1541af946SStephan Mueller /* 2541af946SStephan Mueller * DRBG: Deterministic Random Bits Generator 3541af946SStephan Mueller * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4541af946SStephan Mueller * properties: 5541af946SStephan Mueller * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6541af946SStephan Mueller * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7541af946SStephan Mueller * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8541af946SStephan Mueller * * with and without prediction resistance 9541af946SStephan Mueller * 10541af946SStephan Mueller * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11541af946SStephan Mueller * 12541af946SStephan Mueller * Redistribution and use in source and binary forms, with or without 13541af946SStephan Mueller * modification, are permitted provided that the following conditions 14541af946SStephan Mueller * are met: 15541af946SStephan Mueller * 1. Redistributions of source code must retain the above copyright 16541af946SStephan Mueller * notice, and the entire permission notice in its entirety, 17541af946SStephan Mueller * including the disclaimer of warranties. 18541af946SStephan Mueller * 2. Redistributions in binary form must reproduce the above copyright 19541af946SStephan Mueller * notice, this list of conditions and the following disclaimer in the 20541af946SStephan Mueller * documentation and/or other materials provided with the distribution. 21541af946SStephan Mueller * 3. The name of the author may not be used to endorse or promote 22541af946SStephan Mueller * products derived from this software without specific prior 23541af946SStephan Mueller * written permission. 24541af946SStephan Mueller * 25541af946SStephan Mueller * ALTERNATIVELY, this product may be distributed under the terms of 26541af946SStephan Mueller * the GNU General Public License, in which case the provisions of the GPL are 27541af946SStephan Mueller * required INSTEAD OF the above restrictions. (This clause is 28541af946SStephan Mueller * necessary due to a potential bad interaction between the GPL and 29541af946SStephan Mueller * the restrictions contained in a BSD-style copyright.) 30541af946SStephan Mueller * 31541af946SStephan Mueller * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32541af946SStephan Mueller * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33541af946SStephan Mueller * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34541af946SStephan Mueller * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35541af946SStephan Mueller * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36541af946SStephan Mueller * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37541af946SStephan Mueller * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38541af946SStephan Mueller * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39541af946SStephan Mueller * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40541af946SStephan Mueller * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41541af946SStephan Mueller * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42541af946SStephan Mueller * DAMAGE. 43541af946SStephan Mueller * 44541af946SStephan Mueller * DRBG Usage 45541af946SStephan Mueller * ========== 46541af946SStephan Mueller * The SP 800-90A DRBG allows the user to specify a personalization string 47541af946SStephan Mueller * for initialization as well as an additional information string for each 48541af946SStephan Mueller * random number request. The following code fragments show how a caller 49541af946SStephan Mueller * uses the kernel crypto API to use the full functionality of the DRBG. 50541af946SStephan Mueller * 51541af946SStephan Mueller * Usage without any additional data 52541af946SStephan Mueller * --------------------------------- 53541af946SStephan Mueller * struct crypto_rng *drng; 54541af946SStephan Mueller * int err; 55541af946SStephan Mueller * char data[DATALEN]; 56541af946SStephan Mueller * 57541af946SStephan Mueller * drng = crypto_alloc_rng(drng_name, 0, 0); 58541af946SStephan Mueller * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59541af946SStephan Mueller * crypto_free_rng(drng); 60541af946SStephan Mueller * 61541af946SStephan Mueller * 62541af946SStephan Mueller * Usage with personalization string during initialization 63541af946SStephan Mueller * ------------------------------------------------------- 64541af946SStephan Mueller * struct crypto_rng *drng; 65541af946SStephan Mueller * int err; 66541af946SStephan Mueller * char data[DATALEN]; 67541af946SStephan Mueller * struct drbg_string pers; 68541af946SStephan Mueller * char personalization[11] = "some-string"; 69541af946SStephan Mueller * 70541af946SStephan Mueller * drbg_string_fill(&pers, personalization, strlen(personalization)); 71541af946SStephan Mueller * drng = crypto_alloc_rng(drng_name, 0, 0); 72541af946SStephan Mueller * // The reset completely re-initializes the DRBG with the provided 73541af946SStephan Mueller * // personalization string 74541af946SStephan Mueller * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75541af946SStephan Mueller * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76541af946SStephan Mueller * crypto_free_rng(drng); 77541af946SStephan Mueller * 78541af946SStephan Mueller * 79541af946SStephan Mueller * Usage with additional information string during random number request 80541af946SStephan Mueller * --------------------------------------------------------------------- 81541af946SStephan Mueller * struct crypto_rng *drng; 82541af946SStephan Mueller * int err; 83541af946SStephan Mueller * char data[DATALEN]; 84541af946SStephan Mueller * char addtl_string[11] = "some-string"; 85541af946SStephan Mueller * string drbg_string addtl; 86541af946SStephan Mueller * 87541af946SStephan Mueller * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88541af946SStephan Mueller * drng = crypto_alloc_rng(drng_name, 0, 0); 89541af946SStephan Mueller * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90541af946SStephan Mueller * // the same error codes. 91541af946SStephan Mueller * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92541af946SStephan Mueller * crypto_free_rng(drng); 93541af946SStephan Mueller * 94541af946SStephan Mueller * 95541af946SStephan Mueller * Usage with personalization and additional information strings 96541af946SStephan Mueller * ------------------------------------------------------------- 97541af946SStephan Mueller * Just mix both scenarios above. 98541af946SStephan Mueller */ 99541af946SStephan Mueller 100541af946SStephan Mueller #include <crypto/drbg.h> 10157225e67SStephan Mueller #include <linux/kernel.h> 102541af946SStephan Mueller 103541af946SStephan Mueller /*************************************************************** 104541af946SStephan Mueller * Backend cipher definitions available to DRBG 105541af946SStephan Mueller ***************************************************************/ 106541af946SStephan Mueller 107541af946SStephan Mueller /* 108541af946SStephan Mueller * The order of the DRBG definitions here matter: every DRBG is registered 109541af946SStephan Mueller * as stdrng. Each DRBG receives an increasing cra_priority values the later 110541af946SStephan Mueller * they are defined in this array (see drbg_fill_array). 111541af946SStephan Mueller * 112541af946SStephan Mueller * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and 113541af946SStephan Mueller * the SHA256 / AES 256 over other ciphers. Thus, the favored 114541af946SStephan Mueller * DRBGs are the latest entries in this array. 115541af946SStephan Mueller */ 116541af946SStephan Mueller static const struct drbg_core drbg_cores[] = { 117541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_CTR 118541af946SStephan Mueller { 119541af946SStephan Mueller .flags = DRBG_CTR | DRBG_STRENGTH128, 120541af946SStephan Mueller .statelen = 32, /* 256 bits as defined in 10.2.1 */ 121541af946SStephan Mueller .blocklen_bytes = 16, 122541af946SStephan Mueller .cra_name = "ctr_aes128", 12304bcbfcfSStephan Mueller .backend_cra_name = "aes", 124541af946SStephan Mueller }, { 125541af946SStephan Mueller .flags = DRBG_CTR | DRBG_STRENGTH192, 126541af946SStephan Mueller .statelen = 40, /* 320 bits as defined in 10.2.1 */ 127541af946SStephan Mueller .blocklen_bytes = 16, 128541af946SStephan Mueller .cra_name = "ctr_aes192", 12904bcbfcfSStephan Mueller .backend_cra_name = "aes", 130541af946SStephan Mueller }, { 131541af946SStephan Mueller .flags = DRBG_CTR | DRBG_STRENGTH256, 132541af946SStephan Mueller .statelen = 48, /* 384 bits as defined in 10.2.1 */ 133541af946SStephan Mueller .blocklen_bytes = 16, 134541af946SStephan Mueller .cra_name = "ctr_aes256", 13504bcbfcfSStephan Mueller .backend_cra_name = "aes", 136541af946SStephan Mueller }, 137541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_CTR */ 138541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_HASH 139541af946SStephan Mueller { 140541af946SStephan Mueller .flags = DRBG_HASH | DRBG_STRENGTH128, 141541af946SStephan Mueller .statelen = 55, /* 440 bits */ 142541af946SStephan Mueller .blocklen_bytes = 20, 143541af946SStephan Mueller .cra_name = "sha1", 144541af946SStephan Mueller .backend_cra_name = "sha1", 145541af946SStephan Mueller }, { 146541af946SStephan Mueller .flags = DRBG_HASH | DRBG_STRENGTH256, 147541af946SStephan Mueller .statelen = 111, /* 888 bits */ 148541af946SStephan Mueller .blocklen_bytes = 48, 149541af946SStephan Mueller .cra_name = "sha384", 150541af946SStephan Mueller .backend_cra_name = "sha384", 151541af946SStephan Mueller }, { 152541af946SStephan Mueller .flags = DRBG_HASH | DRBG_STRENGTH256, 153541af946SStephan Mueller .statelen = 111, /* 888 bits */ 154541af946SStephan Mueller .blocklen_bytes = 64, 155541af946SStephan Mueller .cra_name = "sha512", 156541af946SStephan Mueller .backend_cra_name = "sha512", 157541af946SStephan Mueller }, { 158541af946SStephan Mueller .flags = DRBG_HASH | DRBG_STRENGTH256, 159541af946SStephan Mueller .statelen = 55, /* 440 bits */ 160541af946SStephan Mueller .blocklen_bytes = 32, 161541af946SStephan Mueller .cra_name = "sha256", 162541af946SStephan Mueller .backend_cra_name = "sha256", 163541af946SStephan Mueller }, 164541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_HASH */ 165541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_HMAC 166541af946SStephan Mueller { 1675b635e28SStephan Mueller .flags = DRBG_HMAC | DRBG_STRENGTH128, 168541af946SStephan Mueller .statelen = 20, /* block length of cipher */ 169541af946SStephan Mueller .blocklen_bytes = 20, 170541af946SStephan Mueller .cra_name = "hmac_sha1", 171541af946SStephan Mueller .backend_cra_name = "hmac(sha1)", 172541af946SStephan Mueller }, { 173541af946SStephan Mueller .flags = DRBG_HMAC | DRBG_STRENGTH256, 174541af946SStephan Mueller .statelen = 48, /* block length of cipher */ 175541af946SStephan Mueller .blocklen_bytes = 48, 176541af946SStephan Mueller .cra_name = "hmac_sha384", 177541af946SStephan Mueller .backend_cra_name = "hmac(sha384)", 178541af946SStephan Mueller }, { 179541af946SStephan Mueller .flags = DRBG_HMAC | DRBG_STRENGTH256, 180541af946SStephan Mueller .statelen = 64, /* block length of cipher */ 181541af946SStephan Mueller .blocklen_bytes = 64, 182541af946SStephan Mueller .cra_name = "hmac_sha512", 183541af946SStephan Mueller .backend_cra_name = "hmac(sha512)", 184541af946SStephan Mueller }, { 185541af946SStephan Mueller .flags = DRBG_HMAC | DRBG_STRENGTH256, 186541af946SStephan Mueller .statelen = 32, /* block length of cipher */ 187541af946SStephan Mueller .blocklen_bytes = 32, 188541af946SStephan Mueller .cra_name = "hmac_sha256", 189541af946SStephan Mueller .backend_cra_name = "hmac(sha256)", 190541af946SStephan Mueller }, 191541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 192541af946SStephan Mueller }; 193541af946SStephan Mueller 19457225e67SStephan Mueller static int drbg_uninstantiate(struct drbg_state *drbg); 19557225e67SStephan Mueller 196541af946SStephan Mueller /****************************************************************** 197541af946SStephan Mueller * Generic helper functions 198541af946SStephan Mueller ******************************************************************/ 199541af946SStephan Mueller 200541af946SStephan Mueller /* 201541af946SStephan Mueller * Return strength of DRBG according to SP800-90A section 8.4 202541af946SStephan Mueller * 203541af946SStephan Mueller * @flags DRBG flags reference 204541af946SStephan Mueller * 205541af946SStephan Mueller * Return: normalized strength in *bytes* value or 32 as default 206541af946SStephan Mueller * to counter programming errors 207541af946SStephan Mueller */ 208541af946SStephan Mueller static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 209541af946SStephan Mueller { 210541af946SStephan Mueller switch (flags & DRBG_STRENGTH_MASK) { 211541af946SStephan Mueller case DRBG_STRENGTH128: 212541af946SStephan Mueller return 16; 213541af946SStephan Mueller case DRBG_STRENGTH192: 214541af946SStephan Mueller return 24; 215541af946SStephan Mueller case DRBG_STRENGTH256: 216541af946SStephan Mueller return 32; 217541af946SStephan Mueller default: 218541af946SStephan Mueller return 32; 219541af946SStephan Mueller } 220541af946SStephan Mueller } 221541af946SStephan Mueller 222541af946SStephan Mueller /* 223541af946SStephan Mueller * FIPS 140-2 continuous self test 224541af946SStephan Mueller * The test is performed on the result of one round of the output 225541af946SStephan Mueller * function. Thus, the function implicitly knows the size of the 226541af946SStephan Mueller * buffer. 