1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * Convert an integer into a byte representation of this integer. 224 * The byte representation is big-endian 225 * 226 * @val value to be converted 227 * @buf buffer holding the converted integer -- caller must ensure that 228 * buffer size is at least 32 bit 229 */ 230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 232 { 233 struct s { 234 __be32 conv; 235 }; 236 struct s *conversion = (struct s *) buf; 237 238 conversion->conv = cpu_to_be32(val); 239 } 240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 241 242 /****************************************************************** 243 * CTR DRBG callback functions 244 ******************************************************************/ 245 246 #ifdef CONFIG_CRYPTO_DRBG_CTR 247 #define CRYPTO_DRBG_CTR_STRING "CTR " 248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 254 255 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 256 const unsigned char *key); 257 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 258 const struct drbg_string *in); 259 static int drbg_init_sym_kernel(struct drbg_state *drbg); 260 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 261 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 262 u8 *inbuf, u32 inbuflen, 263 u8 *outbuf, u32 outlen); 264 #define DRBG_OUTSCRATCHLEN 256 265 266 /* BCC function for CTR DRBG as defined in 10.4.3 */ 267 static int drbg_ctr_bcc(struct drbg_state *drbg, 268 unsigned char *out, const unsigned char *key, 269 struct list_head *in) 270 { 271 int ret = 0; 272 struct drbg_string *curr = NULL; 273 struct drbg_string data; 274 short cnt = 0; 275 276 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 277 278 /* 10.4.3 step 2 / 4 */ 279 drbg_kcapi_symsetkey(drbg, key); 280 list_for_each_entry(curr, in, list) { 281 const unsigned char *pos = curr->buf; 282 size_t len = curr->len; 283 /* 10.4.3 step 4.1 */ 284 while (len) { 285 /* 10.4.3 step 4.2 */ 286 if (drbg_blocklen(drbg) == cnt) { 287 cnt = 0; 288 ret = drbg_kcapi_sym(drbg, out, &data); 289 if (ret) 290 return ret; 291 } 292 out[cnt] ^= *pos; 293 pos++; 294 cnt++; 295 len--; 296 } 297 } 298 /* 10.4.3 step 4.2 for last block */ 299 if (cnt) 300 ret = drbg_kcapi_sym(drbg, out, &data); 301 302 return ret; 303 } 304 305 /* 306 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 307 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 308 * the scratchpad is used as follows: 309 * drbg_ctr_update: 310 * temp 311 * start: drbg->scratchpad 312 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 313 * note: the cipher writing into this variable works 314 * blocklen-wise. Now, when the statelen is not a multiple 315 * of blocklen, the generateion loop below "spills over" 316 * by at most blocklen. Thus, we need to give sufficient 317 * memory. 318 * df_data 319 * start: drbg->scratchpad + 320 * drbg_statelen(drbg) + drbg_blocklen(drbg) 321 * length: drbg_statelen(drbg) 322 * 323 * drbg_ctr_df: 324 * pad 325 * start: df_data + drbg_statelen(drbg) 326 * length: drbg_blocklen(drbg) 327 * iv 328 * start: pad + drbg_blocklen(drbg) 329 * length: drbg_blocklen(drbg) 330 * temp 331 * start: iv + drbg_blocklen(drbg) 332 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 333 * note: temp is the buffer that the BCC function operates 334 * on. BCC operates blockwise. drbg_statelen(drbg) 335 * is sufficient when the DRBG state length is a multiple 336 * of the block size. For AES192 (and maybe other ciphers) 337 * this is not correct and the length for temp is 338 * insufficient (yes, that also means for such ciphers, 339 * the final output of all BCC rounds are truncated). 340 * Therefore, add drbg_blocklen(drbg) to cover all 341 * possibilities. 342 */ 343 344 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 345 static int drbg_ctr_df(struct drbg_state *drbg, 346 unsigned char *df_data, size_t bytes_to_return, 347 struct list_head *seedlist) 348 { 349 int ret = -EFAULT; 350 unsigned char L_N[8]; 351 /* S3 is input */ 352 struct drbg_string S1, S2, S4, cipherin; 353 LIST_HEAD(bcc_list); 354 unsigned char *pad = df_data + drbg_statelen(drbg); 355 unsigned char *iv = pad + drbg_blocklen(drbg); 356 unsigned char *temp = iv + drbg_blocklen(drbg); 357 size_t padlen = 0; 358 unsigned int templen = 0; 359 /* 10.4.2 step 7 */ 360 unsigned int i = 0; 361 /* 10.4.2 step 8 */ 362 const unsigned char *K = (unsigned char *) 363 "\x00\x01\x02\x03\x04\x05\x06\x07" 364 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 365 "\x10\x11\x12\x13\x14\x15\x16\x17" 366 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 367 unsigned char *X; 368 size_t generated_len = 0; 369 size_t inputlen = 0; 370 struct drbg_string *seed = NULL; 371 372 memset(pad, 0, drbg_blocklen(drbg)); 373 memset(iv, 0, drbg_blocklen(drbg)); 374 375 /* 10.4.2 step 1 is implicit as we work byte-wise */ 376 377 /* 10.4.2 step 2 */ 378 if ((512/8) < bytes_to_return) 379 return -EINVAL; 380 381 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 382 list_for_each_entry(seed, seedlist, list) 383 inputlen += seed->len; 384 drbg_cpu_to_be32(inputlen, &L_N[0]); 385 386 /* 10.4.2 step 3 */ 387 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 388 389 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 390 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 391 /* wrap the padlen appropriately */ 392 if (padlen) 393 padlen = drbg_blocklen(drbg) - padlen; 394 /* 395 * pad / padlen contains the 0x80 byte and the following zero bytes. 396 * As the calculated padlen value only covers the number of zero 397 * bytes, this value has to be incremented by one for the 0x80 byte. 398 */ 399 padlen++; 400 pad[0] = 0x80; 401 402 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 403 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 404 list_add_tail(&S1.list, &bcc_list); 405 drbg_string_fill(&S2, L_N, sizeof(L_N)); 406 list_add_tail(&S2.list, &bcc_list); 407 list_splice_tail(seedlist, &bcc_list); 408 drbg_string_fill(&S4, pad, padlen); 409 list_add_tail(&S4.list, &bcc_list); 410 411 /* 10.4.2 step 9 */ 412 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 413 /* 414 * 10.4.2 step 9.1 - the padding is implicit as the buffer 415 * holds zeros after allocation -- even the increment of i 416 * is irrelevant as the increment remains within length of i 417 */ 418 drbg_cpu_to_be32(i, iv); 419 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 420 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 421 if (ret) 422 goto out; 423 /* 10.4.2 step 9.3 */ 424 i++; 425 templen += drbg_blocklen(drbg); 426 } 427 428 /* 10.4.2 step 11 */ 429 X = temp + (drbg_keylen(drbg)); 430 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 431 432 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 433 434 /* 10.4.2 step 13 */ 435 drbg_kcapi_symsetkey(drbg, temp); 436 while (generated_len < bytes_to_return) { 437 short blocklen = 0; 438 /* 439 * 10.4.2 step 13.1: the truncation of the key length is 440 * implicit as the key is only drbg_blocklen in size based on 441 * the implementation of the cipher function callback 442 */ 443 ret = drbg_kcapi_sym(drbg, X, &cipherin); 444 if (ret) 445 goto out; 446 blocklen = (drbg_blocklen(drbg) < 447 (bytes_to_return - generated_len)) ? 