This source file includes following definitions.
- drbg_sec_strength
- drbg_fips_continuous_test
- drbg_cpu_to_be32
- drbg_ctr_bcc
- drbg_ctr_df
- drbg_ctr_update
- drbg_ctr_generate
- drbg_hmac_update
- drbg_hmac_generate
- drbg_add_buf
- drbg_hash_df
- drbg_hash_update
- drbg_hash_process_addtl
- drbg_hash_hashgen
- drbg_hash_generate
- __drbg_seed
- drbg_get_random_bytes
- drbg_async_seed
- drbg_seed
- drbg_dealloc_state
- drbg_alloc_state
- drbg_generate
- drbg_generate_long
- drbg_schedule_async_seed
- drbg_prepare_hrng
- drbg_instantiate
- drbg_uninstantiate
- drbg_kcapi_set_entropy
- drbg_init_hash_kernel
- drbg_fini_hash_kernel
- drbg_kcapi_hmacsetkey
- drbg_kcapi_hash
- drbg_fini_sym_kernel
- drbg_init_sym_kernel
- drbg_kcapi_symsetkey
- drbg_kcapi_sym
- drbg_kcapi_sym_ctr
- drbg_convert_tfm_core
- drbg_kcapi_init
- drbg_kcapi_cleanup
- drbg_kcapi_random
- drbg_kcapi_seed
- drbg_healthcheck_sanity
- drbg_fill_array
- drbg_init
- drbg_exit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100 #include <crypto/drbg.h>
101 #include <linux/kernel.h>
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116 static const struct drbg_core drbg_cores[] = {
117 #ifdef CONFIG_CRYPTO_DRBG_CTR
118 {
119 .flags = DRBG_CTR | DRBG_STRENGTH128,
120 .statelen = 32,
121 .blocklen_bytes = 16,
122 .cra_name = "ctr_aes128",
123 .backend_cra_name = "aes",
124 }, {
125 .flags = DRBG_CTR | DRBG_STRENGTH192,
126 .statelen = 40,
127 .blocklen_bytes = 16,
128 .cra_name = "ctr_aes192",
129 .backend_cra_name = "aes",
130 }, {
131 .flags = DRBG_CTR | DRBG_STRENGTH256,
132 .statelen = 48,
133 .blocklen_bytes = 16,
134 .cra_name = "ctr_aes256",
135 .backend_cra_name = "aes",
136 },
137 #endif
138 #ifdef CONFIG_CRYPTO_DRBG_HASH
139 {
140 .flags = DRBG_HASH | DRBG_STRENGTH128,
141 .statelen = 55,
142 .blocklen_bytes = 20,
143 .cra_name = "sha1",
144 .backend_cra_name = "sha1",
145 }, {
146 .flags = DRBG_HASH | DRBG_STRENGTH256,
147 .statelen = 111,
148 .blocklen_bytes = 48,
149 .cra_name = "sha384",
150 .backend_cra_name = "sha384",
151 }, {
152 .flags = DRBG_HASH | DRBG_STRENGTH256,
153 .statelen = 111,
154 .blocklen_bytes = 64,
155 .cra_name = "sha512",
156 .backend_cra_name = "sha512",
157 }, {
158 .flags = DRBG_HASH | DRBG_STRENGTH256,
159 .statelen = 55,
160 .blocklen_bytes = 32,
161 .cra_name = "sha256",
162 .backend_cra_name = "sha256",
163 },
164 #endif
165 #ifdef CONFIG_CRYPTO_DRBG_HMAC
166 {
167 .flags = DRBG_HMAC | DRBG_STRENGTH128,
168 .statelen = 20,
169 .blocklen_bytes = 20,
170 .cra_name = "hmac_sha1",
171 .backend_cra_name = "hmac(sha1)",
172 }, {
173 .flags = DRBG_HMAC | DRBG_STRENGTH256,
174 .statelen = 48,
175 .blocklen_bytes = 48,
176 .cra_name = "hmac_sha384",
177 .backend_cra_name = "hmac(sha384)",
178 }, {
179 .flags = DRBG_HMAC | DRBG_STRENGTH256,
180 .statelen = 64,
181 .blocklen_bytes = 64,
182 .cra_name = "hmac_sha512",
183 .backend_cra_name = "hmac(sha512)",
184 }, {
185 .flags = DRBG_HMAC | DRBG_STRENGTH256,
186 .statelen = 32,
187 .blocklen_bytes = 32,
188 .cra_name = "hmac_sha256",
189 .backend_cra_name = "hmac(sha256)",
190 },
191 #endif
192 };
193
194 static int drbg_uninstantiate(struct drbg_state *drbg);
195
196
197
198
199
200
201
202
203
204
205
206
207
208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209 {
210 switch (flags & DRBG_STRENGTH_MASK) {
211 case DRBG_STRENGTH128:
212 return 16;
213 case DRBG_STRENGTH192:
214 return 24;
215 case DRBG_STRENGTH256:
216 return 32;
217 default:
218 return 32;
219 }
220 }
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241 static int drbg_fips_continuous_test(struct drbg_state *drbg,
242 const unsigned char *entropy)
243 {
244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
245 int ret = 0;
246
247 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
248 return 0;
249
250
251 if (list_empty(&drbg->test_data.list))
252 return 0;
253
254 if (!fips_enabled)
255 return 0;
256
257 if (!drbg->fips_primed) {
258
259 memcpy(drbg->prev, entropy, entropylen);
260 drbg->fips_primed = true;
261
262 return -EAGAIN;
263 }
264 ret = memcmp(drbg->prev, entropy, entropylen);
265 if (!ret)
266 panic("DRBG continuous self test failed\n");
267 memcpy(drbg->prev, entropy, entropylen);
268
269
270 return 0;
271 }
272
273
274
275
276
277
278
279
280
281 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
