1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/kernel.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 static int drbg_uninstantiate(struct drbg_state *drbg); 195 196 /****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200 /* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209 { 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220 } 221 222 /* 223 * Convert an integer into a byte representation of this integer. 224 * The byte representation is big-endian 225 * 226 * @val value to be converted 227 * @buf buffer holding the converted integer -- caller must ensure that 228 * buffer size is at least 32 bit 229 */ 230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 232 { 233 struct s { 234 __be32 conv; 235 }; 236 struct s *conversion = (struct s *) buf; 237 238 conversion->conv = cpu_to_be32(val); 239 } 240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 241 242 /****************************************************************** 243 * CTR DRBG callback functions 244 ******************************************************************/ 245 246 #ifdef CONFIG_CRYPTO_DRBG_CTR 247 #define CRYPTO_DRBG_CTR_STRING "CTR " 248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 254 255 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 256 const unsigned char *key); 257 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 258 const struct drbg_string *in); 259 static int drbg_init_sym_kernel(struct drbg_state *drbg); 260 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 261 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 262 u8 *inbuf, u32 inbuflen, 263 u8 *outbuf, u32 outlen); 264 #define DRBG_CTR_NULL_LEN 128 265 #define DRBG_OUTSCRATCHLEN DRBG_CTR_NULL_LEN 266 267 /* BCC function for CTR DRBG as defined in 10.4.3 */ 268 static int drbg_ctr_bcc(struct drbg_state *drbg, 269 unsigned char *out, const unsigned char *key, 270 struct list_head *in) 271 { 272 int ret = 0; 273 struct drbg_string *curr = NULL; 274 struct drbg_string data; 275 short cnt = 0; 276 277 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 278 279 /* 10.4.3 step 2 / 4 */ 280 drbg_kcapi_symsetkey(drbg, key); 281 list_for_each_entry(curr, in, list) { 282 const unsigned char *pos = curr->buf; 283 size_t len = curr->len; 284 /* 10.4.3 step 4.1 */ 285 while (len) { 286 /* 10.4.3 step 4.2 */ 287 if (drbg_blocklen(drbg) == cnt) { 288 cnt = 0; 289 ret = drbg_kcapi_sym(drbg, out, &data); 290 if (ret) 291 return ret; 292 } 293 out[cnt] ^= *pos; 294 pos++; 295 cnt++; 296 len--; 297 } 298 } 299 /* 10.4.3 step 4.2 for last block */ 300 if (cnt) 301 ret = drbg_kcapi_sym(drbg, out, &data); 302 303 return ret; 304 } 305 306 /* 307 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 308 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 309 * the scratchpad is used as follows: 310 * drbg_ctr_update: 311 * temp 312 * start: drbg->scratchpad 313 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 314 * note: the cipher writing into this variable works 315 * blocklen-wise. Now, when the statelen is not a multiple 316 * of blocklen, the generateion loop below "spills over" 317 * by at most blocklen. Thus, we need to give sufficient 318 * memory. 319 * df_data 320 * start: drbg->scratchpad + 321 * drbg_statelen(drbg) + drbg_blocklen(drbg) 322 * length: drbg_statelen(drbg) 323 * 324 * drbg_ctr_df: 325 * pad 326 * start: df_data + drbg_statelen(drbg) 327 * length: drbg_blocklen(drbg) 328 * iv 329 * start: pad + drbg_blocklen(drbg) 330 * length: drbg_blocklen(drbg) 331 * temp 332 * start: iv + drbg_blocklen(drbg) 333 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 334 * note: temp is the buffer that the BCC function operates 335 * on. BCC operates blockwise. drbg_statelen(drbg) 336 * is sufficient when the DRBG state length is a multiple 337 * of the block size. For AES192 (and maybe other ciphers) 338 * this is not correct and the length for temp is 339 * insufficient (yes, that also means for such ciphers, 340 * the final output of all BCC rounds are truncated). 341 * Therefore, add drbg_blocklen(drbg) to cover all 342 * possibilities. 343 */ 344 345 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 346 static int drbg_ctr_df(struct drbg_state *drbg, 347 unsigned char *df_data, size_t bytes_to_return, 348 struct list_head *seedlist) 349 { 350 int ret = -EFAULT; 351 unsigned char L_N[8]; 352 /* S3 is input */ 353 struct drbg_string S1, S2, S4, cipherin; 354 LIST_HEAD(bcc_list); 355 unsigned char *pad = df_data + drbg_statelen(drbg); 356 unsigned char *iv = pad + drbg_blocklen(drbg); 357 unsigned char *temp = iv + drbg_blocklen(drbg); 358 size_t padlen = 0; 359 unsigned int templen = 0; 360 /* 10.4.2 step 7 */ 361 unsigned int i = 0; 362 /* 10.4.2 step 8 */ 363 const unsigned char *K = (unsigned char *) 364 "\x00\x01\x02\x03\x04\x05\x06\x07" 365 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 366 "\x10\x11\x12\x13\x14\x15\x16\x17" 367 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 368 unsigned char *X; 369 size_t generated_len = 0; 370 size_t inputlen = 0; 371 struct drbg_string *seed = NULL; 372 373 memset(pad, 0, drbg_blocklen(drbg)); 374 memset(iv, 0, drbg_blocklen(drbg)); 375 376 /* 10.4.2 step 1 is implicit as we work byte-wise */ 377 378 /* 10.4.2 step 2 */ 379 if ((512/8) < bytes_to_return) 380 return -EINVAL; 381 382 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 383 list_for_each_entry(seed, seedlist, list) 384 inputlen += seed->len; 385 drbg_cpu_to_be32(inputlen, &L_N[0]); 386 387 /* 10.4.2 step 3 */ 388 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 389 390 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 391 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 392 /* wrap the padlen appropriately */ 393 if (padlen) 394 padlen = drbg_blocklen(drbg) - padlen; 395 /* 396 * pad / padlen contains the 0x80 byte and the following zero bytes. 397 * As the calculated padlen value only covers the number of zero 398 * bytes, this value has to be incremented by one for the 0x80 byte. 399 */ 400 padlen++; 401 pad[0] = 0x80; 402 403 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 404 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 405 list_add_tail(&S1.list, &bcc_list); 406 drbg_string_fill(&S2, L_N, sizeof(L_N)); 407 list_add_tail(&S2.list, &bcc_list); 408 list_splice_tail(seedlist, &bcc_list); 409 drbg_string_fill(&S4, pad, padlen); 410 list_add_tail(&S4.list, &bcc_list); 411 412 /* 10.4.2 step 9 */ 413 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 414 /* 415 * 10.4.2 step 9.1 - the padding is implicit as the buffer 416 * holds zeros after allocation -- even the increment of i 417 * is irrelevant as the increment remains within length of i 418 */ 419 drbg_cpu_to_be32(i, iv); 420 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 421 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 422 if (ret) 423 goto out; 424 /* 10.4.2 step 9.3 */ 425 i++; 426 templen += drbg_blocklen(drbg); 427 } 428 429 /* 10.4.2 step 11 */ 430 X = temp + (drbg_keylen(drbg)); 431 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 432 433 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 434 435 /* 10.4.2 step 13 */ 436 drbg_kcapi_symsetkey(drbg, temp); 437 while (generated_len < bytes_to_return) { 438 short blocklen = 0; 439 /* 440 * 10.4.2 step 13.1: the truncation of the key length is 441 * implicit as the key is only drbg_blocklen in size based on 442 * the implementation of the cipher function callback 443 */ 444 ret = drbg_kcapi_sym(drbg, X, &cipherin); 445 if (ret) 446 goto out; 447 blocklen = (drbg_blocklen(drbg) < 448 (bytes_to_return - generated_len)) ? 