1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/df_sp80090a.h> 102 #include <crypto/internal/cipher.h> 103 #include <linux/kernel.h> 104 #include <linux/jiffies.h> 105 #include <linux/string_choices.h> 106 107 /*************************************************************** 108 * Backend cipher definitions available to DRBG 109 ***************************************************************/ 110 111 /* 112 * The order of the DRBG definitions here matter: every DRBG is registered 113 * as stdrng. Each DRBG receives an increasing cra_priority values the later 114 * they are defined in this array (see drbg_fill_array). 115 * 116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 118 * favored DRBGs are the latest entries in this array. 119 */ 120 static const struct drbg_core drbg_cores[] = { 121 #ifdef CONFIG_CRYPTO_DRBG_CTR 122 { 123 .flags = DRBG_CTR | DRBG_STRENGTH128, 124 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 125 .blocklen_bytes = 16, 126 .cra_name = "ctr_aes128", 127 .backend_cra_name = "aes", 128 }, { 129 .flags = DRBG_CTR | DRBG_STRENGTH192, 130 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 131 .blocklen_bytes = 16, 132 .cra_name = "ctr_aes192", 133 .backend_cra_name = "aes", 134 }, { 135 .flags = DRBG_CTR | DRBG_STRENGTH256, 136 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 137 .blocklen_bytes = 16, 138 .cra_name = "ctr_aes256", 139 .backend_cra_name = "aes", 140 }, 141 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 142 #ifdef CONFIG_CRYPTO_DRBG_HASH 143 { 144 .flags = DRBG_HASH | DRBG_STRENGTH256, 145 .statelen = 111, /* 888 bits */ 146 .blocklen_bytes = 48, 147 .cra_name = "sha384", 148 .backend_cra_name = "sha384", 149 }, { 150 .flags = DRBG_HASH | DRBG_STRENGTH256, 151 .statelen = 111, /* 888 bits */ 152 .blocklen_bytes = 64, 153 .cra_name = "sha512", 154 .backend_cra_name = "sha512", 155 }, { 156 .flags = DRBG_HASH | DRBG_STRENGTH256, 157 .statelen = 55, /* 440 bits */ 158 .blocklen_bytes = 32, 159 .cra_name = "sha256", 160 .backend_cra_name = "sha256", 161 }, 162 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 163 #ifdef CONFIG_CRYPTO_DRBG_HMAC 164 { 165 .flags = DRBG_HMAC | DRBG_STRENGTH256, 166 .statelen = 48, /* block length of cipher */ 167 .blocklen_bytes = 48, 168 .cra_name = "hmac_sha384", 169 .backend_cra_name = "hmac(sha384)", 170 }, { 171 .flags = DRBG_HMAC | DRBG_STRENGTH256, 172 .statelen = 32, /* block length of cipher */ 173 .blocklen_bytes = 32, 174 .cra_name = "hmac_sha256", 175 .backend_cra_name = "hmac(sha256)", 176 }, { 177 .flags = DRBG_HMAC | DRBG_STRENGTH256, 178 .statelen = 64, /* block length of cipher */ 179 .blocklen_bytes = 64, 180 .cra_name = "hmac_sha512", 181 .backend_cra_name = "hmac(sha512)", 182 }, 183 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 184 }; 185 186 static int drbg_uninstantiate(struct drbg_state *drbg); 187 188 /****************************************************************** 189 * Generic helper functions 190 ******************************************************************/ 191 192 /* 193 * Return strength of DRBG according to SP800-90A section 8.4 194 * 195 * @flags DRBG flags reference 196 * 197 * Return: normalized strength in *bytes* value or 32 as default 198 * to counter programming errors 199 */ 200 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 201 { 202 switch (flags & DRBG_STRENGTH_MASK) { 203 case DRBG_STRENGTH128: 204 return 16; 205 case DRBG_STRENGTH192: 206 return 24; 207 case DRBG_STRENGTH256: 208 return 32; 209 default: 210 return 32; 211 } 212 } 213 214 /* 215 * FIPS 140-2 continuous self test for the noise source 216 * The test is performed on the noise source input data. Thus, the function 217 * implicitly knows the size of the buffer to be equal to the security 218 * strength. 219 * 220 * Note, this function disregards the nonce trailing the entropy data during 221 * initial seeding. 222 * 223 * drbg->drbg_mutex must have been taken. 224 * 225 * @drbg DRBG handle 226 * @entropy buffer of seed data to be checked 227 * 228 * return: 229 * %true on success 230 * %false when the CTRNG is not yet primed 231 */ 232 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 233 const unsigned char *entropy) 234 __must_hold(&drbg->drbg_mutex) 235 { 236 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 237 238 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 239 return true; 240 241 /* skip test if we test the overall system */ 242 if (list_empty(&drbg->test_data.list)) 243 return true; 244 /* only perform test in FIPS mode */ 245 if (!fips_enabled) 246 return true; 247 248 if (!drbg->fips_primed) { 249 /* Priming of FIPS test */ 250 memcpy(drbg->prev, entropy, entropylen); 251 drbg->fips_primed = true; 252 /* priming: another round is needed */ 253 return false; 254 } 255 if (!memcmp(drbg->prev, entropy, entropylen)) 256 panic("DRBG continuous self test failed\n"); 257 memcpy(drbg->prev, entropy, entropylen); 258 259 /* the test shall pass when the two values are not equal */ 260 return true; 261 } 262 263 /****************************************************************** 264 * CTR DRBG callback functions 265 ******************************************************************/ 266 267 #ifdef CONFIG_CRYPTO_DRBG_CTR 268 #define CRYPTO_DRBG_CTR_STRING "CTR " 269 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 270 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 271 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 272 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 273 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 274 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 275 276 static int drbg_init_sym_kernel(struct drbg_state *drbg); 277 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 278 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 279 u8 *inbuf, u32 inbuflen, 280 u8 *outbuf, u32 outlen); 281 #define DRBG_OUTSCRATCHLEN 256 282 283 static int drbg_ctr_df(struct drbg_state *drbg, 284 unsigned char *df_data, size_t bytes_to_return, 285 struct list_head *seedlist) 286 { 287 return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg), 288 seedlist, drbg_blocklen(drbg), drbg_statelen(drbg)); 289 } 290 291 /* 292 * update function of CTR DRBG as defined in 10.2.1.2 293 * 294 * The reseed variable has an enhanced meaning compared to the update 295 * functions of the other DRBGs as follows: 296 * 0 => initial seed from initialization 297 * 1 => reseed via drbg_seed 298 * 2 => first invocation from drbg_ctr_update when addtl is present. In 299 * this case, the df_data scratchpad is not deleted so that it is 300 * available for another calls to prevent calling the DF function 301 * again. 302 * 3 => second invocation from drbg_ctr_update. When the update function 303 * was called with addtl, the df_data memory already contains the 304 * DFed addtl information and we do not need to call DF again. 