1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/df_sp80090a.h> 102 #include <crypto/internal/cipher.h> 103 #include <linux/kernel.h> 104 #include <linux/jiffies.h> 105 #include <linux/string_choices.h> 106 107 /*************************************************************** 108 * Backend cipher definitions available to DRBG 109 ***************************************************************/ 110 111 /* 112 * The order of the DRBG definitions here matter: every DRBG is registered 113 * as stdrng. Each DRBG receives an increasing cra_priority values the later 114 * they are defined in this array (see drbg_fill_array). 115 * 116 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 117 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 118 * favored DRBGs are the latest entries in this array. 119 */ 120 static const struct drbg_core drbg_cores[] = { 121 #ifdef CONFIG_CRYPTO_DRBG_CTR 122 { 123 .flags = DRBG_CTR | DRBG_STRENGTH128, 124 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 125 .blocklen_bytes = 16, 126 .cra_name = "ctr_aes128", 127 .backend_cra_name = "aes", 128 }, { 129 .flags = DRBG_CTR | DRBG_STRENGTH192, 130 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 131 .blocklen_bytes = 16, 132 .cra_name = "ctr_aes192", 133 .backend_cra_name = "aes", 134 }, { 135 .flags = DRBG_CTR | DRBG_STRENGTH256, 136 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 137 .blocklen_bytes = 16, 138 .cra_name = "ctr_aes256", 139 .backend_cra_name = "aes", 140 }, 141 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 142 #ifdef CONFIG_CRYPTO_DRBG_HASH 143 { 144 .flags = DRBG_HASH | DRBG_STRENGTH256, 145 .statelen = 111, /* 888 bits */ 146 .blocklen_bytes = 48, 147 .cra_name = "sha384", 148 .backend_cra_name = "sha384", 149 }, { 150 .flags = DRBG_HASH | DRBG_STRENGTH256, 151 .statelen = 111, /* 888 bits */ 152 .blocklen_bytes = 64, 153 .cra_name = "sha512", 154 .backend_cra_name = "sha512", 155 }, { 156 .flags = DRBG_HASH | DRBG_STRENGTH256, 157 .statelen = 55, /* 440 bits */ 158 .blocklen_bytes = 32, 159 .cra_name = "sha256", 160 .backend_cra_name = "sha256", 161 }, 162 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 163 #ifdef CONFIG_CRYPTO_DRBG_HMAC 164 { 165 .flags = DRBG_HMAC | DRBG_STRENGTH256, 166 .statelen = 48, /* block length of cipher */ 167 .blocklen_bytes = 48, 168 .cra_name = "hmac_sha384", 169 .backend_cra_name = "hmac(sha384)", 170 }, { 171 .flags = DRBG_HMAC | DRBG_STRENGTH256, 172 .statelen = 32, /* block length of cipher */ 173 .blocklen_bytes = 32, 174 .cra_name = "hmac_sha256", 175 .backend_cra_name = "hmac(sha256)", 176 }, { 177 .flags = DRBG_HMAC | DRBG_STRENGTH256, 178 .statelen = 64, /* block length of cipher */ 179 .blocklen_bytes = 64, 180 .cra_name = "hmac_sha512", 181 .backend_cra_name = "hmac(sha512)", 182 }, 183 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 184 }; 185 186 static int drbg_uninstantiate(struct drbg_state *drbg); 187 188 /****************************************************************** 189 * Generic helper functions 190 ******************************************************************/ 191 192 /* 193 * Return strength of DRBG according to SP800-90A section 8.4 194 * 195 * @flags DRBG flags reference 196 * 197 * Return: normalized strength in *bytes* value or 32 as default 198 * to counter programming errors 199 */ 200 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 201 { 202 switch (flags & DRBG_STRENGTH_MASK) { 203 case DRBG_STRENGTH128: 204 return 16; 205 case DRBG_STRENGTH192: 206 return 24; 207 case DRBG_STRENGTH256: 208 return 32; 209 default: 210 return 32; 211 } 212 } 213 214 /* 215 * FIPS 140-2 continuous self test for the noise source 216 * The test is performed on the noise source input data. Thus, the function 217 * implicitly knows the size of the buffer to be equal to the security 218 * strength. 219 * 220 * Note, this function disregards the nonce trailing the entropy data during 221 * initial seeding. 222 * 223 * drbg->drbg_mutex must have been taken. 224 * 225 * @drbg DRBG handle 226 * @entropy buffer of seed data to be checked 227 * 228 * return: 229 * %true on success 230 * %false when the CTRNG is not yet primed 231 */ 232 static bool drbg_fips_continuous_test(struct drbg_state *drbg, 233 const unsigned char *entropy) 234 { 235 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 236 237 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 238 return true; 239 240 /* skip test if we test the overall system */ 241 if (list_empty(&drbg->test_data.list)) 242 return true; 243 /* only perform test in FIPS mode */ 244 if (!fips_enabled) 245 return true; 246 247 if (!drbg->fips_primed) { 248 /* Priming of FIPS test */ 249 memcpy(drbg->prev, entropy, entropylen); 250 drbg->fips_primed = true; 251 /* priming: another round is needed */ 252 return false; 253 } 254 if (!memcmp(drbg->prev, entropy, entropylen)) 255 panic("DRBG continuous self test failed\n"); 256 memcpy(drbg->prev, entropy, entropylen); 257 258 /* the test shall pass when the two values are not equal */ 259 return true; 260 } 261 262 /****************************************************************** 263 * CTR DRBG callback functions 264 ******************************************************************/ 265 266 #ifdef CONFIG_CRYPTO_DRBG_CTR 267 #define CRYPTO_DRBG_CTR_STRING "CTR " 268 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 269 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 270 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 271 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 272 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 273 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 274 275 static int drbg_init_sym_kernel(struct drbg_state *drbg); 276 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 277 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 278 u8 *inbuf, u32 inbuflen, 279 u8 *outbuf, u32 outlen); 280 #define DRBG_OUTSCRATCHLEN 256 281 282 static int drbg_ctr_df(struct drbg_state *drbg, 283 unsigned char *df_data, size_t bytes_to_return, 284 struct list_head *seedlist) 285 { 286 return crypto_drbg_ctr_df(drbg->priv_data, df_data, drbg_statelen(drbg), 287 seedlist, drbg_blocklen(drbg), drbg_statelen(drbg)); 288 } 289 290 /* 291 * update function of CTR DRBG as defined in 10.2.1.2 292 * 293 * The reseed variable has an enhanced meaning compared to the update 294 * functions of the other DRBGs as follows: 295 * 0 => initial seed from initialization 296 * 1 => reseed via drbg_seed 297 * 2 => first invocation from drbg_ctr_update when addtl is present. In 298 * this case, the df_data scratchpad is not deleted so that it is 299 * available for another calls to prevent calling the DF function 300 * again. 