xref: /linux/crypto/drbg.c (revision cdd30ebb1b9f36159d66f088b61aee264e649d7a)
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *		* with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99 
100 #include <crypto/drbg.h>
101 #include <crypto/internal/cipher.h>
102 #include <linux/kernel.h>
103 #include <linux/jiffies.h>
104 #include <linux/string_choices.h>
105 
106 /***************************************************************
107  * Backend cipher definitions available to DRBG
108  ***************************************************************/
109 
110 /*
111  * The order of the DRBG definitions here matter: every DRBG is registered
112  * as stdrng. Each DRBG receives an increasing cra_priority values the later
113  * they are defined in this array (see drbg_fill_array).
114  *
115  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
116  * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
117  * favored DRBGs are the latest entries in this array.
118  */
119 static const struct drbg_core drbg_cores[] = {
120 #ifdef CONFIG_CRYPTO_DRBG_CTR
121 	{
122 		.flags = DRBG_CTR | DRBG_STRENGTH128,
123 		.statelen = 32, /* 256 bits as defined in 10.2.1 */
124 		.blocklen_bytes = 16,
125 		.cra_name = "ctr_aes128",
126 		.backend_cra_name = "aes",
127 	}, {
128 		.flags = DRBG_CTR | DRBG_STRENGTH192,
129 		.statelen = 40, /* 320 bits as defined in 10.2.1 */
130 		.blocklen_bytes = 16,
131 		.cra_name = "ctr_aes192",
132 		.backend_cra_name = "aes",
133 	}, {
134 		.flags = DRBG_CTR | DRBG_STRENGTH256,
135 		.statelen = 48, /* 384 bits as defined in 10.2.1 */
136 		.blocklen_bytes = 16,
137 		.cra_name = "ctr_aes256",
138 		.backend_cra_name = "aes",
139 	},
140 #endif /* CONFIG_CRYPTO_DRBG_CTR */
141 #ifdef CONFIG_CRYPTO_DRBG_HASH
142 	{
143 		.flags = DRBG_HASH | DRBG_STRENGTH256,
144 		.statelen = 111, /* 888 bits */
145 		.blocklen_bytes = 48,
146 		.cra_name = "sha384",
147 		.backend_cra_name = "sha384",
148 	}, {
149 		.flags = DRBG_HASH | DRBG_STRENGTH256,
150 		.statelen = 111, /* 888 bits */
151 		.blocklen_bytes = 64,
152 		.cra_name = "sha512",
153 		.backend_cra_name = "sha512",
154 	}, {
155 		.flags = DRBG_HASH | DRBG_STRENGTH256,
156 		.statelen = 55, /* 440 bits */
157 		.blocklen_bytes = 32,
158 		.cra_name = "sha256",
159 		.backend_cra_name = "sha256",
160 	},
161 #endif /* CONFIG_CRYPTO_DRBG_HASH */
162 #ifdef CONFIG_CRYPTO_DRBG_HMAC
163 	{
164 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
165 		.statelen = 48, /* block length of cipher */
166 		.blocklen_bytes = 48,
167 		.cra_name = "hmac_sha384",
168 		.backend_cra_name = "hmac(sha384)",
169 	}, {
170 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
171 		.statelen = 32, /* block length of cipher */
172 		.blocklen_bytes = 32,
173 		.cra_name = "hmac_sha256",
174 		.backend_cra_name = "hmac(sha256)",
175 	}, {
176 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
177 		.statelen = 64, /* block length of cipher */
178 		.blocklen_bytes = 64,
179 		.cra_name = "hmac_sha512",
180 		.backend_cra_name = "hmac(sha512)",
181 	},
182 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
183 };
184 
185 static int drbg_uninstantiate(struct drbg_state *drbg);
186 
187 /******************************************************************
188  * Generic helper functions
189  ******************************************************************/
190 
191 /*
192  * Return strength of DRBG according to SP800-90A section 8.4
193  *
194  * @flags DRBG flags reference
195  *
196  * Return: normalized strength in *bytes* value or 32 as default
197  *	   to counter programming errors
198  */
drbg_sec_strength(drbg_flag_t flags)199 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
200 {
201 	switch (flags & DRBG_STRENGTH_MASK) {
202 	case DRBG_STRENGTH128:
203 		return 16;
204 	case DRBG_STRENGTH192:
205 		return 24;
206 	case DRBG_STRENGTH256:
207 		return 32;
208 	default:
209 		return 32;
210 	}
211 }
212 
213 /*
214  * FIPS 140-2 continuous self test for the noise source
215  * The test is performed on the noise source input data. Thus, the function
216  * implicitly knows the size of the buffer to be equal to the security
217  * strength.
218  *
219  * Note, this function disregards the nonce trailing the entropy data during
220  * initial seeding.
221  *
222  * drbg->drbg_mutex must have been taken.
223  *
224  * @drbg DRBG handle
225  * @entropy buffer of seed data to be checked
226  *
227  * return:
228  *	0 on success
229  *	-EAGAIN on when the CTRNG is not yet primed
230  *	< 0 on error
231  */
drbg_fips_continuous_test(struct drbg_state * drbg,const unsigned char * entropy)232 static int drbg_fips_continuous_test(struct drbg_state *drbg,
233 				     const unsigned char *entropy)
234 {
235 	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
236 	int ret = 0;
237 
238 	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
239 		return 0;
240 
241 	/* skip test if we test the overall system */
242 	if (list_empty(&drbg->test_data.list))
243 		return 0;
244 	/* only perform test in FIPS mode */
245 	if (!fips_enabled)
246 		return 0;
247 
248 	if (!drbg->fips_primed) {
249 		/* Priming of FIPS test */
250 		memcpy(drbg->prev, entropy, entropylen);
251 		drbg->fips_primed = true;
252 		/* priming: another round is needed */
253 		return -EAGAIN;
254 	}
255 	ret = memcmp(drbg->prev, entropy, entropylen);
256 	if (!ret)
257 		panic("DRBG continuous self test failed\n");
258 	memcpy(drbg->prev, entropy, entropylen);
259 
260 	/* the test shall pass when the two values are not equal */
261 	return 0;
262 }
263 
264 /*
265  * Convert an integer into a byte representation of this integer.
266  * The byte representation is big-endian
267  *
268  * @val value to be converted
269  * @buf buffer holding the converted integer -- caller must ensure that
270  *      buffer size is at least 32 bit
271  */
272 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
drbg_cpu_to_be32(__u32 val,unsigned char * buf)273 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
274 {
275 	struct s {
276 		__be32 conv;
277 	};
278 	struct s *conversion = (struct s *) buf;
279 
280 	conversion->conv = cpu_to_be32(val);
281 }
282 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
283 
284 /******************************************************************
285  * CTR DRBG callback functions
286  ******************************************************************/
287 
288 #ifdef CONFIG_CRYPTO_DRBG_CTR
289 #define CRYPTO_DRBG_CTR_STRING "CTR "
290 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
291 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
292 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
293 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
294 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
295 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
296 
297 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
298 				 const unsigned char *key);
299 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
300 			  const struct drbg_string *in);
301 static int drbg_init_sym_kernel(struct drbg_state *drbg);
302 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
303 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
304 			      u8 *inbuf, u32 inbuflen,
305 			      u8 *outbuf, u32 outlen);
306 #define DRBG_OUTSCRATCHLEN 256
307 
308 /* BCC function for CTR DRBG as defined in 10.4.3 */
drbg_ctr_bcc(struct drbg_state * drbg,unsigned char * out,const unsigned char * key,struct list_head * in)309 static int drbg_ctr_bcc(struct drbg_state *drbg,
310 			unsigned char *out, const unsigned char *key,
311 			struct list_head *in)
312 {
313 	int ret = 0;
314 	struct drbg_string *curr = NULL;
315 	struct drbg_string data;
316 	short cnt = 0;
317 
318 	drbg_string_fill(&data, out, drbg_blocklen(drbg));
319 
320 	/* 10.4.3 step 2 / 4 */
321 	drbg_kcapi_symsetkey(drbg, key);
322 	list_for_each_entry(curr, in, list) {
323 		const unsigned char *pos = curr->buf;
324 		size_t len = curr->len;
325 		/* 10.4.3 step 4.1 */
326 		while (len) {
327 			/* 10.4.3 step 4.2 */
328 			if (drbg_blocklen(drbg) == cnt) {
329 				cnt = 0;
330 				ret = drbg_kcapi_sym(drbg, out, &data);
331 				if (ret)
332 					return ret;
333 			}
334 			out[cnt] ^= *pos;
335 			pos++;
336 			cnt++;
337 			len--;
338 		}
339 	}
340 	/* 10.4.3 step 4.2 for last block */
341 	if (cnt)
342 		ret = drbg_kcapi_sym(drbg, out, &data);
343 
344 	return ret;
345 }
346 
347 /*
348  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
349  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
350  * the scratchpad is used as follows:
351  * drbg_ctr_update:
352  *	temp
353  *		start: drbg->scratchpad
354  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
355  *			note: the cipher writing into this variable works
356  *			blocklen-wise. Now, when the statelen is not a multiple
357  *			of blocklen, the generateion loop below "spills over"
358  *			by at most blocklen. Thus, we need to give sufficient
359  *			memory.