448 drbg_blocklen(drbg) : 449 (bytes_to_return - generated_len); 450 /* 10.4.2 step 13.2 and 14 */ 451 memcpy(df_data + generated_len, X, blocklen); 452 generated_len += blocklen; 453 } 454 455 ret = 0; 456 457 out: 458 memset(iv, 0, drbg_blocklen(drbg)); 459 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 460 memset(pad, 0, drbg_blocklen(drbg)); 461 return ret; 462 } 463 464 /* 465 * update function of CTR DRBG as defined in 10.2.1.2 466 * 467 * The reseed variable has an enhanced meaning compared to the update 468 * functions of the other DRBGs as follows: 469 * 0 => initial seed from initialization 470 * 1 => reseed via drbg_seed 471 * 2 => first invocation from drbg_ctr_update when addtl is present. In 472 * this case, the df_data scratchpad is not deleted so that it is 473 * available for another calls to prevent calling the DF function 474 * again. 475 * 3 => second invocation from drbg_ctr_update. When the update function 476 * was called with addtl, the df_data memory already contains the 477 * DFed addtl information and we do not need to call DF again. 478 */ 479 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 480 int reseed) 481 { 482 int ret = -EFAULT; 483 /* 10.2.1.2 step 1 */ 484 unsigned char *temp = drbg->scratchpad; 485 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 486 drbg_blocklen(drbg); 487 488 if (3 > reseed) 489 memset(df_data, 0, drbg_statelen(drbg)); 490 491 if (!reseed) { 492 /* 493 * The DRBG uses the CTR mode of the underlying AES cipher. The 494 * CTR mode increments the counter value after the AES operation 495 * but SP800-90A requires that the counter is incremented before 496 * the AES operation. Hence, we increment it at the time we set 497 * it by one. 498 */ 499 crypto_inc(drbg->V, drbg_blocklen(drbg)); 500 501 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 502 drbg_keylen(drbg)); 503 if (ret) 504 goto out; 505 } 506 507 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 508 if (seed) { 509 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 510 if (ret) 511 goto out; 512 } 513 514 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 515 temp, drbg_statelen(drbg)); 516 if (ret) 517 return ret; 518 519 /* 10.2.1.2 step 5 */ 520 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 521 drbg_keylen(drbg)); 522 if (ret) 523 goto out; 524 /* 10.2.1.2 step 6 */ 525 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 526 /* See above: increment counter by one to compensate timing of CTR op */ 527 crypto_inc(drbg->V, drbg_blocklen(drbg)); 528 ret = 0; 529 530 out: 531 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 532 if (2 != reseed) 533 memset(df_data, 0, drbg_statelen(drbg)); 534 return ret; 535 } 536 537 /* 538 * scratchpad use: drbg_ctr_update is called independently from 539 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 540 */ 541 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 542 static int drbg_ctr_generate(struct drbg_state *drbg, 543 unsigned char *buf, unsigned int buflen, 544 struct list_head *addtl) 545 { 546 int ret; 547 int len = min_t(int, buflen, INT_MAX); 548 549 /* 10.2.1.5.2 step 2 */ 550 if (addtl && !list_empty(addtl)) { 551 ret = drbg_ctr_update(drbg, addtl, 2); 552 if (ret) 553 return 0; 554 } 555 556 /* 10.2.1.5.2 step 4.1 */ 557 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 558 if (ret) 559 return ret; 560 561 /* 10.2.1.5.2 step 6 */ 562 ret = drbg_ctr_update(drbg, NULL, 3); 563 if (ret) 564 len = ret; 565 566 return len; 567 } 568 569 static const struct drbg_state_ops drbg_ctr_ops = { 570 .update = drbg_ctr_update, 571 .generate = drbg_ctr_generate, 572 .crypto_init = drbg_init_sym_kernel, 573 .crypto_fini = drbg_fini_sym_kernel, 574 }; 575 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 576 577 /****************************************************************** 578 * HMAC DRBG callback functions 579 ******************************************************************/ 580 581 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 582 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 583 const struct list_head *in); 584 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 585 const unsigned char *key); 586 static int drbg_init_hash_kernel(struct drbg_state *drbg); 587 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 588 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 589 590 #ifdef CONFIG_CRYPTO_DRBG_HMAC 591 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 592 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 593 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 594 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 595 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 596 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 597 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 598 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 599 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 600 601 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 602 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 603 int reseed) 604 { 605 int ret = -EFAULT; 606 int i = 0; 607 struct drbg_string seed1, seed2, vdata; 608 LIST_HEAD(seedlist); 609 LIST_HEAD(vdatalist); 610 611 if (!reseed) { 612 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 613 memset(drbg->V, 1, drbg_statelen(drbg)); 614 drbg_kcapi_hmacsetkey(drbg, drbg->C); 615 } 616 617 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 618 list_add_tail(&seed1.list, &seedlist); 619 /* buffer of seed2 will be filled in for loop below with one byte */ 620 drbg_string_fill(&seed2, NULL, 1); 621 list_add_tail(&seed2.list, &seedlist); 622 /* input data of seed is allowed to be NULL at this point */ 623 if (seed) 624 list_splice_tail(seed, &seedlist); 625 626 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 627 list_add_tail(&vdata.list, &vdatalist); 628 for (i = 2; 0 < i; i--) { 629 /* first round uses 0x0, second 0x1 */ 630 unsigned char prefix = DRBG_PREFIX0; 631 if (1 == i) 632 prefix = DRBG_PREFIX1; 633 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 634 seed2.buf = &prefix; 635 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 636 if (ret) 637 return ret; 638 drbg_kcapi_hmacsetkey(drbg, drbg->C); 639 640 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 641 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 642 if (ret) 643 return ret; 644 645 /* 10.1.2.2 step 3 */ 646 if (!seed) 647 return ret; 648 } 649 650 return 0; 651 } 652 653 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 654 static int drbg_hmac_generate(struct drbg_state *drbg, 