1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/internal/cipher.h> 102 #include <linux/kernel.h> 103 #include <linux/jiffies.h> 104 105 /*************************************************************** 106 * Backend cipher definitions available to DRBG 107 ***************************************************************/ 108 109 /* 110 * The order of the DRBG definitions here matter: every DRBG is registered 111 * as stdrng. Each DRBG receives an increasing cra_priority values the later 112 * they are defined in this array (see drbg_fill_array). 113 * 114 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 115 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 116 * favored DRBGs are the latest entries in this array. 117 */ 118 static const struct drbg_core drbg_cores[] = { 119 #ifdef CONFIG_CRYPTO_DRBG_CTR 120 { 121 .flags = DRBG_CTR | DRBG_STRENGTH128, 122 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 123 .blocklen_bytes = 16, 124 .cra_name = "ctr_aes128", 125 .backend_cra_name = "aes", 126 }, { 127 .flags = DRBG_CTR | DRBG_STRENGTH192, 128 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 129 .blocklen_bytes = 16, 130 .cra_name = "ctr_aes192", 131 .backend_cra_name = "aes", 132 }, { 133 .flags = DRBG_CTR | DRBG_STRENGTH256, 134 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 135 .blocklen_bytes = 16, 136 .cra_name = "ctr_aes256", 137 .backend_cra_name = "aes", 138 }, 139 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 140 #ifdef CONFIG_CRYPTO_DRBG_HASH 141 { 142 .flags = DRBG_HASH | DRBG_STRENGTH128, 143 .statelen = 55, /* 440 bits */ 144 .blocklen_bytes = 20, 145 .cra_name = "sha1", 146 .backend_cra_name = "sha1", 147 }, { 148 .flags = DRBG_HASH | DRBG_STRENGTH256, 149 .statelen = 111, /* 888 bits */ 150 .blocklen_bytes = 48, 151 .cra_name = "sha384", 152 .backend_cra_name = "sha384", 153 }, { 154 .flags = DRBG_HASH | DRBG_STRENGTH256, 155 .statelen = 111, /* 888 bits */ 156 .blocklen_bytes = 64, 157 .cra_name = "sha512", 158 .backend_cra_name = "sha512", 159 }, { 160 .flags = DRBG_HASH | DRBG_STRENGTH256, 161 .statelen = 55, /* 440 bits */ 162 .blocklen_bytes = 32, 163 .cra_name = "sha256", 164 .backend_cra_name = "sha256", 165 }, 166 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 167 #ifdef CONFIG_CRYPTO_DRBG_HMAC 168 { 169 .flags = DRBG_HMAC | DRBG_STRENGTH128, 170 .statelen = 20, /* block length of cipher */ 171 .blocklen_bytes = 20, 172 .cra_name = "hmac_sha1", 173 .backend_cra_name = "hmac(sha1)", 174 }, { 175 .flags = DRBG_HMAC | DRBG_STRENGTH256, 176 .statelen = 48, /* block length of cipher */ 177 .blocklen_bytes = 48, 178 .cra_name = "hmac_sha384", 179 .backend_cra_name = "hmac(sha384)", 180 }, { 181 .flags = DRBG_HMAC | DRBG_STRENGTH256, 182 .statelen = 32, /* block length of cipher */ 183 .blocklen_bytes = 32, 184 .cra_name = "hmac_sha256", 185 .backend_cra_name = "hmac(sha256)", 186 }, { 187 .flags = DRBG_HMAC | DRBG_STRENGTH256, 188 .statelen = 64, /* block length of cipher */ 189 .blocklen_bytes = 64, 190 .cra_name = "hmac_sha512", 191 .backend_cra_name = "hmac(sha512)", 192 }, 193 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 194 }; 195 196 static int drbg_uninstantiate(struct drbg_state *drbg); 197 198 /****************************************************************** 199 * Generic helper functions 200 ******************************************************************/ 201 202 /* 203 * Return strength of DRBG according to SP800-90A section 8.4 204 * 205 * @flags DRBG flags reference 206 * 207 * Return: normalized strength in *bytes* value or 32 as default 208 * to counter programming errors 209 */ 210 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 211 { 212 switch (flags & DRBG_STRENGTH_MASK) { 213 case DRBG_STRENGTH128: 214 return 16; 215 case DRBG_STRENGTH192: 216 return 24; 217 case DRBG_STRENGTH256: 218 return 32; 219 default: 220 return 32; 221 } 222 } 223 224 /* 225 * FIPS 140-2 continuous self test for the noise source 226 * The test is performed on the noise source input data. Thus, the function 227 * implicitly knows the size of the buffer to be equal to the security 228 * strength. 229 * 230 * Note, this function disregards the nonce trailing the entropy data during 231 * initial seeding. 232 * 233 * drbg->drbg_mutex must have been taken. 234 * 235 * @drbg DRBG handle 236 * @entropy buffer of seed data to be checked 237 * 238 * return: 239 * 0 on success 240 * -EAGAIN on when the CTRNG is not yet primed 241 * < 0 on error 242 */ 243 static int drbg_fips_continuous_test(struct drbg_state *drbg, 244 const unsigned char *entropy) 245 { 246 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 247 int ret = 0; 248 249 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 250 return 0; 251 252 /* skip test if we test the overall system */ 253 if (list_empty(&drbg->test_data.list)) 254 return 0; 255 /* only perform test in FIPS mode */ 256 if (!fips_enabled) 257 return 0; 258 259 if (!drbg->fips_primed) { 260 /* Priming of FIPS test */ 261 memcpy(drbg->prev, entropy, entropylen); 262 drbg->fips_primed = true; 263 /* priming: another round is needed */ 264 return -EAGAIN; 265 } 266 ret = memcmp(drbg->prev, entropy, entropylen); 267 if (!ret) 268 panic("DRBG continuous self test failed\n"); 269 memcpy(drbg->prev, entropy, entropylen); 270 271 /* the test shall pass when the two values are not equal */ 272 return 0; 273 } 274 275 /* 276 * Convert an integer into a byte representation of this integer. 277 * The byte representation is big-endian 278 * 279 * @val value to be converted 280 * @buf buffer holding the converted integer -- caller must ensure that 281 * buffer size is at least 32 bit 282 */ 283 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 284 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 285 { 286 struct s { 287 __be32 conv; 288 }; 289 struct s *conversion = (struct s *) buf; 290 291 conversion->conv = cpu_to_be32(val); 292 } 293 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 294 295 /****************************************************************** 296 * CTR DRBG callback functions 297 ******************************************************************/ 298 299 #ifdef CONFIG_CRYPTO_DRBG_CTR 300 #define CRYPTO_DRBG_CTR_STRING "CTR " 301 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 302 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 303 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 304 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 305 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 306 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 307 308 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 309 const unsigned char *key); 310 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 311 const struct drbg_string *in); 312 static int drbg_init_sym_kernel(struct drbg_state *drbg); 313 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 314 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 315 u8 *inbuf, u32 inbuflen, 316 u8 *outbuf, u32 outlen); 317 #define DRBG_OUTSCRATCHLEN 256 318 319 /* BCC function for CTR DRBG as defined in 10.4.3 */ 320 static int drbg_ctr_bcc(struct drbg_state *drbg, 321 unsigned char *out, const unsigned char *key, 322 struct list_head *in) 323 { 324 int ret = 0; 325 struct drbg_string *curr = NULL; 326 struct drbg_string data; 327 short cnt = 0; 328 329 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 330 331 /* 10.4.3 step 2 / 4 */ 332 drbg_kcapi_symsetkey(drbg, key); 333 list_for_each_entry(curr, in, list) { 334 const unsigned char *pos = curr->buf; 335 size_t len = curr->len; 336 /* 10.4.3 step 4.1 */ 337 while (len) { 338 /* 10.4.3 step 4.2 */ 339 if (drbg_blocklen(drbg) == cnt) { 340 cnt = 0; 341 ret = drbg_kcapi_sym(drbg, out, &data); 342 if (ret) 343 return ret; 344 } 345 out[cnt] ^= *pos; 346 pos++; 347 cnt++; 348 len--; 349 } 350 } 351 /* 10.4.3 step 4.2 for last block */ 352 if (cnt) 353 ret = drbg_kcapi_sym(drbg, out, &data); 354 355 return ret; 356 } 357 358 /* 359 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 360 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 361 * the scratchpad is used as follows: 362 * drbg_ctr_update: 363 * temp 364 * start: drbg->scratchpad 365 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 366 * note: the cipher writing into this variable works 367 * blocklen-wise. Now, when the statelen is not a multiple 368 * of blocklen, the generateion loop below "spills over" 369 * by at most blocklen. Thus, we need to give sufficient 370 * memory. 