227541af946SStephan Mueller * 228541af946SStephan Mueller * @drbg DRBG handle 229541af946SStephan Mueller * @buf output buffer of random data to be checked 230541af946SStephan Mueller * 231541af946SStephan Mueller * return: 232541af946SStephan Mueller * true on success 233541af946SStephan Mueller * false on error 234541af946SStephan Mueller */ 235541af946SStephan Mueller static bool drbg_fips_continuous_test(struct drbg_state *drbg, 236541af946SStephan Mueller const unsigned char *buf) 237541af946SStephan Mueller { 238541af946SStephan Mueller #ifdef CONFIG_CRYPTO_FIPS 239541af946SStephan Mueller int ret = 0; 240541af946SStephan Mueller /* skip test if we test the overall system */ 2418fded592SHerbert Xu if (list_empty(&drbg->test_data.list)) 242541af946SStephan Mueller return true; 243541af946SStephan Mueller /* only perform test in FIPS mode */ 244541af946SStephan Mueller if (0 == fips_enabled) 245541af946SStephan Mueller return true; 246541af946SStephan Mueller if (!drbg->fips_primed) { 247541af946SStephan Mueller /* Priming of FIPS test */ 248541af946SStephan Mueller memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 249541af946SStephan Mueller drbg->fips_primed = true; 250541af946SStephan Mueller /* return false due to priming, i.e. another round is needed */ 251541af946SStephan Mueller return false; 252541af946SStephan Mueller } 253541af946SStephan Mueller ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg)); 254905b42e5SStephan Mueller if (!ret) 255905b42e5SStephan Mueller panic("DRBG continuous self test failed\n"); 256541af946SStephan Mueller memcpy(drbg->prev, buf, drbg_blocklen(drbg)); 257541af946SStephan Mueller /* the test shall pass when the two compared values are not equal */ 258541af946SStephan Mueller return ret != 0; 259541af946SStephan Mueller #else 260541af946SStephan Mueller return true; 261541af946SStephan Mueller #endif /* CONFIG_CRYPTO_FIPS */ 262541af946SStephan Mueller } 263541af946SStephan Mueller 264541af946SStephan Mueller /* 265541af946SStephan Mueller * Convert an integer into a byte representation of this integer. 266541af946SStephan Mueller * The byte representation is big-endian 267541af946SStephan Mueller * 268541af946SStephan Mueller * @val value to be converted 26972f3e00dSStephan Mueller * @buf buffer holding the converted integer -- caller must ensure that 27072f3e00dSStephan Mueller * buffer size is at least 32 bit 271541af946SStephan Mueller */ 272541af946SStephan Mueller #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 27372f3e00dSStephan Mueller static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 274541af946SStephan Mueller { 27572f3e00dSStephan Mueller struct s { 2767c8ae03fSStephan Mueller __be32 conv; 27772f3e00dSStephan Mueller }; 27872f3e00dSStephan Mueller struct s *conversion = (struct s *) buf; 279541af946SStephan Mueller 28072f3e00dSStephan Mueller conversion->conv = cpu_to_be32(val); 281541af946SStephan Mueller } 282541af946SStephan Mueller #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 283541af946SStephan Mueller 284541af946SStephan Mueller /****************************************************************** 285541af946SStephan Mueller * CTR DRBG callback functions 286541af946SStephan Mueller ******************************************************************/ 287541af946SStephan Mueller 288541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_CTR 289e25e47ecSStephan Mueller #define CRYPTO_DRBG_CTR_STRING "CTR " 2900653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 2910653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 2920653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 2930653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 2940653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 2950653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 29662b62b6eSStephan Mueller 297541af946SStephan Mueller static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 298541af946SStephan Mueller unsigned char *outval, const struct drbg_string *in); 299541af946SStephan Mueller static int drbg_init_sym_kernel(struct drbg_state *drbg); 300541af946SStephan Mueller static int drbg_fini_sym_kernel(struct drbg_state *drbg); 301541af946SStephan Mueller 302541af946SStephan Mueller /* BCC function for CTR DRBG as defined in 10.4.3 */ 303541af946SStephan Mueller static int drbg_ctr_bcc(struct drbg_state *drbg, 304541af946SStephan Mueller unsigned char *out, const unsigned char *key, 3058c987166SStephan Mueller struct list_head *in) 306541af946SStephan Mueller { 3078c987166SStephan Mueller int ret = 0; 3088c987166SStephan Mueller struct drbg_string *curr = NULL; 309541af946SStephan Mueller struct drbg_string data; 3108c987166SStephan Mueller short cnt = 0; 311541af946SStephan Mueller 312541af946SStephan Mueller drbg_string_fill(&data, out, drbg_blocklen(drbg)); 313541af946SStephan Mueller 314541af946SStephan Mueller /* 10.4.3 step 2 / 4 */ 3158c987166SStephan Mueller list_for_each_entry(curr, in, list) { 3168c987166SStephan Mueller const unsigned char *pos = curr->buf; 3178c987166SStephan Mueller size_t len = curr->len; 318541af946SStephan Mueller /* 10.4.3 step 4.1 */ 3198c987166SStephan Mueller while (len) { 320541af946SStephan Mueller /* 10.4.3 step 4.2 */ 3218c987166SStephan Mueller if (drbg_blocklen(drbg) == cnt) { 3228c987166SStephan Mueller cnt = 0; 323541af946SStephan Mueller ret = drbg_kcapi_sym(drbg, key, out, &data); 324541af946SStephan Mueller if (ret) 325541af946SStephan Mueller return ret; 326541af946SStephan Mueller } 3278c987166SStephan Mueller out[cnt] ^= *pos; 3288c987166SStephan Mueller pos++; 3298c987166SStephan Mueller cnt++; 3308c987166SStephan Mueller len--; 3318c987166SStephan Mueller } 3328c987166SStephan Mueller } 3338c987166SStephan Mueller /* 10.4.3 step 4.2 for last block */ 3348c987166SStephan Mueller if (cnt) 3358c987166SStephan Mueller ret = drbg_kcapi_sym(drbg, key, out, &data); 3368c987166SStephan Mueller 3378c987166SStephan Mueller return ret; 338541af946SStephan Mueller } 339541af946SStephan Mueller 340541af946SStephan Mueller /* 341541af946SStephan Mueller * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 342541af946SStephan Mueller * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 343541af946SStephan Mueller * the scratchpad is used as follows: 344541af946SStephan Mueller * drbg_ctr_update: 345541af946SStephan Mueller * temp 346541af946SStephan Mueller * start: drbg->scratchpad 347541af946SStephan Mueller * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 348541af946SStephan Mueller * note: the cipher writing into this variable works 349541af946SStephan Mueller * blocklen-wise. Now, when the statelen is not a multiple 350541af946SStephan Mueller * of blocklen, the generateion loop below "spills over" 351541af946SStephan Mueller * by at most blocklen. Thus, we need to give sufficient 352541af946SStephan Mueller * memory. 353541af946SStephan Mueller * df_data 354541af946SStephan Mueller * start: drbg->scratchpad + 355541af946SStephan Mueller * drbg_statelen(drbg) + drbg_blocklen(drbg) 356541af946SStephan Mueller * length: drbg_statelen(drbg) 357541af946SStephan Mueller * 358541af946SStephan Mueller * drbg_ctr_df: 359541af946SStephan Mueller * pad 360541af946SStephan Mueller * start: df_data + drbg_statelen(drbg) 361541af946SStephan Mueller * length: drbg_blocklen(drbg) 362541af946SStephan Mueller * iv 363541af946SStephan Mueller * start: pad + drbg_blocklen(drbg) 364541af946SStephan Mueller * length: drbg_blocklen(drbg) 365541af946SStephan Mueller * temp 366541af946SStephan Mueller * start: iv + drbg_blocklen(drbg) 3678fecaad7SStephan Mueller * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 3688fecaad7SStephan Mueller * note: temp is the buffer that the BCC function operates 3698fecaad7SStephan Mueller * on. BCC operates blockwise. drbg_statelen(drbg) 3708fecaad7SStephan Mueller * is sufficient when the DRBG state length is a multiple 3718fecaad7SStephan Mueller * of the block size. For AES192 (and maybe other ciphers) 3728fecaad7SStephan Mueller * this is not correct and the length for temp is 3738fecaad7SStephan Mueller * insufficient (yes, that also means for such ciphers, 3748fecaad7SStephan Mueller * the final output of all BCC rounds are truncated). 3758fecaad7SStephan Mueller * Therefore, add drbg_blocklen(drbg) to cover all 3768fecaad7SStephan Mueller * possibilities. 377541af946SStephan Mueller */ 378541af946SStephan Mueller 379541af946SStephan Mueller /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 380541af946SStephan Mueller static int drbg_ctr_df(struct drbg_state *drbg, 381541af946SStephan Mueller unsigned char *df_data, size_t bytes_to_return, 3828c987166SStephan Mueller struct list_head *seedlist) 383541af946SStephan Mueller { 384541af946SStephan Mueller int ret = -EFAULT; 385541af946SStephan Mueller unsigned char L_N[8]; 386541af946SStephan Mueller /* S3 is input */ 387541af946SStephan Mueller struct drbg_string S1, S2, S4, cipherin; 3888c987166SStephan Mueller LIST_HEAD(bcc_list); 389541af946SStephan Mueller unsigned char *pad = df_data + drbg_statelen(drbg); 390541af946SStephan Mueller unsigned char *iv = pad + drbg_blocklen(drbg); 391541af946SStephan Mueller unsigned char *temp = iv + drbg_blocklen(drbg); 392541af946SStephan Mueller size_t padlen = 0; 393541af946SStephan Mueller unsigned int templen = 0; 394541af946SStephan Mueller /* 10.4.2 step 7 */ 395541af946SStephan Mueller unsigned int i = 0; 396541af946SStephan Mueller /* 10.4.2 step 8 */ 397541af946SStephan Mueller const unsigned char *K = (unsigned char *) 398541af946SStephan Mueller "\x00\x01\x02\x03\x04\x05\x06\x07" 399541af946SStephan Mueller "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 400541af946SStephan Mueller "\x10\x11\x12\x13\x14\x15\x16\x17" 401541af946SStephan Mueller "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 402541af946SStephan Mueller unsigned char *X; 403541af946SStephan Mueller size_t generated_len = 0; 404541af946SStephan Mueller size_t inputlen = 0; 4058c987166SStephan Mueller struct drbg_string *seed = NULL; 406541af946SStephan Mueller 407541af946SStephan Mueller memset(pad, 0, drbg_blocklen(drbg)); 408541af946SStephan Mueller memset(iv, 0, drbg_blocklen(drbg)); 409541af946SStephan Mueller 410541af946SStephan Mueller /* 10.4.2 step 1 is implicit as we work byte-wise */ 411541af946SStephan Mueller 412541af946SStephan Mueller /* 10.4.2 step 2 */ 413541af946SStephan Mueller if ((512/8) < bytes_to_return) 414541af946SStephan Mueller return -EINVAL; 415541af946SStephan Mueller 416541af946SStephan Mueller /* 10.4.2 step 2 -- calculate the entire length of all input data */ 4178c987166SStephan Mueller list_for_each_entry(seed, seedlist, list) 4188c987166SStephan Mueller inputlen += seed->len; 41972f3e00dSStephan Mueller drbg_cpu_to_be32(inputlen, &L_N[0]); 420541af946SStephan Mueller 421541af946SStephan Mueller /* 10.4.2 step 3 */ 42272f3e00dSStephan Mueller drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 423541af946SStephan Mueller 424541af946SStephan Mueller /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 425541af946SStephan Mueller padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 426541af946SStephan Mueller /* wrap the padlen appropriately */ 427541af946SStephan Mueller if (padlen) 428541af946SStephan Mueller padlen = drbg_blocklen(drbg) - padlen; 429541af946SStephan Mueller /* 430541af946SStephan Mueller * pad / padlen contains the 0x80 byte and the following zero bytes. 