305 */ 306 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 307 int reseed) 308 { 309 int ret = -EFAULT; 310 /* 10.2.1.2 step 1 */ 311 unsigned char *temp = drbg->scratchpad; 312 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 313 drbg_blocklen(drbg); 314 315 if (3 > reseed) 316 memset(df_data, 0, drbg_statelen(drbg)); 317 318 if (!reseed) { 319 /* 320 * The DRBG uses the CTR mode of the underlying AES cipher. The 321 * CTR mode increments the counter value after the AES operation 322 * but SP800-90A requires that the counter is incremented before 323 * the AES operation. Hence, we increment it at the time we set 324 * it by one. 325 */ 326 crypto_inc(drbg->V, drbg_blocklen(drbg)); 327 328 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 329 drbg_keylen(drbg)); 330 if (ret) 331 goto out; 332 } 333 334 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 335 if (seed) { 336 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 337 if (ret) 338 goto out; 339 } 340 341 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 342 temp, drbg_statelen(drbg)); 343 if (ret) 344 return ret; 345 346 /* 10.2.1.2 step 5 */ 347 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 348 drbg_keylen(drbg)); 349 if (ret) 350 goto out; 351 /* 10.2.1.2 step 6 */ 352 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 353 /* See above: increment counter by one to compensate timing of CTR op */ 354 crypto_inc(drbg->V, drbg_blocklen(drbg)); 355 ret = 0; 356 357 out: 358 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 359 if (2 != reseed) 360 memset(df_data, 0, drbg_statelen(drbg)); 361 return ret; 362 } 363 364 /* 365 * scratchpad use: drbg_ctr_update is called independently from 366 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 367 */ 368 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 369 static int drbg_ctr_generate(struct drbg_state *drbg, 370 unsigned char *buf, unsigned int buflen, 371 struct list_head *addtl) 372 { 373 int ret; 374 int len = min_t(int, buflen, INT_MAX); 375 376 /* 10.2.1.5.2 step 2 */ 377 if (addtl && !list_empty(addtl)) { 378 ret = drbg_ctr_update(drbg, addtl, 2); 379 if (ret) 380 return 0; 381 } 382 383 /* 10.2.1.5.2 step 4.1 */ 384 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 385 if (ret) 386 return ret; 387 388 /* 10.2.1.5.2 step 6 */ 389 ret = drbg_ctr_update(drbg, NULL, 3); 390 if (ret) 391 len = ret; 392 393 return len; 394 } 395 396 static const struct drbg_state_ops drbg_ctr_ops = { 397 .update = drbg_ctr_update, 398 .generate = drbg_ctr_generate, 399 .crypto_init = drbg_init_sym_kernel, 400 .crypto_fini = drbg_fini_sym_kernel, 401 }; 402 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 403 404 /****************************************************************** 405 * HMAC DRBG callback functions 406 ******************************************************************/ 407 408 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 409 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 410 const struct list_head *in); 411 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 412 const unsigned char *key); 413 static int drbg_init_hash_kernel(struct drbg_state *drbg); 414 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 415 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 416 417 #ifdef CONFIG_CRYPTO_DRBG_HMAC 418 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 419 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 420 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 421 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 422 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 423 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 424 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 425 426 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 427 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 428 int reseed) 429 { 430 int ret = -EFAULT; 431 int i = 0; 432 struct drbg_string seed1, seed2, vdata; 433 LIST_HEAD(seedlist); 434 LIST_HEAD(vdatalist); 435 436 if (!reseed) { 437 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 438 memset(drbg->V, 1, drbg_statelen(drbg)); 439 drbg_kcapi_hmacsetkey(drbg, drbg->C); 440 } 441 442 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 443 list_add_tail(&seed1.list, &seedlist); 444 /* buffer of seed2 will be filled in for loop below with one byte */ 445 drbg_string_fill(&seed2, NULL, 1); 446 list_add_tail(&seed2.list, &seedlist); 447 /* input data of seed is allowed to be NULL at this point */ 448 if (seed) 449 list_splice_tail(seed, &seedlist); 450 451 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 452 list_add_tail(&vdata.list, &vdatalist); 453 for (i = 2; 0 < i; i--) { 454 /* first round uses 0x0, second 0x1 */ 455 unsigned char prefix = DRBG_PREFIX0; 456 if (1 == i) 457 prefix = DRBG_PREFIX1; 458 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 459 seed2.buf = &prefix; 460 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 461 if (ret) 462 return ret; 463 drbg_kcapi_hmacsetkey(drbg, drbg->C); 464 465 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 466 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 467 if (ret) 468 return ret; 469 470 /* 10.1.2.2 step 3 */ 471 if (!seed) 472 return ret; 473 } 474 475 return 0; 476 } 477 478 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 479 static int drbg_hmac_generate(struct drbg_state *drbg, 480 unsigned char *buf, 481 unsigned int buflen, 482 struct list_head *addtl) 483 { 484 int len = 0; 485 int ret = 0; 486 struct drbg_string data; 487 LIST_HEAD(datalist); 488 489 /* 10.1.2.5 step 2 */ 490 if (addtl && !list_empty(addtl)) { 491 ret = drbg_hmac_update(drbg, addtl, 1); 492 if (ret) 493 return ret; 494 } 495 496 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 497 list_add_tail(&data.list, &datalist); 498 while (len < buflen) { 499 unsigned int outlen = 0; 500 /* 10.1.2.5 step 4.1 */ 501 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 502 if (ret) 503 return ret; 504 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 505 drbg_blocklen(drbg) : (buflen - len); 506 507 /* 10.1.2.5 step 4.2 */ 508 memcpy(buf + len, drbg->V, outlen); 509 len += outlen; 510 } 511 512 /* 10.1.2.5 step 6 */ 513 if (addtl && !list_empty(addtl)) 514 ret = drbg_hmac_update(drbg, addtl, 1); 515 else 516 ret = drbg_hmac_update(drbg, NULL, 1); 517 if (ret) 518 return ret; 519 520 return len; 521 } 522 523 static const struct drbg_state_ops drbg_hmac_ops = { 524 .update = drbg_hmac_update, 525 .generate = drbg_hmac_generate, 526 .crypto_init = drbg_init_hash_kernel, 527 .crypto_fini = drbg_fini_hash_kernel, 528 }; 529 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 530 531 /****************************************************************** 