1/* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100#include <crypto/drbg.h> 101#include <linux/kernel.h> 102 103/*************************************************************** 104 * Backend cipher definitions available to DRBG 105 ***************************************************************/ 106 107/* 108 * The order of the DRBG definitions here matter: every DRBG is registered 109 * as stdrng. Each DRBG receives an increasing cra_priority values the later 110 * they are defined in this array (see drbg_fill_array). 111 * 112 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113 * the SHA256 / AES 256 over other ciphers. Thus, the favored 114 * DRBGs are the latest entries in this array. 115 */ 116static const struct drbg_core drbg_cores[] = { 117#ifdef CONFIG_CRYPTO_DRBG_CTR 118 { 119 .flags = DRBG_CTR | DRBG_STRENGTH128, 120 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121 .blocklen_bytes = 16, 122 .cra_name = "ctr_aes128", 123 .backend_cra_name = "aes", 124 }, { 125 .flags = DRBG_CTR | DRBG_STRENGTH192, 126 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127 .blocklen_bytes = 16, 128 .cra_name = "ctr_aes192", 129 .backend_cra_name = "aes", 130 }, { 131 .flags = DRBG_CTR | DRBG_STRENGTH256, 132 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133 .blocklen_bytes = 16, 134 .cra_name = "ctr_aes256", 135 .backend_cra_name = "aes", 136 }, 137#endif /* CONFIG_CRYPTO_DRBG_CTR */ 138#ifdef CONFIG_CRYPTO_DRBG_HASH 139 { 140 .flags = DRBG_HASH | DRBG_STRENGTH128, 141 .statelen = 55, /* 440 bits */ 142 .blocklen_bytes = 20, 143 .cra_name = "sha1", 144 .backend_cra_name = "sha1", 145 }, { 146 .flags = DRBG_HASH | DRBG_STRENGTH256, 147 .statelen = 111, /* 888 bits */ 148 .blocklen_bytes = 48, 149 .cra_name = "sha384", 150 .backend_cra_name = "sha384", 151 }, { 152 .flags = DRBG_HASH | DRBG_STRENGTH256, 153 .statelen = 111, /* 888 bits */ 154 .blocklen_bytes = 64, 155 .cra_name = "sha512", 156 .backend_cra_name = "sha512", 157 }, { 158 .flags = DRBG_HASH | DRBG_STRENGTH256, 159 .statelen = 55, /* 440 bits */ 160 .blocklen_bytes = 32, 161 .cra_name = "sha256", 162 .backend_cra_name = "sha256", 163 }, 164#endif /* CONFIG_CRYPTO_DRBG_HASH */ 165#ifdef CONFIG_CRYPTO_DRBG_HMAC 166 { 167 .flags = DRBG_HMAC | DRBG_STRENGTH128, 168 .statelen = 20, /* block length of cipher */ 169 .blocklen_bytes = 20, 170 .cra_name = "hmac_sha1", 171 .backend_cra_name = "hmac(sha1)", 172 }, { 173 .flags = DRBG_HMAC | DRBG_STRENGTH256, 174 .statelen = 48, /* block length of cipher */ 175 .blocklen_bytes = 48, 176 .cra_name = "hmac_sha384", 177 .backend_cra_name = "hmac(sha384)", 178 }, { 179 .flags = DRBG_HMAC | DRBG_STRENGTH256, 180 .statelen = 64, /* block length of cipher */ 181 .blocklen_bytes = 64, 182 .cra_name = "hmac_sha512", 183 .backend_cra_name = "hmac(sha512)", 184 }, { 185 .flags = DRBG_HMAC | DRBG_STRENGTH256, 186 .statelen = 32, /* block length of cipher */ 187 .blocklen_bytes = 32, 188 .cra_name = "hmac_sha256", 189 .backend_cra_name = "hmac(sha256)", 190 }, 191#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192}; 193 194static int drbg_uninstantiate(struct drbg_state *drbg); 195 196/****************************************************************** 197 * Generic helper functions 198 ******************************************************************/ 199 200/* 201 * Return strength of DRBG according to SP800-90A section 8.4 202 * 203 * @flags DRBG flags reference 204 * 205 * Return: normalized strength in *bytes* value or 32 as default 206 * to counter programming errors 207 */ 208static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209{ 210 switch (flags & DRBG_STRENGTH_MASK) { 211 case DRBG_STRENGTH128: 212 return 16; 213 case DRBG_STRENGTH192: 214 return 24; 215 case DRBG_STRENGTH256: 216 return 32; 217 default: 218 return 32; 219 } 220} 221 222/* 223 * FIPS 140-2 continuous self test for the noise source 224 * The test is performed on the noise source input data. Thus, the function 225 * implicitly knows the size of the buffer to be equal to the security 226 * strength. 227 * 228 * Note, this function disregards the nonce trailing the entropy data during 229 * initial seeding. 230 * 231 * drbg->drbg_mutex must have been taken. 232 * 233 * @drbg DRBG handle 234 * @entropy buffer of seed data to be checked 235 * 236 * return: 237 * 0 on success 238 * -EAGAIN on when the CTRNG is not yet primed 239 * < 0 on error 240 */ 241static int drbg_fips_continuous_test(struct drbg_state *drbg, 242 const unsigned char *entropy) 243{ 244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 245 int ret = 0; 246 247 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 248 return 0; 249 250 /* skip test if we test the overall system */ 251 if (list_empty(&drbg->test_data.list)) 252 return 0; 253 /* only perform test in FIPS mode */ 254 if (!fips_enabled) 255 return 0; 256 257 if (!drbg->fips_primed) { 258 /* Priming of FIPS test */ 259 memcpy(drbg->prev, entropy, entropylen); 260 drbg->fips_primed = true; 261 /* priming: another round is needed */ 262 return -EAGAIN; 263 } 264 ret = memcmp(drbg->prev, entropy, entropylen); 265 if (!ret) 266 panic("DRBG continuous self test failed\n"); 267 memcpy(drbg->prev, entropy, entropylen); 268 269 /* the test shall pass when the two values are not equal */ 270 return 0; 271} 272 273/* 274 * Convert an integer into a byte representation of this integer. 275 * The byte representation is big-endian 276 * 277 * @val value to be converted 278 * @buf buffer holding the converted integer -- caller must ensure that 279 * buffer size is at least 32 bit 280 */ 281#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 282static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 283{ 284 struct s { 285 __be32 conv; 286 }; 287 struct s *conversion = (struct s *) buf; 288 289 conversion->conv = cpu_to_be32(val); 290} 291#endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 292 293/****************************************************************** 294 * CTR DRBG callback functions 295 ******************************************************************/ 296 297#ifdef CONFIG_CRYPTO_DRBG_CTR 298#define CRYPTO_DRBG_CTR_STRING "CTR " 299MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 300MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 301MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 302MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 303MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 304MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 305 306static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 307 const unsigned char *key); 308static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 309 const struct drbg_string *in); 310static int drbg_init_sym_kernel(struct drbg_state *drbg); 311static int drbg_fini_sym_kernel(struct drbg_state *drbg); 312static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 313 u8 *inbuf, u32 inbuflen, 314 u8 *outbuf, u32 outlen); 315#define DRBG_OUTSCRATCHLEN 256 316 317/* BCC function for CTR DRBG as defined in 10.4.3 */ 318static int drbg_ctr_bcc(struct drbg_state *drbg, 319 unsigned char *out, const unsigned char *key, 320 struct list_head *in) 321{ 322 int ret = 0; 323 struct drbg_string *curr = NULL; 324 struct drbg_string data; 325 short cnt = 0; 326 327 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 328 329 /* 10.4.3 step 2 / 4 */ 330 drbg_kcapi_symsetkey(drbg, key); 331 list_for_each_entry(curr, in, list) { 332 const unsigned char *pos = curr->buf; 333 size_t len = curr->len; 334 /* 10.4.3 step 4.1 */ 335 while (len) { 336 /* 10.4.3 step 4.2 */ 337 if (drbg_blocklen(drbg) == cnt) { 338 cnt = 0; 339 ret = drbg_kcapi_sym(drbg, out, &data); 340 if (ret) 341 return ret; 342 } 343 out[cnt] ^= *pos; 344 pos++; 345 cnt++; 346 len--; 347 } 348 } 349 /* 10.4.3 step 4.2 for last block */ 350 if (cnt) 351 ret = drbg_kcapi_sym(drbg, out, &data); 352 353 return ret; 354} 355 356/* 357 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 358 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 359 * the scratchpad is used as follows: 360 * drbg_ctr_update: 361 * temp 362 * start: drbg->scratchpad 363 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 364 * note: the cipher writing into this variable works 365 * blocklen-wise. Now, when the statelen is not a multiple 366 * of blocklen, the generateion loop below "spills over" 367 * by at most blocklen. Thus, we need to give sufficient 368 * memory. 