xref: /linux/crypto/drbg.c (revision b8e85e6f3a09fc56b0ff574887798962ef8a8f80)
1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *		* with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99 
100 #include <crypto/drbg.h>
101 #include <crypto/internal/cipher.h>
102 #include <linux/kernel.h>
103 #include <linux/jiffies.h>
104 
105 /***************************************************************
106  * Backend cipher definitions available to DRBG
107  ***************************************************************/
108 
109 /*
110  * The order of the DRBG definitions here matter: every DRBG is registered
111  * as stdrng. Each DRBG receives an increasing cra_priority values the later
112  * they are defined in this array (see drbg_fill_array).
113  *
114  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
115  * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
116  * favored DRBGs are the latest entries in this array.
117  */
118 static const struct drbg_core drbg_cores[] = {
119 #ifdef CONFIG_CRYPTO_DRBG_CTR
120 	{
121 		.flags = DRBG_CTR | DRBG_STRENGTH128,
122 		.statelen = 32, /* 256 bits as defined in 10.2.1 */
123 		.blocklen_bytes = 16,
124 		.cra_name = "ctr_aes128",
125 		.backend_cra_name = "aes",
126 	}, {
127 		.flags = DRBG_CTR | DRBG_STRENGTH192,
128 		.statelen = 40, /* 320 bits as defined in 10.2.1 */
129 		.blocklen_bytes = 16,
130 		.cra_name = "ctr_aes192",
131 		.backend_cra_name = "aes",
132 	}, {
133 		.flags = DRBG_CTR | DRBG_STRENGTH256,
134 		.statelen = 48, /* 384 bits as defined in 10.2.1 */
135 		.blocklen_bytes = 16,
136 		.cra_name = "ctr_aes256",
137 		.backend_cra_name = "aes",
138 	},
139 #endif /* CONFIG_CRYPTO_DRBG_CTR */
140 #ifdef CONFIG_CRYPTO_DRBG_HASH
141 	{
142 		.flags = DRBG_HASH | DRBG_STRENGTH256,
143 		.statelen = 111, /* 888 bits */
144 		.blocklen_bytes = 48,
145 		.cra_name = "sha384",
146 		.backend_cra_name = "sha384",
147 	}, {
148 		.flags = DRBG_HASH | DRBG_STRENGTH256,
149 		.statelen = 111, /* 888 bits */
150 		.blocklen_bytes = 64,
151 		.cra_name = "sha512",
152 		.backend_cra_name = "sha512",
153 	}, {
154 		.flags = DRBG_HASH | DRBG_STRENGTH256,
155 		.statelen = 55, /* 440 bits */
156 		.blocklen_bytes = 32,
157 		.cra_name = "sha256",
158 		.backend_cra_name = "sha256",
159 	},
160 #endif /* CONFIG_CRYPTO_DRBG_HASH */
161 #ifdef CONFIG_CRYPTO_DRBG_HMAC
162 	{
163 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
164 		.statelen = 48, /* block length of cipher */
165 		.blocklen_bytes = 48,
166 		.cra_name = "hmac_sha384",
167 		.backend_cra_name = "hmac(sha384)",
168 	}, {
169 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
170 		.statelen = 32, /* block length of cipher */
171 		.blocklen_bytes = 32,
172 		.cra_name = "hmac_sha256",
173 		.backend_cra_name = "hmac(sha256)",
174 	}, {
175 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
176 		.statelen = 64, /* block length of cipher */
177 		.blocklen_bytes = 64,
178 		.cra_name = "hmac_sha512",
179 		.backend_cra_name = "hmac(sha512)",
180 	},
181 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
182 };
183 
184 static int drbg_uninstantiate(struct drbg_state *drbg);
185 
186 /******************************************************************
187  * Generic helper functions
188  ******************************************************************/
189 
190 /*
191  * Return strength of DRBG according to SP800-90A section 8.4
192  *
193  * @flags DRBG flags reference
194  *
195  * Return: normalized strength in *bytes* value or 32 as default
196  *	   to counter programming errors
197  */
198 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
199 {
200 	switch (flags & DRBG_STRENGTH_MASK) {
201 	case DRBG_STRENGTH128:
202 		return 16;
203 	case DRBG_STRENGTH192:
204 		return 24;
205 	case DRBG_STRENGTH256:
206 		return 32;
207 	default:
208 		return 32;
209 	}
210 }
211 
212 /*
213  * FIPS 140-2 continuous self test for the noise source
214  * The test is performed on the noise source input data. Thus, the function
215  * implicitly knows the size of the buffer to be equal to the security
216  * strength.
217  *
218  * Note, this function disregards the nonce trailing the entropy data during
219  * initial seeding.
220  *
221  * drbg->drbg_mutex must have been taken.
222  *
223  * @drbg DRBG handle
224  * @entropy buffer of seed data to be checked
225  *
226  * return:
227  *	0 on success
228  *	-EAGAIN on when the CTRNG is not yet primed
229  *	< 0 on error
230  */
231 static int drbg_fips_continuous_test(struct drbg_state *drbg,
232 				     const unsigned char *entropy)
233 {
234 	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
235 	int ret = 0;
236 
237 	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
238 		return 0;
239 
240 	/* skip test if we test the overall system */
241 	if (list_empty(&drbg->test_data.list))
242 		return 0;
243 	/* only perform test in FIPS mode */
244 	if (!fips_enabled)
245 		return 0;
246 
247 	if (!drbg->fips_primed) {
248 		/* Priming of FIPS test */
249 		memcpy(drbg->prev, entropy, entropylen);
250 		drbg->fips_primed = true;
251 		/* priming: another round is needed */
252 		return -EAGAIN;
253 	}
254 	ret = memcmp(drbg->prev, entropy, entropylen);
255 	if (!ret)
256 		panic("DRBG continuous self test failed\n");
257 	memcpy(drbg->prev, entropy, entropylen);
258 
259 	/* the test shall pass when the two values are not equal */
260 	return 0;
261 }
262 
263 /*
264  * Convert an integer into a byte representation of this integer.
265  * The byte representation is big-endian
266  *
267  * @val value to be converted
268  * @buf buffer holding the converted integer -- caller must ensure that
269  *      buffer size is at least 32 bit
270  */
271 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
272 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
273 {
274 	struct s {
275 		__be32 conv;
276 	};
277 	struct s *conversion = (struct s *) buf;
278 
279 	conversion->conv = cpu_to_be32(val);
280 }
281 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
282 
283 /******************************************************************
284  * CTR DRBG callback functions
285  ******************************************************************/
286 
287 #ifdef CONFIG_CRYPTO_DRBG_CTR
288 #define CRYPTO_DRBG_CTR_STRING "CTR "
289 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
290 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
291 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
292 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
293 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
294 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
295 
296 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
297 				 const unsigned char *key);
298 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
299 			  const struct drbg_string *in);
300 static int drbg_init_sym_kernel(struct drbg_state *drbg);
301 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
302 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
303 			      u8 *inbuf, u32 inbuflen,
304 			      u8 *outbuf, u32 outlen);
305 #define DRBG_OUTSCRATCHLEN 256
306 
307 /* BCC function for CTR DRBG as defined in 10.4.3 */
308 static int drbg_ctr_bcc(struct drbg_state *drbg,
309 			unsigned char *out, const unsigned char *key,
310 			struct list_head *in)
311 {
312 	int ret = 0;
313 	struct drbg_string *curr = NULL;
314 	struct drbg_string data;
315 	short cnt = 0;
316 
317 	drbg_string_fill(&data, out, drbg_blocklen(drbg));
318 
319 	/* 10.4.3 step 2 / 4 */
320 	drbg_kcapi_symsetkey(drbg, key);
321 	list_for_each_entry(curr, in, list) {
322 		const unsigned char *pos = curr->buf;
323 		size_t len = curr->len;
324 		/* 10.4.3 step 4.1 */
325 		while (len) {
326 			/* 10.4.3 step 4.2 */
327 			if (drbg_blocklen(drbg) == cnt) {
328 				cnt = 0;
329 				ret = drbg_kcapi_sym(drbg, out, &data);
330 				if (ret)
331 					return ret;
332 			}
333 			out[cnt] ^= *pos;
334 			pos++;
335 			cnt++;
336 			len--;
337 		}
338 	}
339 	/* 10.4.3 step 4.2 for last block */
340 	if (cnt)
341 		ret = drbg_kcapi_sym(drbg, out, &data);
342 
343 	return ret;
344 }
345 
346 /*
347  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
348  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
349  * the scratchpad is used as follows:
350  * drbg_ctr_update:
351  *	temp
352  *		start: drbg->scratchpad
353  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
354  *			note: the cipher writing into this variable works
355  *			blocklen-wise. Now, when the statelen is not a multiple
356  *			of blocklen, the generateion loop below "spills over"
357  *			by at most blocklen. Thus, we need to give sufficient
358  *			memory.