301 * 3 => second invocation from drbg_ctr_update. When the update function 302 * was called with addtl, the df_data memory already contains the 303 * DFed addtl information and we do not need to call DF again. 304 */ 305 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 306 int reseed) 307 { 308 int ret = -EFAULT; 309 /* 10.2.1.2 step 1 */ 310 unsigned char *temp = drbg->scratchpad; 311 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 312 drbg_blocklen(drbg); 313 314 if (3 > reseed) 315 memset(df_data, 0, drbg_statelen(drbg)); 316 317 if (!reseed) { 318 /* 319 * The DRBG uses the CTR mode of the underlying AES cipher. The 320 * CTR mode increments the counter value after the AES operation 321 * but SP800-90A requires that the counter is incremented before 322 * the AES operation. Hence, we increment it at the time we set 323 * it by one. 324 */ 325 crypto_inc(drbg->V, drbg_blocklen(drbg)); 326 327 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 328 drbg_keylen(drbg)); 329 if (ret) 330 goto out; 331 } 332 333 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 334 if (seed) { 335 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 336 if (ret) 337 goto out; 338 } 339 340 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 341 temp, drbg_statelen(drbg)); 342 if (ret) 343 return ret; 344 345 /* 10.2.1.2 step 5 */ 346 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 347 drbg_keylen(drbg)); 348 if (ret) 349 goto out; 350 /* 10.2.1.2 step 6 */ 351 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 352 /* See above: increment counter by one to compensate timing of CTR op */ 353 crypto_inc(drbg->V, drbg_blocklen(drbg)); 354 ret = 0; 355 356 out: 357 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 358 if (2 != reseed) 359 memset(df_data, 0, drbg_statelen(drbg)); 360 return ret; 361 } 362 363 /* 364 * scratchpad use: drbg_ctr_update is called independently from 365 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 366 */ 367 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 368 static int drbg_ctr_generate(struct drbg_state *drbg, 369 unsigned char *buf, unsigned int buflen, 370 struct list_head *addtl) 371 { 372 int ret; 373 int len = min_t(int, buflen, INT_MAX); 374 375 /* 10.2.1.5.2 step 2 */ 376 if (addtl && !list_empty(addtl)) { 377 ret = drbg_ctr_update(drbg, addtl, 2); 378 if (ret) 379 return 0; 380 } 381 382 /* 10.2.1.5.2 step 4.1 */ 383 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 384 if (ret) 385 return ret; 386 387 /* 10.2.1.5.2 step 6 */ 388 ret = drbg_ctr_update(drbg, NULL, 3); 389 if (ret) 390 len = ret; 391 392 return len; 393 } 394 395 static const struct drbg_state_ops drbg_ctr_ops = { 396 .update = drbg_ctr_update, 397 .generate = drbg_ctr_generate, 398 .crypto_init = drbg_init_sym_kernel, 399 .crypto_fini = drbg_fini_sym_kernel, 400 }; 401 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 402 403 /****************************************************************** 404 * HMAC DRBG callback functions 405 ******************************************************************/ 406 407 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 408 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 409 const struct list_head *in); 410 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 411 const unsigned char *key); 412 static int drbg_init_hash_kernel(struct drbg_state *drbg); 413 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 414 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 415 416 #ifdef CONFIG_CRYPTO_DRBG_HMAC 417 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 418 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 419 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 420 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 421 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 422 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 423 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 424 425 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 426 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 427 int reseed) 428 { 429 int ret = -EFAULT; 430 int i = 0; 431 struct drbg_string seed1, seed2, vdata; 432 LIST_HEAD(seedlist); 433 LIST_HEAD(vdatalist); 434 435 if (!reseed) { 436 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 437 memset(drbg->V, 1, drbg_statelen(drbg)); 438 drbg_kcapi_hmacsetkey(drbg, drbg->C); 439 } 440 441 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 442 list_add_tail(&seed1.list, &seedlist); 443 /* buffer of seed2 will be filled in for loop below with one byte */ 444 drbg_string_fill(&seed2, NULL, 1); 445 list_add_tail(&seed2.list, &seedlist); 446 /* input data of seed is allowed to be NULL at this point */ 447 if (seed) 448 list_splice_tail(seed, &seedlist); 449 450 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 451 list_add_tail(&vdata.list, &vdatalist); 452 for (i = 2; 0 < i; i--) { 453 /* first round uses 0x0, second 0x1 */ 454 unsigned char prefix = DRBG_PREFIX0; 455 if (1 == i) 456 prefix = DRBG_PREFIX1; 457 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 458 seed2.buf = &prefix; 459 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 460 if (ret) 461 return ret; 462 drbg_kcapi_hmacsetkey(drbg, drbg->C); 463 464 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 465 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 466 if (ret) 467 return ret; 468 469 /* 10.1.2.2 step 3 */ 470 if (!seed) 471 return ret; 472 } 473 474 return 0; 475 } 476 477 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 478 static int drbg_hmac_generate(struct drbg_state *drbg, 479 unsigned char *buf, 480 unsigned int buflen, 481 struct list_head *addtl) 482 { 483 int len = 0; 484 int ret = 0; 485 struct drbg_string data; 486 LIST_HEAD(datalist); 487 488 /* 10.1.2.5 step 2 */ 489 if (addtl && !list_empty(addtl)) { 490 ret = drbg_hmac_update(drbg, addtl, 1); 491 if (ret) 492 return ret; 493 } 494 495 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 496 list_add_tail(&data.list, &datalist); 497 while (len < buflen) { 498 unsigned int outlen = 0; 499 /* 10.1.2.5 step 4.1 */ 500 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 501 if (ret) 502 return ret; 503 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 504 drbg_blocklen(drbg) : (buflen - len); 505 506 /* 10.1.2.5 step 4.2 */ 507 memcpy(buf + len, drbg->V, outlen); 508 len += outlen; 509 } 510 511 /* 10.1.2.5 step 6 */ 512 if (addtl && !list_empty(addtl)) 513 ret = drbg_hmac_update(drbg, addtl, 1); 514 else 515 ret = drbg_hmac_update(drbg, NULL, 1); 516 if (ret) 517 return ret; 518 519 return len; 520 } 521 522 static const struct drbg_state_ops drbg_hmac_ops = { 523 .update = drbg_hmac_update, 524 .generate = drbg_hmac_generate, 525 .crypto_init = drbg_init_hash_kernel, 526 .crypto_fini = drbg_fini_hash_kernel, 527 }; 528 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 529 