369 * df_data 370 * start: drbg->scratchpad + 371 * drbg_statelen(drbg) + drbg_blocklen(drbg) 372 * length: drbg_statelen(drbg) 373 * 374 * drbg_ctr_df: 375 * pad 376 * start: df_data + drbg_statelen(drbg) 377 * length: drbg_blocklen(drbg) 378 * iv 379 * start: pad + drbg_blocklen(drbg) 380 * length: drbg_blocklen(drbg) 381 * temp 382 * start: iv + drbg_blocklen(drbg) 383 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 384 * note: temp is the buffer that the BCC function operates 385 * on. BCC operates blockwise. drbg_statelen(drbg) 386 * is sufficient when the DRBG state length is a multiple 387 * of the block size. For AES192 (and maybe other ciphers) 388 * this is not correct and the length for temp is 389 * insufficient (yes, that also means for such ciphers, 390 * the final output of all BCC rounds are truncated). 391 * Therefore, add drbg_blocklen(drbg) to cover all 392 * possibilities. 393 */ 394 395/* Derivation Function for CTR DRBG as defined in 10.4.2 */ 396static int drbg_ctr_df(struct drbg_state *drbg, 397 unsigned char *df_data, size_t bytes_to_return, 398 struct list_head *seedlist) 399{ 400 int ret = -EFAULT; 401 unsigned char L_N[8]; 402 /* S3 is input */ 403 struct drbg_string S1, S2, S4, cipherin; 404 LIST_HEAD(bcc_list); 405 unsigned char *pad = df_data + drbg_statelen(drbg); 406 unsigned char *iv = pad + drbg_blocklen(drbg); 407 unsigned char *temp = iv + drbg_blocklen(drbg); 408 size_t padlen = 0; 409 unsigned int templen = 0; 410 /* 10.4.2 step 7 */ 411 unsigned int i = 0; 412 /* 10.4.2 step 8 */ 413 const unsigned char *K = (unsigned char *) 414 "\x00\x01\x02\x03\x04\x05\x06\x07" 415 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 416 "\x10\x11\x12\x13\x14\x15\x16\x17" 417 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 418 unsigned char *X; 419 size_t generated_len = 0; 420 size_t inputlen = 0; 421 struct drbg_string *seed = NULL; 422 423 memset(pad, 0, drbg_blocklen(drbg)); 424 memset(iv, 0, drbg_blocklen(drbg)); 425 426 /* 10.4.2 step 1 is implicit as we work byte-wise */ 427 428 /* 10.4.2 step 2 */ 429 if ((512/8) < bytes_to_return) 430 return -EINVAL; 431 432 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 433 list_for_each_entry(seed, seedlist, list) 434 inputlen += seed->len; 435 drbg_cpu_to_be32(inputlen, &L_N[0]); 436 437 /* 10.4.2 step 3 */ 438 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 439 440 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 441 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 442 /* wrap the padlen appropriately */ 443 if (padlen) 444 padlen = drbg_blocklen(drbg) - padlen; 445 /* 446 * pad / padlen contains the 0x80 byte and the following zero bytes. 447 * As the calculated padlen value only covers the number of zero 448 * bytes, this value has to be incremented by one for the 0x80 byte. 449 */ 450 padlen++; 451 pad[0] = 0x80; 452 453 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 454 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 455 list_add_tail(&S1.list, &bcc_list); 456 drbg_string_fill(&S2, L_N, sizeof(L_N)); 457 list_add_tail(&S2.list, &bcc_list); 458 list_splice_tail(seedlist, &bcc_list); 459 drbg_string_fill(&S4, pad, padlen); 460 list_add_tail(&S4.list, &bcc_list); 461 462 /* 10.4.2 step 9 */ 463 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 464 /* 465 * 10.4.2 step 9.1 - the padding is implicit as the buffer 466 * holds zeros after allocation -- even the increment of i 467 * is irrelevant as the increment remains within length of i 468 */ 469 drbg_cpu_to_be32(i, iv); 470 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 471 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 472 if (ret) 473 goto out; 474 /* 10.4.2 step 9.3 */ 475 i++; 476 templen += drbg_blocklen(drbg); 477 } 478 479 /* 10.4.2 step 11 */ 480 X = temp + (drbg_keylen(drbg)); 481 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 482 483 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 484 485 /* 10.4.2 step 13 */ 486 drbg_kcapi_symsetkey(drbg, temp); 487 while (generated_len < bytes_to_return) { 488 short blocklen = 0; 489 /* 490 * 10.4.2 step 13.1: the truncation of the key length is 491 * implicit as the key is only drbg_blocklen in size based on 492 * the implementation of the cipher function callback 493 */ 494 ret = drbg_kcapi_sym(drbg, X, &cipherin); 495 if (ret) 496 goto out; 497 blocklen = (drbg_blocklen(drbg) < 498 (bytes_to_return - generated_len)) ? 499 drbg_blocklen(drbg) : 500 (bytes_to_return - generated_len); 501 /* 10.4.2 step 13.2 and 14 */ 502 memcpy(df_data + generated_len, X, blocklen); 503 generated_len += blocklen; 504 } 505 506 ret = 0; 507 508out: 509 memset(iv, 0, drbg_blocklen(drbg)); 510 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 511 memset(pad, 0, drbg_blocklen(drbg)); 512 return ret; 513} 514 515/* 516 * update function of CTR DRBG as defined in 10.2.1.2 517 * 518 * The reseed variable has an enhanced meaning compared to the update 519 * functions of the other DRBGs as follows: 520 * 0 => initial seed from initialization 521 * 1 => reseed via drbg_seed 522 * 2 => first invocation from drbg_ctr_update when addtl is present. In 523 * this case, the df_data scratchpad is not deleted so that it is 524 * available for another calls to prevent calling the DF function 525 * again. 526 * 3 => second invocation from drbg_ctr_update. When the update function 527 * was called with addtl, the df_data memory already contains the 528 * DFed addtl information and we do not need to call DF again. 529 */ 530static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 531 int reseed) 532{ 533 int ret = -EFAULT; 534 /* 10.2.1.2 step 1 */ 535 unsigned char *temp = drbg->scratchpad; 536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 537 drbg_blocklen(drbg); 538 539 if (3 > reseed) 540 memset(df_data, 0, drbg_statelen(drbg)); 541 542 if (!reseed) { 543 /* 544 * The DRBG uses the CTR mode of the underlying AES cipher. The 545 * CTR mode increments the counter value after the AES operation 546 * but SP800-90A requires that the counter is incremented before 547 * the AES operation. Hence, we increment it at the time we set 548 * it by one. 549 */ 550 crypto_inc(drbg->V, drbg_blocklen(drbg)); 551 552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 553 drbg_keylen(drbg)); 554 if (ret) 555 goto out; 556 } 557 558 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 559 if (seed) { 560 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 561 if (ret) 562 goto out; 563 } 564 565 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 566 temp, drbg_statelen(drbg)); 567 if (ret) 568 return ret; 569 570 /* 10.2.1.2 step 5 */ 571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 572 drbg_keylen(drbg)); 573 if (ret) 574 goto out; 575 /* 10.2.1.2 step 6 */ 576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 577 /* See above: increment counter by one to compensate timing of CTR op */ 578 crypto_inc(drbg->V, drbg_blocklen(drbg)); 579 ret = 0; 580 581out: 582 