1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/internal/cipher.h> 102 #include <linux/kernel.h> 103 104 /*************************************************************** 105 * Backend cipher definitions available to DRBG 106 ***************************************************************/ 107 108 /* 109 * The order of the DRBG definitions here matter: every DRBG is registered 110 * as stdrng. Each DRBG receives an increasing cra_priority values the later 111 * they are defined in this array (see drbg_fill_array). 112 * 113 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 114 * the SHA256 / AES 256 over other ciphers. Thus, the favored 115 * DRBGs are the latest entries in this array. 116 */ 117 static const struct drbg_core drbg_cores[] = { 118 #ifdef CONFIG_CRYPTO_DRBG_CTR 119 { 120 .flags = DRBG_CTR | DRBG_STRENGTH128, 121 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 122 .blocklen_bytes = 16, 123 .cra_name = "ctr_aes128", 124 .backend_cra_name = "aes", 125 }, { 126 .flags = DRBG_CTR | DRBG_STRENGTH192, 127 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 128 .blocklen_bytes = 16, 129 .cra_name = "ctr_aes192", 130 .backend_cra_name = "aes", 131 }, { 132 .flags = DRBG_CTR | DRBG_STRENGTH256, 133 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 134 .blocklen_bytes = 16, 135 .cra_name = "ctr_aes256", 136 .backend_cra_name = "aes", 137 }, 138 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 139 #ifdef CONFIG_CRYPTO_DRBG_HASH 140 { 141 .flags = DRBG_HASH | DRBG_STRENGTH128, 142 .statelen = 55, /* 440 bits */ 143 .blocklen_bytes = 20, 144 .cra_name = "sha1", 145 .backend_cra_name = "sha1", 146 }, { 147 .flags = DRBG_HASH | DRBG_STRENGTH256, 148 .statelen = 111, /* 888 bits */ 149 .blocklen_bytes = 48, 150 .cra_name = "sha384", 151 .backend_cra_name = "sha384", 152 }, { 153 .flags = DRBG_HASH | DRBG_STRENGTH256, 154 .statelen = 111, /* 888 bits */ 155 .blocklen_bytes = 64, 156 .cra_name = "sha512", 157 .backend_cra_name = "sha512", 158 }, { 159 .flags = DRBG_HASH | DRBG_STRENGTH256, 160 .statelen = 55, /* 440 bits */ 161 .blocklen_bytes = 32, 162 .cra_name = "sha256", 163 .backend_cra_name = "sha256", 164 }, 165 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 166 #ifdef CONFIG_CRYPTO_DRBG_HMAC 167 { 168 .flags = DRBG_HMAC | DRBG_STRENGTH128, 169 .statelen = 20, /* block length of cipher */ 170 .blocklen_bytes = 20, 171 .cra_name = "hmac_sha1", 172 .backend_cra_name = "hmac(sha1)", 173 }, { 174 .flags = DRBG_HMAC | DRBG_STRENGTH256, 175 .statelen = 48, /* block length of cipher */ 176 .blocklen_bytes = 48, 177 .cra_name = "hmac_sha384", 178 .backend_cra_name = "hmac(sha384)", 179 }, { 180 .flags = DRBG_HMAC | DRBG_STRENGTH256, 181 .statelen = 64, /* block length of cipher */ 182 .blocklen_bytes = 64, 183 .cra_name = "hmac_sha512", 184 .backend_cra_name = "hmac(sha512)", 185 }, { 186 .flags = DRBG_HMAC | DRBG_STRENGTH256, 187 .statelen = 32, /* block length of cipher */ 188 .blocklen_bytes = 32, 189 .cra_name = "hmac_sha256", 190 .backend_cra_name = "hmac(sha256)", 191 }, 192 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 193 }; 194 195 static int drbg_uninstantiate(struct drbg_state *drbg); 196 197 /****************************************************************** 198 * Generic helper functions 199 ******************************************************************/ 200 201 /* 202 * Return strength of DRBG according to SP800-90A section 8.4 203 * 204 * @flags DRBG flags reference 205 * 206 * Return: normalized strength in *bytes* value or 32 as default 207 * to counter programming errors 208 */ 209 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 210 { 211 switch (flags & DRBG_STRENGTH_MASK) { 212 case DRBG_STRENGTH128: 213 return 16; 214 case DRBG_STRENGTH192: 215 return 24; 216 case DRBG_STRENGTH256: 217 return 32; 218 default: 219 return 32; 220 } 221 } 222 223 /* 224 * FIPS 140-2 continuous self test for the noise source 225 * The test is performed on the noise source input data. Thus, the function 226 * implicitly knows the size of the buffer to be equal to the security 227 * strength. 228 * 229 * Note, this function disregards the nonce trailing the entropy data during 230 * initial seeding. 231 * 232 * drbg->drbg_mutex must have been taken. 233 * 234 * @drbg DRBG handle 235 * @entropy buffer of seed data to be checked 236 * 237 * return: 238 * 0 on success 239 * -EAGAIN on when the CTRNG is not yet primed 240 * < 0 on error 241 */ 242 static int drbg_fips_continuous_test(struct drbg_state *drbg, 243 const unsigned char *entropy) 244 { 245 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 246 int ret = 0; 247 248 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 249 return 0; 250 251 /* skip test if we test the overall system */ 252 if (list_empty(&drbg->test_data.list)) 253 return 0; 254 /* only perform test in FIPS mode */ 255 if (!fips_enabled) 256 return 0; 257 258 if (!drbg->fips_primed) { 259 /* Priming of FIPS test */ 260 memcpy(drbg->prev, entropy, entropylen); 261 drbg->fips_primed = true; 262 /* priming: another round is needed */ 263 return -EAGAIN; 264 } 265 ret = memcmp(drbg->prev, entropy, entropylen); 266 if (!ret) 267 panic("DRBG continuous self test failed\n"); 268 memcpy(drbg->prev, entropy, entropylen); 269 270 /* the test shall pass when the two values are not equal */ 271 return 0; 272 } 273 274 /* 275 * Convert an integer into a byte representation of this integer. 276 * The byte representation is big-endian 277 * 278 * @val value to be converted 279 * @buf buffer holding the converted integer -- caller must ensure that 280 * buffer size is at least 32 bit 281 */ 282 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 283 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 284 { 285 struct s { 286 __be32 conv; 287 }; 288 struct s *conversion = (struct s *) buf; 289 290 conversion->conv = cpu_to_be32(val); 291 } 292 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 293 294 /****************************************************************** 295 * CTR DRBG callback functions 296 ******************************************************************/ 297 298 #ifdef CONFIG_CRYPTO_DRBG_CTR 299 #define CRYPTO_DRBG_CTR_STRING "CTR " 300 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 301 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 302 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 303 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 304 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 305 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 306 307 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 308 const unsigned char *key); 309 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 310 const struct drbg_string *in); 311 static int drbg_init_sym_kernel(struct drbg_state *drbg); 312 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 313 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 314 u8 *inbuf, u32 inbuflen, 315 u8 *outbuf, u32 outlen); 316 #define DRBG_OUTSCRATCHLEN 256 317 318 /* BCC function for CTR DRBG as defined in 10.4.3 */ 319 static int drbg_ctr_bcc(struct drbg_state *drbg, 320 unsigned char *out, const unsigned char *key, 321 struct list_head *in) 322 { 323 int ret = 0; 324 struct drbg_string *curr = NULL; 325 struct drbg_string data; 326 short cnt = 0; 327 328 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 329 330 /* 10.4.3 step 2 / 4 */ 331 drbg_kcapi_symsetkey(drbg, key); 332 list_for_each_entry(curr, in, list) { 333 const unsigned char *pos = curr->buf; 334 size_t len = curr->len; 335 /* 10.4.3 step 4.1 */ 336 while (len) { 337 /* 10.4.3 step 4.2 */ 338 if (drbg_blocklen(drbg) == cnt) { 339 cnt = 0; 340 ret = drbg_kcapi_sym(drbg, out, &data); 341 if (ret) 342 return ret; 343 } 344 out[cnt] ^= *pos; 345 pos++; 346 cnt++; 347 len--; 348 } 349 } 350 /* 10.4.3 step 4.2 for last block */ 351 if (cnt) 352 ret = drbg_kcapi_sym(drbg, out, &data); 353 354 return ret; 355 } 356 357 /* 358 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 359 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 360 * the scratchpad is used as follows: 361 * drbg_ctr_update: 362 * temp 363 * start: drbg->scratchpad 364 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 365 * note: the cipher writing into this variable works 366 * blocklen-wise. Now, when the statelen is not a multiple 367 * of blocklen, the generateion loop below "spills over" 368 * by at most blocklen. Thus, we need to give sufficient 369 * memory. 