1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <linux/string.h> 102 103 /*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107 /* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116 static const struct drbg_core drbg_cores[] = { 117 #ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "ecb(aes)", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "ecb(aes)", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "ecb(aes)", 136 }, 137 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138 #ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165 #ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192 }; 193 194 /****************************************************************** 195 * Generic helper functions 196 ******************************************************************/ 197 198 /* 199 * Return strength of DRBG according to SP800-90A section 8.4 200 * 201 * @flags DRBG flags reference 202 * 203 * Return: normalized strength in *bytes* value or 32 as default 204 * to counter programming errors 205 */ 206 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 207 { 208 switch (flags & DRBG_STRENGTH_MASK) { 209 case DRBG_STRENGTH128: 210 return 16; 211 case DRBG_STRENGTH192: 212 return 24; 213 case DRBG_STRENGTH256: 214 return 32; 215 default: 216 return 32; 217 } 218 } 219 220 /* 221 * FIPS 140-2 continuous self test 222 * The test is performed on the result of one round of the output 223 * function. Thus, the function implicitly knows the size of the 224 * buffer. 225 * 226 * The FIPS test can be called in an endless loop until it returns 227 * true. Although the code looks like a potential for a deadlock, it 228 * is not the case, because returning a false cannot mathematically 229 * occur (except once when a reseed took place and the updated state 230 * would is now set up such that the generation of new value returns 231 * an identical one -- this is most unlikely and would happen only once). 232 * Thus, if this function repeatedly returns false and thus would cause 233 * a deadlock, the integrity of the entire kernel is lost. 234 * 235 * @drbg DRBG handle 236 * @buf output buffer of random data to be checked 237 * 238 * return: 239 * true on success 240 * false on error 241 */ 242 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 243 const unsigned char *buf) 244 { 245 #ifdef CONFIG_CRYPTO_FIPS 246 int ret = 0; 247 /* skip test if we test the overall system */ 248 if (drbg->test_data) 249 return true; 250 /* only perform test in FIPS mode */ 251 if (0 == fips_enabled) 252 return true; 253 if (!drbg->fips_primed) { 254 /* Priming of FIPS test */ 255 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 256 drbg->fips_primed = true; 257 /* return false due to priming, i.e. another round is needed */ 258 return false; 259 } 260 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 261 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 262 /* the test shall pass when the two compared values are not equal */ 263 return ret != 0; 264 #else 265 return true; 266 #endif /* CONFIG_CRYPTO_FIPS */ 267 } 268 269 /* 270 * Convert an integer into a byte representation of this integer. 271 * The byte representation is big-endian 272 * 273 * @val value to be converted 274 * @buf buffer holding the converted integer -- caller must ensure that 275 * buffer size is at least 32 bit 276 */ 277 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 278 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 279 { 280 struct s { 281 __be32 conv; 282 }; 283 struct s *conversion = (struct s *) buf; 284 285 conversion->conv = cpu_to_be32(val); 286 } 287 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 288 289 /****************************************************************** 290 * CTR DRBG callback functions 291 ******************************************************************/ 292 293 #ifdef CONFIG_CRYPTO_DRBG_CTR 294 #define CRYPTO_DRBG_CTR_STRING "CTR " 295 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 296 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 297 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 298 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 299 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 300 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 301 302 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 303 unsigned char *outval, const struct drbg_string *in); 304 static int drbg_init_sym_kernel(struct drbg_state *drbg); 305 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 306 307 /* BCC function for CTR DRBG as defined in 10.4.3 */ 308 static int drbg_ctr_bcc(struct drbg_state *drbg, 309 unsigned char *out, const unsigned char *key, 310 struct list_head *in) 311 { 312 int ret = 0; 313 struct drbg_string *curr = NULL; 314 struct drbg_string data; 315 short cnt = 0; 316 317 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 318 319 /* 10.4.3 step 1 */ 320 memset(out, 0, drbg_blocklen(drbg)); 321 322 /* 10.4.3 step 2 / 4 */ 323 list_for_each_entry(curr, in, list) { 324 const unsigned char *pos = curr->buf; 325 size_t len = curr->len; 326 /* 10.4.3 step 4.1 */ 327 while (len) { 328 /* 10.4.3 step 4.2 */ 329 if (drbg_blocklen(drbg) == cnt) { 330 cnt = 0; 331 ret = drbg_kcapi_sym(drbg, key, out, &data); 332 if (ret) 333 return ret; 334 } 335 out[cnt] ^= *pos; 336 pos++; 337 cnt++; 338 len--; 339 } 340 } 341 /* 10.4.3 step 4.2 for last block */ 342 if (cnt) 343 ret = drbg_kcapi_sym(drbg, key, out, &data); 344 345 return ret; 346 } 347 348 /* 349 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 350 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 351 * the scratchpad is used as follows: 352 * drbg_ctr_update: 353 * temp 354 * start: drbg->scratchpad 355 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 356 * note: the cipher writing into this variable works 357 * blocklen-wise. Now, when the statelen is not a multiple 358 * of blocklen, the generateion loop below "spills over" 359 * by at most blocklen. Thus, we need to give sufficient 360 * memory. 361 * df_data 362 * start: drbg->scratchpad + 363 * drbg_statelen(drbg) + drbg_blocklen(drbg) 364 * length: drbg_statelen(drbg) 365 * 366 * drbg_ctr_df: 367 * pad 368 * start: df_data + drbg_statelen(drbg) 369 * length: drbg_blocklen(drbg) 370 * iv 371 * start: pad + drbg_blocklen(drbg) 372 * length: drbg_blocklen(drbg) 373 * temp 374 * start: iv + drbg_blocklen(drbg) 375 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 376 * note: temp is the buffer that the BCC function operates 377 * on. BCC operates blockwise. drbg_statelen(drbg) 378 * is sufficient when the DRBG state length is a multiple 379 * of the block size. For AES192 (and maybe other ciphers) 380 * this is not correct and the length for temp is 381 * insufficient (yes, that also means for such ciphers, 382 * the final output of all BCC rounds are truncated). 383 * Therefore, add drbg_blocklen(drbg) to cover all 384 * possibilities. 