1 /*
2 * DRBG: Deterministic Random Bits Generator
3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following
4 * properties:
5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8 * * with and without prediction resistance
9 *
10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, and the entire permission notice in its entirety,
17 * including the disclaimer of warranties.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. The name of the author may not be used to endorse or promote
22 * products derived from this software without specific prior
23 * written permission.
24 *
25 * ALTERNATIVELY, this product may be distributed under the terms of
26 * the GNU General Public License, in which case the provisions of the GPL are
27 * required INSTEAD OF the above restrictions. (This clause is
28 * necessary due to a potential bad interaction between the GPL and
29 * the restrictions contained in a BSD-style copyright.)
30 *
31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42 * DAMAGE.
43 *
44 * DRBG Usage
45 * ==========
46 * The SP 800-90A DRBG allows the user to specify a personalization string
47 * for initialization as well as an additional information string for each
48 * random number request. The following code fragments show how a caller
49 * uses the kernel crypto API to use the full functionality of the DRBG.
50 *
51 * Usage without any additional data
52 * ---------------------------------
53 * struct crypto_rng *drng;
54 * int err;
55 * char data[DATALEN];
56 *
57 * drng = crypto_alloc_rng(drng_name, 0, 0);
58 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59 * crypto_free_rng(drng);
60 *
61 *
62 * Usage with personalization string during initialization
63 * -------------------------------------------------------
64 * struct crypto_rng *drng;
65 * int err;
66 * char data[DATALEN];
67 * struct drbg_string pers;
68 * char personalization[11] = "some-string";
69 *
70 * drbg_string_fill(&pers, personalization, strlen(personalization));
71 * drng = crypto_alloc_rng(drng_name, 0, 0);
72 * // The reset completely re-initializes the DRBG with the provided
73 * // personalization string
74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76 * crypto_free_rng(drng);
77 *
78 *
79 * Usage with additional information string during random number request
80 * ---------------------------------------------------------------------
81 * struct crypto_rng *drng;
82 * int err;
83 * char data[DATALEN];
84 * char addtl_string[11] = "some-string";
85 * string drbg_string addtl;
86 *
87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88 * drng = crypto_alloc_rng(drng_name, 0, 0);
89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90 * // the same error codes.
91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92 * crypto_free_rng(drng);
93 *
94 *
95 * Usage with personalization and additional information strings
96 * -------------------------------------------------------------
97 * Just mix both scenarios above.
98 */
99
100 #include <crypto/drbg.h>
101 #include <crypto/df_sp80090a.h>
102 #include <crypto/internal/cipher.h>
103 #include <linux/kernel.h>
104 #include <linux/jiffies.h>
105 #include <linux/string_choices.h>
106
107 /***************************************************************
108 * Backend cipher definitions available to DRBG
109 ***************************************************************/
110
111 /*
112 * The order of the DRBG definitions here matter: every DRBG is registered
113 * as stdrng. Each DRBG receives an increasing cra_priority values the later
114 * they are defined in this array (see drbg_fill_array).
115 *
116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
118 * favored DRBGs are the latest entries in this array.
119 */
120 static const struct drbg_core drbg_cores[] = {
121 #ifdef CONFIG_CRYPTO_DRBG_CTR
122 {
123 .flags = DRBG_CTR | DRBG_STRENGTH128,
124 .statelen = 32, /* 256 bits as defined in 10.2.1 */
125 .blocklen_bytes = 16,
126 .cra_name = "ctr_aes128",
127 .backend_cra_name = "aes",
128 }, {
129 .flags = DRBG_CTR | DRBG_STRENGTH192,
130 .statelen = 40, /* 320 bits as defined in 10.2.1 */
131 .blocklen_bytes = 16,
132 .cra_name = "ctr_aes192",
133 .backend_cra_name = "aes",
134 }, {
135 .flags = DRBG_CTR | DRBG_STRENGTH256,
136 .statelen = 48, /* 384 bits as defined in 10.2.1 */
137 .blocklen_bytes = 16,
138 .cra_name = "ctr_aes256",
139 .backend_cra_name = "aes",
140 },
141 #endif /* CONFIG_CRYPTO_DRBG_CTR */
142 #ifdef CONFIG_CRYPTO_DRBG_HASH
143 {
144 .flags = DRBG_HASH | DRBG_STRENGTH256,
145 .statelen = 111, /* 888 bits */
146 .blocklen_bytes = 48,
147 .cra_name = "sha384",
148 .backend_cra_name = "sha384",
149 }, {
150 .flags = DRBG_HASH | DRBG_STRENGTH256,
151 .statelen = 111, /* 888 bits */
152 .blocklen_bytes = 64,
153 .cra_name = "sha512",
154 .backend_cra_name = "sha512",
155 }, {
156 .flags = DRBG_HASH | DRBG_STRENGTH256,
157 .statelen = 55, /* 440 bits */
158 .blocklen_bytes = 32,
159 .cra_name = "sha256",
160 .backend_cra_name = "sha256",
161 },
162 #endif /* CONFIG_CRYPTO_DRBG_HASH */
163 #ifdef CONFIG_CRYPTO_DRBG_HMAC
164 {
165 .flags = DRBG_HMAC | DRBG_STRENGTH256,
166 .statelen = 48, /* block length of cipher */
167 .blocklen_bytes = 48,
168 .cra_name = "hmac_sha384",
169 .backend_cra_name = "hmac(sha384)",
170 }, {
171 .flags = DRBG_HMAC | DRBG_STRENGTH256,
172 .statelen = 32, /* block length of cipher */
173 .blocklen_bytes = 32,
174 .cra_name = "hmac_sha256",
175 .backend_cra_name = "hmac(sha256)",
176 }, {
177 .flags = DRBG_HMAC | DRBG_STRENGTH256,
178 .statelen = 64, /* block length of cipher */
179 .blocklen_bytes = 64,
180 .cra_name = "hmac_sha512",
181 .backend_cra_name = "hmac(sha512)",
182 },
183 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
184 };
185
186 static int drbg_uninstantiate(struct drbg_state *drbg);
187
188 /******************************************************************
189 * Generic helper functions
190 ******************************************************************/
191
192 /*
193 * Return strength of DRBG according to SP800-90A section 8.4
194 *
195 * @flags DRBG flags reference
196 *
197 * Return: normalized strength in *bytes* value or 32 as default
198 * to counter programming errors
199 */
drbg_sec_strength(drbg_flag_t flags)200 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
201 {
202 switch (flags & DRBG_STRENGTH_MASK) {
203 case DRBG_STRENGTH128:
204 return 16;
205 case DRBG_STRENGTH192:
206 return 24;
207 case DRBG_STRENGTH256:
208 return 32;
209 default:
210 return 32;
211 }
212 }
213
214 /*
215 * FIPS 140-2 continuous self test for the noise source
216 * The test is performed on the noise source input data. Thus, the function
217 * implicitly knows the size of the buffer to be equal to the security
218 * strength.
219 *
220 * Note, this function disregards the nonce trailing the entropy data during
221 * initial seeding.
222 *
223 * drbg->drbg_mutex must have been taken.