360  *	df_data
361  *		start: drbg->scratchpad +
362  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
363  *		length: drbg_statelen(drbg)
364  *
365  * drbg_ctr_df:
366  *	pad
367  *		start: df_data + drbg_statelen(drbg)
368  *		length: drbg_blocklen(drbg)
369  *	iv
370  *		start: pad + drbg_blocklen(drbg)
371  *		length: drbg_blocklen(drbg)
372  *	temp
373  *		start: iv + drbg_blocklen(drbg)
374  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
375  *			note: temp is the buffer that the BCC function operates
376  *			on. BCC operates blockwise. drbg_statelen(drbg)
377  *			is sufficient when the DRBG state length is a multiple
378  *			of the block size. For AES192 (and maybe other ciphers)
379  *			this is not correct and the length for temp is
380  *			insufficient (yes, that also means for such ciphers,
381  *			the final output of all BCC rounds are truncated).
382  *			Therefore, add drbg_blocklen(drbg) to cover all
383  *			possibilities.
384  */
385 
386 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
drbg_ctr_df(struct drbg_state * drbg,unsigned char * df_data,size_t bytes_to_return,struct list_head * seedlist)387 static int drbg_ctr_df(struct drbg_state *drbg,
388 		       unsigned char *df_data, size_t bytes_to_return,
389 		       struct list_head *seedlist)
390 {
391 	int ret = -EFAULT;
392 	unsigned char L_N[8];
393 	/* S3 is input */
394 	struct drbg_string S1, S2, S4, cipherin;
395 	LIST_HEAD(bcc_list);
396 	unsigned char *pad = df_data + drbg_statelen(drbg);
397 	unsigned char *iv = pad + drbg_blocklen(drbg);
398 	unsigned char *temp = iv + drbg_blocklen(drbg);
399 	size_t padlen = 0;
400 	unsigned int templen = 0;
401 	/* 10.4.2 step 7 */
402 	unsigned int i = 0;
403 	/* 10.4.2 step 8 */
404 	const unsigned char *K = (unsigned char *)
405 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
406 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
407 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
408 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
409 	unsigned char *X;
410 	size_t generated_len = 0;
411 	size_t inputlen = 0;
412 	struct drbg_string *seed = NULL;
413 
414 	memset(pad, 0, drbg_blocklen(drbg));
415 	memset(iv, 0, drbg_blocklen(drbg));
416 
417 	/* 10.4.2 step 1 is implicit as we work byte-wise */
418 
419 	/* 10.4.2 step 2 */
420 	if ((512/8) < bytes_to_return)
421 		return -EINVAL;
422 
423 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
424 	list_for_each_entry(seed, seedlist, list)
425 		inputlen += seed->len;
426 	drbg_cpu_to_be32(inputlen, &L_N[0]);
427 
428 	/* 10.4.2 step 3 */
429 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
430 
431 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
432 	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
433 	/* wrap the padlen appropriately */
434 	if (padlen)
435 		padlen = drbg_blocklen(drbg) - padlen;
436 	/*
437 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
438 	 * As the calculated padlen value only covers the number of zero
439 	 * bytes, this value has to be incremented by one for the 0x80 byte.
440 	 */
441 	padlen++;
442 	pad[0] = 0x80;
443 
444 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
445 	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
446 	list_add_tail(&S1.list, &bcc_list);
447 	drbg_string_fill(&S2, L_N, sizeof(L_N));
448 	list_add_tail(&S2.list, &bcc_list);
449 	list_splice_tail(seedlist, &bcc_list);
450 	drbg_string_fill(&S4, pad, padlen);
451 	list_add_tail(&S4.list, &bcc_list);
452 
453 	/* 10.4.2 step 9 */
454 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
455 		/*
456 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
457 		 * holds zeros after allocation -- even the increment of i
458 		 * is irrelevant as the increment remains within length of i
459 		 */
460 		drbg_cpu_to_be32(i, iv);
461 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
462 		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
463 		if (ret)
464 			goto out;
465 		/* 10.4.2 step 9.3 */
466 		i++;
467 		templen += drbg_blocklen(drbg);
468 	}
469 
470 	/* 10.4.2 step 11 */
471 	X = temp + (drbg_keylen(drbg));
472 	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
473 
474 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
475 
476 	/* 10.4.2 step 13 */
477 	drbg_kcapi_symsetkey(drbg, temp);
478 	while (generated_len < bytes_to_return) {
479 		short blocklen = 0;
480 		/*
481 		 * 10.4.2 step 13.1: the truncation of the key length is
482 		 * implicit as the key is only drbg_blocklen in size based on
483 		 * the implementation of the cipher function callback
484 		 */
485 		ret = drbg_kcapi_sym(drbg, X, &cipherin);
486 		if (ret)
487 			goto out;
488 		blocklen = (drbg_blocklen(drbg) <
489 				(bytes_to_return - generated_len)) ?
490 			    drbg_blocklen(drbg) :
491 				(bytes_to_return - generated_len);
492 		/* 10.4.2 step 13.2 and 14 */
493 		memcpy(df_data + generated_len, X, blocklen);
494 		generated_len += blocklen;
495 	}
496 
497 	ret = 0;
498 
499 out:
500 	memset(iv, 0, drbg_blocklen(drbg));
501 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
502 	memset(pad, 0, drbg_blocklen(drbg));
503 	return ret;
504 }
505 
506 /*
507  * update function of CTR DRBG as defined in 10.2.1.2
508  *
509  * The reseed variable has an enhanced meaning compared to the update
510  * functions of the other DRBGs as follows:
511  * 0 => initial seed from initialization
512  * 1 => reseed via drbg_seed
513  * 2 => first invocation from drbg_ctr_update when addtl is present. In
514  *      this case, the df_data scratchpad is not deleted so that it is
515  *      available for another calls to prevent calling the DF function
516  *      again.
517  * 3 => second invocation from drbg_ctr_update. When the update function
518  *      was called with addtl, the df_data memory already contains the
519  *      DFed addtl information and we do not need to call DF again.
520  */
drbg_ctr_update(struct drbg_state * drbg,struct list_head * seed,int reseed)521 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
522 			   int reseed)
523 {
524 	int ret = -EFAULT;
525 	/* 10.2.1.2 step 1 */
526 	unsigned char *temp = drbg->scratchpad;
527 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
528 				 drbg_blocklen(drbg);
529 
530 	if (3 > reseed)
531 		memset(df_data, 0, drbg_statelen(drbg));
532 
533 	if (!reseed) {
534 		/*
535 		 * The DRBG uses the CTR mode of the underlying AES cipher. The
536 		 * CTR mode increments the counter value after the AES operation
537 		 * but SP800-90A requires that the counter is incremented before
538 		 * the AES operation. Hence, we increment it at the time we set
539 		 * it by one.
