1/* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100#include <crypto/drbg.h> 101 102/*************************************************************** 103 * Backend cipher definitions available to DRBG 104 ***************************************************************/ 105 106/* 107 * The order of the DRBG definitions here matter: every DRBG is registered 108 * as stdrng. Each DRBG receives an increasing cra_priority values the later 109 * they are defined in this array (see drbg_fill_array). 110 * 111 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 112 * the SHA256 / AES 256 over other ciphers. Thus, the favored 113 * DRBGs are the latest entries in this array. 114 */ 115static const struct drbg_core drbg_cores[] = { 116#ifdef CONFIG_CRYPTO_DRBG_CTR 117 { 118 .flags = DRBG_CTR | DRBG_STRENGTH128, 119 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 120 .blocklen_bytes = 16, 121 .cra_name = "ctr_aes128", 122 .backend_cra_name = "aes", 123 }, { 124 .flags = DRBG_CTR | DRBG_STRENGTH192, 125 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 126 .blocklen_bytes = 16, 127 .cra_name = "ctr_aes192", 128 .backend_cra_name = "aes", 129 }, { 130 .flags = DRBG_CTR | DRBG_STRENGTH256, 131 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 132 .blocklen_bytes = 16, 133 .cra_name = "ctr_aes256", 134 .backend_cra_name = "aes", 135 }, 136#endif /* CONFIG_CRYPTO_DRBG_CTR */ 137#ifdef CONFIG_CRYPTO_DRBG_HASH 138 { 139 .flags = DRBG_HASH | DRBG_STRENGTH128, 140 .statelen = 55, /* 440 bits */ 141 .blocklen_bytes = 20, 142 .cra_name = "sha1", 143 .backend_cra_name = "sha1", 144 }, { 145 .flags = DRBG_HASH | DRBG_STRENGTH256, 146 .statelen = 111, /* 888 bits */ 147 .blocklen_bytes = 48, 148 .cra_name = "sha384", 149 .backend_cra_name = "sha384", 150 }, { 151 .flags = DRBG_HASH | DRBG_STRENGTH256, 152 .statelen = 111, /* 888 bits */ 153 .blocklen_bytes = 64, 154 .cra_name = "sha512", 155 .backend_cra_name = "sha512", 156 }, { 157 .flags = DRBG_HASH | DRBG_STRENGTH256, 158 .statelen = 55, /* 440 bits */ 159 .blocklen_bytes = 32, 160 .cra_name = "sha256", 161 .backend_cra_name = "sha256", 162 }, 163#endif /* CONFIG_CRYPTO_DRBG_HASH */ 164#ifdef CONFIG_CRYPTO_DRBG_HMAC 165 { 166 .flags = DRBG_HMAC | DRBG_STRENGTH128, 167 .statelen = 20, /* block length of cipher */ 168 .blocklen_bytes = 20, 169 .cra_name = "hmac_sha1", 170 .backend_cra_name = "hmac(sha1)", 171 }, { 172 .flags = DRBG_HMAC | DRBG_STRENGTH256, 173 .statelen = 48, /* block length of cipher */ 174 .blocklen_bytes = 48, 175 .cra_name = "hmac_sha384", 176 .backend_cra_name = "hmac(sha384)", 177 }, { 178 .flags = DRBG_HMAC | DRBG_STRENGTH256, 179 .statelen = 64, /* block length of cipher */ 180 .blocklen_bytes = 64, 181 .cra_name = "hmac_sha512", 182 .backend_cra_name = "hmac(sha512)", 183 }, { 184 .flags = DRBG_HMAC | DRBG_STRENGTH256, 185 .statelen = 32, /* block length of cipher */ 186 .blocklen_bytes = 32, 187 .cra_name = "hmac_sha256", 188 .backend_cra_name = "hmac(sha256)", 189 }, 190#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 191}; 192 193/****************************************************************** 194 * Generic helper functions 195 ******************************************************************/ 196 197/* 198 * Return strength of DRBG according to SP800-90A section 8.4 199 * 200 * @flags DRBG flags reference 201 * 202 * Return: normalized strength in *bytes* value or 32 as default 203 * to counter programming errors 204 */ 205static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 206{ 207 switch (flags & DRBG_STRENGTH_MASK) { 208 case DRBG_STRENGTH128: 209 return 16; 210 case DRBG_STRENGTH192: 211 return 24; 212 case DRBG_STRENGTH256: 213 return 32; 214 default: 215 return 32; 216 } 217} 218 219/* 220 * FIPS 140-2 continuous self test 221 * The test is performed on the result of one round of the output 222 * function. Thus, the function implicitly knows the size of the 223 * buffer. 224 * 225 * @drbg DRBG handle 226 * @buf output buffer of random data to be checked 227 * 228 * return: 229 * true on success 230 * false on error 231 */ 232static bool drbg_fips_continuous_test(struct drbg_state *drbg, 233 const unsigned char *buf) 234{ 235#ifdef CONFIG_CRYPTO_FIPS 236 int ret = 0; 237 /* skip test if we test the overall system */ 238 if (drbg->test_data) 239 return true; 240 /* only perform test in FIPS mode */ 241 if (0 == fips_enabled) 242 return true; 243 if (!drbg->fips_primed) { 244 /* Priming of FIPS test */ 245 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 246 drbg->fips_primed = true; 247 /* return false due to priming, i.e. another round is needed */ 248 return false; 249 } 250 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 251 if (!ret) 252 panic("DRBG continuous self test failed\n"); 253 memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 254 /* the test shall pass when the two compared values are not equal */ 255 return ret != 0; 256#else 257 return true; 258#endif /* CONFIG_CRYPTO_FIPS */ 259} 260 261/* 262 * Convert an integer into a byte representation of this integer. 263 * The byte representation is big-endian 264 * 265 * @val value to be converted 266 * @buf buffer holding the converted integer -- caller must ensure that 267 * buffer size is at least 32 bit 268 */ 269#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 270static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 271{ 272 struct s { 273 __be32 conv; 274 }; 275 struct s *conversion = (struct s *) buf; 276 277 conversion->conv = cpu_to_be32(val); 278} 279#endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 280 281/****************************************************************** 282 * CTR DRBG callback functions 283 ******************************************************************/ 284 285#ifdef CONFIG_CRYPTO_DRBG_CTR 286#define CRYPTO_DRBG_CTR_STRING "CTR " 287MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 288MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 289MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 290MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 291MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 292MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 293 294static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 295 unsigned char *outval, const struct drbg_string *in); 296static int drbg_init_sym_kernel(struct drbg_state *drbg); 297static int drbg_fini_sym_kernel(struct drbg_state *drbg); 298 299/* BCC function for CTR DRBG as defined in 10.4.3 */ 300static int drbg_ctr_bcc(struct drbg_state *drbg, 301 unsigned char *out, const unsigned char *key, 302 struct list_head *in) 303{ 304 int ret = 0; 305 struct drbg_string *curr = NULL; 306 struct drbg_string data; 307 short cnt = 0; 308 309 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 310 311 /* 10.4.3 step 2 / 4 */ 312 list_for_each_entry(curr, in, list) { 313 const unsigned char *pos = curr->buf; 314 size_t len = curr->len; 315 /* 10.4.3 step 4.1 */ 316 while (len) { 317 /* 10.4.3 step 4.2 */ 318 if (drbg_blocklen(drbg) == cnt) { 319 cnt = 0; 320 ret = drbg_kcapi_sym(drbg, key, out, &data); 321 if (ret) 322 return ret; 323 } 324 out[cnt] ^= *pos; 325 pos++; 326 cnt++; 327 len--; 328 } 329 } 330 /* 10.4.3 step 4.2 for last block */ 331 if (cnt) 332 ret = drbg_kcapi_sym(drbg, key, out, &data); 333 334 return ret; 335} 336 337/* 338 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 339 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 340 * the scratchpad is used as follows: 341 * drbg_ctr_update: 342 * temp 343 * start: drbg->scratchpad 344 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 345 * note: the cipher writing into this variable works 346 * blocklen-wise. Now, when the statelen is not a multiple 347 * of blocklen, the generateion loop below "spills over" 348 * by at most blocklen. Thus, we need to give sufficient 349 * memory. 