1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/df_sp80090a.h> 102 #include <crypto/internal/cipher.h> 103 #include <linux/kernel.h> 104 #include <linux/jiffies.h> 105 #include <linux/string_choices.h> 106 107 /*************************************************************** 108 * Backend cipher definitions available to DRBG 109 ***************************************************************/ 110 111 /* 112 * The order of the DRBG definitions here matter: every DRBG is registered 113 * as stdrng. Each DRBG receives an increasing cra_priority values the later 114 * they are defined in this array (see drbg_fill_array). 115 * 116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 118 * favored DRBGs are the latest entries in this array. 119 */ 120 static const struct drbg_core drbg_cores[] = { 121 #ifdef CONFIG_CRYPTO_DRBG_CTR 122 { 123 .flags = DRBG_CTR | DRBG_STRENGTH128, 124 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 125 .blocklen_bytes = 16, 126 .cra_name = "ctr_aes128", 127 .backend_cra_name = "aes", 128 }, { 129 .flags = DRBG_CTR | DRBG_STRENGTH192, 130 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 131 .blocklen_bytes = 16, 132 .cra_name = "ctr_aes192", 133 .backend_cra_name = "aes", 134 }, { 135 .flags = DRBG_CTR | DRBG_STRENGTH256, 136 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 137 .blocklen_bytes = 16, 138 .cra_name = "ctr_aes256", 139 .backend_cra_name = "aes", 140 }, 141 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 142 #ifdef CONFIG_CRYPTO_DRBG_HASH 143 { 144 .flags = DRBG_HASH | DRBG_STRENGTH256, 145 .statelen = 111, /* 888 bits */ 146 .blocklen_bytes = 48, 147 .cra_name = "sha384", 148 .backend_cra_name = "sha384", 149 }, { 150 .flags = DRBG_HASH | DRBG_STRENGTH256, 151 .statelen = 111, /* 888 bits */ 152 .blocklen_bytes = 64, 153 .cra_name = "sha512", 154 .backend_cra_name = "sha512", 155 }, { 156 .flags = DRBG_HASH | DRBG_STRENGTH256, 157 .statelen = 55, /* 440 bits */ 158 .blocklen_bytes = 32, 159 .cra_name = "sha256", 160 .backend_cra_name = "sha256", 161 }, 162 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 163 #ifdef CONFIG_CRYPTO_DRBG_HMAC 164 { 165 .flags = DRBG_HMAC | DRBG_STRENGTH256, 166 .statelen = 48, /* block length of cipher */ 167 .blocklen_bytes = 48, 168 .cra_name = "hmac_sha384", 169 .backend_cra_name = "hmac(sha384)", 170 }, { 171 .flags = DRBG_HMAC | DRBG_STRENGTH256, 172 .statelen = 32, /* block length of cipher */ 173 .blocklen_bytes = 32, 174 .cra_name = "hmac_sha256", 175 .backend_cra_name = "hmac(sha256)", 176 }, { 177 .flags = DRBG_HMAC | DRBG_STRENGTH256, 178 .statelen = 64, /* block length of cipher */ 179 .blocklen_bytes = 64, 180 .cra_name = "hmac_sha512", 181 .backend_cra_name = "hmac(sha512)", 182 }, 183 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 184 }; 185 186 static int drbg_uninstantiate(struct drbg_state *drbg); 187 188 /****************************************************************** 189 * Generic helper functions 190 ******************************************************************/ 191 192 /* 193 * Return strength of DRBG according to SP800-90A section 8.4 194 * 195 * @flags DRBG flags reference 196 * 197 * Return: normalized strength in *bytes* value or 32 as default 198 * to counter programming errors 199 */ 200 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 201 { 202 switch (flags & DRBG_STRENGTH_MASK) { 203 case DRBG_STRENGTH128: 204 return 16; 205 case DRBG_STRENGTH192: 206 return 24; 207 case DRBG_STRENGTH256: 208 return 32; 209 default: 210 return 32; 211 } 212 } 213 214 /* 215 * FIPS 140-2 continuous self test for the noise source 216 * The test is performed on the noise source input data. Thus, the function 217 * implicitly knows the size of the buffer to be equal to the security 218 * strength. 219 * 220 * Note, this function disregards the nonce trailing the entropy data during 221 * initial seeding. 222 * 223 * drbg->drbg_mutex must have been taken. 224 * 225 * @drbg DRBG handle 226 * @entropy buffer of seed data to be checked 227 * 228 * return: 229 * 0 on success 230 * -EAGAIN on when the CTRNG is not yet primed 231 * < 0 on error 232 */ 233 static int drbg_fips_continuous_test(struct drbg_state *drbg, 234 const unsigned char *entropy) 235 { 236 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 237 int ret = 0; 238 239 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 240 return 0; 241 242 /* skip test if we test the overall system */ 243 if (list_empty(&drbg->test_data.list)) 244 return 0; 245 /* only perform test in FIPS mode */ 246 if (!fips_enabled) 247 return 0; 248 249 if (!drbg->fips_primed) { 250 /* Priming of FIPS test */ 251 memcpy(drbg->prev, entropy, entropylen); 252 drbg->fips_primed = true; 253 /* priming: another round is needed */ 254 return -EAGAIN; 255 } 256 ret = memcmp(drbg->prev, entropy, entropylen); 257 if (!ret) 258 panic("DRBG continuous self test failed\n"); 259 memcpy(drbg->prev, entropy, entropylen); 260 261 /* the test shall pass when the two values are not equal */ 262 return 0; 263 } 264 265 /****************************************************************** 266 * CTR DRBG callback functions 267 ******************************************************************/ 268 269 #ifdef CONFIG_CRYPTO_DRBG_CTR 270 #define CRYPTO_DRBG_CTR_STRING "CTR " 271 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 272 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 273 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 274 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 275 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 276 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 277 278 static int drbg_init_sym_kernel(struct drbg_state *drbg); 279 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 280 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 281 u8 *inbuf, u32 inbuflen, 282 u8 *outbuf, u32 outlen); 283 #define DRBG_OUTSCRATCHLEN 256 284 285 static int drbg_ctr_df(struct drbg_state *drbg, 286 unsigned char *df_data, size_t bytes_to_return, 287 struct list_head *seedlist) 288 { 289 return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg), 290 seedlist, drbg_blocklen(drbg), drbg_statelen(drbg)); 291 } 292 293 /* 294 * update function of CTR DRBG as defined in 10.2.1.2 295 * 296 * The reseed variable has an enhanced meaning compared to the update 297 * functions of the other DRBGs as follows: 298 * 0 => initial seed from initialization 299 * 1 => reseed via drbg_seed 300 * 2 => first invocation from drbg_ctr_update when addtl is present. In 301 * this case, the df_data scratchpad is not deleted so that it is 302 * available for another calls to prevent calling the DF function 303 * again. 304 * 3 => second invocation from drbg_ctr_update. When the update function 305 * was called with addtl, the df_data memory already contains the 306 * DFed addtl information and we do not need to call DF again. 