371 * df_data 372 * start: drbg->scratchpad + 373 * drbg_statelen(drbg) + drbg_blocklen(drbg) 374 * length: drbg_statelen(drbg) 375 * 376 * drbg_ctr_df: 377 * pad 378 * start: df_data + drbg_statelen(drbg) 379 * length: drbg_blocklen(drbg) 380 * iv 381 * start: pad + drbg_blocklen(drbg) 382 * length: drbg_blocklen(drbg) 383 * temp 384 * start: iv + drbg_blocklen(drbg) 385 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 386 * note: temp is the buffer that the BCC function operates 387 * on. BCC operates blockwise. drbg_statelen(drbg) 388 * is sufficient when the DRBG state length is a multiple 389 * of the block size. For AES192 (and maybe other ciphers) 390 * this is not correct and the length for temp is 391 * insufficient (yes, that also means for such ciphers, 392 * the final output of all BCC rounds are truncated). 393 * Therefore, add drbg_blocklen(drbg) to cover all 394 * possibilities. 395 */ 396 397 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 398 static int drbg_ctr_df(struct drbg_state *drbg, 399 unsigned char *df_data, size_t bytes_to_return, 400 struct list_head *seedlist) 401 { 402 int ret = -EFAULT; 403 unsigned char L_N[8]; 404 /* S3 is input */ 405 struct drbg_string S1, S2, S4, cipherin; 406 LIST_HEAD(bcc_list); 407 unsigned char *pad = df_data + drbg_statelen(drbg); 408 unsigned char *iv = pad + drbg_blocklen(drbg); 409 unsigned char *temp = iv + drbg_blocklen(drbg); 410 size_t padlen = 0; 411 unsigned int templen = 0; 412 /* 10.4.2 step 7 */ 413 unsigned int i = 0; 414 /* 10.4.2 step 8 */ 415 const unsigned char *K = (unsigned char *) 416 "\x00\x01\x02\x03\x04\x05\x06\x07" 417 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 418 "\x10\x11\x12\x13\x14\x15\x16\x17" 419 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 420 unsigned char *X; 421 size_t generated_len = 0; 422 size_t inputlen = 0; 423 struct drbg_string *seed = NULL; 424 425 memset(pad, 0, drbg_blocklen(drbg)); 426 memset(iv, 0, drbg_blocklen(drbg)); 427 428 /* 10.4.2 step 1 is implicit as we work byte-wise */ 429 430 /* 10.4.2 step 2 */ 431 if ((512/8) < bytes_to_return) 432 return -EINVAL; 433 434 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 435 list_for_each_entry(seed, seedlist, list) 436 inputlen += seed->len; 437 drbg_cpu_to_be32(inputlen, &L_N[0]); 438 439 /* 10.4.2 step 3 */ 440 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 441 442 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 443 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 444 /* wrap the padlen appropriately */ 445 if (padlen) 446 padlen = drbg_blocklen(drbg) - padlen; 447 /* 448 * pad / padlen contains the 0x80 byte and the following zero bytes. 449 * As the calculated padlen value only covers the number of zero 450 * bytes, this value has to be incremented by one for the 0x80 byte. 451 */ 452 padlen++; 453 pad[0] = 0x80; 454 455 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 456 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 457 list_add_tail(&S1.list, &bcc_list); 458 drbg_string_fill(&S2, L_N, sizeof(L_N)); 459 list_add_tail(&S2.list, &bcc_list); 460 list_splice_tail(seedlist, &bcc_list); 461 drbg_string_fill(&S4, pad, padlen); 462 list_add_tail(&S4.list, &bcc_list); 463 464 /* 10.4.2 step 9 */ 465 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 466 /* 467 * 10.4.2 step 9.1 - the padding is implicit as the buffer 468 * holds zeros after allocation -- even the increment of i 469 * is irrelevant as the increment remains within length of i 470 */ 471 drbg_cpu_to_be32(i, iv); 472 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 473 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 474 if (ret) 475 goto out; 476 /* 10.4.2 step 9.3 */ 477 i++; 478 templen += drbg_blocklen(drbg); 479 } 480 481 /* 10.4.2 step 11 */ 482 X = temp + (drbg_keylen(drbg)); 483 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 484 485 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 486 487 /* 10.4.2 step 13 */ 488 drbg_kcapi_symsetkey(drbg, temp); 489 while (generated_len < bytes_to_return) { 490 short blocklen = 0; 491 /* 492 * 10.4.2 step 13.1: the truncation of the key length is 493 * implicit as the key is only drbg_blocklen in size based on 494 * the implementation of the cipher function callback 495 */ 496 ret = drbg_kcapi_sym(drbg, X, &cipherin); 497 if (ret) 498 goto out; 499 blocklen = (drbg_blocklen(drbg) < 500 (bytes_to_return - generated_len)) ? 501 drbg_blocklen(drbg) : 502 (bytes_to_return - generated_len); 503 /* 10.4.2 step 13.2 and 14 */ 504 memcpy(df_data + generated_len, X, blocklen); 505 generated_len += blocklen; 506 } 507 508 ret = 0; 509 510 out: 511 memset(iv, 0, drbg_blocklen(drbg)); 512 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 513 memset(pad, 0, drbg_blocklen(drbg)); 514 return ret; 515 } 516 517 /* 518 * update function of CTR DRBG as defined in 10.2.1.2 519 * 520 * The reseed variable has an enhanced meaning compared to the update 521 * functions of the other DRBGs as follows: 522 * 0 => initial seed from initialization 523 * 1 => reseed via drbg_seed 524 * 2 => first invocation from drbg_ctr_update when addtl is present. In 525 * this case, the df_data scratchpad is not deleted so that it is 526 * available for another calls to prevent calling the DF function 527 * again. 528 * 3 => second invocation from drbg_ctr_update. When the update function 529 * was called with addtl, the df_data memory already contains the 530 * DFed addtl information and we do not need to call DF again. 531 */ 532 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 533 int reseed) 534 { 535 int ret = -EFAULT; 536 /* 10.2.1.2 step 1 */ 537 unsigned char *temp = drbg->scratchpad; 538 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 539 drbg_blocklen(drbg); 540 541 if (3 > reseed) 542 memset(df_data, 0, drbg_statelen(drbg)); 543 544 if (!reseed) { 545 /* 546 * The DRBG uses the CTR mode of the underlying AES cipher. The 547 * CTR mode increments the counter value after the AES operation 548 * but SP800-90A requires that the counter is incremented before 549 * the AES operation. Hence, we increment it at the time we set 550 * it by one. 551 */ 552 crypto_inc(drbg->V, drbg_blocklen(drbg)); 553 554 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 555 drbg_keylen(drbg)); 556 if (ret) 557 goto out; 558 } 559 560 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 561 if (seed) { 562 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 563 if (ret) 564 goto out; 565 } 566 567 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 568 temp, drbg_statelen(drbg)); 569 if (ret) 570 return ret; 571 572 /* 10.2.1.2 step 5 */ 573 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 574 drbg_keylen(drbg)); 575 if (ret) 576 goto out; 577 /* 10.2.1.2 step 6 */ 578 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 579 /* See above: increment counter by one to compensate timing of CTR op */ 580 crypto_inc(drbg->V, drbg_blocklen(drbg)); 581 ret = 0; 582 583 out: 584 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 585 if (2 != reseed) 586 memset(df_data, 0, drbg_statelen(drbg)); 587 return ret; 588 } 589 590 /* 591 * scratchpad use: drbg_ctr_update is called independently from 592 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 