359  *	df_data
360  *		start: drbg->scratchpad +
361  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
362  *		length: drbg_statelen(drbg)
363  *
364  * drbg_ctr_df:
365  *	pad
366  *		start: df_data + drbg_statelen(drbg)
367  *		length: drbg_blocklen(drbg)
368  *	iv
369  *		start: pad + drbg_blocklen(drbg)
370  *		length: drbg_blocklen(drbg)
371  *	temp
372  *		start: iv + drbg_blocklen(drbg)
373  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
374  *			note: temp is the buffer that the BCC function operates
375  *			on. BCC operates blockwise. drbg_statelen(drbg)
376  *			is sufficient when the DRBG state length is a multiple
377  *			of the block size. For AES192 (and maybe other ciphers)
378  *			this is not correct and the length for temp is
379  *			insufficient (yes, that also means for such ciphers,
380  *			the final output of all BCC rounds are truncated).
381  *			Therefore, add drbg_blocklen(drbg) to cover all
382  *			possibilities.
383  */
384 
385 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
386 static int drbg_ctr_df(struct drbg_state *drbg,
387 		       unsigned char *df_data, size_t bytes_to_return,
388 		       struct list_head *seedlist)
389 {
390 	int ret = -EFAULT;
391 	unsigned char L_N[8];
392 	/* S3 is input */
393 	struct drbg_string S1, S2, S4, cipherin;
394 	LIST_HEAD(bcc_list);
395 	unsigned char *pad = df_data + drbg_statelen(drbg);
396 	unsigned char *iv = pad + drbg_blocklen(drbg);
397 	unsigned char *temp = iv + drbg_blocklen(drbg);
398 	size_t padlen = 0;
399 	unsigned int templen = 0;
400 	/* 10.4.2 step 7 */
401 	unsigned int i = 0;
402 	/* 10.4.2 step 8 */
403 	const unsigned char *K = (unsigned char *)
404 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
405 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
406 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
407 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
408 	unsigned char *X;
409 	size_t generated_len = 0;
410 	size_t inputlen = 0;
411 	struct drbg_string *seed = NULL;
412 
413 	memset(pad, 0, drbg_blocklen(drbg));
414 	memset(iv, 0, drbg_blocklen(drbg));
415 
416 	/* 10.4.2 step 1 is implicit as we work byte-wise */
417 
418 	/* 10.4.2 step 2 */
419 	if ((512/8) < bytes_to_return)
420 		return -EINVAL;
421 
422 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
423 	list_for_each_entry(seed, seedlist, list)
424 		inputlen += seed->len;
425 	drbg_cpu_to_be32(inputlen, &L_N[0]);
426 
427 	/* 10.4.2 step 3 */
428 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
429 
430 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
431 	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
432 	/* wrap the padlen appropriately */
433 	if (padlen)
434 		padlen = drbg_blocklen(drbg) - padlen;
435 	/*
436 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
437 	 * As the calculated padlen value only covers the number of zero
438 	 * bytes, this value has to be incremented by one for the 0x80 byte.
439 	 */
440 	padlen++;
441 	pad[0] = 0x80;
442 
443 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
444 	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
445 	list_add_tail(&S1.list, &bcc_list);
446 	drbg_string_fill(&S2, L_N, sizeof(L_N));
447 	list_add_tail(&S2.list, &bcc_list);
448 	list_splice_tail(seedlist, &bcc_list);
449 	drbg_string_fill(&S4, pad, padlen);
450 	list_add_tail(&S4.list, &bcc_list);
451 
452 	/* 10.4.2 step 9 */
453 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
454 		/*
455 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
456 		 * holds zeros after allocation -- even the increment of i
457 		 * is irrelevant as the increment remains within length of i
458 		 */
459 		drbg_cpu_to_be32(i, iv);
460 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
461 		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
462 		if (ret)
463 			goto out;
464 		/* 10.4.2 step 9.3 */
465 		i++;
466 		templen += drbg_blocklen(drbg);
467 	}
468 
469 	/* 10.4.2 step 11 */
470 	X = temp + (drbg_keylen(drbg));
471 	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
472 
473 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
474 
475 	/* 10.4.2 step 13 */
476 	drbg_kcapi_symsetkey(drbg, temp);
477 	while (generated_len < bytes_to_return) {
478 		short blocklen = 0;
479 		/*
480 		 * 10.4.2 step 13.1: the truncation of the key length is
481 		 * implicit as the key is only drbg_blocklen in size based on
482 		 * the implementation of the cipher function callback
483 		 */
484 		ret = drbg_kcapi_sym(drbg, X, &cipherin);
485 		if (ret)
486 			goto out;
487 		blocklen = (drbg_blocklen(drbg) <
488 				(bytes_to_return - generated_len)) ?
489 			    drbg_blocklen(drbg) :
490 				(bytes_to_return - generated_len);
491 		/* 10.4.2 step 13.2 and 14 */
492 		memcpy(df_data + generated_len, X, blocklen);
493 		generated_len += blocklen;
494 	}
495 
496 	ret = 0;
497 
498 out:
499 	memset(iv, 0, drbg_blocklen(drbg));
500 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
501 	memset(pad, 0, drbg_blocklen(drbg));
502 	return ret;
503 }
504 
505 /*
506  * update function of CTR DRBG as defined in 10.2.1.2
507  *
508  * The reseed variable has an enhanced meaning compared to the update
509  * functions of the other DRBGs as follows:
510  * 0 => initial seed from initialization
511  * 1 => reseed via drbg_seed
512  * 2 => first invocation from drbg_ctr_update when addtl is present. In
513  *      this case, the df_data scratchpad is not deleted so that it is
514  *      available for another calls to prevent calling the DF function
515  *      again.
516  * 3 => second invocation from drbg_ctr_update. When the update function
517  *      was called with addtl, the df_data memory already contains the
518  *      DFed addtl information and we do not need to call DF again.
519  */
520 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
521 			   int reseed)
522 {
523 	int ret = -EFAULT;
524 	/* 10.2.1.2 step 1 */
525 	unsigned char *temp = drbg->scratchpad;
526 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
527 				 drbg_blocklen(drbg);
528 
529 	if (3 > reseed)
530 		memset(df_data, 0, drbg_statelen(drbg));
531 
532 	if (!reseed) {
533 		/*
534 		 * The DRBG uses the CTR mode of the underlying AES cipher. The
535 		 * CTR mode increments the counter value after the AES operation
536 		 * but SP800-90A requires that the counter is incremented before
537 		 * the AES operation. Hence, we increment it at the time we set
538 		 * it by one.