655 unsigned char *buf, 656 unsigned int buflen, 657 struct list_head *addtl) 658 { 659 int len = 0; 660 int ret = 0; 661 struct drbg_string data; 662 LIST_HEAD(datalist); 663 664 /* 10.1.2.5 step 2 */ 665 if (addtl && !list_empty(addtl)) { 666 ret = drbg_hmac_update(drbg, addtl, 1); 667 if (ret) 668 return ret; 669 } 670 671 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 672 list_add_tail(&data.list, &datalist); 673 while (len < buflen) { 674 unsigned int outlen = 0; 675 /* 10.1.2.5 step 4.1 */ 676 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 677 if (ret) 678 return ret; 679 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 680 drbg_blocklen(drbg) : (buflen - len); 681 682 /* 10.1.2.5 step 4.2 */ 683 memcpy(buf + len, drbg->V, outlen); 684 len += outlen; 685 } 686 687 /* 10.1.2.5 step 6 */ 688 if (addtl && !list_empty(addtl)) 689 ret = drbg_hmac_update(drbg, addtl, 1); 690 else 691 ret = drbg_hmac_update(drbg, NULL, 1); 692 if (ret) 693 return ret; 694 695 return len; 696 } 697 698 static const struct drbg_state_ops drbg_hmac_ops = { 699 .update = drbg_hmac_update, 700 .generate = drbg_hmac_generate, 701 .crypto_init = drbg_init_hash_kernel, 702 .crypto_fini = drbg_fini_hash_kernel, 703 }; 704 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 705 706 /****************************************************************** 707 * Hash DRBG callback functions 708 ******************************************************************/ 709 710 #ifdef CONFIG_CRYPTO_DRBG_HASH 711 #define CRYPTO_DRBG_HASH_STRING "HASH " 712 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 713 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 714 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 715 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 716 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 717 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 718 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 719 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 720 721 /* 722 * Increment buffer 723 * 724 * @dst buffer to increment 725 * @add value to add 726 */ 727 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 728 const unsigned char *add, size_t addlen) 729 { 730 /* implied: dstlen > addlen */ 731 unsigned char *dstptr; 732 const unsigned char *addptr; 733 unsigned int remainder = 0; 734 size_t len = addlen; 735 736 dstptr = dst + (dstlen-1); 737 addptr = add + (addlen-1); 738 while (len) { 739 remainder += *dstptr + *addptr; 740 *dstptr = remainder & 0xff; 741 remainder >>= 8; 742 len--; dstptr--; addptr--; 743 } 744 len = dstlen - addlen; 745 while (len && remainder > 0) { 746 remainder = *dstptr + 1; 747 *dstptr = remainder & 0xff; 748 remainder >>= 8; 749 len--; dstptr--; 750 } 751 } 752 753 /* 754 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 755 * interlinked, the scratchpad is used as follows: 756 * drbg_hash_update 757 * start: drbg->scratchpad 758 * length: drbg_statelen(drbg) 759 * drbg_hash_df: 760 * start: drbg->scratchpad + drbg_statelen(drbg) 761 * length: drbg_blocklen(drbg) 762 * 763 * drbg_hash_process_addtl uses the scratchpad, but fully completes 764 * before either of the functions mentioned before are invoked. Therefore, 765 * drbg_hash_process_addtl does not need to be specifically considered. 766 */ 767 768 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 769 static int drbg_hash_df(struct drbg_state *drbg, 770 unsigned char *outval, size_t outlen, 771 struct list_head *entropylist) 772 { 773 int ret = 0; 774 size_t len = 0; 775 unsigned char input[5]; 776 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 777 struct drbg_string data; 778 779 /* 10.4.1 step 3 */ 780 input[0] = 1; 781 drbg_cpu_to_be32((outlen * 8), &input[1]); 782 783 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 784 drbg_string_fill(&data, input, 5); 785 list_add(&data.list, entropylist); 786 787 /* 10.4.1 step 4 */ 788 while (len < outlen) { 789 short blocklen = 0; 790 /* 10.4.1 step 4.1 */ 791 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 792 if (ret) 793 goto out; 794 /* 10.4.1 step 4.2 */ 795 input[0]++; 796 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 797 drbg_blocklen(drbg) : (outlen - len); 798 memcpy(outval + len, tmp, blocklen); 799 len += blocklen; 800 } 801 802 out: 803 memset(tmp, 0, drbg_blocklen(drbg)); 804 return ret; 805 } 806 807 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 808 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 809 int reseed) 810 { 811 int ret = 0; 812 struct drbg_string data1, data2; 813 LIST_HEAD(datalist); 814 LIST_HEAD(datalist2); 815 unsigned char *V = drbg->scratchpad; 816 unsigned char prefix = DRBG_PREFIX1; 817 818 if (!seed) 819 return -EINVAL; 820 821 if (reseed) { 822 /* 10.1.1.3 step 1 */ 823 memcpy(V, drbg->V, drbg_statelen(drbg)); 824 drbg_string_fill(&data1, &prefix, 1); 825 list_add_tail(&data1.list, &datalist); 826 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 827 list_add_tail(&data2.list, &datalist); 828 } 829 list_splice_tail(seed, &datalist); 830 831 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 832 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 833 if (ret) 834 goto out; 835 836 /* 10.1.1.2 / 10.1.1.3 step 4 */ 837 prefix = DRBG_PREFIX0; 838 drbg_string_fill(&data1, &prefix, 1); 839 list_add_tail(&data1.list, &datalist2); 840 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 841 list_add_tail(&data2.list, &datalist2); 842 /* 10.1.1.2 / 10.1.1.3 step 4 */ 843 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 844 845 out: 846 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 847 return ret; 848 } 849 850 /* processing of additional information string for Hash DRBG */ 851 static int drbg_hash_process_addtl(struct drbg_state *drbg, 852 struct list_head *addtl) 853 { 854 int ret = 0; 855 struct drbg_string data1, data2; 856 LIST_HEAD(datalist); 857 unsigned char prefix = DRBG_PREFIX2; 858 859 /* 10.1.1.4 step 2 */ 860 if (!addtl || list_empty(addtl)) 861 return 0; 862 863 /* 10.1.1.4 step 2a */ 864 drbg_string_fill(&data1, &prefix, 1); 865 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 866 list_add_tail(&data1.list, &datalist); 867 list_add_tail(&data2.list, &datalist); 868 list_splice_tail(addtl, &datalist); 869 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 870 if (ret) 871 goto out; 872 873 /* 10.1.1.4 step 2b */ 874 drbg_add_buf(drbg->V, drbg_statelen(drbg), 875 drbg->scratchpad, drbg_blocklen(drbg)); 876 877 out: 878 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 879 return ret; 880 } 881 882 /* Hashgen defined in 10.1.1.4 */ 883 static int drbg_hash_hashgen(struct drbg_state *drbg, 884 unsigned char *buf, 885 unsigned int buflen) 886 { 887 int len = 0; 888 int ret = 0; 889 unsigned char *src = drbg->scratchpad; 890 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 891 struct drbg_string data; 892 LIST_HEAD(datalist); 