307 */ 308 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 309 int reseed) 310 { 311 int ret = -EFAULT; 312 /* 10.2.1.2 step 1 */ 313 unsigned char *temp = drbg->scratchpad; 314 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 315 drbg_blocklen(drbg); 316 317 if (3 > reseed) 318 memset(df_data, 0, drbg_statelen(drbg)); 319 320 if (!reseed) { 321 /* 322 * The DRBG uses the CTR mode of the underlying AES cipher. The 323 * CTR mode increments the counter value after the AES operation 324 * but SP800-90A requires that the counter is incremented before 325 * the AES operation. Hence, we increment it at the time we set 326 * it by one. 327 */ 328 crypto_inc(drbg->V, drbg_blocklen(drbg)); 329 330 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 331 drbg_keylen(drbg)); 332 if (ret) 333 goto out; 334 } 335 336 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 337 if (seed) { 338 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 339 if (ret) 340 goto out; 341 } 342 343 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 344 temp, drbg_statelen(drbg)); 345 if (ret) 346 return ret; 347 348 /* 10.2.1.2 step 5 */ 349 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 350 drbg_keylen(drbg)); 351 if (ret) 352 goto out; 353 /* 10.2.1.2 step 6 */ 354 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 355 /* See above: increment counter by one to compensate timing of CTR op */ 356 crypto_inc(drbg->V, drbg_blocklen(drbg)); 357 ret = 0; 358 359 out: 360 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 361 if (2 != reseed) 362 memset(df_data, 0, drbg_statelen(drbg)); 363 return ret; 364 } 365 366 /* 367 * scratchpad use: drbg_ctr_update is called independently from 368 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 369 */ 370 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 371 static int drbg_ctr_generate(struct drbg_state *drbg, 372 unsigned char *buf, unsigned int buflen, 373 struct list_head *addtl) 374 { 375 int ret; 376 int len = min_t(int, buflen, INT_MAX); 377 378 /* 10.2.1.5.2 step 2 */ 379 if (addtl && !list_empty(addtl)) { 380 ret = drbg_ctr_update(drbg, addtl, 2); 381 if (ret) 382 return 0; 383 } 384 385 /* 10.2.1.5.2 step 4.1 */ 386 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 387 if (ret) 388 return ret; 389 390 /* 10.2.1.5.2 step 6 */ 391 ret = drbg_ctr_update(drbg, NULL, 3); 392 if (ret) 393 len = ret; 394 395 return len; 396 } 397 398 static const struct drbg_state_ops drbg_ctr_ops = { 399 .update = drbg_ctr_update, 400 .generate = drbg_ctr_generate, 401 .crypto_init = drbg_init_sym_kernel, 402 .crypto_fini = drbg_fini_sym_kernel, 403 }; 404 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 405 406 /****************************************************************** 407 * HMAC DRBG callback functions 408 ******************************************************************/ 409 410 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 411 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 412 const struct list_head *in); 413 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 414 const unsigned char *key); 415 static int drbg_init_hash_kernel(struct drbg_state *drbg); 416 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 417 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 418 419 #ifdef CONFIG_CRYPTO_DRBG_HMAC 420 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 421 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 422 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 423 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 424 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 425 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 426 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 427 428 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 429 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 430 int reseed) 431 { 432 int ret = -EFAULT; 433 int i = 0; 434 struct drbg_string seed1, seed2, vdata; 435 LIST_HEAD(seedlist); 436 LIST_HEAD(vdatalist); 437 438 if (!reseed) { 439 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 440 memset(drbg->V, 1, drbg_statelen(drbg)); 441 drbg_kcapi_hmacsetkey(drbg, drbg->C); 442 } 443 444 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 445 list_add_tail(&seed1.list, &seedlist); 446 /* buffer of seed2 will be filled in for loop below with one byte */ 447 drbg_string_fill(&seed2, NULL, 1); 448 list_add_tail(&seed2.list, &seedlist); 449 /* input data of seed is allowed to be NULL at this point */ 450 if (seed) 451 list_splice_tail(seed, &seedlist); 452 453 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 454 list_add_tail(&vdata.list, &vdatalist); 455 for (i = 2; 0 < i; i--) { 456 /* first round uses 0x0, second 0x1 */ 457 unsigned char prefix = DRBG_PREFIX0; 458 if (1 == i) 459 prefix = DRBG_PREFIX1; 460 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 461 seed2.buf = &prefix; 462 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 463 if (ret) 464 return ret; 465 drbg_kcapi_hmacsetkey(drbg, drbg->C); 466 467 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 468 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 469 if (ret) 470 return ret; 471 472 /* 10.1.2.2 step 3 */ 473 if (!seed) 474 return ret; 475 } 476 477 return 0; 478 } 479 480 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 481 static int drbg_hmac_generate(struct drbg_state *drbg, 482 unsigned char *buf, 483 unsigned int buflen, 484 struct list_head *addtl) 485 { 486 int len = 0; 487 int ret = 0; 488 struct drbg_string data; 489 LIST_HEAD(datalist); 490 491 /* 10.1.2.5 step 2 */ 492 if (addtl && !list_empty(addtl)) { 493 ret = drbg_hmac_update(drbg, addtl, 1); 494 if (ret) 495 return ret; 496 } 497 498 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 499 list_add_tail(&data.list, &datalist); 500 while (len < buflen) { 501 unsigned int outlen = 0; 502 /* 10.1.2.5 step 4.1 */ 503 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 504 if (ret) 505 return ret; 506 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 507 drbg_blocklen(drbg) : (buflen - len); 508 509 /* 10.1.2.5 step 4.2 */ 510 memcpy(buf + len, drbg->V, outlen); 511 len += outlen; 512 } 513 514 /* 10.1.2.5 step 6 */ 515 if (addtl && !list_empty(addtl)) 516 ret = drbg_hmac_update(drbg, addtl, 1); 517 else 518 ret = drbg_hmac_update(drbg, NULL, 1); 519 if (ret) 520 return ret; 521 522 return len; 523 } 524 525 static const struct drbg_state_ops drbg_hmac_ops = { 526 .update = drbg_hmac_update, 527 .generate = drbg_hmac_generate, 528 .crypto_init = drbg_init_hash_kernel, 529 .crypto_fini = drbg_fini_hash_kernel, 530 }; 531 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 532 533 /****************************************************************** 534 * Hash DRBG callback functions 535 ******************************************************************/ 536 537 #ifdef CONFIG_CRYPTO_DRBG_HASH 538 #define CRYPTO_DRBG_HASH_STRING "HASH " 539 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 540 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 541 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 542 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 543 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 544 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 545 546 /* 547 * Increment buffer 548 * 549 * @dst buffer to increment 550 * @add value to add 551 */ 552 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 553 const unsigned char *add, size_t addlen) 554 { 555 /* implied: dstlen > addlen */ 556 unsigned char *dstptr; 557 const unsigned char *addptr; 558 unsigned int remainder = 0; 559 size_t len = addlen; 560 561 dstptr = dst + (dstlen-1); 562 addptr = add + (addlen-1); 563 while (len) { 564 remainder += *dstptr + *addptr; 565 *dstptr = remainder & 0xff; 566 remainder >>= 8; 567 len--; dstptr--; addptr--; 568 } 569 len = dstlen - addlen; 570 while (len && remainder > 0) { 571 remainder = *dstptr + 1; 572 *dstptr = remainder & 0xff; 573 remainder >>= 8; 574 len--; dstptr--; 575 } 576 } 577 578 /* 579 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 580 * interlinked, the scratchpad is used as follows: 581 * drbg_hash_update 582 * start: drbg->scratchpad 583 * length: drbg_statelen(drbg) 584 * drbg_hash_df: 585 * start: drbg->scratchpad + drbg_statelen(drbg) 586 * length: drbg_blocklen(drbg) 587 * 588 * drbg_hash_process_addtl uses the scratchpad, but fully completes 589 * before either of the functions mentioned before are invoked. Therefore, 590 * drbg_hash_process_addtl does not need to be specifically considered. 591 */ 592 593 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 594 static int drbg_hash_df(struct drbg_state *drbg, 595 unsigned char *outval, size_t outlen, 596 struct list_head *entropylist) 597 { 598 int ret = 0; 599 size_t len = 0; 600 unsigned char input[5]; 601 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 602 struct drbg_string data; 603 604 /* 10.4.1 step 3 */ 605 input[0] = 1; 606 drbg_cpu_to_be32((outlen * 8), &input[1]); 607 608 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 609 drbg_string_fill(&data, input, 5); 610 list_add(&data.list, entropylist); 611 612 /* 10.4.1 step 4 */ 613 while (len < outlen) { 614 short blocklen = 0; 615 /* 10.4.1 step 4.1 */ 616 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 617 if (ret) 618 goto out; 619 /* 10.4.1 step 4.2 */ 620 input[0]++; 621 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 622 drbg_blocklen(drbg) : (outlen - len); 623 memcpy(outval + len, tmp, blocklen); 624 len += blocklen; 625 } 626 627 out: 628 memset(tmp, 0, drbg_blocklen(drbg)); 629 return ret; 630 } 631 632 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 633 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 634 int reseed) 635 { 636 int ret = 0; 637 struct drbg_string data1, data2; 638 LIST_HEAD(datalist); 639 LIST_HEAD(datalist2); 640 unsigned char *V = drbg->scratchpad; 641 unsigned char prefix = DRBG_PREFIX1; 642 643 if (!seed) 644 return -EINVAL; 645 646 if (reseed) { 647 /* 10.1.1.3 step 1 */ 648 memcpy(V, drbg->V, drbg_statelen(drbg)); 649 drbg_string_fill(&data1, &prefix, 1); 650 list_add_tail(&data1.list, &datalist); 651 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 652 list_add_tail(&data2.list, &datalist); 653 } 654 list_splice_tail(seed, &datalist); 655 656 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 657 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 658 if (ret) 659 goto out; 660 661 /* 10.1.1.2 / 10.1.1.3 step 4 */ 662 prefix = DRBG_PREFIX0; 663 drbg_string_fill(&data1, &prefix, 1); 664 list_add_tail(&data1.list, &datalist2); 665 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 666 list_add_tail(&data2.list, &datalist2); 667 /* 10.1.1.2 / 10.1.1.3 step 4 */ 668 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 669 670 out: 671 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 672 return ret; 673 } 674 675 /* processing of additional information string for Hash DRBG */ 676 static int drbg_hash_process_addtl(struct drbg_state *drbg, 677 struct list_head *addtl) 678 { 679 int ret = 0; 680 struct drbg_string data1, data2; 681 LIST_HEAD(datalist); 682 unsigned char prefix = DRBG_PREFIX2; 683 684 /* 10.1.1.4 step 2 */ 685 if (!addtl || list_empty(addtl)) 686 return 0; 687 688 /* 10.1.1.4 step 2a */ 689 drbg_string_fill(&data1, &prefix, 1); 690 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 691 list_add_tail(&data1.list, &datalist); 692 list_add_tail(&data2.list, &datalist); 693 list_splice_tail(addtl, &datalist); 694 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 695 if (ret) 696 goto out; 697 698 /* 10.1.1.4 step 2b */ 699 drbg_add_buf(drbg->V, drbg_statelen(drbg), 700 drbg->scratchpad, drbg_blocklen(drbg)); 701 702 out: 703 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 704 return ret; 705 } 706 707 /* Hashgen defined in 10.1.1.4 */ 708 static int drbg_hash_hashgen(struct drbg_state *drbg, 709 unsigned char *buf, 710 unsigned int buflen) 711 { 712 int len = 0; 713 int ret = 0; 714 unsigned char *src = drbg->scratchpad; 715 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 716 struct drbg_string data; 717 LIST_HEAD(datalist); 718 719 /* 10.1.1.4 step hashgen 2 */ 720 memcpy(src, drbg->V, drbg_statelen(drbg)); 721 722 drbg_string_fill(&data, src, drbg_statelen(drbg)); 723 list_add_tail(&data.list, &datalist); 724 while (len < buflen) { 725 unsigned int outlen = 0; 726 /* 10.1.1.4 step hashgen 4.1 */ 727 ret = drbg_kcapi_hash(drbg, dst, &datalist); 728 if (ret) { 729 len = ret; 730 goto out; 731 } 732 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 733 drbg_blocklen(drbg) : (buflen - len); 734 /* 10.1.1.4 step hashgen 4.2 */ 735 memcpy(buf + len, dst, outlen); 736 len += outlen; 737 /* 10.1.1.4 hashgen step 4.3 */ 738 if (len < buflen) 739 crypto_inc(src, drbg_statelen(drbg)); 740 } 741 742 out: 743 memset(drbg->scratchpad, 0, 744 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 745 return len; 746 } 747 748 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 749 static int drbg_hash_generate(struct drbg_state *drbg, 750 unsigned char *buf, unsigned int buflen, 751 struct list_head *addtl) 752 { 753 int len = 0; 754 int ret = 0; 755 union { 756 unsigned char req[8]; 757 __be64 req_int; 758 } u; 759 unsigned char prefix = DRBG_PREFIX3; 760 struct drbg_string data1, data2; 761 LIST_HEAD(datalist); 762 763 /* 10.1.1.4 step 2 */ 764 ret = drbg_hash_process_addtl(drbg, addtl); 765 if (ret) 766 return ret; 767 /* 10.1.1.4 step 3 */ 768 len = drbg_hash_hashgen(drbg, buf, buflen); 769 770 /* this