350 * df_data 351 * start: drbg->scratchpad + 352 * drbg_statelen(drbg) + drbg_blocklen(drbg) 353 * length: drbg_statelen(drbg) 354 * 355 * drbg_ctr_df: 356 * pad 357 * start: df_data + drbg_statelen(drbg) 358 * length: drbg_blocklen(drbg) 359 * iv 360 * start: pad + drbg_blocklen(drbg) 361 * length: drbg_blocklen(drbg) 362 * temp 363 * start: iv + drbg_blocklen(drbg) 364 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 365 * note: temp is the buffer that the BCC function operates 366 * on. BCC operates blockwise. drbg_statelen(drbg) 367 * is sufficient when the DRBG state length is a multiple 368 * of the block size. For AES192 (and maybe other ciphers) 369 * this is not correct and the length for temp is 370 * insufficient (yes, that also means for such ciphers, 371 * the final output of all BCC rounds are truncated). 372 * Therefore, add drbg_blocklen(drbg) to cover all 373 * possibilities. 374 */ 375 376/* Derivation Function for CTR DRBG as defined in 10.4.2 */ 377static int drbg_ctr_df(struct drbg_state *drbg, 378 unsigned char *df_data, size_t bytes_to_return, 379 struct list_head *seedlist) 380{ 381 int ret = -EFAULT; 382 unsigned char L_N[8]; 383 /* S3 is input */ 384 struct drbg_string S1, S2, S4, cipherin; 385 LIST_HEAD(bcc_list); 386 unsigned char *pad = df_data + drbg_statelen(drbg); 387 unsigned char *iv = pad + drbg_blocklen(drbg); 388 unsigned char *temp = iv + drbg_blocklen(drbg); 389 size_t padlen = 0; 390 unsigned int templen = 0; 391 /* 10.4.2 step 7 */ 392 unsigned int i = 0; 393 /* 10.4.2 step 8 */ 394 const unsigned char *K = (unsigned char *) 395 "\x00\x01\x02\x03\x04\x05\x06\x07" 396 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 397 "\x10\x11\x12\x13\x14\x15\x16\x17" 398 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 399 unsigned char *X; 400 size_t generated_len = 0; 401 size_t inputlen = 0; 402 struct drbg_string *seed = NULL; 403 404 memset(pad, 0, drbg_blocklen(drbg)); 405 memset(iv, 0, drbg_blocklen(drbg)); 406 407 /* 10.4.2 step 1 is implicit as we work byte-wise */ 408 409 /* 10.4.2 step 2 */ 410 if ((512/8) < bytes_to_return) 411 return -EINVAL; 412 413 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 414 list_for_each_entry(seed, seedlist, list) 415 inputlen += seed->len; 416 drbg_cpu_to_be32(inputlen, &L_N[0]); 417 418 /* 10.4.2 step 3 */ 419 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 420 421 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 422 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 423 /* wrap the padlen appropriately */ 424 if (padlen) 425 padlen = drbg_blocklen(drbg) - padlen; 426 /* 427 * pad / padlen contains the 0x80 byte and the following zero bytes. 428 * As the calculated padlen value only covers the number of zero 429 * bytes, this value has to be incremented by one for the 0x80 byte. 430 */ 431 padlen++; 432 pad[0] = 0x80; 433 434 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 435 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 436 list_add_tail(&S1.list, &bcc_list); 437 drbg_string_fill(&S2, L_N, sizeof(L_N)); 438 list_add_tail(&S2.list, &bcc_list); 439 list_splice_tail(seedlist, &bcc_list); 440 drbg_string_fill(&S4, pad, padlen); 441 list_add_tail(&S4.list, &bcc_list); 442 443 /* 10.4.2 step 9 */ 444 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 445 /* 446 * 10.4.2 step 9.1 - the padding is implicit as the buffer 447 * holds zeros after allocation -- even the increment of i 448 * is irrelevant as the increment remains within length of i 449 */ 450 drbg_cpu_to_be32(i, iv); 451 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 452 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 453 if (ret) 454 goto out; 455 /* 10.4.2 step 9.3 */ 456 i++; 457 templen += drbg_blocklen(drbg); 458 } 459 460 /* 10.4.2 step 11 */ 461 X = temp + (drbg_keylen(drbg)); 462 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 463 464 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 465 466 /* 10.4.2 step 13 */ 467 while (generated_len < bytes_to_return) { 468 short blocklen = 0; 469 /* 470 * 10.4.2 step 13.1: the truncation of the key length is 471 * implicit as the key is only drbg_blocklen in size based on 472 * the implementation of the cipher function callback 473 */ 474 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 475 if (ret) 476 goto out; 477 blocklen = (drbg_blocklen(drbg) < 478 (bytes_to_return - generated_len)) ? 479 drbg_blocklen(drbg) : 480 (bytes_to_return - generated_len); 481 /* 10.4.2 step 13.2 and 14 */ 482 memcpy(df_data + generated_len, X, blocklen); 483 generated_len += blocklen; 484 } 485 486 ret = 0; 487 488out: 489 memset(iv, 0, drbg_blocklen(drbg)); 490 memset(temp, 0, drbg_statelen(drbg)); 491 memset(pad, 0, drbg_blocklen(drbg)); 492 return ret; 493} 494 495/* 496 * update function of CTR DRBG as defined in 10.2.1.2 497 * 498 * The reseed variable has an enhanced meaning compared to the update 499 * functions of the other DRBGs as follows: 500 * 0 => initial seed from initialization 501 * 1 => reseed via drbg_seed 502 * 2 => first invocation from drbg_ctr_update when addtl is present. In 503 * this case, the df_data scratchpad is not deleted so that it is 504 * available for another calls to prevent calling the DF function 505 * again. 506 * 3 => second invocation from drbg_ctr_update. When the update function 507 * was called with addtl, the df_data memory already contains the 508 * DFed addtl information and we do not need to call DF again. 509 */ 510static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 511 int reseed) 512{ 513 int ret = -EFAULT; 514 /* 10.2.1.2 step 1 */ 515 unsigned char *temp = drbg->scratchpad; 516 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 517 drbg_blocklen(drbg); 518 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 519 unsigned int len = 0; 520 struct drbg_string cipherin; 521 522 if (3 > reseed) 523 memset(df_data, 0, drbg_statelen(drbg)); 524 525 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 526 if (seed) { 527 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 528 if (ret) 529 goto out; 530 } 531 532 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 533 /* 534 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 535 * zeroizes all memory during initialization 536 */ 537 while (len < (drbg_statelen(drbg))) { 538 /* 10.2.1.2 step 2.1 */ 539 crypto_inc(drbg->V, drbg_blocklen(drbg)); 540 /* 541 * 10.2.1.2 step 2.2 */ 542 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 543 if (ret) 544 goto out; 545 /* 10.2.1.2 step 2.3 and 3 */ 546 len += drbg_blocklen(drbg); 547 } 548 549 /* 10.2.1.2 step 4 */ 550 temp_p = temp; 551 df_data_p = df_data; 552 for (len = 0; len < drbg_statelen(drbg); len++) { 553 *temp_p ^= *df_data_p; 554 df_data_p++; temp_p++; 555 } 556 557 /* 10.2.1.2 step 5 */ 558 memcpy(drbg->C, temp, drbg_keylen(drbg)); 