282 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
283 {
284 struct s {
285 __be32 conv;
286 };
287 struct s *conversion = (struct s *) buf;
288
289 conversion->conv = cpu_to_be32(val);
290 }
291 #endif
292
293
294
295
296
297 #ifdef CONFIG_CRYPTO_DRBG_CTR
298 #define CRYPTO_DRBG_CTR_STRING "CTR "
299 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
300 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
301 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
302 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
303 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
304 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
305
306 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
307 const unsigned char *key);
308 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
309 const struct drbg_string *in);
310 static int drbg_init_sym_kernel(struct drbg_state *drbg);
311 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
312 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
313 u8 *inbuf, u32 inbuflen,
314 u8 *outbuf, u32 outlen);
315 #define DRBG_OUTSCRATCHLEN 256
316
317
318 static int drbg_ctr_bcc(struct drbg_state *drbg,
319 unsigned char *out, const unsigned char *key,
320 struct list_head *in)
321 {
322 int ret = 0;
323 struct drbg_string *curr = NULL;
324 struct drbg_string data;
325 short cnt = 0;
326
327 drbg_string_fill(&data, out, drbg_blocklen(drbg));
328
329
330 drbg_kcapi_symsetkey(drbg, key);
331 list_for_each_entry(curr, in, list) {
332 const unsigned char *pos = curr->buf;
333 size_t len = curr->len;
334
335 while (len) {
336
337 if (drbg_blocklen(drbg) == cnt) {
338 cnt = 0;
339 ret = drbg_kcapi_sym(drbg, out, &data);
340 if (ret)
341 return ret;
342 }
343 out[cnt] ^= *pos;
344 pos++;
345 cnt++;
346 len--;
347 }
348 }
349
350 if (cnt)
351 ret = drbg_kcapi_sym(drbg, out, &data);
352
353 return ret;
354 }
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396 static int drbg_ctr_df(struct drbg_state *drbg,
397 unsigned char *df_data, size_t bytes_to_return,
398 struct list_head *seedlist)
399 {
400 int ret = -EFAULT;
401 unsigned char L_N[8];
402
403 struct drbg_string S1, S2, S4, cipherin;
404 LIST_HEAD(bcc_list);
405 unsigned char *pad = df_data + drbg_statelen(drbg);
406 unsigned char *iv = pad + drbg_blocklen(drbg);
407 unsigned char *temp = iv + drbg_blocklen(drbg);
408 size_t padlen = 0;
409 unsigned int templen = 0;
410
411 unsigned int i = 0;
412
413 const unsigned char *K = (unsigned char *)
414 "\x00\x01\x02\x03\x04\x05\x06\x07"
415 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
416 "\x10\x11\x12\x13\x14\x15\x16\x17"
417 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
418 unsigned char *X;
419 size_t generated_len = 0;
420 size_t inputlen = 0;
421 struct drbg_string *seed = NULL;
422
423 memset(pad, 0, drbg_blocklen(drbg));
424 memset(iv, 0, drbg_blocklen(drbg));
425
426
427
428
429 if ((512/8) < bytes_to_return)
430 return -EINVAL;
431
432
433 list_for_each_entry(seed, seedlist, list)
434 inputlen += seed->len;
435 drbg_cpu_to_be32(inputlen, &L_N[0]);
436
437
438 drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
439
440
441 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
442
443 if (padlen)
444 padlen = drbg_blocklen(drbg) - padlen;
445
446
447
448
449
450 padlen++;
451 pad[0] = 0x80;
452
453
454 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
455 list_add_tail(&S1.list, &bcc_list);
456 drbg_string_fill(&S2, L_N, sizeof(L_N));
457 list_add_tail(&S2.list, &bcc_list);
458 list_splice_tail(seedlist, &bcc_list);
459 drbg_string_fill(&S4, pad, padlen);
460 list_add_tail(&S4.list, &bcc_list);
461
462
463 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
464
465
466
467
468
469 drbg_cpu_to_be32(i, iv);
470
471 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
472 if (ret)
473 goto out;
474
475 i++;
476 templen += drbg_blocklen(drbg);
477 }
478
479
480 X = temp + (drbg_keylen(drbg));
481 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
482
483
484
485
486 drbg_kcapi_symsetkey(drbg, temp);
487 while (generated_len < bytes_to_return) {
488 short blocklen = 0;
489
490
491
492
493
494 ret = drbg_kcapi_sym(drbg, X, &cipherin);
495 if (ret)
496 goto out;
497 blocklen = (drbg_blocklen(drbg) <
498 (bytes_to_return - generated_len)) ?