449 drbg_blocklen(drbg) : 450 (bytes_to_return - generated_len); 451 /* 10.4.2 step 13.2 and 14 */ 452 memcpy(df_data + generated_len, X, blocklen); 453 generated_len += blocklen; 454 } 455 456 ret = 0; 457 458 out: 459 memset(iv, 0, drbg_blocklen(drbg)); 460 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 461 memset(pad, 0, drbg_blocklen(drbg)); 462 return ret; 463 } 464 465 /* 466 * update function of CTR DRBG as defined in 10.2.1.2 467 * 468 * The reseed variable has an enhanced meaning compared to the update 469 * functions of the other DRBGs as follows: 470 * 0 => initial seed from initialization 471 * 1 => reseed via drbg_seed 472 * 2 => first invocation from drbg_ctr_update when addtl is present. In 473 * this case, the df_data scratchpad is not deleted so that it is 474 * available for another calls to prevent calling the DF function 475 * again. 476 * 3 => second invocation from drbg_ctr_update. When the update function 477 * was called with addtl, the df_data memory already contains the 478 * DFed addtl information and we do not need to call DF again. 479 */ 480 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 481 int reseed) 482 { 483 int ret = -EFAULT; 484 /* 10.2.1.2 step 1 */ 485 unsigned char *temp = drbg->scratchpad; 486 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 487 drbg_blocklen(drbg); 488 489 if (3 > reseed) 490 memset(df_data, 0, drbg_statelen(drbg)); 491 492 if (!reseed) { 493 /* 494 * The DRBG uses the CTR mode of the underlying AES cipher. The 495 * CTR mode increments the counter value after the AES operation 496 * but SP800-90A requires that the counter is incremented before 497 * the AES operation. Hence, we increment it at the time we set 498 * it by one. 499 */ 500 crypto_inc(drbg->V, drbg_blocklen(drbg)); 501 502 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 503 drbg_keylen(drbg)); 504 if (ret) 505 goto out; 506 } 507 508 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 509 if (seed) { 510 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 511 if (ret) 512 goto out; 513 } 514 515 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 516 temp, drbg_statelen(drbg)); 517 if (ret) 518 return ret; 519 520 /* 10.2.1.2 step 5 */ 521 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 522 drbg_keylen(drbg)); 523 if (ret) 524 goto out; 525 /* 10.2.1.2 step 6 */ 526 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 527 /* See above: increment counter by one to compensate timing of CTR op */ 528 crypto_inc(drbg->V, drbg_blocklen(drbg)); 529 ret = 0; 530 531 out: 532 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 533 if (2 != reseed) 534 memset(df_data, 0, drbg_statelen(drbg)); 535 return ret; 536 } 537 538 /* 539 * scratchpad use: drbg_ctr_update is called independently from 540 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 541 */ 542 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 543 static int drbg_ctr_generate(struct drbg_state *drbg, 544 unsigned char *buf, unsigned int buflen, 545 struct list_head *addtl) 546 { 547 int ret; 548 int len = min_t(int, buflen, INT_MAX); 549 550 /* 10.2.1.5.2 step 2 */ 551 if (addtl && !list_empty(addtl)) { 552 ret = drbg_ctr_update(drbg, addtl, 2); 553 if (ret) 554 return 0; 555 } 556 557 /* 10.2.1.5.2 step 4.1 */ 558 ret = drbg_kcapi_sym_ctr(drbg, drbg->ctr_null_value, DRBG_CTR_NULL_LEN, 559 buf, len); 560 if (ret) 561 return ret; 562 563 /* 10.2.1.5.2 step 6 */ 564 ret = drbg_ctr_update(drbg, NULL, 3); 565 if (ret) 566 len = ret; 567 568 return len; 569 } 570 571 static const struct drbg_state_ops drbg_ctr_ops = { 572 .update = drbg_ctr_update, 573 .generate = drbg_ctr_generate, 574 .crypto_init = drbg_init_sym_kernel, 575 .crypto_fini = drbg_fini_sym_kernel, 576 }; 577 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 578 579 /****************************************************************** 580 * HMAC DRBG callback functions 581 ******************************************************************/ 582 583 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 584 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 585 const struct list_head *in); 586 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 587 const unsigned char *key); 588 static int drbg_init_hash_kernel(struct drbg_state *drbg); 589 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 590 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 591 592 #ifdef CONFIG_CRYPTO_DRBG_HMAC 593 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 594 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 595 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 596 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 597 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 598 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 599 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 600 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 601 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 602 603 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 604 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 605 int reseed) 606 { 607 int ret = -EFAULT; 608 int i = 0; 609 struct drbg_string seed1, seed2, vdata; 610 LIST_HEAD(seedlist); 611 LIST_HEAD(vdatalist); 612 613 if (!reseed) { 614 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 615 memset(drbg->V, 1, drbg_statelen(drbg)); 616 drbg_kcapi_hmacsetkey(drbg, drbg->C); 617 } 618 619 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 620 list_add_tail(&seed1.list, &seedlist); 621 /* buffer of seed2 will be filled in for loop below with one byte */ 622 drbg_string_fill(&seed2, NULL, 1); 623 list_add_tail(&seed2.list, &seedlist); 624 /* input data of seed is allowed to be NULL at this point */ 625 if (seed) 626 list_splice_tail(seed, &seedlist); 627 628 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 629 list_add_tail(&vdata.list, &vdatalist); 630 for (i = 2; 0 < i; i--) { 631 /* first round uses 0x0, second 0x1 */ 632 unsigned char prefix = DRBG_PREFIX0; 633 if (1 == i) 634 prefix = DRBG_PREFIX1; 635 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 636 seed2.buf = &prefix; 637 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 638 if (ret) 639 return ret; 640 drbg_kcapi_hmacsetkey(drbg, drbg->C); 641 642 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 643 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 644 if (ret) 645 return ret; 646 647 /* 10.1.2.2 step 3 */ 648 if (!seed) 649 return ret; 650 } 651 652 return 0; 653 } 654 655 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 656 static int drbg_hmac_generate(struct drbg_state *drbg, 657 unsigned char *buf, 658 unsigned int buflen, 659 struct list_head *addtl) 660 { 661 int len = 0; 662 int ret = 0; 663 struct drbg_string data; 664 LIST_HEAD(datalist); 665 666 /* 10.1.2.5 step 2 */ 667 if (addtl && !list_empty(addtl)) { 668 ret = drbg_hmac_update(drbg, addtl, 1); 669 if (ret) 670 return ret; 671 } 672 673 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 674 list_add_tail(&data.list, &datalist); 675 while (len < buflen) { 676 unsigned int outlen = 0; 677 /* 10.1.2.5 step 4.1 */ 678 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 679 if (ret) 680 return ret; 681 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 682 drbg_blocklen(drbg) : (buflen - len); 683 684 /* 10.1.2.5 step 4.2 */ 685 memcpy(buf + len, drbg->V, outlen); 686 len += outlen; 687 } 688 689 /* 10.1.2.5 step 6 */ 690 if (addtl && !list_empty(addtl)) 691 ret = drbg_hmac_update(drbg, addtl, 1); 692 else 693 ret = drbg_hmac_update(drbg, NULL, 1); 694 if (ret) 695 return ret; 696 697 return len; 698 } 699 700 static const struct drbg_state_ops drbg_hmac_ops = { 701 .update = drbg_hmac_update, 702 .generate = drbg_hmac_generate, 703 .crypto_init = drbg_init_hash_kernel, 704 .crypto_fini = drbg_fini_hash_kernel, 705 }; 706 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 707 708 /****************************************************************** 709 * Hash DRBG callback functions 710 ******************************************************************/ 711 712 #ifdef CONFIG_CRYPTO_DRBG_HASH 713 #define CRYPTO_DRBG_HASH_STRING "HASH " 714 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 715 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 716 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 717 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 718 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 719 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 720 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 721 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 722 723 /* 724 * Increment buffer 725 * 726 * @dst buffer to increment 727 * @add value to add 728 */ 729 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 730 const unsigned char *add, size_t addlen) 731 { 732 /* implied: dstlen > addlen */ 733 unsigned char *dstptr; 734 const unsigned char *addptr; 735 unsigned int remainder = 0; 736 size_t len = addlen; 737 738 dstptr = dst + (dstlen-1); 739 addptr = add + (addlen-1); 740 while (len) { 741 remainder += *dstptr + *addptr; 742 *dstptr = remainder & 0xff; 743 remainder >>= 8; 744 len--; dstptr--; addptr--; 745 } 746 len = dstlen - addlen; 747 while (len && remainder > 0) { 748 remainder = *dstptr + 1; 749 *dstptr = remainder & 0xff; 750 remainder >>= 8; 751 len--; dstptr--; 752 } 753 } 754 755 /* 756 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 757 * interlinked, the scratchpad is used as follows: 758 * drbg_hash_update 759 * start: drbg->scratchpad 760 * length: drbg_statelen(drbg) 761 * drbg_hash_df: 762 * start: drbg->scratchpad + drbg_statelen(drbg) 763 * length: drbg_blocklen(drbg) 764 * 765 * drbg_hash_process_addtl uses the scratchpad, but fully completes 766 * before either of the functions mentioned before are invoked. Therefore, 767 * drbg_hash_process_addtl does not need to be specifically considered. 768 */ 769 770 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 771 static int drbg_hash_df(struct drbg_state *drbg, 772 unsigned char *outval, size_t outlen, 773 struct list_head *entropylist) 774 { 775 int ret = 0; 776 size_t len = 0; 777 unsigned char input[5]; 778 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 779 struct drbg_string data; 780 781 /* 10.4.1 step 3 */ 782 input[0] = 1; 783 drbg_cpu_to_be32((outlen * 8), &input[1]); 784 785 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 786 drbg_string_fill(&data, input, 5); 787 list_add(&data.list, entropylist); 788 789 /* 10.4.1 step 4 */ 790 while (len < outlen) { 791 short blocklen = 0; 792 /* 10.4.1 step 4.1 */ 793 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 794 if (ret) 795 goto out; 796 /* 10.4.1 step 4.2 */ 797 input[0]++; 798 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 799 drbg_blocklen(drbg) : (outlen - len); 800 memcpy(outval + len, tmp, blocklen); 801 len += blocklen; 802 } 803 804 out: 805 memset(tmp, 0, drbg_blocklen(drbg)); 806 return ret; 807 } 808 809 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 810 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 811 int reseed) 812 { 813 int ret = 0; 814 struct drbg_string data1, data2; 815 LIST_HEAD(datalist); 816 LIST_HEAD(datalist2); 817 unsigned char *V = drbg->scratchpad; 818 unsigned char prefix = DRBG_PREFIX1; 819 820 if (!seed) 821 return -EINVAL; 822 823 if (reseed) { 824 /* 10.1.1.3 step 1 */ 825 memcpy(V, drbg->V, drbg_statelen(drbg)); 826 drbg_string_fill(&data1, &prefix, 1); 827 list_add_tail(&data1.list, &datalist); 828 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 829 list_add_tail(&data2.list, &datalist); 830 } 831 list_splice_tail(seed, &datalist); 832 833 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 834 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 835 if (ret) 836 goto out; 837 838 /* 10.1.1.2 / 10.1.1.3 step 4 */ 839 prefix = DRBG_PREFIX0; 840 drbg_string_fill(&data1, &prefix, 1); 841 list_add_tail(&data1.list, &datalist2); 842 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 843 list_add_tail(&data2.list, &datalist2); 844 /* 10.1.1.2 / 10.1.1.3 step 4 */ 845 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 846 847 out: 848 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 849 return ret; 850 } 851 852 /* processing of additional information string for Hash DRBG */ 853 static int drbg_hash_process_addtl(struct drbg_state *drbg, 854 struct list_head *addtl) 855 { 856 int ret = 0; 857 struct drbg_string data1, data2; 858 LIST_HEAD(datalist); 859 unsigned char prefix = DRBG_PREFIX2; 860 861 /* 10.1.1.4 step 2 */ 862 if (!addtl || list_empty(addtl)) 863 return 0; 864 865 /* 10.1.1.4 step 2a */ 866 drbg_string_fill(&data1, &prefix, 1); 867 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 868 list_add_tail(&data1.list, &datalist); 869 list_add_tail(&data2.list, &datalist); 870 list_splice_tail(addtl, &datalist); 871 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 872 if (ret) 873 goto out; 874 875 /* 10.1.1.4 step 2b */ 876 drbg_add_buf(drbg->V, drbg_statelen(drbg), 877 drbg->scratchpad, drbg_blocklen(drbg)); 878 879 out: 880 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 881 return ret; 882 } 883 884 /* Hashgen defined in 10.1.1.4 */ 885 static int drbg_hash_hashgen(struct drbg_state *drbg, 886 unsigned char *buf, 887 unsigned int buflen) 888 { 889 int len = 0; 890 int ret = 0; 891 unsigned char *src = drbg->scratchpad; 892 