385 */ 386 387 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 388 static int drbg_ctr_df(struct drbg_state *drbg, 389 unsigned char *df_data, size_t bytes_to_return, 390 struct list_head *seedlist) 391 { 392 int ret = -EFAULT; 393 unsigned char L_N[8]; 394 /* S3 is input */ 395 struct drbg_string S1, S2, S4, cipherin; 396 LIST_HEAD(bcc_list); 397 unsigned char *pad = df_data + drbg_statelen(drbg); 398 unsigned char *iv = pad + drbg_blocklen(drbg); 399 unsigned char *temp = iv + drbg_blocklen(drbg); 400 size_t padlen = 0; 401 unsigned int templen = 0; 402 /* 10.4.2 step 7 */ 403 unsigned int i = 0; 404 /* 10.4.2 step 8 */ 405 const unsigned char *K = (unsigned char *) 406 "\x00\x01\x02\x03\x04\x05\x06\x07" 407 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 408 "\x10\x11\x12\x13\x14\x15\x16\x17" 409 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 410 unsigned char *X; 411 size_t generated_len = 0; 412 size_t inputlen = 0; 413 struct drbg_string *seed = NULL; 414 415 memset(pad, 0, drbg_blocklen(drbg)); 416 memset(iv, 0, drbg_blocklen(drbg)); 417 memset(temp, 0, drbg_statelen(drbg)); 418 419 /* 10.4.2 step 1 is implicit as we work byte-wise */ 420 421 /* 10.4.2 step 2 */ 422 if ((512/8) < bytes_to_return) 423 return -EINVAL; 424 425 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 426 list_for_each_entry(seed, seedlist, list) 427 inputlen += seed->len; 428 drbg_cpu_to_be32(inputlen, &L_N[0]); 429 430 /* 10.4.2 step 3 */ 431 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 432 433 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 434 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 435 /* wrap the padlen appropriately */ 436 if (padlen) 437 padlen = drbg_blocklen(drbg) - padlen; 438 /* 439 * pad / padlen contains the 0x80 byte and the following zero bytes. 440 * As the calculated padlen value only covers the number of zero 441 * bytes, this value has to be incremented by one for the 0x80 byte. 442 */ 443 padlen++; 444 pad[0] = 0x80; 445 446 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 447 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 448 list_add_tail(&S1.list, &bcc_list); 449 drbg_string_fill(&S2, L_N, sizeof(L_N)); 450 list_add_tail(&S2.list, &bcc_list); 451 list_splice_tail(seedlist, &bcc_list); 452 drbg_string_fill(&S4, pad, padlen); 453 list_add_tail(&S4.list, &bcc_list); 454 455 /* 10.4.2 step 9 */ 456 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 457 /* 458 * 10.4.2 step 9.1 - the padding is implicit as the buffer 459 * holds zeros after allocation -- even the increment of i 460 * is irrelevant as the increment remains within length of i 461 */ 462 drbg_cpu_to_be32(i, iv); 463 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 464 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 465 if (ret) 466 goto out; 467 /* 10.4.2 step 9.3 */ 468 i++; 469 templen += drbg_blocklen(drbg); 470 } 471 472 /* 10.4.2 step 11 */ 473 X = temp + (drbg_keylen(drbg)); 474 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 475 476 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 477 478 /* 10.4.2 step 13 */ 479 while (generated_len < bytes_to_return) { 480 short blocklen = 0; 481 /* 482 * 10.4.2 step 13.1: the truncation of the key length is 483 * implicit as the key is only drbg_blocklen in size based on 484 * the implementation of the cipher function callback 485 */ 486 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 487 if (ret) 488 goto out; 489 blocklen = (drbg_blocklen(drbg) < 490 (bytes_to_return - generated_len)) ? 491 drbg_blocklen(drbg) : 492 (bytes_to_return - generated_len); 493 /* 10.4.2 step 13.2 and 14 */ 494 memcpy(df_data + generated_len, X, blocklen); 495 generated_len += blocklen; 496 } 497 498 ret = 0; 499 500 out: 501 memzero_explicit(iv, drbg_blocklen(drbg)); 502 memzero_explicit(temp, drbg_statelen(drbg)); 503 memzero_explicit(pad, drbg_blocklen(drbg)); 504 return ret; 505 } 506 507 /* 508 * update function of CTR DRBG as defined in 10.2.1.2 509 * 510 * The reseed variable has an enhanced meaning compared to the update 511 * functions of the other DRBGs as follows: 512 * 0 => initial seed from initialization 513 * 1 => reseed via drbg_seed 514 * 2 => first invocation from drbg_ctr_update when addtl is present. In 515 * this case, the df_data scratchpad is not deleted so that it is 516 * available for another calls to prevent calling the DF function 517 * again. 518 * 3 => second invocation from drbg_ctr_update. When the update function 519 * was called with addtl, the df_data memory already contains the 520 * DFed addtl information and we do not need to call DF again. 521 */ 522 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 523 int reseed) 524 { 525 int ret = -EFAULT; 526 /* 10.2.1.2 step 1 */ 527 unsigned char *temp = drbg->scratchpad; 528 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 529 drbg_blocklen(drbg); 530 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 531 unsigned int len = 0; 532 struct drbg_string cipherin; 533 534 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 535 if (3 > reseed) 536 memset(df_data, 0, drbg_statelen(drbg)); 537 538 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 539 if (seed) { 540 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 541 if (ret) 542 goto out; 543 } 544 545 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 546 /* 547 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 548 * zeroizes all memory during initialization 549 */ 550 while (len < (drbg_statelen(drbg))) { 551 /* 10.2.1.2 step 2.1 */ 552 crypto_inc(drbg->V, drbg_blocklen(drbg)); 553 /* 554 * 10.2.1.2 step 2.2 */ 555 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 556 if (ret) 557 goto out; 558 /* 10.2.1.2 step 2.3 and 3 */ 559 len += drbg_blocklen(drbg); 560 } 561 562 /* 10.2.1.2 step 4 */ 563 temp_p = temp; 564 df_data_p = df_data; 565 for (len = 0; len < drbg_statelen(drbg); len++) { 566 *temp_p ^= *df_data_p; 567 df_data_p++; temp_p++; 568 } 569 570 /* 10.2.1.2 step 5 */ 571 memcpy(drbg->C, temp, drbg_keylen(drbg)); 572 /* 10.2.1.2 step 6 */ 573 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 574 ret = 0; 575 576 out: 577 memzero_explicit(temp, drbg_statelen(drbg) + drbg_blocklen(drbg)); 578 if (2 != reseed) 579 memzero_explicit(df_data, drbg_statelen(drbg)); 580 return ret; 581 } 582 583 /* 584 * scratchpad use: drbg_ctr_update is called independently from 585 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 586 */ 587 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 588 static int drbg_ctr_generate(struct drbg_state *drbg, 589 unsigned char *buf, unsigned int buflen, 590 struct list_head *addtl) 591 { 592 int len = 0; 593 int ret = 0; 594 struct drbg_string data; 595 596 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 597 598 /* 10.2.1.5.2 step 2 */ 599 if (addtl && !list_empty(addtl)) { 600 ret = drbg_ctr_update(drbg, addtl, 2); 601 if (ret) 602 return 0; 603 } 604 605 /* 10.2.1.5.2 step 4.1 */ 606 crypto_inc(drbg->V, drbg_blocklen(drbg)); 607 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 608 while (len < buflen) { 609 int outlen = 0; 610 /* 10.2.1.5.2 step 4.2 */ 611 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 612 if (ret) { 613 len = ret; 614 goto out; 615 } 616 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 617 drbg_blocklen(drbg) : (buflen - len); 618 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 619 /* 10.2.1.5.2 step 6 */ 620 crypto_inc(drbg->V, drbg_blocklen(drbg)); 621 continue; 622 } 623 /* 10.2.1.5.2 