is the value H as documented in 10.1.1.4 */ 771 /* 10.1.1.4 step 4 */ 772 drbg_string_fill(&data1, &prefix, 1); 773 list_add_tail(&data1.list, &datalist); 774 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 775 list_add_tail(&data2.list, &datalist); 776 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 777 if (ret) { 778 len = ret; 779 goto out; 780 } 781 782 /* 10.1.1.4 step 5 */ 783 drbg_add_buf(drbg->V, drbg_statelen(drbg), 784 drbg->scratchpad, drbg_blocklen(drbg)); 785 drbg_add_buf(drbg->V, drbg_statelen(drbg), 786 drbg->C, drbg_statelen(drbg)); 787 u.req_int = cpu_to_be64(drbg->reseed_ctr); 788 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 789 790 out: 791 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 792 return len; 793 } 794 795 /* 796 * scratchpad usage: as update and generate are used isolated, both 797 * can use the scratchpad 798 */ 799 static const struct drbg_state_ops drbg_hash_ops = { 800 .update = drbg_hash_update, 801 .generate = drbg_hash_generate, 802 .crypto_init = drbg_init_hash_kernel, 803 .crypto_fini = drbg_fini_hash_kernel, 804 }; 805 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 806 807 /****************************************************************** 808 * Functions common for DRBG implementations 809 ******************************************************************/ 810 811 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 812 int reseed, enum drbg_seed_state new_seed_state) 813 { 814 int ret = drbg->d_ops->update(drbg, seed, reseed); 815 816 if (ret) 817 return ret; 818 819 drbg->seeded = new_seed_state; 820 drbg->last_seed_time = jiffies; 821 /* 10.1.1.2 / 10.1.1.3 step 5 */ 822 drbg->reseed_ctr = 1; 823 824 switch (drbg->seeded) { 825 case DRBG_SEED_STATE_UNSEEDED: 826 /* Impossible, but handle it to silence compiler warnings. */ 827 fallthrough; 828 case DRBG_SEED_STATE_PARTIAL: 829 /* 830 * Require frequent reseeds until the seed source is 831 * fully initialized. 832 */ 833 drbg->reseed_threshold = 50; 834 break; 835 836 case DRBG_SEED_STATE_FULL: 837 /* 838 * Seed source has become fully initialized, frequent 839 * reseeds no longer required. 840 */ 841 drbg->reseed_threshold = drbg_max_requests(drbg); 842 break; 843 } 844 845 return ret; 846 } 847 848 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 849 unsigned char *entropy, 850 unsigned int entropylen) 851 { 852 int ret; 853 854 do { 855 get_random_bytes(entropy, entropylen); 856 ret = drbg_fips_continuous_test(drbg, entropy); 857 if (ret && ret != -EAGAIN) 858 return ret; 859 } while (ret); 860 861 return 0; 862 } 863 864 static int drbg_seed_from_random(struct drbg_state *drbg) 865 { 866 struct drbg_string data; 867 LIST_HEAD(seedlist); 868 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 869 unsigned char entropy[32]; 870 int ret; 871 872 BUG_ON(!entropylen); 873 BUG_ON(entropylen > sizeof(entropy)); 874 875 drbg_string_fill(&data, entropy, entropylen); 876 list_add_tail(&data.list, &seedlist); 877 878 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 879 if (ret) 880 goto out; 881 882 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 883 884 out: 885 memzero_explicit(entropy, entropylen); 886 return ret; 887 } 888 889 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 890 { 891 unsigned long next_reseed; 892 893 /* Don't ever reseed from get_random_bytes() in test mode. */ 894 if (list_empty(&drbg->test_data.list)) 895 return false; 896 897 /* 898 * Obtain fresh entropy for the nopr DRBGs after 300s have 899 * elapsed in order to still achieve sort of partial 900 * prediction resistance over the time domain at least. Note 901 * that the period of 300s has been chosen to match the 902 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 903 * rngs. 904 */ 905 next_reseed = drbg->last_seed_time + 300 * HZ; 906 return time_after(jiffies, next_reseed); 907 } 908 909 /* 910 * Seeding or reseeding of the DRBG 911 * 912 * @drbg: DRBG state struct 913 * @pers: personalization / additional information buffer 914 * @reseed: 0 for initial seed process, 1 for reseeding 915 * 916 * return: 917 * 0 on success 918 * error value otherwise 919 */ 920 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 921 bool reseed) 922 { 923 int ret; 924 unsigned char entropy[((32 + 16) * 2)]; 925 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 926 struct drbg_string data1; 927 LIST_HEAD(seedlist); 928 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 929 930 /* 9.1 / 9.2 / 9.3.1 step 3 */ 931 if (pers && pers->len > (drbg_max_addtl(drbg))) { 932 pr_devel("DRBG: personalization string too long %zu\n", 933 pers->len); 934 return -EINVAL; 935 } 936 937 if (list_empty(&drbg->test_data.list)) { 938 drbg_string_fill(&data1, drbg->test_data.buf, 939 drbg->test_data.len); 940 pr_devel("DRBG: using test entropy\n"); 941 } else { 942 /* 943 * Gather entropy equal to the security strength of the DRBG. 944 * With a derivation function, a nonce is required in addition 945 * to the entropy. A nonce must be at least 1/2 of the security 946 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 947 * of the strength. The consideration of a nonce is only 948 * applicable during initial seeding. 949 */ 950 BUG_ON(!entropylen); 951 if (!reseed) 952 entropylen = ((entropylen + 1) / 2) * 3; 953 BUG_ON((entropylen * 2) > sizeof(entropy)); 954 955 /* Get seed from in-kernel /dev/urandom */ 956 if (!rng_is_initialized()) 957 new_seed_state = DRBG_SEED_STATE_PARTIAL; 958 959 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 960 if (ret) 961 goto out; 962 963 if (!drbg->jent) { 964 drbg_string_fill(&data1, entropy, entropylen); 965 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 966 entropylen); 967 } else { 968 /* 969 * Get seed from Jitter RNG, failures are 970 * fatal only in FIPS mode. 971 */ 972 ret = crypto_rng_get_bytes(drbg->jent, 973 entropy + entropylen, 974 entropylen); 975 if (fips_enabled && ret) { 976 pr_devel("DRBG: jent failed with %d\n", ret); 977 978 /* 979 * Do not treat the transient failure of the 980 * Jitter RNG as an error that needs to be 981 * reported. The combined number of the 982 * maximum reseed threshold times the maximum 983 * number of Jitter RNG transient errors is 984 * less than the reseed threshold required by 985 * SP800-90A allowing us to treat the 986 * transient errors as such. 987 * 988 * However, we mandate that at least the first 989 * seeding operation must succeed with the 990 * Jitter RNG. 991 */ 992 if (!reseed || ret != -EAGAIN) 993 goto out; 994 } 995 996 drbg_string_fill(&data1, entropy, entropylen * 2); 997 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 998 entropylen * 2); 999 } 1000 } 1001 list_add_tail(&data1.list, &seedlist); 1002 1003 /* 1004 * concatenation of entropy with personalization str / addtl input) 1005 * the variable pers