540 		 */
541 		crypto_inc(drbg->V, drbg_blocklen(drbg));
542 
543 		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
544 					     drbg_keylen(drbg));
545 		if (ret)
546 			goto out;
547 	}
548 
549 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
550 	if (seed) {
551 		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
552 		if (ret)
553 			goto out;
554 	}
555 
556 	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
557 				 temp, drbg_statelen(drbg));
558 	if (ret)
559 		return ret;
560 
561 	/* 10.2.1.2 step 5 */
562 	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
563 				     drbg_keylen(drbg));
564 	if (ret)
565 		goto out;
566 	/* 10.2.1.2 step 6 */
567 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
568 	/* See above: increment counter by one to compensate timing of CTR op */
569 	crypto_inc(drbg->V, drbg_blocklen(drbg));
570 	ret = 0;
571 
572 out:
573 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
574 	if (2 != reseed)
575 		memset(df_data, 0, drbg_statelen(drbg));
576 	return ret;
577 }
578 
579 /*
580  * scratchpad use: drbg_ctr_update is called independently from
581  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
582  */
583 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
drbg_ctr_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)584 static int drbg_ctr_generate(struct drbg_state *drbg,
585 			     unsigned char *buf, unsigned int buflen,
586 			     struct list_head *addtl)
587 {
588 	int ret;
589 	int len = min_t(int, buflen, INT_MAX);
590 
591 	/* 10.2.1.5.2 step 2 */
592 	if (addtl && !list_empty(addtl)) {
593 		ret = drbg_ctr_update(drbg, addtl, 2);
594 		if (ret)
595 			return 0;
596 	}
597 
598 	/* 10.2.1.5.2 step 4.1 */
599 	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
600 	if (ret)
601 		return ret;
602 
603 	/* 10.2.1.5.2 step 6 */
604 	ret = drbg_ctr_update(drbg, NULL, 3);
605 	if (ret)
606 		len = ret;
607 
608 	return len;
609 }
610 
611 static const struct drbg_state_ops drbg_ctr_ops = {
612 	.update		= drbg_ctr_update,
613 	.generate	= drbg_ctr_generate,
614 	.crypto_init	= drbg_init_sym_kernel,
615 	.crypto_fini	= drbg_fini_sym_kernel,
616 };
617 #endif /* CONFIG_CRYPTO_DRBG_CTR */
618 
619 /******************************************************************
620  * HMAC DRBG callback functions
621  ******************************************************************/
622 
623 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
624 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
625 			   const struct list_head *in);
626 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
627 				  const unsigned char *key);
628 static int drbg_init_hash_kernel(struct drbg_state *drbg);
629 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
630 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
631 
632 #ifdef CONFIG_CRYPTO_DRBG_HMAC
633 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
634 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
635 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
636 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
637 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
638 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
639 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
640 
641 /* update function of HMAC DRBG as defined in 10.1.2.2 */
drbg_hmac_update(struct drbg_state * drbg,struct list_head * seed,int reseed)642 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
643 			    int reseed)
644 {
645 	int ret = -EFAULT;
646 	int i = 0;
647 	struct drbg_string seed1, seed2, vdata;
648 	LIST_HEAD(seedlist);
649 	LIST_HEAD(vdatalist);
650 
651 	if (!reseed) {
652 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
653 		memset(drbg->V, 1, drbg_statelen(drbg));
654 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
655 	}
656 
657 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
658 	list_add_tail(&seed1.list, &seedlist);
659 	/* buffer of seed2 will be filled in for loop below with one byte */
660 	drbg_string_fill(&seed2, NULL, 1);
661 	list_add_tail(&seed2.list, &seedlist);
662 	/* input data of seed is allowed to be NULL at this point */
663 	if (seed)
664 		list_splice_tail(seed, &seedlist);
665 
666 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
667 	list_add_tail(&vdata.list, &vdatalist);
668 	for (i = 2; 0 < i; i--) {
669 		/* first round uses 0x0, second 0x1 */
670 		unsigned char prefix = DRBG_PREFIX0;
671 		if (1 == i)
672 			prefix = DRBG_PREFIX1;
673 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
674 		seed2.buf = &prefix;
675 		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
676 		if (ret)
677 			return ret;
678 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
679 
680 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
681 		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
682 		if (ret)
683 			return ret;
684 
685 		/* 10.1.2.2 step 3 */
686 		if (!seed)
687 			return ret;
688 	}
689 
690 	return 0;
691 }
692 
693 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
drbg_hmac_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)694 static int drbg_hmac_generate(struct drbg_state *drbg,
695 			      unsigned char *buf,
696 			      unsigned int buflen,
697 			      struct list_head *addtl)
698 {
699 	int len = 0;
700 	int ret = 0;
701 	struct drbg_string data;
702 	LIST_HEAD(datalist);
703 
704 	/* 10.1.2.5 step 2 */
705 	if (addtl && !list_empty(addtl)) {
706 		ret = drbg_hmac_update(drbg, addtl, 1);
707 		if (ret)
708 			return ret;
709 	}
710 
711 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
712 	list_add_tail(&data.list, &datalist);
713 	while (len < buflen) {
714 		unsigned int outlen = 0;
715 		/* 10.1.2.5 step 4.1 */
716 		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
717 		if (ret)
718 			return ret;
719 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
720 			  drbg_blocklen(drbg) : (buflen - len);
721 
722 		/* 10.1.2.5 step 4.2 */
723 		memcpy(buf + len, drbg->V, outlen);
724 		len += outlen;
725 	}
726 
727 	/* 10.1.2.5 step 6 */
728 	if (addtl && !list_empty(addtl))
729 		ret = drbg_hmac_update(drbg, addtl, 1);
730 	else
731 		ret = drbg_hmac_update(drbg, NULL, 1);
732 	if (ret)
733 		return ret;
734 
735 	return len;
736 }
737 
738 static const struct drbg_state_ops drbg_hmac_ops = {
739 	.update		= drbg_hmac_update,
740 	.generate	= drbg_hmac_generate,
741 	.crypto_init	= drbg_init_hash_kernel,
742 	.crypto_fini	= drbg_fini_hash_kernel,
743 };
744 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
745 
746 /******************************************************************
747  * Hash DRBG callback functions
748  ******************************************************************/
749 
750 #ifdef CONFIG_CRYPTO_DRBG_HASH
751 #define CRYPTO_DRBG_HASH_STRING "HASH "
752 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
753 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
754 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
755 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
756 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
757 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
758 
759 /*
760  * Increment buffer
761  *
762  * @dst buffer to increment
763  * @add value to add
764  */
drbg_add_buf(unsigned char * dst,size_t dstlen,const unsigned char * add,size_t addlen)765 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
766 				const unsigned char *add, size_t addlen)
767 {
768 	/* implied: dstlen > addlen */
769 	unsigned char *dstptr;
770 	const unsigned char *addptr;
771 	unsigned int remainder = 0;
772 	size_t len = addlen;
773 
774 	dstptr = dst + (dstlen-1);
775 	addptr = add + (addlen-1);
776 	while (len) {
777 		remainder += *dstptr + *addptr;
778 		*dstptr = remainder & 0xff;
779 		remainder >>= 8;
780 		len--; dstptr--; addptr--;
781 	}
782 	len = dstlen - addlen;
783 	while (len && remainder > 0) {
784 		remainder = *dstptr + 1;
785 		*dstptr = remainder & 0xff;
786 		remainder >>= 8;
787 		len--; dstptr--;
788 	}
789 }
790 
791 /*
792  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
793  * interlinked, the scratchpad is used as follows:
794  * drbg_hash_update
795  *	start: drbg->scratchpad
796  *	length: drbg_statelen(drbg)
797  * drbg_hash_df:
798  *	start: drbg->scratchpad + drbg_statelen(drbg)
799  *	length: drbg_blocklen(drbg)
800  *
801  * drbg_hash_process_addtl uses the scratchpad, but fully completes
802  * before either of the functions mentioned before are invoked. Therefore,
803  * drbg_hash_process_addtl does not need to be specifically considered.