step 4.3 */ 624 memcpy(buf + len, drbg->scratchpad, outlen); 625 len += outlen; 626 /* 10.2.1.5.2 step 6 */ 627 if (len < buflen) 628 crypto_inc(drbg->V, drbg_blocklen(drbg)); 629 } 630 631 /* 10.2.1.5.2 step 6 */ 632 ret = drbg_ctr_update(drbg, NULL, 3); 633 if (ret) 634 len = ret; 635 636 out: 637 memzero_explicit(drbg->scratchpad, drbg_blocklen(drbg)); 638 return len; 639 } 640 641 static struct drbg_state_ops drbg_ctr_ops = { 642 .update = drbg_ctr_update, 643 .generate = drbg_ctr_generate, 644 .crypto_init = drbg_init_sym_kernel, 645 .crypto_fini = drbg_fini_sym_kernel, 646 }; 647 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 648 649 /****************************************************************** 650 * HMAC DRBG callback functions 651 ******************************************************************/ 652 653 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 654 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 655 unsigned char *outval, const struct list_head *in); 656 static int drbg_init_hash_kernel(struct drbg_state *drbg); 657 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 658 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 659 660 #ifdef CONFIG_CRYPTO_DRBG_HMAC 661 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 662 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 663 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 664 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 665 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 666 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 667 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 668 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 669 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 670 671 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 672 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 673 int reseed) 674 { 675 int ret = -EFAULT; 676 int i = 0; 677 struct drbg_string seed1, seed2, vdata; 678 LIST_HEAD(seedlist); 679 LIST_HEAD(vdatalist); 680 681 if (!reseed) 682 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 683 memset(drbg->V, 1, drbg_statelen(drbg)); 684 685 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 686 list_add_tail(&seed1.list, &seedlist); 687 /* buffer of seed2 will be filled in for loop below with one byte */ 688 drbg_string_fill(&seed2, NULL, 1); 689 list_add_tail(&seed2.list, &seedlist); 690 /* input data of seed is allowed to be NULL at this point */ 691 if (seed) 692 list_splice_tail(seed, &seedlist); 693 694 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 695 list_add_tail(&vdata.list, &vdatalist); 696 for (i = 2; 0 < i; i--) { 697 /* first round uses 0x0, second 0x1 */ 698 unsigned char prefix = DRBG_PREFIX0; 699 if (1 == i) 700 prefix = DRBG_PREFIX1; 701 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 702 seed2.buf = &prefix; 703 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 704 if (ret) 705 return ret; 706 707 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 708 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 709 if (ret) 710 return ret; 711 712 /* 10.1.2.2 step 3 */ 713 if (!seed) 714 return ret; 715 } 716 717 return 0; 718 } 719 720 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 721 static int drbg_hmac_generate(struct drbg_state *drbg, 722 unsigned char *buf, 723 unsigned int buflen, 724 struct list_head *addtl) 725 { 726 int len = 0; 727 int ret = 0; 728 struct drbg_string data; 729 LIST_HEAD(datalist); 730 731 /* 10.1.2.5 step 2 */ 732 if (addtl && !list_empty(addtl)) { 733 ret = drbg_hmac_update(drbg, addtl, 1); 734 if (ret) 735 return ret; 736 } 737 738 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 739 list_add_tail(&data.list, &datalist); 740 while (len < buflen) { 741 unsigned int outlen = 0; 742 /* 10.1.2.5 step 4.1 */ 743 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 744 if (ret) 745 return ret; 746 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 747 drbg_blocklen(drbg) : (buflen - len); 748 if (!drbg_fips_continuous_test(drbg, drbg->V)) 749 continue; 750 751 /* 10.1.2.5 step 4.2 */ 752 memcpy(buf + len, drbg->V, outlen); 753 len += outlen; 754 } 755 756 /* 10.1.2.5 step 6 */ 757 if (addtl && !list_empty(addtl)) 758 ret = drbg_hmac_update(drbg, addtl, 1); 759 else 760 ret = drbg_hmac_update(drbg, NULL, 1); 761 if (ret) 762 return ret; 763 764 return len; 765 } 766 767 static struct drbg_state_ops drbg_hmac_ops = { 768 .update = drbg_hmac_update, 769 .generate = drbg_hmac_generate, 770 .crypto_init = drbg_init_hash_kernel, 771 .crypto_fini = drbg_fini_hash_kernel, 772 773 }; 774 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 775 776 /****************************************************************** 777 * Hash DRBG callback functions 778 ******************************************************************/ 779 780 #ifdef CONFIG_CRYPTO_DRBG_HASH 781 #define CRYPTO_DRBG_HASH_STRING "HASH " 782 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 783 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 784 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 785 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 786 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 787 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 788 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 789 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 790 791 /* 792 * Increment buffer 793 * 794 * @dst buffer to increment 795 * @add value to add 796 */ 797 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 798 const unsigned char *add, size_t addlen) 799 { 800 /* implied: dstlen > addlen */ 801 unsigned char *dstptr; 802 const unsigned char *addptr; 803 unsigned int remainder = 0; 804 size_t len = addlen; 805 806 dstptr = dst + (dstlen-1); 807 addptr = add + (addlen-1); 808 while (len) { 809 remainder += *dstptr + *addptr; 810 *dstptr = remainder & 0xff; 811 remainder >>= 8; 812 len--; dstptr--; addptr--; 813 } 814 len = dstlen - addlen; 815 while (len && remainder > 0) { 816 remainder = *dstptr + 1; 817 *dstptr = remainder & 0xff; 818 remainder >>= 8; 819 len--; dstptr--; 820 } 821 } 822 823 /* 824 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 825 * interlinked, the scratchpad is used as follows: 826 * drbg_hash_update 827 * start: drbg->scratchpad 828 * length: drbg_statelen(drbg) 829 * drbg_hash_df: 830 * start: drbg->scratchpad + drbg_statelen(drbg) 831 * length: drbg_blocklen(drbg) 832 * 833 * drbg_hash_process_addtl uses the scratchpad, but fully completes 834 * before either of the functions mentioned before are invoked. Therefore, 835 * drbg_hash_process_addtl does not need to be specifically considered. 