431541af946SStephan Mueller * As the calculated padlen value only covers the number of zero 432541af946SStephan Mueller * bytes, this value has to be incremented by one for the 0x80 byte. 433541af946SStephan Mueller */ 434541af946SStephan Mueller padlen++; 435541af946SStephan Mueller pad[0] = 0x80; 436541af946SStephan Mueller 437541af946SStephan Mueller /* 10.4.2 step 4 -- first fill the linked list and then order it */ 438541af946SStephan Mueller drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 4398c987166SStephan Mueller list_add_tail(&S1.list, &bcc_list); 440541af946SStephan Mueller drbg_string_fill(&S2, L_N, sizeof(L_N)); 4418c987166SStephan Mueller list_add_tail(&S2.list, &bcc_list); 4428c987166SStephan Mueller list_splice_tail(seedlist, &bcc_list); 443541af946SStephan Mueller drbg_string_fill(&S4, pad, padlen); 4448c987166SStephan Mueller list_add_tail(&S4.list, &bcc_list); 445541af946SStephan Mueller 446541af946SStephan Mueller /* 10.4.2 step 9 */ 447541af946SStephan Mueller while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 448541af946SStephan Mueller /* 449541af946SStephan Mueller * 10.4.2 step 9.1 - the padding is implicit as the buffer 450541af946SStephan Mueller * holds zeros after allocation -- even the increment of i 451541af946SStephan Mueller * is irrelevant as the increment remains within length of i 452541af946SStephan Mueller */ 45372f3e00dSStephan Mueller drbg_cpu_to_be32(i, iv); 454541af946SStephan Mueller /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 4558c987166SStephan Mueller ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 456541af946SStephan Mueller if (ret) 457541af946SStephan Mueller goto out; 458541af946SStephan Mueller /* 10.4.2 step 9.3 */ 459541af946SStephan Mueller i++; 460541af946SStephan Mueller templen += drbg_blocklen(drbg); 461541af946SStephan Mueller } 462541af946SStephan Mueller 463541af946SStephan Mueller /* 10.4.2 step 11 */ 464541af946SStephan Mueller X = temp + (drbg_keylen(drbg)); 465541af946SStephan Mueller drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 466541af946SStephan Mueller 467541af946SStephan Mueller /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 468541af946SStephan Mueller 469541af946SStephan Mueller /* 10.4.2 step 13 */ 470541af946SStephan Mueller while (generated_len < bytes_to_return) { 471541af946SStephan Mueller short blocklen = 0; 472541af946SStephan Mueller /* 473541af946SStephan Mueller * 10.4.2 step 13.1: the truncation of the key length is 474541af946SStephan Mueller * implicit as the key is only drbg_blocklen in size based on 475541af946SStephan Mueller * the implementation of the cipher function callback 476541af946SStephan Mueller */ 477541af946SStephan Mueller ret = drbg_kcapi_sym(drbg, temp, X, &cipherin); 478541af946SStephan Mueller if (ret) 479541af946SStephan Mueller goto out; 480541af946SStephan Mueller blocklen = (drbg_blocklen(drbg) < 481541af946SStephan Mueller (bytes_to_return - generated_len)) ? 482541af946SStephan Mueller drbg_blocklen(drbg) : 483541af946SStephan Mueller (bytes_to_return - generated_len); 484541af946SStephan Mueller /* 10.4.2 step 13.2 and 14 */ 485541af946SStephan Mueller memcpy(df_data + generated_len, X, blocklen); 486541af946SStephan Mueller generated_len += blocklen; 487541af946SStephan Mueller } 488541af946SStephan Mueller 489541af946SStephan Mueller ret = 0; 490541af946SStephan Mueller 491541af946SStephan Mueller out: 4921471f09fSHerbert Xu memset(iv, 0, drbg_blocklen(drbg)); 4938e0498d9SStephan Mueller memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 4941471f09fSHerbert Xu memset(pad, 0, drbg_blocklen(drbg)); 495541af946SStephan Mueller return ret; 496541af946SStephan Mueller } 497541af946SStephan Mueller 49872e7c25aSStephan Mueller /* 49972e7c25aSStephan Mueller * update function of CTR DRBG as defined in 10.2.1.2 50072e7c25aSStephan Mueller * 50172e7c25aSStephan Mueller * The reseed variable has an enhanced meaning compared to the update 50272e7c25aSStephan Mueller * functions of the other DRBGs as follows: 50372e7c25aSStephan Mueller * 0 => initial seed from initialization 50472e7c25aSStephan Mueller * 1 => reseed via drbg_seed 50572e7c25aSStephan Mueller * 2 => first invocation from drbg_ctr_update when addtl is present. In 50672e7c25aSStephan Mueller * this case, the df_data scratchpad is not deleted so that it is 50772e7c25aSStephan Mueller * available for another calls to prevent calling the DF function 50872e7c25aSStephan Mueller * again. 50972e7c25aSStephan Mueller * 3 => second invocation from drbg_ctr_update. When the update function 51072e7c25aSStephan Mueller * was called with addtl, the df_data memory already contains the 51172e7c25aSStephan Mueller * DFed addtl information and we do not need to call DF again. 51272e7c25aSStephan Mueller */ 5138c987166SStephan Mueller static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 5148c987166SStephan Mueller int reseed) 515541af946SStephan Mueller { 516541af946SStephan Mueller int ret = -EFAULT; 517541af946SStephan Mueller /* 10.2.1.2 step 1 */ 518541af946SStephan Mueller unsigned char *temp = drbg->scratchpad; 519541af946SStephan Mueller unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 520541af946SStephan Mueller drbg_blocklen(drbg); 521541af946SStephan Mueller unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */ 522541af946SStephan Mueller unsigned int len = 0; 523541af946SStephan Mueller struct drbg_string cipherin; 524541af946SStephan Mueller 52572e7c25aSStephan Mueller if (3 > reseed) 526541af946SStephan Mueller memset(df_data, 0, drbg_statelen(drbg)); 527541af946SStephan Mueller 528541af946SStephan Mueller /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 5298c987166SStephan Mueller if (seed) { 5308c987166SStephan Mueller ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 531541af946SStephan Mueller if (ret) 532541af946SStephan Mueller goto out; 533541af946SStephan Mueller } 534541af946SStephan Mueller 535541af946SStephan Mueller drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg)); 536541af946SStephan Mueller /* 537541af946SStephan Mueller * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation 538541af946SStephan Mueller * zeroizes all memory during initialization 539541af946SStephan Mueller */ 540541af946SStephan Mueller while (len < (drbg_statelen(drbg))) { 541541af946SStephan Mueller /* 10.2.1.2 step 2.1 */ 54241a84982SStephan Mueller crypto_inc(drbg->V, drbg_blocklen(drbg)); 543541af946SStephan Mueller /* 544541af946SStephan Mueller * 10.2.1.2 step 2.2 */ 545541af946SStephan Mueller ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin); 546541af946SStephan Mueller if (ret) 547541af946SStephan Mueller goto out; 548541af946SStephan Mueller /* 10.2.1.2 step 2.3 and 3 */ 549541af946SStephan Mueller len += drbg_blocklen(drbg); 550541af946SStephan Mueller } 551541af946SStephan Mueller 552541af946SStephan Mueller /* 10.2.1.2 step 4 */ 553541af946SStephan Mueller temp_p = temp; 554541af946SStephan Mueller df_data_p = df_data; 555541af946SStephan Mueller for (len = 0; len < drbg_statelen(drbg); len++) { 556541af946SStephan Mueller *temp_p ^= *df_data_p; 557541af946SStephan Mueller df_data_p++; temp_p++; 558541af946SStephan Mueller } 559541af946SStephan Mueller 560541af946SStephan Mueller /* 10.2.1.2 step 5 */ 561541af946SStephan Mueller memcpy(drbg->C, temp, drbg_keylen(drbg)); 562541af946SStephan Mueller /* 10.2.1.2 step 6 */ 563541af946SStephan Mueller memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 564541af946SStephan Mueller ret = 0; 565541af946SStephan Mueller 566541af946SStephan Mueller out: 5671471f09fSHerbert Xu memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 56872e7c25aSStephan Mueller if (2 != reseed) 5691471f09fSHerbert Xu memset(df_data, 0, drbg_statelen(drbg)); 570541af946SStephan Mueller return ret; 571541af946SStephan Mueller } 572541af946SStephan Mueller 573541af946SStephan Mueller /* 574541af946SStephan Mueller * scratchpad use: drbg_ctr_update is called independently from 575541af946SStephan Mueller * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 576541af946SStephan Mueller */ 577541af946SStephan Mueller /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 578541af946SStephan Mueller static int drbg_ctr_generate(struct drbg_state *drbg, 579541af946SStephan Mueller unsigned char *buf, unsigned int buflen, 58027e4de2bSStephan Mueller struct list_head *addtl) 581541af946SStephan Mueller { 582541af946SStephan Mueller int len = 0; 583541af946SStephan Mueller int ret = 0; 584541af946SStephan Mueller struct drbg_string data; 585541af946SStephan Mueller 586541af946SStephan Mueller /* 10.2.1.5.2 step 2 */ 58727e4de2bSStephan Mueller if (addtl && !list_empty(addtl)) { 58827e4de2bSStephan Mueller ret = drbg_ctr_update(drbg, addtl, 2); 589541af946SStephan Mueller if (ret) 590541af946SStephan Mueller return 0; 591541af946SStephan Mueller } 592541af946SStephan Mueller 593541af946SStephan Mueller /* 10.2.1.5.2 step 4.1 */ 59441a84982SStephan Mueller crypto_inc(drbg->V, drbg_blocklen(drbg)); 595541af946SStephan Mueller drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg)); 596541af946SStephan Mueller while (len < buflen) { 597541af946SStephan Mueller int outlen = 0; 598541af946SStephan Mueller /* 10.2.1.5.2 step 4.2 */ 599541af946SStephan Mueller ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data); 600541af946SStephan Mueller if (ret) { 601541af946SStephan Mueller len = ret; 602541af946SStephan Mueller goto out; 603541af946SStephan Mueller } 604541af946SStephan Mueller outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 605541af946SStephan Mueller drbg_blocklen(drbg) : (buflen - len); 606541af946SStephan Mueller if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) { 607541af946SStephan Mueller /* 10.2.1.5.2 step 6 */ 60841a84982SStephan Mueller crypto_inc(drbg->V, drbg_blocklen(drbg)); 609541af946SStephan Mueller continue; 610541af946SStephan Mueller } 611541af946SStephan Mueller /* 10.2.1.5.2 step 4.3 */ 612541af946SStephan Mueller memcpy(buf + len, drbg->scratchpad, outlen); 613541af946SStephan Mueller len += outlen; 614541af946SStephan Mueller /* 10.2.1.5.2 step 6 */ 615541af946SStephan Mueller if (len < buflen) 61641a84982SStephan Mueller crypto_inc(drbg->V, drbg_blocklen(drbg)); 617541af946SStephan Mueller } 618541af946SStephan Mueller 61972e7c25aSStephan Mueller /* 10.2.1.5.2 step 6 */ 62072e7c25aSStephan Mueller ret = drbg_ctr_update(drbg, NULL, 3); 621541af946SStephan Mueller if (ret) 622541af946SStephan Mueller len = ret; 623541af946SStephan Mueller 624541af946SStephan Mueller out: 6251471f09fSHerbert Xu memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 626541af946SStephan Mueller return len; 627541af946SStephan Mueller } 628541af946SStephan Mueller 629541af946SStephan Mueller static struct drbg_state_ops drbg_ctr_ops = { 630541af946SStephan Mueller .update = drbg_ctr_update, 631541af946SStephan Mueller .generate = drbg_ctr_generate, 632541af946SStephan Mueller .crypto_init = drbg_init_sym_kernel, 633541af946SStephan Mueller .crypto_fini = drbg_fini_sym_kernel, 634541af946SStephan Mueller }; 635541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_CTR */ 636541af946SStephan Mueller 637541af946SStephan Mueller /****************************************************************** 638541af946SStephan Mueller * HMAC DRBG callback functions 639541af946SStephan Mueller ******************************************************************/ 640541af946SStephan Mueller 641541af946SStephan Mueller #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 642541af946SStephan Mueller static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 6438c987166SStephan Mueller unsigned char *outval, const struct list_head *in); 644541af946SStephan Mueller static int drbg_init_hash_kernel(struct drbg_state *drbg); 645541af946SStephan Mueller static int drbg_fini_hash_kernel(struct drbg_state *drbg); 646541af946SStephan Mueller #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 647541af946SStephan Mueller 648541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_HMAC 649e25e47ecSStephan