559 /* 10.2.1.2 step 6 */ 560 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 561 ret = 0; 562 563out: 564 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 565 if (2 != reseed) 566 memset(df_data, 0, drbg_statelen(drbg)); 567 return ret; 568} 569 570/* 571 * scratchpad use: drbg_ctr_update is called independently from 572 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 573 */ 574/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 575static int drbg_ctr_generate(struct drbg_state *drbg, 576 unsigned char *buf, unsigned int buflen, 577 struct list_head *addtl) 578{ 579 int len = 0; 580 int ret = 0; 581 struct drbg_string data; 582 583 /* 10.2.1.5.2 step 2 */ 584 if (addtl && !list_empty(addtl)) { 585 ret = drbg_ctr_update(drbg, addtl, 2); 586 if (ret) 587 return 0; 588 } 589 590 /* 10.2.1.5.2 step 4.1 */ 591 crypto_inc(drbg->V, drbg_blocklen(drbg)); 592 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 593 while (len < buflen) { 594 int outlen = 0; 595 /* 10.2.1.5.2 step 4.2 */ 596 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 597 if (ret) { 598 len = ret; 599 goto out; 600 } 601 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 602 drbg_blocklen(drbg) : (buflen - len); 603 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 604 /* 10.2.1.5.2 step 6 */ 605 crypto_inc(drbg->V, drbg_blocklen(drbg)); 606 continue; 607 } 608 /* 10.2.1.5.2 step 4.3 */ 609 memcpy(buf + len, drbg->scratchpad, outlen); 610 len += outlen; 611 /* 10.2.1.5.2 step 6 */ 612 if (len < buflen) 613 crypto_inc(drbg->V, drbg_blocklen(drbg)); 614 } 615 616 /* 10.2.1.5.2 step 6 */ 617 ret = drbg_ctr_update(drbg, NULL, 3); 618 if (ret) 619 len = ret; 620 621out: 622 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 623 return len; 624} 625 626static struct drbg_state_ops drbg_ctr_ops = { 627 .update = drbg_ctr_update, 628 .generate = drbg_ctr_generate, 629 .crypto_init = drbg_init_sym_kernel, 630 .crypto_fini = drbg_fini_sym_kernel, 631}; 632#endif /* CONFIG_CRYPTO_DRBG_CTR */ 633 634/****************************************************************** 635 * HMAC DRBG callback functions 636 ******************************************************************/ 637 638#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 639static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 640 unsigned char *outval, const struct list_head *in); 641static int drbg_init_hash_kernel(struct drbg_state *drbg); 642static int drbg_fini_hash_kernel(struct drbg_state *drbg); 643#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 644 645#ifdef CONFIG_CRYPTO_DRBG_HMAC 646#define CRYPTO_DRBG_HMAC_STRING "HMAC " 647MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 648MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 649MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 650MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 651MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 652MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 653MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 654MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 655 656/* update function of HMAC DRBG as defined in 10.1.2.2 */ 657static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 658 int reseed) 659{ 660 int ret = -EFAULT; 661 int i = 0; 662 struct drbg_string seed1, seed2, vdata; 663 LIST_HEAD(seedlist); 664 LIST_HEAD(vdatalist); 665 666 if (!reseed) 667 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 668 memset(drbg->V, 1, drbg_statelen(drbg)); 669 670 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 671 list_add_tail(&seed1.list, &seedlist); 672 /* buffer of seed2 will be filled in for loop below with one byte */ 673 drbg_string_fill(&seed2, NULL, 1); 674 list_add_tail(&seed2.list, &seedlist); 675 /* input data of seed is allowed to be NULL at this point */ 676 if (seed) 677 list_splice_tail(seed, &seedlist); 678 679 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 680 list_add_tail(&vdata.list, &vdatalist); 681 for (i = 2; 0 < i; i--) { 682 /* first round uses 0x0, second 0x1 */ 683 unsigned char prefix = DRBG_PREFIX0; 684 if (1 == i) 685 prefix = DRBG_PREFIX1; 686 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 687 seed2.buf = &prefix; 688 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 689 if (ret) 690 return ret; 691 692 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 693 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 694 if (ret) 695 return ret; 696 697 /* 10.1.2.2 step 3 */ 698 if (!seed) 699 return ret; 700 } 701 702 return 0; 703} 704 705/* generate function of HMAC DRBG as defined in 10.1.2.5 */ 706static int drbg_hmac_generate(struct drbg_state *drbg, 707 unsigned char *buf, 708 unsigned int buflen, 709 struct list_head *addtl) 710{ 711 int len = 0; 712 int ret = 0; 713 struct drbg_string data; 714 LIST_HEAD(datalist); 715 716 /* 10.1.2.5 step 2 */ 717 if (addtl && !list_empty(addtl)) { 718 ret = drbg_hmac_update(drbg, addtl, 1); 719 if (ret) 720 return ret; 721 } 722 723 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 724 list_add_tail(&data.list, &datalist); 725 while (len < buflen) { 726 unsigned int outlen = 0; 727 /* 10.1.2.5 step 4.1 */ 728 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 729 if (ret) 730 return ret; 731 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 732 drbg_blocklen(drbg) : (buflen - len); 733 if (!drbg_fips_continuous_test(drbg, drbg->V)) 734 continue; 735 736 /* 10.1.2.5 step 4.2 */ 737 memcpy(buf + len, drbg->V, outlen); 738 len += outlen; 739 } 740 741 /* 10.1.2.5 step 6 */ 742 if (addtl && !list_empty(addtl)) 743 ret = drbg_hmac_update(drbg, addtl, 1); 744 else 745 ret = drbg_hmac_update(drbg, NULL, 1); 746 if (ret) 747 return ret; 748 749 return len; 750} 751 752static struct drbg_state_ops drbg_hmac_ops = { 753 .update = drbg_hmac_update, 754 .generate = drbg_hmac_generate, 755 .crypto_init = drbg_init_hash_kernel, 756 .crypto_fini = drbg_fini_hash_kernel, 757}; 758#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 759 760/****************************************************************** 761 * Hash DRBG callback functions 762 ******************************************************************/ 763 764#ifdef CONFIG_CRYPTO_DRBG_HASH 765#define CRYPTO_DRBG_HASH_STRING "HASH " 766MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 767MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 768MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 769MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 770MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 771MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 772MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 773MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 774 775/* 776 * Increment buffer 777 * 778 * @dst buffer to increment 779 * @add value to add 780 */ 781static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 782 const unsigned char *add, size_t addlen) 783{ 784 /* implied: dstlen > addlen */ 785 unsigned char *dstptr; 786 const unsigned char *addptr; 787 unsigned int remainder = 0; 788 size_t len = addlen; 789 790 dstptr = dst + (dstlen-1); 791 addptr = add + (addlen-1); 792 while (len) { 793 remainder += *dstptr + *addptr; 794 *dstptr = remainder & 0xff; 795 remainder >>= 8; 796 len--; dstptr--; addptr--; 797 } 798 len = dstlen - addlen; 799 while (len && remainder > 0) { 800 remainder = *dstptr + 1; 801 *dstptr = remainder & 0xff; 802 remainder >>= 8; 803 len--; dstptr--; 804 } 805} 806 807/* 808 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 809 * interlinked, the scratchpad is used as follows: 810 * drbg_hash_update 811 * start: drbg->scratchpad 812 * length: drbg_statelen(drbg) 813 * drbg_hash_df: 814 * start: drbg->scratchpad + drbg_statelen(drbg) 815 * length: drbg_blocklen(drbg) 816 * 817 * drbg_hash_process_addtl uses the scratchpad, but fully completes 818 * before either of the functions mentioned before are invoked. Therefore, 819 * drbg_hash_process_addtl does not need to be specifically considered. 