1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * Convert an integer into a byte representation of this integer. 224 * The byte representation is big-endian 225 * 226 * @val value to be converted 227 * @buf buffer holding the converted integer -- caller must ensure that 228 * buffer size is at least 32 bit 229 */ 230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 232 { 233 struct s { 234 __be32 conv; 235 }; 236 struct s *conversion = (struct s *) buf; 237 238 conversion->conv = cpu_to_be32(val); 239 } 240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 241 242 /****************************************************************** 243 * CTR DRBG callback functions 244 ******************************************************************/ 245 246 #ifdef CONFIG_CRYPTO_DRBG_CTR 247 #define CRYPTO_DRBG_CTR_STRING "CTR " 248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 254 255 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 256 const unsigned char *key); 257 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 258 const struct drbg_string *in); 259 static int drbg_init_sym_kernel(struct drbg_state *drbg); 260 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 261 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 262 u8 *inbuf, u32 inbuflen, 263 u8 *outbuf, u32 outlen); 264 #define DRBG_CTR_NULL_LEN 128 265 #define DRBG_OUTSCRATCHLEN DRBG_CTR_NULL_LEN 266 267 /* BCC function for CTR DRBG as defined in 10.4.3 */ 268 static int drbg_ctr_bcc(struct drbg_state *drbg, 269 unsigned char *out, const unsigned char *key, 270 struct list_head *in) 271 { 272 int ret = 0; 273 struct drbg_string *curr = NULL; 274 struct drbg_string data; 275 short cnt = 0; 276 277 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 278 279 /* 10.4.3 step 2 / 4 */ 280 drbg_kcapi_symsetkey(drbg, key); 281 list_for_each_entry(curr, in, list) { 282 const unsigned char *pos = curr->buf; 283 size_t len = curr->len; 284 /* 10.4.3 step 4.1 */ 285 while (len) { 286 /* 10.4.3 step 4.2 */ 287 if (drbg_blocklen(drbg) == cnt) { 288 cnt = 0; 289 ret = drbg_kcapi_sym(drbg, out, &data); 290 if (ret) 291 return ret; 292 } 293 out[cnt] ^= *pos; 294 pos++; 295 cnt++; 296 len--; 297 } 298 } 299 /* 10.4.3 step 4.2 for last block */ 300 if (cnt) 301 ret = drbg_kcapi_sym(drbg, out, &data); 302 303 return ret; 304 } 305 306 /* 307 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 308 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 309 * the scratchpad is used as follows: 310 * drbg_ctr_update: 311 * temp 312 * start: drbg->scratchpad 313 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 314 * note: the cipher writing into this variable works 315 * blocklen-wise. Now, when the statelen is not a multiple 316 * of blocklen, the generateion loop below "spills over" 317 * by at most blocklen. Thus, we need to give sufficient 318 * memory. 319 * df_data 320 * start: drbg->scratchpad + 321 * drbg_statelen(drbg) + drbg_blocklen(drbg) 322 * length: drbg_statelen(drbg) 323 * 324 * drbg_ctr_df: 325 * pad 326 * start: df_data + drbg_statelen(drbg) 327 * length: drbg_blocklen(drbg) 328 * iv 329 * start: pad + drbg_blocklen(drbg) 330 * length: drbg_blocklen(drbg) 331 * temp 332 * start: iv + drbg_blocklen(drbg) 333 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 334 * note: temp is the buffer that the BCC function operates 335 * on. BCC operates blockwise. drbg_statelen(drbg) 336 * is sufficient when the DRBG state length is a multiple 337 * of the block size. For AES192 (and maybe other ciphers) 338 * this is not correct and the length for temp is 339 * insufficient (yes, that also means for such ciphers, 340 * the final output of all BCC rounds are truncated). 341 * Therefore, add drbg_blocklen(drbg) to cover all 342 * possibilities. 343 */ 344 345 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 346 static int drbg_ctr_df(struct drbg_state *drbg, 347 unsigned char *df_data, size_t bytes_to_return, 348 struct list_head *seedlist) 349 { 350 int ret = -EFAULT; 351 unsigned char L_N[8]; 352 /* S3 is input */ 353 struct drbg_string S1, S2, S4, cipherin; 354 LIST_HEAD(bcc_list); 355 unsigned char *pad = df_data + drbg_statelen(drbg); 356 unsigned char *iv = pad + drbg_blocklen(drbg); 357 unsigned char *temp = iv + drbg_blocklen(drbg); 358 size_t padlen = 0; 359 unsigned int templen = 0; 360 /* 10.4.2 step 7 */ 361 unsigned int i = 0; 362 /* 10.4.2 step 8 */ 363 const unsigned char *K = (unsigned char *) 364 "\x00\x01\x02\x03\x04\x05\x06\x07" 365 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 366 "\x10\x11\x12\x13\x14\x15\x16\x17" 367 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 368 unsigned char *X; 369 size_t generated_len = 0; 370 size_t inputlen = 0; 371 struct drbg_string *seed = NULL; 372 373 memset(pad, 0, drbg_blocklen(drbg)); 374 memset(iv, 0, drbg_blocklen(drbg)); 375 376 /* 10.4.2 step 1 is implicit as we work byte-wise */ 377 378 /* 10.4.2 step 2 */ 379 if ((512/8) < bytes_to_return) 380 return -EINVAL; 381 382 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 383 list_for_each_entry(seed, seedlist, list) 384 inputlen += seed->len; 385 drbg_cpu_to_be32(inputlen, &L_N[0]); 386 387 /* 10.4.2 step 3 */ 388 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 389 390 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 391 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 392 /* wrap the padlen appropriately */ 393 if (padlen) 394 padlen = drbg_blocklen(drbg) - padlen; 395 /* 396 * pad / padlen contains the 0x80 byte and the following zero bytes. 397 * As the calculated padlen value only covers the number of zero 398 * bytes, this value has to be incremented by one for the 0x80 byte. 399 */ 400 padlen++; 401 pad[0] = 0x80; 402 403 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 404 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 405 list_add_tail(&S1.list, &bcc_list); 406 drbg_string_fill(&S2, L_N, sizeof(L_N)); 407 list_add_tail(&S2.list, &bcc_list); 408 list_splice_tail(seedlist, &bcc_list); 409 drbg_string_fill(&S4, pad, padlen); 410 list_add_tail(&S4.list, &bcc_list); 411 412 /* 10.4.2 step 9 */ 413 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 414 /* 415 * 10.4.2 step 9.1 - the padding is implicit as the buffer 416 * holds zeros after allocation -- even the increment of i 417 * is irrelevant as the increment remains within length of i 418 */ 419 drbg_cpu_to_be32(i, iv); 420 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 421 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 422 if (ret) 423 goto out; 424 /* 10.4.2 step 9.3 */ 425 i++; 426 templen += drbg_blocklen(drbg); 427 } 428 429 /* 10.4.2 step 11 */ 430 X = temp + (drbg_keylen(drbg)); 431 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 432 433 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 434 435 /* 10.4.2 step 13 */ 436 drbg_kcapi_symsetkey(drbg, temp); 437 while (generated_len < bytes_to_return) { 438 short blocklen = 0; 439 /* 440 * 10.4.2 step 13.1: the truncation of the key length is 441 * implicit as the key is only drbg_blocklen in size based on 442 * the implementation of the cipher function callback 443 */ 444 ret = drbg_kcapi_sym(drbg, X, &cipherin); 445 if (ret) 446 goto out; 447 blocklen = (drbg_blocklen(drbg) < 448 (bytes_to_return - generated_len)) ? 