532 * Hash DRBG callback functions 533 ******************************************************************/ 534 535 #ifdef CONFIG_CRYPTO_DRBG_HASH 536 #define CRYPTO_DRBG_HASH_STRING "HASH " 537 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 538 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 539 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 540 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 541 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 542 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 543 544 /* 545 * Increment buffer 546 * 547 * @dst buffer to increment 548 * @add value to add 549 */ 550 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 551 const unsigned char *add, size_t addlen) 552 { 553 /* implied: dstlen > addlen */ 554 unsigned char *dstptr; 555 const unsigned char *addptr; 556 unsigned int remainder = 0; 557 size_t len = addlen; 558 559 dstptr = dst + (dstlen-1); 560 addptr = add + (addlen-1); 561 while (len) { 562 remainder += *dstptr + *addptr; 563 *dstptr = remainder & 0xff; 564 remainder >>= 8; 565 len--; dstptr--; addptr--; 566 } 567 len = dstlen - addlen; 568 while (len && remainder > 0) { 569 remainder = *dstptr + 1; 570 *dstptr = remainder & 0xff; 571 remainder >>= 8; 572 len--; dstptr--; 573 } 574 } 575 576 /* 577 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 578 * interlinked, the scratchpad is used as follows: 579 * drbg_hash_update 580 * start: drbg->scratchpad 581 * length: drbg_statelen(drbg) 582 * drbg_hash_df: 583 * start: drbg->scratchpad + drbg_statelen(drbg) 584 * length: drbg_blocklen(drbg) 585 * 586 * drbg_hash_process_addtl uses the scratchpad, but fully completes 587 * before either of the functions mentioned before are invoked. Therefore, 588 * drbg_hash_process_addtl does not need to be specifically considered. 589 */ 590 591 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 592 static int drbg_hash_df(struct drbg_state *drbg, 593 unsigned char *outval, size_t outlen, 594 struct list_head *entropylist) 595 { 596 int ret = 0; 597 size_t len = 0; 598 unsigned char input[5]; 599 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 600 struct drbg_string data; 601 602 /* 10.4.1 step 3 */ 603 input[0] = 1; 604 drbg_cpu_to_be32((outlen * 8), &input[1]); 605 606 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 607 drbg_string_fill(&data, input, 5); 608 list_add(&data.list, entropylist); 609 610 /* 10.4.1 step 4 */ 611 while (len < outlen) { 612 short blocklen = 0; 613 /* 10.4.1 step 4.1 */ 614 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 615 if (ret) 616 goto out; 617 /* 10.4.1 step 4.2 */ 618 input[0]++; 619 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 620 drbg_blocklen(drbg) : (outlen - len); 621 memcpy(outval + len, tmp, blocklen); 622 len += blocklen; 623 } 624 625 out: 626 memset(tmp, 0, drbg_blocklen(drbg)); 627 return ret; 628 } 629 630 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 631 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 632 int reseed) 633 { 634 int ret = 0; 635 struct drbg_string data1, data2; 636 LIST_HEAD(datalist); 637 LIST_HEAD(datalist2); 638 unsigned char *V = drbg->scratchpad; 639 unsigned char prefix = DRBG_PREFIX1; 640 641 if (!seed) 642 return -EINVAL; 643 644 if (reseed) { 645 /* 10.1.1.3 step 1 */ 646 memcpy(V, drbg->V, drbg_statelen(drbg)); 647 drbg_string_fill(&data1, &prefix, 1); 648 list_add_tail(&data1.list, &datalist); 649 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 650 list_add_tail(&data2.list, &datalist); 651 } 652 list_splice_tail(seed, &datalist); 653 654 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 655 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 656 if (ret) 657 goto out; 658 659 /* 10.1.1.2 / 10.1.1.3 step 4 */ 660 prefix = DRBG_PREFIX0; 661 drbg_string_fill(&data1, &prefix, 1); 662 list_add_tail(&data1.list, &datalist2); 663 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 664 list_add_tail(&data2.list, &datalist2); 665 /* 10.1.1.2 / 10.1.1.3 step 4 */ 666 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 667 668 out: 669 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 670 return ret; 671 } 672 673 /* processing of additional information string for Hash DRBG */ 674 static int drbg_hash_process_addtl(struct drbg_state *drbg, 675 struct list_head *addtl) 676 { 677 int ret = 0; 678 struct drbg_string data1, data2; 679 LIST_HEAD(datalist); 680 unsigned char prefix = DRBG_PREFIX2; 681 682 /* 10.1.1.4 step 2 */ 683 if (!addtl || list_empty(addtl)) 684 return 0; 685 686 /* 10.1.1.4 step 2a */ 687 drbg_string_fill(&data1, &prefix, 1); 688 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 689 list_add_tail(&data1.list, &datalist); 690 list_add_tail(&data2.list, &datalist); 691 list_splice_tail(addtl, &datalist); 692 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 693 if (ret) 694 goto out; 695 696 /* 10.1.1.4 step 2b */ 697 drbg_add_buf(drbg->V, drbg_statelen(drbg), 698 drbg->scratchpad, drbg_blocklen(drbg)); 699 700 out: 701 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 702 return ret; 703 } 704 705 /* Hashgen defined in 10.1.1.4 */ 706 static int drbg_hash_hashgen(struct drbg_state *drbg, 707 unsigned char *buf, 708 unsigned int buflen) 709 { 710 int len = 0; 711 int ret = 0; 712 unsigned char *src = drbg->scratchpad; 713 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 714 struct drbg_string data; 715 LIST_HEAD(datalist); 716 717 /* 10.1.1.4 step hashgen 2 */ 718 memcpy(src, drbg->V, drbg_statelen(drbg)); 719 720 drbg_string_fill(&data, src, drbg_statelen(drbg)); 721 list_add_tail(&data.list, &datalist); 722 while (len < buflen) { 723 unsigned int outlen = 0; 724 /* 10.1.1.4 step hashgen 4.1 */ 725 ret = drbg_kcapi_hash(drbg, dst, &datalist); 726 if (ret) { 727 len = ret; 728 goto out; 729 } 730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 731 drbg_blocklen(drbg) : (buflen - len); 732 /* 10.1.1.4 step hashgen 4.2 */ 733 memcpy(buf + len, dst, outlen); 734 len += outlen; 735 /* 10.1.1.4 hashgen step 4.3 */ 736 if (len < buflen) 737 crypto_inc(src, drbg_statelen(drbg)); 738 } 739 740 out: 741 memset(drbg->scratchpad, 0, 742 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 743 return len; 744 } 745 746 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 747 static int drbg_hash_generate(struct drbg_state *drbg, 748 unsigned char *buf, unsigned int buflen, 749 struct list_head *addtl) 750 { 751 int len = 0; 752 int ret = 0; 753 union { 754 unsigned char req[8]; 755 __be64 req_int; 756 } u; 757 unsigned char prefix = DRBG_PREFIX3; 758 struct drbg_string data1, data2; 759 LIST_HEAD(datalist); 760 761 /* 10.1.1.4 step 2 */ 762 ret = drbg_hash_process_addtl(drbg, addtl); 763 if (ret) 764 return ret; 765 /* 10.1.1.4 step 3 */ 766 len = drbg_hash_hashgen(drbg, buf, buflen); 