539 		 */
540 		crypto_inc(drbg->V, drbg_blocklen(drbg));
541 
542 		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
543 					     drbg_keylen(drbg));
544 		if (ret)
545 			goto out;
546 	}
547 
548 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
549 	if (seed) {
550 		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
551 		if (ret)
552 			goto out;
553 	}
554 
555 	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
556 				 temp, drbg_statelen(drbg));
557 	if (ret)
558 		return ret;
559 
560 	/* 10.2.1.2 step 5 */
561 	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
562 				     drbg_keylen(drbg));
563 	if (ret)
564 		goto out;
565 	/* 10.2.1.2 step 6 */
566 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
567 	/* See above: increment counter by one to compensate timing of CTR op */
568 	crypto_inc(drbg->V, drbg_blocklen(drbg));
569 	ret = 0;
570 
571 out:
572 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
573 	if (2 != reseed)
574 		memset(df_data, 0, drbg_statelen(drbg));
575 	return ret;
576 }
577 
578 /*
579  * scratchpad use: drbg_ctr_update is called independently from
580  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
581  */
582 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
583 static int drbg_ctr_generate(struct drbg_state *drbg,
584 			     unsigned char *buf, unsigned int buflen,
585 			     struct list_head *addtl)
586 {
587 	int ret;
588 	int len = min_t(int, buflen, INT_MAX);
589 
590 	/* 10.2.1.5.2 step 2 */
591 	if (addtl && !list_empty(addtl)) {
592 		ret = drbg_ctr_update(drbg, addtl, 2);
593 		if (ret)
594 			return 0;
595 	}
596 
597 	/* 10.2.1.5.2 step 4.1 */
598 	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
599 	if (ret)
600 		return ret;
601 
602 	/* 10.2.1.5.2 step 6 */
603 	ret = drbg_ctr_update(drbg, NULL, 3);
604 	if (ret)
605 		len = ret;
606 
607 	return len;
608 }
609 
610 static const struct drbg_state_ops drbg_ctr_ops = {
611 	.update		= drbg_ctr_update,
612 	.generate	= drbg_ctr_generate,
613 	.crypto_init	= drbg_init_sym_kernel,
614 	.crypto_fini	= drbg_fini_sym_kernel,
615 };
616 #endif /* CONFIG_CRYPTO_DRBG_CTR */
617 
618 /******************************************************************
619  * HMAC DRBG callback functions
620  ******************************************************************/
621 
622 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
623 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
624 			   const struct list_head *in);
625 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
626 				  const unsigned char *key);
627 static int drbg_init_hash_kernel(struct drbg_state *drbg);
628 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
629 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
630 
631 #ifdef CONFIG_CRYPTO_DRBG_HMAC
632 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
633 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
634 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
635 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
636 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
637 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
638 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
639 
640 /* update function of HMAC DRBG as defined in 10.1.2.2 */
641 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
642 			    int reseed)
643 {
644 	int ret = -EFAULT;
645 	int i = 0;
646 	struct drbg_string seed1, seed2, vdata;
647 	LIST_HEAD(seedlist);
648 	LIST_HEAD(vdatalist);
649 
650 	if (!reseed) {
651 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
652 		memset(drbg->V, 1, drbg_statelen(drbg));
653 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
654 	}
655 
656 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
657 	list_add_tail(&seed1.list, &seedlist);
658 	/* buffer of seed2 will be filled in for loop below with one byte */
659 	drbg_string_fill(&seed2, NULL, 1);
660 	list_add_tail(&seed2.list, &seedlist);
661 	/* input data of seed is allowed to be NULL at this point */
662 	if (seed)
663 		list_splice_tail(seed, &seedlist);
664 
665 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
666 	list_add_tail(&vdata.list, &vdatalist);
667 	for (i = 2; 0 < i; i--) {
668 		/* first round uses 0x0, second 0x1 */
669 		unsigned char prefix = DRBG_PREFIX0;
670 		if (1 == i)
671 			prefix = DRBG_PREFIX1;
672 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
673 		seed2.buf = &prefix;
674 		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
675 		if (ret)
676 			return ret;
677 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
678 
679 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
680 		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
681 		if (ret)
682 			return ret;
683 
684 		/* 10.1.2.2 step 3 */
685 		if (!seed)
686 			return ret;
687 	}
688 
689 	return 0;
690 }
691 
692 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
693 static int drbg_hmac_generate(struct drbg_state *drbg,
694 			      unsigned char *buf,
695 			      unsigned int buflen,
696 			      struct list_head *addtl)
697 {
698 	int len = 0;
699 	int ret = 0;
700 	struct drbg_string data;
701 	LIST_HEAD(datalist);
702 
703 	/* 10.1.2.5 step 2 */
704 	if (addtl && !list_empty(addtl)) {
705 		ret = drbg_hmac_update(drbg, addtl, 1);
706 		if (ret)
707 			return ret;
708 	}
709 
710 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
711 	list_add_tail(&data.list, &datalist);
712 	while (len < buflen) {
713 		unsigned int outlen = 0;
714 		/* 10.1.2.5 step 4.1 */
715 		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
716 		if (ret)
717 			return ret;
718 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
719 			  drbg_blocklen(drbg) : (buflen - len);
720 
721 		/* 10.1.2.5 step 4.2 */
722 		memcpy(buf + len, drbg->V, outlen);
723 		len += outlen;
724 	}
725 
726 	/* 10.1.2.5 step 6 */
727 	if (addtl && !list_empty(addtl))
728 		ret = drbg_hmac_update(drbg, addtl, 1);
729 	else
730 		ret = drbg_hmac_update(drbg, NULL, 1);
731 	if (ret)
732 		return ret;
733 
734 	return len;
735 }
736 
737 static const struct drbg_state_ops drbg_hmac_ops = {
738 	.update		= drbg_hmac_update,
739 	.generate	= drbg_hmac_generate,
740 	.crypto_init	= drbg_init_hash_kernel,
741 	.crypto_fini	= drbg_fini_hash_kernel,
742 };
743 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
744 
745 /******************************************************************
746  * Hash DRBG callback functions
747  ******************************************************************/
748 
749 #ifdef CONFIG_CRYPTO_DRBG_HASH
750 #define CRYPTO_DRBG_HASH_STRING "HASH "
751 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
752 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
753 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
754 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
755 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
756 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
757 
758 /*
759  * Increment buffer
760  *
761  * @dst buffer to increment
762  * @add value to add
763  */
764 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
765 				const unsigned char *add, size_t addlen)
766 {
767 	/* implied: dstlen > addlen */
768 	unsigned char *dstptr;
769 	const unsigned char *addptr;
770 	unsigned int remainder = 0;
771 	size_t len = addlen;
772 
773 	dstptr = dst + (dstlen-1);
774 	addptr = add + (addlen-1);
775 	while (len) {
776 		remainder += *dstptr + *addptr;
777 		*dstptr = remainder & 0xff;
778 		remainder >>= 8;
779 		len--; dstptr--; addptr--;
780 	}
781 	len = dstlen - addlen;
782 	while (len && remainder > 0) {
783 		remainder = *dstptr + 1;
784 		*dstptr = remainder & 0xff;
785 		remainder >>= 8;
786 		len--; dstptr--;
787 	}
788 }
789 
790 /*
791  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
792  * interlinked, the scratchpad is used as follows:
793  * drbg_hash_update
794  *	start: drbg->scratchpad
795  *	length: drbg_statelen(drbg)
796  * drbg_hash_df:
797  *	start: drbg->scratchpad + drbg_statelen(drbg)
798  *	length: drbg_blocklen(drbg)
799  *
800  * drbg_hash_process_addtl uses the scratchpad, but fully completes
801  * before either of the functions mentioned before are invoked. Therefore,
802  * drbg_hash_process_addtl does not need to be specifically considered.