is directly handed in by the caller, so check its 1006 * contents whether it is appropriate 1007 */ 1008 if (pers && pers->buf && 0 < pers->len) { 1009 list_add_tail(&pers->list, &seedlist); 1010 pr_devel("DRBG: using personalization string\n"); 1011 } 1012 1013 if (!reseed) { 1014 memset(drbg->V, 0, drbg_statelen(drbg)); 1015 memset(drbg->C, 0, drbg_statelen(drbg)); 1016 } 1017 1018 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1019 1020 out: 1021 memzero_explicit(entropy, entropylen * 2); 1022 1023 return ret; 1024 } 1025 1026 /* Free all substructures in a DRBG state without the DRBG state structure */ 1027 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1028 { 1029 if (!drbg) 1030 return; 1031 kfree_sensitive(drbg->Vbuf); 1032 drbg->Vbuf = NULL; 1033 drbg->V = NULL; 1034 kfree_sensitive(drbg->Cbuf); 1035 drbg->Cbuf = NULL; 1036 drbg->C = NULL; 1037 kfree_sensitive(drbg->scratchpadbuf); 1038 drbg->scratchpadbuf = NULL; 1039 drbg->reseed_ctr = 0; 1040 drbg->d_ops = NULL; 1041 drbg->core = NULL; 1042 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1043 kfree_sensitive(drbg->prev); 1044 drbg->prev = NULL; 1045 drbg->fips_primed = false; 1046 } 1047 } 1048 1049 /* 1050 * Allocate all sub-structures for a DRBG state. 1051 * The DRBG state structure must already be allocated. 1052 */ 1053 static inline int drbg_alloc_state(struct drbg_state *drbg) 1054 { 1055 int ret = -ENOMEM; 1056 unsigned int sb_size = 0; 1057 1058 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1059 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1060 case DRBG_HMAC: 1061 drbg->d_ops = &drbg_hmac_ops; 1062 break; 1063 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1064 #ifdef CONFIG_CRYPTO_DRBG_HASH 1065 case DRBG_HASH: 1066 drbg->d_ops = &drbg_hash_ops; 1067 break; 1068 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1069 #ifdef CONFIG_CRYPTO_DRBG_CTR 1070 case DRBG_CTR: 1071 drbg->d_ops = &drbg_ctr_ops; 1072 break; 1073 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1074 default: 1075 ret = -EOPNOTSUPP; 1076 goto err; 1077 } 1078 1079 ret = drbg->d_ops->crypto_init(drbg); 1080 if (ret < 0) 1081 goto err; 1082 1083 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1084 if (!drbg->Vbuf) { 1085 ret = -ENOMEM; 1086 goto fini; 1087 } 1088 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1089 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1090 if (!drbg->Cbuf) { 1091 ret = -ENOMEM; 1092 goto fini; 1093 } 1094 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1095 /* scratchpad is only generated for CTR and Hash */ 1096 if (drbg->core->flags & DRBG_HMAC) 1097 sb_size = 0; 1098 else if (drbg->core->flags & DRBG_CTR) 1099 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1100 crypto_drbg_ctr_df_datalen(drbg_statelen(drbg), 1101 drbg_blocklen(drbg)); 1102 else 1103 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1104 1105 if (0 < sb_size) { 1106 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1107 if (!drbg->scratchpadbuf) { 1108 ret = -ENOMEM; 1109 goto fini; 1110 } 1111 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1112 } 1113 1114 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1115 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1116 GFP_KERNEL); 1117 if (!drbg->prev) { 1118 ret = -ENOMEM; 1119 goto fini; 1120 } 1121 drbg->fips_primed = false; 1122 } 1123 1124 return 0; 1125 1126 fini: 1127 drbg->d_ops->crypto_fini(drbg); 1128 err: 1129 drbg_dealloc_state(drbg); 1130 return ret; 1131 } 1132 1133 /************************************************************************* 1134 * DRBG interface functions 1135 *************************************************************************/ 1136 1137 /* 1138 * DRBG generate function as required by SP800-90A - this function 1139 * generates random numbers 1140 * 1141 * @drbg DRBG state handle 1142 * @buf Buffer where to store the random numbers -- the buffer must already 1143 * be pre-allocated by caller 1144 * @buflen Length of output buffer - this value defines the number of random 1145 * bytes pulled from DRBG 1146 * @addtl Additional input that is mixed into state, may be NULL -- note 1147 * the entropy is pulled by the DRBG internally unconditionally 1148 * as defined in SP800-90A. The additional input is mixed into 1149 * the state in addition to the pulled entropy. 1150 * 1151 * return: 0 when all bytes are generated; < 0 in case of an error 1152 */ 1153 static int drbg_generate(struct drbg_state *drbg, 1154 unsigned char *buf, unsigned int buflen, 1155 struct drbg_string *addtl) 1156 { 1157 int len = 0; 1158 LIST_HEAD(addtllist); 1159 1160 if (!drbg->core) { 1161 pr_devel("DRBG: not yet seeded\n"); 1162 return -EINVAL; 1163 } 1164 if (0 == buflen || !buf) { 1165 pr_devel("DRBG: no output buffer provided\n"); 1166 return -EINVAL; 1167 } 1168 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1169 pr_devel("DRBG: wrong format of additional information\n"); 1170 return -EINVAL; 1171 } 1172 1173 /* 9.3.1 step 2 */ 1174 len = -EINVAL; 1175 if (buflen > (drbg_max_request_bytes(drbg))) { 1176 pr_devel("DRBG: requested random numbers too large %u\n", 1177 buflen); 1178 goto err; 1179 } 1180 1181 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1182 1183 /* 9.3.1 step 4 */ 1184 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1185 pr_devel("DRBG: additional information string too long %zu\n", 1186 addtl->len); 1187 goto err; 1188 } 1189 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1190 1191 /* 1192 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1193 * here. The spec is a bit convoluted here, we make it simpler. 1194 */ 1195 if (drbg->reseed_threshold < drbg->reseed_ctr) 1196 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1197 1198 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1199 pr_devel("DRBG: reseeding before generation (prediction " 1200 "resistance: %s, state %s)\n", 1201 str_true_false(drbg->pr), 1202 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1203 "seeded" : "unseeded")); 1204 /* 9.3.1 steps 7.1 through 7.3 */ 1205 len = drbg_seed(drbg, addtl, true); 1206 if (len) 1207 goto err; 1208 /* 9.3.1 step 7.4 */ 1209 addtl = NULL; 1210 } else if (rng_is_initialized() && 1211 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1212 drbg_nopr_reseed_interval_elapsed(drbg))) { 1213 len = drbg_seed_from_random(drbg); 1214 if (len) 1215 goto err; 1216 } 1217 1218 if (addtl && 0 < addtl->len) 1219 list_add_tail(&addtl->list, &addtllist); 1220 /* 9.3.1 step 8 and 10 */ 1221 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1222 1223 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1224 drbg->reseed_ctr++; 1225 if (0 >= len) 1226 goto err; 1227 1228 /* 1229 * Section 11.3.3 requires to re-perform self tests after some 1230 * generated random numbers. The chosen value after which self 1231 * test is performed is arbitrary, but it should be reasonable. 