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 893 struct drbg_string data; 894 LIST_HEAD(datalist); 895 896 /* 10.1.1.4 step hashgen 2 */ 897 memcpy(src, drbg->V, drbg_statelen(drbg)); 898 899 drbg_string_fill(&data, src, drbg_statelen(drbg)); 900 list_add_tail(&data.list, &datalist); 901 while (len < buflen) { 902 unsigned int outlen = 0; 903 /* 10.1.1.4 step hashgen 4.1 */ 904 ret = drbg_kcapi_hash(drbg, dst, &datalist); 905 if (ret) { 906 len = ret; 907 goto out; 908 } 909 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 910 drbg_blocklen(drbg) : (buflen - len); 911 /* 10.1.1.4 step hashgen 4.2 */ 912 memcpy(buf + len, dst, outlen); 913 len += outlen; 914 /* 10.1.1.4 hashgen step 4.3 */ 915 if (len < buflen) 916 crypto_inc(src, drbg_statelen(drbg)); 917 } 918 919 out: 920 memset(drbg->scratchpad, 0, 921 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 922 return len; 923 } 924 925 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 926 static int drbg_hash_generate(struct drbg_state *drbg, 927 unsigned char *buf, unsigned int buflen, 928 struct list_head *addtl) 929 { 930 int len = 0; 931 int ret = 0; 932 union { 933 unsigned char req[8]; 934 __be64 req_int; 935 } u; 936 unsigned char prefix = DRBG_PREFIX3; 937 struct drbg_string data1, data2; 938 LIST_HEAD(datalist); 939 940 /* 10.1.1.4 step 2 */ 941 ret = drbg_hash_process_addtl(drbg, addtl); 942 if (ret) 943 return ret; 944 /* 10.1.1.4 step 3 */ 945 len = drbg_hash_hashgen(drbg, buf, buflen); 946 947 /* this is the value H as documented in 10.1.1.4 */ 948 /* 10.1.1.4 step 4 */ 949 drbg_string_fill(&data1, &prefix, 1); 950 list_add_tail(&data1.list, &datalist); 951 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 952 list_add_tail(&data2.list, &datalist); 953 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 954 if (ret) { 955 len = ret; 956 goto out; 957 } 958 959 /* 10.1.1.4 step 5 */ 960 drbg_add_buf(drbg->V, drbg_statelen(drbg), 961 drbg->scratchpad, drbg_blocklen(drbg)); 962 drbg_add_buf(drbg->V, drbg_statelen(drbg), 963 drbg->C, drbg_statelen(drbg)); 964 u.req_int = cpu_to_be64(drbg->reseed_ctr); 965 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 966 967 out: 968 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 969 return len; 970 } 971 972 /* 973 * scratchpad usage: as update and generate are used isolated, both 974 * can use the scratchpad 975 */ 976 static const struct drbg_state_ops drbg_hash_ops = { 977 .update = drbg_hash_update, 978 .generate = drbg_hash_generate, 979 .crypto_init = drbg_init_hash_kernel, 980 .crypto_fini = drbg_fini_hash_kernel, 981 }; 982 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 983 984 /****************************************************************** 985 * Functions common for DRBG implementations 986 ******************************************************************/ 987 988 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 989 int reseed) 990 { 991 int ret = drbg->d_ops->update(drbg, seed, reseed); 992 993 if (ret) 994 return ret; 995 996 drbg->seeded = true; 997 /* 10.1.1.2 / 10.1.1.3 step 5 */ 998 drbg->reseed_ctr = 1; 999 1000 return ret; 1001 } 1002 1003 static void drbg_async_seed(struct work_struct *work) 1004 { 1005 struct drbg_string data; 1006 LIST_HEAD(seedlist); 1007 struct drbg_state *drbg = container_of(work, struct drbg_state, 1008 seed_work); 1009 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1010 unsigned char entropy[32]; 1011 1012 BUG_ON(!entropylen); 1013 BUG_ON(entropylen > sizeof(entropy)); 1014 get_random_bytes(entropy, entropylen); 1015 1016 drbg_string_fill(&data, entropy, entropylen); 1017 list_add_tail(&data.list, &seedlist); 1018 1019 mutex_lock(&drbg->drbg_mutex); 1020 1021 /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1022 crypto_free_rng(drbg->jent); 1023 drbg->jent = NULL; 1024 1025 /* Set seeded to false so that if __drbg_seed fails the 1026 * next generate call will trigger a reseed. 1027 */ 1028 drbg->seeded = false; 1029 1030 __drbg_seed(drbg, &seedlist, true); 1031 1032 if (drbg->seeded) 1033 drbg->reseed_threshold = drbg_max_requests(drbg); 1034 1035 mutex_unlock(&drbg->drbg_mutex); 1036 1037 memzero_explicit(entropy, entropylen); 1038 } 1039 1040 /* 1041 * Seeding or reseeding of the DRBG 1042 * 1043 * @drbg: DRBG state struct 1044 * @pers: personalization / additional information buffer 1045 * @reseed: 0 for initial seed process, 1 for reseeding 1046 * 1047 * return: 1048 * 0 on success 1049 * error value otherwise 1050 */ 1051 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1052 bool reseed) 1053 { 1054 int ret; 1055 unsigned char entropy[((32 + 16) * 2)]; 1056 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1057 struct drbg_string data1; 1058 LIST_HEAD(seedlist); 1059 1060 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1061 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1062 pr_devel("DRBG: personalization string too long %zu\n", 1063 pers->len); 1064 return -EINVAL; 1065 } 1066 1067 if (list_empty(&drbg->test_data.list)) { 1068 drbg_string_fill(&data1, drbg->test_data.buf, 1069 drbg->test_data.len); 1070 pr_devel("DRBG: using test entropy\n"); 1071 } else { 1072 /* 1073 * Gather entropy equal to the security strength of the DRBG. 1074 * With a derivation function, a nonce is required in addition 1075 * to the entropy. A nonce must be at least 1/2 of the security 1076 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1077 * of the strength. The consideration of a nonce is only 1078 * applicable during initial seeding. 1079 */ 1080 BUG_ON(!entropylen); 1081 if (!reseed) 1082 entropylen = ((entropylen + 1) / 2) * 3; 1083 BUG_ON((entropylen * 2) > sizeof(entropy)); 1084 1085 /* Get seed from in-kernel /dev/urandom */ 1086 get_random_bytes(entropy, entropylen); 1087 1088 if (!drbg->jent) { 1089 drbg_string_fill(&data1, entropy, entropylen); 1090 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1091 entropylen); 1092 } else { 1093 /* Get seed from Jitter RNG */ 1094 ret = crypto_rng_get_bytes(drbg->jent, 1095 entropy + entropylen, 1096 entropylen); 1097 if (ret) { 1098 pr_devel("DRBG: jent failed with %d\n", ret); 1099 return ret; 1100 } 1101 1102 drbg_string_fill(&data1, entropy, entropylen * 2); 1103 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1104 entropylen * 2); 1105 } 1106 } 1107 list_add_tail(&data1.list, &seedlist); 1108 1109 /* 1110 * concatenation of entropy with personalization str / addtl input) 1111 * the variable pers is directly handed in by the caller, so check its 1112 * contents whether it is appropriate 1113 */ 1114 if (pers && pers->buf && 0 < pers->len) { 1115 list_add_tail(&pers->list, &seedlist); 1116 pr_devel("DRBG: using personalization string\n"); 1117 } 1118 1119 if (!reseed) { 1120 memset(drbg->V, 0, drbg_statelen(drbg)); 1121 memset(drbg->C, 0, drbg_statelen(drbg)); 1122 } 1123 1124 ret = __drbg_seed(drbg, &seedlist, reseed); 1125 1126 memzero_explicit(entropy, entropylen * 2); 1127 1128 return ret; 1129 } 1130 1131 /* Free all substructures in a DRBG state without the DRBG state structure */ 1132 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1133 { 1134 if (!drbg) 1135 return; 1136 kzfree(drbg->V); 1137 drbg->Vbuf = NULL; 1138 kzfree(drbg->C); 1139 drbg->Cbuf = NULL; 1140 kzfree(drbg->scratchpadbuf); 1141 drbg->scratchpadbuf = NULL; 1142 drbg->reseed_ctr = 0; 1143 drbg->d_ops = NULL; 1144 drbg->core = NULL; 1145 } 1146 1147 /* 1148 * Allocate all sub-structures for a DRBG state. 