1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/internal/cipher.h> 102 #include <linux/kernel.h> 103 #include <linux/jiffies.h> 104 #include <linux/string_choices.h> 105 106 /*************************************************************** 107 * Backend cipher definitions available to DRBG 108 ***************************************************************/ 109 110 /* 111 * The order of the DRBG definitions here matter: every DRBG is registered 112 * as stdrng. Each DRBG receives an increasing cra_priority values the later 113 * they are defined in this array (see drbg_fill_array). 114 * 115 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 116 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 117 * favored DRBGs are the latest entries in this array. 118 */ 119 static const struct drbg_core drbg_cores[] = { 120 #ifdef CONFIG_CRYPTO_DRBG_CTR 121 { 122 .flags = DRBG_CTR | DRBG_STRENGTH128, 123 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 124 .blocklen_bytes = 16, 125 .cra_name = "ctr_aes128", 126 .backend_cra_name = "aes", 127 }, { 128 .flags = DRBG_CTR | DRBG_STRENGTH192, 129 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 130 .blocklen_bytes = 16, 131 .cra_name = "ctr_aes192", 132 .backend_cra_name = "aes", 133 }, { 134 .flags = DRBG_CTR | DRBG_STRENGTH256, 135 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 136 .blocklen_bytes = 16, 137 .cra_name = "ctr_aes256", 138 .backend_cra_name = "aes", 139 }, 140 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 141 #ifdef CONFIG_CRYPTO_DRBG_HASH 142 { 143 .flags = DRBG_HASH | DRBG_STRENGTH256, 144 .statelen = 111, /* 888 bits */ 145 .blocklen_bytes = 48, 146 .cra_name = "sha384", 147 .backend_cra_name = "sha384", 148 }, { 149 .flags = DRBG_HASH | DRBG_STRENGTH256, 150 .statelen = 111, /* 888 bits */ 151 .blocklen_bytes = 64, 152 .cra_name = "sha512", 153 .backend_cra_name = "sha512", 154 }, { 155 .flags = DRBG_HASH | DRBG_STRENGTH256, 156 .statelen = 55, /* 440 bits */ 157 .blocklen_bytes = 32, 158 .cra_name = "sha256", 159 .backend_cra_name = "sha256", 160 }, 161 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 162 #ifdef CONFIG_CRYPTO_DRBG_HMAC 163 { 164 .flags = DRBG_HMAC | DRBG_STRENGTH256, 165 .statelen = 48, /* block length of cipher */ 166 .blocklen_bytes = 48, 167 .cra_name = "hmac_sha384", 168 .backend_cra_name = "hmac(sha384)", 169 }, { 170 .flags = DRBG_HMAC | DRBG_STRENGTH256, 171 .statelen = 32, /* block length of cipher */ 172 .blocklen_bytes = 32, 173 .cra_name = "hmac_sha256", 174 .backend_cra_name = "hmac(sha256)", 175 }, { 176 .flags = DRBG_HMAC | DRBG_STRENGTH256, 177 .statelen = 64, /* block length of cipher */ 178 .blocklen_bytes = 64, 179 .cra_name = "hmac_sha512", 180 .backend_cra_name = "hmac(sha512)", 181 }, 182 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 183 }; 184 185 static int drbg_uninstantiate(struct drbg_state *drbg); 186 187 /****************************************************************** 188 * Generic helper functions 189 ******************************************************************/ 190 191 /* 192 * Return strength of DRBG according to SP800-90A section 8.4 193 * 194 * @flags DRBG flags reference 195 * 196 * Return: normalized strength in *bytes* value or 32 as default 197 * to counter programming errors 198 */ 199 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 200 { 201 switch (flags & DRBG_STRENGTH_MASK) { 202 case DRBG_STRENGTH128: 203 return 16; 204 case DRBG_STRENGTH192: 205 return 24; 206 case DRBG_STRENGTH256: 207 return 32; 208 default: 209 return 32; 210 } 211 } 212 213 /* 214 * FIPS 140-2 continuous self test for the noise source 215 * The test is performed on the noise source input data. Thus, the function 216 * implicitly knows the size of the buffer to be equal to the security 217 * strength. 218 * 219 * Note, this function disregards the nonce trailing the entropy data during 220 * initial seeding. 221 * 222 * drbg->drbg_mutex must have been taken. 223 * 224 * @drbg DRBG handle 225 * @entropy buffer of seed data to be checked 226 * 227 * return: 228 * 0 on success 229 * -EAGAIN on when the CTRNG is not yet primed 230 * < 0 on error 231 */ 232 static int drbg_fips_continuous_test(struct drbg_state *drbg, 233 const unsigned char *entropy) 234 { 235 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 236 int ret = 0; 237 238 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 239 return 0; 240 241 /* skip test if we test the overall system */ 242 if (list_empty(&drbg->test_data.list)) 243 return 0; 244 /* only perform test in FIPS mode */ 245 if (!fips_enabled) 246 return 0; 247 248 if (!drbg->fips_primed) { 249 /* Priming of FIPS test */ 250 memcpy(drbg->prev, entropy, entropylen); 251 drbg->fips_primed = true; 252 /* priming: another round is needed */ 253 return -EAGAIN; 254 } 255 ret = memcmp(drbg->prev, entropy, entropylen); 256 if (!ret) 257 panic("DRBG continuous self test failed\n"); 258 memcpy(drbg->prev, entropy, entropylen); 259 260 /* the test shall pass when the two values are not equal */ 261 return 0; 262 } 263 264 /* 265 * Convert an integer into a byte representation of this integer. 266 * The byte representation is big-endian 267 * 268 * @val value to be converted 269 * @buf buffer holding the converted integer -- caller must ensure that 270 * buffer size is at least 32 bit 271 */ 272 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 273 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 274 { 275 struct s { 276 __be32 conv; 277 }; 278 struct s *conversion = (struct s *) buf; 279 280 conversion->conv = cpu_to_be32(val); 281 } 282 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 283 284 /****************************************************************** 285 * CTR DRBG callback functions 286 ******************************************************************/ 287 288 #ifdef CONFIG_CRYPTO_DRBG_CTR 289 #define CRYPTO_DRBG_CTR_STRING "CTR " 290 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 291 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 292 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 293 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 294 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 295 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 296 297 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 298 const unsigned char *key); 299 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 300 const struct drbg_string *in); 301 static int drbg_init_sym_kernel(struct drbg_state *drbg); 302 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 303 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 304 u8 *inbuf, u32 inbuflen, 305 u8 *outbuf, u32 outlen); 306 #define DRBG_OUTSCRATCHLEN 256 307 308 /* BCC function for CTR DRBG as defined in 10.4.3 */ 309 static int drbg_ctr_bcc(struct drbg_state *drbg, 310 unsigned char *out, const unsigned char *key, 311 struct list_head *in) 312 { 313 int ret = 0; 314 struct drbg_string *curr = NULL; 315 struct drbg_string data; 316 short cnt = 0; 317 318 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 319 320 /* 10.4.3 step 2 / 4 */ 321 drbg_kcapi_symsetkey(drbg, key); 322 list_for_each_entry(curr, in, list) { 323 const unsigned char *pos = curr->buf; 324 size_t len = curr->len; 325 /* 10.4.3 step 4.1 */ 326 while (len) { 327 /* 10.4.3 step 4.2 */ 328 if (drbg_blocklen(drbg) == cnt) { 329 cnt = 0; 330 ret = drbg_kcapi_sym(drbg, out, &data); 331 if (ret) 332 return ret; 333 } 334 out[cnt] ^= *pos; 335 pos++; 336 cnt++; 337 len--; 338 } 339 } 340 /* 10.4.3 step 4.2 for last block */ 341 if (cnt) 342 ret = drbg_kcapi_sym(drbg, out, &data); 343 344 return ret; 345 } 346 347 /* 348 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 349 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 350 * the scratchpad is used as follows: 351 * drbg_ctr_update: 352 * temp 353 * start: drbg->scratchpad 354 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 355 * note: the cipher writing into this variable works 356 * blocklen-wise. Now, when the statelen is not a multiple 357 * of blocklen, the generateion loop below "spills over" 358 * by at most blocklen. Thus, we need to give sufficient 359 * memory. 