804  */
805 
806 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
drbg_hash_df(struct drbg_state * drbg,unsigned char * outval,size_t outlen,struct list_head * entropylist)807 static int drbg_hash_df(struct drbg_state *drbg,
808 			unsigned char *outval, size_t outlen,
809 			struct list_head *entropylist)
810 {
811 	int ret = 0;
812 	size_t len = 0;
813 	unsigned char input[5];
814 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
815 	struct drbg_string data;
816 
817 	/* 10.4.1 step 3 */
818 	input[0] = 1;
819 	drbg_cpu_to_be32((outlen * 8), &input[1]);
820 
821 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
822 	drbg_string_fill(&data, input, 5);
823 	list_add(&data.list, entropylist);
824 
825 	/* 10.4.1 step 4 */
826 	while (len < outlen) {
827 		short blocklen = 0;
828 		/* 10.4.1 step 4.1 */
829 		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
830 		if (ret)
831 			goto out;
832 		/* 10.4.1 step 4.2 */
833 		input[0]++;
834 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
835 			    drbg_blocklen(drbg) : (outlen - len);
836 		memcpy(outval + len, tmp, blocklen);
837 		len += blocklen;
838 	}
839 
840 out:
841 	memset(tmp, 0, drbg_blocklen(drbg));
842 	return ret;
843 }
844 
845 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
drbg_hash_update(struct drbg_state * drbg,struct list_head * seed,int reseed)846 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
847 			    int reseed)
848 {
849 	int ret = 0;
850 	struct drbg_string data1, data2;
851 	LIST_HEAD(datalist);
852 	LIST_HEAD(datalist2);
853 	unsigned char *V = drbg->scratchpad;
854 	unsigned char prefix = DRBG_PREFIX1;
855 
856 	if (!seed)
857 		return -EINVAL;
858 
859 	if (reseed) {
860 		/* 10.1.1.3 step 1 */
861 		memcpy(V, drbg->V, drbg_statelen(drbg));
862 		drbg_string_fill(&data1, &prefix, 1);
863 		list_add_tail(&data1.list, &datalist);
864 		drbg_string_fill(&data2, V, drbg_statelen(drbg));
865 		list_add_tail(&data2.list, &datalist);
866 	}
867 	list_splice_tail(seed, &datalist);
868 
869 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
870 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
871 	if (ret)
872 		goto out;
873 
874 	/* 10.1.1.2 / 10.1.1.3 step 4  */
875 	prefix = DRBG_PREFIX0;
876 	drbg_string_fill(&data1, &prefix, 1);
877 	list_add_tail(&data1.list, &datalist2);
878 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
879 	list_add_tail(&data2.list, &datalist2);
880 	/* 10.1.1.2 / 10.1.1.3 step 4 */
881 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
882 
883 out:
884 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
885 	return ret;
886 }
887 
888 /* processing of additional information string for Hash DRBG */
drbg_hash_process_addtl(struct drbg_state * drbg,struct list_head * addtl)889 static int drbg_hash_process_addtl(struct drbg_state *drbg,
890 				   struct list_head *addtl)
891 {
892 	int ret = 0;
893 	struct drbg_string data1, data2;
894 	LIST_HEAD(datalist);
895 	unsigned char prefix = DRBG_PREFIX2;
896 
897 	/* 10.1.1.4 step 2 */
898 	if (!addtl || list_empty(addtl))
899 		return 0;
900 
901 	/* 10.1.1.4 step 2a */
902 	drbg_string_fill(&data1, &prefix, 1);
903 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
904 	list_add_tail(&data1.list, &datalist);
905 	list_add_tail(&data2.list, &datalist);
906 	list_splice_tail(addtl, &datalist);
907 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
908 	if (ret)
909 		goto out;
910 
911 	/* 10.1.1.4 step 2b */
912 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
913 		     drbg->scratchpad, drbg_blocklen(drbg));
914 
915 out:
916 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
917 	return ret;
918 }
919 
920 /* Hashgen defined in 10.1.1.4 */
drbg_hash_hashgen(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen)921 static int drbg_hash_hashgen(struct drbg_state *drbg,
922 			     unsigned char *buf,
923 			     unsigned int buflen)
924 {
925 	int len = 0;
926 	int ret = 0;
927 	unsigned char *src = drbg->scratchpad;
928 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
929 	struct drbg_string data;
930 	LIST_HEAD(datalist);
931 
932 	/* 10.1.1.4 step hashgen 2 */
933 	memcpy(src, drbg->V, drbg_statelen(drbg));
934 
935 	drbg_string_fill(&data, src, drbg_statelen(drbg));
936 	list_add_tail(&data.list, &datalist);
937 	while (len < buflen) {
938 		unsigned int outlen = 0;
939 		/* 10.1.1.4 step hashgen 4.1 */
940 		ret = drbg_kcapi_hash(drbg, dst, &datalist);
941 		if (ret) {
942 			len = ret;
943 			goto out;
944 		}
945 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
946 			  drbg_blocklen(drbg) : (buflen - len);
947 		/* 10.1.1.4 step hashgen 4.2 */
948 		memcpy(buf + len, dst, outlen);
949 		len += outlen;
950 		/* 10.1.1.4 hashgen step 4.3 */
951 		if (len < buflen)
952 			crypto_inc(src, drbg_statelen(drbg));
953 	}
954 
955 out:
956 	memset(drbg->scratchpad, 0,
957 	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
958 	return len;
959 }
960 
961 /* generate function for Hash DRBG as defined in  10.1.1.4 */
drbg_hash_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)962 static int drbg_hash_generate(struct drbg_state *drbg,
963 			      unsigned char *buf, unsigned int buflen,
964 			      struct list_head *addtl)
965 {
966 	int len = 0;
967 	int ret = 0;
968 	union {
969 		unsigned char req[8];
970 		__be64 req_int;
971 	} u;
972 	unsigned char prefix = DRBG_PREFIX3;
973 	struct drbg_string data1, data2;
974 	LIST_HEAD(datalist);
975 
976 	/* 10.1.1.4 step 2 */
977 	ret = drbg_hash_process_addtl(drbg, addtl);
978 	if (ret)
979 		return ret;
980 	/* 10.1.1.4 step 3 */
981 	len = drbg_hash_hashgen(drbg, buf, buflen);
982 
983 	/* this is the value H as documented in 10.1.1.4 */
984 	/* 10.1.1.4 step 4 */
985 	drbg_string_fill(&data1, &prefix, 1);
986 	list_add_tail(&data1.list, &datalist);
987 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
988 	list_add_tail(&data2.list, &datalist);
989 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
990 	if (ret) {
991 		len = ret;
992 		goto out;
993 	}
994 
995 	/* 10.1.1.4 step 5 */
996 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
997 		     drbg->scratchpad, drbg_blocklen(drbg));
998 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
999 		     drbg->C, drbg_statelen(drbg));
1000 	u.req_int = cpu_to_be64(drbg->reseed_ctr);
1001 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1002 
1003 out:
1004 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1005 	return len;
1006 }
1007 
1008 /*
1009  * scratchpad usage: as update and generate are used isolated, both
1010  * can use the scratchpad
1011  */
1012 static const struct drbg_state_ops drbg_hash_ops = {
1013 	.update		= drbg_hash_update,
1014 	.generate	= drbg_hash_generate,
1015 	.crypto_init	= drbg_init_hash_kernel,
1016 	.crypto_fini	= drbg_fini_hash_kernel,
1017 };
1018 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1019 
1020 /******************************************************************
1021  * Functions common for DRBG implementations
1022  ******************************************************************/
1023 
__drbg_seed(struct drbg_state * drbg,struct list_head * seed,int reseed,enum drbg_seed_state new_seed_state)1024 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1025 			      int reseed, enum drbg_seed_state new_seed_state)
1026 {
1027 	int ret = drbg->d_ops->update(drbg, seed, reseed);
1028 
1029 	if (ret)
1030 		return ret;
1031 
1032 	drbg->seeded = new_seed_state;
1033 	drbg->last_seed_time = jiffies;
1034 	/* 10.1.1.2 / 10.1.1.3 step 5 */
1035 	drbg->reseed_ctr = 1;
1036 
1037 	switch (drbg->seeded) {
1038 	case DRBG_SEED_STATE_UNSEEDED:
1039 		/* Impossible, but handle it to silence compiler warnings. */
1040 		fallthrough;
1041 	case DRBG_SEED_STATE_PARTIAL:
1042 		/*
1043 		 * Require frequent reseeds until the seed source is
1044 		 * fully initialized.
1045 		 */
1046 		drbg->reseed_threshold = 50;
1047 		break;
1048 
1049 	case DRBG_SEED_STATE_FULL:
1050 		/*
1051 		 * Seed source has become fully initialized, frequent
1052 		 * reseeds no longer required.
1053 		 */
1054 		drbg->reseed_threshold = drbg_max_requests(drbg);
1055 		break;
1056 	}
1057 
1058 	return ret;
1059 }
1060 
drbg_get_random_bytes(struct drbg_state * drbg,unsigned char * entropy,unsigned int entropylen)1061 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1062 					unsigned char *entropy,
1063 					unsigned int entropylen)
1064 {
1065 	int ret;
1066 
1067 	do {
1068 		get_random_bytes(entropy, entropylen);
1069 		ret = drbg_fips_continuous_test(drbg, entropy);
1070 		if (ret && ret != -EAGAIN)
1071 			return ret;
1072 	} while (ret);
1073 
1074 	return 0;
1075 }
1076 
drbg_seed_from_random(struct drbg_state * drbg)1077 static int drbg_seed_from_random(struct drbg_state *drbg)
1078 {
1079 	struct drbg_string data;
1080 	LIST_HEAD(seedlist);
1081 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1082 	unsigned char entropy[32];
1083 	int ret;
1084 
1085 	BUG_ON(!entropylen);
1086 	BUG_ON(entropylen > sizeof(entropy));
1087 
1088 	drbg_string_fill(&data, entropy, entropylen);
1089 	list_add_tail(&data.list, &seedlist);
1090 
1091 	ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1092 	if (ret)
1093 		goto out;
1094 
1095 	ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1096 
1097 out:
1098 	memzero_explicit(entropy, entropylen);
1099 	return ret;
1100 }
1101 
drbg_nopr_reseed_interval_elapsed(struct drbg_state * drbg)1102 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
1103 {
1104 	unsigned long next_reseed;
1105 
1106 	/* Don't ever reseed from get_random_bytes() in test mode. */
1107 	if (list_empty(&drbg->test_data.list))
1108 		return false;
1109 
1110 	/*
1111 	 * Obtain fresh entropy for the nopr DRBGs after 300s have
1112 	 * elapsed in order to still achieve sort of partial
1113 	 * prediction resistance over the time domain at least. Note
1114 	 * that the period of 300s has been chosen to match the
1115 	 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
1116 	 * rngs.
