1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/df_sp80090a.h> 102 #include <crypto/internal/cipher.h> 103 #include <linux/kernel.h> 104 #include <linux/jiffies.h> 105 #include <linux/string_choices.h> 106 107 /*************************************************************** 108 * Backend cipher definitions available to DRBG 109 ***************************************************************/ 110 111 /* 112 * The order of the DRBG definitions here matter: every DRBG is registered 113 * as stdrng. Each DRBG receives an increasing cra_priority values the later 114 * they are defined in this array (see drbg_fill_array). 115 * 116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 118 * favored DRBGs are the latest entries in this array. 119 */ 120 static const struct drbg_core drbg_cores[] = { 121 #ifdef CONFIG_CRYPTO_DRBG_CTR 122 { 123 .flags = DRBG_CTR | DRBG_STRENGTH128, 124 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 125 .blocklen_bytes = 16, 126 .cra_name = "ctr_aes128", 127 .backend_cra_name = "aes", 128 }, { 129 .flags = DRBG_CTR | DRBG_STRENGTH192, 130 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 131 .blocklen_bytes = 16, 132 .cra_name = "ctr_aes192", 133 .backend_cra_name = "aes", 134 }, { 135 .flags = DRBG_CTR | DRBG_STRENGTH256, 136 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 137 .blocklen_bytes = 16, 138 .cra_name = "ctr_aes256", 139 .backend_cra_name = "aes", 140 }, 141 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 142 #ifdef CONFIG_CRYPTO_DRBG_HASH 143 { 144 .flags = DRBG_HASH | DRBG_STRENGTH256, 145 .statelen = 111, /* 888 bits */ 146 .blocklen_bytes = 48, 147 .cra_name = "sha384", 148 .backend_cra_name = "sha384", 149 }, { 150 .flags = DRBG_HASH | DRBG_STRENGTH256, 151 .statelen = 111, /* 888 bits */ 152 .blocklen_bytes = 64, 153 .cra_name = "sha512", 154 .backend_cra_name = "sha512", 155 }, { 156 .flags = DRBG_HASH | DRBG_STRENGTH256, 157 .statelen = 55, /* 440 bits */ 158 .blocklen_bytes = 32, 159 .cra_name = "sha256", 160 .backend_cra_name = "sha256", 161 }, 162 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 163 #ifdef CONFIG_CRYPTO_DRBG_HMAC 164 { 165 .flags = DRBG_HMAC | DRBG_STRENGTH256, 166 .statelen = 48, /* block length of cipher */ 167 .blocklen_bytes = 48, 168 .cra_name = "hmac_sha384", 169 .backend_cra_name = "hmac(sha384)", 170 }, { 171 .flags = DRBG_HMAC | DRBG_STRENGTH256, 172 .statelen = 32, /* block length of cipher */ 173 .blocklen_bytes = 32, 174 .cra_name = "hmac_sha256", 175 .backend_cra_name = "hmac(sha256)", 176 }, { 177 .flags = DRBG_HMAC | DRBG_STRENGTH256, 178 .statelen = 64, /* block length of cipher */ 179 .blocklen_bytes = 64, 180 .cra_name = "hmac_sha512", 181 .backend_cra_name = "hmac(sha512)", 182 }, 183 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 184 }; 185 186 static int drbg_uninstantiate(struct drbg_state *drbg); 187 188 /****************************************************************** 189 * Generic helper functions 190 ******************************************************************/ 191 192 /* 193 * Return strength of DRBG according to SP800-90A section 8.4 194 * 195 * @flags DRBG flags reference 196 * 197 * Return: normalized strength in *bytes* value or 32 as default 198 * to counter programming errors 199 */ 200 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 201 { 202 switch (flags & DRBG_STRENGTH_MASK) { 203 case DRBG_STRENGTH128: 204 return 16; 205 case DRBG_STRENGTH192: 206 return 24; 207 case DRBG_STRENGTH256: 208 return 32; 209 default: 210 return 32; 211 } 212 } 213 214 /* 215 * FIPS 140-2 continuous self test for the noise source 216 * The test is performed on the noise source input data. Thus, the function 217 * implicitly knows the size of the buffer to be equal to the security 218 * strength. 219 * 220 * Note, this function disregards the nonce trailing the entropy data during 221 * initial seeding. 222 * 223 * drbg->drbg_mutex must have been taken. 224 * 225 * @drbg DRBG handle 226 * @entropy buffer of seed data to be checked 227 * 228 * return: 229 * 0 on success 230 * -EAGAIN on when the CTRNG is not yet primed 231 * < 0 on error 232 */ 233 static int drbg_fips_continuous_test(struct drbg_state *drbg, 234 const unsigned char *entropy) 235 __must_hold(&drbg->drbg_mutex) 236 { 237 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 238 int ret = 0; 239 240 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 241 return 0; 242 243 /* skip test if we test the overall system */ 244 if (list_empty(&drbg->test_data.list)) 245 return 0; 246 /* only perform test in FIPS mode */ 247 if (!fips_enabled) 248 return 0; 249 250 if (!drbg->fips_primed) { 251 /* Priming of FIPS test */ 252 memcpy(drbg->prev, entropy, entropylen); 253 drbg->fips_primed = true; 254 /* priming: another round is needed */ 255 return -EAGAIN; 256 } 257 ret = memcmp(drbg->prev, entropy, entropylen); 258 if (!ret) 259 panic("DRBG continuous self test failed\n"); 260 memcpy(drbg->prev, entropy, entropylen); 261 262 /* the test shall pass when the two values are not equal */ 263 return 0; 264 } 265 266 /****************************************************************** 267 * CTR DRBG callback functions 268 ******************************************************************/ 269 270 #ifdef CONFIG_CRYPTO_DRBG_CTR 271 #define CRYPTO_DRBG_CTR_STRING "CTR " 272 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 273 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 274 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 275 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 276 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 277 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 278 279 static int drbg_init_sym_kernel(struct drbg_state *drbg); 280 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 281 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 282 u8 *inbuf, u32 inbuflen, 283 u8 *outbuf, u32 outlen); 284 #define DRBG_OUTSCRATCHLEN 256 285 286 static int drbg_ctr_df(struct drbg_state *drbg, 287 unsigned char *df_data, size_t bytes_to_return, 288 struct list_head *seedlist) 289 { 290 return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg), 291 seedlist, drbg_blocklen(drbg), drbg_statelen(drbg)); 292 } 293 294 /* 295 * update function of CTR DRBG as defined in 10.2.1.2 296 * 297 * The reseed variable has an enhanced meaning compared to the update 298 * functions of the other DRBGs as follows: 299 * 0 => initial seed from initialization 300 * 1 => reseed via drbg_seed 301 * 2 => first invocation from drbg_ctr_update when addtl is present. In 302 * this case, the df_data scratchpad is not deleted so that it is 303 * available for another calls to prevent calling the DF function 304 * again. 305 * 3 => second invocation from drbg_ctr_update. When the update function 306 * was called with addtl, the df_data memory already contains the 307 * DFed addtl information and we do not need to call DF again. 