370 * df_data 371 * start: drbg->scratchpad + 372 * drbg_statelen(drbg) + drbg_blocklen(drbg) 373 * length: drbg_statelen(drbg) 374 * 375 * drbg_ctr_df: 376 * pad 377 * start: df_data + drbg_statelen(drbg) 378 * length: drbg_blocklen(drbg) 379 * iv 380 * start: pad + drbg_blocklen(drbg) 381 * length: drbg_blocklen(drbg) 382 * temp 383 * start: iv + drbg_blocklen(drbg) 384 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 385 * note: temp is the buffer that the BCC function operates 386 * on. BCC operates blockwise. drbg_statelen(drbg) 387 * is sufficient when the DRBG state length is a multiple 388 * of the block size. For AES192 (and maybe other ciphers) 389 * this is not correct and the length for temp is 390 * insufficient (yes, that also means for such ciphers, 391 * the final output of all BCC rounds are truncated). 392 * Therefore, add drbg_blocklen(drbg) to cover all 393 * possibilities. 394 */ 395 396 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 397 static int drbg_ctr_df(struct drbg_state *drbg, 398 unsigned char *df_data, size_t bytes_to_return, 399 struct list_head *seedlist) 400 { 401 int ret = -EFAULT; 402 unsigned char L_N[8]; 403 /* S3 is input */ 404 struct drbg_string S1, S2, S4, cipherin; 405 LIST_HEAD(bcc_list); 406 unsigned char *pad = df_data + drbg_statelen(drbg); 407 unsigned char *iv = pad + drbg_blocklen(drbg); 408 unsigned char *temp = iv + drbg_blocklen(drbg); 409 size_t padlen = 0; 410 unsigned int templen = 0; 411 /* 10.4.2 step 7 */ 412 unsigned int i = 0; 413 /* 10.4.2 step 8 */ 414 const unsigned char *K = (unsigned char *) 415 "\x00\x01\x02\x03\x04\x05\x06\x07" 416 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 417 "\x10\x11\x12\x13\x14\x15\x16\x17" 418 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 419 unsigned char *X; 420 size_t generated_len = 0; 421 size_t inputlen = 0; 422 struct drbg_string *seed = NULL; 423 424 memset(pad, 0, drbg_blocklen(drbg)); 425 memset(iv, 0, drbg_blocklen(drbg)); 426 427 /* 10.4.2 step 1 is implicit as we work byte-wise */ 428 429 /* 10.4.2 step 2 */ 430 if ((512/8) < bytes_to_return) 431 return -EINVAL; 432 433 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 434 list_for_each_entry(seed, seedlist, list) 435 inputlen += seed->len; 436 drbg_cpu_to_be32(inputlen, &L_N[0]); 437 438 /* 10.4.2 step 3 */ 439 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 440 441 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 442 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 443 /* wrap the padlen appropriately */ 444 if (padlen) 445 padlen = drbg_blocklen(drbg) - padlen; 446 /* 447 * pad / padlen contains the 0x80 byte and the following zero bytes. 448 * As the calculated padlen value only covers the number of zero 449 * bytes, this value has to be incremented by one for the 0x80 byte. 450 */ 451 padlen++; 452 pad[0] = 0x80; 453 454 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 455 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 456 list_add_tail(&S1.list, &bcc_list); 457 drbg_string_fill(&S2, L_N, sizeof(L_N)); 458 list_add_tail(&S2.list, &bcc_list); 459 list_splice_tail(seedlist, &bcc_list); 460 drbg_string_fill(&S4, pad, padlen); 461 list_add_tail(&S4.list, &bcc_list); 462 463 /* 10.4.2 step 9 */ 464 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 465 /* 466 * 10.4.2 step 9.1 - the padding is implicit as the buffer 467 * holds zeros after allocation -- even the increment of i 468 * is irrelevant as the increment remains within length of i 469 */ 470 drbg_cpu_to_be32(i, iv); 471 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 472 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 473 if (ret) 474 goto out; 475 /* 10.4.2 step 9.3 */ 476 i++; 477 templen += drbg_blocklen(drbg); 478 } 479 480 /* 10.4.2 step 11 */ 481 X = temp + (drbg_keylen(drbg)); 482 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 483 484 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 485 486 /* 10.4.2 step 13 */ 487 drbg_kcapi_symsetkey(drbg, temp); 488 while (generated_len < bytes_to_return) { 489 short blocklen = 0; 490 /* 491 * 10.4.2 step 13.1: the truncation of the key length is 492 * implicit as the key is only drbg_blocklen in size based on 493 * the implementation of the cipher function callback 494 */ 495 ret = drbg_kcapi_sym(drbg, X, &cipherin); 496 if (ret) 497 goto out; 498 blocklen = (drbg_blocklen(drbg) < 499 (bytes_to_return - generated_len)) ? 500 drbg_blocklen(drbg) : 501 (bytes_to_return - generated_len); 502 /* 10.4.2 step 13.2 and 14 */ 503 memcpy(df_data + generated_len, X, blocklen); 504 generated_len += blocklen; 505 } 506 507 ret = 0; 508 509 out: 510 memset(iv, 0, drbg_blocklen(drbg)); 511 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 512 memset(pad, 0, drbg_blocklen(drbg)); 513 return ret; 514 } 515 516 /* 517 * update function of CTR DRBG as defined in 10.2.1.2 518 * 519 * The reseed variable has an enhanced meaning compared to the update 520 * functions of the other DRBGs as follows: 521 * 0 => initial seed from initialization 522 * 1 => reseed via drbg_seed 523 * 2 => first invocation from drbg_ctr_update when addtl is present. In 524 * this case, the df_data scratchpad is not deleted so that it is 525 * available for another calls to prevent calling the DF function 526 * again. 527 * 3 => second invocation from drbg_ctr_update. When the update function 528 * was called with addtl, the df_data memory already contains the 529 * DFed addtl information and we do not need to call DF again. 530 */ 531 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 532 int reseed) 533 { 534 int ret = -EFAULT; 535 /* 10.2.1.2 step 1 */ 536 unsigned char *temp = drbg->scratchpad; 537 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 538 drbg_blocklen(drbg); 539 540 if (3 > reseed) 541 memset(df_data, 0, drbg_statelen(drbg)); 542 543 if (!reseed) { 544 /* 545 * The DRBG uses the CTR mode of the underlying AES cipher. The 546 * CTR mode increments the counter value after the AES operation 547 * but SP800-90A requires that the counter is incremented before 548 * the AES operation. Hence, we increment it at the time we set 549 * it by one. 550 */ 551 crypto_inc(drbg->V, drbg_blocklen(drbg)); 552 553 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 554 drbg_keylen(drbg)); 555 if (ret) 556 goto out; 557 } 558 559 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 560 if (seed) { 561 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 562 if (ret) 563 goto out; 564 } 565 566 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 567 temp, drbg_statelen(drbg)); 568 if (ret) 569 return ret; 570 571 /* 10.2.1.2 step 5 */ 572 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 573 drbg_keylen(drbg)); 574 if (ret) 575 goto out; 576 /* 10.2.1.2 step 6 */ 577 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 578 /* See above: increment counter by one to compensate timing of CTR op */ 579 crypto_inc(drbg->V, drbg_blocklen(drbg)); 580 ret = 0; 581 582 out: 583 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 584 if (2 != reseed) 585 memset(df_data, 0, drbg_statelen(drbg)); 586 return ret; 587 } 588 589 /* 