1149 * The DRBG state structure must already be allocated. 1150 */ 1151 static inline int drbg_alloc_state(struct drbg_state *drbg) 1152 { 1153 int ret = -ENOMEM; 1154 unsigned int sb_size = 0; 1155 1156 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1157 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1158 case DRBG_HMAC: 1159 drbg->d_ops = &drbg_hmac_ops; 1160 break; 1161 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1162 #ifdef CONFIG_CRYPTO_DRBG_HASH 1163 case DRBG_HASH: 1164 drbg->d_ops = &drbg_hash_ops; 1165 break; 1166 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1167 #ifdef CONFIG_CRYPTO_DRBG_CTR 1168 case DRBG_CTR: 1169 drbg->d_ops = &drbg_ctr_ops; 1170 break; 1171 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1172 default: 1173 ret = -EOPNOTSUPP; 1174 goto err; 1175 } 1176 1177 ret = drbg->d_ops->crypto_init(drbg); 1178 if (ret < 0) 1179 goto err; 1180 1181 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1182 if (!drbg->Vbuf) { 1183 ret = -ENOMEM; 1184 goto fini; 1185 } 1186 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1187 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1188 if (!drbg->Cbuf) { 1189 ret = -ENOMEM; 1190 goto fini; 1191 } 1192 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1193 /* scratchpad is only generated for CTR and Hash */ 1194 if (drbg->core->flags & DRBG_HMAC) 1195 sb_size = 0; 1196 else if (drbg->core->flags & DRBG_CTR) 1197 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1198 drbg_statelen(drbg) + /* df_data */ 1199 drbg_blocklen(drbg) + /* pad */ 1200 drbg_blocklen(drbg) + /* iv */ 1201 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1202 else 1203 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1204 1205 if (0 < sb_size) { 1206 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1207 if (!drbg->scratchpadbuf) { 1208 ret = -ENOMEM; 1209 goto fini; 1210 } 1211 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1212 } 1213 1214 return 0; 1215 1216 fini: 1217 drbg->d_ops->crypto_fini(drbg); 1218 err: 1219 drbg_dealloc_state(drbg); 1220 return ret; 1221 } 1222 1223 /************************************************************************* 1224 * DRBG interface functions 1225 *************************************************************************/ 1226 1227 /* 1228 * DRBG generate function as required by SP800-90A - this function 1229 * generates random numbers 1230 * 1231 * @drbg DRBG state handle 1232 * @buf Buffer where to store the random numbers -- the buffer must already 1233 * be pre-allocated by caller 1234 * @buflen Length of output buffer - this value defines the number of random 1235 * bytes pulled from DRBG 1236 * @addtl Additional input that is mixed into state, may be NULL -- note 1237 * the entropy is pulled by the DRBG internally unconditionally 1238 * as defined in SP800-90A. The additional input is mixed into 1239 * the state in addition to the pulled entropy. 1240 * 1241 * return: 0 when all bytes are generated; < 0 in case of an error 1242 */ 1243 static int drbg_generate(struct drbg_state *drbg, 1244 unsigned char *buf, unsigned int buflen, 1245 struct drbg_string *addtl) 1246 { 1247 int len = 0; 1248 LIST_HEAD(addtllist); 1249 1250 if (!drbg->core) { 1251 pr_devel("DRBG: not yet seeded\n"); 1252 return -EINVAL; 1253 } 1254 if (0 == buflen || !buf) { 1255 pr_devel("DRBG: no output buffer provided\n"); 1256 return -EINVAL; 1257 } 1258 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1259 pr_devel("DRBG: wrong format of additional information\n"); 1260 return -EINVAL; 1261 } 1262 1263 /* 9.3.1 step 2 */ 1264 len = -EINVAL; 1265 if (buflen > (drbg_max_request_bytes(drbg))) { 1266 pr_devel("DRBG: requested random numbers too large %u\n", 1267 buflen); 1268 goto err; 1269 } 1270 1271 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1272 1273 /* 9.3.1 step 4 */ 1274 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1275 pr_devel("DRBG: additional information string too long %zu\n", 1276 addtl->len); 1277 goto err; 1278 } 1279 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1280 1281 /* 1282 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1283 * here. The spec is a bit convoluted here, we make it simpler. 1284 */ 1285 if (drbg->reseed_threshold < drbg->reseed_ctr) 1286 drbg->seeded = false; 1287 1288 if (drbg->pr || !drbg->seeded) { 1289 pr_devel("DRBG: reseeding before generation (prediction " 1290 "resistance: %s, state %s)\n", 1291 drbg->pr ? "true" : "false", 1292 drbg->seeded ? "seeded" : "unseeded"); 1293 /* 9.3.1 steps 7.1 through 7.3 */ 1294 len = drbg_seed(drbg, addtl, true); 1295 if (len) 1296 goto err; 1297 /* 9.3.1 step 7.4 */ 1298 addtl = NULL; 1299 } 1300 1301 if (addtl && 0 < addtl->len) 1302 list_add_tail(&addtl->list, &addtllist); 1303 /* 9.3.1 step 8 and 10 */ 1304 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1305 1306 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1307 drbg->reseed_ctr++; 1308 if (0 >= len) 1309 goto err; 1310 1311 /* 1312 * Section 11.3.3 requires to re-perform self tests after some 1313 * generated random numbers. The chosen value after which self 1314 * test is performed is arbitrary, but it should be reasonable. 1315 * However, we do not perform the self tests because of the following 1316 * reasons: it is mathematically impossible that the initial self tests 1317 * were successfully and the following are not. If the initial would 1318 * pass and the following would not, the kernel integrity is violated. 1319 * In this case, the entire kernel operation is questionable and it 1320 * is unlikely that the integrity violation only affects the 1321 * correct operation of the DRBG. 1322 * 1323 * Albeit the following code is commented out, it is provided in 1324 * case somebody has a need to implement the test of 11.3.3. 1325 */ 1326 #if 0 1327 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1328 int err = 0; 1329 pr_devel("DRBG: start to perform self test\n"); 1330 if (drbg->core->flags & DRBG_HMAC) 1331 err = alg_test("drbg_pr_hmac_sha256", 1332 "drbg_pr_hmac_sha256", 0, 0); 1333 else if (drbg->core->flags & DRBG_CTR) 1334 err = alg_test("drbg_pr_ctr_aes128", 1335 "drbg_pr_ctr_aes128", 0, 0); 1336 else 1337 err = alg_test("drbg_pr_sha256", 1338 "drbg_pr_sha256", 0, 0); 1339 if (err) { 1340 pr_err("DRBG: periodical self test failed\n"); 1341 /* 1342 * uninstantiate implies that from now on, only errors 1343 * are returned when reusing this DRBG cipher handle 1344 */ 1345 drbg_uninstantiate(drbg); 1346 return 0; 1347 } else { 1348 pr_devel("DRBG: self test successful\n"); 1349 } 1350 } 1351 #endif 1352 1353 /* 1354 * All operations were successful, return 0 as mandated by 1355 * the kernel crypto API interface. 