308 */ 309 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 310 int reseed) 311 { 312 int ret = -EFAULT; 313 /* 10.2.1.2 step 1 */ 314 unsigned char *temp = drbg->scratchpad; 315 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 316 drbg_blocklen(drbg); 317 318 if (3 > reseed) 319 memset(df_data, 0, drbg_statelen(drbg)); 320 321 if (!reseed) { 322 /* 323 * The DRBG uses the CTR mode of the underlying AES cipher. The 324 * CTR mode increments the counter value after the AES operation 325 * but SP800-90A requires that the counter is incremented before 326 * the AES operation. Hence, we increment it at the time we set 327 * it by one. 328 */ 329 crypto_inc(drbg->V, drbg_blocklen(drbg)); 330 331 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 332 drbg_keylen(drbg)); 333 if (ret) 334 goto out; 335 } 336 337 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 338 if (seed) { 339 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 340 if (ret) 341 goto out; 342 } 343 344 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 345 temp, drbg_statelen(drbg)); 346 if (ret) 347 return ret; 348 349 /* 10.2.1.2 step 5 */ 350 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 351 drbg_keylen(drbg)); 352 if (ret) 353 goto out; 354 /* 10.2.1.2 step 6 */ 355 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 356 /* See above: increment counter by one to compensate timing of CTR op */ 357 crypto_inc(drbg->V, drbg_blocklen(drbg)); 358 ret = 0; 359 360 out: 361 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 362 if (2 != reseed) 363 memset(df_data, 0, drbg_statelen(drbg)); 364 return ret; 365 } 366 367 /* 368 * scratchpad use: drbg_ctr_update is called independently from 369 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 370 */ 371 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 372 static int drbg_ctr_generate(struct drbg_state *drbg, 373 unsigned char *buf, unsigned int buflen, 374 struct list_head *addtl) 375 { 376 int ret; 377 int len = min_t(int, buflen, INT_MAX); 378 379 /* 10.2.1.5.2 step 2 */ 380 if (addtl && !list_empty(addtl)) { 381 ret = drbg_ctr_update(drbg, addtl, 2); 382 if (ret) 383 return 0; 384 } 385 386 /* 10.2.1.5.2 step 4.1 */ 387 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 388 if (ret) 389 return ret; 390 391 /* 10.2.1.5.2 step 6 */ 392 ret = drbg_ctr_update(drbg, NULL, 3); 393 if (ret) 394 len = ret; 395 396 return len; 397 } 398 399 static const struct drbg_state_ops drbg_ctr_ops = { 400 .update = drbg_ctr_update, 401 .generate = drbg_ctr_generate, 402 .crypto_init = drbg_init_sym_kernel, 403 .crypto_fini = drbg_fini_sym_kernel, 404 }; 405 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 406 407 /****************************************************************** 408 * HMAC DRBG callback functions 409 ******************************************************************/ 410 411 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 412 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 413 const struct list_head *in); 414 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 415 const unsigned char *key); 416 static int drbg_init_hash_kernel(struct drbg_state *drbg); 417 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 418 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 419 420 #ifdef CONFIG_CRYPTO_DRBG_HMAC 421 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 422 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 423 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 424 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 425 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 426 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 427 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 428 429 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 430 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 431 int reseed) 432 { 433 int ret = -EFAULT; 434 int i = 0; 435 struct drbg_string seed1, seed2, vdata; 436 LIST_HEAD(seedlist); 437 LIST_HEAD(vdatalist); 438 439 if (!reseed) { 440 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 441 memset(drbg->V, 1, drbg_statelen(drbg)); 442 drbg_kcapi_hmacsetkey(drbg, drbg->C); 443 } 444 445 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 446 list_add_tail(&seed1.list, &seedlist); 447 /* buffer of seed2 will be filled in for loop below with one byte */ 448 drbg_string_fill(&seed2, NULL, 1); 449 list_add_tail(&seed2.list, &seedlist); 450 /* input data of seed is allowed to be NULL at this point */ 451 if (seed) 452 list_splice_tail(seed, &seedlist); 453 454 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 455 list_add_tail(&vdata.list, &vdatalist); 456 for (i = 2; 0 < i; i--) { 457 /* first round uses 0x0, second 0x1 */ 458 unsigned char prefix = DRBG_PREFIX0; 459 if (1 == i) 460 prefix = DRBG_PREFIX1; 461 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 462 seed2.buf = &prefix; 463 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 464 if (ret) 465 return ret; 466 drbg_kcapi_hmacsetkey(drbg, drbg->C); 467 468 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 469 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 470 if (ret) 471 return ret; 472 473 /* 10.1.2.2 step 3 */ 474 if (!seed) 475 return ret; 476 } 477 478 return 0; 479 } 480 481 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 482 static int drbg_hmac_generate(struct drbg_state *drbg, 483 unsigned char *buf, 484 unsigned int buflen, 485 struct list_head *addtl) 486 { 487 int len = 0; 488 int ret = 0; 489 struct drbg_string data; 490 LIST_HEAD(datalist); 491 492 /* 10.1.2.5 step 2 */ 493 if (addtl && !list_empty(addtl)) { 494 ret = drbg_hmac_update(drbg, addtl, 1); 495 if (ret) 496 return ret; 497 } 498 499 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 500 list_add_tail(&data.list, &datalist); 501 while (len < buflen) { 502 unsigned int outlen = 0; 503 /* 10.1.2.5 step 4.1 */ 504 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 505 if (ret) 506 return ret; 507 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 508 drbg_blocklen(drbg) : (buflen - len); 509 510 /* 10.1.2.5 step 4.2 */ 511 memcpy(buf + len, drbg->V, outlen); 512 len += outlen; 513 } 514 515 /* 10.1.2.5 step 6 */ 516 if (addtl && !list_empty(addtl)) 517 ret = drbg_hmac_update(drbg, addtl, 1); 518 else 519 ret = drbg_hmac_update(drbg, NULL, 1); 520 if (ret) 521 return ret; 522 523 return len; 524 } 525 526 static const struct drbg_state_ops drbg_hmac_ops = { 527 .update = drbg_hmac_update, 528 .generate = drbg_hmac_generate, 529 .crypto_init = drbg_init_hash_kernel, 530 .crypto_fini = drbg_fini_hash_kernel, 531 }; 532 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 533 534 /****************************************************************** 535 * Hash