530 /****************************************************************** 531 * Hash DRBG callback functions 532 ******************************************************************/ 533 534 #ifdef CONFIG_CRYPTO_DRBG_HASH 535 #define CRYPTO_DRBG_HASH_STRING "HASH " 536 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 537 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 538 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 539 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 540 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 541 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 542 543 /* 544 * Increment buffer 545 * 546 * @dst buffer to increment 547 * @add value to add 548 */ 549 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 550 const unsigned char *add, size_t addlen) 551 { 552 /* implied: dstlen > addlen */ 553 unsigned char *dstptr; 554 const unsigned char *addptr; 555 unsigned int remainder = 0; 556 size_t len = addlen; 557 558 dstptr = dst + (dstlen-1); 559 addptr = add + (addlen-1); 560 while (len) { 561 remainder += *dstptr + *addptr; 562 *dstptr = remainder & 0xff; 563 remainder >>= 8; 564 len--; dstptr--; addptr--; 565 } 566 len = dstlen - addlen; 567 while (len && remainder > 0) { 568 remainder = *dstptr + 1; 569 *dstptr = remainder & 0xff; 570 remainder >>= 8; 571 len--; dstptr--; 572 } 573 } 574 575 /* 576 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 577 * interlinked, the scratchpad is used as follows: 578 * drbg_hash_update 579 * start: drbg->scratchpad 580 * length: drbg_statelen(drbg) 581 * drbg_hash_df: 582 * start: drbg->scratchpad + drbg_statelen(drbg) 583 * length: drbg_blocklen(drbg) 584 * 585 * drbg_hash_process_addtl uses the scratchpad, but fully completes 586 * before either of the functions mentioned before are invoked. Therefore, 587 * drbg_hash_process_addtl does not need to be specifically considered. 588 */ 589 590 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 591 static int drbg_hash_df(struct drbg_state *drbg, 592 unsigned char *outval, size_t outlen, 593 struct list_head *entropylist) 594 { 595 int ret = 0; 596 size_t len = 0; 597 unsigned char input[5]; 598 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 599 struct drbg_string data; 600 601 /* 10.4.1 step 3 */ 602 input[0] = 1; 603 drbg_cpu_to_be32((outlen * 8), &input[1]); 604 605 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 606 drbg_string_fill(&data, input, 5); 607 list_add(&data.list, entropylist); 608 609 /* 10.4.1 step 4 */ 610 while (len < outlen) { 611 short blocklen = 0; 612 /* 10.4.1 step 4.1 */ 613 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 614 if (ret) 615 goto out; 616 /* 10.4.1 step 4.2 */ 617 input[0]++; 618 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 619 drbg_blocklen(drbg) : (outlen - len); 620 memcpy(outval + len, tmp, blocklen); 621 len += blocklen; 622 } 623 624 out: 625 memset(tmp, 0, drbg_blocklen(drbg)); 626 return ret; 627 } 628 629 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 630 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 631 int reseed) 632 { 633 int ret = 0; 634 struct drbg_string data1, data2; 635 LIST_HEAD(datalist); 636 LIST_HEAD(datalist2); 637 unsigned char *V = drbg->scratchpad; 638 unsigned char prefix = DRBG_PREFIX1; 639 640 if (!seed) 641 return -EINVAL; 642 643 if (reseed) { 644 /* 10.1.1.3 step 1 */ 645 memcpy(V, drbg->V, drbg_statelen(drbg)); 646 drbg_string_fill(&data1, &prefix, 1); 647 list_add_tail(&data1.list, &datalist); 648 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 649 list_add_tail(&data2.list, &datalist); 650 } 651 list_splice_tail(seed, &datalist); 652 653 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 654 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 655 if (ret) 656 goto out; 657 658 /* 10.1.1.2 / 10.1.1.3 step 4 */ 659 prefix = DRBG_PREFIX0; 660 drbg_string_fill(&data1, &prefix, 1); 661 list_add_tail(&data1.list, &datalist2); 662 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 663 list_add_tail(&data2.list, &datalist2); 664 /* 10.1.1.2 / 10.1.1.3 step 4 */ 665 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 666 667 out: 668 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 669 return ret; 670 } 671 672 /* processing of additional information string for Hash DRBG */ 673 static int drbg_hash_process_addtl(struct drbg_state *drbg, 674 struct list_head *addtl) 675 { 676 int ret = 0; 677 struct drbg_string data1, data2; 678 LIST_HEAD(datalist); 679 unsigned char prefix = DRBG_PREFIX2; 680 681 /* 10.1.1.4 step 2 */ 682 if (!addtl || list_empty(addtl)) 683 return 0; 684 685 /* 10.1.1.4 step 2a */ 686 drbg_string_fill(&data1, &prefix, 1); 687 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 688 list_add_tail(&data1.list, &datalist); 689 list_add_tail(&data2.list, &datalist); 690 list_splice_tail(addtl, &datalist); 691 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 692 if (ret) 693 goto out; 694 695 /* 10.1.1.4 step 2b */ 696 drbg_add_buf(drbg->V, drbg_statelen(drbg), 697 drbg->scratchpad, drbg_blocklen(drbg)); 698 699 out: 700 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 701 return ret; 702 } 703 704 /* Hashgen defined in 10.1.1.4 */ 705 static int drbg_hash_hashgen(struct drbg_state *drbg, 706 unsigned char *buf, 707 unsigned int buflen) 708 { 709 int len = 0; 710 int ret = 0; 711 unsigned char *src = drbg->scratchpad; 712 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 713 struct drbg_string data; 714 LIST_HEAD(datalist); 715 716 /* 10.1.1.4 step hashgen 2 */ 717 memcpy(src, drbg->V, drbg_statelen(drbg)); 718 719 drbg_string_fill(&data, src, drbg_statelen(drbg)); 720 list_add_tail(&data.list, &datalist); 721 while (len < buflen) { 722 unsigned int outlen = 0; 723 /* 10.1.1.4 step hashgen 4.1 */ 724 ret = drbg_kcapi_hash(drbg, dst, &datalist); 725 if (ret) { 726 len = ret; 727 goto out; 728 } 729 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 730 drbg_blocklen(drbg) : (buflen - len); 731 /* 10.1.1.4 step hashgen 4.2 */ 732 memcpy(buf + len, dst, outlen); 733 len += outlen; 734 /* 10.1.1.4 hashgen step 4.3 */ 735 if (len < buflen) 736 crypto_inc(src, drbg_statelen(drbg)); 737 } 738 739 out: 740 memset(drbg->scratchpad, 0, 741 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 742 return len; 743 } 744 745 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 746 static int drbg_hash_generate(struct drbg_state *drbg, 747 unsigned char *buf, unsigned int buflen, 748 struct list_head *addtl) 749 { 750 int len = 0; 751 int ret = 0; 752 union { 753 unsigned char req[8]; 754 __be64 req_int; 755 } u; 756 unsigned char prefix = DRBG_PREFIX3; 757 struct drbg_string data1, data2; 758 LIST_HEAD(datalist); 759 760 /* 10.1.1.4 step 2 */ 761 ret = drbg_hash_process_addtl(drbg, addtl); 762 if (ret) 