1117 	 */
1118 	next_reseed = drbg->last_seed_time + 300 * HZ;
1119 	return time_after(jiffies, next_reseed);
1120 }
1121 
1122 /*
1123  * Seeding or reseeding of the DRBG
1124  *
1125  * @drbg: DRBG state struct
1126  * @pers: personalization / additional information buffer
1127  * @reseed: 0 for initial seed process, 1 for reseeding
1128  *
1129  * return:
1130  *	0 on success
1131  *	error value otherwise
1132  */
drbg_seed(struct drbg_state * drbg,struct drbg_string * pers,bool reseed)1133 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1134 		     bool reseed)
1135 {
1136 	int ret;
1137 	unsigned char entropy[((32 + 16) * 2)];
1138 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1139 	struct drbg_string data1;
1140 	LIST_HEAD(seedlist);
1141 	enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
1142 
1143 	/* 9.1 / 9.2 / 9.3.1 step 3 */
1144 	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1145 		pr_devel("DRBG: personalization string too long %zu\n",
1146 			 pers->len);
1147 		return -EINVAL;
1148 	}
1149 
1150 	if (list_empty(&drbg->test_data.list)) {
1151 		drbg_string_fill(&data1, drbg->test_data.buf,
1152 				 drbg->test_data.len);
1153 		pr_devel("DRBG: using test entropy\n");
1154 	} else {
1155 		/*
1156 		 * Gather entropy equal to the security strength of the DRBG.
1157 		 * With a derivation function, a nonce is required in addition
1158 		 * to the entropy. A nonce must be at least 1/2 of the security
1159 		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1160 		 * of the strength. The consideration of a nonce is only
1161 		 * applicable during initial seeding.
1162 		 */
1163 		BUG_ON(!entropylen);
1164 		if (!reseed)
1165 			entropylen = ((entropylen + 1) / 2) * 3;
1166 		BUG_ON((entropylen * 2) > sizeof(entropy));
1167 
1168 		/* Get seed from in-kernel /dev/urandom */
1169 		if (!rng_is_initialized())
1170 			new_seed_state = DRBG_SEED_STATE_PARTIAL;
1171 
1172 		ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1173 		if (ret)
1174 			goto out;
1175 
1176 		if (!drbg->jent) {
1177 			drbg_string_fill(&data1, entropy, entropylen);
1178 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1179 				 entropylen);
1180 		} else {
1181 			/*
1182 			 * Get seed from Jitter RNG, failures are
1183 			 * fatal only in FIPS mode.
1184 			 */
1185 			ret = crypto_rng_get_bytes(drbg->jent,
1186 						   entropy + entropylen,
1187 						   entropylen);
1188 			if (fips_enabled && ret) {
1189 				pr_devel("DRBG: jent failed with %d\n", ret);
1190 
1191 				/*
1192 				 * Do not treat the transient failure of the
1193 				 * Jitter RNG as an error that needs to be
1194 				 * reported. The combined number of the
1195 				 * maximum reseed threshold times the maximum
1196 				 * number of Jitter RNG transient errors is
1197 				 * less than the reseed threshold required by
1198 				 * SP800-90A allowing us to treat the
1199 				 * transient errors as such.
1200 				 *
1201 				 * However, we mandate that at least the first
1202 				 * seeding operation must succeed with the
1203 				 * Jitter RNG.
1204 				 */
1205 				if (!reseed || ret != -EAGAIN)
1206 					goto out;
1207 			}
1208 
1209 			drbg_string_fill(&data1, entropy, entropylen * 2);
1210 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1211 				 entropylen * 2);
1212 		}
1213 	}
1214 	list_add_tail(&data1.list, &seedlist);
1215 
1216 	/*
1217 	 * concatenation of entropy with personalization str / addtl input)
1218 	 * the variable pers is directly handed in by the caller, so check its
1219 	 * contents whether it is appropriate
1220 	 */
1221 	if (pers && pers->buf && 0 < pers->len) {
1222 		list_add_tail(&pers->list, &seedlist);
1223 		pr_devel("DRBG: using personalization string\n");
1224 	}
1225 
1226 	if (!reseed) {
1227 		memset(drbg->V, 0, drbg_statelen(drbg));
1228 		memset(drbg->C, 0, drbg_statelen(drbg));
1229 	}
1230 
1231 	ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1232 
1233 out:
1234 	memzero_explicit(entropy, entropylen * 2);
1235 
1236 	return ret;
1237 }
1238 
1239 /* Free all substructures in a DRBG state without the DRBG state structure */
drbg_dealloc_state(struct drbg_state * drbg)1240 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1241 {
1242 	if (!drbg)
1243 		return;
1244 	kfree_sensitive(drbg->Vbuf);
1245 	drbg->Vbuf = NULL;
1246 	drbg->V = NULL;
1247 	kfree_sensitive(drbg->Cbuf);
1248 	drbg->Cbuf = NULL;
1249 	drbg->C = NULL;
1250 	kfree_sensitive(drbg->scratchpadbuf);
1251 	drbg->scratchpadbuf = NULL;
1252 	drbg->reseed_ctr = 0;
1253 	drbg->d_ops = NULL;
1254 	drbg->core = NULL;
1255 	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1256 		kfree_sensitive(drbg->prev);
1257 		drbg->prev = NULL;
1258 		drbg->fips_primed = false;
1259 	}
1260 }
1261 
1262 /*
1263  * Allocate all sub-structures for a DRBG state.
1264  * The DRBG state structure must already be allocated.
1265  */
drbg_alloc_state(struct drbg_state * drbg)1266 static inline int drbg_alloc_state(struct drbg_state *drbg)
1267 {
1268 	int ret = -ENOMEM;
1269 	unsigned int sb_size = 0;
1270 
1271 	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1272 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1273 	case DRBG_HMAC:
1274 		drbg->d_ops = &drbg_hmac_ops;
1275 		break;
1276 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1277 #ifdef CONFIG_CRYPTO_DRBG_HASH
1278 	case DRBG_HASH:
1279 		drbg->d_ops = &drbg_hash_ops;
1280 		break;
1281 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1282 #ifdef CONFIG_CRYPTO_DRBG_CTR
1283 	case DRBG_CTR:
1284 		drbg->d_ops = &drbg_ctr_ops;
1285 		break;
1286 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1287 	default:
1288 		ret = -EOPNOTSUPP;
1289 		goto err;
1290 	}
1291 
1292 	ret = drbg->d_ops->crypto_init(drbg);
1293 	if (ret < 0)
1294 		goto err;
1295 
1296 	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1297 	if (!drbg->Vbuf) {
1298 		ret = -ENOMEM;
1299 		goto fini;
1300 	}
1301 	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1302 	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1303 	if (!drbg->Cbuf) {
1304 		ret = -ENOMEM;
1305 		goto fini;
1306 	}
1307 	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1308 	/* scratchpad is only generated for CTR and Hash */
1309 	if (drbg->core->flags & DRBG_HMAC)
1310 		sb_size = 0;
1311 	else if (drbg->core->flags & DRBG_CTR)
1312 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1313 			  drbg_statelen(drbg) +	/* df_data */
1314 			  drbg_blocklen(drbg) +	/* pad */
1315 			  drbg_blocklen(drbg) +	/* iv */
1316 			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1317 	else
1318 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1319 
1320 	if (0 < sb_size) {
1321 		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1322 		if (!drbg->scratchpadbuf) {
1323 			ret = -ENOMEM;
1324 			goto fini;
1325 		}
1326 		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1327 	}
1328 
1329 	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1330 		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1331 				     GFP_KERNEL);
1332 		if (!drbg->prev) {
1333 			ret = -ENOMEM;
1334 			goto fini;
1335 		}
1336 		drbg->fips_primed = false;
1337 	}
1338 
1339 	return 0;
1340 
1341 fini:
1342 	drbg->d_ops->crypto_fini(drbg);
1343 err:
1344 	drbg_dealloc_state(drbg);
1345 	return ret;
1346 }
1347 
1348 /*************************************************************************
1349  * DRBG interface functions
1350  *************************************************************************/
1351 
1352 /*
1353  * DRBG generate function as required by SP800-90A - this function
1354  * generates random numbers
1355  *
1356  * @drbg DRBG state handle
1357  * @buf Buffer where to store the random numbers -- the buffer must already
1358  *      be pre-allocated by caller
1359  * @buflen Length of output buffer - this value defines the number of random
1360  *	   bytes pulled from DRBG
1361  * @addtl Additional input that is mixed into state, may be NULL -- note
1362  *	  the entropy is pulled by the DRBG internally unconditionally
1363  *	  as defined in SP800-90A. The additional input is mixed into
1364  *	  the state in addition to the pulled entropy.
1365  *
1366  * return: 0 when all bytes are generated; < 0 in case of an error
1367  */
drbg_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1368 static int drbg_generate(struct drbg_state *drbg,
1369 			 unsigned char *buf, unsigned int buflen,
1370 			 struct drbg_string *addtl)
1371 {
1372 	int len = 0;
1373 	LIST_HEAD(addtllist);
1374 
1375 	if (!drbg->core) {
1376 		pr_devel("DRBG: not yet seeded\n");
1377 		return -EINVAL;
1378 	}
1379 	if (0 == buflen || !buf) {
1380 		pr_devel("DRBG: no output buffer provided\n");
1381 		return -EINVAL;
1382 	}
1383 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1384 		pr_devel("DRBG: wrong format of additional information\n");
1385 		return -EINVAL;
1386 	}
1387 
1388 	/* 9.3.1 step 2 */
1389 	len = -EINVAL;
1390 	if (buflen > (drbg_max_request_bytes(drbg))) {
1391 		pr_devel("DRBG: requested random numbers too large %u\n",
1392 			 buflen);
1393 		goto err;
1394 	}
1395 
1396 	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1397 
1398 	/* 9.3.1 step 4 */
1399 	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1400 		pr_devel("DRBG: additional information string too long %zu\n",
1401 			 addtl->len);
1402 		goto err;
1403 	}
1404 	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1405 
1406 	/*
1407 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1408 	 * here. The spec is a bit convoluted here, we make it simpler.