224 *
225 * @drbg DRBG handle
226 * @entropy buffer of seed data to be checked
227 *
228 * return:
229 * %true on success
230 * %false when the CTRNG is not yet primed
231 */
drbg_fips_continuous_test(struct drbg_state * drbg,const unsigned char * entropy)232 static bool drbg_fips_continuous_test(struct drbg_state *drbg,
233 const unsigned char *entropy)
234 __must_hold(&drbg->drbg_mutex)
235 {
236 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
237
238 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
239 return true;
240
241 /* skip test if we test the overall system */
242 if (list_empty(&drbg->test_data.list))
243 return true;
244 /* only perform test in FIPS mode */
245 if (!fips_enabled)
246 return true;
247
248 if (!drbg->fips_primed) {
249 /* Priming of FIPS test */
250 memcpy(drbg->prev, entropy, entropylen);
251 drbg->fips_primed = true;
252 /* priming: another round is needed */
253 return false;
254 }
255 if (!memcmp(drbg->prev, entropy, entropylen))
256 panic("DRBG continuous self test failed\n");
257 memcpy(drbg->prev, entropy, entropylen);
258
259 /* the test shall pass when the two values are not equal */
260 return true;
261 }
262
263 /******************************************************************
264 * CTR DRBG callback functions
265 ******************************************************************/
266
267 #ifdef CONFIG_CRYPTO_DRBG_CTR
268 #define CRYPTO_DRBG_CTR_STRING "CTR "
269 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
270 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
271 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
272 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
273 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
274 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
275
276 static int drbg_init_sym_kernel(struct drbg_state *drbg);
277 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
278 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
279 u8 *inbuf, u32 inbuflen,
280 u8 *outbuf, u32 outlen);
281 #define DRBG_OUTSCRATCHLEN 256
282
drbg_ctr_df(struct drbg_state * drbg,unsigned char * df_data,size_t bytes_to_return,struct list_head * seedlist)283 static int drbg_ctr_df(struct drbg_state *drbg,
284 unsigned char *df_data, size_t bytes_to_return,
285 struct list_head *seedlist)
286 {
287 return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg),
288 seedlist, drbg_blocklen(drbg), drbg_statelen(drbg));
289 }
290
291 /*
292 * update function of CTR DRBG as defined in 10.2.1.2
293 *
294 * The reseed variable has an enhanced meaning compared to the update
295 * functions of the other DRBGs as follows:
296 * 0 => initial seed from initialization
297 * 1 => reseed via drbg_seed
298 * 2 => first invocation from drbg_ctr_update when addtl is present. In
299 * this case, the df_data scratchpad is not deleted so that it is
300 * available for another calls to prevent calling the DF function
301 * again.
302 * 3 => second invocation from drbg_ctr_update. When the update function
303 * was called with addtl, the df_data memory already contains the
304 * DFed addtl information and we do not need to call DF again.
305 */
drbg_ctr_update(struct drbg_state * drbg,struct list_head * seed,int reseed)306 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
307 int reseed)
308 {
309 int ret = -EFAULT;
310 /* 10.2.1.2 step 1 */
311 unsigned char *temp = drbg->scratchpad;
312 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
313 drbg_blocklen(drbg);
314
315 if (3 > reseed)
316 memset(df_data, 0, drbg_statelen(drbg));
317
318 if (!reseed) {
319 /*
320 * The DRBG uses the CTR mode of the underlying AES cipher. The
321 * CTR mode increments the counter value after the AES operation
322 * but SP800-90A requires that the counter is incremented before
323 * the AES operation. Hence, we increment it at the time we set
324 * it by one.
325 */
326 crypto_inc(drbg->V, drbg_blocklen(drbg));
327
328 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
329 drbg_keylen(drbg));
330 if (ret)
331 goto out;
332 }
333
334 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
335 if (seed) {
336 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
337 if (ret)
338 goto out;
339 }
340
341 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
342 temp, drbg_statelen(drbg));
343 if (ret)
344 return ret;
345
346 /* 10.2.1.2 step 5 */
347 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
348 drbg_keylen(drbg));
349 if (ret)
350 goto out;
351 /* 10.2.1.2 step 6 */
352 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
353 /* See above: increment counter by one to compensate timing of CTR op */
354 crypto_inc(drbg->V, drbg_blocklen(drbg));
355 ret = 0;
356
357 out:
358 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
359 if (2 != reseed)
360 memset(df_data, 0, drbg_statelen(drbg));
361 return ret;
362 }
363
364 /*
365 * scratchpad use: drbg_ctr_update is called independently from
366 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
367 */
368 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
drbg_ctr_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)369 static int drbg_ctr_generate(struct drbg_state *drbg,
370 unsigned char *buf, unsigned int buflen,
371 struct list_head *addtl)
372 {
373 int ret;
374 int len = min_t(int, buflen, INT_MAX);
375
376 /* 10.2.1.5.2 step 2 */
377 if (addtl && !list_empty(addtl)) {
378 ret = drbg_ctr_update(drbg, addtl, 2);
379 if (ret)
380 return 0;
381 }
382
383 /* 10.2.1.5.2 step 4.1 */
384 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
385 if (ret)
386 return ret;
387
388 /* 10.2.1.5.2 step 6 */
389 ret = drbg_ctr_update(drbg, NULL, 3);
390 if (ret)
391 len = ret;
392
393 return len;
394 }
395
396 static const struct drbg_state_ops drbg_ctr_ops = {
397 .update = drbg_ctr_update,
398 .generate = drbg_ctr_generate,
399 .crypto_init = drbg_init_sym_kernel,
400 .crypto_fini = drbg_fini_sym_kernel,
401 };
402 #endif /* CONFIG_CRYPTO_DRBG_CTR */
403
404 /******************************************************************
405 * HMAC DRBG callback functions
406 ******************************************************************/
407
408 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
409 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
410 const struct list_head *in);
411 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
412 const unsigned char *key);
413 static int drbg_init_hash_kernel(struct drbg_state *drbg);
414 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
415 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
416
417 #ifdef CONFIG_CRYPTO_DRBG_HMAC
418 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
419 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
420 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
421 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
422 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
423 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
424 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
425
426 /* update function of HMAC DRBG as defined in 10.1.2.2 */
drbg_hmac_update(struct drbg_state * drbg,struct list_head * seed,int reseed)427 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
428 int reseed)
429 {
430 int ret = -EFAULT;
431 int i = 0;
432 struct drbg_string seed1, seed2, vdata;
433 LIST_HEAD(seedlist);
434 LIST_HEAD(vdatalist);
435
436 if (!reseed) {
437 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
438 memset(drbg->V, 1, drbg_statelen(drbg));
439 drbg_kcapi_hmacsetkey(drbg, drbg->C);
440 }
441
442 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
443 list_add_tail(&seed1.list, &seedlist);
444 /* buffer of seed2 will be filled in for loop below with one byte */
445 drbg_string_fill(&seed2, NULL, 1);
446 list_add_tail(&seed2.list, &seedlist);
447 /* input data of seed is allowed to be NULL at this point */
448 if (seed)