590 * scratchpad use: drbg_ctr_update is called independently from 591 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 592 */ 593 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 594 static int drbg_ctr_generate(struct drbg_state *drbg, 595 unsigned char *buf, unsigned int buflen, 596 struct list_head *addtl) 597 { 598 int ret; 599 int len = min_t(int, buflen, INT_MAX); 600 601 /* 10.2.1.5.2 step 2 */ 602 if (addtl && !list_empty(addtl)) { 603 ret = drbg_ctr_update(drbg, addtl, 2); 604 if (ret) 605 return 0; 606 } 607 608 /* 10.2.1.5.2 step 4.1 */ 609 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 610 if (ret) 611 return ret; 612 613 /* 10.2.1.5.2 step 6 */ 614 ret = drbg_ctr_update(drbg, NULL, 3); 615 if (ret) 616 len = ret; 617 618 return len; 619 } 620 621 static const struct drbg_state_ops drbg_ctr_ops = { 622 .update = drbg_ctr_update, 623 .generate = drbg_ctr_generate, 624 .crypto_init = drbg_init_sym_kernel, 625 .crypto_fini = drbg_fini_sym_kernel, 626 }; 627 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 628 629 /****************************************************************** 630 * HMAC DRBG callback functions 631 ******************************************************************/ 632 633 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 634 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 635 const struct list_head *in); 636 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 637 const unsigned char *key); 638 static int drbg_init_hash_kernel(struct drbg_state *drbg); 639 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 640 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 641 642 #ifdef CONFIG_CRYPTO_DRBG_HMAC 643 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 644 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 645 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 646 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 647 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 648 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 649 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 650 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 651 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 652 653 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 654 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 655 int reseed) 656 { 657 int ret = -EFAULT; 658 int i = 0; 659 struct drbg_string seed1, seed2, vdata; 660 LIST_HEAD(seedlist); 661 LIST_HEAD(vdatalist); 662 663 if (!reseed) { 664 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 665 memset(drbg->V, 1, drbg_statelen(drbg)); 666 drbg_kcapi_hmacsetkey(drbg, drbg->C); 667 } 668 669 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 670 list_add_tail(&seed1.list, &seedlist); 671 /* buffer of seed2 will be filled in for loop below with one byte */ 672 drbg_string_fill(&seed2, NULL, 1); 673 list_add_tail(&seed2.list, &seedlist); 674 /* input data of seed is allowed to be NULL at this point */ 675 if (seed) 676 list_splice_tail(seed, &seedlist); 677 678 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 679 list_add_tail(&vdata.list, &vdatalist); 680 for (i = 2; 0 < i; i--) { 681 /* first round uses 0x0, second 0x1 */ 682 unsigned char prefix = DRBG_PREFIX0; 683 if (1 == i) 684 prefix = DRBG_PREFIX1; 685 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 686 seed2.buf = &prefix; 687 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 688 if (ret) 689 return ret; 690 drbg_kcapi_hmacsetkey(drbg, drbg->C); 691 692 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 693 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 694 if (ret) 695 return ret; 696 697 /* 10.1.2.2 step 3 */ 698 if (!seed) 699 return ret; 700 } 701 702 return 0; 703 } 704 705 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 706 static int drbg_hmac_generate(struct drbg_state *drbg, 707 unsigned char *buf, 708 unsigned int buflen, 709 struct list_head *addtl) 710 { 711 int len = 0; 712 int ret = 0; 713 struct drbg_string data; 714 LIST_HEAD(datalist); 715 716 /* 10.1.2.5 step 2 */ 717 if (addtl && !list_empty(addtl)) { 718 ret = drbg_hmac_update(drbg, addtl, 1); 719 if (ret) 720 return ret; 721 } 722 723 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 724 list_add_tail(&data.list, &datalist); 725 while (len < buflen) { 726 unsigned int outlen = 0; 727 /* 10.1.2.5 step 4.1 */ 728 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 729 if (ret) 730 return ret; 731 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 732 drbg_blocklen(drbg) : (buflen - len); 733 734 /* 10.1.2.5 step 4.2 */ 735 memcpy(buf + len, drbg->V, outlen); 736 len += outlen; 737 } 738 739 /* 10.1.2.5 step 6 */ 740 if (addtl && !list_empty(addtl)) 741 ret = drbg_hmac_update(drbg, addtl, 1); 742 else 743 ret = drbg_hmac_update(drbg, NULL, 1); 744 if (ret) 745 return ret; 746 747 return len; 748 } 749 750 static const struct drbg_state_ops drbg_hmac_ops = { 751 .update = drbg_hmac_update, 752 .generate = drbg_hmac_generate, 753 .crypto_init = drbg_init_hash_kernel, 754 .crypto_fini = drbg_fini_hash_kernel, 755 }; 756 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 757 758 /****************************************************************** 759 * Hash DRBG callback functions 760 ******************************************************************/ 761 762 #ifdef CONFIG_CRYPTO_DRBG_HASH 763 #define CRYPTO_DRBG_HASH_STRING "HASH " 764 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 765 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 766 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 767 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 768 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 769 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 770 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 771 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 772 773 /* 774 * Increment buffer 775 * 776 * @dst buffer to increment 777 * @add value to add 778 */ 779 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 780 const unsigned char *add, size_t addlen) 781 { 782 /* implied: dstlen > addlen */ 783 unsigned char *dstptr; 784 const unsigned char *addptr; 785 unsigned int remainder = 0; 786 size_t len = addlen; 787 788 dstptr = dst + (dstlen-1); 789 addptr = add + (addlen-1); 790 while (len) { 791 remainder += *dstptr + *addptr; 792 *dstptr = remainder & 0xff; 793 remainder >>= 8; 794 len--; dstptr--; addptr--; 795 } 796 len = dstlen - addlen; 797 while (len && remainder > 0) { 798 remainder = *dstptr + 1; 799 *dstptr = remainder & 0xff; 800 remainder >>= 8; 801 len--; dstptr--; 802 } 803 } 804 805 /* 806 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 807 * interlinked, the scratchpad is used as follows: 808 * drbg_hash_update 809 * start: drbg->scratchpad 810 * length: drbg_statelen(drbg) 811 * drbg_hash_df: 812 * start: drbg->scratchpad + drbg_statelen(drbg) 813 * length: drbg_blocklen(drbg) 814 * 815 * drbg_hash_process_addtl uses the scratchpad, but fully completes 816 * before either of the functions mentioned before are invoked. Therefore, 817 * drbg_hash_process_addtl does not need to be specifically considered. 