499 drbg_blocklen(drbg) :
500 (bytes_to_return - generated_len);
501
502 memcpy(df_data + generated_len, X, blocklen);
503 generated_len += blocklen;
504 }
505
506 ret = 0;
507
508 out:
509 memset(iv, 0, drbg_blocklen(drbg));
510 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
511 memset(pad, 0, drbg_blocklen(drbg));
512 return ret;
513 }
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
531 int reseed)
532 {
533 int ret = -EFAULT;
534
535 unsigned char *temp = drbg->scratchpad;
536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
537 drbg_blocklen(drbg);
538
539 if (3 > reseed)
540 memset(df_data, 0, drbg_statelen(drbg));
541
542 if (!reseed) {
543
544
545
546
547
548
549
550 crypto_inc(drbg->V, drbg_blocklen(drbg));
551
552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
553 drbg_keylen(drbg));
554 if (ret)
555 goto out;
556 }
557
558
559 if (seed) {
560 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
561 if (ret)
562 goto out;
563 }
564
565 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
566 temp, drbg_statelen(drbg));
567 if (ret)
568 return ret;
569
570
571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
572 drbg_keylen(drbg));
573 if (ret)
574 goto out;
575
576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
577
578 crypto_inc(drbg->V, drbg_blocklen(drbg));
579 ret = 0;
580
581 out:
582 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
583 if (2 != reseed)
584 memset(df_data, 0, drbg_statelen(drbg));
585 return ret;
586 }
587
588
589
590
591
592
593 static int drbg_ctr_generate(struct drbg_state *drbg,
594 unsigned char *buf, unsigned int buflen,
595 struct list_head *addtl)
596 {
597 int ret;
598 int len = min_t(int, buflen, INT_MAX);
599
600
601 if (addtl && !list_empty(addtl)) {
602 ret = drbg_ctr_update(drbg, addtl, 2);
603 if (ret)
604 return 0;
605 }
606
607
608 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
609 if (ret)
610 return ret;
611
612
613 ret = drbg_ctr_update(drbg, NULL, 3);
614 if (ret)
615 len = ret;
616
617 return len;
618 }
619
620 static const struct drbg_state_ops drbg_ctr_ops = {
621 .update = drbg_ctr_update,
622 .generate = drbg_ctr_generate,
623 .crypto_init = drbg_init_sym_kernel,
624 .crypto_fini = drbg_fini_sym_kernel,
625 };
626 #endif
627
628
629
630
631
632 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
633 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
634 const struct list_head *in);
635 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
636 const unsigned char *key);
637 static int drbg_init_hash_kernel(struct drbg_state *drbg);
638 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
639 #endif
640
641 #ifdef CONFIG_CRYPTO_DRBG_HMAC
642 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
643 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
644 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
645 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
646 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
647 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
648 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
649 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
650 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
651
652
653 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
654 int reseed)
655 {
656 int ret = -EFAULT;
657 int i = 0;
658 struct drbg_string seed1, seed2, vdata;
659 LIST_HEAD(seedlist);
660 LIST_HEAD(vdatalist);
661
662 if (!reseed) {
663
664 memset(drbg->V, 1, drbg_statelen(drbg));
665 drbg_kcapi_hmacsetkey(drbg, drbg->C);
666 }
667
668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
669 list_add_tail(&seed1.list, &seedlist);
670
671 drbg_string_fill(&seed2, NULL, 1);
672 list_add_tail(&seed2.list, &seedlist);
673
674 if (seed)
675 list_splice_tail(seed, &seedlist);
676
677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
678 list_add_tail(&vdata.list, &vdatalist);
679 for (i = 2; 0 < i; i--) {
680
681 unsigned char prefix = DRBG_PREFIX0;
682 if (1 == i)
683 prefix = DRBG_PREFIX1;
684
685 seed2.buf = &prefix;
686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
687 if (ret)
688 return ret;
689 drbg_kcapi_hmacsetkey(drbg, drbg->C);
690
691
692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
693 if (ret)
694 return ret;
695
696
697 if (!seed)
698 return ret;
699 }
700
701 return 0;
702 }
703
704
705 static int drbg_hmac_generate(struct drbg_state *drbg,
706 unsigned char *buf,
707 unsigned int buflen,
708 struct list_head *addtl)
709 {
710 int len = 0;
711 int ret = 0;
712 struct drbg_string data;
713 LIST_HEAD(datalist);
714
715
716 if (addtl && !list_empty(addtl)) {
717 ret = drbg_hmac_update(drbg, addtl, 1);
718 if (ret)
719 return ret;
720 }
721
722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
723 list_add_tail(&data.list, &datalist);
724 while (len < buflen) {
725 unsigned int outlen = 0;
726
727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
728 if (ret)
729 return ret;
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
731 drbg_blocklen(drbg) : (buflen - len);
732
733
734 memcpy(buf + len, drbg->V, outlen);
735 len += outlen;
736 }
737
738
739 if (addtl && !list_empty(addtl))
740 ret = drbg_hmac_update(drbg, addtl, 1);
741 else
742 ret = drbg_hmac_update(drbg, NULL, 1);
743 if (ret)
744 return ret;
745
746 return len;
747 }
748
749 static const struct drbg_state_ops drbg_hmac_ops = {
750 .update = drbg_hmac_update,
751 .generate = drbg_hmac_generate,
752 .crypto_init = drbg_init_hash_kernel,
753 .crypto_fini = drbg_fini_hash_kernel,
754 };
755 #endif
756
757
758
759
760
761 #ifdef CONFIG_CRYPTO_DRBG_HASH
762 #define CRYPTO_DRBG_HASH_STRING "HASH "
763 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
764 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
765 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
766 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
767 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
768 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
