1 /* 2 * DRBG based on NIST SP800-90A 3 * 4 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, and the entire permission notice in its entirety, 11 * including the disclaimer of warranties. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote 16 * products derived from this software without specific prior 17 * written permission. 18 * 19 * ALTERNATIVELY, this product may be distributed under the terms of 20 * the GNU General Public License, in which case the provisions of the GPL are 21 * required INSTEAD OF the above restrictions. (This clause is 22 * necessary due to a potential bad interaction between the GPL and 23 * the restrictions contained in a BSD-style copyright.) 24 * 25 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 26 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 28 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 29 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 30 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 31 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 32 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 33 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 35 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 36 * DAMAGE. 37 */ 38 39 #ifndef _DRBG_H 40 #define _DRBG_H 41 42 43 #include <linux/random.h> 44 #include <linux/scatterlist.h> 45 #include <crypto/hash.h> 46 #include <linux/module.h> 47 #include <linux/crypto.h> 48 #include <linux/slab.h> 49 #include <crypto/internal/rng.h> 50 #include <crypto/rng.h> 51 #include <linux/fips.h> 52 #include <linux/spinlock.h> 53 #include <linux/list.h> 54 55 /* 56 * Concatenation Helper and string operation helper 57 * 58 * SP800-90A requires the concatenation of different data. To avoid copying 59 * buffers around or allocate additional memory, the following data structure 60 * is used to point to the original memory with its size. In addition, it 61 * is used to build a linked list. The linked list defines the concatenation 62 * of individual buffers. The order of memory block referenced in that 63 * linked list determines the order of concatenation. 64 */ 65 struct drbg_string { 66 const unsigned char *buf; 67 size_t len; 68 struct list_head list; 69 }; 70 71 static inline void drbg_string_fill(struct drbg_string *string, 72 const unsigned char *buf, size_t len) 73 { 74 string->buf = buf; 75 string->len = len; 76 INIT_LIST_HEAD(&string->list); 77 } 78 79 struct drbg_state; 80 typedef uint32_t drbg_flag_t; 81 82 struct drbg_core { 83 drbg_flag_t flags; /* flags for the cipher */ 84 __u8 statelen; /* maximum state length */ 85 /* 86 * maximum length of personalization string or additional input 87 * string -- exponent for base 2 88 */ 89 __u8 max_addtllen; 90 /* maximum bits per RNG request -- exponent for base 2*/ 91 __u8 max_bits; 92 /* maximum number of requests -- exponent for base 2 */ 93 __u8 max_req; 94 __u8 blocklen_bytes; /* block size of output in bytes */ 95 char cra_name[CRYPTO_MAX_ALG_NAME]; /* mapping to kernel crypto API */ 96 /* kernel crypto API backend cipher name */ 97 char backend_cra_name[CRYPTO_MAX_ALG_NAME]; 98 }; 99 100 struct drbg_state_ops { 101 int (*update)(struct drbg_state *drbg, struct list_head *seed, 102 int reseed); 103 int (*generate)(struct drbg_state *drbg, 104 unsigned char *buf, unsigned int buflen, 105 struct list_head *addtl); 106 int (*crypto_init)(struct drbg_state *drbg); 107 int (*crypto_fini)(struct drbg_state *drbg); 108 109 }; 110 111 struct drbg_test_data { 112 struct drbg_string *testentropy; /* TEST PARAMETER: test entropy */ 113 }; 114 115 struct drbg_state { 116 spinlock_t drbg_lock; /* lock around DRBG */ 117 unsigned char *V; /* internal state 10.1.1.1 1a) */ 118 /* hash: static value 10.1.1.1 1b) hmac / ctr: key */ 119 unsigned char *C; 120 /* Number of RNG requests since last reseed -- 10.1.1.1 1c) */ 121 size_t reseed_ctr; 122 /* some memory the DRBG can use for its operation */ 123 unsigned char *scratchpad; 124 void *priv_data; /* Cipher handle */ 125 bool seeded; /* DRBG fully seeded? */ 126 bool pr; /* Prediction resistance enabled? */ 127 #ifdef CONFIG_CRYPTO_FIPS 128 bool fips_primed; /* Continuous test primed? */ 129 unsigned char *prev; /* FIPS 140-2 continuous test value */ 130 #endif 131 const struct drbg_state_ops *d_ops; 132 const struct drbg_core *core; 133 struct drbg_test_data *test_data; 134 }; 135 136 static inline __u8 drbg_statelen(struct drbg_state *drbg) 137 { 138 if (drbg && drbg->core) 139 return drbg->core->statelen; 140 return 0; 141 } 