818 */ 819 820 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 821 static int drbg_hash_df(struct drbg_state *drbg, 822 unsigned char *outval, size_t outlen, 823 struct list_head *entropylist) 824 { 825 int ret = 0; 826 size_t len = 0; 827 unsigned char input[5]; 828 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 829 struct drbg_string data; 830 831 /* 10.4.1 step 3 */ 832 input[0] = 1; 833 drbg_cpu_to_be32((outlen * 8), &input[1]); 834 835 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 836 drbg_string_fill(&data, input, 5); 837 list_add(&data.list, entropylist); 838 839 /* 10.4.1 step 4 */ 840 while (len < outlen) { 841 short blocklen = 0; 842 /* 10.4.1 step 4.1 */ 843 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 844 if (ret) 845 goto out; 846 /* 10.4.1 step 4.2 */ 847 input[0]++; 848 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 849 drbg_blocklen(drbg) : (outlen - len); 850 memcpy(outval + len, tmp, blocklen); 851 len += blocklen; 852 } 853 854 out: 855 memset(tmp, 0, drbg_blocklen(drbg)); 856 return ret; 857 } 858 859 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 860 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 861 int reseed) 862 { 863 int ret = 0; 864 struct drbg_string data1, data2; 865 LIST_HEAD(datalist); 866 LIST_HEAD(datalist2); 867 unsigned char *V = drbg->scratchpad; 868 unsigned char prefix = DRBG_PREFIX1; 869 870 if (!seed) 871 return -EINVAL; 872 873 if (reseed) { 874 /* 10.1.1.3 step 1 */ 875 memcpy(V, drbg->V, drbg_statelen(drbg)); 876 drbg_string_fill(&data1, &prefix, 1); 877 list_add_tail(&data1.list, &datalist); 878 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 879 list_add_tail(&data2.list, &datalist); 880 } 881 list_splice_tail(seed, &datalist); 882 883 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 884 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 885 if (ret) 886 goto out; 887 888 /* 10.1.1.2 / 10.1.1.3 step 4 */ 889 prefix = DRBG_PREFIX0; 890 drbg_string_fill(&data1, &prefix, 1); 891 list_add_tail(&data1.list, &datalist2); 892 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 893 list_add_tail(&data2.list, &datalist2); 894 /* 10.1.1.2 / 10.1.1.3 step 4 */ 895 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 896 897 out: 898 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 899 return ret; 900 } 901 902 /* processing of additional information string for Hash DRBG */ 903 static int drbg_hash_process_addtl(struct drbg_state *drbg, 904 struct list_head *addtl) 905 { 906 int ret = 0; 907 struct drbg_string data1, data2; 908 LIST_HEAD(datalist); 909 unsigned char prefix = DRBG_PREFIX2; 910 911 /* 10.1.1.4 step 2 */ 912 if (!addtl || list_empty(addtl)) 913 return 0; 914 915 /* 10.1.1.4 step 2a */ 916 drbg_string_fill(&data1, &prefix, 1); 917 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 918 list_add_tail(&data1.list, &datalist); 919 list_add_tail(&data2.list, &datalist); 920 list_splice_tail(addtl, &datalist); 921 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 922 if (ret) 923 goto out; 924 925 /* 10.1.1.4 step 2b */ 926 drbg_add_buf(drbg->V, drbg_statelen(drbg), 927 drbg->scratchpad, drbg_blocklen(drbg)); 928 929 out: 930 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 931 return ret; 932 } 933 934 /* Hashgen defined in 10.1.1.4 */ 935 static int drbg_hash_hashgen(struct drbg_state *drbg, 936 unsigned char *buf, 937 unsigned int buflen) 938 { 939 int len = 0; 940 int ret = 0; 941 unsigned char *src = drbg->scratchpad; 942 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 943 struct drbg_string data; 944 LIST_HEAD(datalist); 945 946 /* 10.1.1.4 step hashgen 2 */ 947 memcpy(src, drbg->V, drbg_statelen(drbg)); 948 949 drbg_string_fill(&data, src, drbg_statelen(drbg)); 950 list_add_tail(&data.list, &datalist); 951 while (len < buflen) { 952 unsigned int outlen = 0; 953 /* 10.1.1.4 step hashgen 4.1 */ 954 ret = drbg_kcapi_hash(drbg, dst, &datalist); 955 if (ret) { 956 len = ret; 957 goto out; 958 } 959 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 960 drbg_blocklen(drbg) : (buflen - len); 961 /* 10.1.1.4 step hashgen 4.2 */ 962 memcpy(buf + len, dst, outlen); 963 len += outlen; 964 /* 10.1.1.4 hashgen step 4.3 */ 965 if (len < buflen) 966 crypto_inc(src, drbg_statelen(drbg)); 967 } 968 969 out: 970 memset(drbg->scratchpad, 0, 971 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 972 return len; 973 } 974 975 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 976 static int drbg_hash_generate(struct drbg_state *drbg, 977 unsigned char *buf, unsigned int buflen, 978 struct list_head *addtl) 979 { 980 int len = 0; 981 int ret = 0; 982 union { 983 unsigned char req[8]; 984 __be64 req_int; 985 } u; 986 unsigned char prefix = DRBG_PREFIX3; 987 struct drbg_string data1, data2; 988 LIST_HEAD(datalist); 989 990 /* 10.1.1.4 step 2 */ 991 ret = drbg_hash_process_addtl(drbg, addtl); 992 if (ret) 993 return ret; 994 /* 10.1.1.4 step 3 */ 995 len = drbg_hash_hashgen(drbg, buf, buflen); 996 997 /* this is the value H as documented in 10.1.1.4 */ 998 /* 10.1.1.4 step 4 */ 999 drbg_string_fill(&data1, &prefix, 1); 1000 list_add_tail(&data1.list, &datalist); 1001 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1002 list_add_tail(&data2.list, &datalist); 1003 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 1004 if (ret) { 1005 len = ret; 1006 goto out; 1007 } 1008 1009 /* 10.1.1.4 step 5 */ 1010 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1011 drbg->scratchpad, drbg_blocklen(drbg)); 1012 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1013 drbg->C, drbg_statelen(drbg)); 1014 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1015 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1016 1017 out: 1018 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1019 return len; 1020 } 1021 1022 /* 1023 * scratchpad usage: as update and generate are used isolated, both 1024 * can use the scratchpad 1025 */ 1026 static const struct drbg_state_ops drbg_hash_ops = { 1027 .update = drbg_hash_update, 1028 .generate = drbg_hash_generate, 1029 .crypto_init = drbg_init_hash_kernel, 1030 .crypto_fini = drbg_fini_hash_kernel, 1031 }; 1032 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1033 1034 /****************************************************************** 1035 * Functions common for DRBG implementations 1036 ******************************************************************/ 1037 1038 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1039 int reseed) 1040 { 1041 int ret = drbg->d_ops->update(drbg, seed, reseed); 1042 1043 if (ret) 1044 return ret; 1045 1046 drbg->seeded = true; 1047 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1048 drbg->reseed_ctr = 1; 1049 1050 return ret; 1051 } 1052 1053 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 1054 unsigned char *entropy, 1055 unsigned int entropylen) 1056 { 1057 int ret; 1058 1059 do { 1060 get_random_bytes(entropy, entropylen); 1061 ret = drbg_fips_continuous_test(drbg, entropy); 1062 if (ret && ret != -EAGAIN) 1063 return ret; 1064 } while (ret); 1065 1066 return 0; 1067 } 1068 1069 static void drbg_async_seed(struct work_struct *work) 1070 { 1071 struct drbg_string data; 1072 LIST_HEAD(seedlist); 1073 struct drbg_state *drbg = container_of(work, struct drbg_state, 1074 seed_work); 1075 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1076 unsigned char entropy[32]; 1077 int ret; 1078 1079 BUG_ON(!entropylen); 1080 BUG_ON(entropylen > sizeof(entropy)); 1081 1082 drbg_string_fill(&data, entropy, entropylen); 1083 list_add_tail(&data.list, &seedlist); 1084 1085 mutex_lock(&drbg->drbg_mutex); 1086 1087 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1088 if (ret) 1089 goto unlock; 1090 1091 /* Set seeded to false so that if __drbg_seed fails the 1092 * next generate call will trigger a reseed. 