1409 	 */
1410 	if (drbg->reseed_threshold < drbg->reseed_ctr)
1411 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1412 
1413 	if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1414 		pr_devel("DRBG: reseeding before generation (prediction "
1415 			 "resistance: %s, state %s)\n",
1416 			 str_true_false(drbg->pr),
1417 			 (drbg->seeded ==  DRBG_SEED_STATE_FULL ?
1418 			  "seeded" : "unseeded"));
1419 		/* 9.3.1 steps 7.1 through 7.3 */
1420 		len = drbg_seed(drbg, addtl, true);
1421 		if (len)
1422 			goto err;
1423 		/* 9.3.1 step 7.4 */
1424 		addtl = NULL;
1425 	} else if (rng_is_initialized() &&
1426 		   (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1427 		    drbg_nopr_reseed_interval_elapsed(drbg))) {
1428 		len = drbg_seed_from_random(drbg);
1429 		if (len)
1430 			goto err;
1431 	}
1432 
1433 	if (addtl && 0 < addtl->len)
1434 		list_add_tail(&addtl->list, &addtllist);
1435 	/* 9.3.1 step 8 and 10 */
1436 	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1437 
1438 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1439 	drbg->reseed_ctr++;
1440 	if (0 >= len)
1441 		goto err;
1442 
1443 	/*
1444 	 * Section 11.3.3 requires to re-perform self tests after some
1445 	 * generated random numbers. The chosen value after which self
1446 	 * test is performed is arbitrary, but it should be reasonable.
1447 	 * However, we do not perform the self tests because of the following
1448 	 * reasons: it is mathematically impossible that the initial self tests
1449 	 * were successfully and the following are not. If the initial would
1450 	 * pass and the following would not, the kernel integrity is violated.
1451 	 * In this case, the entire kernel operation is questionable and it
1452 	 * is unlikely that the integrity violation only affects the
1453 	 * correct operation of the DRBG.
1454 	 *
1455 	 * Albeit the following code is commented out, it is provided in
1456 	 * case somebody has a need to implement the test of 11.3.3.
1457 	 */
1458 #if 0
1459 	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1460 		int err = 0;
1461 		pr_devel("DRBG: start to perform self test\n");
1462 		if (drbg->core->flags & DRBG_HMAC)
1463 			err = alg_test("drbg_pr_hmac_sha512",
1464 				       "drbg_pr_hmac_sha512", 0, 0);
1465 		else if (drbg->core->flags & DRBG_CTR)
1466 			err = alg_test("drbg_pr_ctr_aes256",
1467 				       "drbg_pr_ctr_aes256", 0, 0);
1468 		else
1469 			err = alg_test("drbg_pr_sha256",
1470 				       "drbg_pr_sha256", 0, 0);
1471 		if (err) {
1472 			pr_err("DRBG: periodical self test failed\n");
1473 			/*
1474 			 * uninstantiate implies that from now on, only errors
1475 			 * are returned when reusing this DRBG cipher handle
1476 			 */
1477 			drbg_uninstantiate(drbg);
1478 			return 0;
1479 		} else {
1480 			pr_devel("DRBG: self test successful\n");
1481 		}
1482 	}
1483 #endif
1484 
1485 	/*
1486 	 * All operations were successful, return 0 as mandated by
1487 	 * the kernel crypto API interface.
1488 	 */
1489 	len = 0;
1490 err:
1491 	return len;
1492 }
1493 
1494 /*
1495  * Wrapper around drbg_generate which can pull arbitrary long strings
1496  * from the DRBG without hitting the maximum request limitation.
1497  *
1498  * Parameters: see drbg_generate
1499  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1500  *		 the entire drbg_generate_long request fails
1501  */
drbg_generate_long(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1502 static int drbg_generate_long(struct drbg_state *drbg,
1503 			      unsigned char *buf, unsigned int buflen,
1504 			      struct drbg_string *addtl)
1505 {
1506 	unsigned int len = 0;
1507 	unsigned int slice = 0;
1508 	do {
1509 		int err = 0;
1510 		unsigned int chunk = 0;
1511 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1512 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1513 		mutex_lock(&drbg->drbg_mutex);
1514 		err = drbg_generate(drbg, buf + len, chunk, addtl);
1515 		mutex_unlock(&drbg->drbg_mutex);
1516 		if (0 > err)
1517 			return err;
1518 		len += chunk;
1519 	} while (slice > 0 && (len < buflen));
1520 	return 0;
1521 }
1522 
drbg_prepare_hrng(struct drbg_state * drbg)1523 static int drbg_prepare_hrng(struct drbg_state *drbg)
1524 {
1525 	/* We do not need an HRNG in test mode. */
1526 	if (list_empty(&drbg->test_data.list))
1527 		return 0;
1528 
1529 	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1530 	if (IS_ERR(drbg->jent)) {
1531 		const int err = PTR_ERR(drbg->jent);
1532 
1533 		drbg->jent = NULL;
1534 		if (fips_enabled)
1535 			return err;
1536 		pr_info("DRBG: Continuing without Jitter RNG\n");
1537 	}
1538 
1539 	return 0;
1540 }
1541 
1542 /*
1543  * DRBG instantiation function as required by SP800-90A - this function
1544  * sets up the DRBG handle, performs the initial seeding and all sanity
1545  * checks required by SP800-90A
1546  *
1547  * @drbg memory of state -- if NULL, new memory is allocated
1548  * @pers Personalization string that is mixed into state, may be NULL -- note
1549  *	 the entropy is pulled by the DRBG internally unconditionally
1550  *	 as defined in SP800-90A. The additional input is mixed into
1551  *	 the state in addition to the pulled entropy.