803  */
804 
805 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
806 static int drbg_hash_df(struct drbg_state *drbg,
807 			unsigned char *outval, size_t outlen,
808 			struct list_head *entropylist)
809 {
810 	int ret = 0;
811 	size_t len = 0;
812 	unsigned char input[5];
813 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
814 	struct drbg_string data;
815 
816 	/* 10.4.1 step 3 */
817 	input[0] = 1;
818 	drbg_cpu_to_be32((outlen * 8), &input[1]);
819 
820 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
821 	drbg_string_fill(&data, input, 5);
822 	list_add(&data.list, entropylist);
823 
824 	/* 10.4.1 step 4 */
825 	while (len < outlen) {
826 		short blocklen = 0;
827 		/* 10.4.1 step 4.1 */
828 		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
829 		if (ret)
830 			goto out;
831 		/* 10.4.1 step 4.2 */
832 		input[0]++;
833 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
834 			    drbg_blocklen(drbg) : (outlen - len);
835 		memcpy(outval + len, tmp, blocklen);
836 		len += blocklen;
837 	}
838 
839 out:
840 	memset(tmp, 0, drbg_blocklen(drbg));
841 	return ret;
842 }
843 
844 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
845 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
846 			    int reseed)
847 {
848 	int ret = 0;
849 	struct drbg_string data1, data2;
850 	LIST_HEAD(datalist);
851 	LIST_HEAD(datalist2);
852 	unsigned char *V = drbg->scratchpad;
853 	unsigned char prefix = DRBG_PREFIX1;
854 
855 	if (!seed)
856 		return -EINVAL;
857 
858 	if (reseed) {
859 		/* 10.1.1.3 step 1 */
860 		memcpy(V, drbg->V, drbg_statelen(drbg));
861 		drbg_string_fill(&data1, &prefix, 1);
862 		list_add_tail(&data1.list, &datalist);
863 		drbg_string_fill(&data2, V, drbg_statelen(drbg));
864 		list_add_tail(&data2.list, &datalist);
865 	}
866 	list_splice_tail(seed, &datalist);
867 
868 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
869 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
870 	if (ret)
871 		goto out;
872 
873 	/* 10.1.1.2 / 10.1.1.3 step 4  */
874 	prefix = DRBG_PREFIX0;
875 	drbg_string_fill(&data1, &prefix, 1);
876 	list_add_tail(&data1.list, &datalist2);
877 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
878 	list_add_tail(&data2.list, &datalist2);
879 	/* 10.1.1.2 / 10.1.1.3 step 4 */
880 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
881 
882 out:
883 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
884 	return ret;
885 }
886 
887 /* processing of additional information string for Hash DRBG */
888 static int drbg_hash_process_addtl(struct drbg_state *drbg,
889 				   struct list_head *addtl)
890 {
891 	int ret = 0;
892 	struct drbg_string data1, data2;
893 	LIST_HEAD(datalist);
894 	unsigned char prefix = DRBG_PREFIX2;
895 
896 	/* 10.1.1.4 step 2 */
897 	if (!addtl || list_empty(addtl))
898 		return 0;
899 
900 	/* 10.1.1.4 step 2a */
901 	drbg_string_fill(&data1, &prefix, 1);
902 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
903 	list_add_tail(&data1.list, &datalist);
904 	list_add_tail(&data2.list, &datalist);
905 	list_splice_tail(addtl, &datalist);
906 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
907 	if (ret)
908 		goto out;
909 
910 	/* 10.1.1.4 step 2b */
911 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
912 		     drbg->scratchpad, drbg_blocklen(drbg));
913 
914 out:
915 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
916 	return ret;
917 }
918 
919 /* Hashgen defined in 10.1.1.4 */
920 static int drbg_hash_hashgen(struct drbg_state *drbg,
921 			     unsigned char *buf,
922 			     unsigned int buflen)
923 {
924 	int len = 0;
925 	int ret = 0;
926 	unsigned char *src = drbg->scratchpad;
927 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
928 	struct drbg_string data;
929 	LIST_HEAD(datalist);
930 
931 	/* 10.1.1.4 step hashgen 2 */
932 	memcpy(src, drbg->V, drbg_statelen(drbg));
933 
934 	drbg_string_fill(&data, src, drbg_statelen(drbg));
935 	list_add_tail(&data.list, &datalist);
936 	while (len < buflen) {
937 		unsigned int outlen = 0;
938 		/* 10.1.1.4 step hashgen 4.1 */
939 		ret = drbg_kcapi_hash(drbg, dst, &datalist);
940 		if (ret) {
941 			len = ret;
942 			goto out;
943 		}
944 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
945 			  drbg_blocklen(drbg) : (buflen - len);
946 		/* 10.1.1.4 step hashgen 4.2 */
947 		memcpy(buf + len, dst, outlen);
948 		len += outlen;
949 		/* 10.1.1.4 hashgen step 4.3 */
950 		if (len < buflen)
951 			crypto_inc(src, drbg_statelen(drbg));
952 	}
953 
954 out:
955 	memset(drbg->scratchpad, 0,
956 	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
957 	return len;
958 }
959 
960 /* generate function for Hash DRBG as defined in  10.1.1.4 */
961 static int drbg_hash_generate(struct drbg_state *drbg,
962 			      unsigned char *buf, unsigned int buflen,
963 			      struct list_head *addtl)
964 {
965 	int len = 0;
966 	int ret = 0;
967 	union {
968 		unsigned char req[8];
969 		__be64 req_int;
970 	} u;
971 	unsigned char prefix = DRBG_PREFIX3;
972 	struct drbg_string data1, data2;
973 	LIST_HEAD(datalist);
974 
975 	/* 10.1.1.4 step 2 */
976 	ret = drbg_hash_process_addtl(drbg, addtl);
977 	if (ret)
978 		return ret;
979 	/* 10.1.1.4 step 3 */
980 	len = drbg_hash_hashgen(drbg, buf, buflen);
981 
982 	/* this is the value H as documented in 10.1.1.4 */
983 	/* 10.1.1.4 step 4 */
984 	drbg_string_fill(&data1, &prefix, 1);
985 	list_add_tail(&data1.list, &datalist);
986 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
987 	list_add_tail(&data2.list, &datalist);
988 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
989 	if (ret) {
990 		len = ret;
991 		goto out;
992 	}
993 
994 	/* 10.1.1.4 step 5 */
995 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
996 		     drbg->scratchpad, drbg_blocklen(drbg));
997 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
998 		     drbg->C, drbg_statelen(drbg));
999 	u.req_int = cpu_to_be64(drbg->reseed_ctr);
1000 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1001 
1002 out:
1003 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1004 	return len;
1005 }
1006 
1007 /*
1008  * scratchpad usage: as update and generate are used isolated, both
1009  * can use the scratchpad
1010  */
1011 static const struct drbg_state_ops drbg_hash_ops = {
1012 	.update		= drbg_hash_update,
1013 	.generate	= drbg_hash_generate,
1014 	.crypto_init	= drbg_init_hash_kernel,
1015 	.crypto_fini	= drbg_fini_hash_kernel,
1016 };
1017 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1018 
1019 /******************************************************************
1020  * Functions common for DRBG implementations
1021  ******************************************************************/
1022 
1023 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1024 			      int reseed, enum drbg_seed_state new_seed_state)
1025 {
1026 	int ret = drbg->d_ops->update(drbg, seed, reseed);
1027 
1028 	if (ret)
1029 		return ret;
1030 
1031 	drbg->seeded = new_seed_state;
1032 	drbg->last_seed_time = jiffies;
1033 	/* 10.1.1.2 / 10.1.1.3 step 5 */
1034 	drbg->reseed_ctr = 1;
1035 
1036 	switch (drbg->seeded) {
1037 	case DRBG_SEED_STATE_UNSEEDED:
1038 		/* Impossible, but handle it to silence compiler warnings. */
1039 		fallthrough;
1040 	case DRBG_SEED_STATE_PARTIAL:
1041 		/*
1042 		 * Require frequent reseeds until the seed source is
1043 		 * fully initialized.
1044 		 */
1045 		drbg->reseed_threshold = 50;
1046 		break;
1047 
1048 	case DRBG_SEED_STATE_FULL:
1049 		/*
1050 		 * Seed source has become fully initialized, frequent
1051 		 * reseeds no longer required.
1052 		 */
1053 		drbg->reseed_threshold = drbg_max_requests(drbg);
1054 		break;
1055 	}
1056 
1057 	return ret;
1058 }
1059 
1060 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1061 					unsigned char *entropy,
1062 					unsigned int entropylen)
1063 {
1064 	int ret;
1065 
1066 	do {
1067 		get_random_bytes(entropy, entropylen);
1068 		ret = drbg_fips_continuous_test(drbg, entropy);
1069 		if (ret && ret != -EAGAIN)
1070 			return ret;
1071 	} while (ret);
1072 
1073 	return 0;
1074 }
1075 
1076 static int drbg_seed_from_random(struct drbg_state *drbg)
1077 {
1078 	struct drbg_string data;
1079 	LIST_HEAD(seedlist);
1080 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1081 	unsigned char entropy[32];
1082 	int ret;
1083 
1084 	BUG_ON(!entropylen);
1085 	BUG_ON(entropylen > sizeof(entropy));
1086 
1087 	drbg_string_fill(&data, entropy, entropylen);
1088 	list_add_tail(&data.list, &seedlist);
1089 
1090 	ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1091 	if (ret)
1092 		goto out;
1093 
1094 	ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1095 
1096 out:
1097 	memzero_explicit(entropy, entropylen);
1098 	return ret;
1099 }
1100 
1101 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
1102 {
1103 	unsigned long next_reseed;
1104 
1105 	/* Don't ever reseed from get_random_bytes() in test mode. */
1106 	if (list_empty(&drbg->test_data.list))
1107 		return false;
1108 
1109 	/*
1110 	 * Obtain fresh entropy for the nopr DRBGs after 300s have
1111 	 * elapsed in order to still achieve sort of partial
1112 	 * prediction resistance over the time domain at least. Note
1113 	 * that the period of 300s has been chosen to match the
1114 	 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
1115 	 * rngs.