593 */ 594 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 595 static int drbg_ctr_generate(struct drbg_state *drbg, 596 unsigned char *buf, unsigned int buflen, 597 struct list_head *addtl) 598 { 599 int ret; 600 int len = min_t(int, buflen, INT_MAX); 601 602 /* 10.2.1.5.2 step 2 */ 603 if (addtl && !list_empty(addtl)) { 604 ret = drbg_ctr_update(drbg, addtl, 2); 605 if (ret) 606 return 0; 607 } 608 609 /* 10.2.1.5.2 step 4.1 */ 610 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 611 if (ret) 612 return ret; 613 614 /* 10.2.1.5.2 step 6 */ 615 ret = drbg_ctr_update(drbg, NULL, 3); 616 if (ret) 617 len = ret; 618 619 return len; 620 } 621 622 static const struct drbg_state_ops drbg_ctr_ops = { 623 .update = drbg_ctr_update, 624 .generate = drbg_ctr_generate, 625 .crypto_init = drbg_init_sym_kernel, 626 .crypto_fini = drbg_fini_sym_kernel, 627 }; 628 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 629 630 /****************************************************************** 631 * HMAC DRBG callback functions 632 ******************************************************************/ 633 634 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 635 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 636 const struct list_head *in); 637 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 638 const unsigned char *key); 639 static int drbg_init_hash_kernel(struct drbg_state *drbg); 640 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 641 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 642 643 #ifdef CONFIG_CRYPTO_DRBG_HMAC 644 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 645 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 646 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 647 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 648 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 649 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 650 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 651 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 652 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 653 654 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 655 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 656 int reseed) 657 { 658 int ret = -EFAULT; 659 int i = 0; 660 struct drbg_string seed1, seed2, vdata; 661 LIST_HEAD(seedlist); 662 LIST_HEAD(vdatalist); 663 664 if (!reseed) { 665 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 666 memset(drbg->V, 1, drbg_statelen(drbg)); 667 drbg_kcapi_hmacsetkey(drbg, drbg->C); 668 } 669 670 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 671 list_add_tail(&seed1.list, &seedlist); 672 /* buffer of seed2 will be filled in for loop below with one byte */ 673 drbg_string_fill(&seed2, NULL, 1); 674 list_add_tail(&seed2.list, &seedlist); 675 /* input data of seed is allowed to be NULL at this point */ 676 if (seed) 677 list_splice_tail(seed, &seedlist); 678 679 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 680 list_add_tail(&vdata.list, &vdatalist); 681 for (i = 2; 0 < i; i--) { 682 /* first round uses 0x0, second 0x1 */ 683 unsigned char prefix = DRBG_PREFIX0; 684 if (1 == i) 685 prefix = DRBG_PREFIX1; 686 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 687 seed2.buf = &prefix; 688 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 689 if (ret) 690 return ret; 691 drbg_kcapi_hmacsetkey(drbg, drbg->C); 692 693 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 694 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 695 if (ret) 696 return ret; 697 698 /* 10.1.2.2 step 3 */ 699 if (!seed) 700 return ret; 701 } 702 703 return 0; 704 } 705 706 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 707 static int drbg_hmac_generate(struct drbg_state *drbg, 708 unsigned char *buf, 709 unsigned int buflen, 710 struct list_head *addtl) 711 { 712 int len = 0; 713 int ret = 0; 714 struct drbg_string data; 715 LIST_HEAD(datalist); 716 717 /* 10.1.2.5 step 2 */ 718 if (addtl && !list_empty(addtl)) { 719 ret = drbg_hmac_update(drbg, addtl, 1); 720 if (ret) 721 return ret; 722 } 723 724 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 725 list_add_tail(&data.list, &datalist); 726 while (len < buflen) { 727 unsigned int outlen = 0; 728 /* 10.1.2.5 step 4.1 */ 729 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 730 if (ret) 731 return ret; 732 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 733 drbg_blocklen(drbg) : (buflen - len); 734 735 /* 10.1.2.5 step 4.2 */ 736 memcpy(buf + len, drbg->V, outlen); 737 len += outlen; 738 } 739 740 /* 10.1.2.5 step 6 */ 741 if (addtl && !list_empty(addtl)) 742 ret = drbg_hmac_update(drbg, addtl, 1); 743 else 744 ret = drbg_hmac_update(drbg, NULL, 1); 745 if (ret) 746 return ret; 747 748 return len; 749 } 750 751 static const struct drbg_state_ops drbg_hmac_ops = { 752 .update = drbg_hmac_update, 753 .generate = drbg_hmac_generate, 754 .crypto_init = drbg_init_hash_kernel, 755 .crypto_fini = drbg_fini_hash_kernel, 756 }; 757 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 758 759 /****************************************************************** 760 * Hash DRBG callback functions 761 ******************************************************************/ 762 763 #ifdef CONFIG_CRYPTO_DRBG_HASH 764 #define CRYPTO_DRBG_HASH_STRING "HASH " 765 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 766 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 767 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 768 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 769 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 770 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 771 MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 772 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 773 774 /* 775 * Increment buffer 776 * 777 * @dst buffer to increment 778 * @add value to add 779 */ 780 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 781 const unsigned char *add, size_t addlen) 782 { 783 /* implied: dstlen > addlen */ 784 unsigned char *dstptr; 785 const unsigned char *addptr; 786 unsigned int remainder = 0; 787 size_t len = addlen; 788 789 dstptr = dst + (dstlen-1); 790 addptr = add + (addlen-1); 791 while (len) { 792 remainder += *dstptr + *addptr; 793 *dstptr = remainder & 0xff; 794 remainder >>= 8; 795 len--; dstptr--; addptr--; 796 } 797 len = dstlen - addlen; 798 while (len && remainder > 0) { 799 remainder = *dstptr + 1; 800 *dstptr = remainder & 0xff; 801 remainder >>= 8; 802 len--; dstptr--; 803 } 804 } 805 806 /* 807 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 808 * interlinked, the scratchpad is used as follows: 809 * drbg_hash_update 810 * start: drbg->scratchpad 811 * length: drbg_statelen(drbg) 812 * drbg_hash_df: 813 * start: drbg->scratchpad + drbg_statelen(drbg) 814 * length: drbg_blocklen(drbg) 815 * 816 * drbg_hash_process_addtl uses the scratchpad, but fully completes 817 * before either of the functions mentioned before are invoked. Therefore, 818 * drbg_hash_process_addtl does not need to be specifically considered. 