DRBG callback functions 536 ******************************************************************/ 537 538 #ifdef CONFIG_CRYPTO_DRBG_HASH 539 #define CRYPTO_DRBG_HASH_STRING "HASH " 540 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 541 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 542 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 543 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 544 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 545 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 546 547 /* 548 * Increment buffer 549 * 550 * @dst buffer to increment 551 * @add value to add 552 */ 553 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 554 const unsigned char *add, size_t addlen) 555 { 556 /* implied: dstlen > addlen */ 557 unsigned char *dstptr; 558 const unsigned char *addptr; 559 unsigned int remainder = 0; 560 size_t len = addlen; 561 562 dstptr = dst + (dstlen-1); 563 addptr = add + (addlen-1); 564 while (len) { 565 remainder += *dstptr + *addptr; 566 *dstptr = remainder & 0xff; 567 remainder >>= 8; 568 len--; dstptr--; addptr--; 569 } 570 len = dstlen - addlen; 571 while (len && remainder > 0) { 572 remainder = *dstptr + 1; 573 *dstptr = remainder & 0xff; 574 remainder >>= 8; 575 len--; dstptr--; 576 } 577 } 578 579 /* 580 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 581 * interlinked, the scratchpad is used as follows: 582 * drbg_hash_update 583 * start: drbg->scratchpad 584 * length: drbg_statelen(drbg) 585 * drbg_hash_df: 586 * start: drbg->scratchpad + drbg_statelen(drbg) 587 * length: drbg_blocklen(drbg) 588 * 589 * drbg_hash_process_addtl uses the scratchpad, but fully completes 590 * before either of the functions mentioned before are invoked. Therefore, 591 * drbg_hash_process_addtl does not need to be specifically considered. 592 */ 593 594 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 595 static int drbg_hash_df(struct drbg_state *drbg, 596 unsigned char *outval, size_t outlen, 597 struct list_head *entropylist) 598 { 599 int ret = 0; 600 size_t len = 0; 601 unsigned char input[5]; 602 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 603 struct drbg_string data; 604 605 /* 10.4.1 step 3 */ 606 input[0] = 1; 607 drbg_cpu_to_be32((outlen * 8), &input[1]); 608 609 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 610 drbg_string_fill(&data, input, 5); 611 list_add(&data.list, entropylist); 612 613 /* 10.4.1 step 4 */ 614 while (len < outlen) { 615 short blocklen = 0; 616 /* 10.4.1 step 4.1 */ 617 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 618 if (ret) 619 goto out; 620 /* 10.4.1 step 4.2 */ 621 input[0]++; 622 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 623 drbg_blocklen(drbg) : (outlen - len); 624 memcpy(outval + len, tmp, blocklen); 625 len += blocklen; 626 } 627 628 out: 629 memset(tmp, 0, drbg_blocklen(drbg)); 630 return ret; 631 } 632 633 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 634 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 635 int reseed) 636 { 637 int ret = 0; 638 struct drbg_string data1, data2; 639 LIST_HEAD(datalist); 640 LIST_HEAD(datalist2); 641 unsigned char *V = drbg->scratchpad; 642 unsigned char prefix = DRBG_PREFIX1; 643 644 if (!seed) 645 return -EINVAL; 646 647 if (reseed) { 648 /* 10.1.1.3 step 1 */ 649 memcpy(V, drbg->V, drbg_statelen(drbg)); 650 drbg_string_fill(&data1, &prefix, 1); 651 list_add_tail(&data1.list, &datalist); 652 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 653 list_add_tail(&data2.list, &datalist); 654 } 655 list_splice_tail(seed, &datalist); 656 657 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 658 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 659 if (ret) 660 goto out; 661 662 /* 10.1.1.2 / 10.1.1.3 step 4 */ 663 prefix = DRBG_PREFIX0; 664 drbg_string_fill(&data1, &prefix, 1); 665 list_add_tail(&data1.list, &datalist2); 666 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 667 list_add_tail(&data2.list, &datalist2); 668 /* 10.1.1.2 / 10.1.1.3 step 4 */ 669 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 670 671 out: 672 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 673 return ret; 674 } 675 676 /* processing of additional information string for Hash DRBG */ 677 static int drbg_hash_process_addtl(struct drbg_state *drbg, 678 struct list_head *addtl) 679 { 680 int ret = 0; 681 struct drbg_string data1, data2; 682 LIST_HEAD(datalist); 683 unsigned char prefix = DRBG_PREFIX2; 684 685 /* 10.1.1.4 step 2 */ 686 if (!addtl || list_empty(addtl)) 687 return 0; 688 689 /* 10.1.1.4 step 2a */ 690 drbg_string_fill(&data1, &prefix, 1); 691 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 692 list_add_tail(&data1.list, &datalist); 693 list_add_tail(&data2.list, &datalist); 694 list_splice_tail(addtl, &datalist); 695 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 696 if (ret) 697 goto out; 698 699 /* 10.1.1.4 step 2b */ 700 drbg_add_buf(drbg->V, drbg_statelen(drbg), 701 drbg->scratchpad, drbg_blocklen(drbg)); 702 703 out: 704 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 705 return ret; 706 } 707 708 /* Hashgen defined in 10.1.1.4 */ 709 static int drbg_hash_hashgen(struct drbg_state *drbg, 710 unsigned char *buf, 711 unsigned int buflen) 712 { 713 int len = 0; 714 int ret = 0; 715 unsigned char *src = drbg->scratchpad; 716 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 717 struct drbg_string data; 718 LIST_HEAD(datalist); 719 720 /* 10.1.1.4 step hashgen 2 */ 721 memcpy(src, drbg->V, drbg_statelen(drbg)); 722 723 drbg_string_fill(&data, src, drbg_statelen(drbg)); 724 list_add_tail(&data.list, &datalist); 725 while (len < buflen) { 726 unsigned int outlen = 0; 727 /* 10.1.1.4 step hashgen 4.1 */ 728 ret = drbg_kcapi_hash(drbg, dst, &datalist); 729 if (ret) { 730 len = ret; 731 goto out; 732 } 733 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 734 drbg_blocklen(drbg) : (buflen - len); 735 /* 10.1.1.4 step hashgen 4.2 */ 736 memcpy(buf + len, dst, outlen); 737 len += outlen; 738 /* 10.1.1.4 hashgen step 4.3 */ 739 if (len < buflen) 740 crypto_inc(src, drbg_statelen(drbg)); 741 } 742 743 out: 744 memset(drbg->scratchpad, 0, 745 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 746 return len; 747 } 748 749 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 750 static int drbg_hash_generate(struct drbg_state *drbg, 751 unsigned char *buf, unsigned int buflen, 752 struct list_head *addtl) 753 { 754 int len = 0; 755 int ret = 0; 756 union { 757 unsigned char req[8]; 758 __be64 req_int; 759 } u; 760 unsigned char prefix = DRBG_PREFIX3; 761 struct drbg_string data1, data2; 762 LIST_HEAD(datalist); 763 764 /* 10.1.1.4 step 2 */ 765 ret = drbg_hash_process_addtl(drbg, addtl); 766 if (ret) 767 return ret; 768 /* 10.1.1.4 step 3 */ 769 len = drbg_hash_hashgen(drbg, buf, buflen); 770 771 /* this is the value H as