769 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
770 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
771
772
773
774
775
776
777
778 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
779 const unsigned char *add, size_t addlen)
780 {
781
782 unsigned char *dstptr;
783 const unsigned char *addptr;
784 unsigned int remainder = 0;
785 size_t len = addlen;
786
787 dstptr = dst + (dstlen-1);
788 addptr = add + (addlen-1);
789 while (len) {
790 remainder += *dstptr + *addptr;
791 *dstptr = remainder & 0xff;
792 remainder >>= 8;
793 len--; dstptr--; addptr--;
794 }
795 len = dstlen - addlen;
796 while (len && remainder > 0) {
797 remainder = *dstptr + 1;
798 *dstptr = remainder & 0xff;
799 remainder >>= 8;
800 len--; dstptr--;
801 }
802 }
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820 static int drbg_hash_df(struct drbg_state *drbg,
821 unsigned char *outval, size_t outlen,
822 struct list_head *entropylist)
823 {
824 int ret = 0;
825 size_t len = 0;
826 unsigned char input[5];
827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
828 struct drbg_string data;
829
830
831 input[0] = 1;
832 drbg_cpu_to_be32((outlen * 8), &input[1]);
833
834
835 drbg_string_fill(&data, input, 5);
836 list_add(&data.list, entropylist);
837
838
839 while (len < outlen) {
840 short blocklen = 0;
841
842 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
843 if (ret)
844 goto out;
845
846 input[0]++;
847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
848 drbg_blocklen(drbg) : (outlen - len);
849 memcpy(outval + len, tmp, blocklen);
850 len += blocklen;
851 }
852
853 out:
854 memset(tmp, 0, drbg_blocklen(drbg));
855 return ret;
856 }
857
858
859 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
860 int reseed)
861 {
862 int ret = 0;
863 struct drbg_string data1, data2;
864 LIST_HEAD(datalist);
865 LIST_HEAD(datalist2);
866 unsigned char *V = drbg->scratchpad;
867 unsigned char prefix = DRBG_PREFIX1;
868
869 if (!seed)
870 return -EINVAL;
871
872 if (reseed) {
873
874 memcpy(V, drbg->V, drbg_statelen(drbg));
875 drbg_string_fill(&data1, &prefix, 1);
876 list_add_tail(&data1.list, &datalist);
877 drbg_string_fill(&data2, V, drbg_statelen(drbg));
878 list_add_tail(&data2.list, &datalist);
879 }
880 list_splice_tail(seed, &datalist);
881
882
883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
884 if (ret)
885 goto out;
886
887
888 prefix = DRBG_PREFIX0;
889 drbg_string_fill(&data1, &prefix, 1);
890 list_add_tail(&data1.list, &datalist2);
891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
892 list_add_tail(&data2.list, &datalist2);
893
894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
895
896 out:
897 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
898 return ret;
899 }
900
901
902 static int drbg_hash_process_addtl(struct drbg_state *drbg,
903 struct list_head *addtl)
904 {
905 int ret = 0;
906 struct drbg_string data1, data2;
907 LIST_HEAD(datalist);
908 unsigned char prefix = DRBG_PREFIX2;
909
910
911 if (!addtl || list_empty(addtl))
912 return 0;
913
914
915 drbg_string_fill(&data1, &prefix, 1);
916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
917 list_add_tail(&data1.list, &datalist);
918 list_add_tail(&data2.list, &datalist);
919 list_splice_tail(addtl, &datalist);
920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
921 if (ret)
922 goto out;
923
924
925 drbg_add_buf(drbg->V, drbg_statelen(drbg),
926 drbg->scratchpad, drbg_blocklen(drbg));
927
928 out:
929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
930 return ret;
931 }
932
933
934 static int drbg_hash_hashgen(struct drbg_state *drbg,
935 unsigned char *buf,
936 unsigned int buflen)
937 {
938 int len = 0;
939 int ret = 0;
940 unsigned char *src = drbg->scratchpad;
941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
942 struct drbg_string data;
943 LIST_HEAD(datalist);
944
945
946 memcpy(src, drbg->V, drbg_statelen(drbg));
947
948 drbg_string_fill(&data, src, drbg_statelen(drbg));
949 list_add_tail(&data.list, &datalist);
950 while (len < buflen) {
951 unsigned int outlen = 0;
952
953 ret = drbg_kcapi_hash(drbg, dst, &datalist);
954 if (ret) {
955 len = ret;
956 goto out;
957 }
958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
959 drbg_blocklen(drbg) : (buflen - len);
960
961 memcpy(buf + len, dst, outlen);
962 len += outlen;
963
964 if (len < buflen)
965 crypto_inc(src, drbg_statelen(drbg));
966 }
967
968 out:
969 memset(drbg->scratchpad, 0,
970 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
971 return len;
972 }
973
974
975 static int drbg_hash_generate(struct drbg_state *drbg,
976 unsigned char *buf, unsigned int buflen,
977 struct list_head *addtl)
978 {
979 int len = 0;
980 int ret = 0;
981 union {
982 unsigned char req[8];
983 __be64 req_int;
984 } u;
985 unsigned char prefix = DRBG_PREFIX3;
986 struct drbg_string data1, data2;
987 LIST_HEAD(datalist);
988
989
990 ret = drbg_hash_process_addtl(drbg, addtl);
991 if (ret)
992 return ret;
993
994 len = drbg_hash_hashgen(drbg, buf, buflen);
995
996
997
998 drbg_string_fill(&data1, &prefix, 1);
999 list_add_tail(&data1.list, &datalist);
1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1001 list_add_tail(&data2.list, &datalist);
1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1003 if (ret) {
1004 len = ret;
1005 goto out;
1006 }
1007
1008
1009 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1010 drbg->scratchpad, drbg_blocklen(drbg));
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1012 drbg->C, drbg_statelen(drbg));
1013 u.req_int = cpu_to_be64(drbg->reseed_ctr);
1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1015
1016 out:
1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1018 return len;
1019 }
1020
1021
1022
1023
1024
1025 static const struct drbg_state_ops drbg_hash_ops = {
1026 .update = drbg_hash_update,
1027 .generate = drbg_hash_generate,
1028 .crypto_init = drbg_init_hash_kernel,
1029 .crypto_fini = drbg_fini_hash_kernel,
1030 };
1031 #endif
1032
1033
1034
1035
1036