449 drbg_blocklen(drbg) : 450 (bytes_to_return - generated_len); 451 /* 10.4.2 step 13.2 and 14 */ 452 memcpy(df_data + generated_len, X, blocklen); 453 generated_len += blocklen; 454 } 455 456 ret = 0; 457 458 out: 459 memset(iv, 0, drbg_blocklen(drbg)); 460 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 461 memset(pad, 0, drbg_blocklen(drbg)); 462 return ret; 463 } 464 465 /* 466 * update function of CTR DRBG as defined in 10.2.1.2 467 * 468 * The reseed variable has an enhanced meaning compared to the update 469 * functions of the other DRBGs as follows: 470 * 0 => initial seed from initialization 471 * 1 => reseed via drbg_seed 472 * 2 => first invocation from drbg_ctr_update when addtl is present. In 473 * this case, the df_data scratchpad is not deleted so that it is 474 * available for another calls to prevent calling the DF function 475 * again. 476 * 3 => second invocation from drbg_ctr_update. When the update function 477 * was called with addtl, the df_data memory already contains the 478 * DFed addtl information and we do not need to call DF again. 479 */ 480 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 481 int reseed) 482 { 483 int ret = -EFAULT; 484 /* 10.2.1.2 step 1 */ 485 unsigned char *temp = drbg->scratchpad; 486 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 487 drbg_blocklen(drbg); 488 489 if (3 > reseed) 490 memset(df_data, 0, drbg_statelen(drbg)); 491 492 if (!reseed) { 493 /* 494 * The DRBG uses the CTR mode of the underlying AES cipher. The 495 * CTR mode increments the counter value after the AES operation 496 * but SP800-90A requires that the counter is incremented before 497 * the AES operation. Hence, we increment it at the time we set 498 * it by one. 499 */ 500 crypto_inc(drbg->V, drbg_blocklen(drbg)); 501 502 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 503 drbg_keylen(drbg)); 504 if (ret) 505 goto out; 506 } 507 508 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 509 if (seed) { 510 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 511 if (ret) 512 goto out; 513 } 514 515 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 516 temp, drbg_statelen(drbg)); 517 if (ret) 518 return ret; 519 520 /* 10.2.1.2 step 5 */ 521 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 522 drbg_keylen(drbg)); 523 if (ret) 524 goto out; 525 /* 10.2.1.2 step 6 */ 526 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 527 /* See above: increment counter by one to compensate timing of CTR op */ 528 crypto_inc(drbg->V, drbg_blocklen(drbg)); 529 ret = 0; 530 531 out: 532 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 533 if (2 != reseed) 534 memset(df_data, 0, drbg_statelen(drbg)); 535 return ret; 536 } 537 538 /* 539 * scratchpad use: drbg_ctr_update is called independently from 540 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 541 */ 542 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 543 static int drbg_ctr_generate(struct drbg_state *drbg, 544 unsigned char *buf, unsigned int buflen, 545 struct list_head *addtl) 546 { 547 int ret; 548 int len = min_t(int, buflen, INT_MAX); 549 550 /* 10.2.1.5.2 step 2 */ 551 if (addtl && !list_empty(addtl)) { 552 ret = drbg_ctr_update(drbg, addtl, 2); 553 if (ret) 554 return 0; 555 } 556 557 /* 10.2.1.5.2 step 4.1 */ 558 ret = drbg_kcapi_sym_ctr(drbg, drbg->ctr_null_value, DRBG_CTR_NULL_LEN, 559 buf, len); 560 if (ret) 561 return ret; 562 563 /* 10.2.1.5.2 step 6 */ 564 ret = drbg_ctr_update(drbg, NULL, 3); 565 if (ret) 566 len = ret; 567 568 return len; 569 } 570 571 static const struct drbg_state_ops drbg_ctr_ops = { 572 .update = drbg_ctr_update, 573 .generate = drbg_ctr_generate, 574 .crypto_init = drbg_init_sym_kernel, 575 .crypto_fini = drbg_fini_sym_kernel, 576 }; 577 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 578 579 /****************************************************************** 580 * HMAC DRBG callback functions 581 ******************************************************************/ 582 583 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 584 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 585 const struct list_head *in); 586 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 587 const unsigned char *key); 588 static int drbg_init_hash_kernel(struct drbg_state *drbg); 589 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 590 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 591 592 #ifdef CONFIG_CRYPTO_DRBG_HMAC 593 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 594 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 595 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 596 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 597 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 598 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 599 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 600 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 601 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 602 603 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 604 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 605 int reseed) 606 { 607 int ret = -EFAULT; 608 int i = 0; 609 struct drbg_string seed1, seed2, vdata; 610 LIST_HEAD(seedlist); 611 LIST_HEAD(vdatalist); 612 613 if (!reseed) { 614 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 615 memset(drbg->V, 1, drbg_statelen(drbg)); 616 drbg_kcapi_hmacsetkey(drbg, drbg->C); 617 } 618 619 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 620 list_add_tail(&seed1.list, &seedlist); 621 /* buffer of seed2 will be filled in for loop below with one byte */ 622 drbg_string_fill(&seed2, NULL, 1); 623 list_add_tail(&seed2.list, &seedlist); 624 /* input data of seed is allowed to be NULL at this point */ 625 if (seed) 626 list_splice_tail(seed, &seedlist); 627 628 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 629 list_add_tail(&vdata.list, &vdatalist); 630 for (i = 2; 0 < i; i--) { 631 /* first round uses 0x0, second 0x1 */ 632 unsigned char prefix = DRBG_PREFIX0; 633 if (1 == i) 634 prefix = DRBG_PREFIX1; 635 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 636 seed2.buf = &prefix; 637 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 638 if (ret) 639 return ret; 640 drbg_kcapi_hmacsetkey(drbg, drbg->C); 641 642 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 643 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 644 if (ret) 645 return ret; 646 647 /* 10.1.2.2 step 3 */ 648 if (!seed) 649 return ret; 650 } 651 652 return 0; 653 } 654 655 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 656 