xref: /linux/crypto/df_sp80090a.c (revision 69050f8d6d075dc01af7a5f2f550a8067510366f) 
1 // SPDX-License-Identifier: GPL-2.0
2 
3 /*
4  * NIST SP800-90A DRBG derivation function
5  *
6  * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
7  */
8 
9 #include <linux/errno.h>
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/string.h>
13 #include <crypto/aes.h>
14 #include <crypto/df_sp80090a.h>
15 #include <crypto/internal/drbg.h>
16 
17 static void drbg_kcapi_sym(struct aes_enckey *aeskey, unsigned char *outval,
18 			   const struct drbg_string *in, u8 blocklen_bytes)
19 {
20 	/* there is only component in *in */
21 	BUG_ON(in->len < blocklen_bytes);
22 	aes_encrypt(aeskey, outval, in->buf);
23 }
24 
25 /* BCC function for CTR DRBG as defined in 10.4.3 */
26 
27 static void drbg_ctr_bcc(struct aes_enckey *aeskey,
28 			 unsigned char *out, const unsigned char *key,
29 			 struct list_head *in,
30 			 u8 blocklen_bytes,
31 			 u8 keylen)
32 {
33 	struct drbg_string *curr = NULL;
34 	struct drbg_string data;
35 	short cnt = 0;
36 
37 	drbg_string_fill(&data, out, blocklen_bytes);
38 
39 	/* 10.4.3 step 2 / 4 */
40 	aes_prepareenckey(aeskey, key, keylen);
41 	list_for_each_entry(curr, in, list) {
42 		const unsigned char *pos = curr->buf;
43 		size_t len = curr->len;
44 		/* 10.4.3 step 4.1 */
45 		while (len) {
46 			/* 10.4.3 step 4.2 */
47 			if (blocklen_bytes == cnt) {
48 				cnt = 0;
49 				drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
50 			}
51 			out[cnt] ^= *pos;
52 			pos++;
53 			cnt++;
54 			len--;
55 		}
56 	}
57 	/* 10.4.3 step 4.2 for last block */
58 	if (cnt)
59 		drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
60 }
61 
62 /*
63  * scratchpad usage: drbg_ctr_update is interlinked with crypto_drbg_ctr_df
64  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
65  * the scratchpad is used as follows:
66  * drbg_ctr_update:
67  *	temp
68  *		start: drbg->scratchpad
69  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
70  *			note: the cipher writing into this variable works
71  *			blocklen-wise. Now, when the statelen is not a multiple
72  *			of blocklen, the generateion loop below "spills over"
73  *			by at most blocklen. Thus, we need to give sufficient
74  *			memory.
75  *	df_data
76  *		start: drbg->scratchpad +
77  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
78  *		length: drbg_statelen(drbg)
79  *
80  * crypto_drbg_ctr_df:
81  *	pad
82  *		start: df_data + drbg_statelen(drbg)
83  *		length: drbg_blocklen(drbg)
84  *	iv
85  *		start: pad + drbg_blocklen(drbg)
86  *		length: drbg_blocklen(drbg)
87  *	temp
88  *		start: iv + drbg_blocklen(drbg)
89  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
90  *			note: temp is the buffer that the BCC function operates
91  *			on. BCC operates blockwise. drbg_statelen(drbg)
92  *			is sufficient when the DRBG state length is a multiple
93  *			of the block size. For AES192 (and maybe other ciphers)
94  *			this is not correct and the length for temp is
95  *			insufficient (yes, that also means for such ciphers,
96  *			the final output of all BCC rounds are truncated).
97  *			Therefore, add drbg_blocklen(drbg) to cover all
98  *			possibilities.