Mueller #define CRYPTO_DRBG_HMAC_STRING "HMAC " 6500653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 6510653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 6520653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 6530653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 6540653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 6550653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 6560653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1"); 6570653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1"); 65862b62b6eSStephan Mueller 659541af946SStephan Mueller /* update function of HMAC DRBG as defined in 10.1.2.2 */ 6608c987166SStephan Mueller static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 6618c987166SStephan Mueller int reseed) 662541af946SStephan Mueller { 663541af946SStephan Mueller int ret = -EFAULT; 664541af946SStephan Mueller int i = 0; 6658c987166SStephan Mueller struct drbg_string seed1, seed2, vdata; 6668c987166SStephan Mueller LIST_HEAD(seedlist); 6678c987166SStephan Mueller LIST_HEAD(vdatalist); 668541af946SStephan Mueller 669f072f0e0SStephan Mueller if (!reseed) 670f072f0e0SStephan Mueller /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 671541af946SStephan Mueller memset(drbg->V, 1, drbg_statelen(drbg)); 672541af946SStephan Mueller 673541af946SStephan Mueller drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 6748c987166SStephan Mueller list_add_tail(&seed1.list, &seedlist); 675541af946SStephan Mueller /* buffer of seed2 will be filled in for loop below with one byte */ 676541af946SStephan Mueller drbg_string_fill(&seed2, NULL, 1); 6778c987166SStephan Mueller list_add_tail(&seed2.list, &seedlist); 678541af946SStephan Mueller /* input data of seed is allowed to be NULL at this point */ 6798c987166SStephan Mueller if (seed) 6808c987166SStephan Mueller list_splice_tail(seed, &seedlist); 681541af946SStephan Mueller 6828c987166SStephan Mueller drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 6838c987166SStephan Mueller list_add_tail(&vdata.list, &vdatalist); 684541af946SStephan Mueller for (i = 2; 0 < i; i--) { 685541af946SStephan Mueller /* first round uses 0x0, second 0x1 */ 686541af946SStephan Mueller unsigned char prefix = DRBG_PREFIX0; 687541af946SStephan Mueller if (1 == i) 688541af946SStephan Mueller prefix = DRBG_PREFIX1; 689541af946SStephan Mueller /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 690541af946SStephan Mueller seed2.buf = &prefix; 6918c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist); 692541af946SStephan Mueller if (ret) 693541af946SStephan Mueller return ret; 694541af946SStephan Mueller 695541af946SStephan Mueller /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 6968c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist); 697541af946SStephan Mueller if (ret) 698541af946SStephan Mueller return ret; 699541af946SStephan Mueller 700541af946SStephan Mueller /* 10.1.2.2 step 3 */ 7018c987166SStephan Mueller if (!seed) 702541af946SStephan Mueller return ret; 703541af946SStephan Mueller } 704541af946SStephan Mueller 705541af946SStephan Mueller return 0; 706541af946SStephan Mueller } 707541af946SStephan Mueller 708541af946SStephan Mueller /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 709541af946SStephan Mueller static int drbg_hmac_generate(struct drbg_state *drbg, 710541af946SStephan Mueller unsigned char *buf, 711541af946SStephan Mueller unsigned int buflen, 71227e4de2bSStephan Mueller struct list_head *addtl) 713541af946SStephan Mueller { 714541af946SStephan Mueller int len = 0; 715541af946SStephan Mueller int ret = 0; 716541af946SStephan Mueller struct drbg_string data; 7178c987166SStephan Mueller LIST_HEAD(datalist); 718541af946SStephan Mueller 719541af946SStephan Mueller /* 10.1.2.5 step 2 */ 72027e4de2bSStephan Mueller if (addtl && !list_empty(addtl)) { 72127e4de2bSStephan Mueller ret = drbg_hmac_update(drbg, addtl, 1); 722541af946SStephan Mueller if (ret) 723541af946SStephan Mueller return ret; 724541af946SStephan Mueller } 725541af946SStephan Mueller 726541af946SStephan Mueller drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 7278c987166SStephan Mueller list_add_tail(&data.list, &datalist); 728541af946SStephan Mueller while (len < buflen) { 729541af946SStephan Mueller unsigned int outlen = 0; 730541af946SStephan Mueller /* 10.1.2.5 step 4.1 */ 7318c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist); 732541af946SStephan Mueller if (ret) 733541af946SStephan Mueller return ret; 734541af946SStephan Mueller outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 735541af946SStephan Mueller drbg_blocklen(drbg) : (buflen - len); 736541af946SStephan Mueller if (!drbg_fips_continuous_test(drbg, drbg->V)) 737541af946SStephan Mueller continue; 738541af946SStephan Mueller 739541af946SStephan Mueller /* 10.1.2.5 step 4.2 */ 740541af946SStephan Mueller memcpy(buf + len, drbg->V, outlen); 741541af946SStephan Mueller len += outlen; 742541af946SStephan Mueller } 743541af946SStephan Mueller 744541af946SStephan Mueller /* 10.1.2.5 step 6 */ 74527e4de2bSStephan Mueller if (addtl && !list_empty(addtl)) 74627e4de2bSStephan Mueller ret = drbg_hmac_update(drbg, addtl, 1); 74727e4de2bSStephan Mueller else 7488c987166SStephan Mueller ret = drbg_hmac_update(drbg, NULL, 1); 749541af946SStephan Mueller if (ret) 750541af946SStephan Mueller return ret; 751541af946SStephan Mueller 752541af946SStephan Mueller return len; 753541af946SStephan Mueller } 754541af946SStephan Mueller 755541af946SStephan Mueller static struct drbg_state_ops drbg_hmac_ops = { 756541af946SStephan Mueller .update = drbg_hmac_update, 757541af946SStephan Mueller .generate = drbg_hmac_generate, 758541af946SStephan Mueller .crypto_init = drbg_init_hash_kernel, 759541af946SStephan Mueller .crypto_fini = drbg_fini_hash_kernel, 760541af946SStephan Mueller }; 761541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 762541af946SStephan Mueller 763541af946SStephan Mueller /****************************************************************** 764541af946SStephan Mueller * Hash DRBG callback functions 765541af946SStephan Mueller ******************************************************************/ 766541af946SStephan Mueller 767541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_HASH 768e25e47ecSStephan Mueller #define CRYPTO_DRBG_HASH_STRING "HASH " 7690653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 7700653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 7710653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 7720653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 7730653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 7740653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 7750653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_pr_sha1"); 7760653a7cfSStephan Mueller MODULE_ALIAS_CRYPTO("drbg_nopr_sha1"); 77762b62b6eSStephan Mueller 778541af946SStephan Mueller /* 77941a84982SStephan Mueller * Increment buffer 78041a84982SStephan Mueller * 78141a84982SStephan Mueller * @dst buffer to increment 78241a84982SStephan Mueller * @add value to add 78341a84982SStephan Mueller */ 78441a84982SStephan Mueller static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 78541a84982SStephan Mueller const unsigned char *add, size_t addlen) 78641a84982SStephan Mueller { 78741a84982SStephan Mueller /* implied: dstlen > addlen */ 78841a84982SStephan Mueller unsigned char *dstptr; 78941a84982SStephan Mueller const unsigned char *addptr; 79041a84982SStephan Mueller unsigned int remainder = 0; 79141a84982SStephan Mueller size_t len = addlen; 79241a84982SStephan Mueller 79341a84982SStephan Mueller dstptr = dst + (dstlen-1); 79441a84982SStephan Mueller addptr = add + (addlen-1); 79541a84982SStephan Mueller while (len) { 79641a84982SStephan Mueller remainder += *dstptr + *addptr; 79741a84982SStephan Mueller *dstptr = remainder & 0xff; 79841a84982SStephan Mueller remainder >>= 8; 79941a84982SStephan Mueller len--; dstptr--; addptr--; 80041a84982SStephan Mueller } 80141a84982SStephan Mueller len = dstlen - addlen; 80241a84982SStephan Mueller while (len && remainder > 0) { 80341a84982SStephan Mueller remainder = *dstptr + 1; 80441a84982SStephan Mueller *dstptr = remainder & 0xff; 80541a84982SStephan Mueller remainder >>= 8; 80641a84982SStephan Mueller len--; dstptr--; 80741a84982SStephan Mueller } 80841a84982SStephan Mueller } 80941a84982SStephan Mueller 81041a84982SStephan Mueller /* 811541af946SStephan Mueller * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 812541af946SStephan Mueller * interlinked, the scratchpad is used as follows: 813541af946SStephan Mueller * drbg_hash_update 814541af946SStephan Mueller * start: drbg->scratchpad 815541af946SStephan Mueller * length: drbg_statelen(drbg) 816541af946SStephan Mueller * drbg_hash_df: 817541af946SStephan Mueller * start: drbg->scratchpad + drbg_statelen(drbg) 818541af946SStephan Mueller * length: drbg_blocklen(drbg) 819541af946SStephan Mueller * 820541af946SStephan Mueller * drbg_hash_process_addtl uses the scratchpad, but fully completes 821541af946SStephan Mueller * before either of the functions mentioned before are invoked. Therefore, 822541af946SStephan Mueller * drbg_hash_process_addtl does not need to be specifically considered. 823541af946SStephan Mueller */ 824541af946SStephan Mueller 825541af946SStephan Mueller /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 826541af946SStephan Mueller static int drbg_hash_df(struct drbg_state *drbg, 827541af946SStephan Mueller unsigned char *outval, size_t outlen, 8288c987166SStephan Mueller struct list_head *entropylist) 829541af946SStephan Mueller { 830541af946SStephan Mueller int ret = 0; 831541af946SStephan Mueller size_t len = 0; 832541af946SStephan Mueller unsigned char input[5]; 833541af946SStephan Mueller unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 8348c987166SStephan Mueller struct drbg_string data; 835541af946SStephan Mueller 836541af946SStephan Mueller /* 10.4.1 step 3 */ 837541af946SStephan Mueller input[0] = 1; 83872f3e00dSStephan Mueller drbg_cpu_to_be32((outlen * 8), &input[1]); 839541af946SStephan Mueller 840541af946SStephan Mueller /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 8418c987166SStephan Mueller drbg_string_fill(&data, input, 5); 8428c987166SStephan Mueller list_add(&data.list, entropylist); 843541af946SStephan Mueller 844541af946SStephan Mueller /* 10.4.1 step 4 */ 845541af946SStephan Mueller while (len < outlen) { 846541af946SStephan Mueller short blocklen = 0; 847541af946SStephan Mueller /* 10.4.1 step 4.1 */ 8488c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist); 849541af946SStephan Mueller if (ret) 850541af946SStephan Mueller goto out; 851541af946SStephan Mueller /* 10.4.1 step 4.2 */ 852541af946SStephan Mueller input[0]++; 853541af946SStephan Mueller blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 854541af946SStephan Mueller drbg_blocklen(drbg) : (outlen - len); 855541af946SStephan Mueller memcpy(outval + len, tmp, blocklen); 856541af946SStephan Mueller len += blocklen; 857541af946SStephan Mueller } 858541af946SStephan Mueller 859541af946SStephan Mueller out: 8601471f09fSHerbert Xu memset(tmp, 0, drbg_blocklen(drbg)); 861541af946SStephan Mueller return ret; 862541af946SStephan Mueller } 863541af946SStephan Mueller 864541af946SStephan Mueller /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 8658c987166SStephan Mueller static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 866541af946SStephan Mueller int reseed) 867541af946SStephan Mueller { 868541af946SStephan Mueller int ret = 0; 869541af946SStephan Mueller struct drbg_string data1, data2; 8708c987166SStephan Mueller LIST_HEAD(datalist); 8718c987166SStephan Mueller LIST_HEAD(datalist2); 872541af946SStephan Mueller unsigned char *V = drbg->scratchpad; 873541af946SStephan Mueller unsigned char prefix = DRBG_PREFIX1; 874541af946SStephan Mueller 875541af946SStephan Mueller if (!seed) 876541af946SStephan Mueller return -EINVAL; 877541af946SStephan Mueller 878541af946SStephan Mueller if (reseed) { 879541af946SStephan Mueller /* 10.1.1.3 step 1 */ 880541af946SStephan Mueller memcpy(V, drbg->V, drbg_statelen(drbg)); 881541af946SStephan Mueller drbg_string_fill(&data1, &prefix, 1); 8828c987166SStephan Mueller list_add_tail(&data1.list, &datalist); 883541af946SStephan Mueller drbg_string_fill(&data2, V, drbg_statelen(drbg)); 