449 list_splice_tail(seed, &seedlist);
450
451 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
452 list_add_tail(&vdata.list, &vdatalist);
453 for (i = 2; 0 < i; i--) {
454 /* first round uses 0x0, second 0x1 */
455 unsigned char prefix = DRBG_PREFIX0;
456 if (1 == i)
457 prefix = DRBG_PREFIX1;
458 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
459 seed2.buf = &prefix;
460 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
461 if (ret)
462 return ret;
463 drbg_kcapi_hmacsetkey(drbg, drbg->C);
464
465 /* 10.1.2.2 step 2 and 5 -- HMAC for V */
466 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
467 if (ret)
468 return ret;
469
470 /* 10.1.2.2 step 3 */
471 if (!seed)
472 return ret;
473 }
474
475 return 0;
476 }
477
478 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
drbg_hmac_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)479 static int drbg_hmac_generate(struct drbg_state *drbg,
480 unsigned char *buf,
481 unsigned int buflen,
482 struct list_head *addtl)
483 {
484 int len = 0;
485 int ret = 0;
486 struct drbg_string data;
487 LIST_HEAD(datalist);
488
489 /* 10.1.2.5 step 2 */
490 if (addtl && !list_empty(addtl)) {
491 ret = drbg_hmac_update(drbg, addtl, 1);
492 if (ret)
493 return ret;
494 }
495
496 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
497 list_add_tail(&data.list, &datalist);
498 while (len < buflen) {
499 unsigned int outlen = 0;
500 /* 10.1.2.5 step 4.1 */
501 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
502 if (ret)
503 return ret;
504 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
505 drbg_blocklen(drbg) : (buflen - len);
506
507 /* 10.1.2.5 step 4.2 */
508 memcpy(buf + len, drbg->V, outlen);
509 len += outlen;
510 }
511
512 /* 10.1.2.5 step 6 */
513 if (addtl && !list_empty(addtl))
514 ret = drbg_hmac_update(drbg, addtl, 1);
515 else
516 ret = drbg_hmac_update(drbg, NULL, 1);
517 if (ret)
518 return ret;
519
520 return len;
521 }
522
523 static const struct drbg_state_ops drbg_hmac_ops = {
524 .update = drbg_hmac_update,
525 .generate = drbg_hmac_generate,
526 .crypto_init = drbg_init_hash_kernel,
527 .crypto_fini = drbg_fini_hash_kernel,
528 };
529 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
530
531 /******************************************************************
532 * Hash DRBG callback functions
533 ******************************************************************/
534
535 #ifdef CONFIG_CRYPTO_DRBG_HASH
536 #define CRYPTO_DRBG_HASH_STRING "HASH "
537 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
538 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
539 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
540 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
541 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
542 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
543
544 /*
545 * Increment buffer
546 *
547 * @dst buffer to increment
548 * @add value to add
549 */
drbg_add_buf(unsigned char * dst,size_t dstlen,const unsigned char * add,size_t addlen)550 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
551 const unsigned char *add, size_t addlen)
552 {
553 /* implied: dstlen > addlen */
554 unsigned char *dstptr;
555 const unsigned char *addptr;
556 unsigned int remainder = 0;
557 size_t len = addlen;
558
559 dstptr = dst + (dstlen-1);
560 addptr = add + (addlen-1);
561 while (len) {
562 remainder += *dstptr + *addptr;
563 *dstptr = remainder & 0xff;
564 remainder >>= 8;
565 len--; dstptr--; addptr--;
566 }
567 len = dstlen - addlen;
568 while (len && remainder > 0) {
569 remainder = *dstptr + 1;
570 *dstptr = remainder & 0xff;
571 remainder >>= 8;
572 len--; dstptr--;
573 }
574 }
575
576 /*
577 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
578 * interlinked, the scratchpad is used as follows:
579 * drbg_hash_update
580 * start: drbg->scratchpad
581 * length: drbg_statelen(drbg)
582 * drbg_hash_df:
583 * start: drbg->scratchpad + drbg_statelen(drbg)
584 * length: drbg_blocklen(drbg)
585 *
586 * drbg_hash_process_addtl uses the scratchpad, but fully completes
587 * before either of the functions mentioned before are invoked. Therefore,
588 * drbg_hash_process_addtl does not need to be specifically considered.
589 */
590
591 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
drbg_hash_df(struct drbg_state * drbg,unsigned char * outval,size_t outlen,struct list_head * entropylist)592 static int drbg_hash_df(struct drbg_state *drbg,
593 unsigned char *outval, size_t outlen,
594 struct list_head *entropylist)
595 {
596 int ret = 0;
597 size_t len = 0;
598 unsigned char input[5];
599 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
600 struct drbg_string data;
601
602 /* 10.4.1 step 3 */
603 input[0] = 1;
604 drbg_cpu_to_be32((outlen * 8), &input[1]);
605
606 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
607 drbg_string_fill(&data, input, 5);
608 list_add(&data.list, entropylist);
609
610 /* 10.4.1 step 4 */
611 while (len < outlen) {
612 short blocklen = 0;
613 /* 10.4.1 step 4.1 */
614 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
615 if (ret)
616 goto out;
617 /* 10.4.1 step 4.2 */
618 input[0]++;
619 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
620 drbg_blocklen(drbg) : (outlen - len);
621 memcpy(outval + len, tmp, blocklen);
622 len += blocklen;
623 }
624
625 out:
626 memset(tmp, 0, drbg_blocklen(drbg));
627 return ret;
628 }
629
630 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
drbg_hash_update(struct drbg_state * drbg,struct list_head * seed,int reseed)631 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
632 int reseed)
633 {
634 int ret = 0;
635 struct drbg_string data1, data2;
636 LIST_HEAD(datalist);
637 LIST_HEAD(datalist2);
638 unsigned char *V = drbg->scratchpad;
639 unsigned char prefix = DRBG_PREFIX1;
640
641 if (!seed)
642 return -EINVAL;
643
644 if (reseed) {
645 /* 10.1.1.3 step 1 */
646 memcpy(V, drbg->V, drbg_statelen(drbg));
647 drbg_string_fill(&data1, &prefix, 1);
648 list_add_tail(&data1.list, &datalist);
649 drbg_string_fill(&data2, V, drbg_statelen(drbg));
650 list_add_tail(&data2.list, &datalist);
651 }
652 list_splice_tail(seed, &datalist);
653
654 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
655 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
656 if (ret)
657 goto out;
658
659 /* 10.1.1.2 / 10.1.1.3 step 4 */
660 prefix = DRBG_PREFIX0;
661 drbg_string_fill(&data1, &prefix, 1);
662 list_add_tail(&data1.list, &datalist2);
663 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
664 list_add_tail(&data2.list, &datalist2);
665 /* 10.1.1.2 / 10.1.1.3 step 4 */
666 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
667
668 out:
669 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
670 return ret;
671 }
672
673 /* processing of additional information string for Hash DRBG */
drbg_hash_process_addtl(struct drbg_state * drbg,struct list_head * addtl)674 static int drbg_hash_process_addtl(struct drbg_state *drbg,
675 struct list_head *addtl)
676 {
677 int ret = 0;
678 struct drbg_string data1, data2;
679 LIST_HEAD(datalist);
680 unsigned char prefix = DRBG_PREFIX2;
681
682 /* 10.1.1.4 step 2 */
683 if (!addtl || list_empty(addtl))
684 return 0;
685
686 /* 10.1.1.4 step 2a */
687 drbg_string_fill(&data1, &prefix, 1);
688 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
689 list_add_tail(&data1.list, &datalist);
690 list_add_tail(&data2.list, &datalist);
691 list_splice_tail(addtl, &datalist);
692 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
693 if (ret)
694 goto out;
695
696 /* 10.1.1.4 step 2b */
697 drbg_add_buf(drbg->V, drbg_statelen(drbg),
698 drbg->scratchpad, drbg_blocklen(drbg));
699
700 out:
701 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
702 return ret;
703 }
704
705 /* Hashgen defined in 10.1.1.4 */
drbg_hash_hashgen(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen)706 static int drbg_hash_hashgen(struct drbg_state *drbg,