1093 */ 1094 drbg->seeded = false; 1095 1096 __drbg_seed(drbg, &seedlist, true); 1097 1098 if (drbg->seeded) 1099 drbg->reseed_threshold = drbg_max_requests(drbg); 1100 1101 unlock: 1102 mutex_unlock(&drbg->drbg_mutex); 1103 1104 memzero_explicit(entropy, entropylen); 1105 } 1106 1107 /* 1108 * Seeding or reseeding of the DRBG 1109 * 1110 * @drbg: DRBG state struct 1111 * @pers: personalization / additional information buffer 1112 * @reseed: 0 for initial seed process, 1 for reseeding 1113 * 1114 * return: 1115 * 0 on success 1116 * error value otherwise 1117 */ 1118 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1119 bool reseed) 1120 { 1121 int ret; 1122 unsigned char entropy[((32 + 16) * 2)]; 1123 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1124 struct drbg_string data1; 1125 LIST_HEAD(seedlist); 1126 1127 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1128 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1129 pr_devel("DRBG: personalization string too long %zu\n", 1130 pers->len); 1131 return -EINVAL; 1132 } 1133 1134 if (list_empty(&drbg->test_data.list)) { 1135 drbg_string_fill(&data1, drbg->test_data.buf, 1136 drbg->test_data.len); 1137 pr_devel("DRBG: using test entropy\n"); 1138 } else { 1139 /* 1140 * Gather entropy equal to the security strength of the DRBG. 1141 * With a derivation function, a nonce is required in addition 1142 * to the entropy. A nonce must be at least 1/2 of the security 1143 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1144 * of the strength. The consideration of a nonce is only 1145 * applicable during initial seeding. 1146 */ 1147 BUG_ON(!entropylen); 1148 if (!reseed) 1149 entropylen = ((entropylen + 1) / 2) * 3; 1150 BUG_ON((entropylen * 2) > sizeof(entropy)); 1151 1152 /* Get seed from in-kernel /dev/urandom */ 1153 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1154 if (ret) 1155 goto out; 1156 1157 if (!drbg->jent) { 1158 drbg_string_fill(&data1, entropy, entropylen); 1159 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1160 entropylen); 1161 } else { 1162 /* Get seed from Jitter RNG */ 1163 ret = crypto_rng_get_bytes(drbg->jent, 1164 entropy + entropylen, 1165 entropylen); 1166 if (ret) { 1167 pr_devel("DRBG: jent failed with %d\n", ret); 1168 1169 /* 1170 * Do not treat the transient failure of the 1171 * Jitter RNG as an error that needs to be 1172 * reported. The combined number of the 1173 * maximum reseed threshold times the maximum 1174 * number of Jitter RNG transient errors is 1175 * less than the reseed threshold required by 1176 * SP800-90A allowing us to treat the 1177 * transient errors as such. 1178 * 1179 * However, we mandate that at least the first 1180 * seeding operation must succeed with the 1181 * Jitter RNG. 1182 */ 1183 if (!reseed || ret != -EAGAIN) 1184 goto out; 1185 } 1186 1187 drbg_string_fill(&data1, entropy, entropylen * 2); 1188 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1189 entropylen * 2); 1190 } 1191 } 1192 list_add_tail(&data1.list, &seedlist); 1193 1194 /* 1195 * concatenation of entropy with personalization str / addtl input) 1196 * the variable pers is directly handed in by the caller, so check its 1197 * contents whether it is appropriate 1198 */ 1199 if (pers && pers->buf && 0 < pers->len) { 1200 list_add_tail(&pers->list, &seedlist); 1201 pr_devel("DRBG: using personalization string\n"); 1202 } 1203 1204 if (!reseed) { 1205 memset(drbg->V, 0, drbg_statelen(drbg)); 1206 memset(drbg->C, 0, drbg_statelen(drbg)); 1207 } 1208 1209 ret = __drbg_seed(drbg, &seedlist, reseed); 1210 1211 out: 1212 memzero_explicit(entropy, entropylen * 2); 1213 1214 return ret; 1215 } 1216 1217 /* Free all substructures in a DRBG state without the DRBG state structure */ 1218 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1219 { 1220 if (!drbg) 1221 return; 1222 kfree_sensitive(drbg->Vbuf); 1223 drbg->Vbuf = NULL; 1224 drbg->V = NULL; 1225 kfree_sensitive(drbg->Cbuf); 1226 drbg->Cbuf = NULL; 1227 drbg->C = NULL; 1228 kfree_sensitive(drbg->scratchpadbuf); 1229 drbg->scratchpadbuf = NULL; 1230 drbg->reseed_ctr = 0; 1231 drbg->d_ops = NULL; 1232 drbg->core = NULL; 1233 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1234 kfree_sensitive(drbg->prev); 1235 drbg->prev = NULL; 1236 drbg->fips_primed = false; 1237 } 1238 } 1239 1240 /* 1241 * Allocate all sub-structures for a DRBG state. 1242 * The DRBG state structure must already be allocated. 1243 */ 1244 static inline int drbg_alloc_state(struct drbg_state *drbg) 1245 { 1246 int ret = -ENOMEM; 1247 unsigned int sb_size = 0; 1248 1249 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1250 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1251 case DRBG_HMAC: 1252 drbg->d_ops = &drbg_hmac_ops; 1253 break; 1254 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1255 #ifdef CONFIG_CRYPTO_DRBG_HASH 1256 case DRBG_HASH: 1257 drbg->d_ops = &drbg_hash_ops; 1258 break; 1259 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1260 #ifdef CONFIG_CRYPTO_DRBG_CTR 1261 case DRBG_CTR: 1262 drbg->d_ops = &drbg_ctr_ops; 1263 break; 1264 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1265 default: 1266 ret = -EOPNOTSUPP; 1267 goto err; 1268 } 1269 1270 ret = drbg->d_ops->crypto_init(drbg); 1271 if (ret < 0) 1272 goto err; 1273 1274 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1275 if (!drbg->Vbuf) { 1276 ret = -ENOMEM; 1277 goto fini; 1278 } 1279 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1280 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1281 if (!drbg->Cbuf) { 1282 ret = -ENOMEM; 1283 goto fini; 1284 } 1285 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1286 /* scratchpad is only generated for CTR and Hash */ 1287 if (drbg->core->flags & DRBG_HMAC) 1288 sb_size = 0; 1289 else if (drbg->core->flags & DRBG_CTR) 1290 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1291 drbg_statelen(drbg) + /* df_data */ 1292 drbg_blocklen(drbg) + /* pad */ 1293 drbg_blocklen(drbg) + /* iv */ 1294 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1295 else 1296 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1297 1298 if (0 < sb_size) { 1299 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1300 if (!drbg->scratchpadbuf) { 1301 ret = -ENOMEM; 1302 goto fini; 1303 } 1304 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1305 } 1306 1307 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1308 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1309 GFP_KERNEL); 1310 if (!drbg->prev) { 1311 ret = -ENOMEM; 1312 goto fini; 1313 } 1314 drbg->fips_primed = false; 1315 } 1316 1317 return 0; 1318 1319 fini: 1320 drbg->d_ops->crypto_fini(drbg); 1321 err: 1322 drbg_dealloc_state(drbg); 1323 return ret; 1324 } 1325 1326 /************************************************************************* 1327 * DRBG interface functions 1328 *************************************************************************/ 1329 1330 /* 1331 * DRBG generate function as required by SP800-90A - this function 1332 * generates random numbers 1333 * 1334 * @drbg DRBG state handle 1335 * @buf Buffer where to store the random numbers -- the buffer must already 1336 * be pre-allocated by caller 1337 * @buflen Length of output buffer - this value defines the number of random 1338 * bytes pulled from DRBG 1339 * @addtl Additional input that is mixed into state, may be NULL -- note 1340 * the entropy is pulled by the DRBG internally unconditionally 1341 * as defined in SP800-90A. The additional input is mixed into 1342 * the state in addition to the pulled entropy. 1343 * 1344 * return: 0 when all bytes are generated; < 0 in case of an error 1345 */ 1346 static int drbg_generate(struct drbg_state *drbg, 1347 unsigned char *buf, unsigned int buflen, 1348 struct drbg_string *addtl) 1349 { 1350 int len = 0; 1351 LIST_HEAD(addtllist); 1352 1353 if (!drbg->core) { 1354 pr_devel("DRBG: not yet seeded\n"); 1355 return -EINVAL; 1356 } 1357 if (0 == buflen || !buf) { 1358 pr_devel("DRBG: no output buffer provided\n"); 1359 return -EINVAL; 1360 } 1361 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1362 pr_devel("DRBG: wrong format of additional information\n"); 1363 return -EINVAL; 1364 } 1365 1366 /* 9.3.1 step 2 */ 1367 len = -EINVAL; 1368 if (buflen > (drbg_max_request_bytes(drbg))) { 1369 pr_devel("DRBG: requested random numbers too large %u\n", 1370 buflen); 1371 goto err; 1372 } 1373 1374 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1375 1376 /* 9.3.1 step 4 */ 1377 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1378 pr_devel("DRBG: additional information string too long %zu\n", 1379 addtl->len); 1380 goto err; 1381 } 1382 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1383 1384 /* 1385 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1386 * here. The spec is a bit convoluted here, we make it simpler. 