893 894 /* 10.1.1.4 step hashgen 2 */ 895 memcpy(src, drbg->V, drbg_statelen(drbg)); 896 897 drbg_string_fill(&data, src, drbg_statelen(drbg)); 898 list_add_tail(&data.list, &datalist); 899 while (len < buflen) { 900 unsigned int outlen = 0; 901 /* 10.1.1.4 step hashgen 4.1 */ 902 ret = drbg_kcapi_hash(drbg, dst, &datalist); 903 if (ret) { 904 len = ret; 905 goto out; 906 } 907 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 908 drbg_blocklen(drbg) : (buflen - len); 909 /* 10.1.1.4 step hashgen 4.2 */ 910 memcpy(buf + len, dst, outlen); 911 len += outlen; 912 /* 10.1.1.4 hashgen step 4.3 */ 913 if (len < buflen) 914 crypto_inc(src, drbg_statelen(drbg)); 915 } 916 917 out: 918 memset(drbg->scratchpad, 0, 919 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 920 return len; 921 } 922 923 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 924 static int drbg_hash_generate(struct drbg_state *drbg, 925 unsigned char *buf, unsigned int buflen, 926 struct list_head *addtl) 927 { 928 int len = 0; 929 int ret = 0; 930 union { 931 unsigned char req[8]; 932 __be64 req_int; 933 } u; 934 unsigned char prefix = DRBG_PREFIX3; 935 struct drbg_string data1, data2; 936 LIST_HEAD(datalist); 937 938 /* 10.1.1.4 step 2 */ 939 ret = drbg_hash_process_addtl(drbg, addtl); 940 if (ret) 941 return ret; 942 /* 10.1.1.4 step 3 */ 943 len = drbg_hash_hashgen(drbg, buf, buflen); 944 945 /* this is the value H as documented in 10.1.1.4 */ 946 /* 10.1.1.4 step 4 */ 947 drbg_string_fill(&data1, &prefix, 1); 948 list_add_tail(&data1.list, &datalist); 949 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 950 list_add_tail(&data2.list, &datalist); 951 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 952 if (ret) { 953 len = ret; 954 goto out; 955 } 956 957 /* 10.1.1.4 step 5 */ 958 drbg_add_buf(drbg->V, drbg_statelen(drbg), 959 drbg->scratchpad, drbg_blocklen(drbg)); 960 drbg_add_buf(drbg->V, drbg_statelen(drbg), 961 drbg->C, drbg_statelen(drbg)); 962 u.req_int = cpu_to_be64(drbg->reseed_ctr); 963 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 964 965 out: 966 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 967 return len; 968 } 969 970 /* 971 * scratchpad usage: as update and generate are used isolated, both 972 * can use the scratchpad 973 */ 974 static const struct drbg_state_ops drbg_hash_ops = { 975 .update = drbg_hash_update, 976 .generate = drbg_hash_generate, 977 .crypto_init = drbg_init_hash_kernel, 978 .crypto_fini = drbg_fini_hash_kernel, 979 }; 980 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 981 982 /****************************************************************** 983 * Functions common for DRBG implementations 984 ******************************************************************/ 985 986 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 987 int reseed) 988 { 989 int ret = drbg->d_ops->update(drbg, seed, reseed); 990 991 if (ret) 992 return ret; 993 994 drbg->seeded = true; 995 /* 10.1.1.2 / 10.1.1.3 step 5 */ 996 drbg->reseed_ctr = 1; 997 998 return ret; 999 } 1000 1001 static void drbg_async_seed(struct work_struct *work) 1002 { 1003 struct drbg_string data; 1004 LIST_HEAD(seedlist); 1005 struct drbg_state *drbg = container_of(work, struct drbg_state, 1006 seed_work); 1007 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1008 unsigned char entropy[32]; 1009 1010 BUG_ON(!entropylen); 1011 BUG_ON(entropylen > sizeof(entropy)); 1012 get_random_bytes(entropy, entropylen); 1013 1014 drbg_string_fill(&data, entropy, entropylen); 1015 list_add_tail(&data.list, &seedlist); 1016 1017 mutex_lock(&drbg->drbg_mutex); 1018 1019 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1020 crypto_free_rng(drbg->jent); 1021 drbg->jent = NULL; 1022 1023 /* Set seeded to false so that if __drbg_seed fails the 1024 * next generate call will trigger a reseed. 1025 */ 1026 drbg->seeded = false; 1027 1028 __drbg_seed(drbg, &seedlist, true); 1029 1030 if (drbg->seeded) 1031 drbg->reseed_threshold = drbg_max_requests(drbg); 1032 1033 mutex_unlock(&drbg->drbg_mutex); 1034 1035 memzero_explicit(entropy, entropylen); 1036 } 1037 1038 /* 1039 * Seeding or reseeding of the DRBG 1040 * 1041 * @drbg: DRBG state struct 1042 * @pers: personalization / additional information buffer 1043 * @reseed: 0 for initial seed process, 1 for reseeding 1044 * 1045 * return: 1046 * 0 on success 1047 * error value otherwise 1048 */ 1049 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1050 bool reseed) 1051 { 1052 int ret; 1053 unsigned char entropy[((32 + 16) * 2)]; 1054 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1055 struct drbg_string data1; 1056 LIST_HEAD(seedlist); 1057 1058 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1059 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1060 pr_devel("DRBG: personalization string too long %zu\n", 1061 pers->len); 1062 return -EINVAL; 1063 } 1064 1065 if (list_empty(&drbg->test_data.list)) { 1066 drbg_string_fill(&data1, drbg->test_data.buf, 1067 drbg->test_data.len); 1068 pr_devel("DRBG: using test entropy\n"); 1069 } else { 1070 /* 1071 * Gather entropy equal to the security strength of the DRBG. 1072 * With a derivation function, a nonce is required in addition 1073 * to the entropy. A nonce must be at least 1/2 of the security 1074 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1075 * of the strength. The consideration of a nonce is only 1076 * applicable during initial seeding. 1077 */ 1078 BUG_ON(!entropylen); 1079 if (!reseed) 1080 entropylen = ((entropylen + 1) / 2) * 3; 1081 BUG_ON((entropylen * 2) > sizeof(entropy)); 1082 1083 /* Get seed from in-kernel /dev/urandom */ 1084 get_random_bytes(entropy, entropylen); 1085 1086 if (!drbg->jent) { 1087 drbg_string_fill(&data1, entropy, entropylen); 1088 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1089 entropylen); 1090 } else { 1091 /* Get seed from Jitter RNG */ 1092 ret = crypto_rng_get_bytes(drbg->jent, 1093 entropy + entropylen, 1094 entropylen); 1095 if (ret) { 1096 pr_devel("DRBG: jent failed with %d\n", ret); 1097 return ret; 1098 } 1099 1100 drbg_string_fill(&data1, entropy, entropylen * 2); 1101 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1102 entropylen * 2); 1103 } 1104 } 1105 list_add_tail(&data1.list, &seedlist); 1106 1107 /* 1108 * concatenation of entropy with personalization str / addtl input) 1109 * the variable pers is directly handed in by the caller, so check its 1110 * contents whether it is appropriate 1111 */ 1112 if (pers && pers->buf && 0 < pers->len) { 1113 list_add_tail(&pers->list, &seedlist); 1114 pr_devel("DRBG: using personalization string\n"); 1115 } 1116 1117 if (!reseed) { 1118 memset(drbg->V, 0, drbg_statelen(drbg)); 1119 memset(drbg->C, 0, drbg_statelen(drbg)); 1120 } 1121 1122 ret = __drbg_seed(drbg, &seedlist, reseed); 1123 1124 memzero_explicit(entropy, entropylen * 2); 1125 1126 return ret; 1127 } 1128 1129 /* Free all substructures in a DRBG state without the DRBG state structure */ 1130 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1131 { 1132 if (!drbg) 1133 return; 1134 kzfree(drbg->Vbuf); 1135 drbg->Vbuf = NULL; 1136 drbg->V = NULL; 1137 kzfree(drbg->Cbuf); 1138 drbg->Cbuf = NULL; 1139 drbg->C = NULL; 1140 kzfree(drbg->scratchpadbuf); 1141 drbg->scratchpadbuf = NULL; 1142 drbg->reseed_ctr = 0; 1143 drbg->d_ops = NULL; 1144 drbg->core = NULL; 1145 } 1146 1147 /* 1148 * Allocate all sub-structures for a DRBG state. 