99  * refer to crypto_drbg_ctr_df_datalen() to get required length
100  */
101 
102 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
103 int crypto_drbg_ctr_df(struct aes_enckey *aeskey,
104 		       unsigned char *df_data, size_t bytes_to_return,
105 		       struct list_head *seedlist,
106 		       u8 blocklen_bytes,
107 		       u8 statelen)
108 {
109 	unsigned char L_N[8];
110 	/* S3 is input */
111 	struct drbg_string S1, S2, S4, cipherin;
112 	LIST_HEAD(bcc_list);
113 	unsigned char *pad = df_data + statelen;
114 	unsigned char *iv = pad + blocklen_bytes;
115 	unsigned char *temp = iv + blocklen_bytes;
116 	size_t padlen = 0;
117 	unsigned int templen = 0;
118 	/* 10.4.2 step 7 */
119 	unsigned int i = 0;
120 	/* 10.4.2 step 8 */
121 	const unsigned char *K = (unsigned char *)
122 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
123 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
124 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
125 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
126 	unsigned char *X;
127 	size_t generated_len = 0;
128 	size_t inputlen = 0;
129 	struct drbg_string *seed = NULL;
130 	u8 keylen;
131 
132 	memset(pad, 0, blocklen_bytes);
133 	memset(iv, 0, blocklen_bytes);
134 	keylen = statelen - blocklen_bytes;
135 	/* 10.4.2 step 1 is implicit as we work byte-wise */
136 
137 	/* 10.4.2 step 2 */
138 	if ((512 / 8) < bytes_to_return)
139 		return -EINVAL;
140 
141 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
142 	list_for_each_entry(seed, seedlist, list)
143 		inputlen += seed->len;
144 	drbg_cpu_to_be32(inputlen, &L_N[0]);
145 
146 	/* 10.4.2 step 3 */
147 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
148 
149 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
150 	padlen = (inputlen + sizeof(L_N) + 1) % (blocklen_bytes);
151 	/* wrap the padlen appropriately */
152 	if (padlen)
153 		padlen = blocklen_bytes - padlen;
154 	/*
155 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
156 	 * As the calculated padlen value only covers the number of zero
157 	 * bytes, this value has to be incremented by one for the 0x80 byte.
158 	 */
159 	padlen++;
160 	pad[0] = 0x80;
161 
162 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
163 	drbg_string_fill(&S1, iv, blocklen_bytes);
164 	list_add_tail(&S1.list, &bcc_list);
165 	drbg_string_fill(&S2, L_N, sizeof(L_N));
166 	list_add_tail(&S2.list, &bcc_list);
167 	list_splice_tail(seedlist, &bcc_list);
168 	drbg_string_fill(&S4, pad, padlen);
169 	list_add_tail(&S4.list, &bcc_list);
170 
171 	/* 10.4.2 step 9 */
172 	while (templen < (keylen + (blocklen_bytes))) {
173 		/*
174 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
175 		 * holds zeros after allocation -- even the increment of i
176 		 * is irrelevant as the increment remains within length of i
177 		 */
178 		drbg_cpu_to_be32(i, iv);
179 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
180 		drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list,
181 			     blocklen_bytes, keylen);
182 		/* 10.4.2 step 9.3 */
183 		i++;
184 		templen += blocklen_bytes;
185 	}
186 
187 	/* 10.4.2 step 11 */
188 	X = temp + (keylen);
189 	drbg_string_fill(&cipherin, X, blocklen_bytes);
190 
191 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
192 
193 	/* 10.4.2 step 13 */
194 	aes_prepareenckey(aeskey, temp, keylen);
195 	while (generated_len < bytes_to_return) {
196 		short blocklen = 0;
197 		/*
198 		 * 10.4.2 step 13.1: the truncation of the key length is
199 		 * implicit as the key is only drbg_blocklen in size based on
200 		 * the implementation of the cipher function callback
201 		 */
202 		drbg_kcapi_sym(aeskey, X, &cipherin, blocklen_bytes);
203 		blocklen = (blocklen_bytes <
204 				(bytes_to_return - generated_len)) ?
205 			    blocklen_bytes :
206 				(bytes_to_return - generated_len);
207 		/* 10.4.2 step 13.2 and 14 */
208 		memcpy(df_data + generated_len, X, blocklen);
209 		generated_len += blocklen;
210 	}
211 
212 	memset(iv, 0, blocklen_bytes);
213 	memset(temp, 0, statelen + blocklen_bytes);
214 	memset(pad, 0, blocklen_bytes);
215 	return 0;
216 }
217 EXPORT_SYMBOL_GPL(crypto_drbg_ctr_df);
218 
219 MODULE_IMPORT_NS("CRYPTO_INTERNAL");
220 MODULE_LICENSE("GPL v2");
221 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
222 MODULE_DESCRIPTION("Derivation Function conformant to SP800-90A");
223