Lines Matching defs:drbg
100 #include <crypto/drbg.h>
196 static int drbg_uninstantiate(struct drbg_state *drbg);
233 * drbg->drbg_mutex must have been taken.
235 * @drbg DRBG handle
243 static int drbg_fips_continuous_test(struct drbg_state *drbg,
246 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
253 if (list_empty(&drbg->test_data.list))
259 if (!drbg->fips_primed) {
261 memcpy(drbg->prev, entropy, entropylen);
262 drbg->fips_primed = true;
266 ret = memcmp(drbg->prev, entropy, entropylen);
269 memcpy(drbg->prev, entropy, entropylen);
308 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
310 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
312 static int drbg_init_sym_kernel(struct drbg_state *drbg);
313 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
314 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
320 static int drbg_ctr_bcc(struct drbg_state *drbg,
329 drbg_string_fill(&data, out, drbg_blocklen(drbg));
332 drbg_kcapi_symsetkey(drbg, key);
339 if (drbg_blocklen(drbg) == cnt) {
341 ret = drbg_kcapi_sym(drbg, out, &data);
353 ret = drbg_kcapi_sym(drbg, out, &data);
364 * start: drbg->scratchpad
365 * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
372 * start: drbg->scratchpad +
373 * drbg_statelen(drbg) + drbg_blocklen(drbg)
374 * length: drbg_statelen(drbg)
378 * start: df_data + drbg_statelen(drbg)
379 * length: drbg_blocklen(drbg)
381 * start: pad + drbg_blocklen(drbg)
382 * length: drbg_blocklen(drbg)
384 * start: iv + drbg_blocklen(drbg)
385 * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
387 * on. BCC operates blockwise. drbg_statelen(drbg)
393 * Therefore, add drbg_blocklen(drbg) to cover all
398 static int drbg_ctr_df(struct drbg_state *drbg,
407 unsigned char *pad = df_data + drbg_statelen(drbg);
408 unsigned char *iv = pad + drbg_blocklen(drbg);
409 unsigned char *temp = iv + drbg_blocklen(drbg);
425 memset(pad, 0, drbg_blocklen(drbg));
426 memset(iv, 0, drbg_blocklen(drbg));
443 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
446 padlen = drbg_blocklen(drbg) - padlen;
456 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
465 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
473 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
478 templen += drbg_blocklen(drbg);
482 X = temp + (drbg_keylen(drbg));
483 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
488 drbg_kcapi_symsetkey(drbg, temp);
496 ret = drbg_kcapi_sym(drbg, X, &cipherin);
499 blocklen = (drbg_blocklen(drbg) <
501 drbg_blocklen(drbg) :
511 memset(iv, 0, drbg_blocklen(drbg));
512 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
513 memset(pad, 0, drbg_blocklen(drbg));
532 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
537 unsigned char *temp = drbg->scratchpad;
538 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
539 drbg_blocklen(drbg);
542 memset(df_data, 0, drbg_statelen(drbg));
552 crypto_inc(drbg->V, drbg_blocklen(drbg));
554 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
555 drbg_keylen(drbg));
562 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
567 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
568 temp, drbg_statelen(drbg));
573 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
574 drbg_keylen(drbg));
578 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
580 crypto_inc(drbg->V, drbg_blocklen(drbg));
584 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
586 memset(df_data, 0, drbg_statelen(drbg));
595 static int drbg_ctr_generate(struct drbg_state *drbg,
604 ret = drbg_ctr_update(drbg, addtl, 2);
610 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
615 ret = drbg_ctr_update(drbg, NULL, 3);
635 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
637 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
639 static int drbg_init_hash_kernel(struct drbg_state *drbg);
640 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
655 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
666 memset(drbg->V, 1, drbg_statelen(drbg));
667 drbg_kcapi_hmacsetkey(drbg, drbg->C);
670 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
679 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
688 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
691 drbg_kcapi_hmacsetkey(drbg, drbg->C);
694 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
707 static int drbg_hmac_generate(struct drbg_state *drbg,
719 ret = drbg_hmac_update(drbg, addtl, 1);
724 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
729 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
732 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
733 drbg_blocklen(drbg) : (buflen - len);
736 memcpy(buf + len, drbg->V, outlen);
742 ret = drbg_hmac_update(drbg, addtl, 1);
744 ret = drbg_hmac_update(drbg, NULL, 1);
810 * start: drbg->scratchpad
811 * length: drbg_statelen(drbg)
813 * start: drbg->scratchpad + drbg_statelen(drbg)
814 * length: drbg_blocklen(drbg)
822 static int drbg_hash_df(struct drbg_state *drbg,
829 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
844 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
849 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
850 drbg_blocklen(drbg) : (outlen - len);
856 memset(tmp, 0, drbg_blocklen(drbg));
861 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
868 unsigned char *V = drbg->scratchpad;
876 memcpy(V, drbg->V, drbg_statelen(drbg));