8848c987166SStephan Mueller list_add_tail(&data2.list, &datalist); 885541af946SStephan Mueller } 8868c987166SStephan Mueller list_splice_tail(seed, &datalist); 887541af946SStephan Mueller 888541af946SStephan Mueller /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 8898c987166SStephan Mueller ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 890541af946SStephan Mueller if (ret) 891541af946SStephan Mueller goto out; 892541af946SStephan Mueller 893541af946SStephan Mueller /* 10.1.1.2 / 10.1.1.3 step 4 */ 894541af946SStephan Mueller prefix = DRBG_PREFIX0; 895541af946SStephan Mueller drbg_string_fill(&data1, &prefix, 1); 8968c987166SStephan Mueller list_add_tail(&data1.list, &datalist2); 897541af946SStephan Mueller drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 8988c987166SStephan Mueller list_add_tail(&data2.list, &datalist2); 899541af946SStephan Mueller /* 10.1.1.2 / 10.1.1.3 step 4 */ 9008c987166SStephan Mueller ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 901541af946SStephan Mueller 902541af946SStephan Mueller out: 9031471f09fSHerbert Xu memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 904541af946SStephan Mueller return ret; 905541af946SStephan Mueller } 906541af946SStephan Mueller 907541af946SStephan Mueller /* processing of additional information string for Hash DRBG */ 908541af946SStephan Mueller static int drbg_hash_process_addtl(struct drbg_state *drbg, 90927e4de2bSStephan Mueller struct list_head *addtl) 910541af946SStephan Mueller { 911541af946SStephan Mueller int ret = 0; 912541af946SStephan Mueller struct drbg_string data1, data2; 9138c987166SStephan Mueller LIST_HEAD(datalist); 914541af946SStephan Mueller unsigned char prefix = DRBG_PREFIX2; 915541af946SStephan Mueller 916541af946SStephan Mueller /* 10.1.1.4 step 2 */ 91727e4de2bSStephan Mueller if (!addtl || list_empty(addtl)) 918541af946SStephan Mueller return 0; 919541af946SStephan Mueller 920541af946SStephan Mueller /* 10.1.1.4 step 2a */ 921541af946SStephan Mueller drbg_string_fill(&data1, &prefix, 1); 922541af946SStephan Mueller drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 9238c987166SStephan Mueller list_add_tail(&data1.list, &datalist); 9248c987166SStephan Mueller list_add_tail(&data2.list, &datalist); 92527e4de2bSStephan Mueller list_splice_tail(addtl, &datalist); 9268c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 927541af946SStephan Mueller if (ret) 928541af946SStephan Mueller goto out; 929541af946SStephan Mueller 930541af946SStephan Mueller /* 10.1.1.4 step 2b */ 931541af946SStephan Mueller drbg_add_buf(drbg->V, drbg_statelen(drbg), 932541af946SStephan Mueller drbg->scratchpad, drbg_blocklen(drbg)); 933541af946SStephan Mueller 934541af946SStephan Mueller out: 9351471f09fSHerbert Xu memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 936541af946SStephan Mueller return ret; 937541af946SStephan Mueller } 938541af946SStephan Mueller 939541af946SStephan Mueller /* Hashgen defined in 10.1.1.4 */ 940541af946SStephan Mueller static int drbg_hash_hashgen(struct drbg_state *drbg, 941541af946SStephan Mueller unsigned char *buf, 942541af946SStephan Mueller unsigned int buflen) 943541af946SStephan Mueller { 944541af946SStephan Mueller int len = 0; 945541af946SStephan Mueller int ret = 0; 946541af946SStephan Mueller unsigned char *src = drbg->scratchpad; 947541af946SStephan Mueller unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 948541af946SStephan Mueller struct drbg_string data; 9498c987166SStephan Mueller LIST_HEAD(datalist); 950541af946SStephan Mueller 951541af946SStephan Mueller /* 10.1.1.4 step hashgen 2 */ 952541af946SStephan Mueller memcpy(src, drbg->V, drbg_statelen(drbg)); 953541af946SStephan Mueller 954541af946SStephan Mueller drbg_string_fill(&data, src, drbg_statelen(drbg)); 9558c987166SStephan Mueller list_add_tail(&data.list, &datalist); 956541af946SStephan Mueller while (len < buflen) { 957541af946SStephan Mueller unsigned int outlen = 0; 958541af946SStephan Mueller /* 10.1.1.4 step hashgen 4.1 */ 9598c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist); 960541af946SStephan Mueller if (ret) { 961541af946SStephan Mueller len = ret; 962541af946SStephan Mueller goto out; 963541af946SStephan Mueller } 964541af946SStephan Mueller outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 965541af946SStephan Mueller drbg_blocklen(drbg) : (buflen - len); 966541af946SStephan Mueller if (!drbg_fips_continuous_test(drbg, dst)) { 96741a84982SStephan Mueller crypto_inc(src, drbg_statelen(drbg)); 968541af946SStephan Mueller continue; 969541af946SStephan Mueller } 970541af946SStephan Mueller /* 10.1.1.4 step hashgen 4.2 */ 971541af946SStephan Mueller memcpy(buf + len, dst, outlen); 972541af946SStephan Mueller len += outlen; 973541af946SStephan Mueller /* 10.1.1.4 hashgen step 4.3 */ 974541af946SStephan Mueller if (len < buflen) 97541a84982SStephan Mueller crypto_inc(src, drbg_statelen(drbg)); 976541af946SStephan Mueller } 977541af946SStephan Mueller 978541af946SStephan Mueller out: 9791471f09fSHerbert Xu memset(drbg->scratchpad, 0, 980541af946SStephan Mueller (drbg_statelen(drbg) + drbg_blocklen(drbg))); 981541af946SStephan Mueller return len; 982541af946SStephan Mueller } 983541af946SStephan Mueller 984541af946SStephan Mueller /* generate function for Hash DRBG as defined in 10.1.1.4 */ 985541af946SStephan Mueller static int drbg_hash_generate(struct drbg_state *drbg, 986541af946SStephan Mueller unsigned char *buf, unsigned int buflen, 98727e4de2bSStephan Mueller struct list_head *addtl) 988541af946SStephan Mueller { 989541af946SStephan Mueller int len = 0; 990541af946SStephan Mueller int ret = 0; 99172f3e00dSStephan Mueller union { 992541af946SStephan Mueller unsigned char req[8]; 9937c8ae03fSStephan Mueller __be64 req_int; 99472f3e00dSStephan Mueller } u; 995541af946SStephan Mueller unsigned char prefix = DRBG_PREFIX3; 996541af946SStephan Mueller struct drbg_string data1, data2; 9978c987166SStephan Mueller LIST_HEAD(datalist); 998541af946SStephan Mueller 999541af946SStephan Mueller /* 10.1.1.4 step 2 */ 1000541af946SStephan Mueller ret = drbg_hash_process_addtl(drbg, addtl); 1001541af946SStephan Mueller if (ret) 1002541af946SStephan Mueller return ret; 1003541af946SStephan Mueller /* 10.1.1.4 step 3 */ 1004541af946SStephan Mueller len = drbg_hash_hashgen(drbg, buf, buflen); 1005541af946SStephan Mueller 1006541af946SStephan Mueller /* this is the value H as documented in 10.1.1.4 */ 1007541af946SStephan Mueller /* 10.1.1.4 step 4 */ 1008541af946SStephan Mueller drbg_string_fill(&data1, &prefix, 1); 10098c987166SStephan Mueller list_add_tail(&data1.list, &datalist); 1010541af946SStephan Mueller drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 10118c987166SStephan Mueller list_add_tail(&data2.list, &datalist); 10128c987166SStephan Mueller ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist); 1013541af946SStephan Mueller if (ret) { 1014541af946SStephan Mueller len = ret; 1015541af946SStephan Mueller goto out; 1016541af946SStephan Mueller } 1017541af946SStephan Mueller 1018541af946SStephan Mueller /* 10.1.1.4 step 5 */ 1019541af946SStephan Mueller drbg_add_buf(drbg->V, drbg_statelen(drbg), 1020541af946SStephan Mueller drbg->scratchpad, drbg_blocklen(drbg)); 1021541af946SStephan Mueller drbg_add_buf(drbg->V, drbg_statelen(drbg), 1022541af946SStephan Mueller drbg->C, drbg_statelen(drbg)); 102372f3e00dSStephan Mueller u.req_int = cpu_to_be64(drbg->reseed_ctr); 102472f3e00dSStephan Mueller drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1025541af946SStephan Mueller 1026541af946SStephan Mueller out: 10271471f09fSHerbert Xu memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1028541af946SStephan Mueller return len; 1029541af946SStephan Mueller } 1030541af946SStephan Mueller 1031541af946SStephan Mueller /* 1032541af946SStephan Mueller * scratchpad usage: as update and generate are used isolated, both 1033541af946SStephan Mueller * can use the scratchpad 1034541af946SStephan Mueller */ 1035541af946SStephan Mueller static struct drbg_state_ops drbg_hash_ops = { 1036541af946SStephan Mueller .update = drbg_hash_update, 1037541af946SStephan Mueller .generate = drbg_hash_generate, 1038541af946SStephan Mueller .crypto_init = drbg_init_hash_kernel, 1039541af946SStephan Mueller .crypto_fini = drbg_fini_hash_kernel, 1040541af946SStephan Mueller }; 1041541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1042541af946SStephan Mueller 1043541af946SStephan Mueller /****************************************************************** 1044541af946SStephan Mueller * Functions common for DRBG implementations 1045541af946SStephan Mueller ******************************************************************/ 1046541af946SStephan Mueller 10473d6a5f75SStephan Mueller static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 10483d6a5f75SStephan Mueller int reseed) 10493d6a5f75SStephan Mueller { 10503d6a5f75SStephan Mueller int ret = drbg->d_ops->update(drbg, seed, reseed); 10513d6a5f75SStephan Mueller 10523d6a5f75SStephan Mueller if (ret) 10533d6a5f75SStephan Mueller return ret; 10543d6a5f75SStephan Mueller 10553d6a5f75SStephan Mueller drbg->seeded = true; 10563d6a5f75SStephan Mueller /* 10.1.1.2 / 10.1.1.3 step 5 */ 10573d6a5f75SStephan Mueller drbg->reseed_ctr = 1; 10583d6a5f75SStephan Mueller 10593d6a5f75SStephan Mueller return ret; 10603d6a5f75SStephan Mueller } 10613d6a5f75SStephan Mueller 10624c787990SStephan Mueller static void drbg_async_seed(struct work_struct *work) 10634c787990SStephan Mueller { 10644c787990SStephan Mueller struct drbg_string data; 10654c787990SStephan Mueller LIST_HEAD(seedlist); 10664c787990SStephan Mueller struct drbg_state *drbg = container_of(work, struct drbg_state, 10674c787990SStephan Mueller seed_work); 106857225e67SStephan Mueller unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 106957225e67SStephan Mueller unsigned char entropy[32]; 10704c787990SStephan Mueller 107157225e67SStephan Mueller BUG_ON(!entropylen); 107257225e67SStephan Mueller BUG_ON(entropylen > sizeof(entropy)); 107357225e67SStephan Mueller get_random_bytes(entropy, entropylen); 10744c787990SStephan Mueller 107557225e67SStephan Mueller drbg_string_fill(&data, entropy, entropylen); 10764c787990SStephan Mueller list_add_tail(&data.list, &seedlist); 107757225e67SStephan Mueller 10784c787990SStephan Mueller mutex_lock(&drbg->drbg_mutex); 107957225e67SStephan Mueller 108057225e67SStephan Mueller /* If nonblocking pool is initialized, deactivate Jitter RNG */ 1081b8ec5ba4SStephan Mueller crypto_free_rng(drbg->jent); 1082b8ec5ba4SStephan Mueller drbg->jent = NULL; 108357225e67SStephan Mueller 108457225e67SStephan Mueller /* Set seeded to false so that if __drbg_seed fails the 108557225e67SStephan Mueller * next generate call will trigger a reseed. 108657225e67SStephan Mueller */ 108757225e67SStephan Mueller drbg->seeded = false; 108857225e67SStephan Mueller 108957225e67SStephan Mueller __drbg_seed(drbg, &seedlist, true); 109057225e67SStephan Mueller 109142ea507fSStephan Mueller if (drbg->seeded) 109242ea507fSStephan Mueller drbg->reseed_threshold = drbg_max_requests(drbg); 109342ea507fSStephan Mueller 10944c787990SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 109557225e67SStephan Mueller 109657225e67SStephan Mueller memzero_explicit(entropy, entropylen); 10974c787990SStephan Mueller } 10984c787990SStephan Mueller 1099541af946SStephan Mueller /* 1100541af946SStephan Mueller * Seeding or reseeding of the DRBG 1101541af946SStephan Mueller * 1102541af946SStephan Mueller * @drbg: DRBG state struct 1103541af946SStephan Mueller * @pers: personalization / additional information buffer 1104541af946SStephan Mueller * @reseed: 0 for initial seed process, 1 for reseeding 1105541af946SStephan Mueller * 1106541af946SStephan Mueller * return: 1107541af946SStephan Mueller * 0 on success 1108541af946SStephan Mueller * error value otherwise 1109541af946SStephan Mueller */ 1110541af946SStephan Mueller static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1111541af946SStephan Mueller bool reseed) 1112541af946SStephan Mueller { 111357225e67SStephan Mueller int ret; 111457225e67SStephan Mueller unsigned char entropy[((32 + 16) * 2)]; 111557225e67SStephan Mueller unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1116541af946SStephan Mueller struct drbg_string data1; 11178c987166SStephan Mueller LIST_HEAD(seedlist); 1118541af946SStephan Mueller 1119541af946SStephan Mueller /* 9.1 / 9.2 / 9.3.1 step 3 */ 1120541af946SStephan Mueller if (pers && pers->len > (drbg_max_addtl(drbg))) { 1121a9089571SStephan Mueller pr_devel("DRBG: personalization string too long %zu\n", 1122541af946SStephan Mueller pers->len); 1123541af946SStephan Mueller return -EINVAL; 1124541af946SStephan Mueller } 1125541af946SStephan Mueller 11268fded592SHerbert Xu if (list_empty(&drbg->test_data.list)) { 11278fded592SHerbert Xu drbg_string_fill(&data1, drbg->test_data.buf, 11288fded592SHerbert Xu drbg->test_data.len); 1129541af946SStephan Mueller pr_devel("DRBG: using test entropy\n"); 1130541af946SStephan Mueller } else { 113157225e67SStephan Mueller /* 113257225e67SStephan Mueller * Gather entropy equal to the security strength of the DRBG. 113357225e67SStephan Mueller * With a derivation function, a nonce is required in addition 113457225e67SStephan Mueller * to the entropy. A nonce must be at least 1/2 of the security 113557225e67SStephan Mueller * strength of the DRBG in size. Thus, entropy + nonce is 3/2 113657225e67SStephan Mueller * of the strength. The consideration of a nonce is only 113757225e67SStephan Mueller * applicable during initial seeding. 