documented in 10.1.1.4 */ 772 /* 10.1.1.4 step 4 */ 773 drbg_string_fill(&data1, &prefix, 1); 774 list_add_tail(&data1.list, &datalist); 775 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 776 list_add_tail(&data2.list, &datalist); 777 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 778 if (ret) { 779 len = ret; 780 goto out; 781 } 782 783 /* 10.1.1.4 step 5 */ 784 drbg_add_buf(drbg->V, drbg_statelen(drbg), 785 drbg->scratchpad, drbg_blocklen(drbg)); 786 drbg_add_buf(drbg->V, drbg_statelen(drbg), 787 drbg->C, drbg_statelen(drbg)); 788 u.req_int = cpu_to_be64(drbg->reseed_ctr); 789 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 790 791 out: 792 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 793 return len; 794 } 795 796 /* 797 * scratchpad usage: as update and generate are used isolated, both 798 * can use the scratchpad 799 */ 800 static const struct drbg_state_ops drbg_hash_ops = { 801 .update = drbg_hash_update, 802 .generate = drbg_hash_generate, 803 .crypto_init = drbg_init_hash_kernel, 804 .crypto_fini = drbg_fini_hash_kernel, 805 }; 806 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 807 808 /****************************************************************** 809 * Functions common for DRBG implementations 810 ******************************************************************/ 811 812 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 813 int reseed, enum drbg_seed_state new_seed_state) 814 { 815 int ret = drbg->d_ops->update(drbg, seed, reseed); 816 817 if (ret) 818 return ret; 819 820 drbg->seeded = new_seed_state; 821 drbg->last_seed_time = jiffies; 822 /* 10.1.1.2 / 10.1.1.3 step 5 */ 823 drbg->reseed_ctr = 1; 824 825 switch (drbg->seeded) { 826 case DRBG_SEED_STATE_UNSEEDED: 827 /* Impossible, but handle it to silence compiler warnings. */ 828 fallthrough; 829 case DRBG_SEED_STATE_PARTIAL: 830 /* 831 * Require frequent reseeds until the seed source is 832 * fully initialized. 833 */ 834 drbg->reseed_threshold = 50; 835 break; 836 837 case DRBG_SEED_STATE_FULL: 838 /* 839 * Seed source has become fully initialized, frequent 840 * reseeds no longer required. 841 */ 842 drbg->reseed_threshold = drbg_max_requests(drbg); 843 break; 844 } 845 846 return ret; 847 } 848 849 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 850 unsigned char *entropy, 851 unsigned int entropylen) 852 __must_hold(&drbg->drbg_mutex) 853 { 854 int ret; 855 856 do { 857 get_random_bytes(entropy, entropylen); 858 ret = drbg_fips_continuous_test(drbg, entropy); 859 if (ret && ret != -EAGAIN) 860 return ret; 861 } while (ret); 862 863 return 0; 864 } 865 866 static int drbg_seed_from_random(struct drbg_state *drbg) 867 __must_hold(&drbg->drbg_mutex) 868 { 869 struct drbg_string data; 870 LIST_HEAD(seedlist); 871 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 872 unsigned char entropy[32]; 873 int ret; 874 875 BUG_ON(!entropylen); 876 BUG_ON(entropylen > sizeof(entropy)); 877 878 drbg_string_fill(&data, entropy, entropylen); 879 list_add_tail(&data.list, &seedlist); 880 881 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 882 if (ret) 883 goto out; 884 885 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 886 887 out: 888 memzero_explicit(entropy, entropylen); 889 return ret; 890 } 891 892 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 893 { 894 unsigned long next_reseed; 895 896 /* Don't ever reseed from get_random_bytes() in test mode. */ 897 if (list_empty(&drbg->test_data.list)) 898 return false; 899 900 /* 901 * Obtain fresh entropy for the nopr DRBGs after 300s have 902 * elapsed in order to still achieve sort of partial 903 * prediction resistance over the time domain at least. Note 904 * that the period of 300s has been chosen to match the 905 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 906 * rngs. 907 */ 908 next_reseed = drbg->last_seed_time + 300 * HZ; 909 return time_after(jiffies, next_reseed); 910 } 911 912 /* 913 * Seeding or reseeding of the DRBG 914 * 915 * @drbg: DRBG state struct 916 * @pers: personalization / additional information buffer 917 * @reseed: 0 for initial seed process, 1 for reseeding 918 * 919 * return: 920 * 0 on success 921 * error value otherwise 922 */ 923 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 924 bool reseed) 925 __must_hold(&drbg->drbg_mutex) 926 { 927 int ret; 928 unsigned char entropy[((32 + 16) * 2)]; 929 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 930 struct drbg_string data1; 931 LIST_HEAD(seedlist); 932 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 933 934 /* 9.1 / 9.2 / 9.3.1 step 3 */ 935 if (pers && pers->len > (drbg_max_addtl(drbg))) { 936 pr_devel("DRBG: personalization string too long %zu\n", 937 pers->len); 938 return -EINVAL; 939 } 940 941 if (list_empty(&drbg->test_data.list)) { 942 drbg_string_fill(&data1, drbg->test_data.buf, 943 drbg->test_data.len); 944 pr_devel("DRBG: using test entropy\n"); 945 } else { 946 /* 947 * Gather entropy equal to the security strength of the DRBG. 948 * With a derivation function, a nonce is required in addition 949 * to the entropy. A nonce must be at least 1/2 of the security 950 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 951 * of the strength. The consideration of a nonce is only 952 * applicable during initial seeding. 953 */ 954 BUG_ON(!entropylen); 955 if (!reseed) 956 entropylen = ((entropylen + 1) / 2) * 3; 957 BUG_ON((entropylen * 2) > sizeof(entropy)); 958 959 /* Get seed from in-kernel /dev/urandom */ 960 if (!rng_is_initialized()) 961 new_seed_state = DRBG_SEED_STATE_PARTIAL; 962 963 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 964 if (ret) 965 goto out; 966 967 if (!drbg->jent) { 968 drbg_string_fill(&data1, entropy, entropylen); 969 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 970 entropylen); 971 } else { 972 /* 973 * Get seed from Jitter RNG, failures are 974 * fatal only in FIPS mode. 975 */ 976 ret = crypto_rng_get_bytes(drbg->jent, 977 entropy + entropylen, 978 entropylen); 979 if (fips_enabled && ret) { 980 pr_devel("DRBG: jent failed with %d\n", ret); 981 982 /* 983 * Do not treat the transient failure of the 984 * Jitter RNG as an error that needs to be 985 * reported. The combined number of the 986 * maximum reseed threshold times the maximum 987 * number of Jitter RNG transient errors is 988 * less than the reseed threshold required by 989 * SP800-90A allowing us to treat the 990 * transient errors as such. 991 * 992 * However, we mandate that at least the first 993 * seeding operation must succeed with the 994 * Jitter RNG. 995 */ 996 if (!reseed || ret != -EAGAIN) 997 goto out; 998 } 999 1000 drbg_string_fill(&data1, entropy, entropylen * 2); 1001 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1002 entropylen * 2); 1003 } 1004 } 1005 list_add_tail(&data1.list, &seedlist); 1006 1007 /* 1008 * concatenation of entropy