763 return ret; 764 /* 10.1.1.4 step 3 */ 765 len = drbg_hash_hashgen(drbg, buf, buflen); 766 767 /* this is the value H as documented in 10.1.1.4 */ 768 /* 10.1.1.4 step 4 */ 769 drbg_string_fill(&data1, &prefix, 1); 770 list_add_tail(&data1.list, &datalist); 771 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 772 list_add_tail(&data2.list, &datalist); 773 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 774 if (ret) { 775 len = ret; 776 goto out; 777 } 778 779 /* 10.1.1.4 step 5 */ 780 drbg_add_buf(drbg->V, drbg_statelen(drbg), 781 drbg->scratchpad, drbg_blocklen(drbg)); 782 drbg_add_buf(drbg->V, drbg_statelen(drbg), 783 drbg->C, drbg_statelen(drbg)); 784 u.req_int = cpu_to_be64(drbg->reseed_ctr); 785 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 786 787 out: 788 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 789 return len; 790 } 791 792 /* 793 * scratchpad usage: as update and generate are used isolated, both 794 * can use the scratchpad 795 */ 796 static const struct drbg_state_ops drbg_hash_ops = { 797 .update = drbg_hash_update, 798 .generate = drbg_hash_generate, 799 .crypto_init = drbg_init_hash_kernel, 800 .crypto_fini = drbg_fini_hash_kernel, 801 }; 802 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 803 804 /****************************************************************** 805 * Functions common for DRBG implementations 806 ******************************************************************/ 807 808 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 809 int reseed, enum drbg_seed_state new_seed_state) 810 { 811 int ret = drbg->d_ops->update(drbg, seed, reseed); 812 813 if (ret) 814 return ret; 815 816 drbg->seeded = new_seed_state; 817 drbg->last_seed_time = jiffies; 818 /* 10.1.1.2 / 10.1.1.3 step 5 */ 819 drbg->reseed_ctr = 1; 820 821 switch (drbg->seeded) { 822 case DRBG_SEED_STATE_UNSEEDED: 823 /* Impossible, but handle it to silence compiler warnings. */ 824 fallthrough; 825 case DRBG_SEED_STATE_PARTIAL: 826 /* 827 * Require frequent reseeds until the seed source is 828 * fully initialized. 829 */ 830 drbg->reseed_threshold = 50; 831 break; 832 833 case DRBG_SEED_STATE_FULL: 834 /* 835 * Seed source has become fully initialized, frequent 836 * reseeds no longer required. 837 */ 838 drbg->reseed_threshold = drbg_max_requests(drbg); 839 break; 840 } 841 842 return ret; 843 } 844 845 static inline void drbg_get_random_bytes(struct drbg_state *drbg, 846 unsigned char *entropy, 847 unsigned int entropylen) 848 { 849 do 850 get_random_bytes(entropy, entropylen); 851 while (!drbg_fips_continuous_test(drbg, entropy)); 852 } 853 854 static int drbg_seed_from_random(struct drbg_state *drbg) 855 { 856 struct drbg_string data; 857 LIST_HEAD(seedlist); 858 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 859 unsigned char entropy[32]; 860 int ret; 861 862 BUG_ON(!entropylen); 863 BUG_ON(entropylen > sizeof(entropy)); 864 865 drbg_string_fill(&data, entropy, entropylen); 866 list_add_tail(&data.list, &seedlist); 867 868 drbg_get_random_bytes(drbg, entropy, entropylen); 869 870 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 871 872 memzero_explicit(entropy, entropylen); 873 return ret; 874 } 875 876 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 877 { 878 unsigned long next_reseed; 879 880 /* Don't ever reseed from get_random_bytes() in test mode. */ 881 if (list_empty(&drbg->test_data.list)) 882 return false; 883 884 /* 885 * Obtain fresh entropy for the nopr DRBGs after 300s have 886 * elapsed in order to still achieve sort of partial 887 * prediction resistance over the time domain at least. Note 888 * that the period of 300s has been chosen to match the 889 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 890 * rngs. 891 */ 892 next_reseed = drbg->last_seed_time + 300 * HZ; 893 return time_after(jiffies, next_reseed); 894 } 895 896 /* 897 * Seeding or reseeding of the DRBG 898 * 899 * @drbg: DRBG state struct 900 * @pers: personalization / additional information buffer 901 * @reseed: 0 for initial seed process, 1 for reseeding 902 * 903 * return: 904 * 0 on success 905 * error value otherwise 906 */ 907 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 908 bool reseed) 909 { 910 int ret; 911 unsigned char entropy[((32 + 16) * 2)]; 912 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 913 struct drbg_string data1; 914 LIST_HEAD(seedlist); 915 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 916 917 /* 9.1 / 9.2 / 9.3.1 step 3 */ 918 if (pers && pers->len > (drbg_max_addtl(drbg))) { 919 pr_devel("DRBG: personalization string too long %zu\n", 920 pers->len); 921 return -EINVAL; 922 } 923 924 if (list_empty(&drbg->test_data.list)) { 925 drbg_string_fill(&data1, drbg->test_data.buf, 926 drbg->test_data.len); 927 pr_devel("DRBG: using test entropy\n"); 928 } else { 929 /* 930 * Gather entropy equal to the security strength of the DRBG. 931 * With a derivation function, a nonce is required in addition 932 * to the entropy. A nonce must be at least 1/2 of the security 933 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 934 * of the strength. The consideration of a nonce is only 935 * applicable during initial seeding. 936 */ 937 BUG_ON(!entropylen); 938 if (!reseed) 939 entropylen = ((entropylen + 1) / 2) * 3; 940 BUG_ON((entropylen * 2) > sizeof(entropy)); 941 942 /* Get seed from in-kernel /dev/urandom */ 943 if (!rng_is_initialized()) 944 new_seed_state = DRBG_SEED_STATE_PARTIAL; 945 946 drbg_get_random_bytes(drbg, entropy, entropylen); 947 948 if (!drbg->jent) { 949 drbg_string_fill(&data1, entropy, entropylen); 950 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 951 entropylen); 952 } else { 953 /* 954 * Get seed from Jitter RNG, failures are 955 * fatal only in FIPS mode. 956 */ 957 ret = crypto_rng_get_bytes(drbg->jent, 958 entropy + entropylen, 959 entropylen); 960 if (fips_enabled && ret) { 961 pr_devel("DRBG: jent failed with %d\n", ret); 962 963 /* 964 * Do not treat the transient failure of the 965 * Jitter RNG as an error that needs to be 966 * reported. The combined number of the 967 * maximum reseed threshold times the maximum 968 * number of Jitter RNG transient errors is 969 * less than the reseed threshold required by 970 * SP800-90A allowing us to treat the 971 * transient errors as such. 972 * 973 * However, we mandate that at least the first 974 * seeding operation must succeed with the 975 * Jitter RNG. 976 */ 977 if (!reseed || ret != -EAGAIN) 978 goto out; 979 } 980 981 drbg_string_fill(&data1, entropy, entropylen * 2); 982 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 983 entropylen * 2); 984 } 985 } 986 list_add_tail(&data1.list, &seedlist); 987 988 /* 989 * concatenation of entropy with personalization str / addtl input) 990 * the variable pers is directly handed in by the caller, so