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 583 if (2 != reseed) 584 memset(df_data, 0, drbg_statelen(drbg)); 585 return ret; 586} 587 588/* 589 * scratchpad use: drbg_ctr_update is called independently from 590 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 591 */ 592/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 593static int drbg_ctr_generate(struct drbg_state *drbg, 594 unsigned char *buf, unsigned int buflen, 595 struct list_head *addtl) 596{ 597 int ret; 598 int len = min_t(int, buflen, INT_MAX); 599 600 /* 10.2.1.5.2 step 2 */ 601 if (addtl && !list_empty(addtl)) { 602 ret = drbg_ctr_update(drbg, addtl, 2); 603 if (ret) 604 return 0; 605 } 606 607 /* 10.2.1.5.2 step 4.1 */ 608 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 609 if (ret) 610 return ret; 611 612 /* 10.2.1.5.2 step 6 */ 613 ret = drbg_ctr_update(drbg, NULL, 3); 614 if (ret) 615 len = ret; 616 617 return len; 618} 619 620static const struct drbg_state_ops drbg_ctr_ops = { 621 .update = drbg_ctr_update, 622 .generate = drbg_ctr_generate, 623 .crypto_init = drbg_init_sym_kernel, 624 .crypto_fini = drbg_fini_sym_kernel, 625}; 626#endif /* CONFIG_CRYPTO_DRBG_CTR */ 627 628/****************************************************************** 629 * HMAC DRBG callback functions 630 ******************************************************************/ 631 632#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 633static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 634 const struct list_head *in); 635static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 636 const unsigned char *key); 637static int drbg_init_hash_kernel(struct drbg_state *drbg); 638static int drbg_fini_hash_kernel(struct drbg_state *drbg); 639#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 640 641#ifdef CONFIG_CRYPTO_DRBG_HMAC 642#define CRYPTO_DRBG_HMAC_STRING "HMAC " 643MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 644MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 645MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 646MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 647MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 648MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 649MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 650MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 651 652/* update function of HMAC DRBG as defined in 10.1.2.2 */ 653static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 654 int reseed) 655{ 656 int ret = -EFAULT; 657 int i = 0; 658 struct drbg_string seed1, seed2, vdata; 659 LIST_HEAD(seedlist); 660 LIST_HEAD(vdatalist); 661 662 if (!reseed) { 663 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 664 memset(drbg->V, 1, drbg_statelen(drbg)); 665 drbg_kcapi_hmacsetkey(drbg, drbg->C); 666 } 667 668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 669 list_add_tail(&seed1.list, &seedlist); 670 /* buffer of seed2 will be filled in for loop below with one byte */ 671 drbg_string_fill(&seed2, NULL, 1); 672 list_add_tail(&seed2.list, &seedlist); 673 /* input data of seed is allowed to be NULL at this point */ 674 if (seed) 675 list_splice_tail(seed, &seedlist); 676 677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 678 list_add_tail(&vdata.list, &vdatalist); 679 for (i = 2; 0 < i; i--) { 680 /* first round uses 0x0, second 0x1 */ 681 unsigned char prefix = DRBG_PREFIX0; 682 if (1 == i) 683 prefix = DRBG_PREFIX1; 684 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 685 seed2.buf = &prefix; 686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 687 if (ret) 688 return ret; 689 drbg_kcapi_hmacsetkey(drbg, drbg->C); 690 691 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 693 if (ret) 694 return ret; 695 696 /* 10.1.2.2 step 3 */ 697 if (!seed) 698 return ret; 699 } 700 701 return 0; 702} 703 704/* generate function of HMAC DRBG as defined in 10.1.2.5 */ 705static int drbg_hmac_generate(struct drbg_state *drbg, 706 unsigned char *buf, 707 unsigned int buflen, 708 struct list_head *addtl) 709{ 710 int len = 0; 711 int ret = 0; 712 struct drbg_string data; 713 LIST_HEAD(datalist); 714 715 /* 10.1.2.5 step 2 */ 716 if (addtl && !list_empty(addtl)) { 717 ret = drbg_hmac_update(drbg, addtl, 1); 718 if (ret) 719 return ret; 720 } 721 722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 723 list_add_tail(&data.list, &datalist); 724 while (len < buflen) { 725 unsigned int outlen = 0; 726 /* 10.1.2.5 step 4.1 */ 727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 728 if (ret) 729 return ret; 730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 731 drbg_blocklen(drbg) : (buflen - len); 732 733 /* 10.1.2.5 step 4.2 */ 734 memcpy(buf + len, drbg->V, outlen); 735 len += outlen; 736 } 737 738 /* 10.1.2.5 step 6 */ 739 if (addtl && !list_empty(addtl)) 740 ret = drbg_hmac_update(drbg, addtl, 1); 741 else 742 ret = drbg_hmac_update(drbg, NULL, 1); 743 if (ret) 744 return ret; 745 746 return len; 747} 748 749static const struct drbg_state_ops drbg_hmac_ops = { 750 .update = drbg_hmac_update, 751 .generate = drbg_hmac_generate, 752 .crypto_init = drbg_init_hash_kernel, 753 .crypto_fini = drbg_fini_hash_kernel, 754}; 755#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 756 757/****************************************************************** 758 * Hash DRBG callback functions 759 ******************************************************************/ 760 761#ifdef CONFIG_CRYPTO_DRBG_HASH 762#define CRYPTO_DRBG_HASH_STRING "HASH " 763MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 764MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 765MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 766MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 767MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 768MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 769MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 770MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 771 772/* 773 * Increment buffer 774 * 775 * @dst buffer to increment 776 * @add value to add 777 */ 778static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 779 const unsigned char *add, size_t addlen) 780{ 781 /* implied: dstlen > addlen */ 782 unsigned char *dstptr; 783 const unsigned char *addptr; 784 unsigned int remainder = 0; 785 size_t len = addlen; 786 787 dstptr = dst + (dstlen-1); 788 addptr = add + (addlen-1); 789 while (len) { 790 remainder += *dstptr + *addptr; 791 *dstptr = remainder & 0xff; 792 remainder >>= 8; 793 len--; dstptr--; addptr--; 794 } 795 len = dstlen - addlen; 796 while (len && remainder > 0) { 797 remainder = *dstptr + 1; 798 *dstptr = remainder & 0xff; 799 remainder >>= 8; 800 len--; dstptr--; 801 } 802} 803 804/* 805 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 806 * interlinked, the scratchpad is used as follows: 807 * drbg_hash_update 808 * start: drbg->scratchpad 809 * length: drbg_statelen(drbg) 810 * drbg_hash_df: 811 * start: drbg->scratchpad + drbg_statelen(drbg) 812 * length: drbg_blocklen(drbg) 813 * 814 * drbg_hash_process_addtl uses the scratchpad, but fully completes 815 * before either of the functions mentioned before are invoked. Therefore, 816 * drbg_hash_process_addtl does not need to be specifically considered. 