819 */ 820 821 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 822 static int drbg_hash_df(struct drbg_state *drbg, 823 unsigned char *outval, size_t outlen, 824 struct list_head *entropylist) 825 { 826 int ret = 0; 827 size_t len = 0; 828 unsigned char input[5]; 829 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 830 struct drbg_string data; 831 832 /* 10.4.1 step 3 */ 833 input[0] = 1; 834 drbg_cpu_to_be32((outlen * 8), &input[1]); 835 836 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 837 drbg_string_fill(&data, input, 5); 838 list_add(&data.list, entropylist); 839 840 /* 10.4.1 step 4 */ 841 while (len < outlen) { 842 short blocklen = 0; 843 /* 10.4.1 step 4.1 */ 844 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 845 if (ret) 846 goto out; 847 /* 10.4.1 step 4.2 */ 848 input[0]++; 849 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 850 drbg_blocklen(drbg) : (outlen - len); 851 memcpy(outval + len, tmp, blocklen); 852 len += blocklen; 853 } 854 855 out: 856 memset(tmp, 0, drbg_blocklen(drbg)); 857 return ret; 858 } 859 860 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 861 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 862 int reseed) 863 { 864 int ret = 0; 865 struct drbg_string data1, data2; 866 LIST_HEAD(datalist); 867 LIST_HEAD(datalist2); 868 unsigned char *V = drbg->scratchpad; 869 unsigned char prefix = DRBG_PREFIX1; 870 871 if (!seed) 872 return -EINVAL; 873 874 if (reseed) { 875 /* 10.1.1.3 step 1 */ 876 memcpy(V, drbg->V, drbg_statelen(drbg)); 877 drbg_string_fill(&data1, &prefix, 1); 878 list_add_tail(&data1.list, &datalist); 879 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 880 list_add_tail(&data2.list, &datalist); 881 } 882 list_splice_tail(seed, &datalist); 883 884 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 885 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 886 if (ret) 887 goto out; 888 889 /* 10.1.1.2 / 10.1.1.3 step 4 */ 890 prefix = DRBG_PREFIX0; 891 drbg_string_fill(&data1, &prefix, 1); 892 list_add_tail(&data1.list, &datalist2); 893 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 894 list_add_tail(&data2.list, &datalist2); 895 /* 10.1.1.2 / 10.1.1.3 step 4 */ 896 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 897 898 out: 899 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 900 return ret; 901 } 902 903 /* processing of additional information string for Hash DRBG */ 904 static int drbg_hash_process_addtl(struct drbg_state *drbg, 905 struct list_head *addtl) 906 { 907 int ret = 0; 908 struct drbg_string data1, data2; 909 LIST_HEAD(datalist); 910 unsigned char prefix = DRBG_PREFIX2; 911 912 /* 10.1.1.4 step 2 */ 913 if (!addtl || list_empty(addtl)) 914 return 0; 915 916 /* 10.1.1.4 step 2a */ 917 drbg_string_fill(&data1, &prefix, 1); 918 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 919 list_add_tail(&data1.list, &datalist); 920 list_add_tail(&data2.list, &datalist); 921 list_splice_tail(addtl, &datalist); 922 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 923 if (ret) 924 goto out; 925 926 /* 10.1.1.4 step 2b */ 927 drbg_add_buf(drbg->V, drbg_statelen(drbg), 928 drbg->scratchpad, drbg_blocklen(drbg)); 929 930 out: 931 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 932 return ret; 933 } 934 935 /* Hashgen defined in 10.1.1.4 */ 936 static int drbg_hash_hashgen(struct drbg_state *drbg, 937 unsigned char *buf, 938 unsigned int buflen) 939 { 940 int len = 0; 941 int ret = 0; 942 unsigned char *src = drbg->scratchpad; 943 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 944 struct drbg_string data; 945 LIST_HEAD(datalist); 946 947 /* 10.1.1.4 step hashgen 2 */ 948 memcpy(src, drbg->V, drbg_statelen(drbg)); 949 950 drbg_string_fill(&data, src, drbg_statelen(drbg)); 951 list_add_tail(&data.list, &datalist); 952 while (len < buflen) { 953 unsigned int outlen = 0; 954 /* 10.1.1.4 step hashgen 4.1 */ 955 ret = drbg_kcapi_hash(drbg, dst, &datalist); 956 if (ret) { 957 len = ret; 958 goto out; 959 } 960 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 961 drbg_blocklen(drbg) : (buflen - len); 962 /* 10.1.1.4 step hashgen 4.2 */ 963 memcpy(buf + len, dst, outlen); 964 len += outlen; 965 /* 10.1.1.4 hashgen step 4.3 */ 966 if (len < buflen) 967 crypto_inc(src, drbg_statelen(drbg)); 968 } 969 970 out: 971 memset(drbg->scratchpad, 0, 972 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 973 return len; 974 } 975 976 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 977 static int drbg_hash_generate(struct drbg_state *drbg, 978 unsigned char *buf, unsigned int buflen, 979 struct list_head *addtl) 980 { 981 int len = 0; 982 int ret = 0; 983 union { 984 unsigned char req[8]; 985 __be64 req_int; 986 } u; 987 unsigned char prefix = DRBG_PREFIX3; 988 struct drbg_string data1, data2; 989 LIST_HEAD(datalist); 990 991 /* 10.1.1.4 step 2 */ 992 ret = drbg_hash_process_addtl(drbg, addtl); 993 if (ret) 994 return ret; 995 /* 10.1.1.4 step 3 */ 996 len = drbg_hash_hashgen(drbg, buf, buflen); 997 998 /* this is the value H as documented in 10.1.1.4 */ 999 /* 10.1.1.4 step 4 */ 1000 drbg_string_fill(&data1, &prefix, 1); 1001 list_add_tail(&data1.list, &datalist); 1002 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1003 list_add_tail(&data2.list, &datalist); 1004 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 1005 if (ret) { 1006 len = ret; 1007 goto out; 1008 } 1009 1010 /* 10.1.1.4 step 5 */ 1011 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1012 drbg->scratchpad, drbg_blocklen(drbg)); 1013 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1014 drbg->C, drbg_statelen(drbg)); 1015 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1016 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1017 1018 out: 1019 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1020 return len; 1021 } 1022 1023 /* 1024 * scratchpad usage: as update and generate are used isolated, both 1025 * can use the scratchpad 1026 */ 1027 static const struct drbg_state_ops drbg_hash_ops = { 1028 .update = drbg_hash_update, 1029 .generate = drbg_hash_generate, 1030 .crypto_init = drbg_init_hash_kernel, 1031 .crypto_fini = drbg_fini_hash_kernel, 1032 }; 1033 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1034 1035 /****************************************************************** 1036 * Functions common for DRBG implementations 1037 ******************************************************************/ 1038 1039 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1040 int reseed, enum drbg_seed_state new_seed_state) 1041 { 1042 int ret = drbg->d_ops->update(drbg, seed, reseed); 1043 1044 if (ret) 1045 return ret; 1046 1047 drbg->seeded = new_seed_state; 1048 drbg->last_seed_time = jiffies; 1049 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1050 drbg->reseed_ctr = 1; 1051 1052 switch (drbg->seeded) { 1053 case DRBG_SEED_STATE_UNSEEDED: 1054 /* Impossible, but handle it to silence compiler warnings. */ 1055 fallthrough; 1056 case DRBG_SEED_STATE_PARTIAL: 1057 /* 1058 * Require frequent reseeds until the seed source is 1059 * fully initialized. 1060 */ 1061 drbg->reseed_threshold = 50; 1062 break; 1063 1064 case DRBG_SEED_STATE_FULL: 1065 /* 1066 * Seed source has become fully initialized, frequent 1067 * reseeds no longer required. 1068 */ 1069 drbg->reseed_threshold = drbg_max_requests(drbg); 1070 break; 1071 } 1072 1073 return ret; 1074 } 1075 1076 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 1077 unsigned char *entropy, 1078 unsigned int entropylen) 1079 { 1080 int ret; 1081 1082 do { 1083 get_random_bytes(entropy, entropylen); 1084 ret = drbg_fips_continuous_test(drbg, entropy); 1085 if (ret && ret != -EAGAIN) 1086 return ret; 1087 } while (ret); 1088 1089 return 0; 1090 } 1091 1092 static int drbg_seed_from_random(struct drbg_state *drbg) 1093 { 1094 struct drbg_string data; 1095 LIST_HEAD(seedlist); 1096 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1097 unsigned char entropy[32]; 1098 int ret; 1099 1100 BUG_ON(!entropylen); 1101 BUG_ON(entropylen > sizeof(entropy)); 1102 1103 drbg_string_fill(&data, entropy, entropylen); 1104 list_add_tail(&data.list, &seedlist); 1105 1106 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1107 if (ret) 1108 goto out; 1109 1110 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 1111 1112 out: 1113 memzero_explicit(entropy, entropylen); 1114 return ret; 1115 } 1116 1117 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 1118 { 1119 unsigned long next_reseed; 1120 1121 /* Don't ever reseed from get_random_bytes() in test mode. */ 1122 if (list_empty(&drbg->test_data.list)) 1123 return false; 1124 1125 /* 1126 * Obtain fresh entropy for the nopr DRBGs after 300s have 1127 * elapsed