static int drbg_hmac_generate(struct drbg_state *drbg, 657 unsigned char *buf, 658 unsigned int buflen, 659 struct list_head *addtl) 660 { 661 int len = 0; 662 int ret = 0; 663 struct drbg_string data; 664 LIST_HEAD(datalist); 665 666 /* 10.1.2.5 step 2 */ 667 if (addtl && !list_empty(addtl)) { 668 ret = drbg_hmac_update(drbg, addtl, 1); 669 if (ret) 670 return ret; 671 } 672 673 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 674 list_add_tail(&data.list, &datalist); 675 while (len < buflen) { 676 unsigned int outlen = 0; 677 /* 10.1.2.5 step 4.1 */ 678 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 679 if (ret) 680 return ret; 681 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 682 drbg_blocklen(drbg) : (buflen - len); 683 684 /* 10.1.2.5 step 4.2 */ 685 memcpy(buf + len, drbg->V, outlen); 686 len += outlen; 687 } 688 689 /* 10.1.2.5 step 6 */ 690 if (addtl && !list_empty(addtl)) 691 ret = drbg_hmac_update(drbg, addtl, 1); 692 else 693 ret = drbg_hmac_update(drbg, NULL, 1); 694 if (ret) 695 return ret; 696 697 return len; 698 } 699 700 static const struct drbg_state_ops drbg_hmac_ops = { 701 .update = drbg_hmac_update, 702 .generate = drbg_hmac_generate, 703 .crypto_init = drbg_init_hash_kernel, 704 .crypto_fini = drbg_fini_hash_kernel, 705 }; 706 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 707 708 /****************************************************************** 709 * Hash DRBG callback functions 710 ******************************************************************/ 711 712 #ifdef CONFIG_CRYPTO_DRBG_HASH 713 #define CRYPTO_DRBG_HASH_STRING "HASH " 714 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 715 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 716 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 717 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 718 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 719 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 720 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 721 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 722 723 /* 724 * Increment buffer 725 * 726 * @dst buffer to increment 727 * @add value to add 728 */ 729 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 730 const unsigned char *add, size_t addlen) 731 { 732 /* implied: dstlen > addlen */ 733 unsigned char *dstptr; 734 const unsigned char *addptr; 735 unsigned int remainder = 0; 736 size_t len = addlen; 737 738 dstptr = dst + (dstlen-1); 739 addptr = add + (addlen-1); 740 while (len) { 741 remainder += *dstptr + *addptr; 742 *dstptr = remainder & 0xff; 743 remainder >>= 8; 744 len--; dstptr--; addptr--; 745 } 746 len = dstlen - addlen; 747 while (len && remainder > 0) { 748 remainder = *dstptr + 1; 749 *dstptr = remainder & 0xff; 750 remainder >>= 8; 751 len--; dstptr--; 752 } 753 } 754 755 /* 756 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 757 * interlinked, the scratchpad is used as follows: 758 * drbg_hash_update 759 * start: drbg->scratchpad 760 * length: drbg_statelen(drbg) 761 * drbg_hash_df: 762 * start: drbg->scratchpad + drbg_statelen(drbg) 763 * length: drbg_blocklen(drbg) 764 * 765 * drbg_hash_process_addtl uses the scratchpad, but fully completes 766 * before either of the functions mentioned before are invoked. Therefore, 767 * drbg_hash_process_addtl does not need to be specifically considered. 768 */ 769 770 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 771 static int drbg_hash_df(struct drbg_state *drbg, 772 unsigned char *outval, size_t outlen, 773 struct list_head *entropylist) 774 { 775 int ret = 0; 776 size_t len = 0; 777 unsigned char input[5]; 778 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 779 struct drbg_string data; 780 781 /* 10.4.1 step 3 */ 782 input[0] = 1; 783 drbg_cpu_to_be32((outlen * 8), &input[1]); 784 785 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 786 drbg_string_fill(&data, input, 5); 787 list_add(&data.list, entropylist); 788 789 /* 10.4.1 step 4 */ 790 while (len < outlen) { 791 short blocklen = 0; 792 /* 10.4.1 step 4.1 */ 793 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 794 if (ret) 795 goto out; 796 /* 10.4.1 step 4.2 */ 797 input[0]++; 798 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 799 drbg_blocklen(drbg) : (outlen - len); 800 memcpy(outval + len, tmp, blocklen); 801 len += blocklen; 802 } 803 804 out: 805 memset(tmp, 0, drbg_blocklen(drbg)); 806 return ret; 807 } 808 809 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 810 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 811 int reseed) 812 { 813 int ret = 0; 814 struct drbg_string data1, data2; 815 LIST_HEAD(datalist); 816 LIST_HEAD(datalist2); 817 unsigned char *V = drbg->scratchpad; 818 unsigned char prefix = DRBG_PREFIX1; 819 820 if (!seed) 821 return -EINVAL; 822 823 if (reseed) { 824 /* 10.1.1.3 step 1 */ 825 memcpy(V, drbg->V, drbg_statelen(drbg)); 826 drbg_string_fill(&data1, &prefix, 1); 827 list_add_tail(&data1.list, &datalist); 828 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 829 list_add_tail(&data2.list, &datalist); 830 } 831 list_splice_tail(seed, &datalist); 832 833 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 834 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 835 if (ret) 836 goto out; 837 838 /* 10.1.1.2 / 10.1.1.3 step 4 */ 839 prefix = DRBG_PREFIX0; 840 drbg_string_fill(&data1, &prefix, 1); 841 list_add_tail(&data1.list, &datalist2); 842 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 843 list_add_tail(&data2.list, &datalist2); 844 /* 10.1.1.2 / 10.1.1.3 step 4 */ 845 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 846 847 out: 848 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 849 return ret; 850 } 851 852 /* processing of additional information string for Hash DRBG */ 853 static int drbg_hash_process_addtl(struct drbg_state *drbg, 854 struct list_head *addtl) 855 { 856 int ret = 0; 857 struct drbg_string data1, data2; 858 LIST_HEAD(datalist); 859 unsigned char prefix = DRBG_PREFIX2; 860 861 /* 10.1.1.4 step 2 */ 862 if (!addtl || list_empty(addtl)) 863 return 0; 864 865 /* 10.1.1.4 step 2a */ 866 drbg_string_fill(&data1, &prefix, 1); 867 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 868 list_add_tail(&data1.list, &datalist); 869 list_add_tail(&data2.list, &datalist); 870 list_splice_tail(addtl, &datalist); 871 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 872 if (ret) 873 goto out; 874 875 /* 10.1.1.4 step 2b */ 876 drbg_add_buf(drbg->V, drbg_statelen(drbg), 877 drbg->scratchpad, drbg_blocklen(drbg)); 878 879 out: 880 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 881 return ret; 882 } 883 884 /* Hashgen defined in 10.1.1.4 */ 885 static int drbg_hash_hashgen(struct drbg_state *drbg, 886 unsigned char *buf, 887 unsigned int buflen) 888 { 889 int len = 0; 890 int ret = 0; 891 unsigned char *src = drbg->scratchpad; 892 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 893 struct drbg_string