1149 * The DRBG state structure must already be allocated. 1150 */ 1151 static inline int drbg_alloc_state(struct drbg_state *drbg) 1152 { 1153 int ret = -ENOMEM; 1154 unsigned int sb_size = 0; 1155 1156 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1157 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1158 case DRBG_HMAC: 1159 drbg->d_ops = &drbg_hmac_ops; 1160 break; 1161 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1162 #ifdef CONFIG_CRYPTO_DRBG_HASH 1163 case DRBG_HASH: 1164 drbg->d_ops = &drbg_hash_ops; 1165 break; 1166 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1167 #ifdef CONFIG_CRYPTO_DRBG_CTR 1168 case DRBG_CTR: 1169 drbg->d_ops = &drbg_ctr_ops; 1170 break; 1171 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1172 default: 1173 ret = -EOPNOTSUPP; 1174 goto err; 1175 } 1176 1177 ret = drbg->d_ops->crypto_init(drbg); 1178 if (ret < 0) 1179 goto err; 1180 1181 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1182 if (!drbg->Vbuf) { 1183 ret = -ENOMEM; 1184 goto fini; 1185 } 1186 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1187 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1188 if (!drbg->Cbuf) { 1189 ret = -ENOMEM; 1190 goto fini; 1191 } 1192 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1193 /* scratchpad is only generated for CTR and Hash */ 1194 if (drbg->core->flags & DRBG_HMAC) 1195 sb_size = 0; 1196 else if (drbg->core->flags & DRBG_CTR) 1197 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1198 drbg_statelen(drbg) + /* df_data */ 1199 drbg_blocklen(drbg) + /* pad */ 1200 drbg_blocklen(drbg) + /* iv */ 1201 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1202 else 1203 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1204 1205 if (0 < sb_size) { 1206 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1207 if (!drbg->scratchpadbuf) { 1208 ret = -ENOMEM; 1209 goto fini; 1210 } 1211 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1212 } 1213 1214 return 0; 1215 1216 fini: 1217 drbg->d_ops->crypto_fini(drbg); 1218 err: 1219 drbg_dealloc_state(drbg); 1220 return ret; 1221 } 1222 1223 /************************************************************************* 1224 * DRBG interface functions 1225 *************************************************************************/ 1226 1227 /* 1228 * DRBG generate function as required by SP800-90A - this function 1229 * generates random numbers 1230 * 1231 * @drbg DRBG state handle 1232 * @buf Buffer where to store the random numbers -- the buffer must already 1233 * be pre-allocated by caller 1234 * @buflen Length of output buffer - this value defines the number of random 1235 * bytes pulled from DRBG 1236 * @addtl Additional input that is mixed into state, may be NULL -- note 1237 * the entropy is pulled by the DRBG internally unconditionally 1238 * as defined in SP800-90A. The additional input is mixed into 1239 * the state in addition to the pulled entropy. 1240 * 1241 * return: 0 when all bytes are generated; < 0 in case of an error 1242 */ 1243 static int drbg_generate(struct drbg_state *drbg, 1244 unsigned char *buf, unsigned int buflen, 1245 struct drbg_string *addtl) 1246 { 1247 int len = 0; 1248 LIST_HEAD(addtllist); 1249 1250 if (!drbg->core) { 1251 pr_devel("DRBG: not yet seeded\n"); 1252 return -EINVAL; 1253 } 1254 if (0 == buflen || !buf) { 1255 pr_devel("DRBG: no output buffer provided\n"); 1256 return -EINVAL; 1257 } 1258 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1259 pr_devel("DRBG: wrong format of additional information\n"); 1260 return -EINVAL; 1261 } 1262 1263 /* 9.3.1 step 2 */ 1264 len = -EINVAL; 1265 if (buflen > (drbg_max_request_bytes(drbg))) { 1266 pr_devel("DRBG: requested random numbers too large %u\n", 1267 buflen); 1268 goto err; 1269 } 1270 1271 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1272 1273 /* 9.3.1 step 4 */ 1274 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1275 pr_devel("DRBG: additional information string too long %zu\n", 1276 addtl->len); 1277 goto err; 1278 } 1279 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1280 1281 /* 1282 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1283 * here. The spec is a bit convoluted here, we make it simpler. 1284 */ 1285 if (drbg->reseed_threshold < drbg->reseed_ctr) 1286 drbg->seeded = false; 1287 1288 if (drbg->pr || !drbg->seeded) { 1289 pr_devel("DRBG: reseeding before generation (prediction " 1290 "resistance: %s, state %s)\n", 1291 drbg->pr ? "true" : "false", 1292 drbg->seeded ? "seeded" : "unseeded"); 1293 /* 9.3.1 steps 7.1 through 7.3 */ 1294 len = drbg_seed(drbg, addtl, true); 1295 if (len) 1296 goto err; 1297 /* 9.3.1 step 7.4 */ 1298 addtl = NULL; 1299 } 1300 1301 if (addtl && 0 < addtl->len) 1302 list_add_tail(&addtl->list, &addtllist); 1303 /* 9.3.1 step 8 and 10 */ 1304 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1305 1306 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1307 drbg->reseed_ctr++; 1308 if (0 >= len) 1309 goto err; 1310 1311 /* 1312 * Section 11.3.3 requires to re-perform self tests after some 1313 * generated random numbers. The chosen value after which self 1314 * test is performed is arbitrary, but it should be reasonable. 1315 * However, we do not perform the self tests because of the following 1316 * reasons: it is mathematically impossible that the initial self tests 1317 * were successfully and the following are not. If the initial would 1318 * pass and the following would not, the kernel integrity is violated. 1319 * In this case, the entire kernel operation is questionable and it 1320 * is unlikely that the integrity violation only affects the 1321 * correct operation of the DRBG. 1322 * 1323 * Albeit the following code is commented out, it is provided in 1324 * case somebody has a need to implement the test of 11.3.3. 1325 */ 1326 #if 0 1327 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1328 int err = 0; 1329 pr_devel("DRBG: start to perform self test\n"); 1330 if (drbg->core->flags & DRBG_HMAC) 1331 err = alg_test("drbg_pr_hmac_sha256", 1332 "drbg_pr_hmac_sha256", 0, 0); 1333 else if (drbg->core->flags & DRBG_CTR) 1334 err = alg_test("drbg_pr_ctr_aes128", 1335 "drbg_pr_ctr_aes128", 0, 0); 1336 else 1337 err = alg_test("drbg_pr_sha256", 1338 "drbg_pr_sha256", 0, 0); 1339 if (err) { 1340 pr_err("DRBG: periodical self test failed\n"); 1341 /* 1342 * uninstantiate implies that from now on, only errors 1343 * are returned when reusing this DRBG cipher handle 1344 */ 1345 drbg_uninstantiate(drbg); 1346 return 0; 1347 } else { 1348 pr_devel("DRBG: self test successful\n"); 1349 } 1350 } 1351 #endif 1352 1353 /* 1354 * All operations were successful, return 0 as mandated by 1355 * the kernel crypto API interface. 