820 */ 821 822/* Derivation Function for Hash DRBG as defined in 10.4.1 */ 823static int drbg_hash_df(struct drbg_state *drbg, 824 unsigned char *outval, size_t outlen, 825 struct list_head *entropylist) 826{ 827 int ret = 0; 828 size_t len = 0; 829 unsigned char input[5]; 830 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 831 struct drbg_string data; 832 833 /* 10.4.1 step 3 */ 834 input[0] = 1; 835 drbg_cpu_to_be32((outlen * 8), &input[1]); 836 837 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 838 drbg_string_fill(&data, input, 5); 839 list_add(&data.list, entropylist); 840 841 /* 10.4.1 step 4 */ 842 while (len < outlen) { 843 short blocklen = 0; 844 /* 10.4.1 step 4.1 */ 845 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 846 if (ret) 847 goto out; 848 /* 10.4.1 step 4.2 */ 849 input[0]++; 850 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 851 drbg_blocklen(drbg) : (outlen - len); 852 memcpy(outval + len, tmp, blocklen); 853 len += blocklen; 854 } 855 856out: 857 memset(tmp, 0, drbg_blocklen(drbg)); 858 return ret; 859} 860 861/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 862static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 863 int reseed) 864{ 865 int ret = 0; 866 struct drbg_string data1, data2; 867 LIST_HEAD(datalist); 868 LIST_HEAD(datalist2); 869 unsigned char *V = drbg->scratchpad; 870 unsigned char prefix = DRBG_PREFIX1; 871 872 if (!seed) 873 return -EINVAL; 874 875 if (reseed) { 876 /* 10.1.1.3 step 1 */ 877 memcpy(V, drbg->V, drbg_statelen(drbg)); 878 drbg_string_fill(&data1, &prefix, 1); 879 list_add_tail(&data1.list, &datalist); 880 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 881 list_add_tail(&data2.list, &datalist); 882 } 883 list_splice_tail(seed, &datalist); 884 885 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 886 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 887 if (ret) 888 goto out; 889 890 /* 10.1.1.2 / 10.1.1.3 step 4 */ 891 prefix = DRBG_PREFIX0; 892 drbg_string_fill(&data1, &prefix, 1); 893 list_add_tail(&data1.list, &datalist2); 894 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 895 list_add_tail(&data2.list, &datalist2); 896 /* 10.1.1.2 / 10.1.1.3 step 4 */ 897 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 898 899out: 900 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 901 return ret; 902} 903 904/* processing of additional information string for Hash DRBG */ 905static int drbg_hash_process_addtl(struct drbg_state *drbg, 906 struct list_head *addtl) 907{ 908 int ret = 0; 909 struct drbg_string data1, data2; 910 LIST_HEAD(datalist); 911 unsigned char prefix = DRBG_PREFIX2; 912 913 /* 10.1.1.4 step 2 */ 914 if (!addtl || list_empty(addtl)) 915 return 0; 916 917 /* 10.1.1.4 step 2a */ 918 drbg_string_fill(&data1, &prefix, 1); 919 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 920 list_add_tail(&data1.list, &datalist); 921 list_add_tail(&data2.list, &datalist); 922 list_splice_tail(addtl, &datalist); 923 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 924 if (ret) 925 goto out; 926 927 /* 10.1.1.4 step 2b */ 928 drbg_add_buf(drbg->V, drbg_statelen(drbg), 929 drbg->scratchpad, drbg_blocklen(drbg)); 930 931out: 932 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 933 return ret; 934} 935 936/* Hashgen defined in 10.1.1.4 */ 937static int drbg_hash_hashgen(struct drbg_state *drbg, 938 unsigned char *buf, 939 unsigned int buflen) 940{ 941 int len = 0; 942 int ret = 0; 943 unsigned char *src = drbg->scratchpad; 944 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 945 struct drbg_string data; 946 LIST_HEAD(datalist); 947 948 /* 10.1.1.4 step hashgen 2 */ 949 memcpy(src, drbg->V, drbg_statelen(drbg)); 950 951 drbg_string_fill(&data, src, drbg_statelen(drbg)); 952 list_add_tail(&data.list, &datalist); 953 while (len < buflen) { 954 unsigned int outlen = 0; 955 /* 10.1.1.4 step hashgen 4.1 */ 956 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 957 if (ret) { 958 len = ret; 959 goto out; 960 } 961 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 962 drbg_blocklen(drbg) : (buflen - len); 963 if (!drbg_fips_continuous_test(drbg, dst)) { 964 crypto_inc(src, drbg_statelen(drbg)); 965 continue; 966 } 967 /* 10.1.1.4 step hashgen 4.2 */ 968 memcpy(buf + len, dst, outlen); 969 len += outlen; 970 /* 10.1.1.4 hashgen step 4.3 */ 971 if (len < buflen) 972 crypto_inc(src, drbg_statelen(drbg)); 973 } 974 975out: 976 memset(drbg->scratchpad, 0, 977 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 978 return len; 979} 980 981/* generate function for Hash DRBG as defined in 10.1.1.4 */ 982static int drbg_hash_generate(struct drbg_state *drbg, 983 unsigned char *buf, unsigned int buflen, 984 struct list_head *addtl) 985{ 986 int len = 0; 987 int ret = 0; 988 union { 989 unsigned char req[8]; 990 __be64 req_int; 991 } u; 992 unsigned char prefix = DRBG_PREFIX3; 993 struct drbg_string data1, data2; 994 LIST_HEAD(datalist); 995 996 /* 10.1.1.4 step 2 */ 997 ret = drbg_hash_process_addtl(drbg, addtl); 998 if (ret) 999 return ret; 1000 /* 10.1.1.4 step 3 */ 1001 len = drbg_hash_hashgen(drbg, buf, buflen); 1002 1003 /* this is the value H as documented in 10.1.1.4 */ 1004 /* 10.1.1.4 step 4 */ 1005 drbg_string_fill(&data1, &prefix, 1); 1006 list_add_tail(&data1.list, &datalist); 1007 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1008 list_add_tail(&data2.list, &datalist); 1009 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1010 if (ret) { 1011 len = ret; 1012 goto out; 1013 } 1014 1015 /* 10.1.1.4 step 5 */ 1016 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1017 drbg->scratchpad, drbg_blocklen(drbg)); 1018 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1019 drbg->C, drbg_statelen(drbg)); 1020 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1021 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1022 1023out: 1024 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1025 return len; 1026} 1027 1028/* 1029 * scratchpad usage: as update and generate are used isolated, both 1030 * can use the scratchpad 1031 */ 1032static struct drbg_state_ops drbg_hash_ops = { 1033 .update = drbg_hash_update, 1034 .generate = drbg_hash_generate, 1035 .crypto_init = drbg_init_hash_kernel, 1036 .crypto_fini = drbg_fini_hash_kernel, 1037}; 1038#endif /* CONFIG_CRYPTO_DRBG_HASH */ 1039 1040/****************************************************************** 1041 * Functions common for DRBG implementations 1042 ******************************************************************/ 1043 1044/* 1045 * Seeding or reseeding of the DRBG 1046 * 1047 * @drbg: DRBG state struct 1048 * @pers: personalization / additional information buffer 