1037 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1038 int reseed)
1039 {
1040 int ret = drbg->d_ops->update(drbg, seed, reseed);
1041
1042 if (ret)
1043 return ret;
1044
1045 drbg->seeded = true;
1046
1047 drbg->reseed_ctr = 1;
1048
1049 return ret;
1050 }
1051
1052 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1053 unsigned char *entropy,
1054 unsigned int entropylen)
1055 {
1056 int ret;
1057
1058 do {
1059 get_random_bytes(entropy, entropylen);
1060 ret = drbg_fips_continuous_test(drbg, entropy);
1061 if (ret && ret != -EAGAIN)
1062 return ret;
1063 } while (ret);
1064
1065 return 0;
1066 }
1067
1068 static void drbg_async_seed(struct work_struct *work)
1069 {
1070 struct drbg_string data;
1071 LIST_HEAD(seedlist);
1072 struct drbg_state *drbg = container_of(work, struct drbg_state,
1073 seed_work);
1074 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1075 unsigned char entropy[32];
1076 int ret;
1077
1078 BUG_ON(!entropylen);
1079 BUG_ON(entropylen > sizeof(entropy));
1080
1081 drbg_string_fill(&data, entropy, entropylen);
1082 list_add_tail(&data.list, &seedlist);
1083
1084 mutex_lock(&drbg->drbg_mutex);
1085
1086 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1087 if (ret)
1088 goto unlock;
1089
1090
1091 crypto_free_rng(drbg->jent);
1092 drbg->jent = NULL;
1093
1094
1095
1096
1097 drbg->seeded = false;
1098
1099 __drbg_seed(drbg, &seedlist, true);
1100
1101 if (drbg->seeded)
1102 drbg->reseed_threshold = drbg_max_requests(drbg);
1103
1104 unlock:
1105 mutex_unlock(&drbg->drbg_mutex);
1106
1107 memzero_explicit(entropy, entropylen);
1108 }
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1122 bool reseed)
1123 {
1124 int ret;
1125 unsigned char entropy[((32 + 16) * 2)];
1126 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1127 struct drbg_string data1;
1128 LIST_HEAD(seedlist);
1129
1130
1131 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1132 pr_devel("DRBG: personalization string too long %zu\n",
1133 pers->len);
1134 return -EINVAL;
1135 }
1136
1137 if (list_empty(&drbg->test_data.list)) {
1138 drbg_string_fill(&data1, drbg->test_data.buf,
1139 drbg->test_data.len);
1140 pr_devel("DRBG: using test entropy\n");
1141 } else {
1142
1143
1144
1145
1146
1147
1148
1149
1150 BUG_ON(!entropylen);
1151 if (!reseed)
1152 entropylen = ((entropylen + 1) / 2) * 3;
1153 BUG_ON((entropylen * 2) > sizeof(entropy));
1154
1155
1156 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1157 if (ret)
1158 goto out;
1159
1160 if (!drbg->jent) {
1161 drbg_string_fill(&data1, entropy, entropylen);
1162 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1163 entropylen);
1164 } else {
1165
1166 ret = crypto_rng_get_bytes(drbg->jent,
1167 entropy + entropylen,
1168 entropylen);
1169 if (ret) {
1170 pr_devel("DRBG: jent failed with %d\n", ret);
1171 goto out;
1172 }
1173
1174 drbg_string_fill(&data1, entropy, entropylen * 2);
1175 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1176 entropylen * 2);
1177 }
1178 }
1179 list_add_tail(&data1.list, &seedlist);
1180
1181
1182
1183
1184
1185
1186 if (pers && pers->buf && 0 < pers->len) {
1187 list_add_tail(&pers->list, &seedlist);
1188 pr_devel("DRBG: using personalization string\n");
1189 }
1190
1191 if (!reseed) {
1192 memset(drbg->V, 0, drbg_statelen(drbg));
1193 memset(drbg->C, 0, drbg_statelen(drbg));
1194 }
1195
1196 ret = __drbg_seed(drbg, &seedlist, reseed);
1197
1198 out:
1199 memzero_explicit(entropy, entropylen * 2);
1200
1201 return ret;
1202 }
1203
1204
1205 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1206 {
1207 if (!drbg)
1208 return;
1209 kzfree(drbg->Vbuf);
1210 drbg->Vbuf = NULL;
1211 drbg->V = NULL;
1212 kzfree(drbg->Cbuf);
1213 drbg->Cbuf = NULL;
1214 drbg->C = NULL;
1215 kzfree(drbg->scratchpadbuf);
1216 drbg->scratchpadbuf = NULL;
1217 drbg->reseed_ctr = 0;
1218 drbg->d_ops = NULL;
1219 drbg->core = NULL;
1220 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1221 kzfree(drbg->prev);
1222 drbg->prev = NULL;
1223 drbg->fips_primed = false;
1224 }
1225 }
1226
1227
1228
1229
1230
1231 static inline int drbg_alloc_state(struct drbg_state *drbg)
1232 {
1233 int ret = -ENOMEM;
1234 unsigned int sb_size = 0;
1235
1236 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1237 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1238 case DRBG_HMAC:
1239 drbg->d_ops = &drbg_hmac_ops;
1240 break;
1241 #endif
1242 #ifdef CONFIG_CRYPTO_DRBG_HASH
1243 case DRBG_HASH:
1244 drbg->d_ops = &drbg_hash_ops;
1245 break;
1246 #endif
1247 #ifdef CONFIG_CRYPTO_DRBG_CTR
1248 case DRBG_CTR:
1249 drbg->d_ops = &drbg_ctr_ops;
1250 break;
1251 #endif
1252 default:
1253 ret = -EOPNOTSUPP;
1254 goto err;
1255 }
1256
1257 ret = drbg->d_ops->crypto_init(drbg);
1258 if (ret < 0)
1259 goto err;
1260
1261 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1262 if (!drbg->Vbuf) {
1263 ret = -ENOMEM;
1264 goto fini;
1265 }
1266 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1267 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1268 if (!drbg->Cbuf) {
1269 ret = -ENOMEM;
1270 goto fini;
1271 }
1272 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1273
1274 if (drbg->core->flags & DRBG_HMAC)
1275 sb_size = 0;
1276 else if (drbg->core->flags & DRBG_CTR)
1277 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) +
1278 drbg_statelen(drbg) +
1279 drbg_blocklen(drbg) +
1280 drbg_blocklen(drbg) +
1281 drbg_statelen(drbg) + drbg_blocklen(drbg);
1282 else
1283 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1284
1285 if (0 < sb_size) {
1286 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1287 if (!drbg->scratchpadbuf) {
1288 ret = -ENOMEM;
1289 goto fini;
1290 }
1291 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1292 }
1293
1294 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1295 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1296 GFP_KERNEL);
1297 if (!drbg->prev) {
1298 ret = -ENOMEM;
1299 goto fini;
1300 }
1301 drbg->fips_primed = false;
1302 }
1303
1304 return 0;
1305
1306 fini:
1307 drbg->d_ops->crypto_fini(drbg);