142 143 static inline __u8 drbg_blocklen(struct drbg_state *drbg) 144 { 145 if (drbg && drbg->core) 146 return drbg->core->blocklen_bytes; 147 return 0; 148 } 149 150 static inline __u8 drbg_keylen(struct drbg_state *drbg) 151 { 152 if (drbg && drbg->core) 153 return (drbg->core->statelen - drbg->core->blocklen_bytes); 154 return 0; 155 } 156 157 static inline size_t drbg_max_request_bytes(struct drbg_state *drbg) 158 { 159 /* max_bits is in bits, but buflen is in bytes */ 160 return (1 << (drbg->core->max_bits - 3)); 161 } 162 163 static inline size_t drbg_max_addtl(struct drbg_state *drbg) 164 { 165 return (1UL<<(drbg->core->max_addtllen)); 166 } 167 168 static inline size_t drbg_max_requests(struct drbg_state *drbg) 169 { 170 return (1UL<<(drbg->core->max_req)); 171 } 172 173 /* 174 * kernel crypto API input data structure for DRBG generate in case dlen 175 * is set to 0 176 */ 177 struct drbg_gen { 178 unsigned char *outbuf; /* output buffer for random numbers */ 179 unsigned int outlen; /* size of output buffer */ 180 struct drbg_string *addtl; /* additional information string */ 181 struct drbg_test_data *test_data; /* test data */ 182 }; 183 184 /* 185 * This is a wrapper to the kernel crypto API function of 186 * crypto_rng_get_bytes() to allow the caller to provide additional data. 187 * 188 * @drng DRBG handle -- see crypto_rng_get_bytes 189 * @outbuf output buffer -- see crypto_rng_get_bytes 190 * @outlen length of output buffer -- see crypto_rng_get_bytes 191 * @addtl_input additional information string input buffer 192 * @addtllen length of additional information string buffer 193 * 194 * return 195 * see crypto_rng_get_bytes 196 */ 197 static inline int crypto_drbg_get_bytes_addtl(struct crypto_rng *drng, 198 unsigned char *outbuf, unsigned int outlen, 199 struct drbg_string *addtl) 200 { 201 int ret; 202 struct drbg_gen genbuf; 203 genbuf.outbuf = outbuf; 204 genbuf.outlen = outlen; 205 genbuf.addtl = addtl; 206 genbuf.test_data = NULL; 207 ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); 208 return ret; 209 } 210 211 /* 212 * TEST code 213 * 214 * This is a wrapper to the kernel crypto API function of 215 * crypto_rng_get_bytes() to allow the caller to provide additional data and 216 * allow furnishing of test_data 217 * 218 * @drng DRBG handle -- see crypto_rng_get_bytes 219 * @outbuf output buffer -- see crypto_rng_get_bytes 220 * @outlen length of output buffer -- see crypto_rng_get_bytes 221 * @addtl_input additional information string input buffer 222 * @addtllen length of additional information string buffer 223 * @test_data filled test data 224 * 225 * return 226 * see crypto_rng_get_bytes 227 */ 228 static inline int crypto_drbg_get_bytes_addtl_test(struct crypto_rng *drng, 229 unsigned char *outbuf, unsigned int outlen, 230 struct drbg_string *addtl, 231 struct drbg_test_data *test_data) 232 { 233 int ret; 234 struct drbg_gen genbuf; 235 genbuf.outbuf = outbuf; 236 genbuf.outlen = outlen; 237 genbuf.addtl = addtl; 238 genbuf.test_data = test_data; 239 ret = crypto_rng_get_bytes(drng, (u8 *)&genbuf, 0); 240 return ret; 241 } 242 243 /* 244 * TEST code 245 * 246 * This is a wrapper to the kernel crypto API function of 247 * crypto_rng_reset() to allow the caller to provide test_data 248 * 249 * @drng DRBG handle -- see crypto_rng_reset 250 * @pers personalization string input buffer 251 * @perslen length of additional information string buffer 252 * @test_data filled test data 253 * 254 * return 255 * see crypto_rng_reset 256 */ 257 static inline int crypto_drbg_reset_test(struct crypto_rng *drng, 258 struct drbg_string *pers, 259 struct drbg_test_data *test_data) 260 { 261 int ret; 262 struct drbg_gen genbuf; 263 genbuf.outbuf = NULL; 264 genbuf.outlen = 0; 265 genbuf.addtl = pers; 266 genbuf.test_data = test_data; 267 ret = crypto_rng_reset(drng, (u8 *)&genbuf, 0); 268 return ret; 269 } 270 271 /* DRBG type flags */ 272 #define DRBG_CTR ((drbg_flag_t)1<<0) 273 #define DRBG_HMAC ((drbg_flag_t)1<<1) 274 #define DRBG_HASH ((drbg_flag_t)1<<2) 275 #define DRBG_TYPE_MASK (DRBG_CTR | DRBG_HMAC | DRBG_HASH) 276 /* DRBG strength flags */ 277 #define DRBG_STRENGTH128 ((drbg_flag_t)1<<3) 278 #define DRBG_STRENGTH192 ((drbg_flag_t)1<<4) 279 #define DRBG_STRENGTH256 ((drbg_flag_t)1<<5) 280 #define DRBG_STRENGTH_MASK (DRBG_STRENGTH128 | DRBG_STRENGTH192 | \ 281 DRBG_STRENGTH256) 282 283 enum drbg_prefixes { 284 DRBG_PREFIX0 = 0x00, 285 DRBG_PREFIX1, 286 DRBG_PREFIX2, 287 DRBG_PREFIX3 288 }; 289 290 #endif /* _DRBG_H */ 291