113857225e67SStephan Mueller */ 113957225e67SStephan Mueller BUG_ON(!entropylen); 114057225e67SStephan Mueller if (!reseed) 114157225e67SStephan Mueller entropylen = ((entropylen + 1) / 2) * 3; 114257225e67SStephan Mueller BUG_ON((entropylen * 2) > sizeof(entropy)); 1143b8ec5ba4SStephan Mueller 114457225e67SStephan Mueller /* Get seed from in-kernel /dev/urandom */ 114557225e67SStephan Mueller get_random_bytes(entropy, entropylen); 114657225e67SStephan Mueller 114757225e67SStephan Mueller if (!drbg->jent) { 114857225e67SStephan Mueller drbg_string_fill(&data1, entropy, entropylen); 114957225e67SStephan Mueller pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 115057225e67SStephan Mueller entropylen); 1151b8ec5ba4SStephan Mueller } else { 115257225e67SStephan Mueller /* Get seed from Jitter RNG */ 115357225e67SStephan Mueller ret = crypto_rng_get_bytes(drbg->jent, 115457225e67SStephan Mueller entropy + entropylen, 115557225e67SStephan Mueller entropylen); 115657225e67SStephan Mueller if (ret) { 115757225e67SStephan Mueller pr_devel("DRBG: jent failed with %d\n", ret); 115857225e67SStephan Mueller return ret; 115957225e67SStephan Mueller } 116057225e67SStephan Mueller 116157225e67SStephan Mueller drbg_string_fill(&data1, entropy, entropylen * 2); 116257225e67SStephan Mueller pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 116357225e67SStephan Mueller entropylen * 2); 1164b8ec5ba4SStephan Mueller } 1165541af946SStephan Mueller } 11668c987166SStephan Mueller list_add_tail(&data1.list, &seedlist); 1167541af946SStephan Mueller 1168541af946SStephan Mueller /* 1169541af946SStephan Mueller * concatenation of entropy with personalization str / addtl input) 1170541af946SStephan Mueller * the variable pers is directly handed in by the caller, so check its 1171541af946SStephan Mueller * contents whether it is appropriate 1172541af946SStephan Mueller */ 11738c987166SStephan Mueller if (pers && pers->buf && 0 < pers->len) { 11748c987166SStephan Mueller list_add_tail(&pers->list, &seedlist); 1175541af946SStephan Mueller pr_devel("DRBG: using personalization string\n"); 1176541af946SStephan Mueller } 1177541af946SStephan Mueller 1178e6c0244aSStephan Mueller if (!reseed) { 1179e6c0244aSStephan Mueller memset(drbg->V, 0, drbg_statelen(drbg)); 1180e6c0244aSStephan Mueller memset(drbg->C, 0, drbg_statelen(drbg)); 1181e6c0244aSStephan Mueller } 1182e6c0244aSStephan Mueller 11833d6a5f75SStephan Mueller ret = __drbg_seed(drbg, &seedlist, reseed); 11843d6a5f75SStephan Mueller 118557225e67SStephan Mueller memzero_explicit(entropy, entropylen * 2); 1186541af946SStephan Mueller 1187541af946SStephan Mueller return ret; 1188541af946SStephan Mueller } 1189541af946SStephan Mueller 1190541af946SStephan Mueller /* Free all substructures in a DRBG state without the DRBG state structure */ 1191541af946SStephan Mueller static inline void drbg_dealloc_state(struct drbg_state *drbg) 1192541af946SStephan Mueller { 1193541af946SStephan Mueller if (!drbg) 1194541af946SStephan Mueller return; 1195541af946SStephan Mueller kzfree(drbg->V); 1196541af946SStephan Mueller drbg->V = NULL; 1197541af946SStephan Mueller kzfree(drbg->C); 1198541af946SStephan Mueller drbg->C = NULL; 1199541af946SStephan Mueller kzfree(drbg->scratchpad); 1200541af946SStephan Mueller drbg->scratchpad = NULL; 1201541af946SStephan Mueller drbg->reseed_ctr = 0; 12022a57e424SHerbert Xu drbg->d_ops = NULL; 12032a57e424SHerbert Xu drbg->core = NULL; 1204541af946SStephan Mueller #ifdef CONFIG_CRYPTO_FIPS 1205541af946SStephan Mueller kzfree(drbg->prev); 1206541af946SStephan Mueller drbg->prev = NULL; 1207541af946SStephan Mueller drbg->fips_primed = false; 1208541af946SStephan Mueller #endif 1209541af946SStephan Mueller } 1210541af946SStephan Mueller 1211541af946SStephan Mueller /* 1212541af946SStephan Mueller * Allocate all sub-structures for a DRBG state. 1213541af946SStephan Mueller * The DRBG state structure must already be allocated. 1214541af946SStephan Mueller */ 1215541af946SStephan Mueller static inline int drbg_alloc_state(struct drbg_state *drbg) 1216541af946SStephan Mueller { 1217541af946SStephan Mueller int ret = -ENOMEM; 1218541af946SStephan Mueller unsigned int sb_size = 0; 1219541af946SStephan Mueller 12202a57e424SHerbert Xu switch (drbg->core->flags & DRBG_TYPE_MASK) { 12212a57e424SHerbert Xu #ifdef CONFIG_CRYPTO_DRBG_HMAC 12222a57e424SHerbert Xu case DRBG_HMAC: 12232a57e424SHerbert Xu drbg->d_ops = &drbg_hmac_ops; 12242a57e424SHerbert Xu break; 12252a57e424SHerbert Xu #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 12262a57e424SHerbert Xu #ifdef CONFIG_CRYPTO_DRBG_HASH 12272a57e424SHerbert Xu case DRBG_HASH: 12282a57e424SHerbert Xu drbg->d_ops = &drbg_hash_ops; 12292a57e424SHerbert Xu break; 12302a57e424SHerbert Xu #endif /* CONFIG_CRYPTO_DRBG_HASH */ 12312a57e424SHerbert Xu #ifdef CONFIG_CRYPTO_DRBG_CTR 12322a57e424SHerbert Xu case DRBG_CTR: 12332a57e424SHerbert Xu drbg->d_ops = &drbg_ctr_ops; 12342a57e424SHerbert Xu break; 12352a57e424SHerbert Xu #endif /* CONFIG_CRYPTO_DRBG_CTR */ 12362a57e424SHerbert Xu default: 12372a57e424SHerbert Xu ret = -EOPNOTSUPP; 12382a57e424SHerbert Xu goto err; 12392a57e424SHerbert Xu } 12402a57e424SHerbert Xu 1241e6c0244aSStephan Mueller drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1242541af946SStephan Mueller if (!drbg->V) 1243541af946SStephan Mueller goto err; 1244e6c0244aSStephan Mueller drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL); 1245541af946SStephan Mueller if (!drbg->C) 1246541af946SStephan Mueller goto err; 1247541af946SStephan Mueller #ifdef CONFIG_CRYPTO_FIPS 1248e6c0244aSStephan Mueller drbg->prev = kmalloc(drbg_blocklen(drbg), GFP_KERNEL); 1249541af946SStephan Mueller if (!drbg->prev) 1250541af946SStephan Mueller goto err; 1251541af946SStephan Mueller drbg->fips_primed = false; 1252541af946SStephan Mueller #endif 1253541af946SStephan Mueller /* scratchpad is only generated for CTR and Hash */ 1254541af946SStephan Mueller if (drbg->core->flags & DRBG_HMAC) 1255541af946SStephan Mueller sb_size = 0; 1256541af946SStephan Mueller else if (drbg->core->flags & DRBG_CTR) 1257541af946SStephan Mueller sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1258541af946SStephan Mueller drbg_statelen(drbg) + /* df_data */ 1259541af946SStephan Mueller drbg_blocklen(drbg) + /* pad */ 1260541af946SStephan Mueller drbg_blocklen(drbg) + /* iv */ 12618fecaad7SStephan Mueller drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1262541af946SStephan Mueller else 1263541af946SStephan Mueller sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1264541af946SStephan Mueller 1265541af946SStephan Mueller if (0 < sb_size) { 1266541af946SStephan Mueller drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL); 1267541af946SStephan Mueller if (!drbg->scratchpad) 1268541af946SStephan Mueller goto err; 1269541af946SStephan Mueller } 12703d6a5f75SStephan Mueller 1271541af946SStephan Mueller return 0; 1272541af946SStephan Mueller 1273541af946SStephan Mueller err: 1274541af946SStephan Mueller drbg_dealloc_state(drbg); 1275541af946SStephan Mueller return ret; 1276541af946SStephan Mueller } 1277541af946SStephan Mueller 1278541af946SStephan Mueller /************************************************************************* 1279541af946SStephan Mueller * DRBG interface functions 1280541af946SStephan Mueller *************************************************************************/ 1281541af946SStephan Mueller 1282541af946SStephan Mueller /* 1283541af946SStephan Mueller * DRBG generate function as required by SP800-90A - this function 1284541af946SStephan Mueller * generates random numbers 1285541af946SStephan Mueller * 1286541af946SStephan Mueller * @drbg DRBG state handle 1287541af946SStephan Mueller * @buf Buffer where to store the random numbers -- the buffer must already 1288541af946SStephan Mueller * be pre-allocated by caller 1289541af946SStephan Mueller * @buflen Length of output buffer - this value defines the number of random 1290541af946SStephan Mueller * bytes pulled from DRBG 1291541af946SStephan Mueller * @addtl Additional input that is mixed into state, may be NULL -- note 1292541af946SStephan Mueller * the entropy is pulled by the DRBG internally unconditionally 1293541af946SStephan Mueller * as defined in SP800-90A. The additional input is mixed into 1294541af946SStephan Mueller * the state in addition to the pulled entropy. 1295541af946SStephan Mueller * 1296cde001e4SStephan Mueller * return: 0 when all bytes are generated; < 0 in case of an error 1297541af946SStephan Mueller */ 1298541af946SStephan Mueller static int drbg_generate(struct drbg_state *drbg, 1299541af946SStephan Mueller unsigned char *buf, unsigned int buflen, 1300541af946SStephan Mueller struct drbg_string *addtl) 1301541af946SStephan Mueller { 1302541af946SStephan Mueller int len = 0; 130327e4de2bSStephan Mueller LIST_HEAD(addtllist); 1304541af946SStephan Mueller 13052a57e424SHerbert Xu if (!drbg->core) { 13062a57e424SHerbert Xu pr_devel("DRBG: not yet seeded\n"); 13072a57e424SHerbert Xu return -EINVAL; 13082a57e424SHerbert Xu } 1309541af946SStephan Mueller if (0 == buflen || !buf) { 1310541af946SStephan Mueller pr_devel("DRBG: no output buffer provided\n"); 1311541af946SStephan Mueller return -EINVAL; 1312541af946SStephan Mueller } 1313541af946SStephan Mueller if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1314541af946SStephan Mueller pr_devel("DRBG: wrong format of additional information\n"); 1315541af946SStephan Mueller return -EINVAL; 1316541af946SStephan Mueller } 1317541af946SStephan Mueller 1318541af946SStephan Mueller /* 9.3.1 step 2 */ 1319541af946SStephan Mueller len = -EINVAL; 132076899a41SStephan Mueller if (buflen > (drbg_max_request_bytes(drbg))) { 1321541af946SStephan Mueller pr_devel("DRBG: requested random numbers too large %u\n", 1322541af946SStephan Mueller buflen); 1323541af946SStephan Mueller goto err; 1324541af946SStephan Mueller } 1325541af946SStephan Mueller 1326541af946SStephan Mueller /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1327541af946SStephan Mueller 1328541af946SStephan Mueller /* 9.3.1 step 4 */ 132976899a41SStephan Mueller if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1330541af946SStephan Mueller pr_devel("DRBG: additional information string too long %zu\n", 1331541af946SStephan Mueller addtl->len); 1332541af946SStephan Mueller goto err; 1333541af946SStephan Mueller } 1334541af946SStephan Mueller /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1335541af946SStephan Mueller 1336541af946SStephan Mueller /* 1337541af946SStephan Mueller * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1338541af946SStephan Mueller * here. The spec is a bit convoluted here, we make it simpler. 