879 drbg_string_fill(&data2, V, drbg_statelen(drbg));
885 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
893 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
896 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
899 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
904 static int drbg_hash_process_addtl(struct drbg_state *drbg,
918 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
922 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
927 drbg_add_buf(drbg->V, drbg_statelen(drbg),
928 drbg->scratchpad, drbg_blocklen(drbg));
931 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
936 static int drbg_hash_hashgen(struct drbg_state *drbg,
942 unsigned char *src = drbg->scratchpad;
943 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
948 memcpy(src, drbg->V, drbg_statelen(drbg));
950 drbg_string_fill(&data, src, drbg_statelen(drbg));
955 ret = drbg_kcapi_hash(drbg, dst, &datalist);
960 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
961 drbg_blocklen(drbg) : (buflen - len);
967 crypto_inc(src, drbg_statelen(drbg));
971 memset(drbg->scratchpad, 0,
972 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
977 static int drbg_hash_generate(struct drbg_state *drbg,
992 ret = drbg_hash_process_addtl(drbg, addtl);
996 len = drbg_hash_hashgen(drbg, buf, buflen);
1002 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1004 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1012 drbg->scratchpad, drbg_blocklen(drbg));
1013 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1014 drbg->C, drbg_statelen(drbg));
1015 u.req_int = cpu_to_be64(drbg->reseed_ctr);
1016 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1019 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1039 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1042 int ret = drbg->d_ops->update(drbg, seed, reseed);
1047 drbg->seeded = new_seed_state;
1048 drbg->last_seed_time = jiffies;
1050 drbg->reseed_ctr = 1;
1052 switch (drbg->seeded) {
1061 drbg->reseed_threshold = 50;
1069 drbg->reseed_threshold = drbg_max_requests(drbg);
1076 static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1084 ret = drbg_fips_continuous_test(drbg, entropy);
1092 static int drbg_seed_from_random(struct drbg_state *drbg)
1096 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1106 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1110 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);
1117 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
1122 if (list_empty(&drbg->test_data.list))
1133 next_reseed = drbg->last_seed_time + 300 * HZ;
1140 * @drbg: DRBG state struct
1148 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1153 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1159 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1165 if (list_empty(&drbg->test_data.list)) {
1166 drbg_string_fill(&data1, drbg->test_data.buf,
1167 drbg->test_data.len);
1187 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1191 if (!drbg->jent) {
1200 ret = crypto_rng_get_bytes(drbg->jent,
1242 memset(drbg->V, 0, drbg_statelen(drbg));
1243 memset(drbg->C, 0, drbg_statelen(drbg));
1246 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);
1255 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1257 if (!drbg)
1259 kfree_sensitive(drbg->Vbuf);
1260 drbg->Vbuf = NULL;
1261 drbg->V = NULL;
1262 kfree_sensitive(drbg->Cbuf);
1263 drbg->Cbuf = NULL;
1264 drbg->C = NULL;
1265 kfree_sensitive(drbg->scratchpadbuf);
1266 drbg->scratchpadbuf = NULL;
1267 drbg->reseed_ctr = 0;
1268 drbg->d_ops = NULL;
1269 drbg->core = NULL;
1271 kfree_sensitive(drbg->prev);
1272 drbg->prev = NULL;
1273 drbg->fips_primed = false;
1281 static inline int drbg_alloc_state(struct drbg_state *drbg)
1286 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1289 drbg->d_ops = &drbg_hmac_ops;
1294 drbg->d_ops = &drbg_hash_ops;
1299 drbg->d_ops = &drbg_ctr_ops;
1307 ret = drbg->d_ops->crypto_init(drbg);
1311 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1312 if (!drbg->Vbuf) {
1316 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1317 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1318 if (!drbg->Cbuf) {
1322 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1324 if (drbg->core->flags & DRBG_HMAC)
1326 else if (drbg->core->flags & DRBG_CTR)
1327 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1328 drbg_statelen(drbg) + /* df_data */
1329 drbg_blocklen(drbg) + /* pad */
1330 drbg_blocklen(drbg) + /* iv */
1331 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1333 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1336 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1337 if (!drbg->scratchpadbuf) {
1341 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1345 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1347 if (!drbg->prev) {
1351 drbg->fips_primed = false;
1357 drbg->d_ops->crypto_fini(drbg);
1359 drbg_dealloc_state(drbg);
1371 * @drbg DRBG state handle
1383 static int drbg_generate(struct drbg_state *drbg,
1390 if (!drbg->core) {
1405 if (buflen > (drbg_max_request_bytes(drbg))) {
1414 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1425 if (drbg->reseed_threshold < drbg->reseed_ctr)
1426 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1428 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
1431 drbg->pr ? "true" : "false",
1432 (drbg->seeded == DRBG_SEED_STATE_FULL ?