817 */ 818 819/* Derivation Function for Hash DRBG as defined in 10.4.1 */ 820static int drbg_hash_df(struct drbg_state *drbg, 821 unsigned char *outval, size_t outlen, 822 struct list_head *entropylist) 823{ 824 int ret = 0; 825 size_t len = 0; 826 unsigned char input[5]; 827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 828 struct drbg_string data; 829 830 /* 10.4.1 step 3 */ 831 input[0] = 1; 832 drbg_cpu_to_be32((outlen * 8), &input[1]); 833 834 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 835 drbg_string_fill(&data, input, 5); 836 list_add(&data.list, entropylist); 837 838 /* 10.4.1 step 4 */ 839 while (len < outlen) { 840 short blocklen = 0; 841 /* 10.4.1 step 4.1 */ 842 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 843 if (ret) 844 goto out; 845 /* 10.4.1 step 4.2 */ 846 input[0]++; 847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 848 drbg_blocklen(drbg) : (outlen - len); 849 memcpy(outval + len, tmp, blocklen); 850 len += blocklen; 851 } 852 853out: 854 memset(tmp, 0, drbg_blocklen(drbg)); 855 return ret; 856} 857 858/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 859static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 860 int reseed) 861{ 862 int ret = 0; 863 struct drbg_string data1, data2; 864 LIST_HEAD(datalist); 865 LIST_HEAD(datalist2); 866 unsigned char *V = drbg->scratchpad; 867 unsigned char prefix = DRBG_PREFIX1; 868 869 if (!seed) 870 return -EINVAL; 871 872 if (reseed) { 873 /* 10.1.1.3 step 1 */ 874 memcpy(V, drbg->V, drbg_statelen(drbg)); 875 drbg_string_fill(&data1, &prefix, 1); 876 list_add_tail(&data1.list, &datalist); 877 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 878 list_add_tail(&data2.list, &datalist); 879 } 880 list_splice_tail(seed, &datalist); 881 882 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 884 if (ret) 885 goto out; 886 887 /* 10.1.1.2 / 10.1.1.3 step 4 */ 888 prefix = DRBG_PREFIX0; 889 drbg_string_fill(&data1, &prefix, 1); 890 list_add_tail(&data1.list, &datalist2); 891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 892 list_add_tail(&data2.list, &datalist2); 893 /* 10.1.1.2 / 10.1.1.3 step 4 */ 894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 895 896out: 897 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 898 return ret; 899} 900 901/* processing of additional information string for Hash DRBG */ 902static int drbg_hash_process_addtl(struct drbg_state *drbg, 903 struct list_head *addtl) 904{ 905 int ret = 0; 906 struct drbg_string data1, data2; 907 LIST_HEAD(datalist); 908 unsigned char prefix = DRBG_PREFIX2; 909 910 /* 10.1.1.4 step 2 */ 911 if (!addtl || list_empty(addtl)) 912 return 0; 913 914 /* 10.1.1.4 step 2a */ 915 drbg_string_fill(&data1, &prefix, 1); 916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 917 list_add_tail(&data1.list, &datalist); 918 list_add_tail(&data2.list, &datalist); 919 list_splice_tail(addtl, &datalist); 920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 921 if (ret) 922 goto out; 923 924 /* 10.1.1.4 step 2b */ 925 drbg_add_buf(drbg->V, drbg_statelen(drbg), 926 drbg->scratchpad, drbg_blocklen(drbg)); 927 928out: 929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 930 return ret; 931} 932 933/* Hashgen defined in 10.1.1.4 */ 934static int drbg_hash_hashgen(struct drbg_state *drbg, 935 unsigned char *buf, 936 unsigned int buflen) 937{ 938 int len = 0; 939 int ret = 0; 940 unsigned char *src = drbg->scratchpad; 941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 942 struct drbg_string data; 943 LIST_HEAD(datalist); 944 945 /* 10.1.1.4 step hashgen 2 */ 946 memcpy(src, drbg->V, drbg_statelen(drbg)); 947 948 drbg_string_fill(&data, src, drbg_statelen(drbg)); 949 list_add_tail(&data.list, &datalist); 950 while (len < buflen) { 951 unsigned int outlen = 0; 952 /* 10.1.1.4 step hashgen 4.1 */ 953 ret = drbg_kcapi_hash(drbg, dst, &datalist); 954 if (ret) { 955 len = ret; 956 goto out; 957 } 958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 959 drbg_blocklen(drbg) : (buflen - len); 960 /* 10.1.1.4 step hashgen 4.2 */ 961 memcpy(buf + len, dst, outlen); 962 len += outlen; 963 /* 10.1.1.4 hashgen step 4.3 */ 964 if (len < buflen) 965 crypto_inc(src, drbg_statelen(drbg)); 966 } 967 968out: 969 memset(drbg->scratchpad, 0, 970 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 971 return len; 972} 973 974/* generate function for Hash DRBG as defined in 10.1.1.4 */ 975static int drbg_hash_generate(struct drbg_state *drbg, 976 unsigned char *buf, unsigned int buflen, 977 struct list_head *addtl) 978{ 979 int len = 0; 980 int ret = 0; 981 union { 982 unsigned char req[8]; 983 __be64 req_int; 984 } u; 985 unsigned char prefix = DRBG_PREFIX3; 986 struct drbg_string data1, data2; 987 LIST_HEAD(datalist); 988 989 /* 10.1.1.4 step 2 */ 990 ret = drbg_hash_process_addtl(drbg, addtl); 991 if (ret) 992 return ret; 993 /* 10.1.1.4 step 3 */ 994 len = drbg_hash_hashgen(drbg, buf, buflen); 995 996 /* this is the value H as documented in 10.1.1.4 */ 997 /* 10.1.1.4 step 4 */ 998 drbg_string_fill(&data1, &prefix, 1); 999 list_add_tail(&data1.list, &datalist); 1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 1001 list_add_tail(&data2.list, &datalist); 1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 1003 if (ret) { 1004 len = ret; 1005 goto out; 1006 } 1007 1008 /* 10.1.1.4 step 5 */ 1009 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1010 drbg->scratchpad, drbg_blocklen(drbg)); 1011 drbg_add_buf(drbg->V, drbg_statelen(drbg), 1012 drbg->C, drbg_statelen(drbg)); 1013 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1015 1016out: 1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1018 return len; 1019} 1020 1021/* 1022 * scratchpad usage: as update and generate are used isolated, both 1023 * can use the scratchpad 1024 */ 1025static const struct drbg_state_ops drbg_hash_ops = { 1026 .update = drbg_hash_update, 1027 .generate = drbg_hash_generate, 1028 .crypto_init = drbg_init_hash_kernel, 1029 .crypto_fini = drbg_fini_hash_kernel, 1030}; 1031#endif /* CONFIG_CRYPTO_DRBG_HASH */ 1032 1033/****************************************************************** 1034 * Functions common for DRBG implementations 1035 ******************************************************************/ 1036 1037static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1038 int reseed, enum drbg_seed_state new_seed_state) 1039{ 1040 int ret = drbg->d_ops->update(drbg, seed, reseed); 1041 1042 if (ret) 1043 return ret; 1044 1045 drbg->seeded = new_seed_state; 1046 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1047 drbg->reseed_ctr = 1; 1048 1049 switch (drbg->seeded) { 1050 case DRBG_SEED_STATE_UNSEEDED: 1051 /* Impossible, but handle it to silence compiler warnings. */ 1052 fallthrough; 1053 case DRBG_SEED_STATE_PARTIAL: 1054 /* 1055 * Require frequent reseeds until the seed source is 1056 * fully initialized. 1057 */ 1058 drbg->reseed_threshold = 50; 1059 break; 1060 1061 case DRBG_SEED_STATE_FULL: 1062 /* 1063 * Seed source has become fully initialized, frequent 1064 * reseeds no longer required. 1065 */ 1066 drbg->reseed_threshold = drbg_max_requests(drbg); 1067 break; 1068 } 1069 1070 return ret; 1071} 1072 1073static inline int drbg_get_random_bytes(struct drbg_state *drbg, 1074 unsigned char *entropy, 1075 unsigned int entropylen) 1076{ 1077 int ret; 1078 1079 do { 1080 get_random_bytes(entropy, entropylen); 1081 ret = drbg_fips_continuous_test(drbg, entropy); 1082 if (ret && ret != -EAGAIN) 1083 return ret; 1084 } while (ret); 1085 1086 return 0; 1087} 1088 1089static int drbg_seed_from_random(struct drbg_state *drbg) 1090{ 1091 struct drbg_string data; 1092 LIST_HEAD(seedlist); 1093 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1094 unsigned char entropy[32]; 1095 int ret; 1096 1097 BUG_ON(!entropylen); 1098 BUG_ON(entropylen > sizeof(entropy)); 1099 1100 drbg_string_fill(&data, entropy, entropylen); 1101 list_add_tail(&data.list, &seedlist); 1102 1103 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1104 if (ret) 1105 goto out; 1106 1107 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 1108 1109out: 1110 memzero_explicit(entropy, entropylen); 1111 return ret; 1112} 1113 1114/* 1115 * Seeding or reseeding of the DRBG 