check its 991 * contents whether it is appropriate 992 */ 993 if (pers && pers->buf && 0 < pers->len) { 994 list_add_tail(&pers->list, &seedlist); 995 pr_devel("DRBG: using personalization string\n"); 996 } 997 998 if (!reseed) { 999 memset(drbg->V, 0, drbg_statelen(drbg)); 1000 memset(drbg->C, 0, drbg_statelen(drbg)); 1001 } 1002 1003 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1004 1005 out: 1006 memzero_explicit(entropy, entropylen * 2); 1007 1008 return ret; 1009 } 1010 1011 /* Free all substructures in a DRBG state without the DRBG state structure */ 1012 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1013 { 1014 if (!drbg) 1015 return; 1016 kfree_sensitive(drbg->Vbuf); 1017 drbg->Vbuf = NULL; 1018 drbg->V = NULL; 1019 kfree_sensitive(drbg->Cbuf); 1020 drbg->Cbuf = NULL; 1021 drbg->C = NULL; 1022 kfree_sensitive(drbg->scratchpadbuf); 1023 drbg->scratchpadbuf = NULL; 1024 drbg->reseed_ctr = 0; 1025 drbg->d_ops = NULL; 1026 drbg->core = NULL; 1027 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1028 kfree_sensitive(drbg->prev); 1029 drbg->prev = NULL; 1030 drbg->fips_primed = false; 1031 } 1032 } 1033 1034 /* 1035 * Allocate all sub-structures for a DRBG state. 1036 * The DRBG state structure must already be allocated. 1037 */ 1038 static inline int drbg_alloc_state(struct drbg_state *drbg) 1039 { 1040 int ret = -ENOMEM; 1041 unsigned int sb_size = 0; 1042 1043 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1044 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1045 case DRBG_HMAC: 1046 drbg->d_ops = &drbg_hmac_ops; 1047 break; 1048 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1049 #ifdef CONFIG_CRYPTO_DRBG_HASH 1050 case DRBG_HASH: 1051 drbg->d_ops = &drbg_hash_ops; 1052 break; 1053 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1054 #ifdef CONFIG_CRYPTO_DRBG_CTR 1055 case DRBG_CTR: 1056 drbg->d_ops = &drbg_ctr_ops; 1057 break; 1058 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1059 default: 1060 ret = -EOPNOTSUPP; 1061 goto err; 1062 } 1063 1064 ret = drbg->d_ops->crypto_init(drbg); 1065 if (ret < 0) 1066 goto err; 1067 1068 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1069 if (!drbg->Vbuf) { 1070 ret = -ENOMEM; 1071 goto fini; 1072 } 1073 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1074 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1075 if (!drbg->Cbuf) { 1076 ret = -ENOMEM; 1077 goto fini; 1078 } 1079 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1080 /* scratchpad is only generated for CTR and Hash */ 1081 if (drbg->core->flags & DRBG_HMAC) 1082 sb_size = 0; 1083 else if (drbg->core->flags & DRBG_CTR) 1084 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1085 crypto_drbg_ctr_df_datalen(drbg_statelen(drbg), 1086 drbg_blocklen(drbg)); 1087 else 1088 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1089 1090 if (0 < sb_size) { 1091 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1092 if (!drbg->scratchpadbuf) { 1093 ret = -ENOMEM; 1094 goto fini; 1095 } 1096 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1097 } 1098 1099 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1100 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1101 GFP_KERNEL); 1102 if (!drbg->prev) { 1103 ret = -ENOMEM; 1104 goto fini; 1105 } 1106 drbg->fips_primed = false; 1107 } 1108 1109 return 0; 1110 1111 fini: 1112 drbg->d_ops->crypto_fini(drbg); 1113 err: 1114 drbg_dealloc_state(drbg); 1115 return ret; 1116 } 1117 1118 /************************************************************************* 1119 * DRBG interface functions 1120 *************************************************************************/ 1121 1122 /* 1123 * DRBG generate function as required by SP800-90A - this function 1124 * generates random numbers 1125 * 1126 * @drbg DRBG state handle 1127 * @buf Buffer where to store the random numbers -- the buffer must already 1128 * be pre-allocated by caller 1129 * @buflen Length of output buffer - this value defines the number of random 1130 * bytes pulled from DRBG 1131 * @addtl Additional input that is mixed into state, may be NULL -- note 1132 * the entropy is pulled by the DRBG internally unconditionally 1133 * as defined in SP800-90A. The additional input is mixed into 1134 * the state in addition to the pulled entropy. 1135 * 1136 * return: 0 when all bytes are generated; < 0 in case of an error 1137 */ 1138 static int drbg_generate(struct drbg_state *drbg, 1139 unsigned char *buf, unsigned int buflen, 1140 struct drbg_string *addtl) 1141 { 1142 int len = 0; 1143 LIST_HEAD(addtllist); 1144 1145 if (!drbg->core) { 1146 pr_devel("DRBG: not yet seeded\n"); 1147 return -EINVAL; 1148 } 1149 if (0 == buflen || !buf) { 1150 pr_devel("DRBG: no output buffer provided\n"); 1151 return -EINVAL; 1152 } 1153 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1154 pr_devel("DRBG: wrong format of additional information\n"); 1155 return -EINVAL; 1156 } 1157 1158 /* 9.3.1 step 2 */ 1159 len = -EINVAL; 1160 if (buflen > (drbg_max_request_bytes(drbg))) { 1161 pr_devel("DRBG: requested random numbers too large %u\n", 1162 buflen); 1163 goto err; 1164 } 1165 1166 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1167 1168 /* 9.3.1 step 4 */ 1169 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1170 pr_devel("DRBG: additional information string too long %zu\n", 1171 addtl->len); 1172 goto err; 1173 } 1174 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1175 1176 /* 1177 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1178 * here. The spec is a bit convoluted here, we make it simpler. 1179 */ 1180 if (drbg->reseed_threshold < drbg->reseed_ctr) 1181 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1182 1183 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1184 pr_devel("DRBG: reseeding before generation (prediction " 1185 "resistance: %s, state %s)\n", 1186 str_true_false(drbg->pr), 1187 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1188 "seeded" : "unseeded")); 1189 /* 9.3.1 steps 7.1 through 7.3 */ 1190 len = drbg_seed(drbg, addtl, true); 1191 if (len) 1192 goto err; 1193 /* 9.3.1 step 7.4 */ 1194 addtl = NULL; 1195 } else if (rng_is_initialized() && 1196 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1197 drbg_nopr_reseed_interval_elapsed(drbg))) { 1198 len = drbg_seed_from_random(drbg); 1199 if (len) 1200 goto err; 1201 } 1202 1203 if (addtl && 0 < addtl->len) 1204 list_add_tail(&addtl->list, &addtllist); 1205 /* 9.3.1 step 8 and 10 */ 1206 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1207 1208 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1209 drbg->reseed_ctr++; 1210 if (0 >= len) 1211 goto err; 1212 1213 /* 1214 * Section 11.3.3 requires to re-perform self tests after some 1215 * generated random numbers. The chosen value after which self 1216 * test is performed is arbitrary, but it should be reasonable. 