Lines Matching defs:drbg
100 #include <crypto/drbg.h>
194 static int drbg_uninstantiate(struct drbg_state *drbg);
231 * drbg->drbg_mutex must have been taken.
233 * @drbg DRBG handle
241 static int drbg_fips_continuous_test(struct drbg_state *drbg,
244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
251 if (list_empty(&drbg->test_data.list))
257 if (!drbg->fips_primed) {
259 memcpy(drbg->prev, entropy, entropylen);
260 drbg->fips_primed = true;
264 ret = memcmp(drbg->prev, entropy, entropylen);
267 memcpy(drbg->prev, entropy, entropylen);
306 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
308 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
310 static int drbg_init_sym_kernel(struct drbg_state *drbg);
311 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
312 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
318 static int drbg_ctr_bcc(struct drbg_state *drbg,
327 drbg_string_fill(&data, out, drbg_blocklen(drbg));
330 drbg_kcapi_symsetkey(drbg, key);
337 if (drbg_blocklen(drbg) == cnt) {
339 ret = drbg_kcapi_sym(drbg, out, &data);
351 ret = drbg_kcapi_sym(drbg, out, &data);
362 * start: drbg->scratchpad
363 * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
370 * start: drbg->scratchpad +
371 * drbg_statelen(drbg) + drbg_blocklen(drbg)
372 * length: drbg_statelen(drbg)
376 * start: df_data + drbg_statelen(drbg)
377 * length: drbg_blocklen(drbg)
379 * start: pad + drbg_blocklen(drbg)
380 * length: drbg_blocklen(drbg)
382 * start: iv + drbg_blocklen(drbg)
383 * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
385 * on. BCC operates blockwise. drbg_statelen(drbg)
391 * Therefore, add drbg_blocklen(drbg) to cover all
396 static int drbg_ctr_df(struct drbg_state *drbg,
405 unsigned char *pad = df_data + drbg_statelen(drbg);
406 unsigned char *iv = pad + drbg_blocklen(drbg);
407 unsigned char *temp = iv + drbg_blocklen(drbg);
423 memset(pad, 0, drbg_blocklen(drbg));
424 memset(iv, 0, drbg_blocklen(drbg));
441 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
444 padlen = drbg_blocklen(drbg) - padlen;
454 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
463 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
471 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
476 templen += drbg_blocklen(drbg);
480 X = temp + (drbg_keylen(drbg));
481 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
486 drbg_kcapi_symsetkey(drbg, temp);
494 ret = drbg_kcapi_sym(drbg, X, &cipherin);
497 blocklen = (drbg_blocklen(drbg) <
499 drbg_blocklen(drbg) :
509 memset(iv, 0, drbg_blocklen(drbg));
510 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
511 memset(pad, 0, drbg_blocklen(drbg));
530 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
535 unsigned char *temp = drbg->scratchpad;
536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
537 drbg_blocklen(drbg);
540 memset(df_data, 0, drbg_statelen(drbg));
550 crypto_inc(drbg->V, drbg_blocklen(drbg));
552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
553 drbg_keylen(drbg));
560 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
565 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
566 temp, drbg_statelen(drbg));
571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
572 drbg_keylen(drbg));
576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
578 crypto_inc(drbg->V, drbg_blocklen(drbg));
582 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
584 memset(df_data, 0, drbg_statelen(drbg));
593 static int drbg_ctr_generate(struct drbg_state *drbg,
602 ret = drbg_ctr_update(drbg, addtl, 2);
608 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
613 ret = drbg_ctr_update(drbg, NULL, 3);
633 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
635 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
637 static int drbg_init_hash_kernel(struct drbg_state *drbg);
638 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
653 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
664 memset(drbg->V, 1, drbg_statelen(drbg));
665 drbg_kcapi_hmacsetkey(drbg, drbg->C);
668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
689 drbg_kcapi_hmacsetkey(drbg, drbg->C);
692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
705 static int drbg_hmac_generate(struct drbg_state *drbg,
717 ret = drbg_hmac_update(drbg, addtl, 1);
722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
731 drbg_blocklen(drbg) : (buflen - len);
734 memcpy(buf + len, drbg->V, outlen);
740 ret = drbg_hmac_update(drbg, addtl, 1);
742 ret = drbg_hmac_update(drbg, NULL, 1);
808 * start: drbg->scratchpad
809 * length: drbg_statelen(drbg)
811 * start: drbg->scratchpad + drbg_statelen(drbg)
812 * length: drbg_blocklen(drbg)
820 static int drbg_hash_df(struct drbg_state *drbg,
827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
842 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
848 drbg_blocklen(drbg) : (outlen - len);
854 memset(tmp, 0, drbg_blocklen(drbg));
859 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