1356 */ 1357 len = 0; 1358 err: 1359 return len; 1360 } 1361 1362 /* 1363 * Wrapper around drbg_generate which can pull arbitrary long strings 1364 * from the DRBG without hitting the maximum request limitation. 1365 * 1366 * Parameters: see drbg_generate 1367 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1368 * the entire drbg_generate_long request fails 1369 */ 1370 static int drbg_generate_long(struct drbg_state *drbg, 1371 unsigned char *buf, unsigned int buflen, 1372 struct drbg_string *addtl) 1373 { 1374 unsigned int len = 0; 1375 unsigned int slice = 0; 1376 do { 1377 int err = 0; 1378 unsigned int chunk = 0; 1379 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1380 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1381 mutex_lock(&drbg->drbg_mutex); 1382 err = drbg_generate(drbg, buf + len, chunk, addtl); 1383 mutex_unlock(&drbg->drbg_mutex); 1384 if (0 > err) 1385 return err; 1386 len += chunk; 1387 } while (slice > 0 && (len < buflen)); 1388 return 0; 1389 } 1390 1391 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1392 { 1393 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1394 random_ready); 1395 1396 schedule_work(&drbg->seed_work); 1397 } 1398 1399 static int drbg_prepare_hrng(struct drbg_state *drbg) 1400 { 1401 int err; 1402 1403 /* We do not need an HRNG in test mode. */ 1404 if (list_empty(&drbg->test_data.list)) 1405 return 0; 1406 1407 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1408 1409 drbg->random_ready.owner = THIS_MODULE; 1410 drbg->random_ready.func = drbg_schedule_async_seed; 1411 1412 err = add_random_ready_callback(&drbg->random_ready); 1413 1414 switch (err) { 1415 case 0: 1416 break; 1417 1418 case -EALREADY: 1419 err = 0; 1420 /* fall through */ 1421 1422 default: 1423 drbg->random_ready.func = NULL; 1424 return err; 1425 } 1426 1427 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1428 1429 /* 1430 * Require frequent reseeds until the seed source is fully 1431 * initialized. 1432 */ 1433 drbg->reseed_threshold = 50; 1434 1435 return err; 1436 } 1437 1438 /* 1439 * DRBG instantiation function as required by SP800-90A - this function 1440 * sets up the DRBG handle, performs the initial seeding and all sanity 1441 * checks required by SP800-90A 1442 * 1443 * @drbg memory of state -- if NULL, new memory is allocated 1444 * @pers Personalization string that is mixed into state, may be NULL -- note 1445 * the entropy is pulled by the DRBG internally unconditionally 1446 * as defined in SP800-90A. The additional input is mixed into 1447 * the state in addition to the pulled entropy. 1448 * @coreref reference to core 1449 * @pr prediction resistance enabled 1450 * 1451 * return 1452 * 0 on success 1453 * error value otherwise 1454 */ 1455 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1456 int coreref, bool pr) 1457 { 1458 int ret; 1459 bool reseed = true; 1460 1461 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1462 "%s\n", coreref, pr ? "enabled" : "disabled"); 1463 mutex_lock(&drbg->drbg_mutex); 1464 1465 /* 9.1 step 1 is implicit with the selected DRBG type */ 1466 1467 /* 1468 * 9.1 step 2 is implicit as caller can select prediction resistance 1469 * and the flag is copied into drbg->flags -- 1470 * all DRBG types support prediction resistance 1471 */ 1472 1473 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1474 1475 if (!drbg->core) { 1476 drbg->core = &drbg_cores[coreref]; 1477 drbg->pr = pr; 1478 drbg->seeded = false; 1479 drbg->reseed_threshold = drbg_max_requests(drbg); 1480 1481 ret = drbg_alloc_state(drbg); 1482 if (ret) 1483 goto unlock; 1484 1485 ret = drbg_prepare_hrng(drbg); 1486 if (ret) 1487 goto free_everything; 1488 1489 if (IS_ERR(drbg->jent)) { 1490 ret = PTR_ERR(drbg->jent); 1491 drbg->jent = NULL; 1492 if (fips_enabled || ret != -ENOENT) 1493 goto free_everything; 1494 pr_info("DRBG: Continuing without Jitter RNG\n"); 1495 } 1496 1497 reseed = false; 1498 } 1499 1500 ret = drbg_seed(drbg, pers, reseed); 1501 1502 if (ret && !reseed) 1503 goto free_everything; 1504 1505 mutex_unlock(&drbg->drbg_mutex); 1506 return ret; 1507 1508 unlock: 1509 mutex_unlock(&drbg->drbg_mutex); 1510 return ret; 1511 1512 free_everything: 1513 mutex_unlock(&drbg->drbg_mutex); 1514 drbg_uninstantiate(drbg); 1515 return ret; 1516 } 1517 1518 /* 1519 * DRBG uninstantiate function as required by SP800-90A - this function 1520 * frees all buffers and the DRBG handle 1521 * 1522 * @drbg DRBG state handle 1523 * 1524 * return 1525 * 0 on success 1526 */ 1527 static int drbg_uninstantiate(struct drbg_state *drbg) 1528 { 1529 if (drbg->random_ready.func) { 1530 del_random_ready_callback(&drbg->random_ready); 1531 cancel_work_sync(&drbg->seed_work); 1532 crypto_free_rng(drbg->jent); 1533 drbg->jent = NULL; 1534 } 1535 1536 if (drbg->d_ops) 1537 drbg->d_ops->crypto_fini(drbg); 1538 drbg_dealloc_state(drbg); 1539 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1540 return 0; 1541 } 1542 1543 /* 1544 * Helper function for setting the test data in the DRBG 1545 * 1546 * @drbg DRBG state handle 1547 * @data test data 1548 * @len test data length 1549 */ 1550 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1551 const u8 *data, unsigned int len) 1552 { 1553 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1554 1555 mutex_lock(&drbg->drbg_mutex); 1556 drbg_string_fill(&drbg->test_data, data, len); 1557 mutex_unlock(&drbg->drbg_mutex); 1558 } 1559 1560 /*************************************************************** 1561 * Kernel crypto API cipher invocations requested by DRBG 1562 ***************************************************************/ 1563 1564 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1565 struct sdesc { 1566 struct shash_desc shash; 1567 char ctx[]; 1568 }; 1569 1570 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1571 { 1572 struct sdesc *sdesc; 1573 struct crypto_shash *tfm; 1574 1575 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1576 if (IS_ERR(tfm)) { 1577 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1578 drbg->core->backend_cra_name); 1579 return PTR_ERR(tfm); 1580 } 1581 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1582 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1583 GFP_KERNEL); 1584 if (!sdesc) { 1585 crypto_free_shash(tfm); 1586 return -ENOMEM; 1587 } 1588 1589 sdesc->shash.tfm = tfm; 1590 drbg->priv_data = sdesc; 1591 1592 return crypto_shash_alignmask(tfm); 1593 } 1594 1595 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1596 { 1597 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1598 if (sdesc) { 1599 crypto_free_shash(sdesc->shash.tfm); 1600 kzfree(sdesc); 1601 } 1602 