767 768 /* this is the value H as documented in 10.1.1.4 */ 769 /* 10.1.1.4 step 4 */ 770 drbg_string_fill(&data1, &prefix, 1); 771 list_add_tail(&data1.list, &datalist); 772 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 773 list_add_tail(&data2.list, &datalist); 774 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 775 if (ret) { 776 len = ret; 777 goto out; 778 } 779 780 /* 10.1.1.4 step 5 */ 781 drbg_add_buf(drbg->V, drbg_statelen(drbg), 782 drbg->scratchpad, drbg_blocklen(drbg)); 783 drbg_add_buf(drbg->V, drbg_statelen(drbg), 784 drbg->C, drbg_statelen(drbg)); 785 u.req_int = cpu_to_be64(drbg->reseed_ctr); 786 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 787 788 out: 789 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 790 return len; 791 } 792 793 /* 794 * scratchpad usage: as update and generate are used isolated, both 795 * can use the scratchpad 796 */ 797 static const struct drbg_state_ops drbg_hash_ops = { 798 .update = drbg_hash_update, 799 .generate = drbg_hash_generate, 800 .crypto_init = drbg_init_hash_kernel, 801 .crypto_fini = drbg_fini_hash_kernel, 802 }; 803 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 804 805 /****************************************************************** 806 * Functions common for DRBG implementations 807 ******************************************************************/ 808 809 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 810 int reseed, enum drbg_seed_state new_seed_state) 811 { 812 int ret = drbg->d_ops->update(drbg, seed, reseed); 813 814 if (ret) 815 return ret; 816 817 drbg->seeded = new_seed_state; 818 drbg->last_seed_time = jiffies; 819 /* 10.1.1.2 / 10.1.1.3 step 5 */ 820 drbg->reseed_ctr = 1; 821 822 switch (drbg->seeded) { 823 case DRBG_SEED_STATE_UNSEEDED: 824 /* Impossible, but handle it to silence compiler warnings. */ 825 fallthrough; 826 case DRBG_SEED_STATE_PARTIAL: 827 /* 828 * Require frequent reseeds until the seed source is 829 * fully initialized. 830 */ 831 drbg->reseed_threshold = 50; 832 break; 833 834 case DRBG_SEED_STATE_FULL: 835 /* 836 * Seed source has become fully initialized, frequent 837 * reseeds no longer required. 838 */ 839 drbg->reseed_threshold = drbg_max_requests(drbg); 840 break; 841 } 842 843 return ret; 844 } 845 846 static inline void drbg_get_random_bytes(struct drbg_state *drbg, 847 unsigned char *entropy, 848 unsigned int entropylen) 849 __must_hold(&drbg->drbg_mutex) 850 { 851 do 852 get_random_bytes(entropy, entropylen); 853 while (!drbg_fips_continuous_test(drbg, entropy)); 854 } 855 856 static int drbg_seed_from_random(struct drbg_state *drbg) 857 __must_hold(&drbg->drbg_mutex) 858 { 859 struct drbg_string data; 860 LIST_HEAD(seedlist); 861 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 862 unsigned char entropy[32]; 863 int ret; 864 865 BUG_ON(!entropylen); 866 BUG_ON(entropylen > sizeof(entropy)); 867 868 drbg_string_fill(&data, entropy, entropylen); 869 list_add_tail(&data.list, &seedlist); 870 871 drbg_get_random_bytes(drbg, entropy, entropylen); 872 873 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 874 875 memzero_explicit(entropy, entropylen); 876 return ret; 877 } 878 879 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 880 { 881 unsigned long next_reseed; 882 883 /* Don't ever reseed from get_random_bytes() in test mode. */ 884 if (list_empty(&drbg->test_data.list)) 885 return false; 886 887 /* 888 * Obtain fresh entropy for the nopr DRBGs after 300s have 889 * elapsed in order to still achieve sort of partial 890 * prediction resistance over the time domain at least. Note 891 * that the period of 300s has been chosen to match the 892 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 893 * rngs. 894 */ 895 next_reseed = drbg->last_seed_time + 300 * HZ; 896 return time_after(jiffies, next_reseed); 897 } 898 899 /* 900 * Seeding or reseeding of the DRBG 901 * 902 * @drbg: DRBG state struct 903 * @pers: personalization / additional information buffer 904 * @reseed: 0 for initial seed process, 1 for reseeding 905 * 906 * return: 907 * 0 on success 908 * error value otherwise 909 */ 910 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 911 bool reseed) 912 __must_hold(&drbg->drbg_mutex) 913 { 914 int ret; 915 unsigned char entropy[((32 + 16) * 2)]; 916 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 917 struct drbg_string data1; 918 LIST_HEAD(seedlist); 919 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 920 921 /* 9.1 / 9.2 / 9.3.1 step 3 */ 922 if (pers && pers->len > (drbg_max_addtl(drbg))) { 923 pr_devel("DRBG: personalization string too long %zu\n", 924 pers->len); 925 return -EINVAL; 926 } 927 928 if (list_empty(&drbg->test_data.list)) { 929 drbg_string_fill(&data1, drbg->test_data.buf, 930 drbg->test_data.len); 931 pr_devel("DRBG: using test entropy\n"); 932 } else { 933 /* 934 * Gather entropy equal to the security strength of the DRBG. 935 * With a derivation function, a nonce is required in addition 936 * to the entropy. A nonce must be at least 1/2 of the security 937 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 938 * of the strength. The consideration of a nonce is only 939 * applicable during initial seeding. 940 */ 941 BUG_ON(!entropylen); 942 if (!reseed) 943 entropylen = ((entropylen + 1) / 2) * 3; 944 BUG_ON((entropylen * 2) > sizeof(entropy)); 945 946 /* Get seed from in-kernel /dev/urandom */ 947 if (!rng_is_initialized()) 948 new_seed_state = DRBG_SEED_STATE_PARTIAL; 949 950 drbg_get_random_bytes(drbg, entropy, entropylen); 951 952 if (!drbg->jent) { 953 drbg_string_fill(&data1, entropy, entropylen); 954 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 955 entropylen); 956 } else { 957 /* 958 * Get seed from Jitter RNG, failures are 959 * fatal only in FIPS mode. 960 */ 961 ret = crypto_rng_get_bytes(drbg->jent, 962 entropy + entropylen, 963 entropylen); 964 if (fips_enabled && ret) { 965 pr_devel("DRBG: jent failed with %d\n", ret); 966 967 /* 968 * Do not treat the transient failure of the 969 * Jitter RNG as an error that needs to be 970 * reported. The combined number of the 971 * maximum reseed threshold times the maximum 972 * number of Jitter RNG transient errors is 973 * less than the reseed threshold required by 974 * SP800-90A allowing us to treat the 975 * transient errors as such. 976 * 977 * However, we mandate that at least the first 978 * seeding operation must succeed with the 979 * Jitter RNG. 980 */ 981 if (!reseed || ret != -EAGAIN) 982 goto out; 983 } 984 985 drbg_string_fill(&data1, entropy, entropylen * 2); 986 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 987 entropylen * 2); 988 } 989 } 990 list_add_tail(&data1.list, &seedlist); 991 992 /* 993 * concatenation of entropy with personalization str / addtl input) 994 * the variable pers is directly handed in by the