1217 * However, we do not perform the self tests because of the following 1218 * reasons: it is mathematically impossible that the initial self tests 1219 * were successfully and the following are not. If the initial would 1220 * pass and the following would not, the kernel integrity is violated. 1221 * In this case, the entire kernel operation is questionable and it 1222 * is unlikely that the integrity violation only affects the 1223 * correct operation of the DRBG. 1224 * 1225 * Albeit the following code is commented out, it is provided in 1226 * case somebody has a need to implement the test of 11.3.3. 1227 */ 1228 #if 0 1229 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1230 int err = 0; 1231 pr_devel("DRBG: start to perform self test\n"); 1232 if (drbg->core->flags & DRBG_HMAC) 1233 err = alg_test("drbg_pr_hmac_sha512", 1234 "drbg_pr_hmac_sha512", 0, 0); 1235 else if (drbg->core->flags & DRBG_CTR) 1236 err = alg_test("drbg_pr_ctr_aes256", 1237 "drbg_pr_ctr_aes256", 0, 0); 1238 else 1239 err = alg_test("drbg_pr_sha256", 1240 "drbg_pr_sha256", 0, 0); 1241 if (err) { 1242 pr_err("DRBG: periodical self test failed\n"); 1243 /* 1244 * uninstantiate implies that from now on, only errors 1245 * are returned when reusing this DRBG cipher handle 1246 */ 1247 drbg_uninstantiate(drbg); 1248 return 0; 1249 } else { 1250 pr_devel("DRBG: self test successful\n"); 1251 } 1252 } 1253 #endif 1254 1255 /* 1256 * All operations were successful, return 0 as mandated by 1257 * the kernel crypto API interface. 1258 */ 1259 len = 0; 1260 err: 1261 return len; 1262 } 1263 1264 /* 1265 * Wrapper around drbg_generate which can pull arbitrary long strings 1266 * from the DRBG without hitting the maximum request limitation. 1267 * 1268 * Parameters: see drbg_generate 1269 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1270 * the entire drbg_generate_long request fails 1271 */ 1272 static int drbg_generate_long(struct drbg_state *drbg, 1273 unsigned char *buf, unsigned int buflen, 1274 struct drbg_string *addtl) 1275 { 1276 unsigned int len = 0; 1277 unsigned int slice = 0; 1278 do { 1279 int err = 0; 1280 unsigned int chunk = 0; 1281 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1282 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1283 mutex_lock(&drbg->drbg_mutex); 1284 err = drbg_generate(drbg, buf + len, chunk, addtl); 1285 mutex_unlock(&drbg->drbg_mutex); 1286 if (0 > err) 1287 return err; 1288 len += chunk; 1289 } while (slice > 0 && (len < buflen)); 1290 return 0; 1291 } 1292 1293 static int drbg_prepare_hrng(struct drbg_state *drbg) 1294 { 1295 /* We do not need an HRNG in test mode. */ 1296 if (list_empty(&drbg->test_data.list)) 1297 return 0; 1298 1299 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1300 if (IS_ERR(drbg->jent)) { 1301 const int err = PTR_ERR(drbg->jent); 1302 1303 drbg->jent = NULL; 1304 if (fips_enabled) 1305 return err; 1306 pr_info("DRBG: Continuing without Jitter RNG\n"); 1307 } 1308 1309 return 0; 1310 } 1311 1312 /* 1313 * DRBG instantiation function as required by SP800-90A - this function 1314 * sets up the DRBG handle, performs the initial seeding and all sanity 1315 * checks required by SP800-90A 1316 * 1317 * @drbg memory of state -- if NULL, new memory is allocated 1318 * @pers Personalization string that is mixed into state, may be NULL -- note 1319 * the entropy is pulled by the DRBG internally unconditionally 1320 * as defined in SP800-90A. The additional input is mixed into 1321 * the state in addition to the pulled entropy. 1322 * @coreref reference to core 1323 * @pr prediction resistance enabled 1324 * 1325 * return 1326 * 0 on success 1327 * error value otherwise 1328 */ 1329 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1330 int coreref, bool pr) 1331 { 1332 int ret; 1333 bool reseed = true; 1334 1335 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1336 "%s\n", coreref, str_enabled_disabled(pr)); 1337 mutex_lock(&drbg->drbg_mutex); 1338 1339 /* 9.1 step 1 is implicit with the selected DRBG type */ 1340 1341 /* 1342 * 9.1 step 2 is implicit as caller can select prediction resistance 1343 * and the flag is copied into drbg->flags -- 1344 * all DRBG types support prediction resistance 1345 */ 1346 1347 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1348 1349 if (!drbg->core) { 1350 drbg->core = &drbg_cores[coreref]; 1351 drbg->pr = pr; 1352 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1353 drbg->last_seed_time = 0; 1354 drbg->reseed_threshold = drbg_max_requests(drbg); 1355 1356 ret = drbg_alloc_state(drbg); 1357 if (ret) 1358 goto unlock; 1359 1360 ret = drbg_prepare_hrng(drbg); 1361 if (ret) 1362 goto free_everything; 1363 1364 reseed = false; 1365 } 1366 1367 ret = drbg_seed(drbg, pers, reseed); 1368 1369 if (ret && !reseed) 1370 goto free_everything; 1371 1372 mutex_unlock(&drbg->drbg_mutex); 1373 return ret; 1374 1375 unlock: 1376 mutex_unlock(&drbg->drbg_mutex); 1377 return ret; 1378 1379 free_everything: 1380 mutex_unlock(&drbg->drbg_mutex); 1381 drbg_uninstantiate(drbg); 1382 return ret; 1383 } 1384 1385 /* 1386 * DRBG uninstantiate function as required by SP800-90A - this function 1387 * frees all buffers and the DRBG handle 1388 * 1389 * @drbg DRBG state handle 1390 * 1391 * return 1392 * 0 on success 1393 */ 1394 static int drbg_uninstantiate(struct drbg_state *drbg) 1395 { 1396 if (!IS_ERR_OR_NULL(drbg->jent)) 1397 crypto_free_rng(drbg->jent); 1398 drbg->jent = NULL; 1399 1400 if (drbg->d_ops) 1401 drbg->d_ops->crypto_fini(drbg); 1402 drbg_dealloc_state(drbg); 1403 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1404 return 0; 1405 } 1406 1407 /* 1408 * Helper function for setting the test data in the DRBG 1409 * 1410 * @drbg DRBG state handle 1411 * @data test data 1412 * @len test data length 1413 */ 1414 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1415 const u8 *data, unsigned int len) 1416 { 1417 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1418 1419 mutex_lock(&drbg->drbg_mutex); 1420 drbg_string_fill(&drbg->test_data, data, len); 1421 mutex_unlock(&drbg->drbg_mutex); 1422 } 1423 1424 /*************************************************************** 1425 * Kernel crypto API cipher invocations requested by DRBG 1426 ***************************************************************/ 1427 1428 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1429 struct sdesc { 1430 struct shash_desc shash; 1431 }; 1432 1433 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1434 { 1435 struct sdesc *sdesc; 1436 struct crypto_shash *tfm; 1437 1438 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1439 if (IS_ERR(tfm)) { 1440 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1441 drbg->core->backend_cra_name); 1442 return PTR_ERR(tfm); 1443 } 1444 