in order to still achieve sort of partial 1128 * prediction resistance over the time domain at least. Note 1129 * that the period of 300s has been chosen to match the 1130 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 1131 * rngs. 1132 */ 1133 next_reseed = drbg->last_seed_time + 300 * HZ; 1134 return time_after(jiffies, next_reseed); 1135 } 1136 1137 /* 1138 * Seeding or reseeding of the DRBG 1139 * 1140 * @drbg: DRBG state struct 1141 * @pers: personalization / additional information buffer 1142 * @reseed: 0 for initial seed process, 1 for reseeding 1143 * 1144 * return: 1145 * 0 on success 1146 * error value otherwise 1147 */ 1148 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1149 bool reseed) 1150 { 1151 int ret; 1152 unsigned char entropy[((32 + 16) * 2)]; 1153 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1154 struct drbg_string data1; 1155 LIST_HEAD(seedlist); 1156 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 1157 1158 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1159 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1160 pr_devel("DRBG: personalization string too long %zu\n", 1161 pers->len); 1162 return -EINVAL; 1163 } 1164 1165 if (list_empty(&drbg->test_data.list)) { 1166 drbg_string_fill(&data1, drbg->test_data.buf, 1167 drbg->test_data.len); 1168 pr_devel("DRBG: using test entropy\n"); 1169 } else { 1170 /* 1171 * Gather entropy equal to the security strength of the DRBG. 1172 * With a derivation function, a nonce is required in addition 1173 * to the entropy. A nonce must be at least 1/2 of the security 1174 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1175 * of the strength. The consideration of a nonce is only 1176 * applicable during initial seeding. 1177 */ 1178 BUG_ON(!entropylen); 1179 if (!reseed) 1180 entropylen = ((entropylen + 1) / 2) * 3; 1181 BUG_ON((entropylen * 2) > sizeof(entropy)); 1182 1183 /* Get seed from in-kernel /dev/urandom */ 1184 if (!rng_is_initialized()) 1185 new_seed_state = DRBG_SEED_STATE_PARTIAL; 1186 1187 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1188 if (ret) 1189 goto out; 1190 1191 if (!drbg->jent) { 1192 drbg_string_fill(&data1, entropy, entropylen); 1193 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1194 entropylen); 1195 } else { 1196 /* 1197 * Get seed from Jitter RNG, failures are 1198 * fatal only in FIPS mode. 1199 */ 1200 ret = crypto_rng_get_bytes(drbg->jent, 1201 entropy + entropylen, 1202 entropylen); 1203 if (fips_enabled && ret) { 1204 pr_devel("DRBG: jent failed with %d\n", ret); 1205 1206 /* 1207 * Do not treat the transient failure of the 1208 * Jitter RNG as an error that needs to be 1209 * reported. The combined number of the 1210 * maximum reseed threshold times the maximum 1211 * number of Jitter RNG transient errors is 1212 * less than the reseed threshold required by 1213 * SP800-90A allowing us to treat the 1214 * transient errors as such. 1215 * 1216 * However, we mandate that at least the first 1217 * seeding operation must succeed with the 1218 * Jitter RNG. 1219 */ 1220 if (!reseed || ret != -EAGAIN) 1221 goto out; 1222 } 1223 1224 drbg_string_fill(&data1, entropy, entropylen * 2); 1225 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1226 entropylen * 2); 1227 } 1228 } 1229 list_add_tail(&data1.list, &seedlist); 1230 1231 /* 1232 * concatenation of entropy with personalization str / addtl input) 1233 * the variable pers is directly handed in by the caller, so check its 1234 * contents whether it is appropriate 1235 */ 1236 if (pers && pers->buf && 0 < pers->len) { 1237 list_add_tail(&pers->list, &seedlist); 1238 pr_devel("DRBG: using personalization string\n"); 1239 } 1240 1241 if (!reseed) { 1242 memset(drbg->V, 0, drbg_statelen(drbg)); 1243 memset(drbg->C, 0, drbg_statelen(drbg)); 1244 } 1245 1246 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1247 1248 out: 1249 memzero_explicit(entropy, entropylen * 2); 1250 1251 return ret; 1252 } 1253 1254 /* Free all substructures in a DRBG state without the DRBG state structure */ 1255 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1256 { 1257 if (!drbg) 1258 return; 1259 kfree_sensitive(drbg->Vbuf); 1260 drbg->Vbuf = NULL; 1261 drbg->V = NULL; 1262 kfree_sensitive(drbg->Cbuf); 1263 drbg->Cbuf = NULL; 1264 drbg->C = NULL; 1265 kfree_sensitive(drbg->scratchpadbuf); 1266 drbg->scratchpadbuf = NULL; 1267 drbg->reseed_ctr = 0; 1268 drbg->d_ops = NULL; 1269 drbg->core = NULL; 1270 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1271 kfree_sensitive(drbg->prev); 1272 drbg->prev = NULL; 1273 drbg->fips_primed = false; 1274 } 1275 } 1276 1277 /* 1278 * Allocate all sub-structures for a DRBG state. 1279 * The DRBG state structure must already be allocated. 1280 */ 1281 static inline int drbg_alloc_state(struct drbg_state *drbg) 1282 { 1283 int ret = -ENOMEM; 1284 unsigned int sb_size = 0; 1285 1286 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1287 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1288 case DRBG_HMAC: 1289 drbg->d_ops = &drbg_hmac_ops; 1290 break; 1291 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1292 #ifdef CONFIG_CRYPTO_DRBG_HASH 1293 case DRBG_HASH: 1294 drbg->d_ops = &drbg_hash_ops; 1295 break; 1296 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1297 #ifdef CONFIG_CRYPTO_DRBG_CTR 1298 case DRBG_CTR: 1299 drbg->d_ops = &drbg_ctr_ops; 1300 break; 1301 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1302 default: 1303 ret = -EOPNOTSUPP; 1304 goto err; 1305 } 1306 1307 ret = drbg->d_ops->crypto_init(drbg); 1308 if (ret < 0) 1309 goto err; 1310 1311 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1312 if (!drbg->Vbuf) { 1313 ret = -ENOMEM; 1314 goto fini; 1315 } 1316 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1317 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1318 if (!drbg->Cbuf) { 1319 ret = -ENOMEM; 1320 goto fini; 1321 } 1322 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1323 /* scratchpad is only generated for CTR and Hash */ 1324 if (drbg->core->flags & DRBG_HMAC) 1325 sb_size = 0; 1326 else if (drbg->core->flags & DRBG_CTR) 1327 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1328 drbg_statelen(drbg) + /* df_data */ 1329 drbg_blocklen(drbg) + /* pad */ 1330 drbg_blocklen(drbg) + /* iv */ 1331 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1332 else 1333 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1334 1335 if (0 < sb_size) { 1336 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1337 if (!drbg->scratchpadbuf) { 1338 ret = -ENOMEM; 1339 goto fini; 1340 } 1341 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1342 } 1343 1344 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1345 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1346 GFP_KERNEL); 1347 if (!drbg->prev) { 1348 ret = -ENOMEM; 1349 goto fini; 1350 } 1351 drbg->fips_primed = false; 1352 } 1353 1354 return 0; 1355 1356 fini: 1357 drbg->d_ops->crypto_fini(drbg); 1358 err: 1359 drbg_dealloc_state(drbg); 1360 return ret; 1361 } 1362 1363 /************************************************************************* 1364 * DRBG interface functions 1365 *************************************************************************/ 1366 1367 /* 1368 * DRBG generate function as required by SP800-90A - this function 1369 * generates random numbers 1370 * 1371 * @drbg DRBG state handle 1372 * @buf Buffer where to store the random numbers -- the buffer must already 1373 * be pre-allocated by caller 1374 * @buflen Length of output buffer - this value defines the number of random 1375 * bytes pulled from DRBG 1376 * @addtl Additional input that is mixed into state, may be NULL -- note 1377 * the entropy is pulled by the DRBG internally unconditionally 1378 * as defined in SP800-90A. The additional input is mixed into 1379 * the state in addition to the pulled entropy. 