caller, so check its 995 * contents whether it is appropriate 996 */ 997 if (pers && pers->buf && 0 < pers->len) { 998 list_add_tail(&pers->list, &seedlist); 999 pr_devel("DRBG: using personalization string\n"); 1000 } 1001 1002 if (!reseed) { 1003 memset(drbg->V, 0, drbg_statelen(drbg)); 1004 memset(drbg->C, 0, drbg_statelen(drbg)); 1005 } 1006 1007 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1008 1009 out: 1010 memzero_explicit(entropy, entropylen * 2); 1011 1012 return ret; 1013 } 1014 1015 /* Free all substructures in a DRBG state without the DRBG state structure */ 1016 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1017 { 1018 if (!drbg) 1019 return; 1020 kfree_sensitive(drbg->Vbuf); 1021 drbg->Vbuf = NULL; 1022 drbg->V = NULL; 1023 kfree_sensitive(drbg->Cbuf); 1024 drbg->Cbuf = NULL; 1025 drbg->C = NULL; 1026 kfree_sensitive(drbg->scratchpadbuf); 1027 drbg->scratchpadbuf = NULL; 1028 drbg->reseed_ctr = 0; 1029 drbg->d_ops = NULL; 1030 drbg->core = NULL; 1031 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1032 kfree_sensitive(drbg->prev); 1033 drbg->prev = NULL; 1034 drbg->fips_primed = false; 1035 } 1036 } 1037 1038 /* 1039 * Allocate all sub-structures for a DRBG state. 1040 * The DRBG state structure must already be allocated. 1041 */ 1042 static inline int drbg_alloc_state(struct drbg_state *drbg) 1043 { 1044 int ret = -ENOMEM; 1045 unsigned int sb_size = 0; 1046 1047 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1048 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1049 case DRBG_HMAC: 1050 drbg->d_ops = &drbg_hmac_ops; 1051 break; 1052 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1053 #ifdef CONFIG_CRYPTO_DRBG_HASH 1054 case DRBG_HASH: 1055 drbg->d_ops = &drbg_hash_ops; 1056 break; 1057 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1058 #ifdef CONFIG_CRYPTO_DRBG_CTR 1059 case DRBG_CTR: 1060 drbg->d_ops = &drbg_ctr_ops; 1061 break; 1062 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1063 default: 1064 ret = -EOPNOTSUPP; 1065 goto err; 1066 } 1067 1068 ret = drbg->d_ops->crypto_init(drbg); 1069 if (ret < 0) 1070 goto err; 1071 1072 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1073 if (!drbg->Vbuf) { 1074 ret = -ENOMEM; 1075 goto fini; 1076 } 1077 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1078 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1079 if (!drbg->Cbuf) { 1080 ret = -ENOMEM; 1081 goto fini; 1082 } 1083 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1084 /* scratchpad is only generated for CTR and Hash */ 1085 if (drbg->core->flags & DRBG_HMAC) 1086 sb_size = 0; 1087 else if (drbg->core->flags & DRBG_CTR) 1088 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1089 crypto_drbg_ctr_df_datalen(drbg_statelen(drbg), 1090 drbg_blocklen(drbg)); 1091 else 1092 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1093 1094 if (0 < sb_size) { 1095 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1096 if (!drbg->scratchpadbuf) { 1097 ret = -ENOMEM; 1098 goto fini; 1099 } 1100 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1101 } 1102 1103 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1104 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1105 GFP_KERNEL); 1106 if (!drbg->prev) { 1107 ret = -ENOMEM; 1108 goto fini; 1109 } 1110 drbg->fips_primed = false; 1111 } 1112 1113 return 0; 1114 1115 fini: 1116 drbg->d_ops->crypto_fini(drbg); 1117 err: 1118 drbg_dealloc_state(drbg); 1119 return ret; 1120 } 1121 1122 /************************************************************************* 1123 * DRBG interface functions 1124 *************************************************************************/ 1125 1126 /* 1127 * DRBG generate function as required by SP800-90A - this function 1128 * generates random numbers 1129 * 1130 * @drbg DRBG state handle 1131 * @buf Buffer where to store the random numbers -- the buffer must already 1132 * be pre-allocated by caller 1133 * @buflen Length of output buffer - this value defines the number of random 1134 * bytes pulled from DRBG 1135 * @addtl Additional input that is mixed into state, may be NULL -- note 1136 * the entropy is pulled by the DRBG internally unconditionally 1137 * as defined in SP800-90A. The additional input is mixed into 1138 * the state in addition to the pulled entropy. 1139 * 1140 * return: 0 when all bytes are generated; < 0 in case of an error 1141 */ 1142 static int drbg_generate(struct drbg_state *drbg, 1143 unsigned char *buf, unsigned int buflen, 1144 struct drbg_string *addtl) 1145 __must_hold(&drbg->drbg_mutex) 1146 { 1147 int len = 0; 1148 LIST_HEAD(addtllist); 1149 1150 if (!drbg->core) { 1151 pr_devel("DRBG: not yet seeded\n"); 1152 return -EINVAL; 1153 } 1154 if (0 == buflen || !buf) { 1155 pr_devel("DRBG: no output buffer provided\n"); 1156 return -EINVAL; 1157 } 1158 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1159 pr_devel("DRBG: wrong format of additional information\n"); 1160 return -EINVAL; 1161 } 1162 1163 /* 9.3.1 step 2 */ 1164 len = -EINVAL; 1165 if (buflen > (drbg_max_request_bytes(drbg))) { 1166 pr_devel("DRBG: requested random numbers too large %u\n", 1167 buflen); 1168 goto err; 1169 } 1170 1171 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1172 1173 /* 9.3.1 step 4 */ 1174 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1175 pr_devel("DRBG: additional information string too long %zu\n", 1176 addtl->len); 1177 goto err; 1178 } 1179 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1180 1181 /* 1182 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1183 * here. The spec is a bit convoluted here, we make it simpler. 1184 */ 1185 if (drbg->reseed_threshold < drbg->reseed_ctr) 1186 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1187 1188 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1189 pr_devel("DRBG: reseeding before generation (prediction " 1190 "resistance: %s, state %s)\n", 1191 str_true_false(drbg->pr), 1192 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1193 "seeded" : "unseeded")); 1194 /* 9.3.1 steps 7.1 through 7.3 */ 1195 len = drbg_seed(drbg, addtl, true); 1196 if (len) 1197 goto err; 1198 /* 9.3.1 step 7.4 */ 1199 addtl = NULL; 1200 } else if (rng_is_initialized() && 1201 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1202 drbg_nopr_reseed_interval_elapsed(drbg))) { 1203 len = drbg_seed_from_random(drbg); 1204 if (len) 1205 goto err; 1206 } 1207 1208 if (addtl && 0 < addtl->len) 1209 list_add_tail(&addtl->list, &addtllist); 1210 /* 9.3.1 step 8 and 10 */ 1211 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1212 1213 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1214 drbg->reseed_ctr++; 1215 if (0 >= len) 1216 goto err; 1217 1218 /* 1219 * Section 11.3.3 requires to re-perform self tests after some 1220 * generated random numbers. The chosen value after which self 1221 * test is performed is arbitrary, but it should be reasonable. 