360 * df_data 361 * start: drbg->scratchpad + 362 * drbg_statelen(drbg) + drbg_blocklen(drbg) 363 * length: drbg_statelen(drbg) 364 * 365 * drbg_ctr_df: 366 * pad 367 * start: df_data + drbg_statelen(drbg) 368 * length: drbg_blocklen(drbg) 369 * iv 370 * start: pad + drbg_blocklen(drbg) 371 * length: drbg_blocklen(drbg) 372 * temp 373 * start: iv + drbg_blocklen(drbg) 374 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 375 * note: temp is the buffer that the BCC function operates 376 * on. BCC operates blockwise. drbg_statelen(drbg) 377 * is sufficient when the DRBG state length is a multiple 378 * of the block size. For AES192 (and maybe other ciphers) 379 * this is not correct and the length for temp is 380 * insufficient (yes, that also means for such ciphers, 381 * the final output of all BCC rounds are truncated). 382 * Therefore, add drbg_blocklen(drbg) to cover all 383 * possibilities. 384 */ 385 386 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 387 static int drbg_ctr_df(struct drbg_state *drbg, 388 unsigned char *df_data, size_t bytes_to_return, 389 struct list_head *seedlist) 390 { 391 int ret = -EFAULT; 392 unsigned char L_N[8]; 393 /* S3 is input */ 394 struct drbg_string S1, S2, S4, cipherin; 395 LIST_HEAD(bcc_list); 396 unsigned char *pad = df_data + drbg_statelen(drbg); 397 unsigned char *iv = pad + drbg_blocklen(drbg); 398 unsigned char *temp = iv + drbg_blocklen(drbg); 399 size_t padlen = 0; 400 unsigned int templen = 0; 401 /* 10.4.2 step 7 */ 402 unsigned int i = 0; 403 /* 10.4.2 step 8 */ 404 const unsigned char *K = (unsigned char *) 405 "\x00\x01\x02\x03\x04\x05\x06\x07" 406 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 407 "\x10\x11\x12\x13\x14\x15\x16\x17" 408 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 409 unsigned char *X; 410 size_t generated_len = 0; 411 size_t inputlen = 0; 412 struct drbg_string *seed = NULL; 413 414 memset(pad, 0, drbg_blocklen(drbg)); 415 memset(iv, 0, drbg_blocklen(drbg)); 416 417 /* 10.4.2 step 1 is implicit as we work byte-wise */ 418 419 /* 10.4.2 step 2 */ 420 if ((512/8) < bytes_to_return) 421 return -EINVAL; 422 423 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 424 list_for_each_entry(seed, seedlist, list) 425 inputlen += seed->len; 426 drbg_cpu_to_be32(inputlen, &L_N[0]); 427 428 /* 10.4.2 step 3 */ 429 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 430 431 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 432 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 433 /* wrap the padlen appropriately */ 434 if (padlen) 435 padlen = drbg_blocklen(drbg) - padlen; 436 /* 437 * pad / padlen contains the 0x80 byte and the following zero bytes. 438 * As the calculated padlen value only covers the number of zero 439 * bytes, this value has to be incremented by one for the 0x80 byte. 440 */ 441 padlen++; 442 pad[0] = 0x80; 443 444 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 445 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 446 list_add_tail(&S1.list, &bcc_list); 447 drbg_string_fill(&S2, L_N, sizeof(L_N)); 448 list_add_tail(&S2.list, &bcc_list); 449 list_splice_tail(seedlist, &bcc_list); 450 drbg_string_fill(&S4, pad, padlen); 451 list_add_tail(&S4.list, &bcc_list); 452 453 /* 10.4.2 step 9 */ 454 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 455 /* 456 * 10.4.2 step 9.1 - the padding is implicit as the buffer 457 * holds zeros after allocation -- even the increment of i 458 * is irrelevant as the increment remains within length of i 459 */ 460 drbg_cpu_to_be32(i, iv); 461 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 462 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 463 if (ret) 464 goto out; 465 /* 10.4.2 step 9.3 */ 466 i++; 467 templen += drbg_blocklen(drbg); 468 } 469 470 /* 10.4.2 step 11 */ 471 X = temp + (drbg_keylen(drbg)); 472 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 473 474 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 475 476 /* 10.4.2 step 13 */ 477 drbg_kcapi_symsetkey(drbg, temp); 478 while (generated_len < bytes_to_return) { 479 short blocklen = 0; 480 /* 481 * 10.4.2 step 13.1: the truncation of the key length is 482 * implicit as the key is only drbg_blocklen in size based on 483 * the implementation of the cipher function callback 484 */ 485 ret = drbg_kcapi_sym(drbg, X, &cipherin); 486 if (ret) 487 goto out; 488 blocklen = (drbg_blocklen(drbg) < 489 (bytes_to_return - generated_len)) ? 490 drbg_blocklen(drbg) : 491 (bytes_to_return - generated_len); 492 /* 10.4.2 step 13.2 and 14 */ 493 memcpy(df_data + generated_len, X, blocklen); 494 generated_len += blocklen; 495 } 496 497 ret = 0; 498 499 out: 500 memset(iv, 0, drbg_blocklen(drbg)); 501 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 502 memset(pad, 0, drbg_blocklen(drbg)); 503 return ret; 504 } 505 506 /* 507 * update function of CTR DRBG as defined in 10.2.1.2 508 * 509 * The reseed variable has an enhanced meaning compared to the update 510 * functions of the other DRBGs as follows: 511 * 0 => initial seed from initialization 512 * 1 => reseed via drbg_seed 513 * 2 => first invocation from drbg_ctr_update when addtl is present. In 514 * this case, the df_data scratchpad is not deleted so that it is 515 * available for another calls to prevent calling the DF function 516 * again. 517 * 3 => second invocation from drbg_ctr_update. When the update function 518 * was called with addtl, the df_data memory already contains the 519 * DFed addtl information and we do not need to call DF again. 520 */ 521 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 522 int reseed) 523 { 524 int ret = -EFAULT; 525 /* 10.2.1.2 step 1 */ 526 unsigned char *temp = drbg->scratchpad; 527 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 528 drbg_blocklen(drbg); 529 530 if (3 > reseed) 531 memset(df_data, 0, drbg_statelen(drbg)); 532 533 if (!reseed) { 534 /* 535 * The DRBG uses the CTR mode of the underlying AES cipher. The 536 * CTR mode increments the counter value after the AES operation 537 * but SP800-90A requires that the counter is incremented before 538 * the AES operation. Hence, we increment it at the time we set 539 * it by one. 540 */ 541 crypto_inc(drbg->V, drbg_blocklen(drbg)); 542 543 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 544 drbg_keylen(drbg)); 545 if (ret) 546 goto out; 547 } 548 549 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 550 if (seed) { 551 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 552 if (ret) 553 goto out; 554 } 555 556 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 557 temp, drbg_statelen(drbg)); 558 if (ret) 559 return ret; 560 561 /* 10.2.1.2 step 5 */ 562 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 563 drbg_keylen(drbg)); 564 if (ret) 565 goto out; 566 /* 10.2.1.2 step 6 */ 567 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 568 /* See above: increment counter by one to compensate timing of CTR op */ 569 crypto_inc(drbg->V, drbg_blocklen(drbg)); 570 ret = 0; 571 572 out: 573 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 574 if (2 != reseed) 575 memset(df_data, 0, drbg_statelen(drbg)); 576 return ret; 577 } 578 579 /* 580 * scratchpad use: drbg_ctr_update is called independently from 581 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 582 */ 583 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 584 static int drbg_ctr_generate(struct drbg_state *drbg, 585 unsigned char *buf, unsigned