with personalization str / addtl input) 1009 * the variable pers is directly handed in by the caller, so check its 1010 * contents whether it is appropriate 1011 */ 1012 if (pers && pers->buf && 0 < pers->len) { 1013 list_add_tail(&pers->list, &seedlist); 1014 pr_devel("DRBG: using personalization string\n"); 1015 } 1016 1017 if (!reseed) { 1018 memset(drbg->V, 0, drbg_statelen(drbg)); 1019 memset(drbg->C, 0, drbg_statelen(drbg)); 1020 } 1021 1022 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1023 1024 out: 1025 memzero_explicit(entropy, entropylen * 2); 1026 1027 return ret; 1028 } 1029 1030 /* Free all substructures in a DRBG state without the DRBG state structure */ 1031 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1032 { 1033 if (!drbg) 1034 return; 1035 kfree_sensitive(drbg->Vbuf); 1036 drbg->Vbuf = NULL; 1037 drbg->V = NULL; 1038 kfree_sensitive(drbg->Cbuf); 1039 drbg->Cbuf = NULL; 1040 drbg->C = NULL; 1041 kfree_sensitive(drbg->scratchpadbuf); 1042 drbg->scratchpadbuf = NULL; 1043 drbg->reseed_ctr = 0; 1044 drbg->d_ops = NULL; 1045 drbg->core = NULL; 1046 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1047 kfree_sensitive(drbg->prev); 1048 drbg->prev = NULL; 1049 drbg->fips_primed = false; 1050 } 1051 } 1052 1053 /* 1054 * Allocate all sub-structures for a DRBG state. 1055 * The DRBG state structure must already be allocated. 1056 */ 1057 static inline int drbg_alloc_state(struct drbg_state *drbg) 1058 { 1059 int ret = -ENOMEM; 1060 unsigned int sb_size = 0; 1061 1062 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1063 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1064 case DRBG_HMAC: 1065 drbg->d_ops = &drbg_hmac_ops; 1066 break; 1067 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1068 #ifdef CONFIG_CRYPTO_DRBG_HASH 1069 case DRBG_HASH: 1070 drbg->d_ops = &drbg_hash_ops; 1071 break; 1072 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1073 #ifdef CONFIG_CRYPTO_DRBG_CTR 1074 case DRBG_CTR: 1075 drbg->d_ops = &drbg_ctr_ops; 1076 break; 1077 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1078 default: 1079 ret = -EOPNOTSUPP; 1080 goto err; 1081 } 1082 1083 ret = drbg->d_ops->crypto_init(drbg); 1084 if (ret < 0) 1085 goto err; 1086 1087 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1088 if (!drbg->Vbuf) { 1089 ret = -ENOMEM; 1090 goto fini; 1091 } 1092 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1093 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1094 if (!drbg->Cbuf) { 1095 ret = -ENOMEM; 1096 goto fini; 1097 } 1098 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1099 /* scratchpad is only generated for CTR and Hash */ 1100 if (drbg->core->flags & DRBG_HMAC) 1101 sb_size = 0; 1102 else if (drbg->core->flags & DRBG_CTR) 1103 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1104 crypto_drbg_ctr_df_datalen(drbg_statelen(drbg), 1105 drbg_blocklen(drbg)); 1106 else 1107 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1108 1109 if (0 < sb_size) { 1110 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1111 if (!drbg->scratchpadbuf) { 1112 ret = -ENOMEM; 1113 goto fini; 1114 } 1115 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1116 } 1117 1118 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1119 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1120 GFP_KERNEL); 1121 if (!drbg->prev) { 1122 ret = -ENOMEM; 1123 goto fini; 1124 } 1125 drbg->fips_primed = false; 1126 } 1127 1128 return 0; 1129 1130 fini: 1131 drbg->d_ops->crypto_fini(drbg); 1132 err: 1133 drbg_dealloc_state(drbg); 1134 return ret; 1135 } 1136 1137 /************************************************************************* 1138 * DRBG interface functions 1139 *************************************************************************/ 1140 1141 /* 1142 * DRBG generate function as required by SP800-90A - this function 1143 * generates random numbers 1144 * 1145 * @drbg DRBG state handle 1146 * @buf Buffer where to store the random numbers -- the buffer must already 1147 * be pre-allocated by caller 1148 * @buflen Length of output buffer - this value defines the number of random 1149 * bytes pulled from DRBG 1150 * @addtl Additional input that is mixed into state, may be NULL -- note 1151 * the entropy is pulled by the DRBG internally unconditionally 1152 * as defined in SP800-90A. The additional input is mixed into 1153 * the state in addition to the pulled entropy. 1154 * 1155 * return: 0 when all bytes are generated; < 0 in case of an error 1156 */ 1157 static int drbg_generate(struct drbg_state *drbg, 1158 unsigned char *buf, unsigned int buflen, 1159 struct drbg_string *addtl) 1160 __must_hold(&drbg->drbg_mutex) 1161 { 1162 int len = 0; 1163 LIST_HEAD(addtllist); 1164 1165 if (!drbg->core) { 1166 pr_devel("DRBG: not yet seeded\n"); 1167 return -EINVAL; 1168 } 1169 if (0 == buflen || !buf) { 1170 pr_devel("DRBG: no output buffer provided\n"); 1171 return -EINVAL; 1172 } 1173 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1174 pr_devel("DRBG: wrong format of additional information\n"); 1175 return -EINVAL; 1176 } 1177 1178 /* 9.3.1 step 2 */ 1179 len = -EINVAL; 1180 if (buflen > (drbg_max_request_bytes(drbg))) { 1181 pr_devel("DRBG: requested random numbers too large %u\n", 1182 buflen); 1183 goto err; 1184 } 1185 1186 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1187 1188 /* 9.3.1 step 4 */ 1189 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1190 pr_devel("DRBG: additional information string too long %zu\n", 1191 addtl->len); 1192 goto err; 1193 } 1194 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1195 1196 /* 1197 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1198 * here. The spec is a bit convoluted here, we make it simpler. 1199 */ 1200 if (drbg->reseed_threshold < drbg->reseed_ctr) 1201 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1202 1203 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1204 pr_devel("DRBG: reseeding before generation (prediction " 1205 "resistance: %s, state %s)\n", 1206 str_true_false(drbg->pr), 1207 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1208 "seeded" : "unseeded")); 1209 /* 9.3.1 steps 7.1 through 7.3 */ 1210 len = drbg_seed(drbg, addtl, true); 1211 if (len) 1212 goto err; 1213 /* 9.3.1 step 7.4 */ 1214 addtl = NULL; 1215 } else if (rng_is_initialized() && 1216 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1217 drbg_nopr_reseed_interval_elapsed(drbg))) { 1218 len = drbg_seed_from_random(drbg); 1219 if (len) 1220 goto err; 1221 } 1222 1223 if (addtl && 0 < addtl->len) 1224 list_add_tail(&addtl->list, &addtllist); 1225 /* 9.3.1 step 8 and 10 */ 1226 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1227 1228 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1229 drbg->reseed_ctr++; 1230 if (0 >= len) 1231 goto err; 1232 1233 /* 1234 * Section 11.3.3 requires to re-perform self tests after some 1235 * generated random numbers. The chosen value after which self 1236 * test is performed is arbitrary, but it should be reasonable. 