1222 * However, we do not perform the self tests because of the following 1223 * reasons: it is mathematically impossible that the initial self tests 1224 * were successfully and the following are not. If the initial would 1225 * pass and the following would not, the kernel integrity is violated. 1226 * In this case, the entire kernel operation is questionable and it 1227 * is unlikely that the integrity violation only affects the 1228 * correct operation of the DRBG. 1229 * 1230 * Albeit the following code is commented out, it is provided in 1231 * case somebody has a need to implement the test of 11.3.3. 1232 */ 1233 #if 0 1234 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1235 int err = 0; 1236 pr_devel("DRBG: start to perform self test\n"); 1237 if (drbg->core->flags & DRBG_HMAC) 1238 err = alg_test("drbg_pr_hmac_sha512", 1239 "drbg_pr_hmac_sha512", 0, 0); 1240 else if (drbg->core->flags & DRBG_CTR) 1241 err = alg_test("drbg_pr_ctr_aes256", 1242 "drbg_pr_ctr_aes256", 0, 0); 1243 else 1244 err = alg_test("drbg_pr_sha256", 1245 "drbg_pr_sha256", 0, 0); 1246 if (err) { 1247 pr_err("DRBG: periodical self test failed\n"); 1248 /* 1249 * uninstantiate implies that from now on, only errors 1250 * are returned when reusing this DRBG cipher handle 1251 */ 1252 drbg_uninstantiate(drbg); 1253 return 0; 1254 } else { 1255 pr_devel("DRBG: self test successful\n"); 1256 } 1257 } 1258 #endif 1259 1260 /* 1261 * All operations were successful, return 0 as mandated by 1262 * the kernel crypto API interface. 1263 */ 1264 len = 0; 1265 err: 1266 return len; 1267 } 1268 1269 /* 1270 * Wrapper around drbg_generate which can pull arbitrary long strings 1271 * from the DRBG without hitting the maximum request limitation. 1272 * 1273 * Parameters: see drbg_generate 1274 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1275 * the entire drbg_generate_long request fails 1276 */ 1277 static int drbg_generate_long(struct drbg_state *drbg, 1278 unsigned char *buf, unsigned int buflen, 1279 struct drbg_string *addtl) 1280 { 1281 unsigned int len = 0; 1282 unsigned int slice = 0; 1283 do { 1284 int err = 0; 1285 unsigned int chunk = 0; 1286 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1287 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1288 mutex_lock(&drbg->drbg_mutex); 1289 err = drbg_generate(drbg, buf + len, chunk, addtl); 1290 mutex_unlock(&drbg->drbg_mutex); 1291 if (0 > err) 1292 return err; 1293 len += chunk; 1294 } while (slice > 0 && (len < buflen)); 1295 return 0; 1296 } 1297 1298 static int drbg_prepare_hrng(struct drbg_state *drbg) 1299 { 1300 /* We do not need an HRNG in test mode. */ 1301 if (list_empty(&drbg->test_data.list)) 1302 return 0; 1303 1304 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1305 if (IS_ERR(drbg->jent)) { 1306 const int err = PTR_ERR(drbg->jent); 1307 1308 drbg->jent = NULL; 1309 if (fips_enabled) 1310 return err; 1311 pr_info("DRBG: Continuing without Jitter RNG\n"); 1312 } 1313 1314 return 0; 1315 } 1316 1317 /* 1318 * DRBG instantiation function as required by SP800-90A - this function 1319 * sets up the DRBG handle, performs the initial seeding and all sanity 1320 * checks required by SP800-90A 1321 * 1322 * @drbg memory of state -- if NULL, new memory is allocated 1323 * @pers Personalization string that is mixed into state, may be NULL -- note 1324 * the entropy is pulled by the DRBG internally unconditionally 1325 * as defined in SP800-90A. The additional input is mixed into 1326 * the state in addition to the pulled entropy. 1327 * @coreref reference to core 1328 * @pr prediction resistance enabled 1329 * 1330 * return 1331 * 0 on success 1332 * error value otherwise 1333 */ 1334 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1335 int coreref, bool pr) 1336 { 1337 int ret; 1338 bool reseed = true; 1339 1340 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1341 "%s\n", coreref, str_enabled_disabled(pr)); 1342 mutex_lock(&drbg->drbg_mutex); 1343 1344 /* 9.1 step 1 is implicit with the selected DRBG type */ 1345 1346 /* 1347 * 9.1 step 2 is implicit as caller can select prediction resistance 1348 * and the flag is copied into drbg->flags -- 1349 * all DRBG types support prediction resistance 1350 */ 1351 1352 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1353 1354 if (!drbg->core) { 1355 drbg->core = &drbg_cores[coreref]; 1356 drbg->pr = pr; 1357 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1358 drbg->last_seed_time = 0; 1359 drbg->reseed_threshold = drbg_max_requests(drbg); 1360 1361 ret = drbg_alloc_state(drbg); 1362 if (ret) 1363 goto unlock; 1364 1365 ret = drbg_prepare_hrng(drbg); 1366 if (ret) 1367 goto free_everything; 1368 1369 reseed = false; 1370 } 1371 1372 ret = drbg_seed(drbg, pers, reseed); 1373 1374 if (ret && !reseed) 1375 goto free_everything; 1376 1377 mutex_unlock(&drbg->drbg_mutex); 1378 return ret; 1379 1380 unlock: 1381 mutex_unlock(&drbg->drbg_mutex); 1382 return ret; 1383 1384 free_everything: 1385 mutex_unlock(&drbg->drbg_mutex); 1386 drbg_uninstantiate(drbg); 1387 return ret; 1388 } 1389 1390 /* 1391 * DRBG uninstantiate function as required by SP800-90A - this function 1392 * frees all buffers and the DRBG handle 1393 * 1394 * @drbg DRBG state handle 1395 * 1396 * return 1397 * 0 on success 1398 */ 1399 static int drbg_uninstantiate(struct drbg_state *drbg) 1400 { 1401 if (!IS_ERR_OR_NULL(drbg->jent)) 1402 crypto_free_rng(drbg->jent); 1403 drbg->jent = NULL; 1404 1405 if (drbg->d_ops) 1406 drbg->d_ops->crypto_fini(drbg); 1407 drbg_dealloc_state(drbg); 1408 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1409 return 0; 1410 } 1411 1412 /* 1413 * Helper function for setting the test data in the DRBG 1414 * 1415 * @drbg DRBG state handle 1416 * @data test data 1417 * @len test data length 1418 */ 1419 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1420 const u8 *data, unsigned int len) 1421 { 1422 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1423 1424 mutex_lock(&drbg->drbg_mutex); 1425 drbg_string_fill(&drbg->test_data, data, len); 1426 mutex_unlock(&drbg->drbg_mutex); 1427 } 1428 1429 /*************************************************************** 1430 * Kernel crypto API cipher invocations requested by DRBG 1431 ***************************************************************/ 1432 1433 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1434 struct sdesc { 1435 struct shash_desc shash; 1436 }; 1437 1438 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1439 { 1440 struct sdesc *sdesc; 1441 struct crypto_shash *tfm; 1442 1443 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1444 if (IS_ERR(tfm)) { 1445 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1446 drbg->core->backend_cra_name); 1447 return