data; 894 LIST_HEAD(datalist); 895 896 /* 10.1.1.4 step hashgen 2 */ 897 memcpy(src, drbg->V, drbg_statelen(drbg)); 898 899 drbg_string_fill(&data, src, drbg_statelen(drbg)); 900 list_add_tail(&data.list, &datalist); 901 while (len < buflen) { 902 unsigned int outlen = 0; 903 /* 10.1.1.4 step hashgen 4.1 */ 904 ret = drbg_kcapi_hash(drbg, dst, &datalist); 905 if (ret) { 906 len = ret; 907 goto out; 908 } 909 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 910 drbg_blocklen(drbg) : (buflen - len); 911 /* 10.1.1.4 step hashgen 4.2 */ 912 memcpy(buf + len, dst, outlen); 913 len += outlen; 914 /* 10.1.1.4 hashgen step 4.3 */ 915 if (len < buflen) 916 crypto_inc(src, drbg_statelen(drbg)); 917 } 918 919 out: 920 memset(drbg->scratchpad, 0, 921 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 922 return len; 923 } 924 925 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 926 static int drbg_hash_generate(struct drbg_state *drbg, 927 unsigned char *buf, unsigned int buflen, 928 struct list_head *addtl) 929 { 930 int len = 0; 931 int ret = 0; 932 union { 933 unsigned char req[8]; 934 __be64 req_int; 935 } u; 936 unsigned char prefix = DRBG_PREFIX3; 937 struct drbg_string data1, data2; 938 LIST_HEAD(datalist); 939 940 /* 10.1.1.4 step 2 */ 941 ret = drbg_hash_process_addtl(drbg, addtl); 942 if (ret) 943 return ret; 944 /* 10.1.1.4 step 3 */ 945 len = drbg_hash_hashgen(drbg, buf, buflen); 946 947 /* this is the value H as documented in 10.1.1.4 */ 948 /* 10.1.1.4 step 4 */ 949 drbg_string_fill(&data1, &prefix, 1); 950 list_add_tail(&data1.list, &datalist); 951 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 952 list_add_tail(&data2.list, &datalist); 953 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 954 if (ret) { 955 len = ret; 956 goto out; 957 } 958 959 /* 10.1.1.4 step 5 */ 960 drbg_add_buf(drbg->V, drbg_statelen(drbg), 961 drbg->scratchpad, drbg_blocklen(drbg)); 962 drbg_add_buf(drbg->V, drbg_statelen(drbg), 963 drbg->C, drbg_statelen(drbg)); 964 u.req_int = cpu_to_be64(drbg->reseed_ctr); 965 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 966 967 out: 968 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 969 return len; 970 } 971 972 /* 973 * scratchpad usage: as update and generate are used isolated, both 974 * can use the scratchpad 975 */ 976 static const struct drbg_state_ops drbg_hash_ops = { 977 .update = drbg_hash_update, 978 .generate = drbg_hash_generate, 979 .crypto_init = drbg_init_hash_kernel, 980 .crypto_fini = drbg_fini_hash_kernel, 981 }; 982 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 983 984 /****************************************************************** 985 * Functions common for DRBG implementations 986 ******************************************************************/ 987 988 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 989 int reseed) 990 { 991 int ret = drbg->d_ops->update(drbg, seed, reseed); 992 993 if (ret) 994 return ret; 995 996 drbg->seeded = true; 997 /* 10.1.1.2 / 10.1.1.3 step 5 */ 998 drbg->reseed_ctr = 1; 999 1000 return ret; 1001 } 1002 1003 static void drbg_async_seed(struct work_struct *work) 1004 { 1005 struct drbg_string data; 1006 LIST_HEAD(seedlist); 1007 struct drbg_state *drbg = container_of(work, struct drbg_state, 1008 seed_work); 1009 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1010 unsigned char entropy[32]; 1011 1012 BUG_ON(!entropylen); 1013 BUG_ON(entropylen > sizeof(entropy)); 1014 get_random_bytes(entropy, entropylen); 1015 1016 drbg_string_fill(&data, entropy, entropylen); 1017 list_add_tail(&data.list, &seedlist); 1018 1019 mutex_lock(&drbg->drbg_mutex); 1020 1021 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1022 crypto_free_rng(drbg->jent); 1023 drbg->jent = NULL; 1024 1025 /* Set seeded to false so that if __drbg_seed fails the 1026 * next generate call will trigger a reseed. 1027 */ 1028 drbg->seeded = false; 1029 1030 __drbg_seed(drbg, &seedlist, true); 1031 1032 if (drbg->seeded) 1033 drbg->reseed_threshold = drbg_max_requests(drbg); 1034 1035 mutex_unlock(&drbg->drbg_mutex); 1036 1037 memzero_explicit(entropy, entropylen); 1038 } 1039 1040 /* 1041 * Seeding or reseeding of the DRBG 1042 * 1043 * @drbg: DRBG state struct 1044 * @pers: personalization / additional information buffer 1045 * @reseed: 0 for initial seed process, 1 for reseeding 1046 * 1047 * return: 1048 * 0 on success 1049 * error value otherwise 1050 */ 1051 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1052 bool reseed) 1053 { 1054 int ret; 1055 unsigned char entropy[((32 + 16) * 2)]; 1056 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1057 struct drbg_string data1; 1058 LIST_HEAD(seedlist); 1059 1060 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1061 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1062 pr_devel("DRBG: personalization string too long %zu\n", 1063 pers->len); 1064 return -EINVAL; 1065 } 1066 1067 if (list_empty(&drbg->test_data.list)) { 1068 drbg_string_fill(&data1, drbg->test_data.buf, 1069 drbg->test_data.len); 1070 pr_devel("DRBG: using test entropy\n"); 1071 } else { 1072 /* 1073 * Gather entropy equal to the security strength of the DRBG. 1074 * With a derivation function, a nonce is required in addition 1075 * to the entropy. A nonce must be at least 1/2 of the security 1076 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1077 * of the strength. The consideration of a nonce is only 1078 * applicable during initial seeding. 1079 */ 1080 BUG_ON(!entropylen); 1081 if (!reseed) 1082 entropylen = ((entropylen + 1) / 2) * 3; 1083 BUG_ON((entropylen * 2) > sizeof(entropy)); 1084 1085 /* Get seed from in-kernel /dev/urandom */ 1086 get_random_bytes(entropy, entropylen); 1087 1088 if (!drbg->jent) { 1089 drbg_string_fill(&data1, entropy, entropylen); 1090 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1091 entropylen); 1092 } else { 1093 /* Get seed from Jitter RNG */ 1094 ret = crypto_rng_get_bytes(drbg->jent, 1095 entropy + entropylen, 1096 entropylen); 1097 if (ret) { 1098 pr_devel("DRBG: jent failed with %d\n", ret); 1099 return ret; 1100 } 1101 1102 drbg_string_fill(&data1, entropy, entropylen * 2); 1103 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1104 entropylen * 2); 1105 } 1106 } 1107 list_add_tail(&data1.list, &seedlist); 1108 1109 /* 1110 * concatenation of entropy with personalization str / addtl input) 1111 * the variable pers is directly handed in by the caller, so check its 1112 * contents whether it is appropriate 1113 */ 1114 if (pers && pers->buf && 0 < pers->len) { 1115 list_add_tail(&pers->list, &seedlist); 1116 pr_devel("DRBG: using personalization string\n"); 1117 } 1118 1119 if (!reseed) { 1120 memset(drbg->V, 0, drbg_statelen(drbg)); 1121 memset(drbg->C, 0, drbg_statelen(drbg)); 1122 } 1123 1124 ret = __drbg_seed(drbg, &seedlist, reseed); 1125 1126 memzero_explicit(entropy, entropylen * 2); 1127 1128 return ret; 1129 } 1130 1131 /* Free all substructures in a DRBG state without the DRBG state structure */ 1132 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1133 { 1134 if (!drbg) 1135 return; 1136 kzfree(drbg->Vbuf); 1137 drbg->Vbuf = NULL; 1138 drbg->V = NULL; 1139 kzfree(drbg->Cbuf); 1140 drbg->Cbuf = NULL; 1141 drbg->C = NULL; 1142 kzfree(drbg->scratchpadbuf); 1143 drbg->scratchpadbuf = NULL; 1144 drbg->reseed_ctr = 0; 1145 drbg->d_ops = NULL; 1146 drbg->core = NULL; 1147 } 1148 1149 /* 1150 * Allocate all sub-structures for a DRBG state. 