1049 * @reseed: 0 for initial seed process, 1 for reseeding 1050 * 1051 * return: 1052 * 0 on success 1053 * error value otherwise 1054 */ 1055static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1056 bool reseed) 1057{ 1058 int ret = 0; 1059 unsigned char *entropy = NULL; 1060 size_t entropylen = 0; 1061 struct drbg_string data1; 1062 LIST_HEAD(seedlist); 1063 1064 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1065 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1066 pr_devel("DRBG: personalization string too long %zu\n", 1067 pers->len); 1068 return -EINVAL; 1069 } 1070 1071 if (drbg->test_data && drbg->test_data->testentropy) { 1072 drbg_string_fill(&data1, drbg->test_data->testentropy->buf, 1073 drbg->test_data->testentropy->len); 1074 pr_devel("DRBG: using test entropy\n"); 1075 } else { 1076 /* 1077 * Gather entropy equal to the security strength of the DRBG. 1078 * With a derivation function, a nonce is required in addition 1079 * to the entropy. A nonce must be at least 1/2 of the security 1080 * strength of the DRBG in size. Thus, entropy * nonce is 3/2 1081 * of the strength. The consideration of a nonce is only 1082 * applicable during initial seeding. 1083 */ 1084 entropylen = drbg_sec_strength(drbg->core->flags); 1085 if (!entropylen) 1086 return -EFAULT; 1087 if (!reseed) 1088 entropylen = ((entropylen + 1) / 2) * 3; 1089 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n", 1090 entropylen); 1091 entropy = kzalloc(entropylen, GFP_KERNEL); 1092 if (!entropy) 1093 return -ENOMEM; 1094 get_random_bytes(entropy, entropylen); 1095 drbg_string_fill(&data1, entropy, entropylen); 1096 } 1097 list_add_tail(&data1.list, &seedlist); 1098 1099 /* 1100 * concatenation of entropy with personalization str / addtl input) 1101 * the variable pers is directly handed in by the caller, so check its 1102 * contents whether it is appropriate 1103 */ 1104 if (pers && pers->buf && 0 < pers->len) { 1105 list_add_tail(&pers->list, &seedlist); 1106 pr_devel("DRBG: using personalization string\n"); 1107 } 1108 1109 if (!reseed) { 1110 memset(drbg->V, 0, drbg_statelen(drbg)); 1111 memset(drbg->C, 0, drbg_statelen(drbg)); 1112 } 1113 1114 ret = drbg->d_ops->update(drbg, &seedlist, reseed); 1115 if (ret) 1116 goto out; 1117 1118 drbg->seeded = true; 1119 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1120 drbg->reseed_ctr = 1; 1121 1122out: 1123 kzfree(entropy); 1124 return ret; 1125} 1126 1127/* Free all substructures in a DRBG state without the DRBG state structure */ 1128static inline void drbg_dealloc_state(struct drbg_state *drbg) 1129{ 1130 if (!drbg) 1131 return; 1132 kzfree(drbg->V); 1133 drbg->V = NULL; 1134 kzfree(drbg->C); 1135 drbg->C = NULL; 1136 kzfree(drbg->scratchpad); 1137 drbg->scratchpad = NULL; 1138 drbg->reseed_ctr = 0; 1139#ifdef CONFIG_CRYPTO_FIPS 1140 kzfree(drbg->prev); 1141 drbg->prev = NULL; 1142 drbg->fips_primed = false; 1143#endif 1144} 1145 1146/* 1147 * Allocate all sub-structures for a DRBG state. 1148 * The DRBG state structure must already be allocated. 1149 */ 1150static inline int drbg_alloc_state(struct drbg_state *drbg) 1151{ 1152 int ret = -ENOMEM; 1153 unsigned int sb_size = 0; 1154 1155 drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1156 if (!drbg->V) 1157 goto err; 1158 drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1159 if (!drbg->C) 1160 goto err; 1161#ifdef CONFIG_CRYPTO_FIPS 1162 drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1163 if (!drbg->prev) 1164 goto err; 1165 drbg->fips_primed = false; 1166#endif 1167 /* scratchpad is only generated for CTR and Hash */ 1168 if (drbg->core->flags & DRBG_HMAC) 1169 sb_size = 0; 1170 else if (drbg->core->flags & DRBG_CTR) 1171 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1172 drbg_statelen(drbg) + /* df_data */ 1173 drbg_blocklen(drbg) + /* pad */ 1174 drbg_blocklen(drbg) + /* iv */ 1175 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1176 else 1177 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1178 1179 if (0 < sb_size) { 1180 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1181 if (!drbg->scratchpad) 1182 goto err; 1183 } 1184 spin_lock_init(&drbg->drbg_lock); 1185 return 0; 1186 1187err: 1188 drbg_dealloc_state(drbg); 1189 return ret; 1190} 1191 1192/* 1193 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG 1194 * and perform all operations on this shadow copy. After finishing, restore 1195 * the updated state of the shadow copy into original drbg state. This way, 1196 * only the read and write operations of the original drbg state must be 1197 * locked 1198 */ 1199static inline void drbg_copy_drbg(struct drbg_state *src, 1200 struct drbg_state *dst) 1201{ 1202 if (!src || !dst) 1203 return; 1204 memcpy(dst->V, src->V, drbg_statelen(src)); 1205 memcpy(dst->C, src->C, drbg_statelen(src)); 1206 dst->reseed_ctr = src->reseed_ctr; 1207 dst->seeded = src->seeded; 1208 dst->pr = src->pr; 1209#ifdef CONFIG_CRYPTO_FIPS 1210 dst->fips_primed = src->fips_primed; 1211 memcpy(dst->prev, src->prev, drbg_blocklen(src)); 1212#endif 1213 /* 1214 * Not copied: 1215 * scratchpad is initialized drbg_alloc_state; 1216 * priv_data is initialized with call to crypto_init; 1217 * d_ops and core are set outside, as these parameters are const; 1218 * test_data is set outside to prevent it being copied back. 1219 */ 1220} 1221 1222static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow) 1223{ 1224 int ret = -ENOMEM; 1225 struct drbg_state *tmp = NULL; 1226 1227 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1228 if (!tmp) 1229 return -ENOMEM; 1230 1231 /* read-only data as they are defined as const, no lock needed */ 1232 tmp->core = drbg->core; 1233 tmp->d_ops = drbg->d_ops; 1234 1235 ret = drbg_alloc_state(tmp); 1236 if (ret) 1237 goto err; 1238 1239 spin_lock_bh(&drbg->drbg_lock); 1240 drbg_copy_drbg(drbg, tmp); 1241 /* only make a link to the test buffer, as we only read that data */ 1242 tmp->test_data = drbg->test_data; 1243 spin_unlock_bh(&drbg->drbg_lock); 1244 *shadow = tmp; 1245 return 0; 1246 1247err: 1248 kzfree(tmp); 1249 return ret; 1250} 1251 1252static void drbg_restore_shadow(struct drbg_state *drbg, 1253 struct drbg_state **shadow) 1254{ 1255 struct drbg_state *tmp = *shadow; 1256 1257 spin_lock_bh(&drbg->drbg_lock); 1258 drbg_copy_drbg(tmp, drbg); 1259 spin_unlock_bh(&drbg->drbg_lock); 1260 drbg_dealloc_state(tmp); 1261 kzfree(tmp); 1262 *shadow = NULL; 1263} 1264 1265/************************************************************************* 1266 * DRBG interface functions 1267 *************************************************************************/ 1268 1269/* 1270 * DRBG generate function as required by SP800-90A - this function 1271 * generates random numbers 1272 * 1273 * @drbg DRBG state handle 1274 * @buf Buffer where to store the random numbers -- the buffer must already 1275 * be pre-allocated by caller 1276 * @buflen Length of output buffer - this value defines the number of random 1277 * bytes pulled from DRBG 1278 * @addtl Additional input that is mixed into state, may be NULL -- note 1279 * the entropy is pulled by the DRBG internally unconditionally 1280 * as defined in SP800-90A. The additional input is mixed into 1281 * the state in addition to the pulled entropy. 