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1445 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1446 GFP_KERNEL); 1447 if (!sdesc) { 1448 crypto_free_shash(tfm); 1449 return -ENOMEM; 1450 } 1451 1452 sdesc->shash.tfm = tfm; 1453 drbg->priv_data = sdesc; 1454 1455 return 0; 1456 } 1457 1458 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1459 { 1460 struct sdesc *sdesc = drbg->priv_data; 1461 if (sdesc) { 1462 crypto_free_shash(sdesc->shash.tfm); 1463 kfree_sensitive(sdesc); 1464 } 1465 drbg->priv_data = NULL; 1466 return 0; 1467 } 1468 1469 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1470 const unsigned char *key) 1471 { 1472 struct sdesc *sdesc = drbg->priv_data; 1473 1474 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1475 } 1476 1477 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1478 const struct list_head *in) 1479 { 1480 struct sdesc *sdesc = drbg->priv_data; 1481 struct drbg_string *input = NULL; 1482 1483 crypto_shash_init(&sdesc->shash); 1484 list_for_each_entry(input, in, list) 1485 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1486 return crypto_shash_final(&sdesc->shash, outval); 1487 } 1488 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1489 1490 #ifdef CONFIG_CRYPTO_DRBG_CTR 1491 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1492 { 1493 struct aes_enckey *aeskey = drbg->priv_data; 1494 1495 kfree(aeskey); 1496 drbg->priv_data = NULL; 1497 1498 if (drbg->ctr_handle) 1499 crypto_free_skcipher(drbg->ctr_handle); 1500 drbg->ctr_handle = NULL; 1501 1502 if (drbg->ctr_req) 1503 skcipher_request_free(drbg->ctr_req); 1504 drbg->ctr_req = NULL; 1505 1506 kfree(drbg->outscratchpadbuf); 1507 drbg->outscratchpadbuf = NULL; 1508 1509 return 0; 1510 } 1511 1512 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1513 { 1514 struct aes_enckey *aeskey; 1515 struct crypto_skcipher *sk_tfm; 1516 struct skcipher_request *req; 1517 unsigned int alignmask; 1518 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1519 1520 aeskey = kzalloc(sizeof(*aeskey), GFP_KERNEL); 1521 if (!aeskey) 1522 return -ENOMEM; 1523 drbg->priv_data = aeskey; 1524 1525 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1526 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1527 drbg_fini_sym_kernel(drbg); 1528 return -EINVAL; 1529 } 1530 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1531 if (IS_ERR(sk_tfm)) { 1532 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1533 ctr_name); 1534 drbg_fini_sym_kernel(drbg); 1535 return PTR_ERR(sk_tfm); 1536 } 1537 drbg->ctr_handle = sk_tfm; 1538 crypto_init_wait(&drbg->ctr_wait); 1539 1540 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1541 if (!req) { 1542 pr_info("DRBG: could not allocate request queue\n"); 1543 drbg_fini_sym_kernel(drbg); 1544 return -ENOMEM; 1545 } 1546 drbg->ctr_req = req; 1547 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1548 CRYPTO_TFM_REQ_MAY_SLEEP, 1549 crypto_req_done, &drbg->ctr_wait); 1550 1551 alignmask = crypto_skcipher_alignmask(sk_tfm); 1552 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1553 GFP_KERNEL); 1554 if (!drbg->outscratchpadbuf) { 1555 drbg_fini_sym_kernel(drbg); 1556 return -ENOMEM; 1557 } 1558 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1559 alignmask + 1); 1560 1561 sg_init_table(&drbg->sg_in, 1); 1562 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1563 1564 return alignmask; 1565 } 1566 1567 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1568 u8 *inbuf, u32 inlen, 1569 u8 *outbuf, u32 outlen) 1570 { 1571 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1572 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1573 int ret; 1574 1575 if (inbuf) { 1576 /* Use caller-provided input buffer */ 1577 sg_set_buf(sg_in, inbuf, inlen); 1578 } else { 1579 /* Use scratchpad for in-place operation */ 1580 inlen = scratchpad_use; 1581 memset(drbg->outscratchpad, 0, scratchpad_use); 1582 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1583 } 1584 1585 while (outlen) { 1586 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1587 1588 /* Output buffer may not be valid for SGL, use scratchpad */ 1589 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1590 cryptlen, drbg->V); 1591 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1592 &drbg->ctr_wait); 1593 if (ret) 1594 goto out; 1595 1596 crypto_init_wait(&drbg->ctr_wait); 1597 1598 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1599 memzero_explicit(drbg->outscratchpad, cryptlen); 1600 1601 outlen -= cryptlen; 1602 outbuf += cryptlen; 1603 } 1604 ret = 0; 1605 1606 out: 1607 return ret; 1608 } 1609 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1610 1611 /*************************************************************** 1612 * Kernel crypto API interface to register DRBG 1613 ***************************************************************/ 1614 1615 /* 1616 * Look up the DRBG flags by given kernel crypto API cra_name 1617 * The code uses the drbg_cores definition to do this 1618 * 1619 * @cra_name kernel crypto API cra_name 1620 * @coreref reference to integer which is filled with the pointer to 1621 * the applicable core 1622 * @pr reference for setting prediction resistance 1623 * 1624 * return: flags 1625 */ 1626 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1627 int *coreref, bool *pr) 1628 { 1629 int i = 0; 1630 size_t start = 0; 1631 int len = 0; 1632 1633 *pr = true; 1634 /* disassemble the names */ 1635 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1636 start = 10; 1637 *pr = false; 1638 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1639 start = 8; 1640 } else { 1641 return; 1642 } 1643 1644 /* remove the first part */ 1645 len = strlen(cra_driver_name) - start; 1646 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1647 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1648 len)) { 1649 *coreref = i; 1650 return; 1651 } 1652 } 1653 } 1654 1655 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1656 { 1657 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1658 1659 mutex_init(&drbg->drbg_mutex); 1660 1661 return 0; 1662 } 1663 1664 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1665 { 1666 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1667 } 1668 1669 /* 1670 * Generate random numbers invoked by the kernel crypto API: 1671 * The API of the kernel crypto API is extended as follows: 1672 * 1673 * src is additional input supplied to the RNG. 1674 * slen is the length of src. 1675 * dst is the output buffer where random data is to be stored. 