1552  * @coreref reference to core
1553  * @pr prediction resistance enabled
1554  *
1555  * return
1556  *	0 on success
1557  *	error value otherwise
1558  */
drbg_instantiate(struct drbg_state * drbg,struct drbg_string * pers,int coreref,bool pr)1559 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1560 			    int coreref, bool pr)
1561 {
1562 	int ret;
1563 	bool reseed = true;
1564 
1565 	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1566 		 "%s\n", coreref, str_enabled_disabled(pr));
1567 	mutex_lock(&drbg->drbg_mutex);
1568 
1569 	/* 9.1 step 1 is implicit with the selected DRBG type */
1570 
1571 	/*
1572 	 * 9.1 step 2 is implicit as caller can select prediction resistance
1573 	 * and the flag is copied into drbg->flags --
1574 	 * all DRBG types support prediction resistance
1575 	 */
1576 
1577 	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1578 
1579 	if (!drbg->core) {
1580 		drbg->core = &drbg_cores[coreref];
1581 		drbg->pr = pr;
1582 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1583 		drbg->last_seed_time = 0;
1584 		drbg->reseed_threshold = drbg_max_requests(drbg);
1585 
1586 		ret = drbg_alloc_state(drbg);
1587 		if (ret)
1588 			goto unlock;
1589 
1590 		ret = drbg_prepare_hrng(drbg);
1591 		if (ret)
1592 			goto free_everything;
1593 
1594 		reseed = false;
1595 	}
1596 
1597 	ret = drbg_seed(drbg, pers, reseed);
1598 
1599 	if (ret && !reseed)
1600 		goto free_everything;
1601 
1602 	mutex_unlock(&drbg->drbg_mutex);
1603 	return ret;
1604 
1605 unlock:
1606 	mutex_unlock(&drbg->drbg_mutex);
1607 	return ret;
1608 
1609 free_everything:
1610 	mutex_unlock(&drbg->drbg_mutex);
1611 	drbg_uninstantiate(drbg);
1612 	return ret;
1613 }
1614 
1615 /*
1616  * DRBG uninstantiate function as required by SP800-90A - this function
1617  * frees all buffers and the DRBG handle
1618  *
1619  * @drbg DRBG state handle
1620  *
1621  * return
1622  *	0 on success
1623  */
drbg_uninstantiate(struct drbg_state * drbg)1624 static int drbg_uninstantiate(struct drbg_state *drbg)
1625 {
1626 	if (!IS_ERR_OR_NULL(drbg->jent))
1627 		crypto_free_rng(drbg->jent);
1628 	drbg->jent = NULL;
1629 
1630 	if (drbg->d_ops)
1631 		drbg->d_ops->crypto_fini(drbg);
1632 	drbg_dealloc_state(drbg);
1633 	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1634 	return 0;
1635 }
1636 
1637 /*
1638  * Helper function for setting the test data in the DRBG
1639  *
1640  * @drbg DRBG state handle
1641  * @data test data
1642  * @len test data length
1643  */
drbg_kcapi_set_entropy(struct crypto_rng * tfm,const u8 * data,unsigned int len)1644 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1645 				   const u8 *data, unsigned int len)
1646 {
1647 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1648 
1649 	mutex_lock(&drbg->drbg_mutex);
1650 	drbg_string_fill(&drbg->test_data, data, len);
1651 	mutex_unlock(&drbg->drbg_mutex);
1652 }
1653 
1654 /***************************************************************
1655  * Kernel crypto API cipher invocations requested by DRBG
1656  ***************************************************************/
1657 
1658 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1659 struct sdesc {
1660 	struct shash_desc shash;
1661 	char ctx[];
1662 };
1663 
drbg_init_hash_kernel(struct drbg_state * drbg)1664 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1665 {
1666 	struct sdesc *sdesc;
1667 	struct crypto_shash *tfm;
1668 
1669 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1670 	if (IS_ERR(tfm)) {
1671 		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1672 				drbg->core->backend_cra_name);
1673 		return PTR_ERR(tfm);
1674 	}
1675 	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1676 	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1677 			GFP_KERNEL);
1678 	if (!sdesc) {
1679 		crypto_free_shash(tfm);
1680 		return -ENOMEM;
1681 	}
1682 
1683 	sdesc->shash.tfm = tfm;
1684 	drbg->priv_data = sdesc;
1685 
1686 	return 0;
1687 }
1688 
drbg_fini_hash_kernel(struct drbg_state * drbg)1689 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1690 {
1691 	struct sdesc *sdesc = drbg->priv_data;
1692 	if (sdesc) {
1693 		crypto_free_shash(sdesc->shash.tfm);
1694 		kfree_sensitive(sdesc);
1695 	}
1696 	drbg->priv_data = NULL;
1697 	return 0;
1698 }
1699 
drbg_kcapi_hmacsetkey(struct drbg_state * drbg,const unsigned char * key)1700 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1701 				  const unsigned char *key)
1702 {
1703 	struct sdesc *sdesc = drbg->priv_data;
1704 
1705 	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1706 }
1707 
drbg_kcapi_hash(struct drbg_state * drbg,unsigned char * outval,const struct list_head * in)1708 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1709 			   const struct list_head *in)
1710 {
1711 	struct sdesc *sdesc = drbg->priv_data;
1712 	struct drbg_string *input = NULL;
1713 
1714 	crypto_shash_init(&sdesc->shash);
1715 	list_for_each_entry(input, in, list)
1716 		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1717 	return crypto_shash_final(&sdesc->shash, outval);
1718 }
1719 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1720 
1721 #ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_fini_sym_kernel(struct drbg_state * drbg)1722 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1723 {
1724 	struct crypto_cipher *tfm =
1725 		(struct crypto_cipher *)drbg->priv_data;
1726 	if (tfm)
1727 		crypto_free_cipher(tfm);
1728 	drbg->priv_data = NULL;
1729 
1730 	if (drbg->ctr_handle)
1731 		crypto_free_skcipher(drbg->ctr_handle);
1732 	drbg->ctr_handle = NULL;
1733 
1734 	if (drbg->ctr_req)
1735 		skcipher_request_free(drbg->ctr_req);
1736 	drbg->ctr_req = NULL;
1737 
1738 	kfree(drbg->outscratchpadbuf);
1739 	drbg->outscratchpadbuf = NULL;
1740 
1741 	return 0;
1742 }
1743 
drbg_init_sym_kernel(struct drbg_state * drbg)1744 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1745 {
1746 	struct crypto_cipher *tfm;
1747 	struct crypto_skcipher *sk_tfm;
1748 	struct skcipher_request *req;
1749 	unsigned int alignmask;
1750 	char ctr_name[CRYPTO_MAX_ALG_NAME];
1751 
1752 	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1753 	if (IS_ERR(tfm)) {
1754 		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1755 				drbg->core->backend_cra_name);
1756 		return PTR_ERR(tfm);
1757 	}
1758 	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1759 	drbg->priv_data = tfm;
1760 
1761 	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1762 	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1763 		drbg_fini_sym_kernel(drbg);
1764 		return -EINVAL;
1765 	}
1766 	sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1767 	if (IS_ERR(sk_tfm)) {
1768 		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1769 				ctr_name);
1770 		drbg_fini_sym_kernel(drbg);
1771 		return PTR_ERR(sk_tfm);
1772 	}
1773 	drbg->ctr_handle = sk_tfm;
1774 	crypto_init_wait(&drbg->ctr_wait);
1775 
1776 	req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1777 	if (!req) {
1778 		pr_info("DRBG: could not allocate request queue\n");
1779 		drbg_fini_sym_kernel(drbg);
1780 		return -ENOMEM;
1781 	}
1782 	drbg->ctr_req = req;
1783 	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1784 						CRYPTO_TFM_REQ_MAY_SLEEP,
1785 					crypto_req_done, &drbg->ctr_wait);
1786 
1787 	alignmask = crypto_skcipher_alignmask(sk_tfm);
1788 	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1789 					 GFP_KERNEL);
1790 	if (!drbg->outscratchpadbuf) {
1791 		drbg_fini_sym_kernel(drbg);
1792 		return -ENOMEM;
1793 	}
1794 	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1795 					      alignmask + 1);
1796 
1797 	sg_init_table(&drbg->sg_in, 1);
1798 	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1799 
1800 	return alignmask;
1801 }
1802 
drbg_kcapi_symsetkey(struct drbg_state * drbg,const unsigned char * key)1803 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1804 				 const unsigned char *key)
1805 {
1806 	struct crypto_cipher *tfm = drbg->priv_data;
1807 
1808 	crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1809 }
1810 
drbg_kcapi_sym(struct drbg_state * drbg,unsigned char * outval,const struct drbg_string * in)1811 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1812 			  const struct drbg_string *in)
1813 {
1814 	struct crypto_cipher *tfm = drbg->priv_data;
1815 
1816 	/* there is only component in *in */
1817 	BUG_ON(in->len < drbg_blocklen(drbg));
1818 	crypto_cipher_encrypt_one(tfm, outval, in->buf);
1819 	return 0;
1820 }
1821 
drbg_kcapi_sym_ctr(struct drbg_state * drbg,u8 * inbuf,u32 inlen,u8 * outbuf,u32 outlen)1822 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1823 			      u8 *inbuf, u32 inlen,
1824 			      u8 *outbuf, u32 outlen)
1825 {
1826 	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1827 	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1828 	int ret;
1829 
1830 	if (inbuf) {
1831 		/* Use caller-provided input buffer */
1832 		sg_set_buf(sg_in, inbuf, inlen);
1833 	} else {
1834 		/* Use scratchpad for in-place operation */
1835 		inlen = scratchpad_use;
1836 		memset(drbg->outscratchpad, 0, scratchpad_use);
1837 		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1838 	}
1839 
1840 	while (outlen) {
1841 		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1842 
1843 		/* Output buffer may not be valid for SGL, use scratchpad */
1844 		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1845 					   cryptlen, drbg->V);
1846 		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1847 					&drbg->ctr_wait);
1848 		if (ret)
1849 			goto out;
1850 
1851 		crypto_init_wait(&drbg->ctr_wait);
1852 
1853 		memcpy(outbuf, drbg->outscratchpad, cryptlen);
1854 		memzero_explicit(drbg->outscratchpad, cryptlen);
1855 
1856 		outlen -= cryptlen;
1857 		outbuf += cryptlen;
1858 	}
1859 	ret = 0;
1860 
1861 out:
1862 	return ret;
1863 }
1864 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1865 
1866 /***************************************************************
1867  * Kernel crypto API interface to register DRBG
1868  ***************************************************************/
1869 
1870 /*
1871  * Look up the DRBG flags by given kernel crypto API cra_name
1872  * The code uses the drbg_cores definition to do this
1873  *
1874  * @cra_name kernel crypto API cra_name
1875  * @coreref reference to integer which is filled with the pointer to
1876  *  the applicable core
1877  * @pr reference for setting prediction resistance
1878  *
1879  * return: flags
1880  */
drbg_convert_tfm_core(const char * cra_driver_name,int * coreref,bool * pr)1881 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1882 					 int *coreref, bool *pr)
1883 {
1884 	int i = 0;
1885 	size_t start = 0;
1886 	int len = 0;
1887 
1888 	*pr = true;
1889 	/* disassemble the names */
1890 	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1891 		start = 10;
1892 		*pr = false;
1893 	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1894 		start = 8;
1895 	} else {
1896 		return;
1897 	}
1898 
1899 	/* remove the first part */
1900 	len = strlen(cra_driver_name) - start;
1901 	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1902 		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1903 			    len)) {
1904 			*coreref = i;
1905 			return;
1906 		}
1907 	}
1908 }
1909 
drbg_kcapi_init(struct crypto_tfm * tfm)1910 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1911 {
1912 	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1913 
1914 	mutex_init(&drbg->drbg_mutex);
1915 
1916 	return 0;
1917 }
1918 
drbg_kcapi_cleanup(struct crypto_tfm * tfm)1919 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1920 {
1921 	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1922 }
1923 
1924 /*
1925  * Generate random numbers invoked by the kernel crypto API:
1926  * The API of the kernel crypto API is extended as follows:
1927  *
1928  * src is additional input supplied to the RNG.