1308 err:
1309 drbg_dealloc_state(drbg);
1310 return ret;
1311 }
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333 static int drbg_generate(struct drbg_state *drbg,
1334 unsigned char *buf, unsigned int buflen,
1335 struct drbg_string *addtl)
1336 {
1337 int len = 0;
1338 LIST_HEAD(addtllist);
1339
1340 if (!drbg->core) {
1341 pr_devel("DRBG: not yet seeded\n");
1342 return -EINVAL;
1343 }
1344 if (0 == buflen || !buf) {
1345 pr_devel("DRBG: no output buffer provided\n");
1346 return -EINVAL;
1347 }
1348 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1349 pr_devel("DRBG: wrong format of additional information\n");
1350 return -EINVAL;
1351 }
1352
1353
1354 len = -EINVAL;
1355 if (buflen > (drbg_max_request_bytes(drbg))) {
1356 pr_devel("DRBG: requested random numbers too large %u\n",
1357 buflen);
1358 goto err;
1359 }
1360
1361
1362
1363
1364 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1365 pr_devel("DRBG: additional information string too long %zu\n",
1366 addtl->len);
1367 goto err;
1368 }
1369
1370
1371
1372
1373
1374
1375 if (drbg->reseed_threshold < drbg->reseed_ctr)
1376 drbg->seeded = false;
1377
1378 if (drbg->pr || !drbg->seeded) {
1379 pr_devel("DRBG: reseeding before generation (prediction "
1380 "resistance: %s, state %s)\n",
1381 drbg->pr ? "true" : "false",
1382 drbg->seeded ? "seeded" : "unseeded");
1383
1384 len = drbg_seed(drbg, addtl, true);
1385 if (len)
1386 goto err;
1387
1388 addtl = NULL;
1389 }
1390
1391 if (addtl && 0 < addtl->len)
1392 list_add_tail(&addtl->list, &addtllist);
1393
1394 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1395
1396
1397 drbg->reseed_ctr++;
1398 if (0 >= len)
1399 goto err;
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416 #if 0
1417 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1418 int err = 0;
1419 pr_devel("DRBG: start to perform self test\n");
1420 if (drbg->core->flags & DRBG_HMAC)
1421 err = alg_test("drbg_pr_hmac_sha256",
1422 "drbg_pr_hmac_sha256", 0, 0);
1423 else if (drbg->core->flags & DRBG_CTR)
1424 err = alg_test("drbg_pr_ctr_aes128",
1425 "drbg_pr_ctr_aes128", 0, 0);
1426 else
1427 err = alg_test("drbg_pr_sha256",
1428 "drbg_pr_sha256", 0, 0);
1429 if (err) {
1430 pr_err("DRBG: periodical self test failed\n");
1431
1432
1433
1434
1435 drbg_uninstantiate(drbg);
1436 return 0;
1437 } else {
1438 pr_devel("DRBG: self test successful\n");
1439 }
1440 }
1441 #endif
1442
1443
1444
1445
1446
1447 len = 0;
1448 err:
1449 return len;
1450 }
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460 static int drbg_generate_long(struct drbg_state *drbg,
1461 unsigned char *buf, unsigned int buflen,
1462 struct drbg_string *addtl)
1463 {
1464 unsigned int len = 0;
1465 unsigned int slice = 0;
1466 do {
1467 int err = 0;
1468 unsigned int chunk = 0;
1469 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1470 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1471 mutex_lock(&drbg->drbg_mutex);
1472 err = drbg_generate(drbg, buf + len, chunk, addtl);
1473 mutex_unlock(&drbg->drbg_mutex);
1474 if (0 > err)
1475 return err;
1476 len += chunk;
1477 } while (slice > 0 && (len < buflen));
1478 return 0;
1479 }
1480
1481 static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1482 {
1483 struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1484 random_ready);
1485
1486 schedule_work(&drbg->seed_work);
1487 }
1488
1489 static int drbg_prepare_hrng(struct drbg_state *drbg)
1490 {
1491 int err;
1492
1493
1494 if (list_empty(&drbg->test_data.list))
1495 return 0;
1496
1497 INIT_WORK(&drbg->seed_work, drbg_async_seed);
1498
1499 drbg->random_ready.owner = THIS_MODULE;
1500 drbg->random_ready.func = drbg_schedule_async_seed;
1501
1502 err = add_random_ready_callback(&drbg->random_ready);
1503
1504 switch (err) {
1505 case 0:
1506 break;
1507
1508 case -EALREADY:
1509 err = 0;
1510
1511
1512 default:
1513 drbg->random_ready.func = NULL;
1514 return err;
1515 }
1516
1517 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1518
1519
1520
1521
1522
1523 drbg->reseed_threshold = 50;
1524
1525 return err;
1526 }
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1546 int coreref, bool pr)
1547 {
1548 int ret;
1549 bool reseed = true;
1550
1551 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1552 "%s\n", coreref, pr ? "enabled" : "disabled");
1553 mutex_lock(&drbg->drbg_mutex);
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565 if (!drbg->core) {
1566 drbg->core = &drbg_cores[coreref];
1567 drbg->pr = pr;
1568 drbg->seeded = false;
1569 drbg->reseed_threshold = drbg_max_requests(drbg);
1570
1571 ret = drbg_alloc_state(drbg);
1572 if (ret)
1573 goto unlock;
1574
1575 ret = drbg_prepare_hrng(drbg);
1576 if (ret)
1577 goto free_everything;
1578
1579 if (IS_ERR(drbg->jent)) {
1580 ret = PTR_ERR(drbg->jent);
1581 drbg->jent = NULL;
1582 if (fips_enabled || ret != -ENOENT)
1583 goto free_everything;
1584 pr_info("DRBG: Continuing without Jitter RNG\n");
1585 }
1586
1587 reseed = false;
1588 }
1589
1590 ret = drbg_seed(drbg, pers, reseed);
1591
1592 if (ret && !reseed)
1593 goto free_everything;
1594
1595 mutex_unlock(&drbg->drbg_mutex);
1596 return ret;
1597
1598 unlock:
1599 mutex_unlock(&drbg->drbg_mutex);
1600 return ret;
1601
1602 free_everything:
1603 mutex_unlock(&drbg->drbg_mutex);
1604 drbg_uninstantiate(drbg);
1605 return ret;
1606 }
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617 static int drbg_uninstantiate(struct drbg_state *drbg)
1618 {
1619 if (drbg->random_ready.func) {
1620 del_random_ready_callback(&drbg->random_ready);
1621 cancel_work_sync(&drbg->seed_work);
1622 crypto_free_rng(drbg->jent);
1623 drbg->jent = NULL;
1624 }
1625
1626 if (drbg->d_ops)
1627 drbg->d_ops->crypto_fini(drbg);
1628 drbg_dealloc_state(drbg);
1629
1630 return 0;
1631 }
1632
1633
1634
1635
1636
1637
1638
1639
1640 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1641 const u8 *data, unsigned int len)
1642 {
1643 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1644
1645 mutex_lock(&drbg->drbg_mutex);