1676 * dlen is the length of dst. 1677 */ 1678 static int drbg_kcapi_random(struct crypto_rng *tfm, 1679 const u8 *src, unsigned int slen, 1680 u8 *dst, unsigned int dlen) 1681 { 1682 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1683 struct drbg_string *addtl = NULL; 1684 struct drbg_string string; 1685 1686 if (slen) { 1687 /* linked list variable is now local to allow modification */ 1688 drbg_string_fill(&string, src, slen); 1689 addtl = &string; 1690 } 1691 1692 return drbg_generate_long(drbg, dst, dlen, addtl); 1693 } 1694 1695 /* 1696 * Seed the DRBG invoked by the kernel crypto API 1697 */ 1698 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1699 const u8 *seed, unsigned int slen) 1700 { 1701 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1702 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1703 bool pr = false; 1704 struct drbg_string string; 1705 struct drbg_string *seed_string = NULL; 1706 int coreref = 0; 1707 1708 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1709 &pr); 1710 if (0 < slen) { 1711 drbg_string_fill(&string, seed, slen); 1712 seed_string = &string; 1713 } 1714 1715 return drbg_instantiate(drbg, seed_string, coreref, pr); 1716 } 1717 1718 /*************************************************************** 1719 * Kernel module: code to load the module 1720 ***************************************************************/ 1721 1722 /* 1723 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1724 * of the error handling. 1725 * 1726 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1727 * as seed source of get_random_bytes does not fail. 1728 * 1729 * Note 2: There is no sensible way of testing the reseed counter 1730 * enforcement, so skip it. 1731 */ 1732 static inline int __init drbg_healthcheck_sanity(void) 1733 { 1734 int len = 0; 1735 #define OUTBUFLEN 16 1736 unsigned char buf[OUTBUFLEN]; 1737 struct drbg_state *drbg = NULL; 1738 int ret; 1739 int rc = -EFAULT; 1740 bool pr = false; 1741 int coreref = 0; 1742 struct drbg_string addtl; 1743 size_t max_addtllen, max_request_bytes; 1744 1745 /* only perform test in FIPS mode */ 1746 if (!fips_enabled) 1747 return 0; 1748 1749 #ifdef CONFIG_CRYPTO_DRBG_CTR 1750 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 1751 #endif 1752 #ifdef CONFIG_CRYPTO_DRBG_HASH 1753 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1754 #endif 1755 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1756 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 1757 #endif 1758 1759 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1760 if (!drbg) 1761 return -ENOMEM; 1762 1763 mutex_init(&drbg->drbg_mutex); 1764 drbg->core = &drbg_cores[coreref]; 1765 drbg->reseed_threshold = drbg_max_requests(drbg); 1766 1767 /* 1768 * if the following tests fail, it is likely that there is a buffer 1769 * overflow as buf is much smaller than the requested or provided 1770 * string lengths -- in case the error handling does not succeed 1771 * we may get an OOPS. And we want to get an OOPS as this is a 1772 * grave bug. 1773 */ 1774 1775 max_addtllen = drbg_max_addtl(drbg); 1776 max_request_bytes = drbg_max_request_bytes(drbg); 1777 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1778 /* overflow addtllen with additonal info string */ 1779 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1780 BUG_ON(0 < len); 1781 /* overflow max_bits */ 1782 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1783 BUG_ON(0 < len); 1784 1785 /* overflow max addtllen with personalization string */ 1786 ret = drbg_seed(drbg, &addtl, false); 1787 BUG_ON(0 == ret); 1788 /* all tests passed */ 1789 rc = 0; 1790 1791 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1792 "completed\n"); 1793 1794 kfree(drbg); 1795 return rc; 1796 } 1797 1798 static struct rng_alg drbg_algs[22]; 1799 1800 /* 1801 * Fill the array drbg_algs used to register the different DRBGs 1802 * with the kernel crypto API. To fill the array, the information 1803 * from drbg_cores[] is used. 1804 */ 1805 static inline void __init drbg_fill_array(struct rng_alg *alg, 1806 const struct drbg_core *core, int pr) 1807 { 1808 int pos = 0; 1809 static int priority = 200; 1810 1811 memcpy(alg->base.cra_name, "stdrng", 6); 1812 if (pr) { 1813 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1814 pos = 8; 1815 } else { 1816 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1817 pos = 10; 1818 } 1819 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1820 strlen(core->cra_name)); 1821 1822 alg->base.cra_priority = priority; 1823 priority++; 1824 /* 1825 * If FIPS mode enabled, the selected DRBG shall have the 1826 * highest cra_priority over other stdrng instances to ensure 1827 * it is selected. 1828 */ 1829 if (fips_enabled) 1830 alg->base.cra_priority += 200; 1831 1832 alg->base.cra_ctxsize = sizeof(struct drbg_state); 1833 alg->base.cra_module = THIS_MODULE; 1834 alg->base.cra_init = drbg_kcapi_init; 1835 alg->base.cra_exit = drbg_kcapi_cleanup; 1836 alg->generate = drbg_kcapi_random; 1837 alg->seed = drbg_kcapi_seed; 1838 alg->set_ent = drbg_kcapi_set_entropy; 1839 alg->seedsize = 0; 1840 } 1841 1842 static int __init drbg_init(void) 1843 { 1844 unsigned int i = 0; /* pointer to drbg_algs */ 1845 unsigned int j = 0; /* pointer to drbg_cores */ 1846 int ret; 1847 1848 ret = drbg_healthcheck_sanity(); 1849 if (ret) 1850 return ret; 1851 1852 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1853 pr_info("DRBG: Cannot register all DRBG types" 1854 "(slots needed: %zu, slots available: %zu)\n", 1855 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1856 return -EFAULT; 1857 } 1858 1859 /* 1860 * each DRBG definition can be used with PR and without PR, thus 1861 * we instantiate each DRBG in drbg_cores[] twice. 1862 * 1863 * As the order of placing them into the drbg_algs array matters 1864 * (the later DRBGs receive a higher cra_priority) we register the 1865 * prediction resistance DRBGs first as the should not be too 1866 * interesting. 1867 */ 1868 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1869 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1870 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1871 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1872 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1873 } 1874 1875 static void __exit drbg_exit(void) 1876 { 1877 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1878 } 1879 1880 module_init(drbg_init); 1881 module_exit(drbg_exit); 1882 #ifndef CRYPTO_DRBG_HASH_STRING 1883 #define CRYPTO_DRBG_HASH_STRING "" 1884 #endif 1885 #ifndef CRYPTO_DRBG_HMAC_STRING 1886 #define CRYPTO_DRBG_HMAC_STRING "" 1887 #endif 1888 #ifndef CRYPTO_DRBG_CTR_STRING 1889 #define CRYPTO_DRBG_CTR_STRING "" 1890 #endif 1891 MODULE_LICENSE("GPL"); 1892 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1893 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1894 "using following cores: " 1895 CRYPTO_DRBG_HASH_STRING 1896 CRYPTO_DRBG_HMAC_STRING 1897 CRYPTO_DRBG_CTR_STRING); 1898 MODULE_ALIAS_CRYPTO("stdrng"); 1899 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 1900