1380 * 1381 * return: 0 when all bytes are generated; < 0 in case of an error 1382 */ 1383 static int drbg_generate(struct drbg_state *drbg, 1384 unsigned char *buf, unsigned int buflen, 1385 struct drbg_string *addtl) 1386 { 1387 int len = 0; 1388 LIST_HEAD(addtllist); 1389 1390 if (!drbg->core) { 1391 pr_devel("DRBG: not yet seeded\n"); 1392 return -EINVAL; 1393 } 1394 if (0 == buflen || !buf) { 1395 pr_devel("DRBG: no output buffer provided\n"); 1396 return -EINVAL; 1397 } 1398 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1399 pr_devel("DRBG: wrong format of additional information\n"); 1400 return -EINVAL; 1401 } 1402 1403 /* 9.3.1 step 2 */ 1404 len = -EINVAL; 1405 if (buflen > (drbg_max_request_bytes(drbg))) { 1406 pr_devel("DRBG: requested random numbers too large %u\n", 1407 buflen); 1408 goto err; 1409 } 1410 1411 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1412 1413 /* 9.3.1 step 4 */ 1414 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1415 pr_devel("DRBG: additional information string too long %zu\n", 1416 addtl->len); 1417 goto err; 1418 } 1419 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1420 1421 /* 1422 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1423 * here. The spec is a bit convoluted here, we make it simpler. 1424 */ 1425 if (drbg->reseed_threshold < drbg->reseed_ctr) 1426 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1427 1428 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1429 pr_devel("DRBG: reseeding before generation (prediction " 1430 "resistance: %s, state %s)\n", 1431 drbg->pr ? "true" : "false", 1432 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1433 "seeded" : "unseeded")); 1434 /* 9.3.1 steps 7.1 through 7.3 */ 1435 len = drbg_seed(drbg, addtl, true); 1436 if (len) 1437 goto err; 1438 /* 9.3.1 step 7.4 */ 1439 addtl = NULL; 1440 } else if (rng_is_initialized() && 1441 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1442 drbg_nopr_reseed_interval_elapsed(drbg))) { 1443 len = drbg_seed_from_random(drbg); 1444 if (len) 1445 goto err; 1446 } 1447 1448 if (addtl && 0 < addtl->len) 1449 list_add_tail(&addtl->list, &addtllist); 1450 /* 9.3.1 step 8 and 10 */ 1451 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1452 1453 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1454 drbg->reseed_ctr++; 1455 if (0 >= len) 1456 goto err; 1457 1458 /* 1459 * Section 11.3.3 requires to re-perform self tests after some 1460 * generated random numbers. The chosen value after which self 1461 * test is performed is arbitrary, but it should be reasonable. 1462 * However, we do not perform the self tests because of the following 1463 * reasons: it is mathematically impossible that the initial self tests 1464 * were successfully and the following are not. If the initial would 1465 * pass and the following would not, the kernel integrity is violated. 1466 * In this case, the entire kernel operation is questionable and it 1467 * is unlikely that the integrity violation only affects the 1468 * correct operation of the DRBG. 1469 * 1470 * Albeit the following code is commented out, it is provided in 1471 * case somebody has a need to implement the test of 11.3.3. 1472 */ 1473 #if 0 1474 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1475 int err = 0; 1476 pr_devel("DRBG: start to perform self test\n"); 1477 if (drbg->core->flags & DRBG_HMAC) 1478 err = alg_test("drbg_pr_hmac_sha512", 1479 "drbg_pr_hmac_sha512", 0, 0); 1480 else if (drbg->core->flags & DRBG_CTR) 1481 err = alg_test("drbg_pr_ctr_aes256", 1482 "drbg_pr_ctr_aes256", 0, 0); 1483 else 1484 err = alg_test("drbg_pr_sha256", 1485 "drbg_pr_sha256", 0, 0); 1486 if (err) { 1487 pr_err("DRBG: periodical self test failed\n"); 1488 /* 1489 * uninstantiate implies that from now on, only errors 1490 * are returned when reusing this DRBG cipher handle 1491 */ 1492 drbg_uninstantiate(drbg); 1493 return 0; 1494 } else { 1495 pr_devel("DRBG: self test successful\n"); 1496 } 1497 } 1498 #endif 1499 1500 /* 1501 * All operations were successful, return 0 as mandated by 1502 * the kernel crypto API interface. 1503 */ 1504 len = 0; 1505 err: 1506 return len; 1507 } 1508 1509 /* 1510 * Wrapper around drbg_generate which can pull arbitrary long strings 1511 * from the DRBG without hitting the maximum request limitation. 1512 * 1513 * Parameters: see drbg_generate 1514 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1515 * the entire drbg_generate_long request fails 1516 */ 1517 static int drbg_generate_long(struct drbg_state *drbg, 1518 unsigned char *buf, unsigned int buflen, 1519 struct drbg_string *addtl) 1520 { 1521 unsigned int len = 0; 1522 unsigned int slice = 0; 1523 do { 1524 int err = 0; 1525 unsigned int chunk = 0; 1526 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1527 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1528 mutex_lock(&drbg->drbg_mutex); 1529 err = drbg_generate(drbg, buf + len, chunk, addtl); 1530 mutex_unlock(&drbg->drbg_mutex); 1531 if (0 > err) 1532 return err; 1533 len += chunk; 1534 } while (slice > 0 && (len < buflen)); 1535 return 0; 1536 } 1537 1538 static int drbg_prepare_hrng(struct drbg_state *drbg) 1539 { 1540 /* We do not need an HRNG in test mode. */ 1541 if (list_empty(&drbg->test_data.list)) 1542 return 0; 1543 1544 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1545 if (IS_ERR(drbg->jent)) { 1546 const int err = PTR_ERR(drbg->jent); 1547 1548 drbg->jent = NULL; 1549 if (fips_enabled) 1550 return err; 1551 pr_info("DRBG: Continuing without Jitter RNG\n"); 1552 } 1553 1554 return 0; 1555 } 1556 1557 /* 1558 * DRBG instantiation function as required by SP800-90A - this function 1559 * sets up the DRBG handle, performs the initial seeding and all sanity 1560 * checks required by SP800-90A 1561 * 1562 * @drbg memory of state -- if NULL, new memory is allocated 1563 * @pers Personalization string that is mixed into state, may be NULL -- note 1564 * the entropy is pulled by the DRBG internally unconditionally 1565 * as defined in SP800-90A. The additional input is mixed into 1566 * the state in addition to the pulled entropy. 1567 * @coreref reference to core 1568 * @pr prediction resistance enabled 1569 * 1570 * return 1571 * 0 on success 1572 * error value otherwise 1573 */ 1574 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1575 int coreref, bool pr) 1576 { 1577 int ret; 1578 bool reseed = true; 1579 1580 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1581 "%s\n", coreref, pr ? "enabled" : "disabled"); 1582 mutex_lock(&drbg->drbg_mutex); 1583 1584 /* 9.1 step 1 is implicit with the selected DRBG type */ 1585 1586 /* 1587 * 9.1 step 2 is implicit as caller can select prediction resistance 1588 * and the flag is copied into drbg->flags -- 1589 * all DRBG types support prediction resistance 1590 */ 1591 1592 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1593 1594 if (!drbg->core) { 1595 drbg->core = &drbg_cores[coreref]; 1596 drbg->pr = pr; 1597 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1598 drbg->last_seed_time = 0; 1599 drbg->reseed_threshold = drbg_max_requests(drbg); 1600 1601 ret = drbg_alloc_state(drbg); 1602 if (ret) 1603 goto unlock; 1604 1605 ret = drbg_prepare_hrng(drbg); 1606 if (ret) 1607 goto free_everything; 1608 1609 reseed = false; 1610 } 1611 1612 ret = drbg_seed(drbg, pers, reseed); 1613 1614 if (ret && !reseed) 1615 goto free_everything; 1616 1617 mutex_unlock(&drbg->drbg_mutex); 1618 return ret; 1619 1620 unlock: 1621 mutex_unlock(&drbg->drbg_mutex); 1622 return ret; 1623 1624 free_everything: 1625 mutex_unlock(&drbg->drbg_mutex); 1626 drbg_uninstantiate(drbg); 1627 return ret; 1628 } 1629 1630 /* 1631 * DRBG uninstantiate function as required by SP800-90A - this function 1632 * frees all buffers and the DRBG handle 1633 * 1634 * @drbg DRBG state handle 1635 * 1636 * return 1637 * 0 on success 1638 */ 1639 static int drbg_uninstantiate(struct drbg_state *drbg) 1640 { 1641 if (!IS_ERR_OR_NULL(drbg->jent)) 1642 crypto_free_rng(drbg->jent); 1643 drbg->jent = NULL; 1644 1645 if (drbg->d_ops) 1646 drbg->d_ops->crypto_fini(drbg); 1647 drbg_dealloc_state(drbg); 1648 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1649 return 0; 1650 } 1651 1652 /* 1653 * Helper function for setting the test data in the DRBG 1654 * 1655 * @drbg DRBG state handle 1656 * @data test data 1657 * @len test data length 1658 */ 1659 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1660 const u8 *data, unsigned int len) 1661 { 1662 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1663 1664 mutex_lock(&drbg->drbg_mutex); 1665 drbg_string_fill(&drbg->test_data, data, len); 1666 mutex_unlock(&drbg->drbg_mutex); 1667 } 1668 1669 /*************************************************************** 1670 * Kernel crypto API cipher invocations requested by DRBG 1671 ***************************************************************/ 1672 1673 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1674 struct sdesc { 1675 struct shash_desc shash; 1676 char ctx[]; 1677 }; 1678 1679 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1680 { 1681 struct sdesc *sdesc; 1682 struct crypto_shash *tfm; 1683 1684 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1685 if (IS_ERR(tfm)) { 1686 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1687 drbg->core->backend_cra_name); 1688 return PTR_ERR(tfm); 1689 } 1690 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1691 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1692 GFP_KERNEL); 1693 if (!sdesc) { 1694 crypto_free_shash(tfm); 1695 return -ENOMEM; 1696 } 1697 1698 sdesc->shash.tfm = tfm; 1699 drbg->priv_data = sdesc; 1700 1701 return 0; 1702 } 1703 1704 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1705 { 1706 struct sdesc *sdesc = drbg->priv_data; 1707 if (sdesc) { 1708 crypto_free_shash(sdesc->shash.tfm); 1709 kfree_sensitive(sdesc); 1710 } 1711 drbg->priv_data = NULL; 1712 return 0; 1713 } 1714 1715 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1716 const unsigned char *key) 1717 { 1718 struct sdesc *sdesc = drbg->priv_data; 1719 1720 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1721 } 1722 1723 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1724 const struct list_head *in) 1725 { 1726 struct sdesc *sdesc = drbg->priv_data; 1727 struct drbg_string *input = NULL; 1728 1729 crypto_shash_init(&sdesc->shash); 1730 list_for_each_entry(input, in, list) 1731 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1732 return crypto_shash_final(&sdesc->shash, outval); 1733 } 1734 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1735 1736 #ifdef CONFIG_CRYPTO_DRBG_CTR 1737 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1738 { 1739 struct crypto_cipher *tfm = 1740 (struct crypto_cipher *)drbg->priv_data; 1741 if (tfm) 1742 crypto_free_cipher(tfm); 1743 drbg->priv_data = NULL; 1744 1745 if (drbg->ctr_handle) 1746 crypto_free_skcipher(drbg->ctr_handle); 1747 drbg->ctr_handle = NULL; 1748 1749 if (drbg->ctr_req) 1750 skcipher_request_free(drbg->ctr_req); 1751 drbg->ctr_req = NULL; 1752 1753 kfree(drbg->outscratchpadbuf); 1754 drbg->outscratchpadbuf = NULL; 1755 1756 return 0; 1757 } 1758 1759 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1760 { 1761 struct crypto_cipher *tfm; 1762 struct crypto_skcipher *sk_tfm; 1763 struct skcipher_request *req; 1764 unsigned int alignmask; 1765 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1766 1767 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1768 if (IS_ERR(tfm)) { 1769 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1770 drbg->core->backend_cra_name); 1771 return PTR_ERR(tfm); 1772 } 1773 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1774 drbg->priv_data = tfm; 1775 1776 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1777 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1778 drbg_fini_sym_kernel(drbg); 1779 return -EINVAL; 1780 } 1781 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1782 if (IS_ERR(sk_tfm)) { 1783 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1784 ctr_name); 1785 drbg_fini_sym_kernel(drbg); 1786 return PTR_ERR(sk_tfm); 1787 } 1788 drbg->ctr_handle = sk_tfm; 1789 crypto_init_wait(&drbg->ctr_wait); 1790 1791 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1792 if (!req) { 1793 pr_info("DRBG: could not allocate request queue\n"); 1794 drbg_fini_sym_kernel(drbg); 1795 return -ENOMEM; 1796 } 1797 drbg->ctr_req = req; 1798 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1799 CRYPTO_TFM_REQ_MAY_SLEEP, 1800 crypto_req_done, &drbg->ctr_wait); 1801 1802 alignmask = crypto_skcipher_alignmask(sk_tfm); 1803 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1804 GFP_KERNEL); 1805 if (!drbg->outscratchpadbuf) { 1806 drbg_fini_sym_kernel(drbg); 1807 return -ENOMEM; 1808 } 1809 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1810 alignmask + 1); 1811 1812 sg_init_table(&drbg->sg_in, 1); 1813 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1814 1815 return alignmask; 1816 } 1817 1818 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1819 const unsigned char *key) 1820 { 1821 struct crypto_cipher *tfm = drbg->priv_data; 1822 1823 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1824 } 1825 1826 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1827 const struct drbg_string *in) 1828 { 1829 struct crypto_cipher *tfm = drbg->priv_data; 1830 1831 /* there is only component in *in */ 1832 BUG_ON(in->len < drbg_blocklen(drbg)); 1833 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1834 return 0; 1835 } 1836 1837 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1838 u8 *inbuf, u32 inlen, 1839 u8 *outbuf, u32 outlen) 1840 { 1841 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1842 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1843 int ret; 1844 1845 if (inbuf) { 1846 /* Use caller-provided input buffer */ 1847 sg_set_buf(sg_in, inbuf, inlen); 1848 } else { 1849 /* Use scratchpad for in-place operation */ 1850 inlen = scratchpad_use; 1851 memset(drbg->outscratchpad, 0, scratchpad_use); 1852 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1853 } 1854 1855 while (outlen) { 1856 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1857 1858 /* Output buffer may not be valid for SGL, use scratchpad */ 1859 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1860 cryptlen, drbg->V); 1861 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1862 &drbg->ctr_wait); 1863 if (ret) 1864 goto out; 1865 1866 crypto_init_wait(&drbg->ctr_wait); 1867 1868 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1869 memzero_explicit(drbg->outscratchpad, cryptlen); 1870 1871 outlen -= cryptlen; 1872 outbuf += cryptlen; 1873 } 1874 ret = 0; 1875 1876 out: 1877 return ret; 1878 } 1879 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1880 1881 /*************************************************************** 1882 * Kernel crypto API interface to register DRBG 1883 ***************************************************************/ 1884 1885 /* 1886 * Look up the DRBG flags by given kernel crypto API cra_name 1887 * The code uses the drbg_cores definition to do this 1888 * 1889 * @cra_name kernel crypto API cra_name 1890 * @coreref reference to integer which is filled with the pointer to 1891 * the applicable core 1892 * @pr reference for setting prediction resistance 1893 * 1894 * return: flags 1895 */ 1896 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1897 int *coreref, bool *pr) 1898 { 1899 int i = 0; 1900 size_t start = 0; 1901 int len = 0; 1902 1903 *pr = true; 1904 /* disassemble the names */ 1905 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1906 start = 10; 1907 *pr = false; 1908 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1909 start = 8; 1910 } else { 1911 return; 1912 } 1913 1914 /* remove the first part */ 1915 len = strlen(cra_driver_name) - start; 1916 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1917 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1918 len)) { 1919 *coreref = i; 1920 return; 1921 } 1922 } 1923 } 1924 1925 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1926 { 1927 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1928 1929 mutex_init(&drbg->drbg_mutex); 1930 1931 return 0; 1932 } 1933 1934 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1935 { 1936 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1937 } 1938 1939 /* 1940 * Generate random numbers invoked by the kernel crypto API: 1941 * The API of the kernel crypto API is extended as follows: 1942 * 1943 * src is additional input supplied to the RNG. 1944 * slen is the length of src. 1945 * dst is the output buffer where random data is to be stored. 