int buflen, 586 struct list_head *addtl) 587 { 588 int ret; 589 int len = min_t(int, buflen, INT_MAX); 590 591 /* 10.2.1.5.2 step 2 */ 592 if (addtl && !list_empty(addtl)) { 593 ret = drbg_ctr_update(drbg, addtl, 2); 594 if (ret) 595 return 0; 596 } 597 598 /* 10.2.1.5.2 step 4.1 */ 599 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 600 if (ret) 601 return ret; 602 603 /* 10.2.1.5.2 step 6 */ 604 ret = drbg_ctr_update(drbg, NULL, 3); 605 if (ret) 606 len = ret; 607 608 return len; 609 } 610 611 static const struct drbg_state_ops drbg_ctr_ops = { 612 .update = drbg_ctr_update, 613 .generate = drbg_ctr_generate, 614 .crypto_init = drbg_init_sym_kernel, 615 .crypto_fini = drbg_fini_sym_kernel, 616 }; 617 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 618 619 /****************************************************************** 620 * HMAC DRBG callback functions 621 ******************************************************************/ 622 623 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 624 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 625 const struct list_head *in); 626 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 627 const unsigned char *key); 628 static int drbg_init_hash_kernel(struct drbg_state *drbg); 629 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 630 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 631 632 #ifdef CONFIG_CRYPTO_DRBG_HMAC 633 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 634 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 635 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 636 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 637 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 638 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 639 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 640 641 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 642 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 643 int reseed) 644 { 645 int ret = -EFAULT; 646 int i = 0; 647 struct drbg_string seed1, seed2, vdata; 648 LIST_HEAD(seedlist); 649 LIST_HEAD(vdatalist); 650 651 if (!reseed) { 652 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 653 memset(drbg->V, 1, drbg_statelen(drbg)); 654 drbg_kcapi_hmacsetkey(drbg, drbg->C); 655 } 656 657 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 658 list_add_tail(&seed1.list, &seedlist); 659 /* buffer of seed2 will be filled in for loop below with one byte */ 660 drbg_string_fill(&seed2, NULL, 1); 661 list_add_tail(&seed2.list, &seedlist); 662 /* input data of seed is allowed to be NULL at this point */ 663 if (seed) 664 list_splice_tail(seed, &seedlist); 665 666 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 667 list_add_tail(&vdata.list, &vdatalist); 668 for (i = 2; 0 < i; i--) { 669 /* first round uses 0x0, second 0x1 */ 670 unsigned char prefix = DRBG_PREFIX0; 671 if (1 == i) 672 prefix = DRBG_PREFIX1; 673 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 674 seed2.buf = &prefix; 675 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 676 if (ret) 677 return ret; 678 drbg_kcapi_hmacsetkey(drbg, drbg->C); 679 680 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 681 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 682 if (ret) 683 return ret; 684 685 /* 10.1.2.2 step 3 */ 686 if (!seed) 687 return ret; 688 } 689 690 return 0; 691 } 692 693 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 694 static int drbg_hmac_generate(struct drbg_state *drbg, 695 unsigned char *buf, 696 unsigned int buflen, 697 struct list_head *addtl) 698 { 699 int len = 0; 700 int ret = 0; 701 struct drbg_string data; 702 LIST_HEAD(datalist); 703 704 /* 10.1.2.5 step 2 */ 705 if (addtl && !list_empty(addtl)) { 706 ret = drbg_hmac_update(drbg, addtl, 1); 707 if (ret) 708 return ret; 709 } 710 711 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 712 list_add_tail(&data.list, &datalist); 713 while (len < buflen) { 714 unsigned int outlen = 0; 715 /* 10.1.2.5 step 4.1 */ 716 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 717 if (ret) 718 return ret; 719 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 720 drbg_blocklen(drbg) : (buflen - len); 721 722 /* 10.1.2.5 step 4.2 */ 723 memcpy(buf + len, drbg->V, outlen); 724 len += outlen; 725 } 726 727 /* 10.1.2.5 step 6 */ 728 if (addtl && !list_empty(addtl)) 729 ret = drbg_hmac_update(drbg, addtl, 1); 730 else 731 ret = drbg_hmac_update(drbg, NULL, 1); 732 if (ret) 733 return ret; 734 735 return len; 736 } 737 738 static const struct drbg_state_ops drbg_hmac_ops = { 739 .update = drbg_hmac_update, 740 .generate = drbg_hmac_generate, 741 .crypto_init = drbg_init_hash_kernel, 742 .crypto_fini = drbg_fini_hash_kernel, 743 }; 744 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 745 746 /****************************************************************** 747 * Hash DRBG callback functions 748 ******************************************************************/ 749 750 #ifdef CONFIG_CRYPTO_DRBG_HASH 751 #define CRYPTO_DRBG_HASH_STRING "HASH " 752 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 753 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 754 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 755 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 756 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 757 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 758 759 /* 760 * Increment buffer 761 * 762 * @dst buffer to increment 763 * @add value to add 764 */ 765 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 766 const unsigned char *add, size_t addlen) 767 { 768 /* implied: dstlen > addlen */ 769 unsigned char *dstptr; 770 const unsigned char *addptr; 771 unsigned int remainder = 0; 772 size_t len = addlen; 773 774 dstptr = dst + (dstlen-1); 775 addptr = add + (addlen-1); 776 while (len) { 777 remainder += *dstptr + *addptr; 778 *dstptr = remainder & 0xff; 779 remainder >>= 8; 780 len--; dstptr--; addptr--; 781 } 782 len = dstlen - addlen; 783 while (len && remainder > 0) { 784 remainder = *dstptr + 1; 785 *dstptr = remainder & 0xff; 786 remainder >>= 8; 787 len--; dstptr--; 788 } 789 } 790 791 /* 792 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 793 * interlinked, the scratchpad is used as follows: 794 * drbg_hash_update 795 * start: drbg->scratchpad 796 * length: drbg_statelen(drbg) 797 * drbg_hash_df: 798 * start: drbg->scratchpad + drbg_statelen(drbg) 799 * length: drbg_blocklen(drbg) 800 * 801 * drbg_hash_process_addtl uses the scratchpad, but fully completes 802 * before either of the functions mentioned before are invoked. Therefore, 803 * drbg_hash_process_addtl does not need to be specifically considered. 