1646 drbg_string_fill(&drbg->test_data, data, len);
1647 mutex_unlock(&drbg->drbg_mutex);
1648 }
1649
1650
1651
1652
1653
1654 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1655 struct sdesc {
1656 struct shash_desc shash;
1657 char ctx[];
1658 };
1659
1660 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1661 {
1662 struct sdesc *sdesc;
1663 struct crypto_shash *tfm;
1664
1665 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1666 if (IS_ERR(tfm)) {
1667 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1668 drbg->core->backend_cra_name);
1669 return PTR_ERR(tfm);
1670 }
1671 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1672 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1673 GFP_KERNEL);
1674 if (!sdesc) {
1675 crypto_free_shash(tfm);
1676 return -ENOMEM;
1677 }
1678
1679 sdesc->shash.tfm = tfm;
1680 drbg->priv_data = sdesc;
1681
1682 return crypto_shash_alignmask(tfm);
1683 }
1684
1685 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1686 {
1687 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1688 if (sdesc) {
1689 crypto_free_shash(sdesc->shash.tfm);
1690 kzfree(sdesc);
1691 }
1692 drbg->priv_data = NULL;
1693 return 0;
1694 }
1695
1696 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1697 const unsigned char *key)
1698 {
1699 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1700
1701 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1702 }
1703
1704 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1705 const struct list_head *in)
1706 {
1707 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1708 struct drbg_string *input = NULL;
1709
1710 crypto_shash_init(&sdesc->shash);
1711 list_for_each_entry(input, in, list)
1712 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1713 return crypto_shash_final(&sdesc->shash, outval);
1714 }
1715 #endif
1716
1717 #ifdef CONFIG_CRYPTO_DRBG_CTR
1718 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1719 {
1720 struct crypto_cipher *tfm =
1721 (struct crypto_cipher *)drbg->priv_data;
1722 if (tfm)
1723 crypto_free_cipher(tfm);
1724 drbg->priv_data = NULL;
1725
1726 if (drbg->ctr_handle)
1727 crypto_free_skcipher(drbg->ctr_handle);
1728 drbg->ctr_handle = NULL;
1729
1730 if (drbg->ctr_req)
1731 skcipher_request_free(drbg->ctr_req);
1732 drbg->ctr_req = NULL;
1733
1734 kfree(drbg->outscratchpadbuf);
1735 drbg->outscratchpadbuf = NULL;
1736
1737 return 0;
1738 }
1739
1740 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1741 {
1742 struct crypto_cipher *tfm;
1743 struct crypto_skcipher *sk_tfm;
1744 struct skcipher_request *req;
1745 unsigned int alignmask;
1746 char ctr_name[CRYPTO_MAX_ALG_NAME];
1747
1748 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1749 if (IS_ERR(tfm)) {
1750 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1751 drbg->core->backend_cra_name);
1752 return PTR_ERR(tfm);
1753 }
1754 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1755 drbg->priv_data = tfm;
1756
1757 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1758 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1759 drbg_fini_sym_kernel(drbg);
1760 return -EINVAL;
1761 }
1762 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1763 if (IS_ERR(sk_tfm)) {
1764 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1765 ctr_name);
1766 drbg_fini_sym_kernel(drbg);
1767 return PTR_ERR(sk_tfm);
1768 }
1769 drbg->ctr_handle = sk_tfm;
1770 crypto_init_wait(&drbg->ctr_wait);
1771
1772 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1773 if (!req) {
1774 pr_info("DRBG: could not allocate request queue\n");
1775 drbg_fini_sym_kernel(drbg);
1776 return -ENOMEM;
1777 }
1778 drbg->ctr_req = req;
1779 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1780 CRYPTO_TFM_REQ_MAY_SLEEP,
1781 crypto_req_done, &drbg->ctr_wait);
1782
1783 alignmask = crypto_skcipher_alignmask(sk_tfm);
1784 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1785 GFP_KERNEL);
1786 if (!drbg->outscratchpadbuf) {
1787 drbg_fini_sym_kernel(drbg);
1788 return -ENOMEM;
1789 }
1790 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1791 alignmask + 1);
1792
1793 sg_init_table(&drbg->sg_in, 1);
1794 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1795
1796 return alignmask;
1797 }
1798
1799 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1800 const unsigned char *key)
1801 {
1802 struct crypto_cipher *tfm =
1803 (struct crypto_cipher *)drbg->priv_data;
1804
1805 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1806 }
1807
1808 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1809 const struct drbg_string *in)
1810 {
1811 struct crypto_cipher *tfm =
1812 (struct crypto_cipher *)drbg->priv_data;
1813
1814
1815 BUG_ON(in->len < drbg_blocklen(drbg));
1816 crypto_cipher_encrypt_one(tfm, outval, in->buf);
1817 return 0;
1818 }
1819
1820 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1821 u8 *inbuf, u32 inlen,
1822 u8 *outbuf, u32 outlen)
1823 {
1824 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1825 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1826 int ret;
1827
1828 if (inbuf) {
1829
1830 sg_set_buf(sg_in, inbuf, inlen);
1831 } else {
1832
1833 inlen = scratchpad_use;
1834 memset(drbg->outscratchpad, 0, scratchpad_use);
1835 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1836 }
1837
1838 while (outlen) {
1839 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1840
1841
1842 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1843 cryptlen, drbg->V);
1844 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1845 &drbg->ctr_wait);
1846 if (ret)
1847 goto out;
1848
1849 crypto_init_wait(&drbg->ctr_wait);
1850
1851 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1852 memzero_explicit(drbg->outscratchpad, cryptlen);
1853
1854 outlen -= cryptlen;
1855 outbuf += cryptlen;
1856 }
1857 ret = 0;
1858
1859 out:
1860 return ret;
1861 }
1862 #endif
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1880 int *coreref, bool *pr)
1881 {
1882 int i = 0;
1883 size_t start = 0;
1884 int len = 0;