1232 * However, we do not perform the self tests because of the following 1233 * reasons: it is mathematically impossible that the initial self tests 1234 * were successfully and the following are not. If the initial would 1235 * pass and the following would not, the kernel integrity is violated. 1236 * In this case, the entire kernel operation is questionable and it 1237 * is unlikely that the integrity violation only affects the 1238 * correct operation of the DRBG. 1239 * 1240 * Albeit the following code is commented out, it is provided in 1241 * case somebody has a need to implement the test of 11.3.3. 1242 */ 1243 #if 0 1244 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1245 int err = 0; 1246 pr_devel("DRBG: start to perform self test\n"); 1247 if (drbg->core->flags & DRBG_HMAC) 1248 err = alg_test("drbg_pr_hmac_sha512", 1249 "drbg_pr_hmac_sha512", 0, 0); 1250 else if (drbg->core->flags & DRBG_CTR) 1251 err = alg_test("drbg_pr_ctr_aes256", 1252 "drbg_pr_ctr_aes256", 0, 0); 1253 else 1254 err = alg_test("drbg_pr_sha256", 1255 "drbg_pr_sha256", 0, 0); 1256 if (err) { 1257 pr_err("DRBG: periodical self test failed\n"); 1258 /* 1259 * uninstantiate implies that from now on, only errors 1260 * are returned when reusing this DRBG cipher handle 1261 */ 1262 drbg_uninstantiate(drbg); 1263 return 0; 1264 } else { 1265 pr_devel("DRBG: self test successful\n"); 1266 } 1267 } 1268 #endif 1269 1270 /* 1271 * All operations were successful, return 0 as mandated by 1272 * the kernel crypto API interface. 1273 */ 1274 len = 0; 1275 err: 1276 return len; 1277 } 1278 1279 /* 1280 * Wrapper around drbg_generate which can pull arbitrary long strings 1281 * from the DRBG without hitting the maximum request limitation. 1282 * 1283 * Parameters: see drbg_generate 1284 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1285 * the entire drbg_generate_long request fails 1286 */ 1287 static int drbg_generate_long(struct drbg_state *drbg, 1288 unsigned char *buf, unsigned int buflen, 1289 struct drbg_string *addtl) 1290 { 1291 unsigned int len = 0; 1292 unsigned int slice = 0; 1293 do { 1294 int err = 0; 1295 unsigned int chunk = 0; 1296 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1297 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1298 mutex_lock(&drbg->drbg_mutex); 1299 err = drbg_generate(drbg, buf + len, chunk, addtl); 1300 mutex_unlock(&drbg->drbg_mutex); 1301 if (0 > err) 1302 return err; 1303 len += chunk; 1304 } while (slice > 0 && (len < buflen)); 1305 return 0; 1306 } 1307 1308 static int drbg_prepare_hrng(struct drbg_state *drbg) 1309 { 1310 /* We do not need an HRNG in test mode. */ 1311 if (list_empty(&drbg->test_data.list)) 1312 return 0; 1313 1314 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1315 if (IS_ERR(drbg->jent)) { 1316 const int err = PTR_ERR(drbg->jent); 1317 1318 drbg->jent = NULL; 1319 if (fips_enabled) 1320 return err; 1321 pr_info("DRBG: Continuing without Jitter RNG\n"); 1322 } 1323 1324 return 0; 1325 } 1326 1327 /* 1328 * DRBG instantiation function as required by SP800-90A - this function 1329 * sets up the DRBG handle, performs the initial seeding and all sanity 1330 * checks required by SP800-90A 1331 * 1332 * @drbg memory of state -- if NULL, new memory is allocated 1333 * @pers Personalization string that is mixed into state, may be NULL -- note 1334 * the entropy is pulled by the DRBG internally unconditionally 1335 * as defined in SP800-90A. The additional input is mixed into 1336 * the state in addition to the pulled entropy. 1337 * @coreref reference to core 1338 * @pr prediction resistance enabled 1339 * 1340 * return 1341 * 0 on success 1342 * error value otherwise 1343 */ 1344 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1345 int coreref, bool pr) 1346 { 1347 int ret; 1348 bool reseed = true; 1349 1350 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1351 "%s\n", coreref, str_enabled_disabled(pr)); 1352 mutex_lock(&drbg->drbg_mutex); 1353 1354 /* 9.1 step 1 is implicit with the selected DRBG type */ 1355 1356 /* 1357 * 9.1 step 2 is implicit as caller can select prediction resistance 1358 * and the flag is copied into drbg->flags -- 1359 * all DRBG types support prediction resistance 1360 */ 1361 1362 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1363 1364 if (!drbg->core) { 1365 drbg->core = &drbg_cores[coreref]; 1366 drbg->pr = pr; 1367 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1368 drbg->last_seed_time = 0; 1369 drbg->reseed_threshold = drbg_max_requests(drbg); 1370 1371 ret = drbg_alloc_state(drbg); 1372 if (ret) 1373 goto unlock; 1374 1375 ret = drbg_prepare_hrng(drbg); 1376 if (ret) 1377 goto free_everything; 1378 1379 reseed = false; 1380 } 1381 1382 ret = drbg_seed(drbg, pers, reseed); 1383 1384 if (ret && !reseed) 1385 goto free_everything; 1386 1387 mutex_unlock(&drbg->drbg_mutex); 1388 return ret; 1389 1390 unlock: 1391 mutex_unlock(&drbg->drbg_mutex); 1392 return ret; 1393 1394 free_everything: 1395 mutex_unlock(&drbg->drbg_mutex); 1396 drbg_uninstantiate(drbg); 1397 return ret; 1398 } 1399 1400 /* 1401 * DRBG uninstantiate function as required by SP800-90A - this function 1402 * frees all buffers and the DRBG handle 1403 * 1404 * @drbg DRBG state handle 1405 * 1406 * return 1407 * 0 on success 1408 */ 1409 static int drbg_uninstantiate(struct drbg_state *drbg) 1410 { 1411 if (!IS_ERR_OR_NULL(drbg->jent)) 1412 crypto_free_rng(drbg->jent); 1413 drbg->jent = NULL; 1414 1415 if (drbg->d_ops) 1416 drbg->d_ops->crypto_fini(drbg); 1417 drbg_dealloc_state(drbg); 1418 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1419 return 0; 1420 } 1421 1422 /* 1423 * Helper function for setting the test data in the DRBG 1424 * 1425 * @drbg DRBG state handle 1426 * @data test data 1427 * @len test data length 1428 */ 1429 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1430 const u8 *data, unsigned int len) 1431 { 1432 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1433 1434 mutex_lock(&drbg->drbg_mutex); 1435 drbg_string_fill(&drbg->test_data, data, len); 1436 mutex_unlock(&drbg->drbg_mutex); 1437 } 1438 1439 /*************************************************************** 1440 * Kernel crypto API cipher invocations requested by DRBG 1441 ***************************************************************/ 1442 1443 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1444 struct sdesc { 1445 struct shash_desc shash; 1446 char ctx[]; 1447 }; 1448 1449 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1450 { 1451 struct sdesc *sdesc; 1452 struct crypto_shash *tfm; 1453 1454 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1455 if (IS_ERR(tfm)) { 1456 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1457 drbg->core->backend_cra_name); 1458 return PTR_ERR(tfm); 