1116 * 1117 * @drbg: DRBG state struct 1118 * @pers: personalization / additional information buffer 1119 * @reseed: 0 for initial seed process, 1 for reseeding 1120 * 1121 * return: 1122 * 0 on success 1123 * error value otherwise 1124 */ 1125static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1126 bool reseed) 1127{ 1128 int ret; 1129 unsigned char entropy[((32 + 16) * 2)]; 1130 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1131 struct drbg_string data1; 1132 LIST_HEAD(seedlist); 1133 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 1134 1135 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1136 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1137 pr_devel("DRBG: personalization string too long %zu\n", 1138 pers->len); 1139 return -EINVAL; 1140 } 1141 1142 if (list_empty(&drbg->test_data.list)) { 1143 drbg_string_fill(&data1, drbg->test_data.buf, 1144 drbg->test_data.len); 1145 pr_devel("DRBG: using test entropy\n"); 1146 } else { 1147 /* 1148 * Gather entropy equal to the security strength of the DRBG. 1149 * With a derivation function, a nonce is required in addition 1150 * to the entropy. A nonce must be at least 1/2 of the security 1151 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1152 * of the strength. The consideration of a nonce is only 1153 * applicable during initial seeding. 1154 */ 1155 BUG_ON(!entropylen); 1156 if (!reseed) 1157 entropylen = ((entropylen + 1) / 2) * 3; 1158 BUG_ON((entropylen * 2) > sizeof(entropy)); 1159 1160 /* Get seed from in-kernel /dev/urandom */ 1161 if (!rng_is_initialized()) 1162 new_seed_state = DRBG_SEED_STATE_PARTIAL; 1163 1164 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1165 if (ret) 1166 goto out; 1167 1168 if (!drbg->jent) { 1169 drbg_string_fill(&data1, entropy, entropylen); 1170 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1171 entropylen); 1172 } else { 1173 /* Get seed from Jitter RNG */ 1174 ret = crypto_rng_get_bytes(drbg->jent, 1175 entropy + entropylen, 1176 entropylen); 1177 if (ret) { 1178 pr_devel("DRBG: jent failed with %d\n", ret); 1179 1180 /* 1181 * Do not treat the transient failure of the 1182 * Jitter RNG as an error that needs to be 1183 * reported. The combined number of the 1184 * maximum reseed threshold times the maximum 1185 * number of Jitter RNG transient errors is 1186 * less than the reseed threshold required by 1187 * SP800-90A allowing us to treat the 1188 * transient errors as such. 1189 * 1190 * However, we mandate that at least the first 1191 * seeding operation must succeed with the 1192 * Jitter RNG. 1193 */ 1194 if (!reseed || ret != -EAGAIN) 1195 goto out; 1196 } 1197 1198 drbg_string_fill(&data1, entropy, entropylen * 2); 1199 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1200 entropylen * 2); 1201 } 1202 } 1203 list_add_tail(&data1.list, &seedlist); 1204 1205 /* 1206 * concatenation of entropy with personalization str / addtl input) 1207 * the variable pers is directly handed in by the caller, so check its 1208 * contents whether it is appropriate 1209 */ 1210 if (pers && pers->buf && 0 < pers->len) { 1211 list_add_tail(&pers->list, &seedlist); 1212 pr_devel("DRBG: using personalization string\n"); 1213 } 1214 1215 if (!reseed) { 1216 memset(drbg->V, 0, drbg_statelen(drbg)); 1217 memset(drbg->C, 0, drbg_statelen(drbg)); 1218 } 1219 1220 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1221 1222out: 1223 memzero_explicit(entropy, entropylen * 2); 1224 1225 return ret; 1226} 1227 1228/* Free all substructures in a DRBG state without the DRBG state structure */ 1229static inline void drbg_dealloc_state(struct drbg_state *drbg) 1230{ 1231 if (!drbg) 1232 return; 1233 kfree_sensitive(drbg->Vbuf); 1234 drbg->Vbuf = NULL; 1235 drbg->V = NULL; 1236 kfree_sensitive(drbg->Cbuf); 1237 drbg->Cbuf = NULL; 1238 drbg->C = NULL; 1239 kfree_sensitive(drbg->scratchpadbuf); 1240 drbg->scratchpadbuf = NULL; 1241 drbg->reseed_ctr = 0; 1242 drbg->d_ops = NULL; 1243 drbg->core = NULL; 1244 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1245 kfree_sensitive(drbg->prev); 1246 drbg->prev = NULL; 1247 drbg->fips_primed = false; 1248 } 1249} 1250 1251/* 1252 * Allocate all sub-structures for a DRBG state. 1253 * The DRBG state structure must already be allocated. 1254 */ 1255static inline int drbg_alloc_state(struct drbg_state *drbg) 1256{ 1257 int ret = -ENOMEM; 1258 unsigned int sb_size = 0; 1259 1260 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1261#ifdef CONFIG_CRYPTO_DRBG_HMAC 1262 case DRBG_HMAC: 1263 drbg->d_ops = &drbg_hmac_ops; 1264 break; 1265#endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1266#ifdef CONFIG_CRYPTO_DRBG_HASH 1267 case DRBG_HASH: 1268 drbg->d_ops = &drbg_hash_ops; 1269 break; 1270#endif /* CONFIG_CRYPTO_DRBG_HASH */ 1271#ifdef CONFIG_CRYPTO_DRBG_CTR 1272 case DRBG_CTR: 1273 drbg->d_ops = &drbg_ctr_ops; 1274 break; 1275#endif /* CONFIG_CRYPTO_DRBG_CTR */ 1276 default: 1277 ret = -EOPNOTSUPP; 1278 goto err; 1279 } 1280 1281 ret = drbg->d_ops->crypto_init(drbg); 1282 if (ret < 0) 1283 goto err; 1284 1285 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1286 if (!drbg->Vbuf) { 1287 ret = -ENOMEM; 1288 goto fini; 1289 } 1290 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1291 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1292 if (!drbg->Cbuf) { 1293 ret = -ENOMEM; 1294 goto fini; 1295 } 1296 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1297 /* scratchpad is only generated for CTR and Hash */ 1298 if (drbg->core->flags & DRBG_HMAC) 1299 sb_size = 0; 1300 else if (drbg->core->flags & DRBG_CTR) 1301 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1302 drbg_statelen(drbg) + /* df_data */ 1303 drbg_blocklen(drbg) + /* pad */ 1304 drbg_blocklen(drbg) + /* iv */ 1305 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1306 else 1307 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1308 1309 if (0 < sb_size) { 1310 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1311 if (!drbg->scratchpadbuf) { 1312 ret = -ENOMEM; 1313 goto fini; 1314 } 1315 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1316 } 1317 1318 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1319 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1320 GFP_KERNEL); 1321 if (!drbg->prev) { 1322 ret = -ENOMEM; 1323 goto fini; 1324 } 1325 drbg->fips_primed = false; 1326 } 1327 1328 return 0; 1329 1330fini: 1331 drbg->d_ops->crypto_fini(drbg); 1332err: 1333 drbg_dealloc_state(drbg); 1334 return ret; 1335} 1336 1337/************************************************************************* 1338 * DRBG interface functions 1339 *************************************************************************/ 1340 1341/* 1342 * DRBG generate function as required by SP800-90A - this function 1343 * generates random numbers 1344 * 1345 * @drbg DRBG state handle 1346 * @buf Buffer where to store the random numbers -- the buffer must already 1347 * be pre-allocated by caller 1348 * @buflen Length of output buffer - this value defines the number of random 1349 * bytes pulled from DRBG 1350 * @addtl Additional input that is mixed into state, may be NULL -- note 1351 * the entropy is pulled by the DRBG internally unconditionally 1352 * as defined in SP800-90A. The additional input is mixed into 1353 * the state in addition to the pulled entropy. 