1282 * 1283 * return: 0 when all bytes are generated; < 0 in case of an error 1284 */ 1285static int drbg_generate(struct drbg_state *drbg, 1286 unsigned char *buf, unsigned int buflen, 1287 struct drbg_string *addtl) 1288{ 1289 int len = 0; 1290 struct drbg_state *shadow = NULL; 1291 LIST_HEAD(addtllist); 1292 struct drbg_string timestamp; 1293 union { 1294 cycles_t cycles; 1295 unsigned char char_cycles[sizeof(cycles_t)]; 1296 } now; 1297 1298 if (0 == buflen || !buf) { 1299 pr_devel("DRBG: no output buffer provided\n"); 1300 return -EINVAL; 1301 } 1302 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1303 pr_devel("DRBG: wrong format of additional information\n"); 1304 return -EINVAL; 1305 } 1306 1307 len = drbg_make_shadow(drbg, &shadow); 1308 if (len) { 1309 pr_devel("DRBG: shadow copy cannot be generated\n"); 1310 return len; 1311 } 1312 1313 /* 9.3.1 step 2 */ 1314 len = -EINVAL; 1315 if (buflen > (drbg_max_request_bytes(shadow))) { 1316 pr_devel("DRBG: requested random numbers too large %u\n", 1317 buflen); 1318 goto err; 1319 } 1320 1321 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1322 1323 /* 9.3.1 step 4 */ 1324 if (addtl && addtl->len > (drbg_max_addtl(shadow))) { 1325 pr_devel("DRBG: additional information string too long %zu\n", 1326 addtl->len); 1327 goto err; 1328 } 1329 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1330 1331 /* 1332 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1333 * here. The spec is a bit convoluted here, we make it simpler. 1334 */ 1335 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr) 1336 shadow->seeded = false; 1337 1338 /* allocate cipher handle */ 1339 len = shadow->d_ops->crypto_init(shadow); 1340 if (len) 1341 goto err; 1342 1343 if (shadow->pr || !shadow->seeded) { 1344 pr_devel("DRBG: reseeding before generation (prediction " 1345 "resistance: %s, state %s)\n", 1346 drbg->pr ? "true" : "false", 1347 drbg->seeded ? "seeded" : "unseeded"); 1348 /* 9.3.1 steps 7.1 through 7.3 */ 1349 len = drbg_seed(shadow, addtl, true); 1350 if (len) 1351 goto err; 1352 /* 9.3.1 step 7.4 */ 1353 addtl = NULL; 1354 } 1355 1356 /* 1357 * Mix the time stamp into the DRBG state if the DRBG is not in 1358 * test mode. If there are two callers invoking the DRBG at the same 1359 * time, i.e. before the first caller merges its shadow state back, 1360 * both callers would obtain the same random number stream without 1361 * changing the state here. 1362 */ 1363 if (!drbg->test_data) { 1364 now.cycles = random_get_entropy(); 1365 drbg_string_fill(×tamp, now.char_cycles, sizeof(cycles_t)); 1366 list_add_tail(×tamp.list, &addtllist); 1367 } 1368 if (addtl && 0 < addtl->len) 1369 list_add_tail(&addtl->list, &addtllist); 1370 /* 9.3.1 step 8 and 10 */ 1371 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist); 1372 1373 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1374 shadow->reseed_ctr++; 1375 if (0 >= len) 1376 goto err; 1377 1378 /* 1379 * Section 11.3.3 requires to re-perform self tests after some 1380 * generated random numbers. The chosen value after which self 1381 * test is performed is arbitrary, but it should be reasonable. 1382 * However, we do not perform the self tests because of the following 1383 * reasons: it is mathematically impossible that the initial self tests 1384 * were successfully and the following are not. If the initial would 1385 * pass and the following would not, the kernel integrity is violated. 1386 * In this case, the entire kernel operation is questionable and it 1387 * is unlikely that the integrity violation only affects the 1388 * correct operation of the DRBG. 1389 * 1390 * Albeit the following code is commented out, it is provided in 1391 * case somebody has a need to implement the test of 11.3.3. 1392 */ 1393#if 0 1394 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) { 1395 int err = 0; 1396 pr_devel("DRBG: start to perform self test\n"); 1397 if (drbg->core->flags & DRBG_HMAC) 1398 err = alg_test("drbg_pr_hmac_sha256", 1399 "drbg_pr_hmac_sha256", 0, 0); 1400 else if (drbg->core->flags & DRBG_CTR) 1401 err = alg_test("drbg_pr_ctr_aes128", 1402 "drbg_pr_ctr_aes128", 0, 0); 1403 else 1404 err = alg_test("drbg_pr_sha256", 1405 "drbg_pr_sha256", 0, 0); 1406 if (err) { 1407 pr_err("DRBG: periodical self test failed\n"); 1408 /* 1409 * uninstantiate implies that from now on, only errors 1410 * are returned when reusing this DRBG cipher handle 1411 */ 1412 drbg_uninstantiate(drbg); 1413 drbg_dealloc_state(shadow); 1414 kzfree(shadow); 1415 return 0; 1416 } else { 1417 pr_devel("DRBG: self test successful\n"); 1418 } 1419 } 1420#endif 1421 1422 /* 1423 * All operations were successful, return 0 as mandated by 1424 * the kernel crypto API interface. 1425 */ 1426 len = 0; 1427err: 1428 shadow->d_ops->crypto_fini(shadow); 1429 drbg_restore_shadow(drbg, &shadow); 1430 return len; 1431} 1432 1433/* 1434 * Wrapper around drbg_generate which can pull arbitrary long strings 1435 * from the DRBG without hitting the maximum request limitation. 1436 * 1437 * Parameters: see drbg_generate 1438 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1439 * the entire drbg_generate_long request fails 1440 */ 1441static int drbg_generate_long(struct drbg_state *drbg, 1442 unsigned char *buf, unsigned int buflen, 1443 struct drbg_string *addtl) 1444{ 1445 int len = 0; 1446 unsigned int slice = 0; 1447 do { 1448 int tmplen = 0; 1449 unsigned int chunk = 0; 1450 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1451 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1452 tmplen = drbg_generate(drbg, buf + len, chunk, addtl); 1453 if (0 >= tmplen) 1454 return tmplen; 1455 len += tmplen; 1456 } while (slice > 0 && (len < buflen)); 1457 return len; 1458} 1459 1460/* 1461 * DRBG instantiation function as required by SP800-90A - this function 1462 * sets up the DRBG handle, performs the initial seeding and all sanity 1463 * checks required by SP800-90A 1464 * 1465 * @drbg memory of state -- if NULL, new memory is allocated 1466 * @pers Personalization string that is mixed into state, may be NULL -- note 1467 * the entropy is pulled by the DRBG internally unconditionally 1468 * as defined in SP800-90A. The additional input is mixed into 1469 * the state in addition to the pulled entropy. 1470 * @coreref reference to core 1471 * @pr prediction resistance enabled 1472 * 1473 * return 1474 * 0 on success 1475 * error value otherwise 1476 */ 1477static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1478 int coreref, bool pr) 1479{ 1480 int ret = -ENOMEM; 1481 1482 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1483 "%s\n", coreref, pr ? "enabled" : "disabled"); 1484 drbg->core = &drbg_cores[coreref]; 1485 drbg->pr = pr; 1486 drbg->seeded = false; 1487 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1488#ifdef CONFIG_CRYPTO_DRBG_HMAC 1489 case DRBG_HMAC: 1490 drbg->d_ops = &drbg_hmac_ops; 1491 break; 1492#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1493#ifdef CONFIG_CRYPTO_DRBG_HASH 1494 case DRBG_HASH: 1495 drbg->d_ops = &drbg_hash_ops; 1496 break; 1497#endif /* CONFIG_CRYPTO_DRBG_HASH */ 1498#ifdef CONFIG_CRYPTO_DRBG_CTR 1499 case DRBG_CTR: 1500 drbg->d_ops = &drbg_ctr_ops; 1501 break; 1502#endif /* CONFIG_CRYPTO_DRBG_CTR */ 1503 default: 1504 return -EOPNOTSUPP; 1505 } 1506 1507 /* 9.1 step 1 is implicit with the selected DRBG type */ 1508 1509 /* 1510 * 9.1 step 2 is implicit as caller can select prediction resistance 1511 * and the flag