1116 	 */
1117 	next_reseed = drbg->last_seed_time + 300 * HZ;
1118 	return time_after(jiffies, next_reseed);
1119 }
1120 
1121 /*
1122  * Seeding or reseeding of the DRBG
1123  *
1124  * @drbg: DRBG state struct
1125  * @pers: personalization / additional information buffer
1126  * @reseed: 0 for initial seed process, 1 for reseeding
1127  *
1128  * return:
1129  *	0 on success
1130  *	error value otherwise
1131  */
1132 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1133 		     bool reseed)
1134 {
1135 	int ret;
1136 	unsigned char entropy[((32 + 16) * 2)];
1137 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1138 	struct drbg_string data1;
1139 	LIST_HEAD(seedlist);
1140 	enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
1141 
1142 	/* 9.1 / 9.2 / 9.3.1 step 3 */
1143 	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1144 		pr_devel("DRBG: personalization string too long %zu\n",
1145 			 pers->len);
1146 		return -EINVAL;
1147 	}
1148 
1149 	if (list_empty(&drbg->test_data.list)) {
1150 		drbg_string_fill(&data1, drbg->test_data.buf,
1151 				 drbg->test_data.len);
1152 		pr_devel("DRBG: using test entropy\n");
1153 	} else {
1154 		/*
1155 		 * Gather entropy equal to the security strength of the DRBG.
1156 		 * With a derivation function, a nonce is required in addition
1157 		 * to the entropy. A nonce must be at least 1/2 of the security
1158 		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1159 		 * of the strength. The consideration of a nonce is only
1160 		 * applicable during initial seeding.
1161 		 */
1162 		BUG_ON(!entropylen);
1163 		if (!reseed)
1164 			entropylen = ((entropylen + 1) / 2) * 3;
1165 		BUG_ON((entropylen * 2) > sizeof(entropy));
1166 
1167 		/* Get seed from in-kernel /dev/urandom */
1168 		if (!rng_is_initialized())
1169 			new_seed_state = DRBG_SEED_STATE_PARTIAL;
1170 
1171 		ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1172 		if (ret)
1173 			goto out;
1174 
1175 		if (!drbg->jent) {
1176 			drbg_string_fill(&data1, entropy, entropylen);
1177 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1178 				 entropylen);
1179 		} else {
1180 			/*
1181 			 * Get seed from Jitter RNG, failures are
1182 			 * fatal only in FIPS mode.
1183 			 */
1184 			ret = crypto_rng_get_bytes(drbg->jent,
1185 						   entropy + entropylen,
1186 						   entropylen);
1187 			if (fips_enabled && ret) {
1188 				pr_devel("DRBG: jent failed with %d\n", ret);
1189 
1190 				/*
1191 				 * Do not treat the transient failure of the
1192 				 * Jitter RNG as an error that needs to be
1193 				 * reported. The combined number of the
1194 				 * maximum reseed threshold times the maximum
1195 				 * number of Jitter RNG transient errors is
1196 				 * less than the reseed threshold required by
1197 				 * SP800-90A allowing us to treat the
1198 				 * transient errors as such.
1199 				 *
1200 				 * However, we mandate that at least the first
1201 				 * seeding operation must succeed with the
1202 				 * Jitter RNG.
1203 				 */
1204 				if (!reseed || ret != -EAGAIN)
1205 					goto out;
1206 			}
1207 
1208 			drbg_string_fill(&data1, entropy, entropylen * 2);
1209 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1210 				 entropylen * 2);
1211 		}
1212 	}
1213 	list_add_tail(&data1.list, &seedlist);
1214 
1215 	/*
1216 	 * concatenation of entropy with personalization str / addtl input)
1217 	 * the variable pers is directly handed in by the caller, so check its
1218 	 * contents whether it is appropriate
1219 	 */
1220 	if (pers && pers->buf && 0 < pers->len) {
1221 		list_add_tail(&pers->list, &seedlist);
1222 		pr_devel("DRBG: using personalization string\n");
1223 	}
1224 
1225 	if (!reseed) {
1226 		memset(drbg->V, 0, drbg_statelen(drbg));
1227 		memset(drbg->C, 0, drbg_statelen(drbg));
1228 	}
1229 
1230 	ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1231 
1232 out:
1233 	memzero_explicit(entropy, entropylen * 2);
1234 
1235 	return ret;
1236 }
1237 
1238 /* Free all substructures in a DRBG state without the DRBG state structure */
1239 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1240 {
1241 	if (!drbg)
1242 		return;
1243 	kfree_sensitive(drbg->Vbuf);
1244 	drbg->Vbuf = NULL;
1245 	drbg->V = NULL;
1246 	kfree_sensitive(drbg->Cbuf);
1247 	drbg->Cbuf = NULL;
1248 	drbg->C = NULL;
1249 	kfree_sensitive(drbg->scratchpadbuf);
1250 	drbg->scratchpadbuf = NULL;
1251 	drbg->reseed_ctr = 0;
1252 	drbg->d_ops = NULL;
1253 	drbg->core = NULL;
1254 	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1255 		kfree_sensitive(drbg->prev);
1256 		drbg->prev = NULL;
1257 		drbg->fips_primed = false;
1258 	}
1259 }
1260 
1261 /*
1262  * Allocate all sub-structures for a DRBG state.
1263  * The DRBG state structure must already be allocated.
1264  */
1265 static inline int drbg_alloc_state(struct drbg_state *drbg)
1266 {
1267 	int ret = -ENOMEM;
1268 	unsigned int sb_size = 0;
1269 
1270 	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1271 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1272 	case DRBG_HMAC:
1273 		drbg->d_ops = &drbg_hmac_ops;
1274 		break;
1275 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1276 #ifdef CONFIG_CRYPTO_DRBG_HASH
1277 	case DRBG_HASH:
1278 		drbg->d_ops = &drbg_hash_ops;
1279 		break;
1280 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1281 #ifdef CONFIG_CRYPTO_DRBG_CTR
1282 	case DRBG_CTR:
1283 		drbg->d_ops = &drbg_ctr_ops;
1284 		break;
1285 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1286 	default:
1287 		ret = -EOPNOTSUPP;
1288 		goto err;
1289 	}
1290 
1291 	ret = drbg->d_ops->crypto_init(drbg);
1292 	if (ret < 0)
1293 		goto err;
1294 
1295 	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1296 	if (!drbg->Vbuf) {
1297 		ret = -ENOMEM;
1298 		goto fini;
1299 	}
1300 	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1301 	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1302 	if (!drbg->Cbuf) {
1303 		ret = -ENOMEM;
1304 		goto fini;
1305 	}
1306 	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1307 	/* scratchpad is only generated for CTR and Hash */
1308 	if (drbg->core->flags & DRBG_HMAC)
1309 		sb_size = 0;
1310 	else if (drbg->core->flags & DRBG_CTR)
1311 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1312 			  drbg_statelen(drbg) +	/* df_data */
1313 			  drbg_blocklen(drbg) +	/* pad */
1314 			  drbg_blocklen(drbg) +	/* iv */
1315 			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1316 	else
1317 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1318 
1319 	if (0 < sb_size) {
1320 		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1321 		if (!drbg->scratchpadbuf) {
1322 			ret = -ENOMEM;
1323 			goto fini;
1324 		}
1325 		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1326 	}
1327 
1328 	if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1329 		drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1330 				     GFP_KERNEL);
1331 		if (!drbg->prev) {
1332 			ret = -ENOMEM;
1333 			goto fini;
1334 		}
1335 		drbg->fips_primed = false;
1336 	}
1337 
1338 	return 0;
1339 
1340 fini:
1341 	drbg->d_ops->crypto_fini(drbg);
1342 err:
1343 	drbg_dealloc_state(drbg);
1344 	return ret;
1345 }
1346 
1347 /*************************************************************************
1348  * DRBG interface functions
1349  *************************************************************************/
1350 
1351 /*
1352  * DRBG generate function as required by SP800-90A - this function
1353  * generates random numbers
1354  *
1355  * @drbg DRBG state handle
1356  * @buf Buffer where to store the random numbers -- the buffer must already
1357  *      be pre-allocated by caller
1358  * @buflen Length of output buffer - this value defines the number of random
1359  *	   bytes pulled from DRBG
1360  * @addtl Additional input that is mixed into state, may be NULL -- note
1361  *	  the entropy is pulled by the DRBG internally unconditionally
1362  *	  as defined in SP800-90A. The additional input is mixed into
1363  *	  the state in addition to the pulled entropy.