866 unsigned char *V = drbg->scratchpad;
874 memcpy(V, drbg->V, drbg_statelen(drbg));
877 drbg_string_fill(&data2, V, drbg_statelen(drbg));
883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
897 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
902 static int drbg_hash_process_addtl(struct drbg_state *drbg,
916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
925 drbg_add_buf(drbg->V, drbg_statelen(drbg),
926 drbg->scratchpad, drbg_blocklen(drbg));
929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
934 static int drbg_hash_hashgen(struct drbg_state *drbg,
940 unsigned char *src = drbg->scratchpad;
941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
946 memcpy(src, drbg->V, drbg_statelen(drbg));
948 drbg_string_fill(&data, src, drbg_statelen(drbg));
953 ret = drbg_kcapi_hash(drbg, dst, &datalist);
958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
959 drbg_blocklen(drbg) : (buflen - len);
965 crypto_inc(src, drbg_statelen(drbg));
969 memset(drbg->scratchpad, 0,
970 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
975 static int drbg_hash_generate(struct drbg_state *drbg,
990 ret = drbg_hash_process_addtl(drbg, addtl);
994 len = drbg_hash_hashgen(drbg, buf, buflen);
1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1009 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1010 drbg->scratchpad, drbg_blocklen(drbg));
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1012 drbg->C, drbg_statelen(drbg));
1013 u.req_int = cpu_to_be64(drbg->reseed_ctr);
1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1037 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1040 int ret = drbg->d_ops->update(drbg, seed, reseed);
1045 drbg->seeded = new_seed_state;
1047 drbg->reseed_ctr = 1;
1049 switch (drbg->seeded) {
1058 drbg->reseed_threshold = 50;
1066 drbg->reseed_threshold = drbg_max_requests(drbg);
1073 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1081 ret = drbg_fips_continuous_test(drbg, entropy);
1089 static int drbg_seed_from_random(struct drbg_state *drbg)
1093 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1103 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1107 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1117 * @drbg: DRBG state struct
1125 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1130 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1136 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1142 if (list_empty(&drbg->test_data.list)) {
1143 drbg_string_fill(&data1, drbg->test_data.buf,
1144 drbg->test_data.len);
1164 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1168 if (!drbg->jent) {
1174 ret = crypto_rng_get_bytes(drbg->jent,
1216 memset(drbg->V, 0, drbg_statelen(drbg));
1217 memset(drbg->C, 0, drbg_statelen(drbg));
1220 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1229 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1231 if (!drbg)
1233 kfree_sensitive(drbg->Vbuf);
1234 drbg->Vbuf = NULL;
1235 drbg->V = NULL;
1236 kfree_sensitive(drbg->Cbuf);
1237 drbg->Cbuf = NULL;
1238 drbg->C = NULL;
1239 kfree_sensitive(drbg->scratchpadbuf);
1240 drbg->scratchpadbuf = NULL;
1241 drbg->reseed_ctr = 0;
1242 drbg->d_ops = NULL;
1243 drbg->core = NULL;
1245 kfree_sensitive(drbg->prev);
1246 drbg->prev = NULL;
1247 drbg->fips_primed = false;
1255 static inline int drbg_alloc_state(struct drbg_state *drbg)
1260 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1263 drbg->d_ops = &drbg_hmac_ops;
1268 drbg->d_ops = &drbg_hash_ops;
1273 drbg->d_ops = &drbg_ctr_ops;
1281 ret = drbg->d_ops->crypto_init(drbg);
1285 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1286 if (!drbg->Vbuf) {
1290 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1291 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1292 if (!drbg->Cbuf) {
1296 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1298 if (drbg->core->flags & DRBG_HMAC)
1300 else if (drbg->core->flags & DRBG_CTR)
1301 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1302 drbg_statelen(drbg) + /* df_data */
1303 drbg_blocklen(drbg) + /* pad */
1304 drbg_blocklen(drbg) + /* iv */
1305 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1307 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1310 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1311 if (!drbg->scratchpadbuf) {
1315 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1319 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1321 if (!drbg->prev) {
1325 drbg->fips_primed = false;
1331 drbg->d_ops->crypto_fini(drbg);
1333 drbg_dealloc_state(drbg);
1345 * @drbg DRBG state handle
1357 static int drbg_generate(struct drbg_state *drbg,
1364 if (!drbg->core) {
1379 if (buflen > (drbg_max_request_bytes(drbg))) {
1388 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1399 if (drbg->reseed_threshold < drbg->reseed_ctr)
1400 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1402 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1405 drbg->pr ? "true" : "false",
1406 (drbg->seeded == DRBG_SEED_STATE_FULL ?