707 unsigned char *buf,
708 unsigned int buflen)
709 {
710 int len = 0;
711 int ret = 0;
712 unsigned char *src = drbg->scratchpad;
713 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
714 struct drbg_string data;
715 LIST_HEAD(datalist);
716
717 /* 10.1.1.4 step hashgen 2 */
718 memcpy(src, drbg->V, drbg_statelen(drbg));
719
720 drbg_string_fill(&data, src, drbg_statelen(drbg));
721 list_add_tail(&data.list, &datalist);
722 while (len < buflen) {
723 unsigned int outlen = 0;
724 /* 10.1.1.4 step hashgen 4.1 */
725 ret = drbg_kcapi_hash(drbg, dst, &datalist);
726 if (ret) {
727 len = ret;
728 goto out;
729 }
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
731 drbg_blocklen(drbg) : (buflen - len);
732 /* 10.1.1.4 step hashgen 4.2 */
733 memcpy(buf + len, dst, outlen);
734 len += outlen;
735 /* 10.1.1.4 hashgen step 4.3 */
736 if (len < buflen)
737 crypto_inc(src, drbg_statelen(drbg));
738 }
739
740 out:
741 memset(drbg->scratchpad, 0,
742 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
743 return len;
744 }
745
746 /* generate function for Hash DRBG as defined in 10.1.1.4 */
drbg_hash_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)747 static int drbg_hash_generate(struct drbg_state *drbg,
748 unsigned char *buf, unsigned int buflen,
749 struct list_head *addtl)
750 {
751 int len = 0;
752 int ret = 0;
753 union {
754 unsigned char req[8];
755 __be64 req_int;
756 } u;
757 unsigned char prefix = DRBG_PREFIX3;
758 struct drbg_string data1, data2;
759 LIST_HEAD(datalist);
760
761 /* 10.1.1.4 step 2 */
762 ret = drbg_hash_process_addtl(drbg, addtl);
763 if (ret)
764 return ret;
765 /* 10.1.1.4 step 3 */
766 len = drbg_hash_hashgen(drbg, buf, buflen);
767
768 /* this is the value H as documented in 10.1.1.4 */
769 /* 10.1.1.4 step 4 */
770 drbg_string_fill(&data1, &prefix, 1);
771 list_add_tail(&data1.list, &datalist);
772 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
773 list_add_tail(&data2.list, &datalist);
774 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
775 if (ret) {
776 len = ret;
777 goto out;
778 }
779
780 /* 10.1.1.4 step 5 */
781 drbg_add_buf(drbg->V, drbg_statelen(drbg),
782 drbg->scratchpad, drbg_blocklen(drbg));
783 drbg_add_buf(drbg->V, drbg_statelen(drbg),
784 drbg->C, drbg_statelen(drbg));
785 u.req_int = cpu_to_be64(drbg->reseed_ctr);
786 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
787
788 out:
789 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
790 return len;
791 }
792
793 /*
794 * scratchpad usage: as update and generate are used isolated, both
795 * can use the scratchpad
796 */
797 static const struct drbg_state_ops drbg_hash_ops = {
798 .update = drbg_hash_update,
799 .generate = drbg_hash_generate,
800 .crypto_init = drbg_init_hash_kernel,
801 .crypto_fini = drbg_fini_hash_kernel,
802 };
803 #endif /* CONFIG_CRYPTO_DRBG_HASH */
804
805 /******************************************************************
806 * Functions common for DRBG implementations
807 ******************************************************************/
808
__drbg_seed(struct drbg_state * drbg,struct list_head * seed,int reseed,enum drbg_seed_state new_seed_state)809 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
810 int reseed, enum drbg_seed_state new_seed_state)
811 {
812 int ret = drbg->d_ops->update(drbg, seed, reseed);
813
814 if (ret)
815 return ret;
816
817 drbg->seeded = new_seed_state;
818 drbg->last_seed_time = jiffies;
819 /* 10.1.1.2 / 10.1.1.3 step 5 */
820 drbg->reseed_ctr = 1;
821
822 switch (drbg->seeded) {
823 case DRBG_SEED_STATE_UNSEEDED:
824 /* Impossible, but handle it to silence compiler warnings. */
825 fallthrough;
826 case DRBG_SEED_STATE_PARTIAL:
827 /*
828 * Require frequent reseeds until the seed source is
829 * fully initialized.
830 */
831 drbg->reseed_threshold = 50;
832 break;
833
834 case DRBG_SEED_STATE_FULL:
835 /*
836 * Seed source has become fully initialized, frequent
837 * reseeds no longer required.
838 */
839 drbg->reseed_threshold = drbg_max_requests(drbg);
840 break;
841 }
842
843 return ret;
844 }
845
drbg_get_random_bytes(struct drbg_state * drbg,unsigned char * entropy,unsigned int entropylen)846 static inline void drbg_get_random_bytes(struct drbg_state *drbg,
847 unsigned char *entropy,
848 unsigned int entropylen)
849 __must_hold(&drbg->drbg_mutex)
850 {
851 do
852 get_random_bytes(entropy, entropylen);
853 while (!drbg_fips_continuous_test(drbg, entropy));
854 }
855
drbg_seed_from_random(struct drbg_state * drbg)856 static int drbg_seed_from_random(struct drbg_state *drbg)
857 __must_hold(&drbg->drbg_mutex)
858 {
859 struct drbg_string data;
860 LIST_HEAD(seedlist);
861 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
862 unsigned char entropy[32];
863 int ret;
864
865 BUG_ON(!entropylen);
866 BUG_ON(entropylen > sizeof(entropy));
867
868 drbg_string_fill(&data, entropy, entropylen);
869 list_add_tail(&data.list, &seedlist);
870
871 drbg_get_random_bytes(drbg, entropy, entropylen);
872
873 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
874
875 memzero_explicit(entropy, entropylen);
876 return ret;
877 }
878
drbg_nopr_reseed_interval_elapsed(struct drbg_state * drbg)879 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
880 {
881 unsigned long next_reseed;
882
883 /* Don't ever reseed from get_random_bytes() in test mode. */
884 if (list_empty(&drbg->test_data.list))
885 return false;
886
887 /*
888 * Obtain fresh entropy for the nopr DRBGs after 300s have
889 * elapsed in order to still achieve sort of partial
890 * prediction resistance over the time domain at least. Note
891 * that the period of 300s has been chosen to match the
892 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
893 * rngs.
894 */
895 next_reseed = drbg->last_seed_time + 300 * HZ;
896 return time_after(jiffies, next_reseed);
897 }
898
899 /*
900 * Seeding or reseeding of the DRBG
901 *
902 * @drbg: DRBG state struct
903 * @pers: personalization / additional information buffer
904 * @reseed: 0 for initial seed process, 1 for reseeding
905 *
906 * return:
907 * 0 on success
908 * error value otherwise
909 */
drbg_seed(struct drbg_state * drbg,struct drbg_string * pers,bool reseed)910 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
911 bool reseed)
912 __must_hold(&drbg->drbg_mutex)
913 {
914 int ret;
915 unsigned char entropy[((32 + 16) * 2)];
916 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
917 struct drbg_string data1;
918 LIST_HEAD(seedlist);
919 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;
920
921 /* 9.1 / 9.2 / 9.3.1 step 3 */
922 if (pers && pers->len > (drbg_max_addtl(drbg))) {
923 pr_devel("DRBG: personalization string too long %zu\n",
924 pers->len);
925 return -EINVAL;
926 }
927
928 if (list_empty(&drbg->test_data.list)) {
929 drbg_string_fill(&data1, drbg->test_data.buf,
930 drbg->test_data.len);
931 pr_devel("DRBG: using test entropy\n");
932 } else {
933 /*
934 * Gather entropy equal to the security strength of the DRBG.
935 * With a derivation function, a nonce is required in addition
936 * to the entropy. A nonce must be at least 1/2 of the security
937 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
938 * of the strength. The consideration of a nonce is only
939 * applicable during initial seeding.
940 */
941 BUG_ON(!entropylen);
942 if (!reseed)
943 entropylen = ((entropylen + 1) / 2) * 3;
944 BUG_ON((entropylen * 2) > sizeof(entropy));
945
946 /* Get seed from in-kernel /dev/urandom */
947 if (!rng_is_initialized())
948 new_seed_state = DRBG_SEED_STATE_PARTIAL;
949
950 drbg_get_random_bytes(drbg, entropy, entropylen);
951
952 if (!drbg->jent) {
953 drbg_string_fill(&data1, entropy, entropylen);
954 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
955 entropylen);
956 } else {
957 /*
958 * Get seed from Jitter RNG, failures are
959 * fatal only in FIPS mode.