1387 */ 1388 if (drbg->reseed_threshold < drbg->reseed_ctr) 1389 drbg->seeded = false; 1390 1391 if (drbg->pr || !drbg->seeded) { 1392 pr_devel("DRBG: reseeding before generation (prediction " 1393 "resistance: %s, state %s)\n", 1394 drbg->pr ? "true" : "false", 1395 drbg->seeded ? "seeded" : "unseeded"); 1396 /* 9.3.1 steps 7.1 through 7.3 */ 1397 len = drbg_seed(drbg, addtl, true); 1398 if (len) 1399 goto err; 1400 /* 9.3.1 step 7.4 */ 1401 addtl = NULL; 1402 } 1403 1404 if (addtl && 0 < addtl->len) 1405 list_add_tail(&addtl->list, &addtllist); 1406 /* 9.3.1 step 8 and 10 */ 1407 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1408 1409 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1410 drbg->reseed_ctr++; 1411 if (0 >= len) 1412 goto err; 1413 1414 /* 1415 * Section 11.3.3 requires to re-perform self tests after some 1416 * generated random numbers. The chosen value after which self 1417 * test is performed is arbitrary, but it should be reasonable. 1418 * However, we do not perform the self tests because of the following 1419 * reasons: it is mathematically impossible that the initial self tests 1420 * were successfully and the following are not. If the initial would 1421 * pass and the following would not, the kernel integrity is violated. 1422 * In this case, the entire kernel operation is questionable and it 1423 * is unlikely that the integrity violation only affects the 1424 * correct operation of the DRBG. 1425 * 1426 * Albeit the following code is commented out, it is provided in 1427 * case somebody has a need to implement the test of 11.3.3. 1428 */ 1429 #if 0 1430 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1431 int err = 0; 1432 pr_devel("DRBG: start to perform self test\n"); 1433 if (drbg->core->flags & DRBG_HMAC) 1434 err = alg_test("drbg_pr_hmac_sha256", 1435 "drbg_pr_hmac_sha256", 0, 0); 1436 else if (drbg->core->flags & DRBG_CTR) 1437 err = alg_test("drbg_pr_ctr_aes128", 1438 "drbg_pr_ctr_aes128", 0, 0); 1439 else 1440 err = alg_test("drbg_pr_sha256", 1441 "drbg_pr_sha256", 0, 0); 1442 if (err) { 1443 pr_err("DRBG: periodical self test failed\n"); 1444 /* 1445 * uninstantiate implies that from now on, only errors 1446 * are returned when reusing this DRBG cipher handle 1447 */ 1448 drbg_uninstantiate(drbg); 1449 return 0; 1450 } else { 1451 pr_devel("DRBG: self test successful\n"); 1452 } 1453 } 1454 #endif 1455 1456 /* 1457 * All operations were successful, return 0 as mandated by 1458 * the kernel crypto API interface. 1459 */ 1460 len = 0; 1461 err: 1462 return len; 1463 } 1464 1465 /* 1466 * Wrapper around drbg_generate which can pull arbitrary long strings 1467 * from the DRBG without hitting the maximum request limitation. 1468 * 1469 * Parameters: see drbg_generate 1470 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1471 * the entire drbg_generate_long request fails 1472 */ 1473 static int drbg_generate_long(struct drbg_state *drbg, 1474 unsigned char *buf, unsigned int buflen, 1475 struct drbg_string *addtl) 1476 { 1477 unsigned int len = 0; 1478 unsigned int slice = 0; 1479 do { 1480 int err = 0; 1481 unsigned int chunk = 0; 1482 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1483 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1484 mutex_lock(&drbg->drbg_mutex); 1485 err = drbg_generate(drbg, buf + len, chunk, addtl); 1486 mutex_unlock(&drbg->drbg_mutex); 1487 if (0 > err) 1488 return err; 1489 len += chunk; 1490 } while (slice > 0 && (len < buflen)); 1491 return 0; 1492 } 1493 1494 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1495 { 1496 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1497 random_ready); 1498 1499 schedule_work(&drbg->seed_work); 1500 } 1501 1502 static int drbg_prepare_hrng(struct drbg_state *drbg) 1503 { 1504 int err; 1505 1506 /* We do not need an HRNG in test mode. */ 1507 if (list_empty(&drbg->test_data.list)) 1508 return 0; 1509 1510 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1511 1512 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1513 1514 drbg->random_ready.owner = THIS_MODULE; 1515 drbg->random_ready.func = drbg_schedule_async_seed; 1516 1517 err = add_random_ready_callback(&drbg->random_ready); 1518 1519 switch (err) { 1520 case 0: 1521 break; 1522 1523 case -EALREADY: 1524 err = 0; 1525 fallthrough; 1526 1527 default: 1528 drbg->random_ready.func = NULL; 1529 return err; 1530 } 1531 1532 /* 1533 * Require frequent reseeds until the seed source is fully 1534 * initialized. 1535 */ 1536 drbg->reseed_threshold = 50; 1537 1538 return err; 1539 } 1540 1541 /* 1542 * DRBG instantiation function as required by SP800-90A - this function 1543 * sets up the DRBG handle, performs the initial seeding and all sanity 1544 * checks required by SP800-90A 1545 * 1546 * @drbg memory of state -- if NULL, new memory is allocated 1547 * @pers Personalization string that is mixed into state, may be NULL -- note 1548 * the entropy is pulled by the DRBG internally unconditionally 1549 * as defined in SP800-90A. The additional input is mixed into 1550 * the state in addition to the pulled entropy. 1551 * @coreref reference to core 1552 * @pr prediction resistance enabled 1553 * 1554 * return 1555 * 0 on success 1556 * error value otherwise 1557 */ 1558 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1559 int coreref, bool pr) 1560 { 1561 int ret; 1562 bool reseed = true; 1563 1564 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1565 "%s\n", coreref, pr ? "enabled" : "disabled"); 1566 mutex_lock(&drbg->drbg_mutex); 1567 1568 /* 9.1 step 1 is implicit with the selected DRBG type */ 1569 1570 /* 1571 * 9.1 step 2 is implicit as caller can select prediction resistance 1572 * and the flag is copied into drbg->flags -- 1573 * all DRBG types support prediction resistance 1574 */ 1575 1576 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1577 1578 if (!drbg->core) { 1579 drbg->core = &drbg_cores[coreref]; 1580 drbg->pr = pr; 1581 drbg->seeded = false; 1582 drbg->reseed_threshold = drbg_max_requests(drbg); 1583 1584 ret = drbg_alloc_state(drbg); 1585 if (ret) 1586 goto unlock; 1587 1588 ret = drbg_prepare_hrng(drbg); 1589 if (ret) 1590 goto free_everything; 1591 1592 if (IS_ERR(drbg->jent)) { 1593 ret = PTR_ERR(drbg->jent); 1594 drbg->jent = NULL; 1595 if (fips_enabled || ret != -ENOENT) 1596 goto free_everything; 1597 pr_info("DRBG: Continuing without Jitter RNG\n"); 1598 } 1599 1600 reseed = false; 1601 } 1602 1603 ret = drbg_seed(drbg, pers, reseed); 1604 1605 if (ret && !reseed) 1606 goto free_everything; 1607 1608 mutex_unlock(&drbg->drbg_mutex); 1609 return ret; 1610 1611 unlock: 1612 mutex_unlock(&drbg->drbg_mutex); 1613 return ret; 1614 1615 free_everything: 1616 mutex_unlock(&drbg->drbg_mutex); 1617 drbg_uninstantiate(drbg); 1618 return ret; 1619 } 1620 1621 /* 1622 * DRBG uninstantiate function as required by SP800-90A - this function 1623 * frees all buffers and the DRBG handle 1624 * 1625 * @drbg DRBG state handle 1626 * 1627 * return 1628 * 0 on success 1629 */ 1630 static int drbg_uninstantiate(struct drbg_state *drbg) 1631 { 1632 if (drbg->random_ready.func) { 1633 del_random_ready_callback(&drbg->random_ready); 1634 cancel_work_sync(&drbg->seed_work); 1635 } 1636 1637 if (!IS_ERR_OR_NULL(drbg->jent)) 1638 crypto_free_rng(drbg->jent); 1639 drbg->jent = NULL; 1640 1641 if (drbg->d_ops) 1642 drbg->d_ops->crypto_fini(drbg); 1643 drbg_dealloc_state(drbg); 1644 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1645 