804 */ 805 806 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 807 static int drbg_hash_df(struct drbg_state *drbg, 808 unsigned char *outval, size_t outlen, 809 struct list_head *entropylist) 810 { 811 int ret = 0; 812 size_t len = 0; 813 unsigned char input[5]; 814 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 815 struct drbg_string data; 816 817 /* 10.4.1 step 3 */ 818 input[0] = 1; 819 drbg_cpu_to_be32((outlen * 8), &input[1]); 820 821 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 822 drbg_string_fill(&data, input, 5); 823 list_add(&data.list, entropylist); 824 825 /* 10.4.1 step 4 */ 826 while (len < outlen) { 827 short blocklen = 0; 828 /* 10.4.1 step 4.1 */ 829 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 830 if (ret) 831 goto out; 832 /* 10.4.1 step 4.2 */ 833 input[0]++; 834 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 835 drbg_blocklen(drbg) : (outlen - len); 836 memcpy(outval + len, tmp, blocklen); 837 len += blocklen; 838 } 839 840 out: 841 memset(tmp, 0, drbg_blocklen(drbg)); 842 return ret; 843 } 844 845 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 846 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 847 int reseed) 848 { 849 int ret = 0; 850 struct drbg_string data1, data2; 851 LIST_HEAD(datalist); 852 LIST_HEAD(datalist2); 853 unsigned char *V = drbg->scratchpad; 854 unsigned char prefix = DRBG_PREFIX1; 855 856 if (!seed) 857 return -EINVAL; 858 859 if (reseed) { 860 /* 10.1.1.3 step 1 */ 861 memcpy(V, drbg->V, drbg_statelen(drbg)); 862 drbg_string_fill(&data1, &prefix, 1); 863 list_add_tail(&data1.list, &datalist); 864 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 865 list_add_tail(&data2.list, &datalist); 866 } 867 list_splice_tail(seed, &datalist); 868 869 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 870 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 871 if (ret) 872 goto out; 873 874 /* 10.1.1.2 / 10.1.1.3 step 4 */ 875 prefix = DRBG_PREFIX0; 876 drbg_string_fill(&data1, &prefix, 1); 877 list_add_tail(&data1.list, &datalist2); 878 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 879 list_add_tail(&data2.list, &datalist2); 880 /* 10.1.1.2 / 10.1.1.3 step 4 */ 881 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 882 883 out: 884 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 885 return ret; 886 } 887 888 /* processing of additional information string for Hash DRBG */ 889 static int drbg_hash_process_addtl(struct drbg_state *drbg, 890 struct list_head *addtl) 891 { 892 int ret = 0; 893 struct drbg_string data1, data2; 894 LIST_HEAD(datalist); 895 unsigned char prefix = DRBG_PREFIX2; 896 897 /* 10.1.1.4 step 2 */ 898 if (!addtl || list_empty(addtl)) 899 return 0; 900 901 /* 10.1.1.4 step 2a */ 902 drbg_string_fill(&data1, &prefix, 1); 903 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 904 list_add_tail(&data1.list, &datalist); 905 list_add_tail(&data2.list, &datalist); 906 list_splice_tail(addtl, &datalist); 907 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 908 if (ret) 909 goto out; 910 911 /* 10.1.1.4 step 2b */ 912 drbg_add_buf(drbg->V, drbg_statelen(drbg), 913 drbg->scratchpad, drbg_blocklen(drbg)); 914 915 out: 916 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 917 return ret; 918 } 919 920 /* Hashgen defined in 10.1.1.4 */ 921 static int drbg_hash_hashgen(struct drbg_state *drbg, 922 unsigned char *buf, 923 unsigned int buflen) 924 { 925 int len = 0; 926 int ret = 0; 927 unsigned char *src = drbg->scratchpad; 928 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 929 struct drbg_string data; 930 LIST_HEAD(datalist); 931 932 /* 10.1.1.4 step hashgen 2 */ 933 memcpy(src, drbg->V, drbg_statelen(drbg)); 934 935 drbg_string_fill(&data, src, drbg_statelen(drbg)); 936 list_add_tail(&data.list, &datalist); 937 while (len < buflen) { 938 unsigned int outlen = 0; 939 /* 10.1.1.4 step hashgen 4.1 */ 940 ret = drbg_kcapi_hash(drbg, dst, &datalist); 941 if (ret) { 942 len = ret; 943 goto out; 944 } 945 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 946 drbg_blocklen(drbg) : (buflen - len); 947 /* 10.1.1.4 step hashgen 4.2 */ 948 memcpy(buf + len, dst, outlen); 949 len += outlen; 950 /* 10.1.1.4 hashgen step 4.3 */ 951 if (len < buflen) 952 crypto_inc(src, drbg_statelen(drbg)); 953 } 954 955 out: 956 memset(drbg->scratchpad, 0, 957 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 958 return len; 959 } 960 961 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 962 static int drbg_hash_generate(struct drbg_state *drbg, 963 unsigned char *buf, unsigned int buflen, 964 struct list_head *addtl) 965 { 966 int len = 0; 967 int ret = 0; 968 union { 969 unsigned char req[8]; 970 __be64 req_int; 971 } u; 972 unsigned char prefix = DRBG_PREFIX3; 973 struct drbg_string data1, data2; 974 LIST_HEAD(datalist); 975 976 /* 10.1.1.4 step 2 */ 977 ret = drbg_hash_process_addtl(drbg, addtl); 978 if (ret) 979 return ret; 980 /* 10.1.1.4 step 3 */ 981 len = drbg_hash_hashgen(drbg, buf, buflen); 982 983 /* this is the value H as documented in 10.1.1.4 */ 984 /* 10.1.1.4 step 4 */ 985 drbg_string_fill(&data1, &prefix, 1); 986 list_add_tail(&data1.list, &datalist); 987 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 988 list_add_tail(&data2.list, &datalist); 989 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 990 if (ret) { 991 len = ret; 992 goto out; 993 } 994 995 /* 10.1.1.4 step 5 */ 996 drbg_add_buf(drbg->V, drbg_statelen(drbg), 997 drbg->scratchpad, drbg_blocklen(drbg)); 998 drbg_add_buf(drbg->V, drbg_statelen(drbg), 999 drbg->C, drbg_statelen(drbg)); 1000 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1001 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1002 1003 out: 1004 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1005 return len; 1006 } 1007 1008 /* 1009 * scratchpad usage: as update and generate are used isolated, both 1010 * can use the scratchpad 1011 */ 1012 static const struct drbg_state_ops drbg_hash_ops = { 1013 .update = drbg_hash_update, 1014 .generate = drbg_hash_generate, 1015 .crypto_init = drbg_init_hash_kernel, 1016 .crypto_fini = drbg_fini_hash_kernel, 1017 }; 1018 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1019 1020 /****************************************************************** 1021 * Functions common for DRBG implementations 1022 ******************************************************************/ 1023 1024 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1025 int reseed, enum drbg_seed_state new_seed_state) 1026 { 1027 int ret = drbg->d_ops->update(drbg, seed, reseed); 1028 1029 if (ret) 1030 return ret; 1031 1032 drbg->seeded = new_seed_state; 1033 drbg->last_seed_time = jiffies; 1034 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1035 drbg->reseed_ctr = 1; 1036 1037 switch (drbg->seeded) { 1038 case DRBG_SEED_STATE_UNSEEDED: 1039 /* Impossible, but handle it to silence compiler warnings. */ 1040 fallthrough; 1041 case DRBG_SEED_STATE_PARTIAL: 1042 /* 1043 * Require frequent reseeds until the seed source is 1044 * fully initialized. 1045 */ 1046 drbg->reseed_threshold = 50; 1047 break; 1048 1049 case DRBG_SEED_STATE_FULL: 1050 /* 1051 * Seed source has become fully initialized, frequent 1052 * reseeds no longer required. 1053 */ 1054 drbg->reseed_threshold = drbg_max_requests(drbg); 1055 break; 1056 } 1057 1058 return ret; 1059 } 1060 1061 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 1062 unsigned char *entropy, 1063 unsigned int entropylen) 1064 { 1065 int ret; 1066 1067 do { 1068 get_random_bytes(entropy, entropylen); 1069 ret = drbg_fips_continuous_test(drbg, entropy); 1070 if (ret && ret != -EAGAIN) 1071 return ret; 1072 } while (ret); 1073 1074 return 0; 1075 } 1076 1077 static int drbg_seed_from_random(struct drbg_state *drbg) 1078 { 1079 struct drbg_string data; 1080 LIST_HEAD(seedlist); 1081 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1082 unsigned char entropy[32]; 1083 int ret; 1084 1085 BUG_ON(!entropylen); 1086 BUG_ON(entropylen > sizeof(entropy)); 1087 1088 drbg_string_fill(&data, entropy, entropylen); 1089 list_add_tail(&data.list, &seedlist); 1090 1091 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1092 if (ret) 1093 goto out; 1094 1095 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 1096 1097 out: 1098 memzero_explicit(entropy, entropylen); 1099 return ret; 1100 } 1101 1102 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 1103 { 1104 unsigned long next_reseed; 1105 1106 /* Don't ever reseed from get_random_bytes() in test mode. */ 1107 if (list_empty(&drbg->test_data.list)) 1108 return false; 1109 1110 /* 1111 * Obtain fresh entropy for the nopr DRBGs after 300s have 1112 * elapsed in order to still achieve sort of partial 1113 * prediction resistance over the time domain at least. Note 1114 * that the period of 300s has been chosen to match the 1115 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 1116 * rngs. 1117 */ 1118 next_reseed = drbg->last_seed_time + 