960 */
961 ret = crypto_rng_get_bytes(drbg->jent,
962 entropy + entropylen,
963 entropylen);
964 if (fips_enabled && ret) {
965 pr_devel("DRBG: jent failed with %d\n", ret);
966
967 /*
968 * Do not treat the transient failure of the
969 * Jitter RNG as an error that needs to be
970 * reported. The combined number of the
971 * maximum reseed threshold times the maximum
972 * number of Jitter RNG transient errors is
973 * less than the reseed threshold required by
974 * SP800-90A allowing us to treat the
975 * transient errors as such.
976 *
977 * However, we mandate that at least the first
978 * seeding operation must succeed with the
979 * Jitter RNG.
980 */
981 if (!reseed || ret != -EAGAIN)
982 goto out;
983 }
984
985 drbg_string_fill(&data1, entropy, entropylen * 2);
986 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
987 entropylen * 2);
988 }
989 }
990 list_add_tail(&data1.list, &seedlist);
991
992 /*
993 * concatenation of entropy with personalization str / addtl input)
994 * the variable pers is directly handed in by the caller, so check its
995 * contents whether it is appropriate
996 */
997 if (pers && pers->buf && 0 < pers->len) {
998 list_add_tail(&pers->list, &seedlist);
999 pr_devel("DRBG: using personalization string\n");
1000 }
1001
1002 if (!reseed) {
1003 memset(drbg->V, 0, drbg_statelen(drbg));
1004 memset(drbg->C, 0, drbg_statelen(drbg));
1005 }
1006
1007 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1008
1009 out:
1010 memzero_explicit(entropy, entropylen * 2);
1011
1012 return ret;
1013 }
1014
1015 /* Free all substructures in a DRBG state without the DRBG state structure */
drbg_dealloc_state(struct drbg_state * drbg)1016 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1017 {
1018 if (!drbg)
1019 return;
1020 kfree_sensitive(drbg->Vbuf);
1021 drbg->Vbuf = NULL;
1022 drbg->V = NULL;
1023 kfree_sensitive(drbg->Cbuf);
1024 drbg->Cbuf = NULL;
1025 drbg->C = NULL;
1026 kfree_sensitive(drbg->scratchpadbuf);
1027 drbg->scratchpadbuf = NULL;
1028 drbg->reseed_ctr = 0;
1029 drbg->d_ops = NULL;
1030 drbg->core = NULL;
1031 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1032 kfree_sensitive(drbg->prev);
1033 drbg->prev = NULL;
1034 drbg->fips_primed = false;
1035 }
1036 }
1037
1038 /*
1039 * Allocate all sub-structures for a DRBG state.
1040 * The DRBG state structure must already be allocated.
1041 */
drbg_alloc_state(struct drbg_state * drbg)1042 static inline int drbg_alloc_state(struct drbg_state *drbg)
1043 {
1044 int ret = -ENOMEM;
1045 unsigned int sb_size = 0;
1046
1047 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1048 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1049 case DRBG_HMAC:
1050 drbg->d_ops = &drbg_hmac_ops;
1051 break;
1052 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1053 #ifdef CONFIG_CRYPTO_DRBG_HASH
1054 case DRBG_HASH:
1055 drbg->d_ops = &drbg_hash_ops;
1056 break;
1057 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1058 #ifdef CONFIG_CRYPTO_DRBG_CTR
1059 case DRBG_CTR:
1060 drbg->d_ops = &drbg_ctr_ops;
1061 break;
1062 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1063 default:
1064 ret = -EOPNOTSUPP;
1065 goto err;
1066 }
1067
1068 ret = drbg->d_ops->crypto_init(drbg);
1069 if (ret < 0)
1070 goto err;
1071
1072 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1073 if (!drbg->Vbuf) {
1074 ret = -ENOMEM;
1075 goto fini;
1076 }
1077 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1078 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1079 if (!drbg->Cbuf) {
1080 ret = -ENOMEM;
1081 goto fini;
1082 }
1083 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1084 /* scratchpad is only generated for CTR and Hash */
1085 if (drbg->core->flags & DRBG_HMAC)
1086 sb_size = 0;
1087 else if (drbg->core->flags & DRBG_CTR)
1088 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1089 crypto_drbg_ctr_df_datalen(drbg_statelen(drbg),
1090 drbg_blocklen(drbg));
1091 else
1092 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1093
1094 if (0 < sb_size) {
1095 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1096 if (!drbg->scratchpadbuf) {
1097 ret = -ENOMEM;
1098 goto fini;
1099 }
1100 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1101 }
1102
1103 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1104 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1105 GFP_KERNEL);
1106 if (!drbg->prev) {
1107 ret = -ENOMEM;
1108 goto fini;
1109 }
1110 drbg->fips_primed = false;
1111 }
1112
1113 return 0;
1114
1115 fini:
1116 drbg->d_ops->crypto_fini(drbg);
1117 err:
1118 drbg_dealloc_state(drbg);
1119 return ret;
1120 }
1121
1122 /*************************************************************************
1123 * DRBG interface functions
1124 *************************************************************************/
1125
1126 /*
1127 * DRBG generate function as required by SP800-90A - this function
1128 * generates random numbers
1129 *
1130 * @drbg DRBG state handle
1131 * @buf Buffer where to store the random numbers -- the buffer must already
1132 * be pre-allocated by caller
1133 * @buflen Length of output buffer - this value defines the number of random
1134 * bytes pulled from DRBG
1135 * @addtl Additional input that is mixed into state, may be NULL -- note
1136 * the entropy is pulled by the DRBG internally unconditionally
1137 * as defined in SP800-90A. The additional input is mixed into
1138 * the state in addition to the pulled entropy.
1139 *
1140 * return: 0 when all bytes are generated; < 0 in case of an error
1141 */
drbg_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1142 static int drbg_generate(struct drbg_state *drbg,
1143 unsigned char *buf, unsigned int buflen,
1144 struct drbg_string *addtl)
1145 __must_hold(&drbg->drbg_mutex)
1146 {
1147 int len = 0;
1148 LIST_HEAD(addtllist);
1149
1150 if (!drbg->core) {
1151 pr_devel("DRBG: not yet seeded\n");
1152 return -EINVAL;
1153 }
1154 if (0 == buflen || !buf) {
1155 pr_devel("DRBG: no output buffer provided\n");
1156 return -EINVAL;
1157 }
1158 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1159 pr_devel("DRBG: wrong format of additional information\n");
1160 return -EINVAL;
1161 }
1162
1163 /* 9.3.1 step 2 */
1164 len = -EINVAL;
1165 if (buflen > (drbg_max_request_bytes(drbg))) {
1166 pr_devel("DRBG: requested random numbers too large %u\n",
1167 buflen);
1168 goto err;
1169 }
1170
1171 /* 9.3.1 step 3 is implicit with the chosen DRBG */
1172
1173 /* 9.3.1 step 4 */
1174 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1175 pr_devel("DRBG: additional information string too long %zu\n",
1176 addtl->len);
1177 goto err;
1178 }
1179 /* 9.3.1 step 5 is implicit with the chosen DRBG */
1180
1181 /*
1182 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1183 * here. The spec is a bit convoluted here, we make it simpler.
1184 */
1185 if (drbg->reseed_threshold < drbg->reseed_ctr)
1186 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1187
1188 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1189 pr_devel("DRBG: reseeding before generation (prediction "
1190 "resistance: %s, state %s)\n",
1191 str_true_false(drbg->pr),
1192 (drbg->seeded == DRBG_SEED_STATE_FULL ?