1151 * The DRBG state structure must already be allocated. 1152 */ 1153 static inline int drbg_alloc_state(struct drbg_state *drbg) 1154 { 1155 int ret = -ENOMEM; 1156 unsigned int sb_size = 0; 1157 1158 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1159 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1160 case DRBG_HMAC: 1161 drbg->d_ops = &drbg_hmac_ops; 1162 break; 1163 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1164 #ifdef CONFIG_CRYPTO_DRBG_HASH 1165 case DRBG_HASH: 1166 drbg->d_ops = &drbg_hash_ops; 1167 break; 1168 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1169 #ifdef CONFIG_CRYPTO_DRBG_CTR 1170 case DRBG_CTR: 1171 drbg->d_ops = &drbg_ctr_ops; 1172 break; 1173 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1174 default: 1175 ret = -EOPNOTSUPP; 1176 goto err; 1177 } 1178 1179 ret = drbg->d_ops->crypto_init(drbg); 1180 if (ret < 0) 1181 goto err; 1182 1183 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1184 if (!drbg->Vbuf) { 1185 ret = -ENOMEM; 1186 goto fini; 1187 } 1188 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1189 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1190 if (!drbg->Cbuf) { 1191 ret = -ENOMEM; 1192 goto fini; 1193 } 1194 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1195 /* scratchpad is only generated for CTR and Hash */ 1196 if (drbg->core->flags & DRBG_HMAC) 1197 sb_size = 0; 1198 else if (drbg->core->flags & DRBG_CTR) 1199 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1200 drbg_statelen(drbg) + /* df_data */ 1201 drbg_blocklen(drbg) + /* pad */ 1202 drbg_blocklen(drbg) + /* iv */ 1203 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1204 else 1205 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1206 1207 if (0 < sb_size) { 1208 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1209 if (!drbg->scratchpadbuf) { 1210 ret = -ENOMEM; 1211 goto fini; 1212 } 1213 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1214 } 1215 1216 return 0; 1217 1218 fini: 1219 drbg->d_ops->crypto_fini(drbg); 1220 err: 1221 drbg_dealloc_state(drbg); 1222 return ret; 1223 } 1224 1225 /************************************************************************* 1226 * DRBG interface functions 1227 *************************************************************************/ 1228 1229 /* 1230 * DRBG generate function as required by SP800-90A - this function 1231 * generates random numbers 1232 * 1233 * @drbg DRBG state handle 1234 * @buf Buffer where to store the random numbers -- the buffer must already 1235 * be pre-allocated by caller 1236 * @buflen Length of output buffer - this value defines the number of random 1237 * bytes pulled from DRBG 1238 * @addtl Additional input that is mixed into state, may be NULL -- note 1239 * the entropy is pulled by the DRBG internally unconditionally 1240 * as defined in SP800-90A. The additional input is mixed into 1241 * the state in addition to the pulled entropy. 1242 * 1243 * return: 0 when all bytes are generated; < 0 in case of an error 1244 */ 1245 static int drbg_generate(struct drbg_state *drbg, 1246 unsigned char *buf, unsigned int buflen, 1247 struct drbg_string *addtl) 1248 { 1249 int len = 0; 1250 LIST_HEAD(addtllist); 1251 1252 if (!drbg->core) { 1253 pr_devel("DRBG: not yet seeded\n"); 1254 return -EINVAL; 1255 } 1256 if (0 == buflen || !buf) { 1257 pr_devel("DRBG: no output buffer provided\n"); 1258 return -EINVAL; 1259 } 1260 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1261 pr_devel("DRBG: wrong format of additional information\n"); 1262 return -EINVAL; 1263 } 1264 1265 /* 9.3.1 step 2 */ 1266 len = -EINVAL; 1267 if (buflen > (drbg_max_request_bytes(drbg))) { 1268 pr_devel("DRBG: requested random numbers too large %u\n", 1269 buflen); 1270 goto err; 1271 } 1272 1273 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1274 1275 /* 9.3.1 step 4 */ 1276 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1277 pr_devel("DRBG: additional information string too long %zu\n", 1278 addtl->len); 1279 goto err; 1280 } 1281 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1282 1283 /* 1284 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1285 * here. The spec is a bit convoluted here, we make it simpler. 1286 */ 1287 if (drbg->reseed_threshold < drbg->reseed_ctr) 1288 drbg->seeded = false; 1289 1290 if (drbg->pr || !drbg->seeded) { 1291 pr_devel("DRBG: reseeding before generation (prediction " 1292 "resistance: %s, state %s)\n", 1293 drbg->pr ? "true" : "false", 1294 drbg->seeded ? "seeded" : "unseeded"); 1295 /* 9.3.1 steps 7.1 through 7.3 */ 1296 len = drbg_seed(drbg, addtl, true); 1297 if (len) 1298 goto err; 1299 /* 9.3.1 step 7.4 */ 1300 addtl = NULL; 1301 } 1302 1303 if (addtl && 0 < addtl->len) 1304 list_add_tail(&addtl->list, &addtllist); 1305 /* 9.3.1 step 8 and 10 */ 1306 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1307 1308 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1309 drbg->reseed_ctr++; 1310 if (0 >= len) 1311 goto err; 1312 1313 /* 1314 * Section 11.3.3 requires to re-perform self tests after some 1315 * generated random numbers. The chosen value after which self 1316 * test is performed is arbitrary, but it should be reasonable. 1317 * However, we do not perform the self tests because of the following 1318 * reasons: it is mathematically impossible that the initial self tests 1319 * were successfully and the following are not. If the initial would 1320 * pass and the following would not, the kernel integrity is violated. 1321 * In this case, the entire kernel operation is questionable and it 1322 * is unlikely that the integrity violation only affects the 1323 * correct operation of the DRBG. 1324 * 1325 * Albeit the following code is commented out, it is provided in 1326 * case somebody has a need to implement the test of 11.3.3. 1327 */ 1328 #if 0 1329 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1330 int err = 0; 1331 pr_devel("DRBG: start to perform self test\n"); 1332 if (drbg->core->flags & DRBG_HMAC) 1333 err = alg_test("drbg_pr_hmac_sha256", 1334 "drbg_pr_hmac_sha256", 0, 0); 1335 else if (drbg->core->flags & DRBG_CTR) 1336 err = alg_test("drbg_pr_ctr_aes128", 1337 "drbg_pr_ctr_aes128", 0, 0); 1338 else 1339 err = alg_test("drbg_pr_sha256", 1340 "drbg_pr_sha256", 0, 0); 1341 if (err) { 1342 pr_err("DRBG: periodical self test failed\n"); 1343 /* 1344 * uninstantiate implies that from now on, only errors 1345 * are returned when reusing this DRBG cipher handle 1346 */ 1347 drbg_uninstantiate(drbg); 1348 return 0; 1349 } else { 1350 pr_devel("DRBG: self test successful\n"); 1351 } 1352 } 1353 #endif 1354 1355 /* 1356 * All operations were successful, return 0 as mandated by 1357 * the kernel crypto API interface. 