836 */ 837 838 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 839 static int drbg_hash_df(struct drbg_state *drbg, 840 unsigned char *outval, size_t outlen, 841 struct list_head *entropylist) 842 { 843 int ret = 0; 844 size_t len = 0; 845 unsigned char input[5]; 846 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 847 struct drbg_string data; 848 849 memset(tmp, 0, drbg_blocklen(drbg)); 850 851 /* 10.4.1 step 3 */ 852 input[0] = 1; 853 drbg_cpu_to_be32((outlen * 8), &input[1]); 854 855 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 856 drbg_string_fill(&data, input, 5); 857 list_add(&data.list, entropylist); 858 859 /* 10.4.1 step 4 */ 860 while (len < outlen) { 861 short blocklen = 0; 862 /* 10.4.1 step 4.1 */ 863 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 864 if (ret) 865 goto out; 866 /* 10.4.1 step 4.2 */ 867 input[0]++; 868 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 869 drbg_blocklen(drbg) : (outlen - len); 870 memcpy(outval + len, tmp, blocklen); 871 len += blocklen; 872 } 873 874 out: 875 memzero_explicit(tmp, drbg_blocklen(drbg)); 876 return ret; 877 } 878 879 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 880 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 881 int reseed) 882 { 883 int ret = 0; 884 struct drbg_string data1, data2; 885 LIST_HEAD(datalist); 886 LIST_HEAD(datalist2); 887 unsigned char *V = drbg->scratchpad; 888 unsigned char prefix = DRBG_PREFIX1; 889 890 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 891 if (!seed) 892 return -EINVAL; 893 894 if (reseed) { 895 /* 10.1.1.3 step 1 */ 896 memcpy(V, drbg->V, drbg_statelen(drbg)); 897 drbg_string_fill(&data1, &prefix, 1); 898 list_add_tail(&data1.list, &datalist); 899 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 900 list_add_tail(&data2.list, &datalist); 901 } 902 list_splice_tail(seed, &datalist); 903 904 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 905 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 906 if (ret) 907 goto out; 908 909 /* 10.1.1.2 / 10.1.1.3 step 4 */ 910 prefix = DRBG_PREFIX0; 911 drbg_string_fill(&data1, &prefix, 1); 912 list_add_tail(&data1.list, &datalist2); 913 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 914 list_add_tail(&data2.list, &datalist2); 915 /* 10.1.1.2 / 10.1.1.3 step 4 */ 916 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 917 918 out: 919 memzero_explicit(drbg->scratchpad, drbg_statelen(drbg)); 920 return ret; 921 } 922 923 /* processing of additional information string for Hash DRBG */ 924 static int drbg_hash_process_addtl(struct drbg_state *drbg, 925 struct list_head *addtl) 926 { 927 int ret = 0; 928 struct drbg_string data1, data2; 929 LIST_HEAD(datalist); 930 unsigned char prefix = DRBG_PREFIX2; 931 932 /* this is value w as per documentation */ 933 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 934 935 /* 10.1.1.4 step 2 */ 936 if (!addtl || list_empty(addtl)) 937 return 0; 938 939 /* 10.1.1.4 step 2a */ 940 drbg_string_fill(&data1, &prefix, 1); 941 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 942 list_add_tail(&data1.list, &datalist); 943 list_add_tail(&data2.list, &datalist); 944 list_splice_tail(addtl, &datalist); 945 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 946 if (ret) 947 goto out; 948 949 /* 10.1.1.4 step 2b */ 950 drbg_add_buf(drbg->V, drbg_statelen(drbg), 951 drbg->scratchpad, drbg_blocklen(drbg)); 952 953 out: 954 memzero_explicit(drbg->scratchpad, drbg_blocklen(drbg)); 955 return ret; 956 } 957 958 /* Hashgen defined in 10.1.1.4 */ 959 static int drbg_hash_hashgen(struct drbg_state *drbg, 960 unsigned char *buf, 961 unsigned int buflen) 962 { 963 int len = 0; 964 int ret = 0; 965 unsigned char *src = drbg->scratchpad; 966 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 967 struct drbg_string data; 968 LIST_HEAD(datalist); 969 970 memset(src, 0, drbg_statelen(drbg)); 971 memset(dst, 0, drbg_blocklen(drbg)); 972 973 /* 10.1.1.4 step hashgen 2 */ 974 memcpy(src, drbg->V, drbg_statelen(drbg)); 975 976 drbg_string_fill(&data, src, drbg_statelen(drbg)); 977 list_add_tail(&data.list, &datalist); 978 while (len < buflen) { 979 unsigned int outlen = 0; 980 /* 10.1.1.4 step hashgen 4.1 */ 981 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 982 if (ret) { 983 len = ret; 984 goto out; 985 } 986 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 987 drbg_blocklen(drbg) : (buflen - len); 988 if (!drbg_fips_continuous_test(drbg, dst)) { 989 crypto_inc(src, drbg_statelen(drbg)); 990 continue; 991 } 992 /* 10.1.1.4 step hashgen 4.2 */ 993 memcpy(buf + len, dst, outlen); 994 len += outlen; 995 /* 10.1.1.4 hashgen step 4.3 */ 996 if (len < buflen) 997 crypto_inc(src, drbg_statelen(drbg)); 998 } 999 1000 out: 1001 memzero_explicit(drbg->scratchpad, 1002 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 1003 return len; 1004 } 1005 1006 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 1007 static int drbg_hash_generate(struct drbg_state *drbg, 1008 unsigned char *buf, unsigned int buflen, 1009 struct list_head *addtl) 1010 { 1011 int len = 0; 1012 int ret = 0; 1013 union { 1014 unsigned char req[8]; 1015 __be64 req_int; 1016 } u; 1017 unsigned char prefix = DRBG_PREFIX3; 1018 struct drbg_string data1, data2; 1019 LIST_HEAD(datalist); 1020 1021 /* 10.1.1.4 step 2 */ 1022 ret = drbg_hash_process_addtl(drbg, addtl); 1023 if (ret) 1024 return ret; 1025 /* 10.1.1.4 step 3 */ 1026 len = drbg_hash_hashgen(drbg, buf, buflen); 1027 1028 /* this is the value H as documented in 10.1.1.4 */ 1029 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1030 /* 10.1.1.4 step 4 */ 1031 drbg_string_fill(&data1, &prefix, 1); 1032 list_add_tail(&data1.list, &datalist); 1033 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1034 list_add_tail(&data2.list, &datalist); 1035 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1036 if (ret) { 1037 len = ret; 1038 goto out; 1039 } 1040 1041 /* 10.1.1.4 step 5 */ 1042 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1043 drbg->scratchpad, drbg_blocklen(drbg)); 1044 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1045 drbg->C, drbg_statelen(drbg)); 1046 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1047 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1048 1049 out: 1050 memzero_explicit(drbg->scratchpad, drbg_blocklen(drbg)); 1051 return len; 1052 } 1053 1054 /* 1055 * scratchpad usage: as update and generate are used isolated, both 1056 * can use the scratchpad 1057 */ 1058 static struct drbg_state_ops drbg_hash_ops = { 1059 .update = drbg_hash_update, 1060 .generate = drbg_hash_generate, 1061 .crypto_init = drbg_init_hash_kernel, 1062 .crypto_fini = drbg_fini_hash_kernel, 1063 }; 1064 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1065 1066 /****************************************************************** 1067 * Functions common for DRBG implementations 1068 ******************************************************************/ 1069 1070 /* 1071 * Seeding or reseeding of the DRBG 1072 * 1073 * @drbg: DRBG state struct 1074 * @pers: personalization / additional information buffer 1075 * @reseed: 0 for initial seed process, 1 for reseeding 1076 * 1077 * return: 1078 * 0 on success 1079 * error value otherwise 1080 */ 1081 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1082 bool reseed) 1083 { 1084 int ret = 0; 1085 unsigned char *entropy = NULL; 1086 size_t entropylen = 0; 1087 struct drbg_string data1; 1088 LIST_HEAD(seedlist); 1089 1090 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1091 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1092 pr_devel("DRBG: personalization string too long %zu\n", 1093 pers->len); 1094 return -EINVAL; 1095 } 1096 1097 if (drbg->test_data && drbg->test_data->testentropy) { 1098 drbg_string_fill(&data1, drbg->test_data->testentropy->buf, 1099 drbg->test_data->testentropy->len); 1100 pr_devel("DRBG: using test entropy\n"); 1101 } else { 1102 /* 1103 * Gather entropy equal to the security strength of the DRBG. 1104 * With a derivation function, a nonce is required in addition 1105 * to the entropy. A nonce must be at least 1/2 of the security 1106 * strength of the DRBG in size. Thus, entropy * nonce is 3/2 1107 * of the strength. The consideration of a nonce is only 1108 * applicable during initial seeding. 