1409 len = drbg_seed(drbg, addtl, true);
1415 drbg->seeded == DRBG_SEED_STATE_PARTIAL) {
1416 len = drbg_seed_from_random(drbg);
1424 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1427 drbg->reseed_ctr++;
1447 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1450 if (drbg->core->flags & DRBG_HMAC)
1453 else if (drbg->core->flags & DRBG_CTR)
1465 drbg_uninstantiate(drbg);
1490 static int drbg_generate_long(struct drbg_state *drbg,
1499 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1500 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1501 mutex_lock(&drbg->drbg_mutex);
1502 err = drbg_generate(drbg, buf + len, chunk, addtl);
1503 mutex_unlock(&drbg->drbg_mutex);
1511 static int drbg_prepare_hrng(struct drbg_state *drbg)
1514 if (list_empty(&drbg->test_data.list))
1517 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1518 if (IS_ERR(drbg->jent)) {
1519 const int err = PTR_ERR(drbg->jent);
1521 drbg->jent = NULL;
1535 * @drbg memory of state -- if NULL, new memory is allocated
1547 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1555 mutex_lock(&drbg->drbg_mutex);
1561 * and the flag is copied into drbg->flags --
1567 if (!drbg->core) {
1568 drbg->core = &drbg_cores[coreref];
1569 drbg->pr = pr;
1570 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1571 drbg->reseed_threshold = drbg_max_requests(drbg);
1573 ret = drbg_alloc_state(drbg);
1577 ret = drbg_prepare_hrng(drbg);
1584 ret = drbg_seed(drbg, pers, reseed);
1589 mutex_unlock(&drbg->drbg_mutex);
1593 mutex_unlock(&drbg->drbg_mutex);
1597 mutex_unlock(&drbg->drbg_mutex);
1598 drbg_uninstantiate(drbg);
1606 * @drbg DRBG state handle
1611 static int drbg_uninstantiate(struct drbg_state *drbg)
1613 if (!IS_ERR_OR_NULL(drbg->jent))
1614 crypto_free_rng(drbg->jent);
1615 drbg->jent = NULL;
1617 if (drbg->d_ops)
1618 drbg->d_ops->crypto_fini(drbg);
1619 drbg_dealloc_state(drbg);
1627 * @drbg DRBG state handle
1634 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1636 mutex_lock(&drbg->drbg_mutex);
1637 drbg_string_fill(&drbg->test_data, data, len);
1638 mutex_unlock(&drbg->drbg_mutex);
1651 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1656 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1659 drbg->core->backend_cra_name);
1662 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1671 drbg->priv_data = sdesc;
1676 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1678 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1683 drbg->priv_data = NULL;
1687 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1690 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1692 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1695 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1698 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1709 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1712 (struct crypto_cipher *)drbg->priv_data;
1715 drbg->priv_data = NULL;
1717 if (drbg->ctr_handle)
1718 crypto_free_skcipher(drbg->ctr_handle);
1719 drbg->ctr_handle = NULL;
1721 if (drbg->ctr_req)
1722 skcipher_request_free(drbg->ctr_req);
1723 drbg->ctr_req = NULL;
1725 kfree(drbg->outscratchpadbuf);
1726 drbg->outscratchpadbuf = NULL;
1731 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1739 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1742 drbg->core->backend_cra_name);
1745 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1746 drbg->priv_data = tfm;
1749 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1750 drbg_fini_sym_kernel(drbg);
1757 drbg_fini_sym_kernel(drbg);
1760 drbg->ctr_handle = sk_tfm;
1761 crypto_init_wait(&drbg->ctr_wait);
1766 drbg_fini_sym_kernel(drbg);
1769 drbg->ctr_req = req;
1772 crypto_req_done, &drbg->ctr_wait);
1775 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1777 if (!drbg->outscratchpadbuf) {
1778 drbg_fini_sym_kernel(drbg);
1781 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1784 sg_init_table(&drbg->sg_in, 1);
1785 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1790 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1794 (struct crypto_cipher *)drbg->priv_data;
1796 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1799 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1803 (struct crypto_cipher *)drbg->priv_data;
1806 BUG_ON(in->len < drbg_blocklen(drbg));
1811 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1815 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1825 memset(drbg->outscratchpad, 0, scratchpad_use);
1826 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1833 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1834 cryptlen, drbg->V);
1835 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1836 &drbg->ctr_wait);
1840 crypto_init_wait(&drbg->ctr_wait);
1842 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1843 memzero_explicit(drbg->outscratchpad, cryptlen);
1901 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1903 mutex_init(&drbg->drbg_mutex);
1926 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1936 return drbg_generate_long(drbg, dst, dlen, addtl);
1945 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1959 return drbg_instantiate(drbg, seed_string, coreref, pr);
1981 struct drbg_state *drbg = NULL;
2001 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2002 if (!drbg)
2005 mutex_init(&drbg->drbg_mutex);
2006 drbg->core = &drbg_cores[coreref];
2007 drbg->reseed_threshold = drbg_max_requests(drbg);
2017 max_addtllen = drbg_max_addtl(drbg);
2018 max_request_bytes = drbg_max_request_bytes(drbg);
2021 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2024 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2028 ret = drbg_seed(drbg, &addtl, false);
2036 kfree(drbg);