1358 */ 1359 len = 0; 1360 err: 1361 return len; 1362 } 1363 1364 /* 1365 * Wrapper around drbg_generate which can pull arbitrary long strings 1366 * from the DRBG without hitting the maximum request limitation. 1367 * 1368 * Parameters: see drbg_generate 1369 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1370 * the entire drbg_generate_long request fails 1371 */ 1372 static int drbg_generate_long(struct drbg_state *drbg, 1373 unsigned char *buf, unsigned int buflen, 1374 struct drbg_string *addtl) 1375 { 1376 unsigned int len = 0; 1377 unsigned int slice = 0; 1378 do { 1379 int err = 0; 1380 unsigned int chunk = 0; 1381 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1382 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1383 mutex_lock(&drbg->drbg_mutex); 1384 err = drbg_generate(drbg, buf + len, chunk, addtl); 1385 mutex_unlock(&drbg->drbg_mutex); 1386 if (0 > err) 1387 return err; 1388 len += chunk; 1389 } while (slice > 0 && (len < buflen)); 1390 return 0; 1391 } 1392 1393 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1394 { 1395 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1396 random_ready); 1397 1398 schedule_work(&drbg->seed_work); 1399 } 1400 1401 static int drbg_prepare_hrng(struct drbg_state *drbg) 1402 { 1403 int err; 1404 1405 /* We do not need an HRNG in test mode. */ 1406 if (list_empty(&drbg->test_data.list)) 1407 return 0; 1408 1409 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1410 1411 drbg->random_ready.owner = THIS_MODULE; 1412 drbg->random_ready.func = drbg_schedule_async_seed; 1413 1414 err = add_random_ready_callback(&drbg->random_ready); 1415 1416 switch (err) { 1417 case 0: 1418 break; 1419 1420 case -EALREADY: 1421 err = 0; 1422 /* fall through */ 1423 1424 default: 1425 drbg->random_ready.func = NULL; 1426 return err; 1427 } 1428 1429 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1430 1431 /* 1432 * Require frequent reseeds until the seed source is fully 1433 * initialized. 1434 */ 1435 drbg->reseed_threshold = 50; 1436 1437 return err; 1438 } 1439 1440 /* 1441 * DRBG instantiation function as required by SP800-90A - this function 1442 * sets up the DRBG handle, performs the initial seeding and all sanity 1443 * checks required by SP800-90A 1444 * 1445 * @drbg memory of state -- if NULL, new memory is allocated 1446 * @pers Personalization string that is mixed into state, may be NULL -- note 1447 * the entropy is pulled by the DRBG internally unconditionally 1448 * as defined in SP800-90A. The additional input is mixed into 1449 * the state in addition to the pulled entropy. 1450 * @coreref reference to core 1451 * @pr prediction resistance enabled 1452 * 1453 * return 1454 * 0 on success 1455 * error value otherwise 1456 */ 1457 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1458 int coreref, bool pr) 1459 { 1460 int ret; 1461 bool reseed = true; 1462 1463 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1464 "%s\n", coreref, pr ? "enabled" : "disabled"); 1465 mutex_lock(&drbg->drbg_mutex); 1466 1467 /* 9.1 step 1 is implicit with the selected DRBG type */ 1468 1469 /* 1470 * 9.1 step 2 is implicit as caller can select prediction resistance 1471 * and the flag is copied into drbg->flags -- 1472 * all DRBG types support prediction resistance 1473 */ 1474 1475 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1476 1477 if (!drbg->core) { 1478 drbg->core = &drbg_cores[coreref]; 1479 drbg->pr = pr; 1480 drbg->seeded = false; 1481 drbg->reseed_threshold = drbg_max_requests(drbg); 1482 1483 ret = drbg_alloc_state(drbg); 1484 if (ret) 1485 goto unlock; 1486 1487 ret = drbg_prepare_hrng(drbg); 1488 if (ret) 1489 goto free_everything; 1490 1491 if (IS_ERR(drbg->jent)) { 1492 ret = PTR_ERR(drbg->jent); 1493 drbg->jent = NULL; 1494 if (fips_enabled || ret != -ENOENT) 1495 goto free_everything; 1496 pr_info("DRBG: Continuing without Jitter RNG\n"); 1497 } 1498 1499 reseed = false; 1500 } 1501 1502 ret = drbg_seed(drbg, pers, reseed); 1503 1504 if (ret && !reseed) 1505 goto free_everything; 1506 1507 mutex_unlock(&drbg->drbg_mutex); 1508 return ret; 1509 1510 unlock: 1511 mutex_unlock(&drbg->drbg_mutex); 1512 return ret; 1513 1514 free_everything: 1515 mutex_unlock(&drbg->drbg_mutex); 1516 drbg_uninstantiate(drbg); 1517 return ret; 1518 } 1519 1520 /* 1521 * DRBG uninstantiate function as required by SP800-90A - this function 1522 * frees all buffers and the DRBG handle 1523 * 1524 * @drbg DRBG state handle 1525 * 1526 * return 1527 * 0 on success 1528 */ 1529 static int drbg_uninstantiate(struct drbg_state *drbg) 1530 { 1531 if (drbg->random_ready.func) { 1532 del_random_ready_callback(&drbg->random_ready); 1533 cancel_work_sync(&drbg->seed_work); 1534 crypto_free_rng(drbg->jent); 1535 drbg->jent = NULL; 1536 } 1537 1538 if (drbg->d_ops) 1539 drbg->d_ops->crypto_fini(drbg); 1540 drbg_dealloc_state(drbg); 1541 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1542 return 0; 1543 } 1544 1545 /* 1546 * Helper function for setting the test data in the DRBG 1547 * 1548 * @drbg DRBG state handle 1549 * @data test data 1550 * @len test data length 1551 */ 1552 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1553 const u8 *data, unsigned int len) 1554 { 1555 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1556 1557 mutex_lock(&drbg->drbg_mutex); 1558 drbg_string_fill(&drbg->test_data, data, len); 1559 mutex_unlock(&drbg->drbg_mutex); 1560 } 1561 1562 /*************************************************************** 1563 * Kernel crypto API cipher invocations requested by DRBG 1564 ***************************************************************/ 1565 1566 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1567 struct sdesc { 1568 struct shash_desc shash; 1569 char ctx[]; 1570 }; 1571 1572 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1573 { 1574 struct sdesc *sdesc; 1575 struct crypto_shash *tfm; 1576 1577 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1578 if (IS_ERR(tfm)) { 1579 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1580 drbg->core->backend_cra_name); 1581 return PTR_ERR(tfm); 1582 } 1583 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1584 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1585 GFP_KERNEL); 1586 if (!sdesc) { 1587 crypto_free_shash(tfm); 1588 return -ENOMEM; 1589 } 1590 1591 sdesc->shash.tfm = tfm; 1592 sdesc->shash.flags = 0; 1593 drbg->priv_data = sdesc; 1594 1595 return crypto_shash_alignmask(tfm); 1596 } 1597 1598 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1599 { 1600 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1601 if (sdesc) { 1602 crypto_free_shash(sdesc->shash.tfm); 1603 kzfree(sdesc); 