1237 * However, we do not perform the self tests because of the following 1238 * reasons: it is mathematically impossible that the initial self tests 1239 * were successfully and the following are not. If the initial would 1240 * pass and the following would not, the kernel integrity is violated. 1241 * In this case, the entire kernel operation is questionable and it 1242 * is unlikely that the integrity violation only affects the 1243 * correct operation of the DRBG. 1244 * 1245 * Albeit the following code is commented out, it is provided in 1246 * case somebody has a need to implement the test of 11.3.3. 1247 */ 1248 #if 0 1249 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1250 int err = 0; 1251 pr_devel("DRBG: start to perform self test\n"); 1252 if (drbg->core->flags & DRBG_HMAC) 1253 err = alg_test("drbg_pr_hmac_sha512", 1254 "drbg_pr_hmac_sha512", 0, 0); 1255 else if (drbg->core->flags & DRBG_CTR) 1256 err = alg_test("drbg_pr_ctr_aes256", 1257 "drbg_pr_ctr_aes256", 0, 0); 1258 else 1259 err = alg_test("drbg_pr_sha256", 1260 "drbg_pr_sha256", 0, 0); 1261 if (err) { 1262 pr_err("DRBG: periodical self test failed\n"); 1263 /* 1264 * uninstantiate implies that from now on, only errors 1265 * are returned when reusing this DRBG cipher handle 1266 */ 1267 drbg_uninstantiate(drbg); 1268 return 0; 1269 } else { 1270 pr_devel("DRBG: self test successful\n"); 1271 } 1272 } 1273 #endif 1274 1275 /* 1276 * All operations were successful, return 0 as mandated by 1277 * the kernel crypto API interface. 1278 */ 1279 len = 0; 1280 err: 1281 return len; 1282 } 1283 1284 /* 1285 * Wrapper around drbg_generate which can pull arbitrary long strings 1286 * from the DRBG without hitting the maximum request limitation. 1287 * 1288 * Parameters: see drbg_generate 1289 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1290 * the entire drbg_generate_long request fails 1291 */ 1292 static int drbg_generate_long(struct drbg_state *drbg, 1293 unsigned char *buf, unsigned int buflen, 1294 struct drbg_string *addtl) 1295 { 1296 unsigned int len = 0; 1297 unsigned int slice = 0; 1298 do { 1299 int err = 0; 1300 unsigned int chunk = 0; 1301 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1302 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1303 mutex_lock(&drbg->drbg_mutex); 1304 err = drbg_generate(drbg, buf + len, chunk, addtl); 1305 mutex_unlock(&drbg->drbg_mutex); 1306 if (0 > err) 1307 return err; 1308 len += chunk; 1309 } while (slice > 0 && (len < buflen)); 1310 return 0; 1311 } 1312 1313 static int drbg_prepare_hrng(struct drbg_state *drbg) 1314 { 1315 /* We do not need an HRNG in test mode. */ 1316 if (list_empty(&drbg->test_data.list)) 1317 return 0; 1318 1319 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1320 if (IS_ERR(drbg->jent)) { 1321 const int err = PTR_ERR(drbg->jent); 1322 1323 drbg->jent = NULL; 1324 if (fips_enabled) 1325 return err; 1326 pr_info("DRBG: Continuing without Jitter RNG\n"); 1327 } 1328 1329 return 0; 1330 } 1331 1332 /* 1333 * DRBG instantiation function as required by SP800-90A - this function 1334 * sets up the DRBG handle, performs the initial seeding and all sanity 1335 * checks required by SP800-90A 1336 * 1337 * @drbg memory of state -- if NULL, new memory is allocated 1338 * @pers Personalization string that is mixed into state, may be NULL -- note 1339 * the entropy is pulled by the DRBG internally unconditionally 1340 * as defined in SP800-90A. The additional input is mixed into 1341 * the state in addition to the pulled entropy. 1342 * @coreref reference to core 1343 * @pr prediction resistance enabled 1344 * 1345 * return 1346 * 0 on success 1347 * error value otherwise 1348 */ 1349 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1350 int coreref, bool pr) 1351 { 1352 int ret; 1353 bool reseed = true; 1354 1355 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1356 "%s\n", coreref, str_enabled_disabled(pr)); 1357 mutex_lock(&drbg->drbg_mutex); 1358 1359 /* 9.1 step 1 is implicit with the selected DRBG type */ 1360 1361 /* 1362 * 9.1 step 2 is implicit as caller can select prediction resistance 1363 * and the flag is copied into drbg->flags -- 1364 * all DRBG types support prediction resistance 1365 */ 1366 1367 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1368 1369 if (!drbg->core) { 1370 drbg->core = &drbg_cores[coreref]; 1371 drbg->pr = pr; 1372 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1373 drbg->last_seed_time = 0; 1374 drbg->reseed_threshold = drbg_max_requests(drbg); 1375 1376 ret = drbg_alloc_state(drbg); 1377 if (ret) 1378 goto unlock; 1379 1380 ret = drbg_prepare_hrng(drbg); 1381 if (ret) 1382 goto free_everything; 1383 1384 reseed = false; 1385 } 1386 1387 ret = drbg_seed(drbg, pers, reseed); 1388 1389 if (ret && !reseed) 1390 goto free_everything; 1391 1392 mutex_unlock(&drbg->drbg_mutex); 1393 return ret; 1394 1395 unlock: 1396 mutex_unlock(&drbg->drbg_mutex); 1397 return ret; 1398 1399 free_everything: 1400 mutex_unlock(&drbg->drbg_mutex); 1401 drbg_uninstantiate(drbg); 1402 return ret; 1403 } 1404 1405 /* 1406 * DRBG uninstantiate function as required by SP800-90A - this function 1407 * frees all buffers and the DRBG handle 1408 * 1409 * @drbg DRBG state handle 1410 * 1411 * return 1412 * 0 on success 1413 */ 1414 static int drbg_uninstantiate(struct drbg_state *drbg) 1415 { 1416 if (!IS_ERR_OR_NULL(drbg->jent)) 1417 crypto_free_rng(drbg->jent); 1418 drbg->jent = NULL; 1419 1420 if (drbg->d_ops) 1421 drbg->d_ops->crypto_fini(drbg); 1422 drbg_dealloc_state(drbg); 1423 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1424 return 0; 1425 } 1426 1427 /* 1428 * Helper function for setting the test data in the DRBG 1429 * 1430 * @drbg DRBG state handle 1431 * @data test data 1432 * @len test data length 1433 */ 1434 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1435 const u8 *data, unsigned int len) 1436 { 1437 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1438 1439 mutex_lock(&drbg->drbg_mutex); 1440 drbg_string_fill(&drbg->test_data, data, len); 1441 mutex_unlock(&drbg->drbg_mutex); 1442 } 1443 1444 /*************************************************************** 1445 * Kernel crypto API cipher invocations requested by DRBG 1446 ***************************************************************/ 1447 1448 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1449 struct sdesc { 1450 struct shash_desc shash; 1451 }; 1452 1453 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1454 { 1455 struct sdesc *sdesc; 1456 struct crypto_shash *tfm; 1457 1458 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1459 if (IS_ERR(tfm)) { 1460 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1461 