is copied into drbg->flags -- 1512 * all DRBG types support prediction resistance 1513 */ 1514 1515 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1516 1517 ret = drbg_alloc_state(drbg); 1518 if (ret) 1519 return ret; 1520 1521 ret = -EFAULT; 1522 if (drbg->d_ops->crypto_init(drbg)) 1523 goto err; 1524 ret = drbg_seed(drbg, pers, false); 1525 drbg->d_ops->crypto_fini(drbg); 1526 if (ret) 1527 goto err; 1528 1529 return 0; 1530 1531err: 1532 drbg_dealloc_state(drbg); 1533 return ret; 1534} 1535 1536/* 1537 * DRBG uninstantiate function as required by SP800-90A - this function 1538 * frees all buffers and the DRBG handle 1539 * 1540 * @drbg DRBG state handle 1541 * 1542 * return 1543 * 0 on success 1544 */ 1545static int drbg_uninstantiate(struct drbg_state *drbg) 1546{ 1547 spin_lock_bh(&drbg->drbg_lock); 1548 drbg_dealloc_state(drbg); 1549 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1550 spin_unlock_bh(&drbg->drbg_lock); 1551 return 0; 1552} 1553 1554/* 1555 * Helper function for setting the test data in the DRBG 1556 * 1557 * @drbg DRBG state handle 1558 * @test_data test data to sets 1559 */ 1560static inline void drbg_set_testdata(struct drbg_state *drbg, 1561 struct drbg_test_data *test_data) 1562{ 1563 if (!test_data || !test_data->testentropy) 1564 return; 1565 spin_lock_bh(&drbg->drbg_lock); 1566 drbg->test_data = test_data; 1567 spin_unlock_bh(&drbg->drbg_lock); 1568} 1569 1570/*************************************************************** 1571 * Kernel crypto API cipher invocations requested by DRBG 1572 ***************************************************************/ 1573 1574#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1575struct sdesc { 1576 struct shash_desc shash; 1577 char ctx[]; 1578}; 1579 1580static int drbg_init_hash_kernel(struct drbg_state *drbg) 1581{ 1582 struct sdesc *sdesc; 1583 struct crypto_shash *tfm; 1584 1585 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1586 if (IS_ERR(tfm)) { 1587 pr_info("DRBG: could not allocate digest TFM handle\n"); 1588 return PTR_ERR(tfm); 1589 } 1590 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1591 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1592 GFP_KERNEL); 1593 if (!sdesc) { 1594 crypto_free_shash(tfm); 1595 return -ENOMEM; 1596 } 1597 1598 sdesc->shash.tfm = tfm; 1599 sdesc->shash.flags = 0; 1600 drbg->priv_data = sdesc; 1601 return 0; 1602} 1603 1604static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1605{ 1606 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1607 if (sdesc) { 1608 crypto_free_shash(sdesc->shash.tfm); 1609 kzfree(sdesc); 1610 } 1611 drbg->priv_data = NULL; 1612 return 0; 1613} 1614 1615static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 1616 unsigned char *outval, const struct list_head *in) 1617{ 1618 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1619 struct drbg_string *input = NULL; 1620 1621 if (key) 1622 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1623 crypto_shash_init(&sdesc->shash); 1624 list_for_each_entry(input, in, list) 1625 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1626 return crypto_shash_final(&sdesc->shash, outval); 1627} 1628#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1629 1630#ifdef CONFIG_CRYPTO_DRBG_CTR 1631static int drbg_init_sym_kernel(struct drbg_state *drbg) 1632{ 1633 int ret = 0; 1634 struct crypto_cipher *tfm; 1635 1636 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1637 if (IS_ERR(tfm)) { 1638 pr_info("DRBG: could not allocate cipher TFM handle\n"); 1639 return PTR_ERR(tfm); 1640 } 1641 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1642 drbg->priv_data = tfm; 1643 return ret; 1644} 1645 1646static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1647{ 1648 struct crypto_cipher *tfm = 1649 (struct crypto_cipher *)drbg->priv_data; 1650 if (tfm) 1651 crypto_free_cipher(tfm); 1652 drbg->priv_data = NULL; 1653 return 0; 1654} 1655 1656static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1657 unsigned char *outval, const struct drbg_string *in) 1658{ 1659 struct crypto_cipher *tfm = 1660 (struct crypto_cipher *)drbg->priv_data; 1661 1662 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1663 /* there is only component in *in */ 1664 BUG_ON(in->len < drbg_blocklen(drbg)); 1665 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1666 return 0; 1667} 1668#endif /* CONFIG_CRYPTO_DRBG_CTR */ 1669 1670/*************************************************************** 1671 * Kernel crypto API interface to register DRBG 1672 ***************************************************************/ 1673 1674/* 1675 * Look up the DRBG flags by given kernel crypto API cra_name 1676 * The code uses the drbg_cores definition to do this 1677 * 1678 * @cra_name kernel crypto API cra_name 1679 * @coreref reference to integer which is filled with the pointer to 1680 * the applicable core 1681 * @pr reference for setting prediction resistance 1682 * 1683 * return: flags 1684 */ 1685static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1686 int *coreref, bool *pr) 1687{ 1688 int i = 0; 1689 size_t start = 0; 1690 int len = 0; 1691 1692 *pr = true; 1693 /* disassemble the names */ 1694 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1695 start = 10; 1696 *pr = false; 1697 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1698 start = 8; 1699 } else { 1700 return; 1701 } 1702 1703 /* remove the first part */ 1704 len = strlen(cra_driver_name) - start; 1705 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1706 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1707 len)) { 1708 *coreref = i; 1709 return; 1710 } 1711 } 1712} 1713 1714static int drbg_kcapi_init(struct crypto_tfm *tfm) 1715{ 1716 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1717 bool pr = false; 1718 int coreref = 0; 1719 1720 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr); 1721 /* 1722 * when personalization string is needed, the caller must call reset 1723 * and provide the personalization string as seed information 1724 */ 1725 return drbg_instantiate(drbg, NULL, coreref, pr); 1726} 1727 1728static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1729{ 1730 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1731} 1732 1733/* 1734 * Generate random numbers invoked by the kernel crypto API: 1735 * The API of the kernel crypto API is extended as follows: 1736 * 1737 * If dlen is larger than zero, rdata is interpreted as the output buffer 1738 * where random data is to be stored. 