1604 } 1605 drbg->priv_data = NULL; 1606 return 0; 1607 } 1608 1609 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1610 const unsigned char *key) 1611 { 1612 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1613 1614 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1615 } 1616 1617 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1618 const struct list_head *in) 1619 { 1620 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1621 struct drbg_string *input = NULL; 1622 1623 crypto_shash_init(&sdesc->shash); 1624 list_for_each_entry(input, in, list) 1625 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1626 return crypto_shash_final(&sdesc->shash, outval); 1627 } 1628 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1629 1630 #ifdef CONFIG_CRYPTO_DRBG_CTR 1631 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1632 { 1633 struct crypto_cipher *tfm = 1634 (struct crypto_cipher *)drbg->priv_data; 1635 if (tfm) 1636 crypto_free_cipher(tfm); 1637 drbg->priv_data = NULL; 1638 1639 if (drbg->ctr_handle) 1640 crypto_free_skcipher(drbg->ctr_handle); 1641 drbg->ctr_handle = NULL; 1642 1643 if (drbg->ctr_req) 1644 skcipher_request_free(drbg->ctr_req); 1645 drbg->ctr_req = NULL; 1646 1647 kfree(drbg->ctr_null_value_buf); 1648 drbg->ctr_null_value = NULL; 1649 1650 kfree(drbg->outscratchpadbuf); 1651 drbg->outscratchpadbuf = NULL; 1652 1653 return 0; 1654 } 1655 1656 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1657 { 1658 struct crypto_cipher *tfm; 1659 struct crypto_skcipher *sk_tfm; 1660 struct skcipher_request *req; 1661 unsigned int alignmask; 1662 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1663 1664 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1665 if (IS_ERR(tfm)) { 1666 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1667 drbg->core->backend_cra_name); 1668 return PTR_ERR(tfm); 1669 } 1670 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1671 drbg->priv_data = tfm; 1672 1673 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1674 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1675 drbg_fini_sym_kernel(drbg); 1676 return -EINVAL; 1677 } 1678 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1679 if (IS_ERR(sk_tfm)) { 1680 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1681 ctr_name); 1682 drbg_fini_sym_kernel(drbg); 1683 return PTR_ERR(sk_tfm); 1684 } 1685 drbg->ctr_handle = sk_tfm; 1686 crypto_init_wait(&drbg->ctr_wait); 1687 1688 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1689 if (!req) { 1690 pr_info("DRBG: could not allocate request queue\n"); 1691 drbg_fini_sym_kernel(drbg); 1692 return -ENOMEM; 1693 } 1694 drbg->ctr_req = req; 1695 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1696 CRYPTO_TFM_REQ_MAY_SLEEP, 1697 crypto_req_done, &drbg->ctr_wait); 1698 1699 alignmask = crypto_skcipher_alignmask(sk_tfm); 1700 drbg->ctr_null_value_buf = kzalloc(DRBG_CTR_NULL_LEN + alignmask, 1701 GFP_KERNEL); 1702 if (!drbg->ctr_null_value_buf) { 1703 drbg_fini_sym_kernel(drbg); 1704 return -ENOMEM; 1705 } 1706 drbg->ctr_null_value = (u8 *)PTR_ALIGN(drbg->ctr_null_value_buf, 1707 alignmask + 1); 1708 1709 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1710 GFP_KERNEL); 1711 if (!drbg->outscratchpadbuf) { 1712 drbg_fini_sym_kernel(drbg); 1713 return -ENOMEM; 1714 } 1715 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1716 alignmask + 1); 1717 1718 return alignmask; 1719 } 1720 1721 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1722 const unsigned char *key) 1723 { 1724 struct crypto_cipher *tfm = 1725 (struct crypto_cipher *)drbg->priv_data; 1726 1727 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1728 } 1729 1730 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1731 const struct drbg_string *in) 1732 { 1733 struct crypto_cipher *tfm = 1734 (struct crypto_cipher *)drbg->priv_data; 1735 1736 /* there is only component in *in */ 1737 BUG_ON(in->len < drbg_blocklen(drbg)); 1738 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1739 return 0; 1740 } 1741 1742 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1743 u8 *inbuf, u32 inlen, 1744 u8 *outbuf, u32 outlen) 1745 { 1746 struct scatterlist sg_in, sg_out; 1747 int ret; 1748 1749 sg_init_one(&sg_in, inbuf, inlen); 1750 sg_init_one(&sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1751 1752 while (outlen) { 1753 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1754 1755 /* Output buffer may not be valid for SGL, use scratchpad */ 1756 skcipher_request_set_crypt(drbg->ctr_req, &sg_in, &sg_out, 1757 cryptlen, drbg->V); 1758 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1759 &drbg->ctr_wait); 1760 if (ret) 1761 goto out; 1762 1763 crypto_init_wait(&drbg->ctr_wait); 1764 1765 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1766 1767 outlen -= cryptlen; 1768 outbuf += cryptlen; 1769 } 1770 ret = 0; 1771 1772 out: 1773 memzero_explicit(drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1774 return ret; 1775 } 1776 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1777 1778 /*************************************************************** 1779 * Kernel crypto API interface to register DRBG 1780 ***************************************************************/ 1781 1782 /* 1783 * Look up the DRBG flags by given kernel crypto API cra_name 1784 * The code uses the drbg_cores definition to do this 1785 * 1786 * @cra_name kernel crypto API cra_name 1787 * @coreref reference to integer which is filled with the pointer to 1788 * the applicable core 1789 * @pr reference for setting prediction resistance 1790 * 1791 * return: flags 1792 */ 1793 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1794 int *coreref, bool *pr) 1795 { 1796 int i = 0; 1797 size_t start = 0; 1798 int len = 0; 1799 1800 *pr = true; 1801 /* disassemble the names */ 1802 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1803 start = 10; 1804 *pr = false; 1805 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1806 start = 8; 1807 } else { 1808 return; 1809 } 1810 1811 /* remove the first part */ 1812 len = strlen(cra_driver_name) - start; 1813 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1814 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1815 len)) { 1816 *coreref = i; 1817 return; 1818 } 1819 } 1820 } 1821 1822 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1823 { 1824 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1825 1826 mutex_init(&drbg->drbg_mutex); 1827 1828 return 0; 1829 } 1830 1831 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1832 { 1833 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1834 } 1835 1836 /* 1837 * Generate random numbers invoked by the kernel crypto API: 1838 * The API of the kernel crypto API is extended as follows: 1839 * 1840 * src is additional input supplied to the RNG. 1841 * slen is the length of src. 1842 * dst is the output buffer where random data is to be stored. 