1109 */ 1110 entropylen = drbg_sec_strength(drbg->core->flags); 1111 if (!entropylen) 1112 return -EFAULT; 1113 if (!reseed) 1114 entropylen = ((entropylen + 1) / 2) * 3; 1115 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", 1116 entropylen); 1117 entropy = kzalloc(entropylen, GFP_KERNEL); 1118 if (!entropy) 1119 return -ENOMEM; 1120 get_random_bytes(entropy, entropylen); 1121 drbg_string_fill(&data1, entropy, entropylen); 1122 } 1123 list_add_tail(&data1.list, &seedlist); 1124 1125 /* 1126 * concatenation of entropy with personalization str / addtl input) 1127 * the variable pers is directly handed in by the caller, so check its 1128 * contents whether it is appropriate 1129 */ 1130 if (pers && pers->buf && 0 < pers->len) { 1131 list_add_tail(&pers->list, &seedlist); 1132 pr_devel("DRBG: using personalization string\n"); 1133 } 1134 1135 if (!reseed) { 1136 memset(drbg->V, 0, drbg_statelen(drbg)); 1137 memset(drbg->C, 0, drbg_statelen(drbg)); 1138 } 1139 1140 ret = drbg->d_ops->update(drbg, &seedlist, reseed); 1141 if (ret) 1142 goto out; 1143 1144 drbg->seeded = true; 1145 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1146 drbg->reseed_ctr = 1; 1147 1148 out: 1149 kzfree(entropy); 1150 return ret; 1151 } 1152 1153 /* Free all substructures in a DRBG state without the DRBG state structure */ 1154 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1155 { 1156 if (!drbg) 1157 return; 1158 kzfree(drbg->V); 1159 drbg->V = NULL; 1160 kzfree(drbg->C); 1161 drbg->C = NULL; 1162 kzfree(drbg->scratchpad); 1163 drbg->scratchpad = NULL; 1164 drbg->reseed_ctr = 0; 1165 #ifdef CONFIG_CRYPTO_FIPS 1166 kzfree(drbg->prev); 1167 drbg->prev = NULL; 1168 drbg->fips_primed = false; 1169 #endif 1170 } 1171 1172 /* 1173 * Allocate all sub-structures for a DRBG state. 1174 * The DRBG state structure must already be allocated. 1175 */ 1176 static inline int drbg_alloc_state(struct drbg_state *drbg) 1177 { 1178 int ret = -ENOMEM; 1179 unsigned int sb_size = 0; 1180 1181 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1182 if (!drbg->V) 1183 goto err; 1184 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1185 if (!drbg->C) 1186 goto err; 1187 #ifdef CONFIG_CRYPTO_FIPS 1188 drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1189 if (!drbg->prev) 1190 goto err; 1191 drbg->fips_primed = false; 1192 #endif 1193 /* scratchpad is only generated for CTR and Hash */ 1194 if (drbg->core->flags & DRBG_HMAC) 1195 sb_size = 0; 1196 else if (drbg->core->flags & DRBG_CTR) 1197 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1198 drbg_statelen(drbg) + /* df_data */ 1199 drbg_blocklen(drbg) + /* pad */ 1200 drbg_blocklen(drbg) + /* iv */ 1201 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1202 else 1203 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1204 1205 if (0 < sb_size) { 1206 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1207 if (!drbg->scratchpad) 1208 goto err; 1209 } 1210 spin_lock_init(&drbg->drbg_lock); 1211 return 0; 1212 1213 err: 1214 drbg_dealloc_state(drbg); 1215 return ret; 1216 } 1217 1218 /* 1219 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG 1220 * and perform all operations on this shadow copy. After finishing, restore 1221 * the updated state of the shadow copy into original drbg state. This way, 1222 * only the read and write operations of the original drbg state must be 1223 * locked 1224 */ 1225 static inline void drbg_copy_drbg(struct drbg_state *src, 1226 struct drbg_state *dst) 1227 { 1228 if (!src || !dst) 1229 return; 1230 memcpy(dst->V, src->V, drbg_statelen(src)); 1231 memcpy(dst->C, src->C, drbg_statelen(src)); 1232 dst->reseed_ctr = src->reseed_ctr; 1233 dst->seeded = src->seeded; 1234 dst->pr = src->pr; 1235 #ifdef CONFIG_CRYPTO_FIPS 1236 dst->fips_primed = src->fips_primed; 1237 memcpy(dst->prev, src->prev, drbg_blocklen(src)); 1238 #endif 1239 /* 1240 * Not copied: 1241 * scratchpad is initialized drbg_alloc_state; 1242 * priv_data is initialized with call to crypto_init; 1243 * d_ops and core are set outside, as these parameters are const; 1244 * test_data is set outside to prevent it being copied back. 1245 */ 1246 } 1247 1248 static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) 1249 { 1250 int ret = -ENOMEM; 1251 struct drbg_state *tmp = NULL; 1252 1253 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1254 if (!tmp) 1255 return -ENOMEM; 1256 1257 /* read-only data as they are defined as const, no lock needed */ 1258 tmp->core = drbg->core; 1259 tmp->d_ops = drbg->d_ops; 1260 1261 ret = drbg_alloc_state(tmp); 1262 if (ret) 1263 goto err; 1264 1265 spin_lock_bh(&drbg->drbg_lock); 1266 drbg_copy_drbg(drbg, tmp); 1267 /* only make a link to the test buffer, as we only read that data */ 1268 tmp->test_data = drbg->test_data; 1269 spin_unlock_bh(&drbg->drbg_lock); 1270 *shadow = tmp; 1271 return 0; 1272 1273 err: 1274 kzfree(tmp); 1275 return ret; 1276 } 1277 1278 static void drbg_restore_shadow(struct drbg_state *drbg, 1279 struct drbg_state **shadow) 1280 { 1281 struct drbg_state *tmp = *shadow; 1282 1283 spin_lock_bh(&drbg->drbg_lock); 1284 drbg_copy_drbg(tmp, drbg); 1285 spin_unlock_bh(&drbg->drbg_lock); 1286 drbg_dealloc_state(tmp); 1287 kzfree(tmp); 1288 *shadow = NULL; 1289 } 1290 1291 /************************************************************************* 1292 * DRBG interface functions 1293 *************************************************************************/ 1294 1295 /* 1296 * DRBG generate function as required by SP800-90A - this function 1297 * generates random numbers 1298 * 1299 * @drbg DRBG state handle 1300 * @buf Buffer where to store the random numbers -- the buffer must already 1301 * be pre-allocated by caller 1302 * @buflen Length of output buffer - this value defines the number of random 1303 * bytes pulled from DRBG 1304 * @addtl Additional input that is mixed into state, may be NULL -- note 1305 * the entropy is pulled by the DRBG internally unconditionally 1306 * as defined in SP800-90A. The additional input is mixed into 1307 * the state in addition to the pulled entropy. 