1435 len = drbg_seed(drbg, addtl, true);
1441 (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
1442 drbg_nopr_reseed_interval_elapsed(drbg))) {
1443 len = drbg_seed_from_random(drbg);
1451 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1454 drbg->reseed_ctr++;
1474 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1477 if (drbg->core->flags & DRBG_HMAC)
1480 else if (drbg->core->flags & DRBG_CTR)
1492 drbg_uninstantiate(drbg);
1517 static int drbg_generate_long(struct drbg_state *drbg,
1526 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1527 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1528 mutex_lock(&drbg->drbg_mutex);
1529 err = drbg_generate(drbg, buf + len, chunk, addtl);
1530 mutex_unlock(&drbg->drbg_mutex);
1538 static int drbg_prepare_hrng(struct drbg_state *drbg)
1541 if (list_empty(&drbg->test_data.list))
1544 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1545 if (IS_ERR(drbg->jent)) {
1546 const int err = PTR_ERR(drbg->jent);
1548 drbg->jent = NULL;
1562 * @drbg memory of state -- if NULL, new memory is allocated
1574 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1582 mutex_lock(&drbg->drbg_mutex);
1588 * and the flag is copied into drbg->flags --
1594 if (!drbg->core) {
1595 drbg->core = &drbg_cores[coreref];
1596 drbg->pr = pr;
1597 drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
1598 drbg->last_seed_time = 0;
1599 drbg->reseed_threshold = drbg_max_requests(drbg);
1601 ret = drbg_alloc_state(drbg);
1605 ret = drbg_prepare_hrng(drbg);
1612 ret = drbg_seed(drbg, pers, reseed);
1617 mutex_unlock(&drbg->drbg_mutex);
1621 mutex_unlock(&drbg->drbg_mutex);
1625 mutex_unlock(&drbg->drbg_mutex);
1626 drbg_uninstantiate(drbg);
1634 * @drbg DRBG state handle
1639 static int drbg_uninstantiate(struct drbg_state *drbg)
1641 if (!IS_ERR_OR_NULL(drbg->jent))
1642 crypto_free_rng(drbg->jent);
1643 drbg->jent = NULL;
1645 if (drbg->d_ops)
1646 drbg->d_ops->crypto_fini(drbg);
1647 drbg_dealloc_state(drbg);
1655 * @drbg DRBG state handle
1662 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1664 mutex_lock(&drbg->drbg_mutex);
1665 drbg_string_fill(&drbg->test_data, data, len);
1666 mutex_unlock(&drbg->drbg_mutex);
1679 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1684 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1687 drbg->core->backend_cra_name);
1690 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1699 drbg->priv_data = sdesc;
1704 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1706 struct sdesc *sdesc = drbg->priv_data;
1711 drbg->priv_data = NULL;
1715 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1718 struct sdesc *sdesc = drbg->priv_data;
1720 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1723 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1726 struct sdesc *sdesc = drbg->priv_data;
1737 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1740 (struct crypto_cipher *)drbg->priv_data;
1743 drbg->priv_data = NULL;
1745 if (drbg->ctr_handle)
1746 crypto_free_skcipher(drbg->ctr_handle);
1747 drbg->ctr_handle = NULL;
1749 if (drbg->ctr_req)
1750 skcipher_request_free(drbg->ctr_req);
1751 drbg->ctr_req = NULL;
1753 kfree(drbg->outscratchpadbuf);
1754 drbg->outscratchpadbuf = NULL;
1759 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1767 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1770 drbg->core->backend_cra_name);
1773 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1774 drbg->priv_data = tfm;
1777 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1778 drbg_fini_sym_kernel(drbg);
1785 drbg_fini_sym_kernel(drbg);
1788 drbg->ctr_handle = sk_tfm;
1789 crypto_init_wait(&drbg->ctr_wait);
1794 drbg_fini_sym_kernel(drbg);
1797 drbg->ctr_req = req;
1800 crypto_req_done, &drbg->ctr_wait);
1803 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1805 if (!drbg->outscratchpadbuf) {
1806 drbg_fini_sym_kernel(drbg);
1809 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1812 sg_init_table(&drbg->sg_in, 1);
1813 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1818 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1821 struct crypto_cipher *tfm = drbg->priv_data;
1823 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1826 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1829 struct crypto_cipher *tfm = drbg->priv_data;
1832 BUG_ON(in->len < drbg_blocklen(drbg));
1837 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1841 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1851 memset(drbg->outscratchpad, 0, scratchpad_use);
1852 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1859 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1860 cryptlen, drbg->V);
1861 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1862 &drbg->ctr_wait);
1866 crypto_init_wait(&drbg->ctr_wait);
1868 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1869 memzero_explicit(drbg->outscratchpad, cryptlen);
1927 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1929 mutex_init(&drbg->drbg_mutex);
1952 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1962 return drbg_generate_long(drbg, dst, dlen, addtl);
1971 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1985 return drbg_instantiate(drbg, seed_string, coreref, pr);
2007 struct drbg_state *drbg = NULL;
2027 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2028 if (!drbg)
2031 mutex_init(&drbg->drbg_mutex);
2032 drbg->core = &drbg_cores[coreref];
2033 drbg->reseed_threshold = drbg_max_requests(drbg);
2043 max_addtllen = drbg_max_addtl(drbg);
2044 max_request_bytes = drbg_max_request_bytes(drbg);
2047 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2050 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2054 ret = drbg_seed(drbg, &addtl, false);
2062 kfree(drbg);