drbg->priv_data = NULL; 1603 return 0; 1604 } 1605 1606 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1607 const unsigned char *key) 1608 { 1609 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1610 1611 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1612 } 1613 1614 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1615 const struct list_head *in) 1616 { 1617 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1618 struct drbg_string *input = NULL; 1619 1620 crypto_shash_init(&sdesc->shash); 1621 list_for_each_entry(input, in, list) 1622 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1623 return crypto_shash_final(&sdesc->shash, outval); 1624 } 1625 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1626 1627 #ifdef CONFIG_CRYPTO_DRBG_CTR 1628 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1629 { 1630 struct crypto_cipher *tfm = 1631 (struct crypto_cipher *)drbg->priv_data; 1632 if (tfm) 1633 crypto_free_cipher(tfm); 1634 drbg->priv_data = NULL; 1635 1636 if (drbg->ctr_handle) 1637 crypto_free_skcipher(drbg->ctr_handle); 1638 drbg->ctr_handle = NULL; 1639 1640 if (drbg->ctr_req) 1641 skcipher_request_free(drbg->ctr_req); 1642 drbg->ctr_req = NULL; 1643 1644 kfree(drbg->outscratchpadbuf); 1645 drbg->outscratchpadbuf = NULL; 1646 1647 return 0; 1648 } 1649 1650 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1651 { 1652 struct crypto_cipher *tfm; 1653 struct crypto_skcipher *sk_tfm; 1654 struct skcipher_request *req; 1655 unsigned int alignmask; 1656 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1657 1658 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1659 if (IS_ERR(tfm)) { 1660 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1661 drbg->core->backend_cra_name); 1662 return PTR_ERR(tfm); 1663 } 1664 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1665 drbg->priv_data = tfm; 1666 1667 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1668 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1669 drbg_fini_sym_kernel(drbg); 1670 return -EINVAL; 1671 } 1672 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1673 if (IS_ERR(sk_tfm)) { 1674 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1675 ctr_name); 1676 drbg_fini_sym_kernel(drbg); 1677 return PTR_ERR(sk_tfm); 1678 } 1679 drbg->ctr_handle = sk_tfm; 1680 crypto_init_wait(&drbg->ctr_wait); 1681 1682 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1683 if (!req) { 1684 pr_info("DRBG: could not allocate request queue\n"); 1685 drbg_fini_sym_kernel(drbg); 1686 return -ENOMEM; 1687 } 1688 drbg->ctr_req = req; 1689 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1690 CRYPTO_TFM_REQ_MAY_SLEEP, 1691 crypto_req_done, &drbg->ctr_wait); 1692 1693 alignmask = crypto_skcipher_alignmask(sk_tfm); 1694 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1695 GFP_KERNEL); 1696 if (!drbg->outscratchpadbuf) { 1697 drbg_fini_sym_kernel(drbg); 1698 return -ENOMEM; 1699 } 1700 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1701 alignmask + 1); 1702 1703 sg_init_table(&drbg->sg_in, 1); 1704 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1705 1706 return alignmask; 1707 } 1708 1709 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1710 const unsigned char *key) 1711 { 1712 struct crypto_cipher *tfm = 1713 (struct crypto_cipher *)drbg->priv_data; 1714 1715 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1716 } 1717 1718 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1719 const struct drbg_string *in) 1720 { 1721 struct crypto_cipher *tfm = 1722 (struct crypto_cipher *)drbg->priv_data; 1723 1724 /* there is only component in *in */ 1725 BUG_ON(in->len < drbg_blocklen(drbg)); 1726 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1727 return 0; 1728 } 1729 1730 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1731 u8 *inbuf, u32 inlen, 1732 u8 *outbuf, u32 outlen) 1733 { 1734 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1735 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1736 int ret; 1737 1738 if (inbuf) { 1739 /* Use caller-provided input buffer */ 1740 sg_set_buf(sg_in, inbuf, inlen); 1741 } else { 1742 /* Use scratchpad for in-place operation */ 1743 inlen = scratchpad_use; 1744 memset(drbg->outscratchpad, 0, scratchpad_use); 1745 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1746 } 1747 1748 while (outlen) { 1749 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1750 1751 /* Output buffer may not be valid for SGL, use scratchpad */ 1752 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1753 cryptlen, drbg->V); 1754 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1755 &drbg->ctr_wait); 1756 if (ret) 1757 goto out; 1758 1759 crypto_init_wait(&drbg->ctr_wait); 1760 1761 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1762 memzero_explicit(drbg->outscratchpad, cryptlen); 1763 1764 outlen -= cryptlen; 1765 outbuf += cryptlen; 1766 } 1767 ret = 0; 1768 1769 out: 1770 return ret; 1771 } 1772 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1773 1774 /*************************************************************** 1775 * Kernel crypto API interface to register DRBG 1776 ***************************************************************/ 1777 1778 /* 1779 * Look up the DRBG flags by given kernel crypto API cra_name 1780 * The code uses the drbg_cores definition to do this 1781 * 1782 * @cra_name kernel crypto API cra_name 1783 * @coreref reference to integer which is filled with the pointer to 1784 * the applicable core 1785 * @pr reference for setting prediction resistance 1786 * 1787 * return: flags 1788 */ 1789 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1790 int *coreref, bool *pr) 1791 { 1792 int i = 0; 1793 size_t start = 0; 1794 int len = 0; 1795 1796 *pr = true; 1797 /* disassemble the names */ 1798 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1799 start = 10; 1800 *pr = false; 1801 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1802 start = 8; 1803 } else { 1804 return; 1805 } 1806 1807 /* remove the first part */ 1808 len = strlen(cra_driver_name) - start; 1809 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1810 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1811 len)) { 1812 *coreref = i; 1813 return; 1814 } 1815 } 1816 } 1817 1818 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1819 { 1820 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1821 1822 mutex_init(&drbg->drbg_mutex); 1823 1824 return 0; 1825 } 1826 1827 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1828 { 1829 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1830 } 1831 1832 /* 1833 * Generate random numbers invoked by the kernel crypto API: 1834 * The API of the kernel crypto API is extended as follows: 1835 * 1836 * src is additional input supplied to the RNG. 1837 * slen is the length of src. 1838 * dst is the output buffer where random data is to be stored. 