1354 * 1355 * return: 0 when all bytes are generated; < 0 in case of an error 1356 */ 1357static int drbg_generate(struct drbg_state *drbg, 1358 unsigned char *buf, unsigned int buflen, 1359 struct drbg_string *addtl) 1360{ 1361 int len = 0; 1362 LIST_HEAD(addtllist); 1363 1364 if (!drbg->core) { 1365 pr_devel("DRBG: not yet seeded\n"); 1366 return -EINVAL; 1367 } 1368 if (0 == buflen || !buf) { 1369 pr_devel("DRBG: no output buffer provided\n"); 1370 return -EINVAL; 1371 } 1372 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1373 pr_devel("DRBG: wrong format of additional information\n"); 1374 return -EINVAL; 1375 } 1376 1377 /* 9.3.1 step 2 */ 1378 len = -EINVAL; 1379 if (buflen > (drbg_max_request_bytes(drbg))) { 1380 pr_devel("DRBG: requested random numbers too large %u\n", 1381 buflen); 1382 goto err; 1383 } 1384 1385 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1386 1387 /* 9.3.1 step 4 */ 1388 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1389 pr_devel("DRBG: additional information string too long %zu\n", 1390 addtl->len); 1391 goto err; 1392 } 1393 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1394 1395 /* 1396 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1397 * here. The spec is a bit convoluted here, we make it simpler. 1398 */ 1399 if (drbg->reseed_threshold < drbg->reseed_ctr) 1400 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1401 1402 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1403 pr_devel("DRBG: reseeding before generation (prediction " 1404 "resistance: %s, state %s)\n", 1405 drbg->pr ? "true" : "false", 1406 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1407 "seeded" : "unseeded")); 1408 /* 9.3.1 steps 7.1 through 7.3 */ 1409 len = drbg_seed(drbg, addtl, true); 1410 if (len) 1411 goto err; 1412 /* 9.3.1 step 7.4 */ 1413 addtl = NULL; 1414 } else if (rng_is_initialized() && 1415 drbg->seeded == DRBG_SEED_STATE_PARTIAL) { 1416 len = drbg_seed_from_random(drbg); 1417 if (len) 1418 goto err; 1419 } 1420 1421 if (addtl && 0 < addtl->len) 1422 list_add_tail(&addtl->list, &addtllist); 1423 /* 9.3.1 step 8 and 10 */ 1424 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1425 1426 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1427 drbg->reseed_ctr++; 1428 if (0 >= len) 1429 goto err; 1430 1431 /* 1432 * Section 11.3.3 requires to re-perform self tests after some 1433 * generated random numbers. The chosen value after which self 1434 * test is performed is arbitrary, but it should be reasonable. 1435 * However, we do not perform the self tests because of the following 1436 * reasons: it is mathematically impossible that the initial self tests 1437 * were successfully and the following are not. If the initial would 1438 * pass and the following would not, the kernel integrity is violated. 1439 * In this case, the entire kernel operation is questionable and it 1440 * is unlikely that the integrity violation only affects the 1441 * correct operation of the DRBG. 1442 * 1443 * Albeit the following code is commented out, it is provided in 1444 * case somebody has a need to implement the test of 11.3.3. 1445 */ 1446#if 0 1447 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1448 int err = 0; 1449 pr_devel("DRBG: start to perform self test\n"); 1450 if (drbg->core->flags & DRBG_HMAC) 1451 err = alg_test("drbg_pr_hmac_sha256", 1452 "drbg_pr_hmac_sha256", 0, 0); 1453 else if (drbg->core->flags & DRBG_CTR) 1454 err = alg_test("drbg_pr_ctr_aes128", 1455 "drbg_pr_ctr_aes128", 0, 0); 1456 else 1457 err = alg_test("drbg_pr_sha256", 1458 "drbg_pr_sha256", 0, 0); 1459 if (err) { 1460 pr_err("DRBG: periodical self test failed\n"); 1461 /* 1462 * uninstantiate implies that from now on, only errors 1463 * are returned when reusing this DRBG cipher handle 1464 */ 1465 drbg_uninstantiate(drbg); 1466 return 0; 1467 } else { 1468 pr_devel("DRBG: self test successful\n"); 1469 } 1470 } 1471#endif 1472 1473 /* 1474 * All operations were successful, return 0 as mandated by 1475 * the kernel crypto API interface. 1476 */ 1477 len = 0; 1478err: 1479 return len; 1480} 1481 1482/* 1483 * Wrapper around drbg_generate which can pull arbitrary long strings 1484 * from the DRBG without hitting the maximum request limitation. 1485 * 1486 * Parameters: see drbg_generate 1487 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1488 * the entire drbg_generate_long request fails 1489 */ 1490static int drbg_generate_long(struct drbg_state *drbg, 1491 unsigned char *buf, unsigned int buflen, 1492 struct drbg_string *addtl) 1493{ 1494 unsigned int len = 0; 1495 unsigned int slice = 0; 1496 do { 1497 int err = 0; 1498 unsigned int chunk = 0; 1499 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1500 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1501 mutex_lock(&drbg->drbg_mutex); 1502 err = drbg_generate(drbg, buf + len, chunk, addtl); 1503 mutex_unlock(&drbg->drbg_mutex); 1504 if (0 > err) 1505 return err; 1506 len += chunk; 1507 } while (slice > 0 && (len < buflen)); 1508 return 0; 1509} 1510 1511static int drbg_prepare_hrng(struct drbg_state *drbg) 1512{ 1513 /* We do not need an HRNG in test mode. */ 1514 if (list_empty(&drbg->test_data.list)) 1515 return 0; 1516 1517 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1518 if (IS_ERR(drbg->jent)) { 1519 const int err = PTR_ERR(drbg->jent); 1520 1521 drbg->jent = NULL; 1522 if (fips_enabled) 1523 return err; 1524 pr_info("DRBG: Continuing without Jitter RNG\n"); 1525 } 1526 1527 return 0; 1528} 1529 1530/* 1531 * DRBG instantiation function as required by SP800-90A - this function 1532 * sets up the DRBG handle, performs the initial seeding and all sanity 1533 * checks required by SP800-90A 1534 * 1535 * @drbg memory of state -- if NULL, new memory is allocated 1536 * @pers Personalization string that is mixed into state, may be NULL -- note 1537 * the entropy is pulled by the DRBG internally unconditionally 1538 * as defined in SP800-90A. The additional input is mixed into 1539 * the state in addition to the pulled entropy. 1540 * @coreref reference to core 1541 * @pr prediction resistance enabled 1542 * 1543 * return 1544 * 0 on success 1545 * error value otherwise 1546 */ 1547static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1548 int coreref, bool pr) 1549{ 1550 int ret; 1551 bool reseed = true; 1552 1553 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1554 "%s\n", coreref, pr ? "enabled" : "disabled"); 1555 mutex_lock(&drbg->drbg_mutex); 1556 1557 /* 9.1 step 1 is implicit with the selected DRBG type */ 1558 1559 /* 1560 * 9.1 step 2 is implicit as caller can select prediction resistance 1561 * and the flag is copied into drbg->flags -- 1562 * all DRBG types support prediction resistance 1563 */ 1564 1565 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1566 1567 if (!drbg->core) { 1568 drbg->core = &drbg_cores[coreref]; 1569 drbg->pr = pr; 1570 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1571 drbg->reseed_threshold = drbg_max_requests(drbg); 1572 1573 ret = drbg_alloc_state(drbg); 1574 if (ret) 1575 goto unlock; 1576 1577 ret = drbg_prepare_hrng(drbg); 1578 if (ret) 1579 goto free_everything; 1580 1581 reseed = false; 1582 } 1583 1584 ret = drbg_seed(drbg, pers, reseed); 1585 1586 if (ret && !reseed) 1587 goto free_everything; 1588 1589 mutex_unlock(&drbg->drbg_mutex); 1590 return ret; 1591 1592unlock: 1593 mutex_unlock(&drbg->drbg_mutex); 1594 return ret; 1595 1596free_everything: 1597 mutex_unlock(&drbg->drbg_mutex); 1598 drbg_uninstantiate(drbg); 1599 return ret; 1600} 1601 1602/* 1603 * DRBG uninstantiate function as required by SP800-90A - this function 1604 * frees all buffers and the DRBG handle 1605 * 1606 * @drbg DRBG state handle 1607 * 1608 * return 1609 * 0 on success 1610 */ 1611static int drbg_uninstantiate(struct drbg_state *drbg) 1612{ 1613 if (!IS_ERR_OR_NULL(drbg->jent)) 1614 crypto_free_rng(drbg->jent); 1615 drbg->jent = NULL; 1616 1617 if (drbg->d_ops) 1618 drbg->d_ops->crypto_fini(drbg); 1619 drbg_dealloc_state(drbg); 1620 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1621 return 0; 1622} 1623 1624/* 1625 * Helper function for setting the test data in the