTO_DRBG_CTR_STRING "" 2007 #endif 2008 MODULE_LICENSE("GPL"); 2009 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2010 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2011 "using following cores: " 2012 CRYPTO_DRBG_HASH_STRING 2013 CRYPTO_DRBG_HMAC_STRING 2014 CRYPTO_DRBG_CTR_STRING); 2015 MODULE_ALIAS_CRYPTO("stdrng"); 2016