1356 */ 1357 len = 0; 1358 err: 1359 return len; 1360 } 1361 1362 /* 1363 * Wrapper around drbg_generate which can pull arbitrary long strings 1364 * from the DRBG without hitting the maximum request limitation. 1365 * 1366 * Parameters: see drbg_generate 1367 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1368 * the entire drbg_generate_long request fails 1369 */ 1370 static int drbg_generate_long(struct drbg_state *drbg, 1371 unsigned char *buf, unsigned int buflen, 1372 struct drbg_string *addtl) 1373 { 1374 unsigned int len = 0; 1375 unsigned int slice = 0; 1376 do { 1377 int err = 0; 1378 unsigned int chunk = 0; 1379 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1380 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1381 mutex_lock(&drbg->drbg_mutex); 1382 err = drbg_generate(drbg, buf + len, chunk, addtl); 1383 mutex_unlock(&drbg->drbg_mutex); 1384 if (0 > err) 1385 return err; 1386 len += chunk; 1387 } while (slice > 0 && (len < buflen)); 1388 return 0; 1389 } 1390 1391 static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 1392 { 1393 struct drbg_state *drbg = container_of(rdy, struct drbg_state, 1394 random_ready); 1395 1396 schedule_work(&drbg->seed_work); 1397 } 1398 1399 static int drbg_prepare_hrng(struct drbg_state *drbg) 1400 { 1401 int err; 1402 1403 /* We do not need an HRNG in test mode. */ 1404 if (list_empty(&drbg->test_data.list)) 1405 return 0; 1406 1407 INIT_WORK(&drbg->seed_work, drbg_async_seed); 1408 1409 drbg->random_ready.owner = THIS_MODULE; 1410 drbg->random_ready.func = drbg_schedule_async_seed; 1411 1412 err = add_random_ready_callback(&drbg->random_ready); 1413 1414 switch (err) { 1415 case 0: 1416 break; 1417 1418 case -EALREADY: 1419 err = 0; 1420 /* fall through */ 1421 1422 default: 1423 drbg->random_ready.func = NULL; 1424 return err; 1425 } 1426 1427 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1428 1429 /* 1430 * Require frequent reseeds until the seed source is fully 1431 * initialized. 1432 */ 1433 drbg->reseed_threshold = 50; 1434 1435 return err; 1436 } 1437 1438 /* 1439 * DRBG instantiation function as required by SP800-90A - this function 1440 * sets up the DRBG handle, performs the initial seeding and all sanity 1441 * checks required by SP800-90A 1442 * 1443 * @drbg memory of state -- if NULL, new memory is allocated 1444 * @pers Personalization string that is mixed into state, may be NULL -- note 1445 * the entropy is pulled by the DRBG internally unconditionally 1446 * as defined in SP800-90A. The additional input is mixed into 1447 * the state in addition to the pulled entropy. 1448 * @coreref reference to core 1449 * @pr prediction resistance enabled 1450 * 1451 * return 1452 * 0 on success 1453 * error value otherwise 1454 */ 1455 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1456 int coreref, bool pr) 1457 { 1458 int ret; 1459 bool reseed = true; 1460 1461 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1462 "%s\n", coreref, pr ? "enabled" : "disabled"); 1463 mutex_lock(&drbg->drbg_mutex); 1464 1465 /* 9.1 step 1 is implicit with the selected DRBG type */ 1466 1467 /* 1468 * 9.1 step 2 is implicit as caller can select prediction resistance 1469 * and the flag is copied into drbg->flags -- 1470 * all DRBG types support prediction resistance 1471 */ 1472 1473 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1474 1475 if (!drbg->core) { 1476 drbg->core = &drbg_cores[coreref]; 1477 drbg->pr = pr; 1478 drbg->seeded = false; 1479 drbg->reseed_threshold = drbg_max_requests(drbg); 1480 1481 ret = drbg_alloc_state(drbg); 1482 if (ret) 1483 goto unlock; 1484 1485 ret = drbg_prepare_hrng(drbg); 1486 if (ret) 1487 goto free_everything; 1488 1489 if (IS_ERR(drbg->jent)) { 1490 ret = PTR_ERR(drbg->jent); 1491 drbg->jent = NULL; 1492 if (fips_enabled || ret != -ENOENT) 1493 goto free_everything; 1494 pr_info("DRBG: Continuing without Jitter RNG\n"); 1495 } 1496 1497 reseed = false; 1498 } 1499 1500 ret = drbg_seed(drbg, pers, reseed); 1501 1502 if (ret && !reseed) 1503 goto free_everything; 1504 1505 mutex_unlock(&drbg->drbg_mutex); 1506 return ret; 1507 1508 unlock: 1509 mutex_unlock(&drbg->drbg_mutex); 1510 return ret; 1511 1512 free_everything: 1513 mutex_unlock(&drbg->drbg_mutex); 1514 drbg_uninstantiate(drbg); 1515 return ret; 1516 } 1517 1518 /* 1519 * DRBG uninstantiate function as required by SP800-90A - this function 1520 * frees all buffers and the DRBG handle 1521 * 1522 * @drbg DRBG state handle 1523 * 1524 * return 1525 * 0 on success 1526 */ 1527 static int drbg_uninstantiate(struct drbg_state *drbg) 1528 { 1529 if (drbg->random_ready.func) { 1530 del_random_ready_callback(&drbg->random_ready); 1531 cancel_work_sync(&drbg->seed_work); 1532 crypto_free_rng(drbg->jent); 1533 drbg->jent = NULL; 1534 } 1535 1536 if (drbg->d_ops) 1537 drbg->d_ops->crypto_fini(drbg); 1538 drbg_dealloc_state(drbg); 1539 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1540 return 0; 1541 } 1542 1543 /* 1544 * Helper function for setting the test data in the DRBG 1545 * 1546 * @drbg DRBG state handle 1547 * @data test data 1548 * @len test data length 1549 */ 1550 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1551 const u8 *data, unsigned int len) 1552 { 1553 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1554 1555 mutex_lock(&drbg->drbg_mutex); 1556 drbg_string_fill(&drbg->test_data, data, len); 1557 mutex_unlock(&drbg->drbg_mutex); 1558 } 1559 1560 /*************************************************************** 1561 * Kernel crypto API cipher invocations requested by DRBG 1562 ***************************************************************/ 1563 1564 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1565 struct sdesc { 1566 struct shash_desc shash; 1567 char ctx[]; 1568 }; 1569 1570 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1571 { 1572 struct sdesc *sdesc; 1573 struct crypto_shash *tfm; 1574 1575 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1576 if (IS_ERR(tfm)) { 1577 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1578 drbg->core->backend_cra_name); 1579 return PTR_ERR(tfm); 1580 } 1581 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1582 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1583 GFP_KERNEL); 1584 if (!sdesc) { 1585 crypto_free_shash(tfm); 1586 return -ENOMEM; 1587 } 1588 1589 sdesc->shash.tfm = tfm; 1590 sdesc->shash.flags = 0; 1591 drbg->priv_data = sdesc; 1592 1593 return crypto_shash_alignmask(tfm); 1594 } 1595 1596 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1597 { 1598 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1599 if (sdesc) { 1600 crypto_free_shash(sdesc->shash.tfm); 1601 kzfree(sdesc); 1602 } 1603 drbg->priv_data = NULL; 1604 return 0; 1605 } 1606 1607 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1608 const unsigned char *key) 1609 { 1610 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1611 