1739 * 1740 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen 1741 * which holds the additional information string that is used for the 1742 * DRBG generation process. The output buffer that is to be used to store 1743 * data is also pointed to by struct drbg_gen. 1744 */ 1745static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata, 1746 unsigned int dlen) 1747{ 1748 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1749 if (0 < dlen) { 1750 return drbg_generate_long(drbg, rdata, dlen, NULL); 1751 } else { 1752 struct drbg_gen *data = (struct drbg_gen *)rdata; 1753 struct drbg_string addtl; 1754 /* catch NULL pointer */ 1755 if (!data) 1756 return 0; 1757 drbg_set_testdata(drbg, data->test_data); 1758 /* linked list variable is now local to allow modification */ 1759 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len); 1760 return drbg_generate_long(drbg, data->outbuf, data->outlen, 1761 &addtl); 1762 } 1763} 1764 1765/* 1766 * Reset the DRBG invoked by the kernel crypto API 1767 * The reset implies a full re-initialization of the DRBG. Similar to the 1768 * generate function of drbg_kcapi_random, this function extends the 1769 * kernel crypto API interface with struct drbg_gen 1770 */ 1771static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen) 1772{ 1773 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1774 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1775 bool pr = false; 1776 struct drbg_string seed_string; 1777 int coreref = 0; 1778 1779 drbg_uninstantiate(drbg); 1780 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1781 &pr); 1782 if (0 < slen) { 1783 drbg_string_fill(&seed_string, seed, slen); 1784 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1785 } else { 1786 struct drbg_gen *data = (struct drbg_gen *)seed; 1787 /* allow invocation of API call with NULL, 0 */ 1788 if (!data) 1789 return drbg_instantiate(drbg, NULL, coreref, pr); 1790 drbg_set_testdata(drbg, data->test_data); 1791 /* linked list variable is now local to allow modification */ 1792 drbg_string_fill(&seed_string, data->addtl->buf, 1793 data->addtl->len); 1794 return drbg_instantiate(drbg, &seed_string, coreref, pr); 1795 } 1796} 1797 1798/*************************************************************** 1799 * Kernel module: code to load the module 1800 ***************************************************************/ 1801 1802/* 1803 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1804 * of the error handling. 1805 * 1806 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1807 * as seed source of get_random_bytes does not fail. 1808 * 1809 * Note 2: There is no sensible way of testing the reseed counter 1810 * enforcement, so skip it. 1811 */ 1812static inline int __init drbg_healthcheck_sanity(void) 1813{ 1814#ifdef CONFIG_CRYPTO_FIPS 1815 int len = 0; 1816#define OUTBUFLEN 16 1817 unsigned char buf[OUTBUFLEN]; 1818 struct drbg_state *drbg = NULL; 1819 int ret = -EFAULT; 1820 int rc = -EFAULT; 1821 bool pr = false; 1822 int coreref = 0; 1823 struct drbg_string addtl; 1824 size_t max_addtllen, max_request_bytes; 1825 1826 /* only perform test in FIPS mode */ 1827 if (!fips_enabled) 1828 return 0; 1829 1830#ifdef CONFIG_CRYPTO_DRBG_CTR 1831 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1832#elif defined CONFIG_CRYPTO_DRBG_HASH 1833 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1834#else 1835 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1836#endif 1837 1838 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1839 if (!drbg) 1840 return -ENOMEM; 1841 1842 /* 1843 * if the following tests fail, it is likely that there is a buffer 1844 * overflow as buf is much smaller than the requested or provided 1845 * string lengths -- in case the error handling does not succeed 1846 * we may get an OOPS. And we want to get an OOPS as this is a 1847 * grave bug. 1848 */ 1849 1850 /* get a valid instance of DRBG for following tests */ 1851 ret = drbg_instantiate(drbg, NULL, coreref, pr); 1852 if (ret) { 1853 rc = ret; 1854 goto outbuf; 1855 } 1856 max_addtllen = drbg_max_addtl(drbg); 1857 max_request_bytes = drbg_max_request_bytes(drbg); 1858 drbg_string_fill(&addtl, buf, max_addtllen + 1); 1859 /* overflow addtllen with additonal info string */ 1860 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1861 BUG_ON(0 < len); 1862 /* overflow max_bits */ 1863 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1864 BUG_ON(0 < len); 1865 drbg_uninstantiate(drbg); 1866 1867 /* overflow max addtllen with personalization string */ 1868 ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1869 BUG_ON(0 == ret); 1870 /* all tests passed */ 1871 rc = 0; 1872 1873 pr_devel("DRBG: Sanity tests for failure code paths successfully " 1874 "completed\n"); 1875 1876 drbg_uninstantiate(drbg); 1877outbuf: 1878 kzfree(drbg); 1879 return rc; 1880#else /* CONFIG_CRYPTO_FIPS */ 1881 return 0; 1882#endif /* CONFIG_CRYPTO_FIPS */ 1883} 1884 1885static struct crypto_alg drbg_algs[22]; 1886 1887/* 1888 * Fill the array drbg_algs used to register the different DRBGs 1889 * with the kernel crypto API. To fill the array, the information 1890 * from drbg_cores[] is used. 1891 */ 1892static inline void __init drbg_fill_array(struct crypto_alg *alg, 1893 const struct drbg_core *core, int pr) 1894{ 1895 int pos = 0; 1896 static int priority = 100; 1897 1898 memset(alg, 0, sizeof(struct crypto_alg)); 1899 memcpy(alg->cra_name, "stdrng", 6); 1900 if (pr) { 1901 memcpy(alg->cra_driver_name, "drbg_pr_", 8); 1902 pos = 8; 1903 } else { 1904 memcpy(alg->cra_driver_name, "drbg_nopr_", 10); 1905 pos = 10; 1906 } 1907 memcpy(alg->cra_driver_name + pos, core->cra_name, 1908 strlen(core->cra_name)); 1909 1910 alg->cra_priority = priority; 1911 priority++; 1912 /* 1913 * If FIPS mode enabled, the selected DRBG shall have the 1914 * highest cra_priority over other stdrng instances to ensure 1915 * it is selected. 1916 */ 1917 if (fips_enabled) 1918 alg->cra_priority += 200; 1919 1920 alg->cra_flags = CRYPTO_ALG_TYPE_RNG; 1921 alg->cra_ctxsize = sizeof(struct drbg_state); 1922 alg->cra_type = &crypto_rng_type; 1923 alg->cra_module = THIS_MODULE; 1924 alg->cra_init = drbg_kcapi_init; 1925 alg->cra_exit = drbg_kcapi_cleanup; 1926 alg->cra_u.rng.rng_make_random = drbg_kcapi_random; 1927 alg->cra_u.rng.rng_reset = drbg_kcapi_reset; 1928 alg->cra_u.rng.seedsize = 0; 1929} 1930 1931static int __init drbg_init(void) 1932{ 1933 unsigned int i = 0; /* pointer to drbg_algs */ 1934 unsigned int j = 0; /* pointer to drbg_cores */ 1935 int ret = -EFAULT; 1936 1937 ret = drbg_healthcheck_sanity(); 1938 if (ret) 1939 return ret; 1940 1941 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1942 pr_info("DRBG: Cannot register all DRBG types" 1943 "(slots needed: %zu, slots available: %zu)\n", 1944 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1945 return ret; 1946 } 1947 1948 /* 1949 * each DRBG definition can be used with PR and without PR, thus 1950 * we instantiate each DRBG in drbg_cores[] twice. 1951 * 1952 * As the order of placing them into the drbg_algs array matters 1953 * (the later DRBGs receive a higher cra_priority) we register the 1954 * prediction resistance DRBGs first as the should not be too 1955 * interesting. 1956 */ 1957 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1958 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1959 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1960 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 1961 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1962} 1963 1964static void __exit drbg_exit(void) 1965{ 1966 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1967} 1968 1969module_init(drbg_init); 1970module_exit(drbg_exit); 1971#ifndef CRYPTO_DRBG_HASH_STRING 1972#define CRYPTO_DRBG_HASH_STRING "" 1973#endif 1974#ifndef CRYPTO_DRBG_HMAC_STRING 1975#define CRYPTO_DRBG_HMAC_STRING "" 1976#endif 1977#ifndef CRYPTO_DRBG_CTR_STRING 1978#define CRYPTO_DRBG_CTR_STRING "" 1979#endif 1980MODULE_LICENSE("GPL"); 1981MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 1982MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 1983 "using following cores: " 1984 CRYPTO_DRBG_HASH_STRING 1985 CRYPTO_DRBG_HMAC_STRING 1986 CRYPTO_DRBG_CTR_STRING); 1987