300 * HZ; 1119 return time_after(jiffies, next_reseed); 1120 } 1121 1122 /* 1123 * Seeding or reseeding of the DRBG 1124 * 1125 * @drbg: DRBG state struct 1126 * @pers: personalization / additional information buffer 1127 * @reseed: 0 for initial seed process, 1 for reseeding 1128 * 1129 * return: 1130 * 0 on success 1131 * error value otherwise 1132 */ 1133 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1134 bool reseed) 1135 { 1136 int ret; 1137 unsigned char entropy[((32 + 16) * 2)]; 1138 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1139 struct drbg_string data1; 1140 LIST_HEAD(seedlist); 1141 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 1142 1143 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1144 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1145 pr_devel("DRBG: personalization string too long %zu\n", 1146 pers->len); 1147 return -EINVAL; 1148 } 1149 1150 if (list_empty(&drbg->test_data.list)) { 1151 drbg_string_fill(&data1, drbg->test_data.buf, 1152 drbg->test_data.len); 1153 pr_devel("DRBG: using test entropy\n"); 1154 } else { 1155 /* 1156 * Gather entropy equal to the security strength of the DRBG. 1157 * With a derivation function, a nonce is required in addition 1158 * to the entropy. A nonce must be at least 1/2 of the security 1159 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1160 * of the strength. The consideration of a nonce is only 1161 * applicable during initial seeding. 1162 */ 1163 BUG_ON(!entropylen); 1164 if (!reseed) 1165 entropylen = ((entropylen + 1) / 2) * 3; 1166 BUG_ON((entropylen * 2) > sizeof(entropy)); 1167 1168 /* Get seed from in-kernel /dev/urandom */ 1169 if (!rng_is_initialized()) 1170 new_seed_state = DRBG_SEED_STATE_PARTIAL; 1171 1172 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1173 if (ret) 1174 goto out; 1175 1176 if (!drbg->jent) { 1177 drbg_string_fill(&data1, entropy, entropylen); 1178 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1179 entropylen); 1180 } else { 1181 /* 1182 * Get seed from Jitter RNG, failures are 1183 * fatal only in FIPS mode. 1184 */ 1185 ret = crypto_rng_get_bytes(drbg->jent, 1186 entropy + entropylen, 1187 entropylen); 1188 if (fips_enabled && ret) { 1189 pr_devel("DRBG: jent failed with %d\n", ret); 1190 1191 /* 1192 * Do not treat the transient failure of the 1193 * Jitter RNG as an error that needs to be 1194 * reported. The combined number of the 1195 * maximum reseed threshold times the maximum 1196 * number of Jitter RNG transient errors is 1197 * less than the reseed threshold required by 1198 * SP800-90A allowing us to treat the 1199 * transient errors as such. 1200 * 1201 * However, we mandate that at least the first 1202 * seeding operation must succeed with the 1203 * Jitter RNG. 1204 */ 1205 if (!reseed || ret != -EAGAIN) 1206 goto out; 1207 } 1208 1209 drbg_string_fill(&data1, entropy, entropylen * 2); 1210 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1211 entropylen * 2); 1212 } 1213 } 1214 list_add_tail(&data1.list, &seedlist); 1215 1216 /* 1217 * concatenation of entropy with personalization str / addtl input) 1218 * the variable pers is directly handed in by the caller, so check its 1219 * contents whether it is appropriate 1220 */ 1221 if (pers && pers->buf && 0 < pers->len) { 1222 list_add_tail(&pers->list, &seedlist); 1223 pr_devel("DRBG: using personalization string\n"); 1224 } 1225 1226 if (!reseed) { 1227 memset(drbg->V, 0, drbg_statelen(drbg)); 1228 memset(drbg->C, 0, drbg_statelen(drbg)); 1229 } 1230 1231 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1232 1233 out: 1234 memzero_explicit(entropy, entropylen * 2); 1235 1236 return ret; 1237 } 1238 1239 /* Free all substructures in a DRBG state without the DRBG state structure */ 1240 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1241 { 1242 if (!drbg) 1243 return; 1244 kfree_sensitive(drbg->Vbuf); 1245 drbg->Vbuf = NULL; 1246 drbg->V = NULL; 1247 kfree_sensitive(drbg->Cbuf); 1248 drbg->Cbuf = NULL; 1249 drbg->C = NULL; 1250 kfree_sensitive(drbg->scratchpadbuf); 1251 drbg->scratchpadbuf = NULL; 1252 drbg->reseed_ctr = 0; 1253 drbg->d_ops = NULL; 1254 drbg->core = NULL; 1255 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1256 kfree_sensitive(drbg->prev); 1257 drbg->prev = NULL; 1258 drbg->fips_primed = false; 1259 } 1260 } 1261 1262 /* 1263 * Allocate all sub-structures for a DRBG state. 1264 * The DRBG state structure must already be allocated. 1265 */ 1266 static inline int drbg_alloc_state(struct drbg_state *drbg) 1267 { 1268 int ret = -ENOMEM; 1269 unsigned int sb_size = 0; 1270 1271 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1272 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1273 case DRBG_HMAC: 1274 drbg->d_ops = &drbg_hmac_ops; 1275 break; 1276 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1277 #ifdef CONFIG_CRYPTO_DRBG_HASH 1278 case DRBG_HASH: 1279 drbg->d_ops = &drbg_hash_ops; 1280 break; 1281 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1282 #ifdef CONFIG_CRYPTO_DRBG_CTR 1283 case DRBG_CTR: 1284 drbg->d_ops = &drbg_ctr_ops; 1285 break; 1286 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1287 default: 1288 ret = -EOPNOTSUPP; 1289 goto err; 1290 } 1291 1292 ret = drbg->d_ops->crypto_init(drbg); 1293 if (ret < 0) 1294 goto err; 1295 1296 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1297 if (!drbg->Vbuf) { 1298 ret = -ENOMEM; 1299 goto fini; 1300 } 1301 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1302 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1303 if (!drbg->Cbuf) { 1304 ret = -ENOMEM; 1305 goto fini; 1306 } 1307 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1308 /* scratchpad is only generated for CTR and Hash */ 1309 if (drbg->core->flags & DRBG_HMAC) 1310 sb_size = 0; 1311 else if (drbg->core->flags & DRBG_CTR) 1312 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1313 drbg_statelen(drbg) + /* df_data */ 1314 drbg_blocklen(drbg) + /* pad */ 1315 drbg_blocklen(drbg) + /* iv */ 1316 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1317 else 1318 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1319 1320 if (0 < sb_size) { 1321 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1322 if (!drbg->scratchpadbuf) { 1323 ret = -ENOMEM; 1324 goto fini; 1325 } 1326 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1327 } 1328 1329 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1330 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1331 GFP_KERNEL); 1332 if (!drbg->prev) { 1333 ret = -ENOMEM; 1334 goto fini; 1335 } 1336 drbg->fips_primed = false; 1337 } 1338 1339 return 0; 1340 1341 fini: 1342 drbg->d_ops->crypto_fini(drbg); 1343 err: 1344 drbg_dealloc_state(drbg); 1345 return ret; 1346 } 1347 1348 /************************************************************************* 1349 * DRBG interface functions 1350 *************************************************************************/ 1351 1352 /* 1353 * DRBG generate function as required by SP800-90A - this function 1354 * generates random numbers 1355 * 1356 * @drbg DRBG state handle 1357 * @buf Buffer where to store the random numbers -- the buffer must already 1358 * be pre-allocated by caller 1359 * @buflen Length of output buffer - this value defines the number of random 1360 * bytes pulled from DRBG 1361 * @addtl Additional input that is mixed into state, may be NULL -- note 1362 * the entropy is pulled by the DRBG internally unconditionally 1363 * as defined in SP800-90A. The additional input is mixed into 1364 * the state in addition to the pulled entropy. 