DRBG 1626 * 1627 * @drbg DRBG state handle 1628 * @data test data 1629 * @len test data length 1630 */ 1631static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1632 const u8 *data, unsigned int len) 1633{ 1634 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1635 1636 mutex_lock(&drbg->drbg_mutex); 1637 drbg_string_fill(&drbg->test_data, data, len); 1638 mutex_unlock(&drbg->drbg_mutex); 1639} 1640 1641/*************************************************************** 1642 * Kernel crypto API cipher invocations requested by DRBG 1643 ***************************************************************/ 1644 1645#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1646struct sdesc { 1647 struct shash_desc shash; 1648 char ctx[]; 1649}; 1650 1651static int drbg_init_hash_kernel(struct drbg_state *drbg) 1652{ 1653 struct sdesc *sdesc; 1654 struct crypto_shash *tfm; 1655 1656 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1657 if (IS_ERR(tfm)) { 1658 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1659 drbg->core->backend_cra_name); 1660 return PTR_ERR(tfm); 1661 } 1662 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1663 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1664 GFP_KERNEL); 1665 if (!sdesc) { 1666 crypto_free_shash(tfm); 1667 return -ENOMEM; 1668 } 1669 1670 sdesc->shash.tfm = tfm; 1671 drbg->priv_data = sdesc; 1672 1673 return crypto_shash_alignmask(tfm); 1674} 1675 1676static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1677{ 1678 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1679 if (sdesc) { 1680 crypto_free_shash(sdesc->shash.tfm); 1681 kfree_sensitive(sdesc); 1682 } 1683 drbg->priv_data = NULL; 1684 return 0; 1685} 1686 1687static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1688 const unsigned char *key) 1689{ 1690 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1691 1692 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1693} 1694 1695static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1696 const struct list_head *in) 1697{ 1698 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1699 struct drbg_string *input = NULL; 1700 1701 crypto_shash_init(&sdesc->shash); 1702 list_for_each_entry(input, in, list) 1703 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1704 return crypto_shash_final(&sdesc->shash, outval); 1705} 1706#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1707 1708#ifdef CONFIG_CRYPTO_DRBG_CTR 1709static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1710{ 1711 struct crypto_cipher *tfm = 1712 (struct crypto_cipher *)drbg->priv_data; 1713 if (tfm) 1714 crypto_free_cipher(tfm); 1715 drbg->priv_data = NULL; 1716 1717 if (drbg->ctr_handle) 1718 crypto_free_skcipher(drbg->ctr_handle); 1719 drbg->ctr_handle = NULL; 1720 1721 if (drbg->ctr_req) 1722 skcipher_request_free(drbg->ctr_req); 1723 drbg->ctr_req = NULL; 1724 1725 kfree(drbg->outscratchpadbuf); 1726 drbg->outscratchpadbuf = NULL; 1727 1728 return 0; 1729} 1730 1731static int drbg_init_sym_kernel(struct drbg_state *drbg) 1732{ 1733 struct crypto_cipher *tfm; 1734 struct crypto_skcipher *sk_tfm; 1735 struct skcipher_request *req; 1736 unsigned int alignmask; 1737 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1738 1739 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1740 if (IS_ERR(tfm)) { 1741 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1742 drbg->core->backend_cra_name); 1743 return PTR_ERR(tfm); 1744 } 1745 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1746 drbg->priv_data = tfm; 1747 1748 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1749 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1750 drbg_fini_sym_kernel(drbg); 1751 return -EINVAL; 1752 } 1753 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1754 if (IS_ERR(sk_tfm)) { 1755 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1756 ctr_name); 1757 drbg_fini_sym_kernel(drbg); 1758 return PTR_ERR(sk_tfm); 1759 } 1760 drbg->ctr_handle = sk_tfm; 1761 crypto_init_wait(&drbg->ctr_wait); 1762 1763 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1764 if (!req) { 1765 pr_info("DRBG: could not allocate request queue\n"); 1766 drbg_fini_sym_kernel(drbg); 1767 return -ENOMEM; 1768 } 1769 drbg->ctr_req = req; 1770 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1771 CRYPTO_TFM_REQ_MAY_SLEEP, 1772 crypto_req_done, &drbg->ctr_wait); 1773 1774 alignmask = crypto_skcipher_alignmask(sk_tfm); 1775 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1776 GFP_KERNEL); 1777 if (!drbg->outscratchpadbuf) { 1778 drbg_fini_sym_kernel(drbg); 1779 return -ENOMEM; 1780 } 1781 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1782 alignmask + 1); 1783 1784 sg_init_table(&drbg->sg_in, 1); 1785 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1786 1787 return alignmask; 1788} 1789 1790static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1791 const unsigned char *key) 1792{ 1793 struct crypto_cipher *tfm = 1794 (struct crypto_cipher *)drbg->priv_data; 1795 1796 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1797} 1798 1799static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1800 const struct drbg_string *in) 1801{ 1802 struct crypto_cipher *tfm = 1803 (struct crypto_cipher *)drbg->priv_data; 1804 1805 /* there is only component in *in */ 1806 BUG_ON(in->len < drbg_blocklen(drbg)); 1807 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1808 return 0; 1809} 1810 1811static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1812 u8 *inbuf, u32 inlen, 1813 u8 *outbuf, u32 outlen) 1814{ 1815 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1816 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1817 int ret; 1818 1819 if (inbuf) { 1820 /* Use caller-provided input buffer */ 1821 sg_set_buf(sg_in, inbuf, inlen); 1822 } else { 1823 /* Use scratchpad for in-place operation */ 1824 inlen = scratchpad_use; 1825 memset(drbg->outscratchpad, 0, scratchpad_use); 1826 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1827 } 1828 1829 while (outlen) { 1830 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1831 1832 /* Output buffer may not be valid for SGL, use scratchpad */ 1833 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1834 cryptlen, drbg->V); 1835 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1836 &drbg->ctr_wait); 1837 if (ret) 1838 goto out; 1839 1840 crypto_init_wait(&drbg->ctr_wait); 1841 1842 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1843 memzero_explicit(drbg->outscratchpad, cryptlen); 1844 1845 outlen -= cryptlen; 1846 outbuf += cryptlen; 1847 } 1848 ret = 0; 1849 1850out: 1851 return ret; 1852} 1853#endif /* CONFIG_CRYPTO_DRBG_CTR */ 1854 1855/*************************************************************** 1856 * Kernel crypto API interface to register DRBG 1857 ***************************************************************/ 1858 1859/* 1860 * Look up the DRBG flags by given kernel crypto API cra_name 1861 * The code uses the drbg_cores definition to do this 1862 * 1863 * @cra_name kernel crypto API cra_name 1864 * @coreref reference to integer which is filled with the pointer to 1865 * the applicable core 1866 * @pr reference for setting prediction resistance 1867 * 1868 * return: flags 1869 */ 1870static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1871 int *coreref, bool *pr) 1872{ 1873 int i = 0; 1874 size_t start = 0; 1875 int len = 0; 1876 1877 *pr = true; 1878 /* disassemble the names */ 1879 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1880 start = 10; 1881 *pr = false; 1882 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1883 start = 8; 1884 } else { 1885 return; 1886 } 1887 1888 /* remove the first part */ 1889 len = strlen(cra_driver_name) - start; 1890 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1891 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1892 len)) { 1893 *coreref = i; 1894 return; 1895 } 1896 } 1897} 1898 1899static int drbg_kcapi_init(struct crypto_tfm *tfm) 1900{ 1901 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1902 1903 mutex_init(&drbg->drbg_mutex); 1904 1905 return 0; 1906} 1907 1908static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1909{ 1910 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1911} 1912 1913/* 1914 * Generate random numbers invoked by the kernel crypto API: 1915 * The API of the kernel crypto API is extended as follows: 1916 * 1917 * src is additional input supplied to the RNG. 1918 * slen is the length of src. 1919 * dst is the output buffer where random data is to be stored. 