1364  *
1365  * return: 0 when all bytes are generated; < 0 in case of an error
1366  */
1367 static int drbg_generate(struct drbg_state *drbg,
1368 			 unsigned char *buf, unsigned int buflen,
1369 			 struct drbg_string *addtl)
1370 {
1371 	int len = 0;
1372 	LIST_HEAD(addtllist);
1373 
1374 	if (!drbg->core) {
1375 		pr_devel("DRBG: not yet seeded\n");
1376 		return -EINVAL;
1377 	}
1378 	if (0 == buflen || !buf) {
1379 		pr_devel("DRBG: no output buffer provided\n");
1380 		return -EINVAL;
1381 	}
1382 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1383 		pr_devel("DRBG: wrong format of additional information\n");
1384 		return -EINVAL;
1385 	}
1386 
1387 	/* 9.3.1 step 2 */
1388 	len = -EINVAL;
1389 	if (buflen > (drbg_max_request_bytes(drbg))) {
1390 		pr_devel("DRBG: requested random numbers too large %u\n",
1391 			 buflen);
1392 		goto err;
1393 	}
1394 
1395 	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1396 
1397 	/* 9.3.1 step 4 */
1398 	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1399 		pr_devel("DRBG: additional information string too long %zu\n",
1400 			 addtl->len);
1401 		goto err;
1402 	}
1403 	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1404 
1405 	/*
1406 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1407 	 * here. The spec is a bit convoluted here, we make it simpler.
1408 	 */
1409 	if (drbg->reseed_threshold < drbg->reseed_ctr)
1410 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1411 
1412 	if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1413 		pr_devel("DRBG: reseeding before generation (prediction "
1414 			 "resistance: %s, state %s)\n",
1415 			 drbg->pr ? "true" : "false",
1416 			 (drbg->seeded ==  DRBG_SEED_STATE_FULL ?
1417 			  "seeded" : "unseeded"));
1418 		/* 9.3.1 steps 7.1 through 7.3 */
1419 		len = drbg_seed(drbg, addtl, true);
1420 		if (len)
1421 			goto err;
1422 		/* 9.3.1 step 7.4 */
1423 		addtl = NULL;
1424 	} else if (rng_is_initialized() &&
1425 		   (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1426 		    drbg_nopr_reseed_interval_elapsed(drbg))) {
1427 		len = drbg_seed_from_random(drbg);
1428 		if (len)
1429 			goto err;
1430 	}
1431 
1432 	if (addtl && 0 < addtl->len)
1433 		list_add_tail(&addtl->list, &addtllist);
1434 	/* 9.3.1 step 8 and 10 */
1435 	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1436 
1437 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1438 	drbg->reseed_ctr++;
1439 	if (0 >= len)
1440 		goto err;
1441 
1442 	/*
1443 	 * Section 11.3.3 requires to re-perform self tests after some
1444 	 * generated random numbers. The chosen value after which self
1445 	 * test is performed is arbitrary, but it should be reasonable.
1446 	 * However, we do not perform the self tests because of the following
1447 	 * reasons: it is mathematically impossible that the initial self tests
1448 	 * were successfully and the following are not. If the initial would
1449 	 * pass and the following would not, the kernel integrity is violated.
1450 	 * In this case, the entire kernel operation is questionable and it
1451 	 * is unlikely that the integrity violation only affects the
1452 	 * correct operation of the DRBG.
1453 	 *
1454 	 * Albeit the following code is commented out, it is provided in
1455 	 * case somebody has a need to implement the test of 11.3.3.
1456 	 */
1457 #if 0
1458 	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1459 		int err = 0;
1460 		pr_devel("DRBG: start to perform self test\n");
1461 		if (drbg->core->flags & DRBG_HMAC)
1462 			err = alg_test("drbg_pr_hmac_sha512",
1463 				       "drbg_pr_hmac_sha512", 0, 0);
1464 		else if (drbg->core->flags & DRBG_CTR)
1465 			err = alg_test("drbg_pr_ctr_aes256",
1466 				       "drbg_pr_ctr_aes256", 0, 0);
1467 		else
1468 			err = alg_test("drbg_pr_sha256",
1469 				       "drbg_pr_sha256", 0, 0);
1470 		if (err) {
1471 			pr_err("DRBG: periodical self test failed\n");
1472 			/*
1473 			 * uninstantiate implies that from now on, only errors
1474 			 * are returned when reusing this DRBG cipher handle
1475 			 */
1476 			drbg_uninstantiate(drbg);
1477 			return 0;
1478 		} else {
1479 			pr_devel("DRBG: self test successful\n");
1480 		}
1481 	}
1482 #endif
1483 
1484 	/*
1485 	 * All operations were successful, return 0 as mandated by
1486 	 * the kernel crypto API interface.
1487 	 */
1488 	len = 0;
1489 err:
1490 	return len;
1491 }
1492 
1493 /*
1494  * Wrapper around drbg_generate which can pull arbitrary long strings
1495  * from the DRBG without hitting the maximum request limitation.
1496  *
1497  * Parameters: see drbg_generate
1498  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1499  *		 the entire drbg_generate_long request fails
1500  */
1501 static int drbg_generate_long(struct drbg_state *drbg,
1502 			      unsigned char *buf, unsigned int buflen,
1503 			      struct drbg_string *addtl)
1504 {
1505 	unsigned int len = 0;
1506 	unsigned int slice = 0;
1507 	do {
1508 		int err = 0;
1509 		unsigned int chunk = 0;
1510 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1511 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1512 		mutex_lock(&drbg->drbg_mutex);
1513 		err = drbg_generate(drbg, buf + len, chunk, addtl);
1514 		mutex_unlock(&drbg->drbg_mutex);
1515 		if (0 > err)
1516 			return err;
1517 		len += chunk;
1518 	} while (slice > 0 && (len < buflen));
1519 	return 0;
1520 }
1521 
1522 static int drbg_prepare_hrng(struct drbg_state *drbg)
1523 {
1524 	/* We do not need an HRNG in test mode. */
1525 	if (list_empty(&drbg->test_data.list))
1526 		return 0;
1527 
1528 	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1529 	if (IS_ERR(drbg->jent)) {
1530 		const int err = PTR_ERR(drbg->jent);
1531 
1532 		drbg->jent = NULL;
1533 		if (fips_enabled)
1534 			return err;
1535 		pr_info("DRBG: Continuing without Jitter RNG\n");
1536 	}
1537 
1538 	return 0;
1539 }
1540 
1541 /*
1542  * DRBG instantiation function as required by SP800-90A - this function
1543  * sets up the DRBG handle, performs the initial seeding and all sanity
1544  * checks required by SP800-90A
1545  *
1546  * @drbg memory of state -- if NULL, new memory is allocated
1547  * @pers Personalization string that is mixed into state, may be NULL -- note
1548  *	 the entropy is pulled by the DRBG internally unconditionally
1549  *	 as defined in SP800-90A. The additional input is mixed into
1550  *	 the state in addition to the pulled entropy.