PTR_ERR(tfm); 1448 } 1449 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1450 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1451 GFP_KERNEL); 1452 if (!sdesc) { 1453 crypto_free_shash(tfm); 1454 return -ENOMEM; 1455 } 1456 1457 sdesc->shash.tfm = tfm; 1458 drbg->priv_data = sdesc; 1459 1460 return 0; 1461 } 1462 1463 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1464 { 1465 struct sdesc *sdesc = drbg->priv_data; 1466 if (sdesc) { 1467 crypto_free_shash(sdesc->shash.tfm); 1468 kfree_sensitive(sdesc); 1469 } 1470 drbg->priv_data = NULL; 1471 return 0; 1472 } 1473 1474 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1475 const unsigned char *key) 1476 { 1477 struct sdesc *sdesc = drbg->priv_data; 1478 1479 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1480 } 1481 1482 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1483 const struct list_head *in) 1484 { 1485 struct sdesc *sdesc = drbg->priv_data; 1486 struct drbg_string *input = NULL; 1487 1488 crypto_shash_init(&sdesc->shash); 1489 list_for_each_entry(input, in, list) 1490 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1491 return crypto_shash_final(&sdesc->shash, outval); 1492 } 1493 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1494 1495 #ifdef CONFIG_CRYPTO_DRBG_CTR 1496 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1497 { 1498 struct aes_enckey *aeskey = drbg->priv_data; 1499 1500 kfree(aeskey); 1501 drbg->priv_data = NULL; 1502 1503 if (drbg->ctr_handle) 1504 crypto_free_skcipher(drbg->ctr_handle); 1505 drbg->ctr_handle = NULL; 1506 1507 if (drbg->ctr_req) 1508 skcipher_request_free(drbg->ctr_req); 1509 drbg->ctr_req = NULL; 1510 1511 kfree(drbg->outscratchpadbuf); 1512 drbg->outscratchpadbuf = NULL; 1513 1514 return 0; 1515 } 1516 1517 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1518 { 1519 struct aes_enckey *aeskey; 1520 struct crypto_skcipher *sk_tfm; 1521 struct skcipher_request *req; 1522 unsigned int alignmask; 1523 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1524 1525 aeskey = kzalloc(sizeof(*aeskey), GFP_KERNEL); 1526 if (!aeskey) 1527 return -ENOMEM; 1528 drbg->priv_data = aeskey; 1529 1530 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1531 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1532 drbg_fini_sym_kernel(drbg); 1533 return -EINVAL; 1534 } 1535 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1536 if (IS_ERR(sk_tfm)) { 1537 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1538 ctr_name); 1539 drbg_fini_sym_kernel(drbg); 1540 return PTR_ERR(sk_tfm); 1541 } 1542 drbg->ctr_handle = sk_tfm; 1543 crypto_init_wait(&drbg->ctr_wait); 1544 1545 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1546 if (!req) { 1547 pr_info("DRBG: could not allocate request queue\n"); 1548 drbg_fini_sym_kernel(drbg); 1549 return -ENOMEM; 1550 } 1551 drbg->ctr_req = req; 1552 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1553 CRYPTO_TFM_REQ_MAY_SLEEP, 1554 crypto_req_done, &drbg->ctr_wait); 1555 1556 alignmask = crypto_skcipher_alignmask(sk_tfm); 1557 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1558 GFP_KERNEL); 1559 if (!drbg->outscratchpadbuf) { 1560 drbg_fini_sym_kernel(drbg); 1561 return -ENOMEM; 1562 } 1563 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1564 alignmask + 1); 1565 1566 sg_init_table(&drbg->sg_in, 1); 1567 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1568 1569 return alignmask; 1570 } 1571 1572 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1573 u8 *inbuf, u32 inlen, 1574 u8 *outbuf, u32 outlen) 1575 { 1576 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1577 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1578 int ret; 1579 1580 if (inbuf) { 1581 /* Use caller-provided input buffer */ 1582 sg_set_buf(sg_in, inbuf, inlen); 1583 } else { 1584 /* Use scratchpad for in-place operation */ 1585 inlen = scratchpad_use; 1586 memset(drbg->outscratchpad, 0, scratchpad_use); 1587 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1588 } 1589 1590 while (outlen) { 1591 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1592 1593 /* Output buffer may not be valid for SGL, use scratchpad */ 1594 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1595 cryptlen, drbg->V); 1596 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1597 &drbg->ctr_wait); 1598 if (ret) 1599 goto out; 1600 1601 crypto_init_wait(&drbg->ctr_wait); 1602 1603 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1604 memzero_explicit(drbg->outscratchpad, cryptlen); 1605 1606 outlen -= cryptlen; 1607 outbuf += cryptlen; 1608 } 1609 ret = 0; 1610 1611 out: 1612 return ret; 1613 } 1614 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1615 1616 /*************************************************************** 1617 * Kernel crypto API interface to register DRBG 1618 ***************************************************************/ 1619 1620 /* 1621 * Look up the DRBG flags by given kernel crypto API cra_name 1622 * The code uses the drbg_cores definition to do this 1623 * 1624 * @cra_name kernel crypto API cra_name 1625 * @coreref reference to integer which is filled with the pointer to 1626 * the applicable core 1627 * @pr reference for setting prediction resistance 1628 * 1629 * return: flags 1630 */ 1631 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1632 int *coreref, bool *pr) 1633 { 1634 int i = 0; 1635 size_t start = 0; 1636 int len = 0; 1637 1638 *pr = true; 1639 /* disassemble the names */ 1640 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1641 start = 10; 1642 *pr = false; 1643 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1644 start = 8; 1645 } else { 1646 return; 1647 } 1648 1649 /* remove the first part */ 1650 len = strlen(cra_driver_name) - start; 1651 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1652 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1653 len)) { 1654 *coreref = i; 1655 return; 1656 } 1657 } 1658 } 1659 1660 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1661 { 1662 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1663 1664 mutex_init(&drbg->drbg_mutex); 1665 1666 return 0; 1667 } 1668 1669 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1670 { 1671 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1672 } 1673 1674 /* 1675 * Generate random numbers invoked by the kernel crypto API: 1676 * The API of the kernel crypto API is extended as follows: 1677 * 1678 * src is additional input supplied to the RNG. 1679 * slen is the length of src. 1680 * dst is the output buffer where random data is to be stored. 