1365 * 1366 * return: 0 when all bytes are generated; < 0 in case of an error 1367 */ 1368 static int drbg_generate(struct drbg_state *drbg, 1369 unsigned char *buf, unsigned int buflen, 1370 struct drbg_string *addtl) 1371 { 1372 int len = 0; 1373 LIST_HEAD(addtllist); 1374 1375 if (!drbg->core) { 1376 pr_devel("DRBG: not yet seeded\n"); 1377 return -EINVAL; 1378 } 1379 if (0 == buflen || !buf) { 1380 pr_devel("DRBG: no output buffer provided\n"); 1381 return -EINVAL; 1382 } 1383 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1384 pr_devel("DRBG: wrong format of additional information\n"); 1385 return -EINVAL; 1386 } 1387 1388 /* 9.3.1 step 2 */ 1389 len = -EINVAL; 1390 if (buflen > (drbg_max_request_bytes(drbg))) { 1391 pr_devel("DRBG: requested random numbers too large %u\n", 1392 buflen); 1393 goto err; 1394 } 1395 1396 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1397 1398 /* 9.3.1 step 4 */ 1399 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1400 pr_devel("DRBG: additional information string too long %zu\n", 1401 addtl->len); 1402 goto err; 1403 } 1404 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1405 1406 /* 1407 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1408 * here. The spec is a bit convoluted here, we make it simpler. 1409 */ 1410 if (drbg->reseed_threshold < drbg->reseed_ctr) 1411 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1412 1413 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1414 pr_devel("DRBG: reseeding before generation (prediction " 1415 "resistance: %s, state %s)\n", 1416 str_true_false(drbg->pr), 1417 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1418 "seeded" : "unseeded")); 1419 /* 9.3.1 steps 7.1 through 7.3 */ 1420 len = drbg_seed(drbg, addtl, true); 1421 if (len) 1422 goto err; 1423 /* 9.3.1 step 7.4 */ 1424 addtl = NULL; 1425 } else if (rng_is_initialized() && 1426 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1427 drbg_nopr_reseed_interval_elapsed(drbg))) { 1428 len = drbg_seed_from_random(drbg); 1429 if (len) 1430 goto err; 1431 } 1432 1433 if (addtl && 0 < addtl->len) 1434 list_add_tail(&addtl->list, &addtllist); 1435 /* 9.3.1 step 8 and 10 */ 1436 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1437 1438 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1439 drbg->reseed_ctr++; 1440 if (0 >= len) 1441 goto err; 1442 1443 /* 1444 * Section 11.3.3 requires to re-perform self tests after some 1445 * generated random numbers. The chosen value after which self 1446 * test is performed is arbitrary, but it should be reasonable. 1447 * However, we do not perform the self tests because of the following 1448 * reasons: it is mathematically impossible that the initial self tests 1449 * were successfully and the following are not. If the initial would 1450 * pass and the following would not, the kernel integrity is violated. 1451 * In this case, the entire kernel operation is questionable and it 1452 * is unlikely that the integrity violation only affects the 1453 * correct operation of the DRBG. 1454 * 1455 * Albeit the following code is commented out, it is provided in 1456 * case somebody has a need to implement the test of 11.3.3. 1457 */ 1458 #if 0 1459 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1460 int err = 0; 1461 pr_devel("DRBG: start to perform self test\n"); 1462 if (drbg->core->flags & DRBG_HMAC) 1463 err = alg_test("drbg_pr_hmac_sha512", 1464 "drbg_pr_hmac_sha512", 0, 0); 1465 else if (drbg->core->flags & DRBG_CTR) 1466 err = alg_test("drbg_pr_ctr_aes256", 1467 "drbg_pr_ctr_aes256", 0, 0); 1468 else 1469 err = alg_test("drbg_pr_sha256", 1470 "drbg_pr_sha256", 0, 0); 1471 if (err) { 1472 pr_err("DRBG: periodical self test failed\n"); 1473 /* 1474 * uninstantiate implies that from now on, only errors 1475 * are returned when reusing this DRBG cipher handle 1476 */ 1477 drbg_uninstantiate(drbg); 1478 return 0; 1479 } else { 1480 pr_devel("DRBG: self test successful\n"); 1481 } 1482 } 1483 #endif 1484 1485 /* 1486 * All operations were successful, return 0 as mandated by 1487 * the kernel crypto API interface. 1488 */ 1489 len = 0; 1490 err: 1491 return len; 1492 } 1493 1494 /* 1495 * Wrapper around drbg_generate which can pull arbitrary long strings 1496 * from the DRBG without hitting the maximum request limitation. 1497 * 1498 * Parameters: see drbg_generate 1499 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1500 * the entire drbg_generate_long request fails 1501 */ 1502 static int drbg_generate_long(struct drbg_state *drbg, 1503 unsigned char *buf, unsigned int buflen, 1504 struct drbg_string *addtl) 1505 { 1506 unsigned int len = 0; 1507 unsigned int slice = 0; 1508 do { 1509 int err = 0; 1510 unsigned int chunk = 0; 1511 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1512 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1513 mutex_lock(&drbg->drbg_mutex); 1514 err = drbg_generate(drbg, buf + len, chunk, addtl); 1515 mutex_unlock(&drbg->drbg_mutex); 1516 if (0 > err) 1517 return err; 1518 len += chunk; 1519 } while (slice > 0 && (len < buflen)); 1520 return 0; 1521 } 1522 1523 static int drbg_prepare_hrng(struct drbg_state *drbg) 1524 { 1525 /* We do not need an HRNG in test mode. */ 1526 if (list_empty(&drbg->test_data.list)) 1527 return 0; 1528 1529 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1530 if (IS_ERR(drbg->jent)) { 1531 const int err = PTR_ERR(drbg->jent); 1532 1533 drbg->jent = NULL; 1534 if (fips_enabled) 1535 return err; 1536 pr_info("DRBG: Continuing without Jitter RNG\n"); 1537 } 1538 1539 return 0; 1540 } 1541 1542 /* 1543 * DRBG instantiation function as required by SP800-90A - this function 1544 * sets up the DRBG handle, performs the initial seeding and all sanity 1545 * checks required by SP800-90A 1546 * 1547 * @drbg memory of state -- if NULL, new memory is allocated 1548 * @pers Personalization string that is mixed into state, may be NULL -- note 1549 * the entropy is pulled by the DRBG internally unconditionally 1550 * as defined in SP800-90A. The additional input is mixed into 1551 * the state in addition to the pulled entropy. 1552 * @coreref reference to core 1553 * @pr prediction resistance enabled 1554 * 1555 * return 1556 * 0 on success 1557 * error value otherwise 1558 */ 1559 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1560 int coreref, bool pr) 1561 { 1562 int ret; 1563 bool reseed = true; 1564 1565 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1566 "%s\n", coreref, str_enabled_disabled(pr)); 1567 mutex_lock(&drbg->drbg_mutex); 1568 1569 /* 9.1 step 1 is implicit with the selected DRBG type */ 1570 1571 /* 1572 * 9.1 step 2 is implicit as caller can select prediction resistance 1573 * and the flag is copied into drbg->flags -- 1574 * all DRBG types support prediction resistance 1575 */ 1576 1577 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1578 1579 if (!drbg->core) { 1580 drbg->core = &drbg_cores[coreref]; 1581 drbg->pr = pr; 1582 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1583 drbg->last_seed_time = 0; 1584 drbg->reseed_threshold = drbg_max_requests(drbg); 1585 1586 ret = drbg_alloc_state(drbg); 1587 if (ret) 1588 goto unlock; 1589 1590 ret = drbg_prepare_hrng(drbg); 1591 if (ret) 1592 goto free_everything; 1593 1594 reseed = false; 1595 } 1596 1597 ret = drbg_seed(drbg, pers, reseed); 1598 1599 if (ret && !reseed) 1600 goto free_everything; 1601 1602 mutex_unlock(&drbg->drbg_mutex); 1603 return ret; 1604 1605 unlock: 1606 mutex_unlock(&drbg->drbg_mutex); 1607 return ret; 1608 1609 free_everything: 1610 mutex_unlock(&drbg->drbg_mutex); 1611 drbg_uninstantiate(drbg); 1612 return ret; 1613 } 1614 1615 /* 1616 * DRBG uninstantiate function as required by SP800-90A - this function 1617 * frees all buffers and the DRBG handle 1618 * 1619 * @drbg DRBG state handle 1620 * 1621 * return 1622 * 0 on success 1623 */ 1624 static int drbg_uninstantiate(struct drbg_state *drbg) 1625 { 1626 if (!IS_ERR_OR_NULL(drbg->jent)) 1627 crypto_free_rng(drbg->jent); 1628 drbg->jent = NULL; 1629 1630 if (drbg->d_ops) 1631 drbg->d_ops->crypto_fini(drbg); 