1551  * @coreref reference to core
1552  * @pr prediction resistance enabled
1553  *
1554  * return
1555  *	0 on success
1556  *	error value otherwise
1557  */
1558 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1559 			    int coreref, bool pr)
1560 {
1561 	int ret;
1562 	bool reseed = true;
1563 
1564 	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1565 		 "%s\n", coreref, pr ? "enabled" : "disabled");
1566 	mutex_lock(&drbg->drbg_mutex);
1567 
1568 	/* 9.1 step 1 is implicit with the selected DRBG type */
1569 
1570 	/*
1571 	 * 9.1 step 2 is implicit as caller can select prediction resistance
1572 	 * and the flag is copied into drbg->flags --
1573 	 * all DRBG types support prediction resistance
1574 	 */
1575 
1576 	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1577 
1578 	if (!drbg->core) {
1579 		drbg->core = &drbg_cores[coreref];
1580 		drbg->pr = pr;
1581 		drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1582 		drbg->last_seed_time = 0;
1583 		drbg->reseed_threshold = drbg_max_requests(drbg);
1584 
1585 		ret = drbg_alloc_state(drbg);
1586 		if (ret)
1587 			goto unlock;
1588 
1589 		ret = drbg_prepare_hrng(drbg);
1590 		if (ret)
1591 			goto free_everything;
1592 
1593 		reseed = false;
1594 	}
1595 
1596 	ret = drbg_seed(drbg, pers, reseed);
1597 
1598 	if (ret && !reseed)
1599 		goto free_everything;
1600 
1601 	mutex_unlock(&drbg->drbg_mutex);
1602 	return ret;
1603 
1604 unlock:
1605 	mutex_unlock(&drbg->drbg_mutex);
1606 	return ret;
1607 
1608 free_everything:
1609 	mutex_unlock(&drbg->drbg_mutex);
1610 	drbg_uninstantiate(drbg);
1611 	return ret;
1612 }
1613 
1614 /*
1615  * DRBG uninstantiate function as required by SP800-90A - this function
1616  * frees all buffers and the DRBG handle
1617  *
1618  * @drbg DRBG state handle
1619  *
1620  * return
1621  *	0 on success
1622  */
1623 static int drbg_uninstantiate(struct drbg_state *drbg)
1624 {
1625 	if (!IS_ERR_OR_NULL(drbg->jent))
1626 		crypto_free_rng(drbg->jent);
1627 	drbg->jent = NULL;
1628 
1629 	if (drbg->d_ops)
1630 		drbg->d_ops->crypto_fini(drbg);
1631 	drbg_dealloc_state(drbg);
1632 	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1633 	return 0;
1634 }
1635 
1636 /*
1637  * Helper function for setting the test data in the DRBG
1638  *
1639  * @drbg DRBG state handle
1640  * @data test data
1641  * @len test data length
1642  */
1643 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1644 				   const u8 *data, unsigned int len)
1645 {
1646 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1647 
1648 	mutex_lock(&drbg->drbg_mutex);
1649 	drbg_string_fill(&drbg->test_data, data, len);
1650 	mutex_unlock(&drbg->drbg_mutex);
1651 }
1652 
1653 /***************************************************************
1654  * Kernel crypto API cipher invocations requested by DRBG
1655  ***************************************************************/
1656 
1657 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1658 struct sdesc {
1659 	struct shash_desc shash;
1660 	char ctx[];
1661 };
1662 
1663 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1664 {
1665 	struct sdesc *sdesc;
1666 	struct crypto_shash *tfm;
1667 
1668 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1669 	if (IS_ERR(tfm)) {
1670 		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1671 				drbg->core->backend_cra_name);
1672 		return PTR_ERR(tfm);
1673 	}
1674 	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1675 	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1676 			GFP_KERNEL);
1677 	if (!sdesc) {
1678 		crypto_free_shash(tfm);
1679 		return -ENOMEM;
1680 	}
1681 
1682 	sdesc->shash.tfm = tfm;
1683 	drbg->priv_data = sdesc;
1684 
1685 	return 0;
1686 }
1687 
1688 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1689 {
1690 	struct sdesc *sdesc = drbg->priv_data;
1691 	if (sdesc) {
1692 		crypto_free_shash(sdesc->shash.tfm);
1693 		kfree_sensitive(sdesc);
1694 	}
1695 	drbg->priv_data = NULL;
1696 	return 0;
1697 }
1698 
1699 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1700 				  const unsigned char *key)
1701 {
1702 	struct sdesc *sdesc = drbg->priv_data;
1703 
1704 	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1705 }
1706 
1707 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1708 			   const struct list_head *in)
1709 {
1710 	struct sdesc *sdesc = drbg->priv_data;
1711 	struct drbg_string *input = NULL;
1712 
1713 	crypto_shash_init(&sdesc->shash);
1714 	list_for_each_entry(input, in, list)
1715 		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1716 	return crypto_shash_final(&sdesc->shash, outval);
1717 }
1718 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1719 
1720 #ifdef CONFIG_CRYPTO_DRBG_CTR
1721 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1722 {
1723 	struct crypto_cipher *tfm =
1724 		(struct crypto_cipher *)drbg->priv_data;
1725 	if (tfm)
1726 		crypto_free_cipher(tfm);
1727 	drbg->priv_data = NULL;
1728 
1729 	if (drbg->ctr_handle)
1730 		crypto_free_skcipher(drbg->ctr_handle);
1731 	drbg->ctr_handle = NULL;
1732 
1733 	if (drbg->ctr_req)
1734 		skcipher_request_free(drbg->ctr_req);
1735 	drbg->ctr_req = NULL;
1736 
1737 	kfree(drbg->outscratchpadbuf);
1738 	drbg->outscratchpadbuf = NULL;
1739 
1740 	return 0;
1741 }
1742 
1743 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1744 {
1745 	struct crypto_cipher *tfm;
1746 	struct crypto_skcipher *sk_tfm;
1747 	struct skcipher_request *req;
1748 	unsigned int alignmask;
1749 	char ctr_name[CRYPTO_MAX_ALG_NAME];
1750 
1751 	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1752 	if (IS_ERR(tfm)) {
1753 		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1754 				drbg->core->backend_cra_name);
1755 		return PTR_ERR(tfm);
1756 	}
1757 	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1758 	drbg->priv_data = tfm;
1759 
1760 	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1761 	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1762 		drbg_fini_sym_kernel(drbg);
1763 		return -EINVAL;
1764 	}
1765 	sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1766 	if (IS_ERR(sk_tfm)) {
1767 		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1768 				ctr_name);
1769 		drbg_fini_sym_kernel(drbg);
1770 		return PTR_ERR(sk_tfm);
1771 	}
1772 	drbg->ctr_handle = sk_tfm;
1773 	crypto_init_wait(&drbg->ctr_wait);
1774 
1775 	req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1776 	if (!req) {
1777 		pr_info("DRBG: could not allocate request queue\n");
1778 		drbg_fini_sym_kernel(drbg);
1779 		return -ENOMEM;
1780 	}
1781 	drbg->ctr_req = req;
1782 	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1783 						CRYPTO_TFM_REQ_MAY_SLEEP,
1784 					crypto_req_done, &drbg->ctr_wait);
1785 
1786 	alignmask = crypto_skcipher_alignmask(sk_tfm);
1787 	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1788 					 GFP_KERNEL);
1789 	if (!drbg->outscratchpadbuf) {
1790 		drbg_fini_sym_kernel(drbg);
1791 		return -ENOMEM;
1792 	}
1793 	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1794 					      alignmask + 1);
1795 
1796 	sg_init_table(&drbg->sg_in, 1);
1797 	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1798 
1799 	return alignmask;
1800 }
1801 
1802 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1803 				 const unsigned char *key)
1804 {
1805 	struct crypto_cipher *tfm = drbg->priv_data;
1806 
1807 	crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1808 }
1809 
1810 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1811 			  const struct drbg_string *in)
1812 {
1813 	struct crypto_cipher *tfm = drbg->priv_data;
1814 
1815 	/* there is only component in *in */
1816 	BUG_ON(in->len < drbg_blocklen(drbg));
1817 	crypto_cipher_encrypt_one(tfm, outval, in->buf);
1818 	return 0;
1819 }
1820 
1821 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1822 			      u8 *inbuf, u32 inlen,
1823 			      u8 *outbuf, u32 outlen)
1824 {
1825 	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1826 	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1827 	int ret;
1828 
1829 	if (inbuf) {
1830 		/* Use caller-provided input buffer */
1831 		sg_set_buf(sg_in, inbuf, inlen);
1832 	} else {
1833 		/* Use scratchpad for in-place operation */
1834 		inlen = scratchpad_use;
1835 		memset(drbg->outscratchpad, 0, scratchpad_use);
1836 		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1837 	}
1838 
1839 	while (outlen) {
1840 		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1841 
1842 		/* Output buffer may not be valid for SGL, use scratchpad */
1843 		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1844 					   cryptlen, drbg->V);
1845 		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1846 					&drbg->ctr_wait);
1847 		if (ret)
1848 			goto out;
1849 
1850 		crypto_init_wait(&drbg->ctr_wait);
1851 
1852 		memcpy(outbuf, drbg->outscratchpad, cryptlen);
1853 		memzero_explicit(drbg->outscratchpad, cryptlen);
1854 
1855 		outlen -= cryptlen;
1856 		outbuf += cryptlen;
1857 	}
1858 	ret = 0;
1859 
1860 out:
1861 	return ret;
1862 }
1863 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1864 
1865 /***************************************************************
1866  * Kernel crypto API interface to register DRBG
1867  ***************************************************************/
1868 
1869 /*
1870  * Look up the DRBG flags by given kernel crypto API cra_name
1871  * The code uses the drbg_cores definition to do this
1872  *
1873  * @cra_name kernel crypto API cra_name
1874  * @coreref reference to integer which is filled with the pointer to
1875  *  the applicable core
1876  * @pr reference for setting prediction resistance
1877  *
1878  * return: flags
1879  */
1880 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1881 					 int *coreref, bool *pr)
1882 {
1883 	int i = 0;
1884 	size_t start = 0;
1885 	int len = 0;
1886 
1887 	*pr = true;
1888 	/* disassemble the names */
1889 	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1890 		start = 10;
1891 		*pr = false;
1892 	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1893 		start = 8;
1894 	} else {
1895 		return;
1896 	}
1897 
1898 	/* remove the first part */
1899 	len = strlen(cra_driver_name) - start;
1900 	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1901 		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1902 			    len)) {
1903 			*coreref = i;
1904 			return;
1905 		}
1906 	}
1907 }
1908 
1909 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1910 {
1911 	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1912 
1913 	mutex_init(&drbg->drbg_mutex);
1914 
1915 	return 0;
1916 }
1917 
1918 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1919 {
1920 	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1921 }
1922 
1923 /*
1924  * Generate random numbers invoked by the kernel crypto API:
1925  * The API of the kernel crypto API is extended as follows:
1926  *
1927  * src is additional input supplied to the RNG.