1459 } 1460 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1461 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1462 GFP_KERNEL); 1463 if (!sdesc) { 1464 crypto_free_shash(tfm); 1465 return -ENOMEM; 1466 } 1467 1468 sdesc->shash.tfm = tfm; 1469 drbg->priv_data = sdesc; 1470 1471 return 0; 1472 } 1473 1474 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1475 { 1476 struct sdesc *sdesc = drbg->priv_data; 1477 if (sdesc) { 1478 crypto_free_shash(sdesc->shash.tfm); 1479 kfree_sensitive(sdesc); 1480 } 1481 drbg->priv_data = NULL; 1482 return 0; 1483 } 1484 1485 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1486 const unsigned char *key) 1487 { 1488 struct sdesc *sdesc = drbg->priv_data; 1489 1490 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1491 } 1492 1493 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1494 const struct list_head *in) 1495 { 1496 struct sdesc *sdesc = drbg->priv_data; 1497 struct drbg_string *input = NULL; 1498 1499 crypto_shash_init(&sdesc->shash); 1500 list_for_each_entry(input, in, list) 1501 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1502 return crypto_shash_final(&sdesc->shash, outval); 1503 } 1504 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1505 1506 #ifdef CONFIG_CRYPTO_DRBG_CTR 1507 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1508 { 1509 struct crypto_aes_ctx *aesctx = (struct crypto_aes_ctx *)drbg->priv_data; 1510 1511 kfree(aesctx); 1512 drbg->priv_data = NULL; 1513 1514 if (drbg->ctr_handle) 1515 crypto_free_skcipher(drbg->ctr_handle); 1516 drbg->ctr_handle = NULL; 1517 1518 if (drbg->ctr_req) 1519 skcipher_request_free(drbg->ctr_req); 1520 drbg->ctr_req = NULL; 1521 1522 kfree(drbg->outscratchpadbuf); 1523 drbg->outscratchpadbuf = NULL; 1524 1525 return 0; 1526 } 1527 1528 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1529 { 1530 struct crypto_aes_ctx *aesctx; 1531 struct crypto_skcipher *sk_tfm; 1532 struct skcipher_request *req; 1533 unsigned int alignmask; 1534 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1535 1536 aesctx = kzalloc(sizeof(*aesctx), GFP_KERNEL); 1537 if (!aesctx) 1538 return -ENOMEM; 1539 drbg->priv_data = aesctx; 1540 1541 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1542 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1543 drbg_fini_sym_kernel(drbg); 1544 return -EINVAL; 1545 } 1546 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1547 if (IS_ERR(sk_tfm)) { 1548 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1549 ctr_name); 1550 drbg_fini_sym_kernel(drbg); 1551 return PTR_ERR(sk_tfm); 1552 } 1553 drbg->ctr_handle = sk_tfm; 1554 crypto_init_wait(&drbg->ctr_wait); 1555 1556 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1557 if (!req) { 1558 pr_info("DRBG: could not allocate request queue\n"); 1559 drbg_fini_sym_kernel(drbg); 1560 return -ENOMEM; 1561 } 1562 drbg->ctr_req = req; 1563 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1564 CRYPTO_TFM_REQ_MAY_SLEEP, 1565 crypto_req_done, &drbg->ctr_wait); 1566 1567 alignmask = crypto_skcipher_alignmask(sk_tfm); 1568 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1569 GFP_KERNEL); 1570 if (!drbg->outscratchpadbuf) { 1571 drbg_fini_sym_kernel(drbg); 1572 return -ENOMEM; 1573 } 1574 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1575 alignmask + 1); 1576 1577 sg_init_table(&drbg->sg_in, 1); 1578 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1579 1580 return alignmask; 1581 } 1582 1583 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1584 u8 *inbuf, u32 inlen, 1585 u8 *outbuf, u32 outlen) 1586 { 1587 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1588 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1589 int ret; 1590 1591 if (inbuf) { 1592 /* Use caller-provided input buffer */ 1593 sg_set_buf(sg_in, inbuf, inlen); 1594 } else { 1595 /* Use scratchpad for in-place operation */ 1596 inlen = scratchpad_use; 1597 memset(drbg->outscratchpad, 0, scratchpad_use); 1598 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1599 } 1600 1601 while (outlen) { 1602 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1603 1604 /* Output buffer may not be valid for SGL, use scratchpad */ 1605 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1606 cryptlen, drbg->V); 1607 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1608 &drbg->ctr_wait); 1609 if (ret) 1610 goto out; 1611 1612 crypto_init_wait(&drbg->ctr_wait); 1613 1614 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1615 memzero_explicit(drbg->outscratchpad, cryptlen); 1616 1617 outlen -= cryptlen; 1618 outbuf += cryptlen; 1619 } 1620 ret = 0; 1621 1622 out: 1623 return ret; 1624 } 1625 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1626 1627 /*************************************************************** 1628 * Kernel crypto API interface to register DRBG 1629 ***************************************************************/ 1630 1631 /* 1632 * Look up the DRBG flags by given kernel crypto API cra_name 1633 * The code uses the drbg_cores definition to do this 1634 * 1635 * @cra_name kernel crypto API cra_name 1636 * @coreref reference to integer which is filled with the pointer to 1637 * the applicable core 1638 * @pr reference for setting prediction resistance 1639 * 1640 * return: flags 1641 */ 1642 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1643 int *coreref, bool *pr) 1644 { 1645 int i = 0; 1646 size_t start = 0; 1647 int len = 0; 1648 1649 *pr = true; 1650 /* disassemble the names */ 1651 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1652 start = 10; 1653 *pr = false; 1654 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1655 start = 8; 1656 } else { 1657 return; 1658 } 1659 1660 /* remove the first part */ 1661 len = strlen(cra_driver_name) - start; 1662 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1663 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1664 len)) { 1665 *coreref = i; 1666 return; 1667 } 1668 } 1669 } 1670 1671 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1672 { 1673 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1674 1675 mutex_init(&drbg->drbg_mutex); 1676 1677 return 0; 1678 } 1679 1680 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1681 { 1682 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1683 } 1684 1685 /* 1686 * Generate random numbers invoked by the kernel crypto API: 1687 * The API of the kernel crypto API is extended as follows: 1688 * 1689 * src is additional input supplied to the RNG. 1690 * slen is the length of src. 1691 * dst is the output buffer where random data is to be stored. 