1632 drbg_dealloc_state(drbg); 1633 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1634 return 0; 1635 } 1636 1637 /* 1638 * Helper function for setting the test data in the DRBG 1639 * 1640 * @drbg DRBG state handle 1641 * @data test data 1642 * @len test data length 1643 */ 1644 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1645 const u8 *data, unsigned int len) 1646 { 1647 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1648 1649 mutex_lock(&drbg->drbg_mutex); 1650 drbg_string_fill(&drbg->test_data, data, len); 1651 mutex_unlock(&drbg->drbg_mutex); 1652 } 1653 1654 /*************************************************************** 1655 * Kernel crypto API cipher invocations requested by DRBG 1656 ***************************************************************/ 1657 1658 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1659 struct sdesc { 1660 struct shash_desc shash; 1661 char ctx[]; 1662 }; 1663 1664 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1665 { 1666 struct sdesc *sdesc; 1667 struct crypto_shash *tfm; 1668 1669 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1670 if (IS_ERR(tfm)) { 1671 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1672 drbg->core->backend_cra_name); 1673 return PTR_ERR(tfm); 1674 } 1675 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1676 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1677 GFP_KERNEL); 1678 if (!sdesc) { 1679 crypto_free_shash(tfm); 1680 return -ENOMEM; 1681 } 1682 1683 sdesc->shash.tfm = tfm; 1684 drbg->priv_data = sdesc; 1685 1686 return 0; 1687 } 1688 1689 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1690 { 1691 struct sdesc *sdesc = drbg->priv_data; 1692 if (sdesc) { 1693 crypto_free_shash(sdesc->shash.tfm); 1694 kfree_sensitive(sdesc); 1695 } 1696 drbg->priv_data = NULL; 1697 return 0; 1698 } 1699 1700 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1701 const unsigned char *key) 1702 { 1703 struct sdesc *sdesc = drbg->priv_data; 1704 1705 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1706 } 1707 1708 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1709 const struct list_head *in) 1710 { 1711 struct sdesc *sdesc = drbg->priv_data; 1712 struct drbg_string *input = NULL; 1713 1714 crypto_shash_init(&sdesc->shash); 1715 list_for_each_entry(input, in, list) 1716 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1717 return crypto_shash_final(&sdesc->shash, outval); 1718 } 1719 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1720 1721 #ifdef CONFIG_CRYPTO_DRBG_CTR 1722 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1723 { 1724 struct crypto_cipher *tfm = 1725 (struct crypto_cipher *)drbg->priv_data; 1726 if (tfm) 1727 crypto_free_cipher(tfm); 1728 drbg->priv_data = NULL; 1729 1730 if (drbg->ctr_handle) 1731 crypto_free_skcipher(drbg->ctr_handle); 1732 drbg->ctr_handle = NULL; 1733 1734 if (drbg->ctr_req) 1735 skcipher_request_free(drbg->ctr_req); 1736 drbg->ctr_req = NULL; 1737 1738 kfree(drbg->outscratchpadbuf); 1739 drbg->outscratchpadbuf = NULL; 1740 1741 return 0; 1742 } 1743 1744 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1745 { 1746 struct crypto_cipher *tfm; 1747 struct crypto_skcipher *sk_tfm; 1748 struct skcipher_request *req; 1749 unsigned int alignmask; 1750 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1751 1752 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1753 if (IS_ERR(tfm)) { 1754 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1755 drbg->core->backend_cra_name); 1756 return PTR_ERR(tfm); 1757 } 1758 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1759 drbg->priv_data = tfm; 1760 1761 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1762 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1763 drbg_fini_sym_kernel(drbg); 1764 return -EINVAL; 1765 } 1766 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1767 if (IS_ERR(sk_tfm)) { 1768 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1769 ctr_name); 1770 drbg_fini_sym_kernel(drbg); 1771 return PTR_ERR(sk_tfm); 1772 } 1773 drbg->ctr_handle = sk_tfm; 1774 crypto_init_wait(&drbg->ctr_wait); 1775 1776 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1777 if (!req) { 1778 pr_info("DRBG: could not allocate request queue\n"); 1779 drbg_fini_sym_kernel(drbg); 1780 return -ENOMEM; 1781 } 1782 drbg->ctr_req = req; 1783 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1784 CRYPTO_TFM_REQ_MAY_SLEEP, 1785 crypto_req_done, &drbg->ctr_wait); 1786 1787 alignmask = crypto_skcipher_alignmask(sk_tfm); 1788 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1789 GFP_KERNEL); 1790 if (!drbg->outscratchpadbuf) { 1791 drbg_fini_sym_kernel(drbg); 1792 return -ENOMEM; 1793 } 1794 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1795 alignmask + 1); 1796 1797 sg_init_table(&drbg->sg_in, 1); 1798 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1799 1800 return alignmask; 1801 } 1802 1803 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1804 const unsigned char *key) 1805 { 1806 struct crypto_cipher *tfm = drbg->priv_data; 1807 1808 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1809 } 1810 1811 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1812 const struct drbg_string *in) 1813 { 1814 struct crypto_cipher *tfm = drbg->priv_data; 1815 1816 /* there is only component in *in */ 1817 BUG_ON(in->len < drbg_blocklen(drbg)); 1818 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1819 return 0; 1820 } 1821 1822 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1823 u8 *inbuf, u32 inlen, 1824 u8 *outbuf, u32 outlen) 1825 { 1826 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1827 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1828 int ret; 1829 1830 if (inbuf) { 1831 /* Use caller-provided input buffer */ 1832 sg_set_buf(sg_in, inbuf, inlen); 1833 } else { 1834 /* Use scratchpad for in-place operation */ 1835 inlen = scratchpad_use; 1836 memset(drbg->outscratchpad, 0, scratchpad_use); 1837 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1838 } 1839 1840 while (outlen) { 1841 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1842 1843 /* Output buffer may not be valid for SGL, use scratchpad */ 1844 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1845 cryptlen, drbg->V); 1846 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1847 &drbg->ctr_wait); 1848 if (ret) 1849 goto out; 1850 1851 crypto_init_wait(&drbg->ctr_wait); 1852 1853 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1854 memzero_explicit(drbg->outscratchpad, cryptlen); 1855 1856 outlen -= cryptlen; 1857 outbuf += cryptlen; 1858 } 1859 ret = 0; 1860 1861 out: 1862 return ret; 1863 } 1864 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1865 1866 /*************************************************************** 1867 * Kernel crypto API interface to register DRBG 1868 ***************************************************************/ 1869 1870 /* 1871 * Look up the DRBG flags by given kernel crypto API cra_name 1872 * The code uses the drbg_cores definition to do this 1873 * 1874 * @cra_name kernel crypto API cra_name 1875 * @coreref reference to integer which is filled with the pointer to 1876 * the applicable core 1877 * @pr reference for setting prediction resistance 1878 * 1879 * return: flags 1880 */ 1881 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1882 int *coreref, bool *pr) 1883 { 1884 int i = 0; 1885 size_t start = 0; 1886 int len = 0; 1887 1888 *pr = true; 1889 /* disassemble the names */ 1890 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1891 start = 10; 1892 *pr = false; 1893 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1894 start = 8; 1895 } else { 1896 return; 1897 } 1898 1899 /* remove the first part */ 1900 len = strlen(cra_driver_name) - start; 1901 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1902 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1903 len)) { 1904 *coreref = i; 1905 return; 1906 } 1907 } 1908 } 1909 1910 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1911 { 1912 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1913 1914 mutex_init(&drbg->drbg_mutex); 1915 1916 return 0; 1917 } 1918 1919 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1920 { 1921 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1922 } 1923 1924 /* 1925 * Generate random numbers invoked by the kernel crypto API: 1926 * The API of the kernel crypto API is extended as follows: 1927 * 1928 * src is additional input supplied to the RNG. 1929 * slen is the length of src. 1930 * dst is the output buffer where random data is to be stored. 