1681 * dlen is the length of dst. 1682 */ 1683 static int drbg_kcapi_random(struct crypto_rng *tfm, 1684 const u8 *src, unsigned int slen, 1685 u8 *dst, unsigned int dlen) 1686 { 1687 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1688 struct drbg_string *addtl = NULL; 1689 struct drbg_string string; 1690 1691 if (slen) { 1692 /* linked list variable is now local to allow modification */ 1693 drbg_string_fill(&string, src, slen); 1694 addtl = &string; 1695 } 1696 1697 return drbg_generate_long(drbg, dst, dlen, addtl); 1698 } 1699 1700 /* 1701 * Seed the DRBG invoked by the kernel crypto API 1702 */ 1703 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1704 const u8 *seed, unsigned int slen) 1705 { 1706 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1707 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1708 bool pr = false; 1709 struct drbg_string string; 1710 struct drbg_string *seed_string = NULL; 1711 int coreref = 0; 1712 1713 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1714 &pr); 1715 if (0 < slen) { 1716 drbg_string_fill(&string, seed, slen); 1717 seed_string = &string; 1718 } 1719 1720 return drbg_instantiate(drbg, seed_string, coreref, pr); 1721 } 1722 1723 /*************************************************************** 1724 * Kernel module: code to load the module 1725 ***************************************************************/ 1726 1727 /* 1728 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1729 * of the error handling. 1730 * 1731 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1732 * as seed source of get_random_bytes does not fail. 1733 * 1734 * Note 2: There is no sensible way of testing the reseed counter 1735 * enforcement, so skip it. 1736 */ 1737 static inline int __init drbg_healthcheck_sanity(void) 1738 { 1739 int len = 0; 1740 #define OUTBUFLEN 16 1741 unsigned char buf[OUTBUFLEN]; 1742 struct drbg_state *drbg = NULL; 1743 int ret; 1744 int rc = -EFAULT; 1745 bool pr = false; 1746 int coreref = 0; 1747 struct drbg_string addtl; 1748 size_t max_addtllen, max_request_bytes; 1749 1750 /* only perform test in FIPS mode */ 1751 if (!fips_enabled) 1752 return 0; 1753 1754 #ifdef CONFIG_CRYPTO_DRBG_CTR 1755 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 1756 #endif 1757 #ifdef CONFIG_CRYPTO_DRBG_HASH 1758 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1759 #endif 1760 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1761 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 1762 #endif 1763 1764 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1765 if (!drbg) 1766 return -ENOMEM; 1767 1768 guard(mutex_init)(&drbg->drbg_mutex); 1769 drbg->core = &drbg_cores[coreref]; 1770 drbg->reseed_threshold = drbg_max_requests(drbg); 1771 1772 /* 1773 * if the following tests fail, it is likely that there is a buffer 1774 * overflow as buf is much smaller than the requested or provided 1775 * string lengths -- in case the error handling does not succeed 1776 * we may get an OOPS. And we want to get an OOPS as this is a 1777 * grave bug. 1778 */ 1779 1780 max_addtllen = drbg_max_addtl(drbg); 1781 max_request_bytes = drbg_max_request_bytes(drbg); 1782 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1783 /* overflow addtllen with additonal info string */ 1784 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1785 BUG_ON(0 < len); 1786 /* overflow max_bits */ 1787 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1788 BUG_ON(0 < len); 1789 1790 /* overflow max addtllen with personalization string */ 1791 ret = drbg_seed(drbg, &addtl, false); 1792 BUG_ON(0 == ret); 1793 /* all tests passed */ 1794 rc = 0; 1795 1796 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1797 "completed\n"); 1798 1799 kfree(drbg); 1800 return rc; 1801 } 1802 1803 static struct rng_alg drbg_algs[22]; 1804 1805 /* 1806 * Fill the array drbg_algs used to register the different DRBGs 1807 * with the kernel crypto API. To fill the array, the information 1808 * from drbg_cores[] is used. 1809 */ 1810 static inline void __init drbg_fill_array(struct rng_alg *alg, 1811 const struct drbg_core *core, int pr) 1812 { 1813 int pos = 0; 1814 static int priority = 200; 1815 1816 memcpy(alg->base.cra_name, "stdrng", 6); 1817 if (pr) { 1818 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1819 pos = 8; 1820 } else { 1821 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1822 pos = 10; 1823 } 1824 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1825 strlen(core->cra_name)); 1826 1827 alg->base.cra_priority = priority; 1828 priority++; 1829 /* 1830 * If FIPS mode enabled, the selected DRBG shall have the 1831 * highest cra_priority over other stdrng instances to ensure 1832 * it is selected. 1833 */ 1834 if (fips_enabled) 1835 alg->base.cra_priority += 200; 1836 1837 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1838 alg->base.cra_module = THIS_MODULE; 1839 alg->base.cra_init = drbg_kcapi_init; 1840 alg->base.cra_exit = drbg_kcapi_cleanup; 1841 alg->generate = drbg_kcapi_random; 1842 alg->seed = drbg_kcapi_seed; 1843 alg->set_ent = drbg_kcapi_set_entropy; 1844 alg->seedsize = 0; 1845 } 1846 1847 static int __init drbg_init(void) 1848 { 1849 unsigned int i = 0; /* pointer to drbg_algs */ 1850 unsigned int j = 0; /* pointer to drbg_cores */ 1851 int ret; 1852 1853 ret = drbg_healthcheck_sanity(); 1854 if (ret) 1855 return ret; 1856 1857 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1858 pr_info("DRBG: Cannot register all DRBG types" 1859 "(slots needed: %zu, slots available: %zu)\n", 1860 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1861 return -EFAULT; 1862 } 1863 1864 /* 1865 * each DRBG definition can be used with PR and without PR, thus 1866 * we instantiate each DRBG in drbg_cores[] twice. 1867 * 1868 * As the order of placing them into the drbg_algs array matters 1869 * (the later DRBGs receive a higher cra_priority) we register the 1870 * prediction resistance DRBGs first as the should not be too 1871 * interesting. 1872 */ 1873 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1874 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1875 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1876 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1877 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1878 } 1879 1880 static void __exit drbg_exit(void) 1881 { 1882 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1883 } 1884 1885 module_init(drbg_init); 1886 module_exit(drbg_exit); 1887 #ifndef CRYPTO_DRBG_HASH_STRING 1888 #define CRYPTO_DRBG_HASH_STRING "" 1889 #endif 1890 #ifndef CRYPTO_DRBG_HMAC_STRING 1891 #define CRYPTO_DRBG_HMAC_STRING "" 1892 #endif 1893 #ifndef CRYPTO_DRBG_CTR_STRING 1894 #define CRYPTO_DRBG_CTR_STRING "" 1895 #endif 1896 MODULE_LICENSE("GPL"); 1897 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1898 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1899 "using following cores: " 1900 CRYPTO_DRBG_HASH_STRING 1901 CRYPTO_DRBG_HMAC_STRING 1902 CRYPTO_DRBG_CTR_STRING); 1903 MODULE_ALIAS_CRYPTO("stdrng"); 1904 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 1905