1612 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1613 } 1614 1615 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1616 const struct list_head *in) 1617 { 1618 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1619 struct drbg_string *input = NULL; 1620 1621 crypto_shash_init(&sdesc->shash); 1622 list_for_each_entry(input, in, list) 1623 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1624 return crypto_shash_final(&sdesc->shash, outval); 1625 } 1626 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1627 1628 #ifdef CONFIG_CRYPTO_DRBG_CTR 1629 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1630 { 1631 struct crypto_cipher *tfm = 1632 (struct crypto_cipher *)drbg->priv_data; 1633 if (tfm) 1634 crypto_free_cipher(tfm); 1635 drbg->priv_data = NULL; 1636 1637 if (drbg->ctr_handle) 1638 crypto_free_skcipher(drbg->ctr_handle); 1639 drbg->ctr_handle = NULL; 1640 1641 if (drbg->ctr_req) 1642 skcipher_request_free(drbg->ctr_req); 1643 drbg->ctr_req = NULL; 1644 1645 kfree(drbg->ctr_null_value_buf); 1646 drbg->ctr_null_value = NULL; 1647 1648 kfree(drbg->outscratchpadbuf); 1649 drbg->outscratchpadbuf = NULL; 1650 1651 return 0; 1652 } 1653 1654 static void drbg_skcipher_cb(struct crypto_async_request *req, int error) 1655 { 1656 struct drbg_state *drbg = req->data; 1657 1658 if (error == -EINPROGRESS) 1659 return; 1660 drbg->ctr_async_err = error; 1661 complete(&drbg->ctr_completion); 1662 } 1663 1664 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1665 { 1666 struct crypto_cipher *tfm; 1667 struct crypto_skcipher *sk_tfm; 1668 struct skcipher_request *req; 1669 unsigned int alignmask; 1670 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1671 1672 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1673 if (IS_ERR(tfm)) { 1674 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1675 drbg->core->backend_cra_name); 1676 return PTR_ERR(tfm); 1677 } 1678 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1679 drbg->priv_data = tfm; 1680 1681 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1682 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1683 drbg_fini_sym_kernel(drbg); 1684 return -EINVAL; 1685 } 1686 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1687 if (IS_ERR(sk_tfm)) { 1688 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1689 ctr_name); 1690 drbg_fini_sym_kernel(drbg); 1691 return PTR_ERR(sk_tfm); 1692 } 1693 drbg->ctr_handle = sk_tfm; 1694 1695 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1696 if (!req) { 1697 pr_info("DRBG: could not allocate request queue\n"); 1698 drbg_fini_sym_kernel(drbg); 1699 return -ENOMEM; 1700 } 1701 drbg->ctr_req = req; 1702 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 1703 drbg_skcipher_cb, drbg); 1704 1705 alignmask = crypto_skcipher_alignmask(sk_tfm); 1706 drbg->ctr_null_value_buf = kzalloc(DRBG_CTR_NULL_LEN + alignmask, 1707 GFP_KERNEL); 1708 if (!drbg->ctr_null_value_buf) { 1709 drbg_fini_sym_kernel(drbg); 1710 return -ENOMEM; 1711 } 1712 drbg->ctr_null_value = (u8 *)PTR_ALIGN(drbg->ctr_null_value_buf, 1713 alignmask + 1); 1714 1715 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1716 GFP_KERNEL); 1717 if (!drbg->outscratchpadbuf) { 1718 drbg_fini_sym_kernel(drbg); 1719 return -ENOMEM; 1720 } 1721 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1722 alignmask + 1); 1723 1724 return alignmask; 1725 } 1726 1727 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1728 const unsigned char *key) 1729 { 1730 struct crypto_cipher *tfm = 1731 (struct crypto_cipher *)drbg->priv_data; 1732 1733 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1734 } 1735 1736 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1737 const struct drbg_string *in) 1738 { 1739 struct crypto_cipher *tfm = 1740 (struct crypto_cipher *)drbg->priv_data; 1741 1742 /* there is only component in *in */ 1743 BUG_ON(in->len < drbg_blocklen(drbg)); 1744 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1745 return 0; 1746 } 1747 1748 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1749 u8 *inbuf, u32 inlen, 1750 u8 *outbuf, u32 outlen) 1751 { 1752 struct scatterlist sg_in, sg_out; 1753 int ret; 1754 1755 sg_init_one(&sg_in, inbuf, inlen); 1756 sg_init_one(&sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1757 1758 while (outlen) { 1759 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1760 1761 /* Output buffer may not be valid for SGL, use scratchpad */ 1762 skcipher_request_set_crypt(drbg->ctr_req, &sg_in, &sg_out, 1763 cryptlen, drbg->V); 1764 ret = crypto_skcipher_encrypt(drbg->ctr_req); 1765 switch (ret) { 1766 case 0: 1767 break; 1768 case -EINPROGRESS: 1769 case -EBUSY: 1770 wait_for_completion(&drbg->ctr_completion); 1771 if (!drbg->ctr_async_err) { 1772 reinit_completion(&drbg->ctr_completion); 1773 break; 1774 } 1775 default: 1776 goto out; 1777 } 1778 init_completion(&drbg->ctr_completion); 1779 1780 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1781 1782 outlen -= cryptlen; 1783 outbuf += cryptlen; 1784 } 1785 ret = 0; 1786 1787 out: 1788 memzero_explicit(drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1789 return ret; 1790 } 1791 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1792 1793 /*************************************************************** 1794 * Kernel crypto API interface to register DRBG 1795 ***************************************************************/ 1796 1797 /* 1798 * Look up the DRBG flags by given kernel crypto API cra_name 1799 * The code uses the drbg_cores definition to do this 1800 * 1801 * @cra_name kernel crypto API cra_name 1802 * @coreref reference to integer which is filled with the pointer to 1803 * the applicable core 1804 * @pr reference for setting prediction resistance 1805 * 1806 * return: flags 1807 */ 1808 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1809 int *coreref, bool *pr) 1810 { 1811 int i = 0; 1812 size_t start = 0; 1813 int len = 0; 1814 1815 *pr = true; 1816 /* disassemble the names */ 1817 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1818 start = 10; 1819 *pr = false; 1820 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1821 start = 8; 1822 } else { 1823 return; 1824 } 1825 1826 /* remove the first part */ 1827 len = strlen(cra_driver_name) - start; 1828 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1829 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1830 len)) { 1831 *coreref = i; 1832 return; 1833 } 1834 } 1835 } 1836 1837 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1838 { 1839 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1840 1841 mutex_init(&drbg->drbg_mutex); 1842 1843 return 0; 1844 } 1845 1846 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1847 { 1848 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1849 } 1850 1851 /* 1852 * Generate random numbers invoked by the kernel crypto API: 1853 * The API of the kernel crypto API is extended as follows: 1854 * 1855 * src is additional input supplied to the RNG. 1856 * slen is the length of src. 1857 * dst is the output buffer where random data is to be stored. 