1193 "seeded" : "unseeded"));
1194 /* 9.3.1 steps 7.1 through 7.3 */
1195 len = drbg_seed(drbg, addtl, true);
1196 if (len)
1197 goto err;
1198 /* 9.3.1 step 7.4 */
1199 addtl = NULL;
1200 } else if (rng_is_initialized() &&
1201 (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1202 drbg_nopr_reseed_interval_elapsed(drbg))) {
1203 len = drbg_seed_from_random(drbg);
1204 if (len)
1205 goto err;
1206 }
1207
1208 if (addtl && 0 < addtl->len)
1209 list_add_tail(&addtl->list, &addtllist);
1210 /* 9.3.1 step 8 and 10 */
1211 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1212
1213 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1214 drbg->reseed_ctr++;
1215 if (0 >= len)
1216 goto err;
1217
1218 /*
1219 * Section 11.3.3 requires to re-perform self tests after some
1220 * generated random numbers. The chosen value after which self
1221 * test is performed is arbitrary, but it should be reasonable.
1222 * However, we do not perform the self tests because of the following
1223 * reasons: it is mathematically impossible that the initial self tests
1224 * were successfully and the following are not. If the initial would
1225 * pass and the following would not, the kernel integrity is violated.
1226 * In this case, the entire kernel operation is questionable and it
1227 * is unlikely that the integrity violation only affects the
1228 * correct operation of the DRBG.
1229 *
1230 * Albeit the following code is commented out, it is provided in
1231 * case somebody has a need to implement the test of 11.3.3.
1232 */
1233 #if 0
1234 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1235 int err = 0;
1236 pr_devel("DRBG: start to perform self test\n");
1237 if (drbg->core->flags & DRBG_HMAC)
1238 err = alg_test("drbg_pr_hmac_sha512",
1239 "drbg_pr_hmac_sha512", 0, 0);
1240 else if (drbg->core->flags & DRBG_CTR)
1241 err = alg_test("drbg_pr_ctr_aes256",
1242 "drbg_pr_ctr_aes256", 0, 0);
1243 else
1244 err = alg_test("drbg_pr_sha256",
1245 "drbg_pr_sha256", 0, 0);
1246 if (err) {
1247 pr_err("DRBG: periodical self test failed\n");
1248 /*
1249 * uninstantiate implies that from now on, only errors
1250 * are returned when reusing this DRBG cipher handle
1251 */
1252 drbg_uninstantiate(drbg);
1253 return 0;
1254 } else {
1255 pr_devel("DRBG: self test successful\n");
1256 }
1257 }
1258 #endif
1259
1260 /*
1261 * All operations were successful, return 0 as mandated by
1262 * the kernel crypto API interface.
1263 */
1264 len = 0;
1265 err:
1266 return len;
1267 }
1268
1269 /*
1270 * Wrapper around drbg_generate which can pull arbitrary long strings
1271 * from the DRBG without hitting the maximum request limitation.
1272 *
1273 * Parameters: see drbg_generate
1274 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1275 * the entire drbg_generate_long request fails
1276 */
drbg_generate_long(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1277 static int drbg_generate_long(struct drbg_state *drbg,
1278 unsigned char *buf, unsigned int buflen,
1279 struct drbg_string *addtl)
1280 {
1281 unsigned int len = 0;
1282 unsigned int slice = 0;
1283 do {
1284 int err = 0;
1285 unsigned int chunk = 0;
1286 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1287 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1288 mutex_lock(&drbg->drbg_mutex);
1289 err = drbg_generate(drbg, buf + len, chunk, addtl);
1290 mutex_unlock(&drbg->drbg_mutex);
1291 if (0 > err)
1292 return err;
1293 len += chunk;
1294 } while (slice > 0 && (len < buflen));
1295 return 0;
1296 }
1297
drbg_prepare_hrng(struct drbg_state * drbg)1298 static int drbg_prepare_hrng(struct drbg_state *drbg)
1299 {
1300 /* We do not need an HRNG in test mode. */
1301 if (list_empty(&drbg->test_data.list))
1302 return 0;
1303
1304 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1305 if (IS_ERR(drbg->jent)) {
1306 const int err = PTR_ERR(drbg->jent);
1307
1308 drbg->jent = NULL;
1309 if (fips_enabled)
1310 return err;
1311 pr_info("DRBG: Continuing without Jitter RNG\n");
1312 }
1313
1314 return 0;
1315 }
1316
1317 /*
1318 * DRBG instantiation function as required by SP800-90A - this function
1319 * sets up the DRBG handle, performs the initial seeding and all sanity
1320 * checks required by SP800-90A
1321 *
1322 * @drbg memory of state -- if NULL, new memory is allocated
1323 * @pers Personalization string that is mixed into state, may be NULL -- note
1324 * the entropy is pulled by the DRBG internally unconditionally
1325 * as defined in SP800-90A. The additional input is mixed into
1326 * the state in addition to the pulled entropy.
1327 * @coreref reference to core
1328 * @pr prediction resistance enabled
1329 *
1330 * return
1331 * 0 on success
1332 * error value otherwise
1333 */
drbg_instantiate(struct drbg_state * drbg,struct drbg_string * pers,int coreref,bool pr)1334 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1335 int coreref, bool pr)
1336 {
1337 int ret;
1338 bool reseed = true;
1339
1340 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1341 "%s\n", coreref, str_enabled_disabled(pr));
1342 mutex_lock(&drbg->drbg_mutex);
1343
1344 /* 9.1 step 1 is implicit with the selected DRBG type */
1345
1346 /*
1347 * 9.1 step 2 is implicit as caller can select prediction resistance
1348 * and the flag is copied into drbg->flags --
1349 * all DRBG types support prediction resistance
1350 */
1351
1352 /* 9.1 step 4 is implicit in drbg_sec_strength */
1353
1354 if (!drbg->core) {
1355 drbg->core = &drbg_cores[coreref];
1356 drbg->pr = pr;
1357 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1358 drbg->last_seed_time = 0;
1359 drbg->reseed_threshold = drbg_max_requests(drbg);
1360
1361 ret = drbg_alloc_state(drbg);
1362 if (ret)
1363 goto unlock;
1364
1365 ret = drbg_prepare_hrng(drbg);
1366 if (ret)
1367 goto free_everything;
1368
1369 reseed = false;
1370 }
1371
1372 ret = drbg_seed(drbg, pers, reseed);
1373
1374 if (ret && !reseed)
1375 goto free_everything;
1376
1377 mutex_unlock(&drbg->drbg_mutex);
1378 return ret;
1379
1380 unlock:
1381 mutex_unlock(&drbg->drbg_mutex);
1382 return ret;
1383
1384 free_everything:
1385 mutex_unlock(&drbg->drbg_mutex);
1386 drbg_uninstantiate(drbg);
1387 return ret;
1388 }
1389
1390 /*
1391 * DRBG uninstantiate function as required by SP800-90A - this function
1392 * frees all buffers and the DRBG handle
1393 *
1394 * @drbg DRBG state handle
1395 *
1396 * return
1397 * 0 on success
1398 */
drbg_uninstantiate(struct drbg_state * drbg)1399 static int drbg_uninstantiate(struct drbg_state *drbg)
1400 {
1401 if (!IS_ERR_OR_NULL(drbg->jent))
1402 crypto_free_rng(drbg->jent);
1403 drbg->jent = NULL;
1404
1405 if (drbg->d_ops)
1406 drbg->d_ops->crypto_fini(drbg);
1407 drbg_dealloc_state(drbg);
1408 /* no scrubbing of test_data -- this shall survive an uninstantiate */
1409 return 0;
1410 }
1411
1412 /*
1413 * Helper function for setting the test data in the DRBG
1414 *
1415 * @drbg DRBG state handle
1416 * @data test data
1417 * @len test data length
1418 */
drbg_kcapi_set_entropy(struct crypto_rng * tfm,const u8 * data,unsigned int len)1419 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1420 const u8 *data, unsigned int len)
1421 {
1422 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1423
1424 mutex_lock(&drbg->drbg_mutex);
1425 drbg_string_fill(&drbg->test_data, data, len);
1426 mutex_unlock(&drbg->drbg_mutex);
1427 }
1428
1429 /***************************************************************
1430 * Kernel crypto API cipher invocations requested by DRBG
1431 ***************************************************************/
1432