drbg->core->backend_cra_name); 1462 return PTR_ERR(tfm); 1463 } 1464 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1465 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1466 GFP_KERNEL); 1467 if (!sdesc) { 1468 crypto_free_shash(tfm); 1469 return -ENOMEM; 1470 } 1471 1472 sdesc->shash.tfm = tfm; 1473 drbg->priv_data = sdesc; 1474 1475 return 0; 1476 } 1477 1478 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1479 { 1480 struct sdesc *sdesc = drbg->priv_data; 1481 if (sdesc) { 1482 crypto_free_shash(sdesc->shash.tfm); 1483 kfree_sensitive(sdesc); 1484 } 1485 drbg->priv_data = NULL; 1486 return 0; 1487 } 1488 1489 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1490 const unsigned char *key) 1491 { 1492 struct sdesc *sdesc = drbg->priv_data; 1493 1494 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1495 } 1496 1497 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1498 const struct list_head *in) 1499 { 1500 struct sdesc *sdesc = drbg->priv_data; 1501 struct drbg_string *input = NULL; 1502 1503 crypto_shash_init(&sdesc->shash); 1504 list_for_each_entry(input, in, list) 1505 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1506 return crypto_shash_final(&sdesc->shash, outval); 1507 } 1508 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1509 1510 #ifdef CONFIG_CRYPTO_DRBG_CTR 1511 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1512 { 1513 struct crypto_aes_ctx *aesctx = (struct crypto_aes_ctx *)drbg->priv_data; 1514 1515 kfree(aesctx); 1516 drbg->priv_data = NULL; 1517 1518 if (drbg->ctr_handle) 1519 crypto_free_skcipher(drbg->ctr_handle); 1520 drbg->ctr_handle = NULL; 1521 1522 if (drbg->ctr_req) 1523 skcipher_request_free(drbg->ctr_req); 1524 drbg->ctr_req = NULL; 1525 1526 kfree(drbg->outscratchpadbuf); 1527 drbg->outscratchpadbuf = NULL; 1528 1529 return 0; 1530 } 1531 1532 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1533 { 1534 struct crypto_aes_ctx *aesctx; 1535 struct crypto_skcipher *sk_tfm; 1536 struct skcipher_request *req; 1537 unsigned int alignmask; 1538 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1539 1540 aesctx = kzalloc(sizeof(*aesctx), GFP_KERNEL); 1541 if (!aesctx) 1542 return -ENOMEM; 1543 drbg->priv_data = aesctx; 1544 1545 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1546 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1547 drbg_fini_sym_kernel(drbg); 1548 return -EINVAL; 1549 } 1550 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1551 if (IS_ERR(sk_tfm)) { 1552 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1553 ctr_name); 1554 drbg_fini_sym_kernel(drbg); 1555 return PTR_ERR(sk_tfm); 1556 } 1557 drbg->ctr_handle = sk_tfm; 1558 crypto_init_wait(&drbg->ctr_wait); 1559 1560 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1561 if (!req) { 1562 pr_info("DRBG: could not allocate request queue\n"); 1563 drbg_fini_sym_kernel(drbg); 1564 return -ENOMEM; 1565 } 1566 drbg->ctr_req = req; 1567 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1568 CRYPTO_TFM_REQ_MAY_SLEEP, 1569 crypto_req_done, &drbg->ctr_wait); 1570 1571 alignmask = crypto_skcipher_alignmask(sk_tfm); 1572 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1573 GFP_KERNEL); 1574 if (!drbg->outscratchpadbuf) { 1575 drbg_fini_sym_kernel(drbg); 1576 return -ENOMEM; 1577 } 1578 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1579 alignmask + 1); 1580 1581 sg_init_table(&drbg->sg_in, 1); 1582 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1583 1584 return alignmask; 1585 } 1586 1587 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1588 u8 *inbuf, u32 inlen, 1589 u8 *outbuf, u32 outlen) 1590 { 1591 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1592 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1593 int ret; 1594 1595 if (inbuf) { 1596 /* Use caller-provided input buffer */ 1597 sg_set_buf(sg_in, inbuf, inlen); 1598 } else { 1599 /* Use scratchpad for in-place operation */ 1600 inlen = scratchpad_use; 1601 memset(drbg->outscratchpad, 0, scratchpad_use); 1602 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1603 } 1604 1605 while (outlen) { 1606 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1607 1608 /* Output buffer may not be valid for SGL, use scratchpad */ 1609 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1610 cryptlen, drbg->V); 1611 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1612 &drbg->ctr_wait); 1613 if (ret) 1614 goto out; 1615 1616 crypto_init_wait(&drbg->ctr_wait); 1617 1618 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1619 memzero_explicit(drbg->outscratchpad, cryptlen); 1620 1621 outlen -= cryptlen; 1622 outbuf += cryptlen; 1623 } 1624 ret = 0; 1625 1626 out: 1627 return ret; 1628 } 1629 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1630 1631 /*************************************************************** 1632 * Kernel crypto API interface to register DRBG 1633 ***************************************************************/ 1634 1635 /* 1636 * Look up the DRBG flags by given kernel crypto API cra_name 1637 * The code uses the drbg_cores definition to do this 1638 * 1639 * @cra_name kernel crypto API cra_name 1640 * @coreref reference to integer which is filled with the pointer to 1641 * the applicable core 1642 * @pr reference for setting prediction resistance 1643 * 1644 * return: flags 1645 */ 1646 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1647 int *coreref, bool *pr) 1648 { 1649 int i = 0; 1650 size_t start = 0; 1651 int len = 0; 1652 1653 *pr = true; 1654 /* disassemble the names */ 1655 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1656 start = 10; 1657 *pr = false; 1658 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1659 start = 8; 1660 } else { 1661 return; 1662 } 1663 1664 /* remove the first part */ 1665 len = strlen(cra_driver_name) - start; 1666 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1667 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1668 len)) { 1669 *coreref = i; 1670 return; 1671 } 1672 } 1673 } 1674 1675 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1676 { 1677 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1678 1679 mutex_init(&drbg->drbg_mutex); 1680 1681 return 0; 1682 } 1683 1684 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1685 { 1686 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1687 } 1688 1689 /* 1690 * Generate random numbers invoked by the kernel crypto API: 1691 * The API of the kernel crypto API is extended as follows: 1692 * 1693 * src is additional input supplied to the RNG. 1694 * slen is the length of src. 1695 * dst is the output buffer where random data is to be stored. 