1308 * 1309 * return: generated number of bytes 1310 */ 1311 static int drbg_generate(struct drbg_state *drbg, 1312 unsigned char *buf, unsigned int buflen, 1313 struct drbg_string *addtl) 1314 { 1315 int len = 0; 1316 struct drbg_state *shadow = NULL; 1317 LIST_HEAD(addtllist); 1318 struct drbg_string timestamp; 1319 union { 1320 cycles_t cycles; 1321 unsigned char char_cycles[sizeof(cycles_t)]; 1322 } now; 1323 1324 if (0 == buflen || !buf) { 1325 pr_devel("DRBG: no output buffer provided\n"); 1326 return -EINVAL; 1327 } 1328 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1329 pr_devel("DRBG: wrong format of additional information\n"); 1330 return -EINVAL; 1331 } 1332 1333 len = drbg_make_shadow(drbg, &shadow); 1334 if (len) { 1335 pr_devel("DRBG: shadow copy cannot be generated\n"); 1336 return len; 1337 } 1338 1339 /* 9.3.1 step 2 */ 1340 len = -EINVAL; 1341 if (buflen > (drbg_max_request_bytes(shadow))) { 1342 pr_devel("DRBG: requested random numbers too large %u\n", 1343 buflen); 1344 goto err; 1345 } 1346 1347 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1348 1349 /* 9.3.1 step 4 */ 1350 if (addtl && addtl->len > (drbg_max_addtl(shadow))) { 1351 pr_devel("DRBG: additional information string too long %zu\n", 1352 addtl->len); 1353 goto err; 1354 } 1355 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1356 1357 /* 1358 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1359 * here. The spec is a bit convoluted here, we make it simpler. 1360 */ 1361 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) 1362 shadow->seeded = false; 1363 1364 /* allocate cipher handle */ 1365 len = shadow->d_ops->crypto_init(shadow); 1366 if (len) 1367 goto err; 1368 1369 if (shadow->pr || !shadow->seeded) { 1370 pr_devel("DRBG: reseeding before generation (prediction " 1371 "resistance: %s, state %s)\n", 1372 drbg->pr ? "true" : "false", 1373 drbg->seeded ? "seeded" : "unseeded"); 1374 /* 9.3.1 steps 7.1 through 7.3 */ 1375 len = drbg_seed(shadow, addtl, true); 1376 if (len) 1377 goto err; 1378 /* 9.3.1 step 7.4 */ 1379 addtl = NULL; 1380 } 1381 1382 /* 1383 * Mix the time stamp into the DRBG state if the DRBG is not in 1384 * test mode. If there are two callers invoking the DRBG at the same 1385 * time, i.e. before the first caller merges its shadow state back, 1386 * both callers would obtain the same random number stream without 1387 * changing the state here. 1388 */ 1389 if (!drbg->test_data) { 1390 now.cycles = random_get_entropy(); 1391 drbg_string_fill(×tamp, now.char_cycles, sizeof(cycles_t)); 1392 list_add_tail(×tamp.list, &addtllist); 1393 } 1394 if (addtl && 0 < addtl->len) 1395 list_add_tail(&addtl->list, &addtllist); 1396 /* 9.3.1 step 8 and 10 */ 1397 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist); 1398 1399 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1400 shadow->reseed_ctr++; 1401 if (0 >= len) 1402 goto err; 1403 1404 /* 1405 * Section 11.3.3 requires to re-perform self tests after some 1406 * generated random numbers. The chosen value after which self 1407 * test is performed is arbitrary, but it should be reasonable. 1408 * However, we do not perform the self tests because of the following 1409 * reasons: it is mathematically impossible that the initial self tests 1410 * were successfully and the following are not. If the initial would 1411 * pass and the following would not, the kernel integrity is violated. 1412 * In this case, the entire kernel operation is questionable and it 1413 * is unlikely that the integrity violation only affects the 1414 * correct operation of the DRBG. 1415 * 1416 * Albeit the following code is commented out, it is provided in 1417 * case somebody has a need to implement the test of 11.3.3. 1418 */ 1419 #if 0 1420 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { 1421 int err = 0; 1422 pr_devel("DRBG: start to perform self test\n"); 1423 if (drbg->core->flags & DRBG_HMAC) 1424 err = alg_test("drbg_pr_hmac_sha256", 1425 "drbg_pr_hmac_sha256", 0, 0); 1426 else if (drbg->core->flags & DRBG_CTR) 1427 err = alg_test("drbg_pr_ctr_aes128", 1428 "drbg_pr_ctr_aes128", 0, 0); 1429 else 1430 err = alg_test("drbg_pr_sha256", 1431 "drbg_pr_sha256", 0, 0); 1432 if (err) { 1433 pr_err("DRBG: periodical self test failed\n"); 1434 /* 1435 * uninstantiate implies that from now on, only errors 1436 * are returned when reusing this DRBG cipher handle 1437 */ 1438 drbg_uninstantiate(drbg); 1439 drbg_dealloc_state(shadow); 1440 kzfree(shadow); 1441 return 0; 1442 } else { 1443 pr_devel("DRBG: self test successful\n"); 1444 } 1445 } 1446 #endif 1447 1448 err: 1449 shadow->d_ops->crypto_fini(shadow); 1450 drbg_restore_shadow(drbg, &shadow); 1451 return len; 1452 } 1453 1454 /* 1455 * Wrapper around drbg_generate which can pull arbitrary long strings 1456 * from the DRBG without hitting the maximum request limitation. 1457 * 1458 * Parameters: see drbg_generate 1459 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1460 * the entire drbg_generate_long request fails 1461 */ 1462 static int drbg_generate_long(struct drbg_state *drbg, 1463 unsigned char *buf, unsigned int buflen, 1464 struct drbg_string *addtl) 1465 { 1466 int len = 0; 1467 unsigned int slice = 0; 1468 do { 1469 int tmplen = 0; 1470 unsigned int chunk = 0; 1471 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1472 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1473 tmplen = drbg_generate(drbg, buf + len, chunk, addtl); 1474 if (0 >= tmplen) 1475 return tmplen; 1476 len += tmplen; 1477 } while (slice > 0 && (len < buflen)); 1478 return len; 1479 } 1480 1481 /* 1482 * DRBG instantiation function as required by SP800-90A - this function 1483 * sets up the DRBG handle, performs the initial seeding and all sanity 1484 * checks required by SP800-90A 1485 * 1486 * @drbg memory of state -- if NULL, new memory is allocated 1487 * @pers Personalization string that is mixed into state, may be NULL -- note 1488 * the entropy is pulled by the DRBG internally unconditionally 1489 * as defined in SP800-90A. The additional input is mixed into 1490 * the state in addition to the pulled entropy. 1491 * @coreref reference to core 1492 * @pr prediction resistance enabled 1493 * 1494 * return 1495 * 0 on success 1496 * error value otherwise 1497 */ 1498 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1499 int coreref, bool pr) 1500 { 1501 int ret = -ENOMEM; 1502 1503 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1504 "%s\n", coreref, pr ? "enabled" : "disabled"); 1505 drbg->core = &drbg_cores[coreref]; 1506 drbg->pr = pr; 1507 drbg->seeded = false; 1508 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1509 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1510 case DRBG_HMAC: 1511 drbg->d_ops = &drbg_hmac_ops; 1512 break; 1513 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1514 #ifdef CONFIG_CRYPTO_DRBG_HASH 1515 case DRBG_HASH: 1516 drbg->d_ops = &drbg_hash_ops; 1517 break; 1518 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1519 #ifdef CONFIG_CRYPTO_DRBG_CTR 1520 case DRBG_CTR: 1521 drbg->d_ops = &drbg_ctr_ops; 1522 break; 1523 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1524 default: 1525 return -EOPNOTSUPP; 1526 } 1527 1528 /* 9.1 step 1 is implicit with the selected DRBG type */ 1529 1530 /* 1531 * 9.1 step 2 is implicit as caller can select prediction resistance 1532 * and the flag is copied into drbg->flags -- 1533 * all DRBG types support prediction resistance 1534 */ 1535 1536 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1537 1538 ret = drbg_alloc_state(drbg); 1539 if (ret) 1540 return ret; 1541 1542 ret = -EFAULT; 1543 if (drbg->d_ops->crypto_init(drbg)) 1544 goto err; 1545 ret = drbg_seed(drbg, pers, false); 1546 drbg->d_ops->crypto_fini(drbg); 1547 if (ret) 1548 goto err; 1549 1550 return 0; 1551 1552 err: 1553 drbg_dealloc_state(drbg); 1554 return ret; 1555 } 1556 1557 /* 1558 * DRBG uninstantiate