1433 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1434 struct sdesc {
1435 struct shash_desc shash;
1436 };
1437
drbg_init_hash_kernel(struct drbg_state * drbg)1438 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1439 {
1440 struct sdesc *sdesc;
1441 struct crypto_shash *tfm;
1442
1443 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1444 if (IS_ERR(tfm)) {
1445 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1446 drbg->core->backend_cra_name);
1447 return PTR_ERR(tfm);
1448 }
1449 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1450 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1451 GFP_KERNEL);
1452 if (!sdesc) {
1453 crypto_free_shash(tfm);
1454 return -ENOMEM;
1455 }
1456
1457 sdesc->shash.tfm = tfm;
1458 drbg->priv_data = sdesc;
1459
1460 return 0;
1461 }
1462
drbg_fini_hash_kernel(struct drbg_state * drbg)1463 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1464 {
1465 struct sdesc *sdesc = drbg->priv_data;
1466 if (sdesc) {
1467 crypto_free_shash(sdesc->shash.tfm);
1468 kfree_sensitive(sdesc);
1469 }
1470 drbg->priv_data = NULL;
1471 return 0;
1472 }
1473
drbg_kcapi_hmacsetkey(struct drbg_state * drbg,const unsigned char * key)1474 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1475 const unsigned char *key)
1476 {
1477 struct sdesc *sdesc = drbg->priv_data;
1478
1479 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1480 }
1481
drbg_kcapi_hash(struct drbg_state * drbg,unsigned char * outval,const struct list_head * in)1482 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1483 const struct list_head *in)
1484 {
1485 struct sdesc *sdesc = drbg->priv_data;
1486 struct drbg_string *input = NULL;
1487
1488 crypto_shash_init(&sdesc->shash);
1489 list_for_each_entry(input, in, list)
1490 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1491 return crypto_shash_final(&sdesc->shash, outval);
1492 }
1493 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1494
1495 #ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_fini_sym_kernel(struct drbg_state * drbg)1496 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1497 {
1498 struct aes_enckey *aeskey = drbg->priv_data;
1499
1500 kfree(aeskey);
1501 drbg->priv_data = NULL;
1502
1503 if (drbg->ctr_handle)
1504 crypto_free_skcipher(drbg->ctr_handle);
1505 drbg->ctr_handle = NULL;
1506
1507 if (drbg->ctr_req)
1508 skcipher_request_free(drbg->ctr_req);
1509 drbg->ctr_req = NULL;
1510
1511 kfree(drbg->outscratchpadbuf);
1512 drbg->outscratchpadbuf = NULL;
1513
1514 return 0;
1515 }
1516
drbg_init_sym_kernel(struct drbg_state * drbg)1517 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1518 {
1519 struct aes_enckey *aeskey;
1520 struct crypto_skcipher *sk_tfm;
1521 struct skcipher_request *req;
1522 unsigned int alignmask;
1523 char ctr_name[CRYPTO_MAX_ALG_NAME];
1524
1525 aeskey = kzalloc_obj(*aeskey);
1526 if (!aeskey)
1527 return -ENOMEM;
1528 drbg->priv_data = aeskey;
1529
1530 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1531 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1532 drbg_fini_sym_kernel(drbg);
1533 return -EINVAL;
1534 }
1535 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1536 if (IS_ERR(sk_tfm)) {
1537 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1538 ctr_name);
1539 drbg_fini_sym_kernel(drbg);
1540 return PTR_ERR(sk_tfm);
1541 }
1542 drbg->ctr_handle = sk_tfm;
1543 crypto_init_wait(&drbg->ctr_wait);
1544
1545 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1546 if (!req) {
1547 pr_info("DRBG: could not allocate request queue\n");
1548 drbg_fini_sym_kernel(drbg);
1549 return -ENOMEM;
1550 }
1551 drbg->ctr_req = req;
1552 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1553 CRYPTO_TFM_REQ_MAY_SLEEP,
1554 crypto_req_done, &drbg->ctr_wait);
1555
1556 alignmask = crypto_skcipher_alignmask(sk_tfm);
1557 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1558 GFP_KERNEL);
1559 if (!drbg->outscratchpadbuf) {
1560 drbg_fini_sym_kernel(drbg);
1561 return -ENOMEM;
1562 }
1563 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1564 alignmask + 1);
1565
1566 sg_init_table(&drbg->sg_in, 1);
1567 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1568
1569 return alignmask;
1570 }
1571
drbg_kcapi_sym_ctr(struct drbg_state * drbg,u8 * inbuf,u32 inlen,u8 * outbuf,u32 outlen)1572 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1573 u8 *inbuf, u32 inlen,
1574 u8 *outbuf, u32 outlen)
1575 {
1576 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1577 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1578 int ret;
1579
1580 if (inbuf) {
1581 /* Use caller-provided input buffer */
1582 sg_set_buf(sg_in, inbuf, inlen);
1583 } else {
1584 /* Use scratchpad for in-place operation */
1585 inlen = scratchpad_use;
1586 memset(drbg->outscratchpad, 0, scratchpad_use);
1587 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1588 }
1589
1590 while (outlen) {
1591 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1592
1593 /* Output buffer may not be valid for SGL, use scratchpad */
1594 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1595 cryptlen, drbg->V);
1596 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1597 &drbg->ctr_wait);
1598 if (ret)
1599 goto out;
1600
1601 crypto_init_wait(&drbg->ctr_wait);
1602
1603 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1604 memzero_explicit(drbg->outscratchpad, cryptlen);
1605
1606 outlen -= cryptlen;
1607 outbuf += cryptlen;
1608 }
1609 ret = 0;
1610
1611 out:
1612 return ret;
1613 }
1614 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1615
1616 /***************************************************************
1617 * Kernel crypto API interface to register DRBG
1618 ***************************************************************/
1619
1620 /*
1621 * Look up the DRBG flags by given kernel crypto API cra_name
1622 * The code uses the drbg_cores definition to do this
1623 *
1624 * @cra_name kernel crypto API cra_name
1625 * @coreref reference to integer which is filled with the pointer to
1626 * the applicable core
1627 * @pr reference for setting prediction resistance
1628 *
1629 * return: flags
1630 */
drbg_convert_tfm_core(const char * cra_driver_name,int * coreref,bool * pr)1631 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1632 int *coreref, bool *pr)
1633 {
1634 int i = 0;
1635 size_t start = 0;
1636 int len = 0;
1637
1638 *pr = true;
1639 /* disassemble the names */
1640 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1641 start = 10;
1642 *pr = false;
1643 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1644 start = 8;
1645 } else {
1646 return;
1647 }
1648
1649 /* remove the first part */
1650 len = strlen(cra_driver_name) - start;
1651 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1652 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1653 len)) {
1654 *coreref = i;
1655 return;
1656 }
1657 }
1658 }
1659
drbg_kcapi_init(struct crypto_tfm * tfm)1660 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1661 {
1662 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1663
1664 mutex_init(&drbg->drbg_mutex);
1665
1666 return 0;
1667 }
1668
drbg_kcapi_cleanup(struct crypto_tfm * tfm)1669 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1670 {
1671 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1672 }
1673
1674 /*
1675 * Generate random numbers invoked by the kernel crypto API:
1676 * The API of the kernel crypto API is extended as follows:
1677 *
1678 * src is additional input supplied to the RNG.
1679 * slen is the length of src.
1680 * dst is the output buffer where random data is to be stored.
1681 * dlen is the length of dst.