1920 * dlen is the length of dst. 1921 */ 1922static int drbg_kcapi_random(struct crypto_rng *tfm, 1923 const u8 *src, unsigned int slen, 1924 u8 *dst, unsigned int dlen) 1925{ 1926 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1927 struct drbg_string *addtl = NULL; 1928 struct drbg_string string; 1929 1930 if (slen) { 1931 /* linked list variable is now local to allow modification */ 1932 drbg_string_fill(&string, src, slen); 1933 addtl = &string; 1934 } 1935 1936 return drbg_generate_long(drbg, dst, dlen, addtl); 1937} 1938 1939/* 1940 * Seed the DRBG invoked by the kernel crypto API 1941 */ 1942static int drbg_kcapi_seed(struct crypto_rng *tfm, 1943 const u8 *seed, unsigned int slen) 1944{ 1945 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1946 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1947 bool pr = false; 1948 struct drbg_string string; 1949 struct drbg_string *seed_string = NULL; 1950 int coreref = 0; 1951 1952 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1953 &pr); 1954 if (0 < slen) { 1955 drbg_string_fill(&string, seed, slen); 1956 seed_string = &string; 1957 } 1958 1959 return drbg_instantiate(drbg, seed_string, coreref, pr); 1960} 1961 1962/*************************************************************** 1963 * Kernel module: code to load the module 1964 ***************************************************************/ 1965 1966/* 1967 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1968 * of the error handling. 1969 * 1970 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1971 * as seed source of get_random_bytes does not fail. 1972 * 1973 * Note 2: There is no sensible way of testing the reseed counter 1974 * enforcement, so skip it. 1975 */ 1976static inline int __init drbg_healthcheck_sanity(void) 1977{ 1978 int len = 0; 1979#define OUTBUFLEN 16 1980 unsigned char buf[OUTBUFLEN]; 1981 struct drbg_state *drbg = NULL; 1982 int ret = -EFAULT; 1983 int rc = -EFAULT; 1984 bool pr = false; 1985 int coreref = 0; 1986 struct drbg_string addtl; 1987 size_t max_addtllen, max_request_bytes; 1988 1989 /* only perform test in FIPS mode */ 1990 if (!fips_enabled) 1991 return 0; 1992 1993#ifdef CONFIG_CRYPTO_DRBG_CTR 1994 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1995#elif defined CONFIG_CRYPTO_DRBG_HASH 1996 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1997#else 1998 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1999#endif 2000 2001 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 2002 if (!drbg) 2003 return -ENOMEM; 2004 2005 mutex_init(&drbg->drbg_mutex); 2006 drbg->core = &drbg_cores[coreref]; 2007 drbg->reseed_threshold = drbg_max_requests(drbg); 2008 2009 /* 2010 * if the following tests fail, it is likely that there is a buffer 2011 * overflow as buf is much smaller than the requested or provided 2012 * string lengths -- in case the error handling does not succeed 2013 * we may get an OOPS. And we want to get an OOPS as this is a 2014 * grave bug. 2015 */ 2016 2017 max_addtllen = drbg_max_addtl(drbg); 2018 max_request_bytes = drbg_max_request_bytes(drbg); 2019 drbg_string_fill(&addtl, buf, max_addtllen + 1); 2020 /* overflow addtllen with additonal info string */ 2021 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 2022 BUG_ON(0 < len); 2023 /* overflow max_bits */ 2024 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 2025 BUG_ON(0 < len); 2026 2027 /* overflow max addtllen with personalization string */ 2028 ret = drbg_seed(drbg, &addtl, false); 2029 BUG_ON(0 == ret); 2030 /* all tests passed */ 2031 rc = 0; 2032 2033 pr_devel("DRBG: Sanity tests for failure code paths successfully " 2034 "completed\n"); 2035 2036 kfree(drbg); 2037 return rc; 2038} 2039 2040static struct rng_alg drbg_algs[22]; 2041 2042/* 2043 * Fill the array drbg_algs used to register the different DRBGs 2044 * with the kernel crypto API. To fill the array, the information 2045 * from drbg_cores[] is used. 2046 */ 2047static inline void __init drbg_fill_array(struct rng_alg *alg, 2048 const struct drbg_core *core, int pr) 2049{ 2050 int pos = 0; 2051 static int priority = 200; 2052 2053 memcpy(alg->base.cra_name, "stdrng", 6); 2054 if (pr) { 2055 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 2056 pos = 8; 2057 } else { 2058 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 2059 pos = 10; 2060 } 2061 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2062 strlen(core->cra_name)); 2063 2064 alg->base.cra_priority = priority; 2065 priority++; 2066 /* 2067 * If FIPS mode enabled, the selected DRBG shall have the 2068 * highest cra_priority over other stdrng instances to ensure 2069 * it is selected. 2070 */ 2071 if (fips_enabled) 2072 alg->base.cra_priority += 200; 2073 2074 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2075 alg->base.cra_module = THIS_MODULE; 2076 alg->base.cra_init = drbg_kcapi_init; 2077 alg->base.cra_exit = drbg_kcapi_cleanup; 2078 alg->generate = drbg_kcapi_random; 2079 alg->seed = drbg_kcapi_seed; 2080 alg->set_ent = drbg_kcapi_set_entropy; 2081 alg->seedsize = 0; 2082} 2083 2084static int __init drbg_init(void) 2085{ 2086 unsigned int i = 0; /* pointer to drbg_algs */ 2087 unsigned int j = 0; /* pointer to drbg_cores */ 2088 int ret; 2089 2090 ret = drbg_healthcheck_sanity(); 2091 if (ret) 2092 return ret; 2093 2094 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2095 pr_info("DRBG: Cannot register all DRBG types" 2096 "(slots needed: %zu, slots available: %zu)\n", 2097 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2098 return -EFAULT; 2099 } 2100 2101 /* 2102 * each DRBG definition can be used with PR and without PR, thus 2103 * we instantiate each DRBG in drbg_cores[] twice. 2104 * 2105 * As the order of placing them into the drbg_algs array matters 2106 * (the later DRBGs receive a higher cra_priority) we register the 2107 * prediction resistance DRBGs first as the should not be too 2108 * interesting. 2109 */ 2110 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2111 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2112 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2113 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2114 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2115} 2116 2117static void __exit drbg_exit(void) 2118{ 2119 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2120} 2121 2122subsys_initcall(drbg_init); 2123module_exit(drbg_exit); 2124#ifndef CRYPTO_DRBG_HASH_STRING 2125#define CRYPTO_DRBG_HASH_STRING "" 2126#endif 2127#ifndef CRYPTO_DRBG_HMAC_STRING 2128#define CRYPTO_DRBG_HMAC_STRING "" 2129#endif 2130#ifndef CRYPTO_DRBG_CTR_STRING 2131#define CRYPTO_DRBG_CTR_STRING "" 2132#endif 2133MODULE_LICENSE("GPL"); 2134MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2135MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2136 "using following cores: " 2137 CRYPTO_DRBG_HASH_STRING 2138 CRYPTO_DRBG_HMAC_STRING 2139 CRYPTO_DRBG_CTR_STRING); 2140MODULE_ALIAS_CRYPTO("stdrng"); 2141