1839 * dlen is the length of dst. 1840 */ 1841 static int drbg_kcapi_random(struct crypto_rng *tfm, 1842 const u8 *src, unsigned int slen, 1843 u8 *dst, unsigned int dlen) 1844 { 1845 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1846 struct drbg_string *addtl = NULL; 1847 struct drbg_string string; 1848 1849 if (slen) { 1850 /* linked list variable is now local to allow modification */ 1851 drbg_string_fill(&string, src, slen); 1852 addtl = &string; 1853 } 1854 1855 return drbg_generate_long(drbg, dst, dlen, addtl); 1856 } 1857 1858 /* 1859 * Seed the DRBG invoked by the kernel crypto API 1860 */ 1861 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1862 const u8 *seed, unsigned int slen) 1863 { 1864 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1865 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1866 bool pr = false; 1867 struct drbg_string string; 1868 struct drbg_string *seed_string = NULL; 1869 int coreref = 0; 1870 1871 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1872 &pr); 1873 if (0 < slen) { 1874 drbg_string_fill(&string, seed, slen); 1875 seed_string = &string; 1876 } 1877 1878 return drbg_instantiate(drbg, seed_string, coreref, pr); 1879 } 1880 1881 /*************************************************************** 1882 * Kernel module: code to load the module 1883 ***************************************************************/ 1884 1885 /* 1886 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1887 * of the error handling. 1888 * 1889 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1890 * as seed source of get_random_bytes does not fail. 1891 * 1892 * Note 2: There is no sensible way of testing the reseed counter 1893 * enforcement, so skip it. 1894 */ 1895 static inline int __init drbg_healthcheck_sanity(void) 1896 { 1897 int len = 0; 1898 #define OUTBUFLEN 16 1899 unsigned char buf[OUTBUFLEN]; 1900 struct drbg_state *drbg = NULL; 1901 int ret = -EFAULT; 1902 int rc = -EFAULT; 1903 bool pr = false; 1904 int coreref = 0; 1905 struct drbg_string addtl; 1906 size_t max_addtllen, max_request_bytes; 1907 1908 /* only perform test in FIPS mode */ 1909 if (!fips_enabled) 1910 return 0; 1911 1912 #ifdef CONFIG_CRYPTO_DRBG_CTR 1913 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1914 #elif defined CONFIG_CRYPTO_DRBG_HASH 1915 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1916 #else 1917 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1918 #endif 1919 1920 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1921 if (!drbg) 1922 return -ENOMEM; 1923 1924 mutex_init(&drbg->drbg_mutex); 1925 drbg->core = &drbg_cores[coreref]; 1926 drbg->reseed_threshold = drbg_max_requests(drbg); 1927 1928 /* 1929 * if the following tests fail, it is likely that there is a buffer 1930 * overflow as buf is much smaller than the requested or provided 1931 * string lengths -- in case the error handling does not succeed 1932 * we may get an OOPS. And we want to get an OOPS as this is a 1933 * grave bug. 1934 */ 1935 1936 max_addtllen = drbg_max_addtl(drbg); 1937 max_request_bytes = drbg_max_request_bytes(drbg); 1938 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1939 /* overflow addtllen with additonal info string */ 1940 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1941 BUG_ON(0 < len); 1942 /* overflow max_bits */ 1943 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1944 BUG_ON(0 < len); 1945 1946 /* overflow max addtllen with personalization string */ 1947 ret = drbg_seed(drbg, &addtl, false); 1948 BUG_ON(0 == ret); 1949 /* all tests passed */ 1950 rc = 0; 1951 1952 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1953 "completed\n"); 1954 1955 kfree(drbg); 1956 return rc; 1957 } 1958 1959 static struct rng_alg drbg_algs[22]; 1960 1961 /* 1962 * Fill the array drbg_algs used to register the different DRBGs 1963 * with the kernel crypto API. To fill the array, the information 1964 * from drbg_cores[] is used. 1965 */ 1966 static inline void __init drbg_fill_array(struct rng_alg *alg, 1967 const struct drbg_core *core, int pr) 1968 { 1969 int pos = 0; 1970 static int priority = 200; 1971 1972 memcpy(alg->base.cra_name, "stdrng", 6); 1973 if (pr) { 1974 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1975 pos = 8; 1976 } else { 1977 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1978 pos = 10; 1979 } 1980 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1981 strlen(core->cra_name)); 1982 1983 alg->base.cra_priority = priority; 1984 priority++; 1985 /* 1986 * If FIPS mode enabled, the selected DRBG shall have the 1987 * highest cra_priority over other stdrng instances to ensure 1988 * it is selected. 1989 */ 1990 if (fips_enabled) 1991 alg->base.cra_priority += 200; 1992 1993 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1994 alg->base.cra_module = THIS_MODULE; 1995 alg->base.cra_init = drbg_kcapi_init; 1996 alg->base.cra_exit = drbg_kcapi_cleanup; 1997 alg->generate = drbg_kcapi_random; 1998 alg->seed = drbg_kcapi_seed; 1999 alg->set_ent = drbg_kcapi_set_entropy; 2000 alg->seedsize = 0; 2001 } 2002 2003 static int __init drbg_init(void) 2004 { 2005 unsigned int i = 0; /* pointer to drbg_algs */ 2006 unsigned int j = 0; /* pointer to drbg_cores */ 2007 int ret; 2008 2009 ret = drbg_healthcheck_sanity(); 2010 if (ret) 2011 return ret; 2012 2013 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2014 pr_info("DRBG: Cannot register all DRBG types" 2015 "(slots needed: %zu, slots available: %zu)\n", 2016 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2017 return -EFAULT; 2018 } 2019 2020 /* 2021 * each DRBG definition can be used with PR and without PR, thus 2022 * we instantiate each DRBG in drbg_cores[] twice. 2023 * 2024 * As the order of placing them into the drbg_algs array matters 2025 * (the later DRBGs receive a higher cra_priority) we register the 2026 * prediction resistance DRBGs first as the should not be too 2027 * interesting. 2028 */ 2029 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2030 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2031 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2032 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2033 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2034 } 2035 2036 static void __exit drbg_exit(void) 2037 { 2038 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2039 } 2040 2041 subsys_initcall(drbg_init); 2042 module_exit(drbg_exit); 2043 #ifndef CRYPTO_DRBG_HASH_STRING 2044 #define CRYPTO_DRBG_HASH_STRING "" 2045 #endif 2046 #ifndef CRYPTO_DRBG_HMAC_STRING 2047 #define CRYPTO_DRBG_HMAC_STRING "" 2048 #endif 2049 #ifndef CRYPTO_DRBG_CTR_STRING 2050 #define CRYPTO_DRBG_CTR_STRING "" 2051 #endif 2052 MODULE_LICENSE("GPL"); 2053 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2054 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2055 "using following cores: " 2056 CRYPTO_DRBG_HASH_STRING 2057 CRYPTO_DRBG_HMAC_STRING 2058 CRYPTO_DRBG_CTR_STRING); 2059 MODULE_ALIAS_CRYPTO("stdrng"); 2060