1885
1886 *pr = true;
1887
1888 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1889 start = 10;
1890 *pr = false;
1891 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1892 start = 8;
1893 } else {
1894 return;
1895 }
1896
1897
1898 len = strlen(cra_driver_name) - start;
1899 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1900 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1901 len)) {
1902 *coreref = i;
1903 return;
1904 }
1905 }
1906 }
1907
1908 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1909 {
1910 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1911
1912 mutex_init(&drbg->drbg_mutex);
1913
1914 return 0;
1915 }
1916
1917 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1918 {
1919 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1920 }
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931 static int drbg_kcapi_random(struct crypto_rng *tfm,
1932 const u8 *src, unsigned int slen,
1933 u8 *dst, unsigned int dlen)
1934 {
1935 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1936 struct drbg_string *addtl = NULL;
1937 struct drbg_string string;
1938
1939 if (slen) {
1940
1941 drbg_string_fill(&string, src, slen);
1942 addtl = &string;
1943 }
1944
1945 return drbg_generate_long(drbg, dst, dlen, addtl);
1946 }
1947
1948
1949
1950
1951 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1952 const u8 *seed, unsigned int slen)
1953 {
1954 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1955 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1956 bool pr = false;
1957 struct drbg_string string;
1958 struct drbg_string *seed_string = NULL;
1959 int coreref = 0;
1960
1961 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1962 &pr);
1963 if (0 < slen) {
1964 drbg_string_fill(&string, seed, slen);
1965 seed_string = &string;
1966 }
1967
1968 return drbg_instantiate(drbg, seed_string, coreref, pr);
1969 }
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985 static inline int __init drbg_healthcheck_sanity(void)
1986 {
1987 int len = 0;
1988 #define OUTBUFLEN 16
1989 unsigned char buf[OUTBUFLEN];
1990 struct drbg_state *drbg = NULL;
1991 int ret = -EFAULT;
1992 int rc = -EFAULT;
1993 bool pr = false;
1994 int coreref = 0;
1995 struct drbg_string addtl;
1996 size_t max_addtllen, max_request_bytes;
1997
1998
1999 if (!fips_enabled)
2000 return 0;
2001
2002 #ifdef CONFIG_CRYPTO_DRBG_CTR
2003 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
2004 #elif defined CONFIG_CRYPTO_DRBG_HASH
2005 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2006 #else
2007 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
2008 #endif
2009
2010 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2011 if (!drbg)
2012 return -ENOMEM;
2013
2014 mutex_init(&drbg->drbg_mutex);
2015 drbg->core = &drbg_cores[coreref];
2016 drbg->reseed_threshold = drbg_max_requests(drbg);
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026 max_addtllen = drbg_max_addtl(drbg);
2027 max_request_bytes = drbg_max_request_bytes(drbg);
2028 drbg_string_fill(&addtl, buf, max_addtllen + 1);
2029
2030 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2031 BUG_ON(0 < len);
2032
2033 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2034 BUG_ON(0 < len);
2035
2036
2037 ret = drbg_seed(drbg, &addtl, false);
2038 BUG_ON(0 == ret);
2039
2040 rc = 0;
2041
2042 pr_devel("DRBG: Sanity tests for failure code paths successfully "
2043 "completed\n");
2044
2045 kfree(drbg);
2046 return rc;
2047 }
2048
2049 static struct rng_alg drbg_algs[22];
2050
2051
2052
2053
2054
2055
2056 static inline void __init drbg_fill_array(struct rng_alg *alg,
2057 const struct drbg_core *core, int pr)
2058 {
2059 int pos = 0;
2060 static int priority = 200;
2061
2062 memcpy(alg->base.cra_name, "stdrng", 6);
2063 if (pr) {
2064 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2065 pos = 8;
2066 } else {
2067 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2068 pos = 10;
2069 }
2070 memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2071 strlen(core->cra_name));
2072
2073 alg->base.cra_priority = priority;
2074 priority++;
2075
2076
2077
2078
2079
2080 if (fips_enabled)
2081 alg->base.cra_priority += 200;
2082
2083 alg->base.cra_ctxsize = sizeof(struct drbg_state);
2084 alg->base.cra_module = THIS_MODULE;
2085 alg->base.cra_init = drbg_kcapi_init;
2086 alg->base.cra_exit = drbg_kcapi_cleanup;
2087 alg->generate = drbg_kcapi_random;
2088 alg->seed = drbg_kcapi_seed;
2089 alg->set_ent = drbg_kcapi_set_entropy;
2090 alg->seedsize = 0;
2091 }
2092
2093 static int __init drbg_init(void)
2094 {
2095 unsigned int i = 0;
2096 unsigned int j = 0;
2097 int ret;
2098
2099 ret = drbg_healthcheck_sanity();
2100 if (ret)
2101 return ret;
2102
2103 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2104 pr_info("DRBG: Cannot register all DRBG types"
2105 "(slots needed: %zu, slots available: %zu)\n",
2106 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2107 return -EFAULT;
2108 }
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2120 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2121 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2122 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2123 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2124 }
2125
2126 static void __exit drbg_exit(void)
2127 {
2128 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2129 }
2130
2131 subsys_initcall(drbg_init);
2132 module_exit(drbg_exit);
2133 #ifndef CRYPTO_DRBG_HASH_STRING
2134 #define CRYPTO_DRBG_HASH_STRING ""
2135 #endif
2136 #ifndef CRYPTO_DRBG_HMAC_STRING
2137 #define CRYPTO_DRBG_HMAC_STRING ""
2138 #endif
2139 #ifndef CRYPTO_DRBG_CTR_STRING
2140 #define CRYPTO_DRBG_CTR_STRING ""
2141 #endif
2142 MODULE_LICENSE("GPL");
2143 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2144 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2145 "using following cores: "
2146 CRYPTO_DRBG_HASH_STRING
2147 CRYPTO_DRBG_HMAC_STRING
2148 CRYPTO_DRBG_CTR_STRING);
2149 MODULE_ALIAS_CRYPTO("stdrng");