return 0; 1646 } 1647 1648 /* 1649 * Helper function for setting the test data in the DRBG 1650 * 1651 * @drbg DRBG state handle 1652 * @data test data 1653 * @len test data length 1654 */ 1655 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1656 const u8 *data, unsigned int len) 1657 { 1658 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1659 1660 mutex_lock(&drbg->drbg_mutex); 1661 drbg_string_fill(&drbg->test_data, data, len); 1662 mutex_unlock(&drbg->drbg_mutex); 1663 } 1664 1665 /*************************************************************** 1666 * Kernel crypto API cipher invocations requested by DRBG 1667 ***************************************************************/ 1668 1669 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1670 struct sdesc { 1671 struct shash_desc shash; 1672 char ctx[]; 1673 }; 1674 1675 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1676 { 1677 struct sdesc *sdesc; 1678 struct crypto_shash *tfm; 1679 1680 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1681 if (IS_ERR(tfm)) { 1682 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1683 drbg->core->backend_cra_name); 1684 return PTR_ERR(tfm); 1685 } 1686 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1687 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1688 GFP_KERNEL); 1689 if (!sdesc) { 1690 crypto_free_shash(tfm); 1691 return -ENOMEM; 1692 } 1693 1694 sdesc->shash.tfm = tfm; 1695 drbg->priv_data = sdesc; 1696 1697 return crypto_shash_alignmask(tfm); 1698 } 1699 1700 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1701 { 1702 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1703 if (sdesc) { 1704 crypto_free_shash(sdesc->shash.tfm); 1705 kfree_sensitive(sdesc); 1706 } 1707 drbg->priv_data = NULL; 1708 return 0; 1709 } 1710 1711 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1712 const unsigned char *key) 1713 { 1714 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1715 1716 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1717 } 1718 1719 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1720 const struct list_head *in) 1721 { 1722 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1723 struct drbg_string *input = NULL; 1724 1725 crypto_shash_init(&sdesc->shash); 1726 list_for_each_entry(input, in, list) 1727 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1728 return crypto_shash_final(&sdesc->shash, outval); 1729 } 1730 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1731 1732 #ifdef CONFIG_CRYPTO_DRBG_CTR 1733 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1734 { 1735 struct crypto_cipher *tfm = 1736 (struct crypto_cipher *)drbg->priv_data; 1737 if (tfm) 1738 crypto_free_cipher(tfm); 1739 drbg->priv_data = NULL; 1740 1741 if (drbg->ctr_handle) 1742 crypto_free_skcipher(drbg->ctr_handle); 1743 drbg->ctr_handle = NULL; 1744 1745 if (drbg->ctr_req) 1746 skcipher_request_free(drbg->ctr_req); 1747 drbg->ctr_req = NULL; 1748 1749 kfree(drbg->outscratchpadbuf); 1750 drbg->outscratchpadbuf = NULL; 1751 1752 return 0; 1753 } 1754 1755 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1756 { 1757 struct crypto_cipher *tfm; 1758 struct crypto_skcipher *sk_tfm; 1759 struct skcipher_request *req; 1760 unsigned int alignmask; 1761 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1762 1763 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1764 if (IS_ERR(tfm)) { 1765 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1766 drbg->core->backend_cra_name); 1767 return PTR_ERR(tfm); 1768 } 1769 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1770 drbg->priv_data = tfm; 1771 1772 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1773 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1774 drbg_fini_sym_kernel(drbg); 1775 return -EINVAL; 1776 } 1777 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1778 if (IS_ERR(sk_tfm)) { 1779 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1780 ctr_name); 1781 drbg_fini_sym_kernel(drbg); 1782 return PTR_ERR(sk_tfm); 1783 } 1784 drbg->ctr_handle = sk_tfm; 1785 crypto_init_wait(&drbg->ctr_wait); 1786 1787 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1788 if (!req) { 1789 pr_info("DRBG: could not allocate request queue\n"); 1790 drbg_fini_sym_kernel(drbg); 1791 return -ENOMEM; 1792 } 1793 drbg->ctr_req = req; 1794 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1795 CRYPTO_TFM_REQ_MAY_SLEEP, 1796 crypto_req_done, &drbg->ctr_wait); 1797 1798 alignmask = crypto_skcipher_alignmask(sk_tfm); 1799 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1800 GFP_KERNEL); 1801 if (!drbg->outscratchpadbuf) { 1802 drbg_fini_sym_kernel(drbg); 1803 return -ENOMEM; 1804 } 1805 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1806 alignmask + 1); 1807 1808 sg_init_table(&drbg->sg_in, 1); 1809 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1810 1811 return alignmask; 1812 } 1813 1814 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1815 const unsigned char *key) 1816 { 1817 struct crypto_cipher *tfm = 1818 (struct crypto_cipher *)drbg->priv_data; 1819 1820 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1821 } 1822 1823 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1824 const struct drbg_string *in) 1825 { 1826 struct crypto_cipher *tfm = 1827 (struct crypto_cipher *)drbg->priv_data; 1828 1829 /* there is only component in *in */ 1830 BUG_ON(in->len < drbg_blocklen(drbg)); 1831 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1832 return 0; 1833 } 1834 1835 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1836 u8 *inbuf, u32 inlen, 1837 u8 *outbuf, u32 outlen) 1838 { 1839 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1840 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1841 int ret; 1842 1843 if (inbuf) { 1844 /* Use caller-provided input buffer */ 1845 sg_set_buf(sg_in, inbuf, inlen); 1846 } else { 1847 /* Use scratchpad for in-place operation */ 1848 inlen = scratchpad_use; 1849 memset(drbg->outscratchpad, 0, scratchpad_use); 1850 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1851 } 1852 1853 while (outlen) { 1854 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1855 1856 /* Output buffer may not be valid for SGL, use scratchpad */ 1857 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1858 cryptlen, drbg->V); 1859 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1860 &drbg->ctr_wait); 1861 if (ret) 1862 goto out; 1863 1864 crypto_init_wait(&drbg->ctr_wait); 1865 1866 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1867 memzero_explicit(drbg->outscratchpad, cryptlen); 1868 1869 outlen -= cryptlen; 1870 outbuf += cryptlen; 1871 } 1872 ret = 0; 1873 1874 out: 1875 return ret; 1876 } 1877 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1878 1879 /*************************************************************** 1880 * Kernel crypto API interface to register DRBG 1881 ***************************************************************/ 1882 1883 /* 1884 * Look up the DRBG flags by given kernel crypto API cra_name 1885 * The code uses the drbg_cores definition to do this 1886 * 1887 * @cra_name kernel crypto API cra_name 1888 * @coreref reference to integer which is filled with the pointer to 1889 * the applicable core 1890 * @pr reference for setting prediction resistance 1891 * 1892 * return: flags 1893 */ 1894 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1895 int *coreref, bool *pr) 1896 { 1897 int i = 0; 1898 size_t start = 0; 1899 int len = 0; 1900 1901 *pr = true; 1902 /* disassemble the names */ 1903 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1904 start = 10; 1905 *pr = false; 1906 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1907 start = 8; 1908 } else { 1909 return; 1910 } 1911 1912 /* remove the first part */ 1913 len = strlen(cra_driver_name) - start; 1914 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1915 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1916 len)) { 1917 *coreref = i; 1918 return; 1919 } 1920 } 1921 } 1922 1923 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1924 { 1925 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1926 1927 mutex_init(&drbg->drbg_mutex); 1928 1929 return 0; 1930 } 1931 1932 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1933 { 1934 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1935 } 1936 1937 /* 1938 * Generate random numbers invoked by the kernel crypto API: 1939 * The API of the kernel crypto API is extended as follows: 1940 * 1941 * src is additional input supplied to the RNG. 1942 * slen is the length of src. 1943 * dst is the output buffer where random data is to be stored. 