1929  * slen is the length of src.
1930  * dst is the output buffer where random data is to be stored.
1931  * dlen is the length of dst.
1932  */
drbg_kcapi_random(struct crypto_rng * tfm,const u8 * src,unsigned int slen,u8 * dst,unsigned int dlen)1933 static int drbg_kcapi_random(struct crypto_rng *tfm,
1934 			     const u8 *src, unsigned int slen,
1935 			     u8 *dst, unsigned int dlen)
1936 {
1937 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1938 	struct drbg_string *addtl = NULL;
1939 	struct drbg_string string;
1940 
1941 	if (slen) {
1942 		/* linked list variable is now local to allow modification */
1943 		drbg_string_fill(&string, src, slen);
1944 		addtl = &string;
1945 	}
1946 
1947 	return drbg_generate_long(drbg, dst, dlen, addtl);
1948 }
1949 
1950 /*
1951  * Seed the DRBG invoked by the kernel crypto API
1952  */
drbg_kcapi_seed(struct crypto_rng * tfm,const u8 * seed,unsigned int slen)1953 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1954 			   const u8 *seed, unsigned int slen)
1955 {
1956 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1957 	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1958 	bool pr = false;
1959 	struct drbg_string string;
1960 	struct drbg_string *seed_string = NULL;
1961 	int coreref = 0;
1962 
1963 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1964 			      &pr);
1965 	if (0 < slen) {
1966 		drbg_string_fill(&string, seed, slen);
1967 		seed_string = &string;
1968 	}
1969 
1970 	return drbg_instantiate(drbg, seed_string, coreref, pr);
1971 }
1972 
1973 /***************************************************************
1974  * Kernel module: code to load the module
1975  ***************************************************************/
1976 
1977 /*
1978  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1979  * of the error handling.
1980  *
1981  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1982  * as seed source of get_random_bytes does not fail.
1983  *
1984  * Note 2: There is no sensible way of testing the reseed counter
1985  * enforcement, so skip it.
1986  */
drbg_healthcheck_sanity(void)1987 static inline int __init drbg_healthcheck_sanity(void)
1988 {
1989 	int len = 0;
1990 #define OUTBUFLEN 16
1991 	unsigned char buf[OUTBUFLEN];
1992 	struct drbg_state *drbg = NULL;
1993 	int ret;
1994 	int rc = -EFAULT;
1995 	bool pr = false;
1996 	int coreref = 0;
1997 	struct drbg_string addtl;
1998 	size_t max_addtllen, max_request_bytes;
1999 
2000 	/* only perform test in FIPS mode */
2001 	if (!fips_enabled)
2002 		return 0;
2003 
2004 #ifdef CONFIG_CRYPTO_DRBG_CTR
2005 	drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
2006 #endif
2007 #ifdef CONFIG_CRYPTO_DRBG_HASH
2008 	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2009 #endif
2010 #ifdef CONFIG_CRYPTO_DRBG_HMAC
2011 	drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
2012 #endif
2013 
2014 	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2015 	if (!drbg)
2016 		return -ENOMEM;
2017 
2018 	mutex_init(&drbg->drbg_mutex);
2019 	drbg->core = &drbg_cores[coreref];
2020 	drbg->reseed_threshold = drbg_max_requests(drbg);
2021 
2022 	/*
2023 	 * if the following tests fail, it is likely that there is a buffer
2024 	 * overflow as buf is much smaller than the requested or provided
2025 	 * string lengths -- in case the error handling does not succeed
2026 	 * we may get an OOPS. And we want to get an OOPS as this is a
2027 	 * grave bug.
2028 	 */
2029 
2030 	max_addtllen = drbg_max_addtl(drbg);
2031 	max_request_bytes = drbg_max_request_bytes(drbg);
2032 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
2033 	/* overflow addtllen with additonal info string */
2034 	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2035 	BUG_ON(0 < len);
2036 	/* overflow max_bits */
2037 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2038 	BUG_ON(0 < len);
2039 
2040 	/* overflow max addtllen with personalization string */
2041 	ret = drbg_seed(drbg, &addtl, false);
2042 	BUG_ON(0 == ret);
2043 	/* all tests passed */
2044 	rc = 0;
2045 
2046 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
2047 		 "completed\n");
2048 
2049 	kfree(drbg);
2050 	return rc;
2051 }
2052 
2053 static struct rng_alg drbg_algs[22];
2054 
2055 /*
2056  * Fill the array drbg_algs used to register the different DRBGs
2057  * with the kernel crypto API. To fill the array, the information
2058  * from drbg_cores[] is used.
2059  */
drbg_fill_array(struct rng_alg * alg,const struct drbg_core * core,int pr)2060 static inline void __init drbg_fill_array(struct rng_alg *alg,
2061 					  const struct drbg_core *core, int pr)
2062 {
2063 	int pos = 0;
2064 	static int priority = 200;
2065 
2066 	memcpy(alg->base.cra_name, "stdrng", 6);
2067 	if (pr) {
2068 		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2069 		pos = 8;
2070 	} else {
2071 		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2072 		pos = 10;
2073 	}
2074 	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2075 	       strlen(core->cra_name));
2076 
2077 	alg->base.cra_priority = priority;
2078 	priority++;
2079 	/*
2080 	 * If FIPS mode enabled, the selected DRBG shall have the
2081 	 * highest cra_priority over other stdrng instances to ensure
2082 	 * it is selected.
2083 	 */
2084 	if (fips_enabled)
2085 		alg->base.cra_priority += 200;
2086 
2087 	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
2088 	alg->base.cra_module	= THIS_MODULE;
2089 	alg->base.cra_init	= drbg_kcapi_init;
2090 	alg->base.cra_exit	= drbg_kcapi_cleanup;
2091 	alg->generate		= drbg_kcapi_random;
2092 	alg->seed		= drbg_kcapi_seed;
2093 	alg->set_ent		= drbg_kcapi_set_entropy;
2094 	alg->seedsize		= 0;
2095 }
2096 
drbg_init(void)2097 static int __init drbg_init(void)
2098 {
2099 	unsigned int i = 0; /* pointer to drbg_algs */
2100 	unsigned int j = 0; /* pointer to drbg_cores */
2101 	int ret;
2102 
2103 	ret = drbg_healthcheck_sanity();
2104 	if (ret)
2105 		return ret;
2106 
2107 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2108 		pr_info("DRBG: Cannot register all DRBG types"
2109 			"(slots needed: %zu, slots available: %zu)\n",
2110 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2111 		return -EFAULT;
2112 	}
2113 
2114 	/*
2115 	 * each DRBG definition can be used with PR and without PR, thus
2116 	 * we instantiate each DRBG in drbg_cores[] twice.
2117 	 *
2118 	 * As the order of placing them into the drbg_algs array matters
2119 	 * (the later DRBGs receive a higher cra_priority) we register the
2120 	 * prediction resistance DRBGs first as the should not be too
2121 	 * interesting.
2122 	 */
2123 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2124 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2125 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2126 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2127 	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2128 }
2129 
drbg_exit(void)2130 static void __exit drbg_exit(void)
2131 {
2132 	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2133 }
2134 
2135 subsys_initcall(drbg_init);
2136 module_exit(drbg_exit);
2137 #ifndef CRYPTO_DRBG_HASH_STRING
2138 #define CRYPTO_DRBG_HASH_STRING ""
2139 #endif
2140 #ifndef CRYPTO_DRBG_HMAC_STRING
2141 #define CRYPTO_DRBG_HMAC_STRING ""
2142 #endif
2143 #ifndef CRYPTO_DRBG_CTR_STRING
2144 #define CRYPTO_DRBG_CTR_STRING ""
2145 #endif
2146 MODULE_LICENSE("GPL");
2147 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2148 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2149 		   "using following cores: "
2150 		   CRYPTO_DRBG_HASH_STRING
2151 		   CRYPTO_DRBG_HMAC_STRING
2152 		   CRYPTO_DRBG_CTR_STRING);
2153 MODULE_ALIAS_CRYPTO("stdrng");
2154 MODULE_IMPORT_NS("CRYPTO_INTERNAL");
2155