1692 * dlen is the length of dst. 1693 */ 1694 static int drbg_kcapi_random(struct crypto_rng *tfm, 1695 const u8 *src, unsigned int slen, 1696 u8 *dst, unsigned int dlen) 1697 { 1698 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1699 struct drbg_string *addtl = NULL; 1700 struct drbg_string string; 1701 1702 if (slen) { 1703 /* linked list variable is now local to allow modification */ 1704 drbg_string_fill(&string, src, slen); 1705 addtl = &string; 1706 } 1707 1708 return drbg_generate_long(drbg, dst, dlen, addtl); 1709 } 1710 1711 /* 1712 * Seed the DRBG invoked by the kernel crypto API 1713 */ 1714 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1715 const u8 *seed, unsigned int slen) 1716 { 1717 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1718 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1719 bool pr = false; 1720 struct drbg_string string; 1721 struct drbg_string *seed_string = NULL; 1722 int coreref = 0; 1723 1724 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1725 &pr); 1726 if (0 < slen) { 1727 drbg_string_fill(&string, seed, slen); 1728 seed_string = &string; 1729 } 1730 1731 return drbg_instantiate(drbg, seed_string, coreref, pr); 1732 } 1733 1734 /*************************************************************** 1735 * Kernel module: code to load the module 1736 ***************************************************************/ 1737 1738 /* 1739 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1740 * of the error handling. 1741 * 1742 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1743 * as seed source of get_random_bytes does not fail. 1744 * 1745 * Note 2: There is no sensible way of testing the reseed counter 1746 * enforcement, so skip it. 1747 */ 1748 static inline int __init drbg_healthcheck_sanity(void) 1749 { 1750 int len = 0; 1751 #define OUTBUFLEN 16 1752 unsigned char buf[OUTBUFLEN]; 1753 struct drbg_state *drbg = NULL; 1754 int ret; 1755 int rc = -EFAULT; 1756 bool pr = false; 1757 int coreref = 0; 1758 struct drbg_string addtl; 1759 size_t max_addtllen, max_request_bytes; 1760 1761 /* only perform test in FIPS mode */ 1762 if (!fips_enabled) 1763 return 0; 1764 1765 #ifdef CONFIG_CRYPTO_DRBG_CTR 1766 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 1767 #endif 1768 #ifdef CONFIG_CRYPTO_DRBG_HASH 1769 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1770 #endif 1771 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1772 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 1773 #endif 1774 1775 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1776 if (!drbg) 1777 return -ENOMEM; 1778 1779 mutex_init(&drbg->drbg_mutex); 1780 drbg->core = &drbg_cores[coreref]; 1781 drbg->reseed_threshold = drbg_max_requests(drbg); 1782 1783 /* 1784 * if the following tests fail, it is likely that there is a buffer 1785 * overflow as buf is much smaller than the requested or provided 1786 * string lengths -- in case the error handling does not succeed 1787 * we may get an OOPS. And we want to get an OOPS as this is a 1788 * grave bug. 1789 */ 1790 1791 max_addtllen = drbg_max_addtl(drbg); 1792 max_request_bytes = drbg_max_request_bytes(drbg); 1793 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1794 /* overflow addtllen with additonal info string */ 1795 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1796 BUG_ON(0 < len); 1797 /* overflow max_bits */ 1798 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1799 BUG_ON(0 < len); 1800 1801 /* overflow max addtllen with personalization string */ 1802 ret = drbg_seed(drbg, &addtl, false); 1803 BUG_ON(0 == ret); 1804 /* all tests passed */ 1805 rc = 0; 1806 1807 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1808 "completed\n"); 1809 1810 kfree(drbg); 1811 return rc; 1812 } 1813 1814 static struct rng_alg drbg_algs[22]; 1815 1816 /* 1817 * Fill the array drbg_algs used to register the different DRBGs 1818 * with the kernel crypto API. To fill the array, the information 1819 * from drbg_cores[] is used. 1820 */ 1821 static inline void __init drbg_fill_array(struct rng_alg *alg, 1822 const struct drbg_core *core, int pr) 1823 { 1824 int pos = 0; 1825 static int priority = 200; 1826 1827 memcpy(alg->base.cra_name, "stdrng", 6); 1828 if (pr) { 1829 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1830 pos = 8; 1831 } else { 1832 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1833 pos = 10; 1834 } 1835 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1836 strlen(core->cra_name)); 1837 1838 alg->base.cra_priority = priority; 1839 priority++; 1840 /* 1841 * If FIPS mode enabled, the selected DRBG shall have the 1842 * highest cra_priority over other stdrng instances to ensure 1843 * it is selected. 1844 */ 1845 if (fips_enabled) 1846 alg->base.cra_priority += 200; 1847 1848 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1849 alg->base.cra_module = THIS_MODULE; 1850 alg->base.cra_init = drbg_kcapi_init; 1851 alg->base.cra_exit = drbg_kcapi_cleanup; 1852 alg->generate = drbg_kcapi_random; 1853 alg->seed = drbg_kcapi_seed; 1854 alg->set_ent = drbg_kcapi_set_entropy; 1855 alg->seedsize = 0; 1856 } 1857 1858 static int __init drbg_init(void) 1859 { 1860 unsigned int i = 0; /* pointer to drbg_algs */ 1861 unsigned int j = 0; /* pointer to drbg_cores */ 1862 int ret; 1863 1864 ret = drbg_healthcheck_sanity(); 1865 if (ret) 1866 return ret; 1867 1868 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1869 pr_info("DRBG: Cannot register all DRBG types" 1870 "(slots needed: %zu, slots available: %zu)\n", 1871 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1872 return -EFAULT; 1873 } 1874 1875 /* 1876 * each DRBG definition can be used with PR and without PR, thus 1877 * we instantiate each DRBG in drbg_cores[] twice. 1878 * 1879 * As the order of placing them into the drbg_algs array matters 1880 * (the later DRBGs receive a higher cra_priority) we register the 1881 * prediction resistance DRBGs first as the should not be too 1882 * interesting. 1883 */ 1884 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1885 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1886 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1887 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1888 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1889 } 1890 1891 static void __exit drbg_exit(void) 1892 { 1893 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1894 } 1895 1896 module_init(drbg_init); 1897 module_exit(drbg_exit); 1898 #ifndef CRYPTO_DRBG_HASH_STRING 1899 #define CRYPTO_DRBG_HASH_STRING "" 1900 #endif 1901 #ifndef CRYPTO_DRBG_HMAC_STRING 1902 #define CRYPTO_DRBG_HMAC_STRING "" 1903 #endif 1904 #ifndef CRYPTO_DRBG_CTR_STRING 1905 #define CRYPTO_DRBG_CTR_STRING "" 1906 #endif 1907 MODULE_LICENSE("GPL"); 1908 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1909 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1910 "using following cores: " 1911 CRYPTO_DRBG_HASH_STRING 1912 CRYPTO_DRBG_HMAC_STRING 1913 CRYPTO_DRBG_CTR_STRING); 1914 MODULE_ALIAS_CRYPTO("stdrng"); 1915 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 1916