1682 */
drbg_kcapi_random(struct crypto_rng * tfm,const u8 * src,unsigned int slen,u8 * dst,unsigned int dlen)1683 static int drbg_kcapi_random(struct crypto_rng *tfm,
1684 const u8 *src, unsigned int slen,
1685 u8 *dst, unsigned int dlen)
1686 {
1687 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1688 struct drbg_string *addtl = NULL;
1689 struct drbg_string string;
1690
1691 if (slen) {
1692 /* linked list variable is now local to allow modification */
1693 drbg_string_fill(&string, src, slen);
1694 addtl = &string;
1695 }
1696
1697 return drbg_generate_long(drbg, dst, dlen, addtl);
1698 }
1699
1700 /*
1701 * Seed the DRBG invoked by the kernel crypto API
1702 */
drbg_kcapi_seed(struct crypto_rng * tfm,const u8 * seed,unsigned int slen)1703 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1704 const u8 *seed, unsigned int slen)
1705 {
1706 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1707 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1708 bool pr = false;
1709 struct drbg_string string;
1710 struct drbg_string *seed_string = NULL;
1711 int coreref = 0;
1712
1713 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1714 &pr);
1715 if (0 < slen) {
1716 drbg_string_fill(&string, seed, slen);
1717 seed_string = &string;
1718 }
1719
1720 return drbg_instantiate(drbg, seed_string, coreref, pr);
1721 }
1722
1723 /***************************************************************
1724 * Kernel module: code to load the module
1725 ***************************************************************/
1726
1727 /*
1728 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1729 * of the error handling.
1730 *
1731 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1732 * as seed source of get_random_bytes does not fail.
1733 *
1734 * Note 2: There is no sensible way of testing the reseed counter
1735 * enforcement, so skip it.
1736 */
drbg_healthcheck_sanity(void)1737 static inline int __init drbg_healthcheck_sanity(void)
1738 {
1739 int len = 0;
1740 #define OUTBUFLEN 16
1741 unsigned char buf[OUTBUFLEN];
1742 struct drbg_state *drbg = NULL;
1743 int ret;
1744 int rc = -EFAULT;
1745 bool pr = false;
1746 int coreref = 0;
1747 struct drbg_string addtl;
1748 size_t max_addtllen, max_request_bytes;
1749
1750 /* only perform test in FIPS mode */
1751 if (!fips_enabled)
1752 return 0;
1753
1754 #ifdef CONFIG_CRYPTO_DRBG_CTR
1755 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
1756 #endif
1757 #ifdef CONFIG_CRYPTO_DRBG_HASH
1758 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1759 #endif
1760 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1761 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
1762 #endif
1763
1764 drbg = kzalloc_obj(struct drbg_state);
1765 if (!drbg)
1766 return -ENOMEM;
1767
1768 guard(mutex_init)(&drbg->drbg_mutex);
1769 drbg->core = &drbg_cores[coreref];
1770 drbg->reseed_threshold = drbg_max_requests(drbg);
1771
1772 /*
1773 * if the following tests fail, it is likely that there is a buffer
1774 * overflow as buf is much smaller than the requested or provided
1775 * string lengths -- in case the error handling does not succeed
1776 * we may get an OOPS. And we want to get an OOPS as this is a
1777 * grave bug.
1778 */
1779
1780 max_addtllen = drbg_max_addtl(drbg);
1781 max_request_bytes = drbg_max_request_bytes(drbg);
1782 drbg_string_fill(&addtl, buf, max_addtllen + 1);
1783 /* overflow addtllen with additonal info string */
1784 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1785 BUG_ON(0 < len);
1786 /* overflow max_bits */
1787 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1788 BUG_ON(0 < len);
1789
1790 /* overflow max addtllen with personalization string */
1791 ret = drbg_seed(drbg, &addtl, false);
1792 BUG_ON(0 == ret);
1793 /* all tests passed */
1794 rc = 0;
1795
1796 pr_devel("DRBG: Sanity tests for failure code paths successfully "
1797 "completed\n");
1798
1799 kfree(drbg);
1800 return rc;
1801 }
1802
1803 static struct rng_alg drbg_algs[22];
1804
1805 /*
1806 * Fill the array drbg_algs used to register the different DRBGs
1807 * with the kernel crypto API. To fill the array, the information
1808 * from drbg_cores[] is used.
1809 */
drbg_fill_array(struct rng_alg * alg,const struct drbg_core * core,int pr)1810 static inline void __init drbg_fill_array(struct rng_alg *alg,
1811 const struct drbg_core *core, int pr)
1812 {
1813 int pos = 0;
1814 static int priority = 200;
1815
1816 memcpy(alg->base.cra_name, "stdrng", 6);
1817 if (pr) {
1818 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1819 pos = 8;
1820 } else {
1821 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1822 pos = 10;
1823 }
1824 memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1825 strlen(core->cra_name));
1826
1827 alg->base.cra_priority = priority;
1828 priority++;
1829 /*
1830 * If FIPS mode enabled, the selected DRBG shall have the
1831 * highest cra_priority over other stdrng instances to ensure
1832 * it is selected.
1833 */
1834 if (fips_enabled)
1835 alg->base.cra_priority += 200;
1836
1837 alg->base.cra_ctxsize = sizeof(struct drbg_state);
1838 alg->base.cra_module = THIS_MODULE;
1839 alg->base.cra_init = drbg_kcapi_init;
1840 alg->base.cra_exit = drbg_kcapi_cleanup;
1841 alg->generate = drbg_kcapi_random;
1842 alg->seed = drbg_kcapi_seed;
1843 alg->set_ent = drbg_kcapi_set_entropy;
1844 alg->seedsize = 0;
1845 }
1846
drbg_init(void)1847 static int __init drbg_init(void)
1848 {
1849 unsigned int i = 0; /* pointer to drbg_algs */
1850 unsigned int j = 0; /* pointer to drbg_cores */
1851 int ret;
1852
1853 ret = drbg_healthcheck_sanity();
1854 if (ret)
1855 return ret;
1856
1857 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
1858 pr_info("DRBG: Cannot register all DRBG types"
1859 "(slots needed: %zu, slots available: %zu)\n",
1860 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
1861 return -EFAULT;
1862 }
1863
1864 /*
1865 * each DRBG definition can be used with PR and without PR, thus
1866 * we instantiate each DRBG in drbg_cores[] twice.
1867 *
1868 * As the order of placing them into the drbg_algs array matters
1869 * (the later DRBGs receive a higher cra_priority) we register the
1870 * prediction resistance DRBGs first as the should not be too
1871 * interesting.
1872 */
1873 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1874 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
1875 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
1876 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
1877 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1878 }
1879
drbg_exit(void)1880 static void __exit drbg_exit(void)
1881 {
1882 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
1883 }
1884
1885 module_init(drbg_init);
1886 module_exit(drbg_exit);
1887 #ifndef CRYPTO_DRBG_HASH_STRING
1888 #define CRYPTO_DRBG_HASH_STRING ""
1889 #endif
1890 #ifndef CRYPTO_DRBG_HMAC_STRING
1891 #define CRYPTO_DRBG_HMAC_STRING ""
1892 #endif
1893 #ifndef CRYPTO_DRBG_CTR_STRING
1894 #define CRYPTO_DRBG_CTR_STRING ""
1895 #endif
1896 MODULE_LICENSE("GPL");
1897 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
1898 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
1899 "using following cores: "
1900 CRYPTO_DRBG_HASH_STRING
1901 CRYPTO_DRBG_HMAC_STRING
1902 CRYPTO_DRBG_CTR_STRING);
1903 MODULE_ALIAS_CRYPTO("stdrng");
1904 MODULE_IMPORT_NS("CRYPTO_INTERNAL");
1905