function as required by SP800-90A - this function 1559 * frees all buffers and the DRBG handle 1560 * 1561 * @drbg DRBG state handle 1562 * 1563 * return 1564 * 0 on success 1565 */ 1566 static int drbg_uninstantiate(struct drbg_state *drbg) 1567 { 1568 spin_lock_bh(&drbg->drbg_lock); 1569 drbg_dealloc_state(drbg); 1570 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1571 spin_unlock_bh(&drbg->drbg_lock); 1572 return 0; 1573 } 1574 1575 /* 1576 * Helper function for setting the test data in the DRBG 1577 * 1578 * @drbg DRBG state handle 1579 * @test_data test data to sets 1580 */ 1581 static inline void drbg_set_testdata(struct drbg_state *drbg, 1582 struct drbg_test_data *test_data) 1583 { 1584 if (!test_data || !test_data->testentropy) 1585 return; 1586 spin_lock_bh(&drbg->drbg_lock); 1587 drbg->test_data = test_data; 1588 spin_unlock_bh(&drbg->drbg_lock); 1589 } 1590 1591 /*************************************************************** 1592 * Kernel crypto API cipher invocations requested by DRBG 1593 ***************************************************************/ 1594 1595 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1596 struct sdesc { 1597 struct shash_desc shash; 1598 char ctx[]; 1599 }; 1600 1601 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1602 { 1603 struct sdesc *sdesc; 1604 struct crypto_shash *tfm; 1605 1606 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1607 if (IS_ERR(tfm)) { 1608 pr_info("DRBG: could not allocate digest TFM handle\n"); 1609 return PTR_ERR(tfm); 1610 } 1611 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1612 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1613 GFP_KERNEL); 1614 if (!sdesc) { 1615 crypto_free_shash(tfm); 1616 return -ENOMEM; 1617 } 1618 1619 sdesc->shash.tfm = tfm; 1620 sdesc->shash.flags = 0; 1621 drbg->priv_data = sdesc; 1622 return 0; 1623 } 1624 1625 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1626 { 1627 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1628 if (sdesc) { 1629 crypto_free_shash(sdesc->shash.tfm); 1630 kzfree(sdesc); 1631 } 1632 drbg->priv_data = NULL; 1633 return 0; 1634 } 1635 1636 static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1637 unsigned char *outval, const struct list_head *in) 1638 { 1639 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1640 struct drbg_string *input = NULL; 1641 1642 if (key) 1643 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1644 crypto_shash_init(&sdesc->shash); 1645 list_for_each_entry(input, in, list) 1646 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1647 return crypto_shash_final(&sdesc->shash, outval); 1648 } 1649 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1650 1651 #ifdef CONFIG_CRYPTO_DRBG_CTR 1652 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1653 { 1654 int ret = 0; 1655 struct crypto_blkcipher *tfm; 1656 1657 tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0); 1658 if (IS_ERR(tfm)) { 1659 pr_info("DRBG: could not allocate cipher TFM handle\n"); 1660 return PTR_ERR(tfm); 1661 } 1662 BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm)); 1663 drbg->priv_data = tfm; 1664 return ret; 1665 } 1666 1667 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1668 { 1669 struct crypto_blkcipher *tfm = 1670 (struct crypto_blkcipher *)drbg->priv_data; 1671 if (tfm) 1672 crypto_free_blkcipher(tfm); 1673 drbg->priv_data = NULL; 1674 return 0; 1675 } 1676 1677 static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1678 unsigned char *outval, const struct drbg_string *in) 1679 { 1680 int ret = 0; 1681 struct scatterlist sg_in, sg_out; 1682 struct blkcipher_desc desc; 1683 struct crypto_blkcipher *tfm = 1684 (struct crypto_blkcipher *)drbg->priv_data; 1685 1686 desc.tfm = tfm; 1687 desc.flags = 0; 1688 crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg))); 1689 /* there is only component in *in */ 1690 sg_init_one(&sg_in, in->buf, in->len); 1691 sg_init_one(&sg_out, outval, drbg_blocklen(drbg)); 1692 ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len); 1693 1694 return ret; 1695 } 1696 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1697 1698 /*************************************************************** 1699 * Kernel crypto API interface to register DRBG 1700 ***************************************************************/ 1701 1702 /* 1703 * Look up the DRBG flags by given kernel crypto API cra_name 1704 * The code uses the drbg_cores definition to do this 1705 * 1706 * @cra_name kernel crypto API cra_name 1707 * @coreref reference to integer which is filled with the pointer to 1708 * the applicable core 1709 * @pr reference for setting prediction resistance 1710 * 1711 * return: flags 1712 */ 1713 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1714 int *coreref, bool *pr) 1715 { 1716 int i = 0; 1717 size_t start = 0; 1718 int len = 0; 1719 1720 *pr = true; 1721 /* disassemble the names */ 1722 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1723 start = 10; 1724 *pr = false; 1725 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1726 start = 8; 1727 } else { 1728 return; 1729 } 1730 1731 /* remove the first part */ 1732 len = strlen(cra_driver_name) - start; 1733 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1734 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1735 len)) { 1736 *coreref = i; 1737 return; 1738 } 1739 } 1740 } 1741 1742 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1743 { 1744 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1745 bool pr = false; 1746 int coreref = 0; 1747 1748 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr); 1749 /* 1750 * when personalization string is needed, the caller must call reset 1751 * and provide the personalization string as seed information 1752 */ 1753 return drbg_instantiate(drbg, NULL, coreref, pr); 1754 } 1755 1756 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1757 { 1758 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1759 } 1760 1761 /* 1762 * Generate random numbers invoked by the kernel crypto API: 1763 * The API of the kernel crypto API is extended as follows: 1764 * 1765 * If dlen is larger than zero, rdata is interpreted as the output buffer 1766 * where random data is to be stored. 