1946 * dlen is the length of dst. 1947 */ 1948 static int drbg_kcapi_random(struct crypto_rng *tfm, 1949 const u8 *src, unsigned int slen, 1950 u8 *dst, unsigned int dlen) 1951 { 1952 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1953 struct drbg_string *addtl = NULL; 1954 struct drbg_string string; 1955 1956 if (slen) { 1957 /* linked list variable is now local to allow modification */ 1958 drbg_string_fill(&string, src, slen); 1959 addtl = &string; 1960 } 1961 1962 return drbg_generate_long(drbg, dst, dlen, addtl); 1963 } 1964 1965 /* 1966 * Seed the DRBG invoked by the kernel crypto API 1967 */ 1968 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1969 const u8 *seed, unsigned int slen) 1970 { 1971 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1972 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1973 bool pr = false; 1974 struct drbg_string string; 1975 struct drbg_string *seed_string = NULL; 1976 int coreref = 0; 1977 1978 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1979 &pr); 1980 if (0 < slen) { 1981 drbg_string_fill(&string, seed, slen); 1982 seed_string = &string; 1983 } 1984 1985 return drbg_instantiate(drbg, seed_string, coreref, pr); 1986 } 1987 1988 /*************************************************************** 1989 * Kernel module: code to load the module 1990 ***************************************************************/ 1991 1992 /* 1993 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1994 * of the error handling. 1995 * 1996 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1997 * as seed source of get_random_bytes does not fail. 1998 * 1999 * Note 2: There is no sensible way of testing the reseed counter 2000 * enforcement, so skip it. 2001 */ 2002 static inline int __init drbg_healthcheck_sanity(void) 2003 { 2004 int len = 0; 2005 #define OUTBUFLEN 16 2006 unsigned char buf[OUTBUFLEN]; 2007 struct drbg_state *drbg = NULL; 2008 int ret; 2009 int rc = -EFAULT; 2010 bool pr = false; 2011 int coreref = 0; 2012 struct drbg_string addtl; 2013 size_t max_addtllen, max_request_bytes; 2014 2015 /* only perform test in FIPS mode */ 2016 if (!fips_enabled) 2017 return 0; 2018 2019 #ifdef CONFIG_CRYPTO_DRBG_CTR 2020 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 2021 #endif 2022 #ifdef CONFIG_CRYPTO_DRBG_HASH 2023 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 2024 #endif 2025 #ifdef CONFIG_CRYPTO_DRBG_HMAC 2026 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 2027 #endif 2028 2029 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 2030 if (!drbg) 2031 return -ENOMEM; 2032 2033 mutex_init(&drbg->drbg_mutex); 2034 drbg->core = &drbg_cores[coreref]; 2035 drbg->reseed_threshold = drbg_max_requests(drbg); 2036 2037 /* 2038 * if the following tests fail, it is likely that there is a buffer 2039 * overflow as buf is much smaller than the requested or provided 2040 * string lengths -- in case the error handling does not succeed 2041 * we may get an OOPS. And we want to get an OOPS as this is a 2042 * grave bug. 2043 */ 2044 2045 max_addtllen = drbg_max_addtl(drbg); 2046 max_request_bytes = drbg_max_request_bytes(drbg); 2047 drbg_string_fill(&addtl, buf, max_addtllen + 1); 2048 /* overflow addtllen with additonal info string */ 2049 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 2050 BUG_ON(0 < len); 2051 /* overflow max_bits */ 2052 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 2053 BUG_ON(0 < len); 2054 2055 /* overflow max addtllen with personalization string */ 2056 ret = drbg_seed(drbg, &addtl, false); 2057 BUG_ON(0 == ret); 2058 /* all tests passed */ 2059 rc = 0; 2060 2061 pr_devel("DRBG: Sanity tests for failure code paths successfully " 2062 "completed\n"); 2063 2064 kfree(drbg); 2065 return rc; 2066 } 2067 2068 static struct rng_alg drbg_algs[22]; 2069 2070 /* 2071 * Fill the array drbg_algs used to register the different DRBGs 2072 * with the kernel crypto API. To fill the array, the information 2073 * from drbg_cores[] is used. 2074 */ 2075 static inline void __init drbg_fill_array(struct rng_alg *alg, 2076 const struct drbg_core *core, int pr) 2077 { 2078 int pos = 0; 2079 static int priority = 200; 2080 2081 memcpy(alg->base.cra_name, "stdrng", 6); 2082 if (pr) { 2083 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 2084 pos = 8; 2085 } else { 2086 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 2087 pos = 10; 2088 } 2089 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2090 strlen(core->cra_name)); 2091 2092 alg->base.cra_priority = priority; 2093 priority++; 2094 /* 2095 * If FIPS mode enabled, the selected DRBG shall have the 2096 * highest cra_priority over other stdrng instances to ensure 2097 * it is selected. 2098 */ 2099 if (fips_enabled) 2100 alg->base.cra_priority += 200; 2101 2102 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2103 alg->base.cra_module = THIS_MODULE; 2104 alg->base.cra_init = drbg_kcapi_init; 2105 alg->base.cra_exit = drbg_kcapi_cleanup; 2106 alg->generate = drbg_kcapi_random; 2107 alg->seed = drbg_kcapi_seed; 2108 alg->set_ent = drbg_kcapi_set_entropy; 2109 alg->seedsize = 0; 2110 } 2111 2112 static int __init drbg_init(void) 2113 { 2114 unsigned int i = 0; /* pointer to drbg_algs */ 2115 unsigned int j = 0; /* pointer to drbg_cores */ 2116 int ret; 2117 2118 ret = drbg_healthcheck_sanity(); 2119 if (ret) 2120 return ret; 2121 2122 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2123 pr_info("DRBG: Cannot register all DRBG types" 2124 "(slots needed: %zu, slots available: %zu)\n", 2125 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2126 return -EFAULT; 2127 } 2128 2129 /* 2130 * each DRBG definition can be used with PR and without PR, thus 2131 * we instantiate each DRBG in drbg_cores[] twice. 2132 * 2133 * As the order of placing them into the drbg_algs array matters 2134 * (the later DRBGs receive a higher cra_priority) we register the 2135 * prediction resistance DRBGs first as the should not be too 2136 * interesting. 2137 */ 2138 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2139 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2140 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2141 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2142 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2143 } 2144 2145 static void __exit drbg_exit(void) 2146 { 2147 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2148 } 2149 2150 subsys_initcall(drbg_init); 2151 module_exit(drbg_exit); 2152 #ifndef CRYPTO_DRBG_HASH_STRING 2153 #define CRYPTO_DRBG_HASH_STRING "" 2154 #endif 2155 #ifndef CRYPTO_DRBG_HMAC_STRING 2156 #define CRYPTO_DRBG_HMAC_STRING "" 2157 #endif 2158 #ifndef CRYPTO_DRBG_CTR_STRING 2159 #define CRYPTO_DRBG_CTR_STRING "" 2160 #endif 2161 MODULE_LICENSE("GPL"); 2162 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2163 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2164 "using following cores: " 2165 CRYPTO_DRBG_HASH_STRING 2166 CRYPTO_DRBG_HMAC_STRING 2167 CRYPTO_DRBG_CTR_STRING); 2168 MODULE_ALIAS_CRYPTO("stdrng"); 2169 MODULE_IMPORT_NS(CRYPTO_INTERNAL); 2170