1696 * dlen is the length of dst. 1697 */ 1698 static int drbg_kcapi_random(struct crypto_rng *tfm, 1699 const u8 *src, unsigned int slen, 1700 u8 *dst, unsigned int dlen) 1701 { 1702 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1703 struct drbg_string *addtl = NULL; 1704 struct drbg_string string; 1705 1706 if (slen) { 1707 /* linked list variable is now local to allow modification */ 1708 drbg_string_fill(&string, src, slen); 1709 addtl = &string; 1710 } 1711 1712 return drbg_generate_long(drbg, dst, dlen, addtl); 1713 } 1714 1715 /* 1716 * Seed the DRBG invoked by the kernel crypto API 1717 */ 1718 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1719 const u8 *seed, unsigned int slen) 1720 { 1721 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1722 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1723 bool pr = false; 1724 struct drbg_string string; 1725 struct drbg_string *seed_string = NULL; 1726 int coreref = 0; 1727 1728 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1729 &pr); 1730 if (0 < slen) { 1731 drbg_string_fill(&string, seed, slen); 1732 seed_string = &string; 1733 } 1734 1735 return drbg_instantiate(drbg, seed_string, coreref, pr); 1736 } 1737 1738 /*************************************************************** 1739 * Kernel module: code to load the module 1740 ***************************************************************/ 1741 1742 /* 1743 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1744 * of the error handling. 1745 * 1746 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1747 * as seed source of get_random_bytes does not fail. 1748 * 1749 * Note 2: There is no sensible way of testing the reseed counter 1750 * enforcement, so skip it. 1751 */ 1752 static inline int __init drbg_healthcheck_sanity(void) 1753 { 1754 int len = 0; 1755 #define OUTBUFLEN 16 1756 unsigned char buf[OUTBUFLEN]; 1757 struct drbg_state *drbg = NULL; 1758 int ret; 1759 int rc = -EFAULT; 1760 bool pr = false; 1761 int coreref = 0; 1762 struct drbg_string addtl; 1763 size_t max_addtllen, max_request_bytes; 1764 1765 /* only perform test in FIPS mode */ 1766 if (!fips_enabled) 1767 return 0; 1768 1769 #ifdef CONFIG_CRYPTO_DRBG_CTR 1770 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 1771 #endif 1772 #ifdef CONFIG_CRYPTO_DRBG_HASH 1773 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1774 #endif 1775 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1776 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 1777 #endif 1778 1779 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1780 if (!drbg) 1781 return -ENOMEM; 1782 1783 mutex_init(&drbg->drbg_mutex); 1784 drbg->core = &drbg_cores[coreref]; 1785 drbg->reseed_threshold = drbg_max_requests(drbg); 1786 1787 /* 1788 * if the following tests fail, it is likely that there is a buffer 1789 * overflow as buf is much smaller than the requested or provided 1790 * string lengths -- in case the error handling does not succeed 1791 * we may get an OOPS. And we want to get an OOPS as this is a 1792 * grave bug. 1793 */ 1794 1795 max_addtllen = drbg_max_addtl(drbg); 1796 max_request_bytes = drbg_max_request_bytes(drbg); 1797 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1798 /* overflow addtllen with additonal info string */ 1799 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1800 BUG_ON(0 < len); 1801 /* overflow max_bits */ 1802 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1803 BUG_ON(0 < len); 1804 1805 /* overflow max addtllen with personalization string */ 1806 ret = drbg_seed(drbg, &addtl, false); 1807 BUG_ON(0 == ret); 1808 /* all tests passed */ 1809 rc = 0; 1810 1811 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1812 "completed\n"); 1813 1814 kfree(drbg); 1815 return rc; 1816 } 1817 1818 static struct rng_alg drbg_algs[22]; 1819 1820 /* 1821 * Fill the array drbg_algs used to register the different DRBGs 1822 * with the kernel crypto API. To fill the array, the information 1823 * from drbg_cores[] is used. 1824 */ 1825 static inline void __init drbg_fill_array(struct rng_alg *alg, 1826 const struct drbg_core *core, int pr) 1827 { 1828 int pos = 0; 1829 static int priority = 200; 1830 1831 memcpy(alg->base.cra_name, "stdrng", 6); 1832 if (pr) { 1833 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1834 pos = 8; 1835 } else { 1836 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1837 pos = 10; 1838 } 1839 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1840 strlen(core->cra_name)); 1841 1842 alg->base.cra_priority = priority; 1843 priority++; 1844 /* 1845 * If FIPS mode enabled, the selected DRBG shall have the 1846 * highest cra_priority over other stdrng instances to ensure 1847 * it is selected. 1848 */ 1849 if (fips_enabled) 1850 alg->base.cra_priority += 200; 1851 1852 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1853 alg->base.cra_module = THIS_MODULE; 1854 alg->base.cra_init = drbg_kcapi_init; 1855 alg->base.cra_exit = drbg_kcapi_cleanup; 1856 alg->generate = drbg_kcapi_random; 1857 alg->seed = drbg_kcapi_seed; 1858 alg->set_ent = drbg_kcapi_set_entropy; 1859 alg->seedsize = 0; 1860 } 1861 1862 static int __init drbg_init(void) 1863 { 1864 unsigned int i = 0; /* pointer to drbg_algs */ 1865 unsigned int j = 0; /* pointer to drbg_cores */ 1866 int ret; 1867 1868 ret = drbg_healthcheck_sanity(); 1869 if (ret) 1870 return ret; 1871 1872 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1873 pr_info("DRBG: Cannot register all DRBG types" 1874 "(slots needed: %zu, slots available: %zu)\n", 1875 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1876 return -EFAULT; 1877 } 1878 1879 /* 1880 * each DRBG definition can be used with PR and without PR, thus 1881 * we instantiate each DRBG in drbg_cores[] twice. 1882 * 1883 * As the order of placing them into the drbg_algs array matters 1884 * (the later DRBGs receive a higher cra_priority) we register the 1885 * prediction resistance DRBGs first as the should not be too 1886 * interesting. 1887 */ 1888 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1889 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1890 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1891 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1892 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1893 } 1894 1895 static void __exit drbg_exit(void) 1896 { 1897 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1898 } 1899 1900 module_init(drbg_init); 1901 module_exit(drbg_exit); 1902 #ifndef CRYPTO_DRBG_HASH_STRING 1903 #define CRYPTO_DRBG_HASH_STRING "" 1904 #endif 1905 #ifndef CRYPTO_DRBG_HMAC_STRING 1906 #define CRYPTO_DRBG_HMAC_STRING "" 1907 #endif 1908 #ifndef CRYPTO_DRBG_CTR_STRING 1909 #define CRYPTO_DRBG_CTR_STRING "" 1910 #endif 1911 MODULE_LICENSE("GPL"); 1912 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1913 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1914 "using following cores: " 1915 CRYPTO_DRBG_HASH_STRING 1916 CRYPTO_DRBG_HMAC_STRING 1917 CRYPTO_DRBG_CTR_STRING); 1918 MODULE_ALIAS_CRYPTO("stdrng"); 1919 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 1920