1767 * 1768 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen 1769 * which holds the additional information string that is used for the 1770 * DRBG generation process. The output buffer that is to be used to store 1771 * data is also pointed to by struct drbg_gen. 1772 */ 1773 static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, 1774 unsigned int dlen) 1775 { 1776 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1777 if (0 < dlen) { 1778 return drbg_generate_long(drbg, rdata, dlen, NULL); 1779 } else { 1780 struct drbg_gen *data = (struct drbg_gen *)rdata; 1781 struct drbg_string addtl; 1782 /* catch NULL pointer */ 1783 if (!data) 1784 return 0; 1785 drbg_set_testdata(drbg, data->test_data); 1786 /* linked list variable is now local to allow modification */ 1787 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len); 1788 return drbg_generate_long(drbg, data->outbuf, data->outlen, 1789 &addtl); 1790 } 1791 } 1792 1793 /* 1794 * Reset the DRBG invoked by the kernel crypto API 1795 * The reset implies a full re-initialization of the DRBG. Similar to the 1796 * generate function of drbg_kcapi_random, this function extends the 1797 * kernel crypto API interface with struct drbg_gen 1798 */ 1799 static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) 1800 { 1801 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1802 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1803 bool pr = false; 1804 struct drbg_string seed_string; 1805 int coreref = 0; 1806 1807 drbg_uninstantiate(drbg); 1808 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1809 &pr); 1810 if (0 < slen) { 1811 drbg_string_fill(&seed_string, seed, slen); 1812 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1813 } else { 1814 struct drbg_gen *data = (struct drbg_gen *)seed; 1815 /* allow invocation of API call with NULL, 0 */ 1816 if (!data) 1817 return drbg_instantiate(drbg, NULL, coreref, pr); 1818 drbg_set_testdata(drbg, data->test_data); 1819 /* linked list variable is now local to allow modification */ 1820 drbg_string_fill(&seed_string, data->addtl->buf, 1821 data->addtl->len); 1822 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1823 } 1824 } 1825 1826 /*************************************************************** 1827 * Kernel module: code to load the module 1828 ***************************************************************/ 1829 1830 /* 1831 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1832 * of the error handling. 1833 * 1834 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1835 * as seed source of get_random_bytes does not fail. 1836 * 1837 * Note 2: There is no sensible way of testing the reseed counter 1838 * enforcement, so skip it. 1839 */ 1840 static inline int __init drbg_healthcheck_sanity(void) 1841 { 1842 #ifdef CONFIG_CRYPTO_FIPS 1843 int len = 0; 1844 #define OUTBUFLEN 16 1845 unsigned char buf[OUTBUFLEN]; 1846 struct drbg_state *drbg = NULL; 1847 int ret = -EFAULT; 1848 int rc = -EFAULT; 1849 bool pr = false; 1850 int coreref = 0; 1851 struct drbg_string addtl; 1852 size_t max_addtllen, max_request_bytes; 1853 1854 /* only perform test in FIPS mode */ 1855 if (!fips_enabled) 1856 return 0; 1857 1858 #ifdef CONFIG_CRYPTO_DRBG_CTR 1859 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1860 #elif defined CONFIG_CRYPTO_DRBG_HASH 1861 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1862 #else 1863 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1864 #endif 1865 1866 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1867 if (!drbg) 1868 return -ENOMEM; 1869 1870 /* 1871 * if the following tests fail, it is likely that there is a buffer 1872 * overflow as buf is much smaller than the requested or provided 1873 * string lengths -- in case the error handling does not succeed 1874 * we may get an OOPS. And we want to get an OOPS as this is a 1875 * grave bug. 1876 */ 1877 1878 /* get a valid instance of DRBG for following tests */ 1879 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1880 if (ret) { 1881 rc = ret; 1882 goto outbuf; 1883 } 1884 max_addtllen = drbg_max_addtl(drbg); 1885 max_request_bytes = drbg_max_request_bytes(drbg); 1886 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1887 /* overflow addtllen with additonal info string */ 1888 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1889 BUG_ON(0 < len); 1890 /* overflow max_bits */ 1891 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1892 BUG_ON(0 < len); 1893 drbg_uninstantiate(drbg); 1894 1895 /* overflow max addtllen with personalization string */ 1896 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1897 BUG_ON(0 == ret); 1898 /* all tests passed */ 1899 rc = 0; 1900 1901 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1902 "completed\n"); 1903 1904 drbg_uninstantiate(drbg); 1905 outbuf: 1906 kzfree(drbg); 1907 return rc; 1908 #else /* CONFIG_CRYPTO_FIPS */ 1909 return 0; 1910 #endif /* CONFIG_CRYPTO_FIPS */ 1911 } 1912 1913 static struct crypto_alg drbg_algs[22]; 1914 1915 /* 1916 * Fill the array drbg_algs used to register the different DRBGs 1917 * with the kernel crypto API. To fill the array, the information 1918 * from drbg_cores[] is used. 1919 */ 1920 static inline void __init drbg_fill_array(struct crypto_alg *alg, 1921 const struct drbg_core *core, int pr) 1922 { 1923 int pos = 0; 1924 static int priority = 100; 1925 1926 memset(alg, 0, sizeof(struct crypto_alg)); 1927 memcpy(alg->cra_name, "stdrng", 6); 1928 if (pr) { 1929 memcpy(alg->cra_driver_name, "drbg_pr_", 8); 1930 pos = 8; 1931 } else { 1932 memcpy(alg->cra_driver_name, "drbg_nopr_", 10); 1933 pos = 10; 1934 } 1935 memcpy(alg->cra_driver_name + pos, core->cra_name, 1936 strlen(core->cra_name)); 1937 1938 alg->cra_priority = priority; 1939 priority++; 1940 /* 1941 * If FIPS mode enabled, the selected DRBG shall have the 1942 * highest cra_priority over other stdrng instances to ensure 1943 * it is selected. 1944 */ 1945 if (fips_enabled) 1946 alg->cra_priority += 200; 1947 1948 alg->cra_flags = CRYPTO_ALG_TYPE_RNG; 1949 alg->cra_ctxsize = sizeof(struct drbg_state); 1950 alg->cra_type = &crypto_rng_type; 1951 alg->cra_module = THIS_MODULE; 1952 alg->cra_init = drbg_kcapi_init; 1953 alg->cra_exit = drbg_kcapi_cleanup; 1954 alg->cra_u.rng.rng_make_random = drbg_kcapi_random; 1955 alg->cra_u.rng.rng_reset = drbg_kcapi_reset; 1956 alg->cra_u.rng.seedsize = 0; 1957 } 1958 1959 static int __init drbg_init(void) 1960 { 1961 unsigned int i = 0; /* pointer to drbg_algs */ 1962 unsigned int j = 0; /* pointer to drbg_cores */ 1963 int ret = -EFAULT; 1964 1965 ret = drbg_healthcheck_sanity(); 1966 if (ret) 1967 return ret; 1968 1969 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1970 pr_info("DRBG: Cannot register all DRBG types" 1971 "(slots needed: %zu, slots available: %zu)\n", 1972 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1973 return ret; 1974 } 1975 1976 /* 1977 * each DRBG definition can be used with PR and without PR, thus 1978 * we instantiate each DRBG in drbg_cores[] twice. 1979 * 1980 * As the order of placing them into the drbg_algs array matters 1981 * (the later DRBGs receive a higher cra_priority) we register the 1982 * prediction resistance DRBGs first as the should not be too 1983 * interesting. 1984 */ 1985 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1986 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1987 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1988 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1989 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1990 } 1991 1992 static void __exit drbg_exit(void) 1993 { 1994 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1995 } 1996 1997 module_init(drbg_init); 1998 module_exit(drbg_exit); 1999 #ifndef CRYPTO_DRBG_HASH_STRING 2000 #define CRYPTO_DRBG_HASH_STRING "" 2001 #endif 2002 #ifndef CRYPTO_DRBG_HMAC_STRING 2003 #define CRYPTO_DRBG_HMAC_STRING "" 2004 #endif 2005 #ifndef CRYPTO_DRBG_CTR_STRING 2006 #define CRYPTO_DRBG_CTR_STRING "" 2007 #endif 2008 MODULE_LICENSE("GPL"); 2009 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2010 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2011 "using following cores: " 2012 CRYPTO_DRBG_HASH_STRING 2013 CRYPTO_DRBG_HMAC_STRING 2014 CRYPTO_DRBG_CTR_STRING); 2015