1843 * dlen is the length of dst. 1844 */ 1845 static int drbg_kcapi_random(struct crypto_rng *tfm, 1846 const u8 *src, unsigned int slen, 1847 u8 *dst, unsigned int dlen) 1848 { 1849 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1850 struct drbg_string *addtl = NULL; 1851 struct drbg_string string; 1852 1853 if (slen) { 1854 /* linked list variable is now local to allow modification */ 1855 drbg_string_fill(&string, src, slen); 1856 addtl = &string; 1857 } 1858 1859 return drbg_generate_long(drbg, dst, dlen, addtl); 1860 } 1861 1862 /* 1863 * Seed the DRBG invoked by the kernel crypto API 1864 */ 1865 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1866 const u8 *seed, unsigned int slen) 1867 { 1868 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1869 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1870 bool pr = false; 1871 struct drbg_string string; 1872 struct drbg_string *seed_string = NULL; 1873 int coreref = 0; 1874 1875 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1876 &pr); 1877 if (0 < slen) { 1878 drbg_string_fill(&string, seed, slen); 1879 seed_string = &string; 1880 } 1881 1882 return drbg_instantiate(drbg, seed_string, coreref, pr); 1883 } 1884 1885 /*************************************************************** 1886 * Kernel module: code to load the module 1887 ***************************************************************/ 1888 1889 /* 1890 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1891 * of the error handling. 1892 * 1893 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1894 * as seed source of get_random_bytes does not fail. 1895 * 1896 * Note 2: There is no sensible way of testing the reseed counter 1897 * enforcement, so skip it. 1898 */ 1899 static inline int __init drbg_healthcheck_sanity(void) 1900 { 1901 int len = 0; 1902 #define OUTBUFLEN 16 1903 unsigned char buf[OUTBUFLEN]; 1904 struct drbg_state *drbg = NULL; 1905 int ret = -EFAULT; 1906 int rc = -EFAULT; 1907 bool pr = false; 1908 int coreref = 0; 1909 struct drbg_string addtl; 1910 size_t max_addtllen, max_request_bytes; 1911 1912 /* only perform test in FIPS mode */ 1913 if (!fips_enabled) 1914 return 0; 1915 1916 #ifdef CONFIG_CRYPTO_DRBG_CTR 1917 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1918 #elif defined CONFIG_CRYPTO_DRBG_HASH 1919 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1920 #else 1921 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1922 #endif 1923 1924 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1925 if (!drbg) 1926 return -ENOMEM; 1927 1928 mutex_init(&drbg->drbg_mutex); 1929 drbg->core = &drbg_cores[coreref]; 1930 drbg->reseed_threshold = drbg_max_requests(drbg); 1931 1932 /* 1933 * if the following tests fail, it is likely that there is a buffer 1934 * overflow as buf is much smaller than the requested or provided 1935 * string lengths -- in case the error handling does not succeed 1936 * we may get an OOPS. And we want to get an OOPS as this is a 1937 * grave bug. 1938 */ 1939 1940 max_addtllen = drbg_max_addtl(drbg); 1941 max_request_bytes = drbg_max_request_bytes(drbg); 1942 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1943 /* overflow addtllen with additonal info string */ 1944 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1945 BUG_ON(0 < len); 1946 /* overflow max_bits */ 1947 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1948 BUG_ON(0 < len); 1949 1950 /* overflow max addtllen with personalization string */ 1951 ret = drbg_seed(drbg, &addtl, false); 1952 BUG_ON(0 == ret); 1953 /* all tests passed */ 1954 rc = 0; 1955 1956 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1957 "completed\n"); 1958 1959 kfree(drbg); 1960 return rc; 1961 } 1962 1963 static struct rng_alg drbg_algs[22]; 1964 1965 /* 1966 * Fill the array drbg_algs used to register the different DRBGs 1967 * with the kernel crypto API. To fill the array, the information 1968 * from drbg_cores[] is used. 1969 */ 1970 static inline void __init drbg_fill_array(struct rng_alg *alg, 1971 const struct drbg_core *core, int pr) 1972 { 1973 int pos = 0; 1974 static int priority = 200; 1975 1976 memcpy(alg->base.cra_name, "stdrng", 6); 1977 if (pr) { 1978 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1979 pos = 8; 1980 } else { 1981 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1982 pos = 10; 1983 } 1984 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1985 strlen(core->cra_name)); 1986 1987 alg->base.cra_priority = priority; 1988 priority++; 1989 /* 1990 * If FIPS mode enabled, the selected DRBG shall have the 1991 * highest cra_priority over other stdrng instances to ensure 1992 * it is selected. 1993 */ 1994 if (fips_enabled) 1995 alg->base.cra_priority += 200; 1996 1997 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1998 alg->base.cra_module = THIS_MODULE; 1999 alg->base.cra_init = drbg_kcapi_init; 2000 alg->base.cra_exit = drbg_kcapi_cleanup; 2001 alg->generate = drbg_kcapi_random; 2002 alg->seed = drbg_kcapi_seed; 2003 alg->set_ent = drbg_kcapi_set_entropy; 2004 alg->seedsize = 0; 2005 } 2006 2007 static int __init drbg_init(void) 2008 { 2009 unsigned int i = 0; /* pointer to drbg_algs */ 2010 unsigned int j = 0; /* pointer to drbg_cores */ 2011 int ret; 2012 2013 ret = drbg_healthcheck_sanity(); 2014 if (ret) 2015 return ret; 2016 2017 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2018 pr_info("DRBG: Cannot register all DRBG types" 2019 "(slots needed: %zu, slots available: %zu)\n", 2020 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2021 return -EFAULT; 2022 } 2023 2024 /* 2025 * each DRBG definition can be used with PR and without PR, thus 2026 * we instantiate each DRBG in drbg_cores[] twice. 2027 * 2028 * As the order of placing them into the drbg_algs array matters 2029 * (the later DRBGs receive a higher cra_priority) we register the 2030 * prediction resistance DRBGs first as the should not be too 2031 * interesting. 2032 */ 2033 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2034 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2035 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2036 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2037 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2038 } 2039 2040 static void __exit drbg_exit(void) 2041 { 2042 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2043 } 2044 2045 module_init(drbg_init); 2046 module_exit(drbg_exit); 2047 #ifndef CRYPTO_DRBG_HASH_STRING 2048 #define CRYPTO_DRBG_HASH_STRING "" 2049 #endif 2050 #ifndef CRYPTO_DRBG_HMAC_STRING 2051 #define CRYPTO_DRBG_HMAC_STRING "" 2052 #endif 2053 #ifndef CRYPTO_DRBG_CTR_STRING 2054 #define CRYPTO_DRBG_CTR_STRING "" 2055 #endif 2056 MODULE_LICENSE("GPL"); 2057 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2058 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2059 "using following cores: " 2060 CRYPTO_DRBG_HASH_STRING 2061 CRYPTO_DRBG_HMAC_STRING 2062 CRYPTO_DRBG_CTR_STRING); 2063 MODULE_ALIAS_CRYPTO("stdrng"); 2064