1944 * dlen is the length of dst. 1945 */ 1946 static int drbg_kcapi_random(struct crypto_rng *tfm, 1947 const u8 *src, unsigned int slen, 1948 u8 *dst, unsigned int dlen) 1949 { 1950 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1951 struct drbg_string *addtl = NULL; 1952 struct drbg_string string; 1953 1954 if (slen) { 1955 /* linked list variable is now local to allow modification */ 1956 drbg_string_fill(&string, src, slen); 1957 addtl = &string; 1958 } 1959 1960 return drbg_generate_long(drbg, dst, dlen, addtl); 1961 } 1962 1963 /* 1964 * Seed the DRBG invoked by the kernel crypto API 1965 */ 1966 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1967 const u8 *seed, unsigned int slen) 1968 { 1969 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1970 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1971 bool pr = false; 1972 struct drbg_string string; 1973 struct drbg_string *seed_string = NULL; 1974 int coreref = 0; 1975 1976 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1977 &pr); 1978 if (0 < slen) { 1979 drbg_string_fill(&string, seed, slen); 1980 seed_string = &string; 1981 } 1982 1983 return drbg_instantiate(drbg, seed_string, coreref, pr); 1984 } 1985 1986 /*************************************************************** 1987 * Kernel module: code to load the module 1988 ***************************************************************/ 1989 1990 /* 1991 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1992 * of the error handling. 1993 * 1994 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1995 * as seed source of get_random_bytes does not fail. 1996 * 1997 * Note 2: There is no sensible way of testing the reseed counter 1998 * enforcement, so skip it. 1999 */ 2000 static inline int __init drbg_healthcheck_sanity(void) 2001 { 2002 int len = 0; 2003 #define OUTBUFLEN 16 2004 unsigned char buf[OUTBUFLEN]; 2005 struct drbg_state *drbg = NULL; 2006 int ret = -EFAULT; 2007 int rc = -EFAULT; 2008 bool pr = false; 2009 int coreref = 0; 2010 struct drbg_string addtl; 2011 size_t max_addtllen, max_request_bytes; 2012 2013 /* only perform test in FIPS mode */ 2014 if (!fips_enabled) 2015 return 0; 2016 2017 #ifdef CONFIG_CRYPTO_DRBG_CTR 2018 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 2019 #elif defined CONFIG_CRYPTO_DRBG_HASH 2020 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 2021 #else 2022 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 2023 #endif 2024 2025 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 2026 if (!drbg) 2027 return -ENOMEM; 2028 2029 mutex_init(&drbg->drbg_mutex); 2030 drbg->core = &drbg_cores[coreref]; 2031 drbg->reseed_threshold = drbg_max_requests(drbg); 2032 2033 /* 2034 * if the following tests fail, it is likely that there is a buffer 2035 * overflow as buf is much smaller than the requested or provided 2036 * string lengths -- in case the error handling does not succeed 2037 * we may get an OOPS. And we want to get an OOPS as this is a 2038 * grave bug. 2039 */ 2040 2041 max_addtllen = drbg_max_addtl(drbg); 2042 max_request_bytes = drbg_max_request_bytes(drbg); 2043 drbg_string_fill(&addtl, buf, max_addtllen + 1); 2044 /* overflow addtllen with additonal info string */ 2045 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 2046 BUG_ON(0 < len); 2047 /* overflow max_bits */ 2048 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 2049 BUG_ON(0 < len); 2050 2051 /* overflow max addtllen with personalization string */ 2052 ret = drbg_seed(drbg, &addtl, false); 2053 BUG_ON(0 == ret); 2054 /* all tests passed */ 2055 rc = 0; 2056 2057 pr_devel("DRBG: Sanity tests for failure code paths successfully " 2058 "completed\n"); 2059 2060 kfree(drbg); 2061 return rc; 2062 } 2063 2064 static struct rng_alg drbg_algs[22]; 2065 2066 /* 2067 * Fill the array drbg_algs used to register the different DRBGs 2068 * with the kernel crypto API. To fill the array, the information 2069 * from drbg_cores[] is used. 2070 */ 2071 static inline void __init drbg_fill_array(struct rng_alg *alg, 2072 const struct drbg_core *core, int pr) 2073 { 2074 int pos = 0; 2075 static int priority = 200; 2076 2077 memcpy(alg->base.cra_name, "stdrng", 6); 2078 if (pr) { 2079 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 2080 pos = 8; 2081 } else { 2082 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 2083 pos = 10; 2084 } 2085 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2086 strlen(core->cra_name)); 2087 2088 alg->base.cra_priority = priority; 2089 priority++; 2090 /* 2091 * If FIPS mode enabled, the selected DRBG shall have the 2092 * highest cra_priority over other stdrng instances to ensure 2093 * it is selected. 2094 */ 2095 if (fips_enabled) 2096 alg->base.cra_priority += 200; 2097 2098 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2099 alg->base.cra_module = THIS_MODULE; 2100 alg->base.cra_init = drbg_kcapi_init; 2101 alg->base.cra_exit = drbg_kcapi_cleanup; 2102 alg->generate = drbg_kcapi_random; 2103 alg->seed = drbg_kcapi_seed; 2104 alg->set_ent = drbg_kcapi_set_entropy; 2105 alg->seedsize = 0; 2106 } 2107 2108 static int __init drbg_init(void) 2109 { 2110 unsigned int i = 0; /* pointer to drbg_algs */ 2111 unsigned int j = 0; /* pointer to drbg_cores */ 2112 int ret; 2113 2114 ret = drbg_healthcheck_sanity(); 2115 if (ret) 2116 return ret; 2117 2118 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2119 pr_info("DRBG: Cannot register all DRBG types" 2120 "(slots needed: %zu, slots available: %zu)\n", 2121 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2122 return -EFAULT; 2123 } 2124 2125 /* 2126 * each DRBG definition can be used with PR and without PR, thus 2127 * we instantiate each DRBG in drbg_cores[] twice. 2128 * 2129 * As the order of placing them into the drbg_algs array matters 2130 * (the later DRBGs receive a higher cra_priority) we register the 2131 * prediction resistance DRBGs first as the should not be too 2132 * interesting. 2133 */ 2134 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2135 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2136 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2137 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2138 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2139 } 2140 2141 static void __exit drbg_exit(void) 2142 { 2143 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2144 } 2145 2146 subsys_initcall(drbg_init); 2147 module_exit(drbg_exit); 2148 #ifndef CRYPTO_DRBG_HASH_STRING 2149 #define CRYPTO_DRBG_HASH_STRING "" 2150 #endif 2151 #ifndef CRYPTO_DRBG_HMAC_STRING 2152 #define CRYPTO_DRBG_HMAC_STRING "" 2153 #endif 2154 #ifndef CRYPTO_DRBG_CTR_STRING 2155 #define CRYPTO_DRBG_CTR_STRING "" 2156 #endif 2157 MODULE_LICENSE("GPL"); 2158 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2159 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2160 "using following cores: " 2161 CRYPTO_DRBG_HASH_STRING 2162 CRYPTO_DRBG_HMAC_STRING 2163 CRYPTO_DRBG_CTR_STRING); 2164 MODULE_ALIAS_CRYPTO("stdrng"); 2165 MODULE_IMPORT_NS(CRYPTO_INTERNAL); 2166