1858 * dlen is the length of dst. 1859 */ 1860 static int drbg_kcapi_random(struct crypto_rng *tfm, 1861 const u8 *src, unsigned int slen, 1862 u8 *dst, unsigned int dlen) 1863 { 1864 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1865 struct drbg_string *addtl = NULL; 1866 struct drbg_string string; 1867 1868 if (slen) { 1869 /* linked list variable is now local to allow modification */ 1870 drbg_string_fill(&string, src, slen); 1871 addtl = &string; 1872 } 1873 1874 return drbg_generate_long(drbg, dst, dlen, addtl); 1875 } 1876 1877 /* 1878 * Seed the DRBG invoked by the kernel crypto API 1879 */ 1880 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1881 const u8 *seed, unsigned int slen) 1882 { 1883 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1884 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1885 bool pr = false; 1886 struct drbg_string string; 1887 struct drbg_string *seed_string = NULL; 1888 int coreref = 0; 1889 1890 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1891 &pr); 1892 if (0 < slen) { 1893 drbg_string_fill(&string, seed, slen); 1894 seed_string = &string; 1895 } 1896 1897 return drbg_instantiate(drbg, seed_string, coreref, pr); 1898 } 1899 1900 /*************************************************************** 1901 * Kernel module: code to load the module 1902 ***************************************************************/ 1903 1904 /* 1905 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1906 * of the error handling. 1907 * 1908 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1909 * as seed source of get_random_bytes does not fail. 1910 * 1911 * Note 2: There is no sensible way of testing the reseed counter 1912 * enforcement, so skip it. 1913 */ 1914 static inline int __init drbg_healthcheck_sanity(void) 1915 { 1916 int len = 0; 1917 #define OUTBUFLEN 16 1918 unsigned char buf[OUTBUFLEN]; 1919 struct drbg_state *drbg = NULL; 1920 int ret = -EFAULT; 1921 int rc = -EFAULT; 1922 bool pr = false; 1923 int coreref = 0; 1924 struct drbg_string addtl; 1925 size_t max_addtllen, max_request_bytes; 1926 1927 /* only perform test in FIPS mode */ 1928 if (!fips_enabled) 1929 return 0; 1930 1931 #ifdef CONFIG_CRYPTO_DRBG_CTR 1932 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1933 #elif defined CONFIG_CRYPTO_DRBG_HASH 1934 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1935 #else 1936 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1937 #endif 1938 1939 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1940 if (!drbg) 1941 return -ENOMEM; 1942 1943 mutex_init(&drbg->drbg_mutex); 1944 drbg->core = &drbg_cores[coreref]; 1945 drbg->reseed_threshold = drbg_max_requests(drbg); 1946 1947 /* 1948 * if the following tests fail, it is likely that there is a buffer 1949 * overflow as buf is much smaller than the requested or provided 1950 * string lengths -- in case the error handling does not succeed 1951 * we may get an OOPS. And we want to get an OOPS as this is a 1952 * grave bug. 1953 */ 1954 1955 max_addtllen = drbg_max_addtl(drbg); 1956 max_request_bytes = drbg_max_request_bytes(drbg); 1957 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1958 /* overflow addtllen with additonal info string */ 1959 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1960 BUG_ON(0 < len); 1961 /* overflow max_bits */ 1962 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1963 BUG_ON(0 < len); 1964 1965 /* overflow max addtllen with personalization string */ 1966 ret = drbg_seed(drbg, &addtl, false); 1967 BUG_ON(0 == ret); 1968 /* all tests passed */ 1969 rc = 0; 1970 1971 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1972 "completed\n"); 1973 1974 kfree(drbg); 1975 return rc; 1976 } 1977 1978 static struct rng_alg drbg_algs[22]; 1979 1980 /* 1981 * Fill the array drbg_algs used to register the different DRBGs 1982 * with the kernel crypto API. To fill the array, the information 1983 * from drbg_cores[] is used. 1984 */ 1985 static inline void __init drbg_fill_array(struct rng_alg *alg, 1986 const struct drbg_core *core, int pr) 1987 { 1988 int pos = 0; 1989 static int priority = 200; 1990 1991 memcpy(alg->base.cra_name, "stdrng", 6); 1992 if (pr) { 1993 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1994 pos = 8; 1995 } else { 1996 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1997 pos = 10; 1998 } 1999 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2000 strlen(core->cra_name)); 2001 2002 alg->base.cra_priority = priority; 2003 priority++; 2004 /* 2005 * If FIPS mode enabled, the selected DRBG shall have the 2006 * highest cra_priority over other stdrng instances to ensure 2007 * it is selected. 2008 */ 2009 if (fips_enabled) 2010 alg->base.cra_priority += 200; 2011 2012 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2013 alg->base.cra_module = THIS_MODULE; 2014 alg->base.cra_init = drbg_kcapi_init; 2015 alg->base.cra_exit = drbg_kcapi_cleanup; 2016 alg->generate = drbg_kcapi_random; 2017 alg->seed = drbg_kcapi_seed; 2018 alg->set_ent = drbg_kcapi_set_entropy; 2019 alg->seedsize = 0; 2020 } 2021 2022 static int __init drbg_init(void) 2023 { 2024 unsigned int i = 0; /* pointer to drbg_algs */ 2025 unsigned int j = 0; /* pointer to drbg_cores */ 2026 int ret; 2027 2028 ret = drbg_healthcheck_sanity(); 2029 if (ret) 2030 return ret; 2031 2032 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2033 pr_info("DRBG: Cannot register all DRBG types" 2034 "(slots needed: %zu, slots available: %zu)\n", 2035 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2036 return -EFAULT; 2037 } 2038 2039 /* 2040 * each DRBG definition can be used with PR and without PR, thus 2041 * we instantiate each DRBG in drbg_cores[] twice. 2042 * 2043 * As the order of placing them into the drbg_algs array matters 2044 * (the later DRBGs receive a higher cra_priority) we register the 2045 * prediction resistance DRBGs first as the should not be too 2046 * interesting. 2047 */ 2048 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2049 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2050 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2051 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2052 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2053 } 2054 2055 static void __exit drbg_exit(void) 2056 { 2057 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2058 } 2059 2060 module_init(drbg_init); 2061 module_exit(drbg_exit); 2062 #ifndef CRYPTO_DRBG_HASH_STRING 2063 #define CRYPTO_DRBG_HASH_STRING "" 2064 #endif 2065 #ifndef CRYPTO_DRBG_HMAC_STRING 2066 #define CRYPTO_DRBG_HMAC_STRING "" 2067 #endif 2068 #ifndef CRYPTO_DRBG_CTR_STRING 2069 #define CRYPTO_DRBG_CTR_STRING "" 2070 #endif 2071 MODULE_LICENSE("GPL"); 2072 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2073 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2074 "using following cores: " 2075 CRYPTO_DRBG_HASH_STRING 2076 CRYPTO_DRBG_HMAC_STRING 2077 CRYPTO_DRBG_CTR_STRING); 2078 MODULE_ALIAS_CRYPTO("stdrng"); 2079