1928  * slen is the length of src.
1929  * dst is the output buffer where random data is to be stored.
1930  * dlen is the length of dst.
1931  */
1932 static int drbg_kcapi_random(struct crypto_rng *tfm,
1933 			     const u8 *src, unsigned int slen,
1934 			     u8 *dst, unsigned int dlen)
1935 {
1936 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1937 	struct drbg_string *addtl = NULL;
1938 	struct drbg_string string;
1939 
1940 	if (slen) {
1941 		/* linked list variable is now local to allow modification */
1942 		drbg_string_fill(&string, src, slen);
1943 		addtl = &string;
1944 	}
1945 
1946 	return drbg_generate_long(drbg, dst, dlen, addtl);
1947 }
1948 
1949 /*
1950  * Seed the DRBG invoked by the kernel crypto API
1951  */
1952 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1953 			   const u8 *seed, unsigned int slen)
1954 {
1955 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1956 	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1957 	bool pr = false;
1958 	struct drbg_string string;
1959 	struct drbg_string *seed_string = NULL;
1960 	int coreref = 0;
1961 
1962 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1963 			      &pr);
1964 	if (0 < slen) {
1965 		drbg_string_fill(&string, seed, slen);
1966 		seed_string = &string;
1967 	}
1968 
1969 	return drbg_instantiate(drbg, seed_string, coreref, pr);
1970 }
1971 
1972 /***************************************************************
1973  * Kernel module: code to load the module
1974  ***************************************************************/
1975 
1976 /*
1977  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1978  * of the error handling.
1979  *
1980  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1981  * as seed source of get_random_bytes does not fail.
1982  *
1983  * Note 2: There is no sensible way of testing the reseed counter
1984  * enforcement, so skip it.
1985  */
1986 static inline int __init drbg_healthcheck_sanity(void)
1987 {
1988 	int len = 0;
1989 #define OUTBUFLEN 16
1990 	unsigned char buf[OUTBUFLEN];
1991 	struct drbg_state *drbg = NULL;
1992 	int ret;
1993 	int rc = -EFAULT;
1994 	bool pr = false;
1995 	int coreref = 0;
1996 	struct drbg_string addtl;
1997 	size_t max_addtllen, max_request_bytes;
1998 
1999 	/* only perform test in FIPS mode */
2000 	if (!fips_enabled)
2001 		return 0;
2002 
2003 #ifdef CONFIG_CRYPTO_DRBG_CTR
2004 	drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
2005 #endif
2006 #ifdef CONFIG_CRYPTO_DRBG_HASH
2007 	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2008 #endif
2009 #ifdef CONFIG_CRYPTO_DRBG_HMAC
2010 	drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
2011 #endif
2012 
2013 	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2014 	if (!drbg)
2015 		return -ENOMEM;
2016 
2017 	mutex_init(&drbg->drbg_mutex);
2018 	drbg->core = &drbg_cores[coreref];
2019 	drbg->reseed_threshold = drbg_max_requests(drbg);
2020 
2021 	/*
2022 	 * if the following tests fail, it is likely that there is a buffer
2023 	 * overflow as buf is much smaller than the requested or provided
2024 	 * string lengths -- in case the error handling does not succeed
2025 	 * we may get an OOPS. And we want to get an OOPS as this is a
2026 	 * grave bug.
2027 	 */
2028 
2029 	max_addtllen = drbg_max_addtl(drbg);
2030 	max_request_bytes = drbg_max_request_bytes(drbg);
2031 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
2032 	/* overflow addtllen with additonal info string */
2033 	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2034 	BUG_ON(0 < len);
2035 	/* overflow max_bits */
2036 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2037 	BUG_ON(0 < len);
2038 
2039 	/* overflow max addtllen with personalization string */
2040 	ret = drbg_seed(drbg, &addtl, false);
2041 	BUG_ON(0 == ret);
2042 	/* all tests passed */
2043 	rc = 0;
2044 
2045 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
2046 		 "completed\n");
2047 
2048 	kfree(drbg);
2049 	return rc;
2050 }
2051 
2052 static struct rng_alg drbg_algs[22];
2053 
2054 /*
2055  * Fill the array drbg_algs used to register the different DRBGs
2056  * with the kernel crypto API. To fill the array, the information
2057  * from drbg_cores[] is used.
2058  */
2059 static inline void __init drbg_fill_array(struct rng_alg *alg,
2060 					  const struct drbg_core *core, int pr)
2061 {
2062 	int pos = 0;
2063 	static int priority = 200;
2064 
2065 	memcpy(alg->base.cra_name, "stdrng", 6);
2066 	if (pr) {
2067 		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2068 		pos = 8;
2069 	} else {
2070 		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2071 		pos = 10;
2072 	}
2073 	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2074 	       strlen(core->cra_name));
2075 
2076 	alg->base.cra_priority = priority;
2077 	priority++;
2078 	/*
2079 	 * If FIPS mode enabled, the selected DRBG shall have the
2080 	 * highest cra_priority over other stdrng instances to ensure
2081 	 * it is selected.
2082 	 */
2083 	if (fips_enabled)
2084 		alg->base.cra_priority += 200;
2085 
2086 	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
2087 	alg->base.cra_module	= THIS_MODULE;
2088 	alg->base.cra_init	= drbg_kcapi_init;
2089 	alg->base.cra_exit	= drbg_kcapi_cleanup;
2090 	alg->generate		= drbg_kcapi_random;
2091 	alg->seed		= drbg_kcapi_seed;
2092 	alg->set_ent		= drbg_kcapi_set_entropy;
2093 	alg->seedsize		= 0;
2094 }
2095 
2096 static int __init drbg_init(void)
2097 {
2098 	unsigned int i = 0; /* pointer to drbg_algs */
2099 	unsigned int j = 0; /* pointer to drbg_cores */
2100 	int ret;
2101 
2102 	ret = drbg_healthcheck_sanity();
2103 	if (ret)
2104 		return ret;
2105 
2106 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2107 		pr_info("DRBG: Cannot register all DRBG types"
2108 			"(slots needed: %zu, slots available: %zu)\n",
2109 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2110 		return -EFAULT;
2111 	}
2112 
2113 	/*
2114 	 * each DRBG definition can be used with PR and without PR, thus
2115 	 * we instantiate each DRBG in drbg_cores[] twice.
2116 	 *
2117 	 * As the order of placing them into the drbg_algs array matters
2118 	 * (the later DRBGs receive a higher cra_priority) we register the
2119 	 * prediction resistance DRBGs first as the should not be too
2120 	 * interesting.
2121 	 */
2122 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2123 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2124 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2125 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2126 	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2127 }
2128 
2129 static void __exit drbg_exit(void)
2130 {
2131 	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2132 }
2133 
2134 subsys_initcall(drbg_init);
2135 module_exit(drbg_exit);
2136 #ifndef CRYPTO_DRBG_HASH_STRING
2137 #define CRYPTO_DRBG_HASH_STRING ""
2138 #endif
2139 #ifndef CRYPTO_DRBG_HMAC_STRING
2140 #define CRYPTO_DRBG_HMAC_STRING ""
2141 #endif
2142 #ifndef CRYPTO_DRBG_CTR_STRING
2143 #define CRYPTO_DRBG_CTR_STRING ""
2144 #endif
2145 MODULE_LICENSE("GPL");
2146 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2147 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2148 		   "using following cores: "
2149 		   CRYPTO_DRBG_HASH_STRING
2150 		   CRYPTO_DRBG_HMAC_STRING
2151 		   CRYPTO_DRBG_CTR_STRING);
2152 MODULE_ALIAS_CRYPTO("stdrng");
2153 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
2154