1931 * dlen is the length of dst. 1932 */ 1933 static int drbg_kcapi_random(struct crypto_rng *tfm, 1934 const u8 *src, unsigned int slen, 1935 u8 *dst, unsigned int dlen) 1936 { 1937 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1938 struct drbg_string *addtl = NULL; 1939 struct drbg_string string; 1940 1941 if (slen) { 1942 /* linked list variable is now local to allow modification */ 1943 drbg_string_fill(&string, src, slen); 1944 addtl = &string; 1945 } 1946 1947 return drbg_generate_long(drbg, dst, dlen, addtl); 1948 } 1949 1950 /* 1951 * Seed the DRBG invoked by the kernel crypto API 1952 */ 1953 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1954 const u8 *seed, unsigned int slen) 1955 { 1956 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1957 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1958 bool pr = false; 1959 struct drbg_string string; 1960 struct drbg_string *seed_string = NULL; 1961 int coreref = 0; 1962 1963 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1964 &pr); 1965 if (0 < slen) { 1966 drbg_string_fill(&string, seed, slen); 1967 seed_string = &string; 1968 } 1969 1970 return drbg_instantiate(drbg, seed_string, coreref, pr); 1971 } 1972 1973 /*************************************************************** 1974 * Kernel module: code to load the module 1975 ***************************************************************/ 1976 1977 /* 1978 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1979 * of the error handling. 1980 * 1981 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1982 * as seed source of get_random_bytes does not fail. 1983 * 1984 * Note 2: There is no sensible way of testing the reseed counter 1985 * enforcement, so skip it. 1986 */ 1987 static inline int __init drbg_healthcheck_sanity(void) 1988 { 1989 int len = 0; 1990 #define OUTBUFLEN 16 1991 unsigned char buf[OUTBUFLEN]; 1992 struct drbg_state *drbg = NULL; 1993 int ret; 1994 int rc = -EFAULT; 1995 bool pr = false; 1996 int coreref = 0; 1997 struct drbg_string addtl; 1998 size_t max_addtllen, max_request_bytes; 1999 2000 /* only perform test in FIPS mode */ 2001 if (!fips_enabled) 2002 return 0; 2003 2004 #ifdef CONFIG_CRYPTO_DRBG_CTR 2005 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 2006 #endif 2007 #ifdef CONFIG_CRYPTO_DRBG_HASH 2008 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 2009 #endif 2010 #ifdef CONFIG_CRYPTO_DRBG_HMAC 2011 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 2012 #endif 2013 2014 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 2015 if (!drbg) 2016 return -ENOMEM; 2017 2018 mutex_init(&drbg->drbg_mutex); 2019 drbg->core = &drbg_cores[coreref]; 2020 drbg->reseed_threshold = drbg_max_requests(drbg); 2021 2022 /* 2023 * if the following tests fail, it is likely that there is a buffer 2024 * overflow as buf is much smaller than the requested or provided 2025 * string lengths -- in case the error handling does not succeed 2026 * we may get an OOPS. And we want to get an OOPS as this is a 2027 * grave bug. 2028 */ 2029 2030 max_addtllen = drbg_max_addtl(drbg); 2031 max_request_bytes = drbg_max_request_bytes(drbg); 2032 drbg_string_fill(&addtl, buf, max_addtllen + 1); 2033 /* overflow addtllen with additonal info string */ 2034 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 2035 BUG_ON(0 < len); 2036 /* overflow max_bits */ 2037 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 2038 BUG_ON(0 < len); 2039 2040 /* overflow max addtllen with personalization string */ 2041 ret = drbg_seed(drbg, &addtl, false); 2042 BUG_ON(0 == ret); 2043 /* all tests passed */ 2044 rc = 0; 2045 2046 pr_devel("DRBG: Sanity tests for failure code paths successfully " 2047 "completed\n"); 2048 2049 kfree(drbg); 2050 return rc; 2051 } 2052 2053 static struct rng_alg drbg_algs[22]; 2054 2055 /* 2056 * Fill the array drbg_algs used to register the different DRBGs 2057 * with the kernel crypto API. To fill the array, the information 2058 * from drbg_cores[] is used. 2059 */ 2060 static inline void __init drbg_fill_array(struct rng_alg *alg, 2061 const struct drbg_core *core, int pr) 2062 { 2063 int pos = 0; 2064 static int priority = 200; 2065 2066 memcpy(alg->base.cra_name, "stdrng", 6); 2067 if (pr) { 2068 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 2069 pos = 8; 2070 } else { 2071 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 2072 pos = 10; 2073 } 2074 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2075 strlen(core->cra_name)); 2076 2077 alg->base.cra_priority = priority; 2078 priority++; 2079 /* 2080 * If FIPS mode enabled, the selected DRBG shall have the 2081 * highest cra_priority over other stdrng instances to ensure 2082 * it is selected. 2083 */ 2084 if (fips_enabled) 2085 alg->base.cra_priority += 200; 2086 2087 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2088 alg->base.cra_module = THIS_MODULE; 2089 alg->base.cra_init = drbg_kcapi_init; 2090 alg->base.cra_exit = drbg_kcapi_cleanup; 2091 alg->generate = drbg_kcapi_random; 2092 alg->seed = drbg_kcapi_seed; 2093 alg->set_ent = drbg_kcapi_set_entropy; 2094 alg->seedsize = 0; 2095 } 2096 2097 static int __init drbg_init(void) 2098 { 2099 unsigned int i = 0; /* pointer to drbg_algs */ 2100 unsigned int j = 0; /* pointer to drbg_cores */ 2101 int ret; 2102 2103 ret = drbg_healthcheck_sanity(); 2104 if (ret) 2105 return ret; 2106 2107 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2108 pr_info("DRBG: Cannot register all DRBG types" 2109 "(slots needed: %zu, slots available: %zu)\n", 2110 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2111 return -EFAULT; 2112 } 2113 2114 /* 2115 * each DRBG definition can be used with PR and without PR, thus 2116 * we instantiate each DRBG in drbg_cores[] twice. 2117 * 2118 * As the order of placing them into the drbg_algs array matters 2119 * (the later DRBGs receive a higher cra_priority) we register the 2120 * prediction resistance DRBGs first as the should not be too 2121 * interesting. 2122 */ 2123 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2124 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2125 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2126 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2127 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2128 } 2129 2130 static void __exit drbg_exit(void) 2131 { 2132 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2133 } 2134 2135 subsys_initcall(drbg_init); 2136 module_exit(drbg_exit); 2137 #ifndef CRYPTO_DRBG_HASH_STRING 2138 #define CRYPTO_DRBG_HASH_STRING "" 2139 #endif 2140 #ifndef CRYPTO_DRBG_HMAC_STRING 2141 #define CRYPTO_DRBG_HMAC_STRING "" 2142 #endif 2143 #ifndef CRYPTO_DRBG_CTR_STRING 2144 #define CRYPTO_DRBG_CTR_STRING "" 2145 #endif 2146 MODULE_LICENSE("GPL"); 2147 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2148 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2149 "using following cores: " 2150 CRYPTO_DRBG_HASH_STRING 2151 CRYPTO_DRBG_HMAC_STRING 2152 CRYPTO_DRBG_CTR_STRING); 2153 MODULE_ALIAS_CRYPTO("stdrng"); 2154 MODULE_IMPORT_NS(CRYPTO_INTERNAL); 2155