1339541af946SStephan Mueller */ 134042ea507fSStephan Mueller if (drbg->reseed_threshold < drbg->reseed_ctr) 134176899a41SStephan Mueller drbg->seeded = false; 1342541af946SStephan Mueller 134376899a41SStephan Mueller if (drbg->pr || !drbg->seeded) { 1344541af946SStephan Mueller pr_devel("DRBG: reseeding before generation (prediction " 1345541af946SStephan Mueller "resistance: %s, state %s)\n", 1346541af946SStephan Mueller drbg->pr ? "true" : "false", 1347541af946SStephan Mueller drbg->seeded ? "seeded" : "unseeded"); 1348541af946SStephan Mueller /* 9.3.1 steps 7.1 through 7.3 */ 134976899a41SStephan Mueller len = drbg_seed(drbg, addtl, true); 1350541af946SStephan Mueller if (len) 1351541af946SStephan Mueller goto err; 1352541af946SStephan Mueller /* 9.3.1 step 7.4 */ 1353541af946SStephan Mueller addtl = NULL; 1354541af946SStephan Mueller } 135527e4de2bSStephan Mueller 135627e4de2bSStephan Mueller if (addtl && 0 < addtl->len) 135727e4de2bSStephan Mueller list_add_tail(&addtl->list, &addtllist); 1358541af946SStephan Mueller /* 9.3.1 step 8 and 10 */ 135976899a41SStephan Mueller len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1360541af946SStephan Mueller 1361541af946SStephan Mueller /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 136276899a41SStephan Mueller drbg->reseed_ctr++; 1363541af946SStephan Mueller if (0 >= len) 1364541af946SStephan Mueller goto err; 1365541af946SStephan Mueller 1366541af946SStephan Mueller /* 1367541af946SStephan Mueller * Section 11.3.3 requires to re-perform self tests after some 1368541af946SStephan Mueller * generated random numbers. The chosen value after which self 1369541af946SStephan Mueller * test is performed is arbitrary, but it should be reasonable. 1370541af946SStephan Mueller * However, we do not perform the self tests because of the following 1371541af946SStephan Mueller * reasons: it is mathematically impossible that the initial self tests 1372541af946SStephan Mueller * were successfully and the following are not. If the initial would 1373541af946SStephan Mueller * pass and the following would not, the kernel integrity is violated. 1374541af946SStephan Mueller * In this case, the entire kernel operation is questionable and it 1375541af946SStephan Mueller * is unlikely that the integrity violation only affects the 1376541af946SStephan Mueller * correct operation of the DRBG. 1377541af946SStephan Mueller * 1378541af946SStephan Mueller * Albeit the following code is commented out, it is provided in 1379541af946SStephan Mueller * case somebody has a need to implement the test of 11.3.3. 1380541af946SStephan Mueller */ 1381541af946SStephan Mueller #if 0 138276899a41SStephan Mueller if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1383541af946SStephan Mueller int err = 0; 1384541af946SStephan Mueller pr_devel("DRBG: start to perform self test\n"); 1385541af946SStephan Mueller if (drbg->core->flags & DRBG_HMAC) 1386541af946SStephan Mueller err = alg_test("drbg_pr_hmac_sha256", 1387541af946SStephan Mueller "drbg_pr_hmac_sha256", 0, 0); 1388541af946SStephan Mueller else if (drbg->core->flags & DRBG_CTR) 1389541af946SStephan Mueller err = alg_test("drbg_pr_ctr_aes128", 1390541af946SStephan Mueller "drbg_pr_ctr_aes128", 0, 0); 1391541af946SStephan Mueller else 1392541af946SStephan Mueller err = alg_test("drbg_pr_sha256", 1393541af946SStephan Mueller "drbg_pr_sha256", 0, 0); 1394541af946SStephan Mueller if (err) { 1395541af946SStephan Mueller pr_err("DRBG: periodical self test failed\n"); 1396541af946SStephan Mueller /* 1397541af946SStephan Mueller * uninstantiate implies that from now on, only errors 1398541af946SStephan Mueller * are returned when reusing this DRBG cipher handle 1399541af946SStephan Mueller */ 1400541af946SStephan Mueller drbg_uninstantiate(drbg); 1401541af946SStephan Mueller return 0; 1402541af946SStephan Mueller } else { 1403541af946SStephan Mueller pr_devel("DRBG: self test successful\n"); 1404541af946SStephan Mueller } 1405541af946SStephan Mueller } 1406541af946SStephan Mueller #endif 1407541af946SStephan Mueller 1408cde001e4SStephan Mueller /* 1409cde001e4SStephan Mueller * All operations were successful, return 0 as mandated by 1410cde001e4SStephan Mueller * the kernel crypto API interface. 1411cde001e4SStephan Mueller */ 1412cde001e4SStephan Mueller len = 0; 1413541af946SStephan Mueller err: 1414541af946SStephan Mueller return len; 1415541af946SStephan Mueller } 1416541af946SStephan Mueller 1417541af946SStephan Mueller /* 1418541af946SStephan Mueller * Wrapper around drbg_generate which can pull arbitrary long strings 1419541af946SStephan Mueller * from the DRBG without hitting the maximum request limitation. 1420541af946SStephan Mueller * 1421541af946SStephan Mueller * Parameters: see drbg_generate 1422541af946SStephan Mueller * Return codes: see drbg_generate -- if one drbg_generate request fails, 1423541af946SStephan Mueller * the entire drbg_generate_long request fails 1424541af946SStephan Mueller */ 1425541af946SStephan Mueller static int drbg_generate_long(struct drbg_state *drbg, 1426541af946SStephan Mueller unsigned char *buf, unsigned int buflen, 1427541af946SStephan Mueller struct drbg_string *addtl) 1428541af946SStephan Mueller { 1429082eb10bSStephan Mueller unsigned int len = 0; 1430541af946SStephan Mueller unsigned int slice = 0; 1431541af946SStephan Mueller do { 1432082eb10bSStephan Mueller int err = 0; 1433541af946SStephan Mueller unsigned int chunk = 0; 1434541af946SStephan Mueller slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1435541af946SStephan Mueller chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 143676899a41SStephan Mueller mutex_lock(&drbg->drbg_mutex); 1437082eb10bSStephan Mueller err = drbg_generate(drbg, buf + len, chunk, addtl); 143876899a41SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 1439082eb10bSStephan Mueller if (0 > err) 1440082eb10bSStephan Mueller return err; 1441082eb10bSStephan Mueller len += chunk; 1442ce5481d0SStephan Mueller } while (slice > 0 && (len < buflen)); 1443082eb10bSStephan Mueller return 0; 1444541af946SStephan Mueller } 1445541af946SStephan Mueller 144657225e67SStephan Mueller static void drbg_schedule_async_seed(struct random_ready_callback *rdy) 144757225e67SStephan Mueller { 144857225e67SStephan Mueller struct drbg_state *drbg = container_of(rdy, struct drbg_state, 144957225e67SStephan Mueller random_ready); 145057225e67SStephan Mueller 145157225e67SStephan Mueller schedule_work(&drbg->seed_work); 145257225e67SStephan Mueller } 145357225e67SStephan Mueller 145457225e67SStephan Mueller static int drbg_prepare_hrng(struct drbg_state *drbg) 145557225e67SStephan Mueller { 145657225e67SStephan Mueller int err; 145757225e67SStephan Mueller 145857225e67SStephan Mueller /* We do not need an HRNG in test mode. */ 145957225e67SStephan Mueller if (list_empty(&drbg->test_data.list)) 146057225e67SStephan Mueller return 0; 146157225e67SStephan Mueller 146257225e67SStephan Mueller INIT_WORK(&drbg->seed_work, drbg_async_seed); 146357225e67SStephan Mueller 146457225e67SStephan Mueller drbg->random_ready.owner = THIS_MODULE; 146557225e67SStephan Mueller drbg->random_ready.func = drbg_schedule_async_seed; 146657225e67SStephan Mueller 146757225e67SStephan Mueller err = add_random_ready_callback(&drbg->random_ready); 146857225e67SStephan Mueller 146957225e67SStephan Mueller switch (err) { 147057225e67SStephan Mueller case 0: 147157225e67SStephan Mueller break; 147257225e67SStephan Mueller 147357225e67SStephan Mueller case -EALREADY: 147457225e67SStephan Mueller err = 0; 147557225e67SStephan Mueller /* fall through */ 147657225e67SStephan Mueller 147757225e67SStephan Mueller default: 147857225e67SStephan Mueller drbg->random_ready.func = NULL; 147957225e67SStephan Mueller return err; 148057225e67SStephan Mueller } 148157225e67SStephan Mueller 148257225e67SStephan Mueller drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 148357225e67SStephan Mueller 148442ea507fSStephan Mueller /* 148542ea507fSStephan Mueller * Require frequent reseeds until the seed source is fully 148642ea507fSStephan Mueller * initialized. 148742ea507fSStephan Mueller */ 148842ea507fSStephan Mueller drbg->reseed_threshold = 50; 148942ea507fSStephan Mueller 149057225e67SStephan Mueller return err; 149157225e67SStephan Mueller } 149257225e67SStephan Mueller 1493541af946SStephan Mueller /* 1494541af946SStephan Mueller * DRBG instantiation function as required by SP800-90A - this function 1495541af946SStephan Mueller * sets up the DRBG handle, performs the initial seeding and all sanity 1496541af946SStephan Mueller * checks required by SP800-90A 1497541af946SStephan Mueller * 1498541af946SStephan Mueller * @drbg memory of state -- if NULL, new memory is allocated 1499541af946SStephan Mueller * @pers Personalization string that is mixed into state, may be NULL -- note 1500541af946SStephan Mueller * the entropy is pulled by the DRBG internally unconditionally 1501541af946SStephan Mueller * as defined in SP800-90A. The additional input is mixed into 1502541af946SStephan Mueller * the state in addition to the pulled entropy. 1503541af946SStephan Mueller * @coreref reference to core 1504541af946SStephan Mueller * @pr prediction resistance enabled 1505541af946SStephan Mueller * 1506541af946SStephan Mueller * return 1507541af946SStephan Mueller * 0 on success 1508541af946SStephan Mueller * error value otherwise 1509541af946SStephan Mueller */ 1510541af946SStephan Mueller static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1511541af946SStephan Mueller int coreref, bool pr) 1512541af946SStephan Mueller { 15132a57e424SHerbert Xu int ret; 15142a57e424SHerbert Xu bool reseed = true; 1515541af946SStephan Mueller 1516541af946SStephan Mueller pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1517541af946SStephan Mueller "%s\n", coreref, pr ? "enabled" : "disabled"); 151876899a41SStephan Mueller mutex_lock(&drbg->drbg_mutex); 1519541af946SStephan Mueller 1520541af946SStephan Mueller /* 9.1 step 1 is implicit with the selected DRBG type */ 1521541af946SStephan Mueller 1522541af946SStephan Mueller /* 1523541af946SStephan Mueller * 9.1 step 2 is implicit as caller can select prediction resistance 1524541af946SStephan Mueller * and the flag is copied into drbg->flags -- 1525541af946SStephan Mueller * all DRBG types support prediction resistance 1526541af946SStephan Mueller */ 1527541af946SStephan Mueller 1528541af946SStephan Mueller /* 9.1 step 4 is implicit in drbg_sec_strength */ 1529541af946SStephan Mueller 15302a57e424SHerbert Xu if (!drbg->core) { 15312a57e424SHerbert Xu drbg->core = &drbg_cores[coreref]; 15322a57e424SHerbert Xu drbg->pr = pr; 15332a57e424SHerbert Xu drbg->seeded = false; 153442ea507fSStephan Mueller drbg->reseed_threshold = drbg_max_requests(drbg); 15352a57e424SHerbert Xu 1536541af946SStephan Mueller ret = drbg_alloc_state(drbg); 1537541af946SStephan Mueller if (ret) 153876899a41SStephan Mueller goto unlock; 1539541af946SStephan Mueller 1540541af946SStephan Mueller ret = -EFAULT; 154145943a58SStephan Mueller if (drbg->d_ops->crypto_init(drbg)) 1542541af946SStephan Mueller goto err; 15432a57e424SHerbert Xu 154457225e67SStephan Mueller ret = drbg_prepare_hrng(drbg); 154557225e67SStephan Mueller if (ret) 154657225e67SStephan Mueller goto free_everything; 154757225e67SStephan Mueller 154857225e67SStephan Mueller if (IS_ERR(drbg->jent)) { 154957225e67SStephan Mueller ret = PTR_ERR(drbg->jent); 155057225e67SStephan Mueller drbg->jent = NULL; 155157225e67SStephan Mueller if (fips_enabled || ret != -ENOENT) 155257225e67SStephan Mueller goto free_everything; 155357225e67SStephan Mueller pr_info("DRBG: Continuing without Jitter RNG\n"); 155457225e67SStephan Mueller } 155557225e67SStephan Mueller 15562a57e424SHerbert Xu reseed = false; 15572a57e424SHerbert Xu } 15582a57e424SHerbert Xu 15592a57e424SHerbert Xu ret = drbg_seed(drbg, pers, reseed); 15602a57e424SHerbert Xu 156157225e67SStephan Mueller if (ret && !reseed) 156257225e67SStephan Mueller goto free_everything; 1563541af946SStephan Mueller 156476899a41SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 15652a57e424SHerbert Xu return ret; 1566541af946SStephan Mueller 1567541af946SStephan Mueller err: 1568541af946SStephan Mueller drbg_dealloc_state(drbg); 156976899a41SStephan Mueller unlock: 157076899a41SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 1571541af946SStephan Mueller return ret; 157257225e67SStephan Mueller 157357225e67SStephan Mueller free_everything: 157457225e67SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 157557225e67SStephan Mueller drbg_uninstantiate(drbg); 157657225e67SStephan Mueller return ret; 1577541af946SStephan Mueller } 1578541af946SStephan Mueller 1579541af946SStephan Mueller /* 1580541af946SStephan Mueller * DRBG uninstantiate function as required by SP800-90A - this function 1581541af946SStephan Mueller * frees all buffers and the DRBG handle 1582541af946SStephan Mueller * 1583541af946SStephan Mueller * @drbg DRBG state handle 1584541af946SStephan Mueller * 1585541af946SStephan Mueller * return 1586541af946SStephan Mueller * 0 on success 1587541af946SStephan Mueller */ 1588541af946SStephan Mueller static int drbg_uninstantiate(struct drbg_state *drbg) 1589541af946SStephan Mueller { 159057225e67SStephan Mueller if (drbg->random_ready.func) { 159157225e67SStephan Mueller del_random_ready_callback(&drbg->random_ready); 15924c787990SStephan Mueller cancel_work_sync(&drbg->seed_work); 159357225e67SStephan Mueller crypto_free_rng(drbg->jent); 159457225e67SStephan Mueller drbg->jent = NULL; 159557225e67SStephan Mueller } 159657225e67SStephan Mueller 15972a57e424SHerbert Xu if (drbg->d_ops) 1598fa3ae625SStephan Mueller drbg->d_ops->crypto_fini(drbg); 1599541af946SStephan Mueller drbg_dealloc_state(drbg); 1600541af946SStephan Mueller /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1601541af946SStephan Mueller return 0; 1602541af946SStephan Mueller } 1603541af946SStephan Mueller 1604541af946SStephan Mueller /* 1605541af946SStephan Mueller * Helper function for setting the test data in the DRBG 1606541af946SStephan Mueller * 1607541af946SStephan Mueller * @drbg DRBG state handle 16088fded592SHerbert Xu * @data test data 16098fded592SHerbert Xu * @len test data length 1610541af946SStephan Mueller */ 16118fded592SHerbert Xu static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 16128fded592SHerbert Xu const u8 *data, unsigned int len) 1613541af946SStephan Mueller { 16148fded592SHerbert Xu struct drbg_state *drbg = crypto_rng_ctx(tfm); 16158fded592SHerbert Xu 16168fded592SHerbert Xu mutex_lock(&drbg->drbg_mutex); 16178fded592SHerbert Xu drbg_string_fill(&drbg->test_data, data, len); 161876899a41SStephan Mueller mutex_unlock(&drbg->drbg_mutex); 1619541af946SStephan Mueller } 1620541af946SStephan Mueller 1621541af946SStephan Mueller /*************************************************************** 1622541af946SStephan Mueller * Kernel crypto API cipher invocations requested by DRBG 1623541af946SStephan Mueller ***************************************************************/ 1624541af946SStephan Mueller 1625541af946SStephan Mueller #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1626541af946SStephan Mueller struct sdesc { 1627541af946SStephan Mueller struct shash_desc shash; 1628541af946SStephan Mueller char ctx[]; 1629541af946SStephan Mueller }; 1630541af946SStephan Mueller 1631541af946SStephan Mueller static int drbg_init_hash_kernel(struct drbg_state *drbg) 1632541af946SStephan Mueller { 1633541af946SStephan Mueller struct sdesc *sdesc; 1634541af946SStephan Mueller struct crypto_shash *tfm; 1635541af946SStephan Mueller 1636541af946SStephan Mueller tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1637541af946SStephan Mueller if (IS_ERR(tfm)) { 1638593dfbd9SSergey Senozhatsky pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1639593dfbd9SSergey Senozhatsky drbg->core->backend_cra_name); 1640541af946SStephan Mueller return PTR_ERR(tfm); 1641541af946SStephan Mueller } 1642541af946SStephan Mueller BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1643541af946SStephan Mueller sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1644541af946SStephan Mueller GFP_KERNEL); 1645541af946SStephan Mueller if (!sdesc) { 1646541af946SStephan Mueller crypto_free_shash(tfm); 1647541af946SStephan Mueller return -ENOMEM; 1648541af946SStephan Mueller } 1649541af946SStephan Mueller 1650541af946SStephan Mueller sdesc->shash.tfm = tfm; 1651541af946SStephan Mueller sdesc->shash.flags = 0; 1652541af946SStephan Mueller drbg->priv_data = sdesc; 1653541af946SStephan Mueller return 0; 1654541af946SStephan Mueller } 1655541af946SStephan Mueller 1656541af946SStephan Mueller static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1657541af946SStephan Mueller { 1658541af946SStephan Mueller struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 1659541af946SStephan Mueller if (sdesc) { 1660541af946SStephan Mueller crypto_free_shash(sdesc->shash.tfm); 1661541af946SStephan Mueller kzfree(sdesc); 1662541af946SStephan Mueller } 1663541af946SStephan Mueller drbg->priv_data = NULL; 1664541af946SStephan Mueller return 0; 1665541af946SStephan Mueller } 1666541af946SStephan Mueller 1667541af946SStephan Mueller static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key, 16688c987166SStephan Mueller unsigned char *outval, const struct list_head *in) 1669541af946SStephan Mueller { 1670541af946SStephan Mueller struct sdesc *sdesc = (struct sdesc *)drbg->priv_data; 16718c987166SStephan Mueller struct drbg_string *input = NULL; 1672541af946SStephan Mueller 1673541af946SStephan Mueller if (key) 1674541af946SStephan Mueller crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1675541af946SStephan Mueller crypto_shash_init(&sdesc->shash); 16768c987166SStephan Mueller list_for_each_entry(input, in, list) 16778c987166SStephan Mueller crypto_shash_update(&sdesc->shash, input->buf, input->len); 1678541af946SStephan Mueller return crypto_shash_final(&sdesc->shash, outval); 1679541af946SStephan Mueller } 1680541af946SStephan Mueller #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1681541af946SStephan Mueller 1682541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_CTR 1683541af946SStephan Mueller static int drbg_init_sym_kernel(struct drbg_state *drbg) 1684541af946SStephan Mueller { 1685541af946SStephan Mueller int ret = 0; 168604bcbfcfSStephan Mueller struct crypto_cipher *tfm; 1687541af946SStephan Mueller 168804bcbfcfSStephan Mueller tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1689541af946SStephan Mueller if (IS_ERR(tfm)) { 1690593dfbd9SSergey Senozhatsky pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1691593dfbd9SSergey Senozhatsky drbg->core->backend_cra_name); 1692541af946SStephan Mueller return PTR_ERR(tfm); 1693541af946SStephan Mueller } 169404bcbfcfSStephan Mueller BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1695541af946SStephan Mueller drbg->priv_data = tfm; 1696541af946SStephan Mueller return ret; 1697541af946SStephan Mueller } 1698541af946SStephan Mueller 1699541af946SStephan Mueller static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1700541af946SStephan Mueller { 170104bcbfcfSStephan Mueller struct crypto_cipher *tfm = 170204bcbfcfSStephan Mueller (struct crypto_cipher *)drbg->priv_data; 1703541af946SStephan Mueller if (tfm) 170404bcbfcfSStephan Mueller crypto_free_cipher(tfm); 1705541af946SStephan Mueller drbg->priv_data = NULL; 1706541af946SStephan Mueller return 0; 1707541af946SStephan Mueller } 1708541af946SStephan Mueller 1709541af946SStephan Mueller static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key, 1710541af946SStephan Mueller unsigned char *outval, const struct drbg_string *in) 1711541af946SStephan Mueller { 171204bcbfcfSStephan Mueller struct crypto_cipher *tfm = 171304bcbfcfSStephan Mueller (struct crypto_cipher *)drbg->priv_data; 1714541af946SStephan Mueller 171504bcbfcfSStephan Mueller crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1716541af946SStephan Mueller /* there is only component in *in */ 171704bcbfcfSStephan Mueller BUG_ON(in->len < drbg_blocklen(drbg)); 171804bcbfcfSStephan Mueller crypto_cipher_encrypt_one(tfm, outval, in->buf); 171904bcbfcfSStephan Mueller return 0; 1720541af946SStephan Mueller } 1721541af946SStephan Mueller #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1722541af946SStephan Mueller 1723541af946SStephan Mueller /*************************************************************** 1724541af946SStephan Mueller * Kernel crypto API interface to register DRBG 1725541af946SStephan Mueller ***************************************************************/ 1726541af946SStephan Mueller 1727541af946SStephan Mueller /* 1728541af946SStephan Mueller * Look up the DRBG flags by given kernel crypto API cra_name 1729541af946SStephan Mueller * The code uses the drbg_cores definition to do this 1730541af946SStephan Mueller * 1731541af946SStephan Mueller * @cra_name kernel crypto API cra_name 1732541af946SStephan Mueller * @coreref reference to integer which is filled with the pointer to 1733541af946SStephan Mueller * the applicable core 1734541af946SStephan Mueller * @pr reference for setting prediction resistance 1735541af946SStephan Mueller * 1736541af946SStephan Mueller * return: flags 1737541af946SStephan Mueller */ 1738541af946SStephan Mueller static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1739541af946SStephan Mueller int *coreref, bool *pr) 1740541af946SStephan Mueller { 1741541af946SStephan Mueller int i = 0; 1742541af946SStephan Mueller size_t start = 0; 1743541af946SStephan Mueller int len = 0; 1744541af946SStephan Mueller 1745541af946SStephan Mueller *pr = true; 1746541af946SStephan Mueller /* disassemble the names */ 1747541af946SStephan Mueller if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1748541af946SStephan Mueller start = 10; 1749541af946SStephan Mueller *pr = false; 1750541af946SStephan Mueller } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1751541af946SStephan Mueller start = 8; 1752541af946SStephan Mueller } else { 1753541af946SStephan Mueller return; 1754541af946SStephan Mueller } 1755541af946SStephan Mueller 1756541af946SStephan Mueller /* remove the first part */ 1757541af946SStephan Mueller len = strlen(cra_driver_name) - start; 1758541af946SStephan Mueller for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1759541af946SStephan Mueller if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1760541af946SStephan Mueller len)) { 1761541af946SStephan Mueller *coreref = i; 1762541af946SStephan Mueller return; 1763541af946SStephan Mueller } 1764541af946SStephan Mueller } 1765541af946SStephan Mueller } 1766541af946SStephan Mueller 1767541af946SStephan Mueller static int drbg_kcapi_init(struct crypto_tfm *tfm) 1768541af946SStephan Mueller { 1769541af946SStephan Mueller struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1770541af946SStephan Mueller 177176899a41SStephan Mueller mutex_init(&drbg->drbg_mutex); 17722a57e424SHerbert Xu 17732a57e424SHerbert Xu return 0; 1774541af946SStephan Mueller } 1775541af946SStephan Mueller 1776541af946SStephan Mueller static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1777541af946SStephan Mueller { 1778541af946SStephan Mueller drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1779541af946SStephan Mueller } 1780541af946SStephan Mueller 1781541af946SStephan Mueller /* 1782541af946SStephan Mueller * Generate random numbers invoked by the kernel crypto API: 1783541af946SStephan Mueller * The API of the kernel crypto API is extended as follows: 1784541af946SStephan Mueller * 17858fded592SHerbert Xu * src is additional input supplied to the RNG. 17868fded592SHerbert Xu * slen is the length of src. 17878fded592SHerbert Xu * dst is the output buffer where random data is to be stored. 17888fded592SHerbert Xu * dlen is the length of dst. 1789541af946SStephan Mueller */ 17908fded592SHerbert Xu static int drbg_kcapi_random(struct crypto_rng *tfm, 17918fded592SHerbert Xu const u8 *src, unsigned int slen, 17928fded592SHerbert Xu u8 *dst, unsigned int dlen) 1793541af946SStephan Mueller { 1794541af946SStephan Mueller struct drbg_state *drbg = crypto_rng_ctx(tfm); 17958fded592SHerbert Xu struct drbg_string *addtl = NULL; 17968fded592SHerbert Xu struct drbg_string string; 17978fded592SHerbert Xu 17988fded592SHerbert Xu if (slen) { 17998c987166SStephan Mueller /* linked list variable is now local to allow modification */ 18008fded592SHerbert Xu drbg_string_fill(&string, src, slen); 18018fded592SHerbert Xu addtl = &string; 1802541af946SStephan Mueller } 18038fded592SHerbert Xu 18048fded592SHerbert Xu return drbg_generate_long(drbg, dst, dlen, addtl); 1805541af946SStephan Mueller } 1806541af946SStephan Mueller 1807541af946SStephan Mueller /* 18082a57e424SHerbert Xu * Seed the DRBG invoked by the kernel crypto API 1809541af946SStephan Mueller */ 18108fded592SHerbert Xu static int drbg_kcapi_seed(struct crypto_rng *tfm, 18118fded592SHerbert Xu const u8 *seed, unsigned int slen) 1812541af946SStephan Mueller { 1813541af946SStephan Mueller struct drbg_state *drbg = crypto_rng_ctx(tfm); 1814541af946SStephan Mueller struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1815541af946SStephan Mueller bool pr = false; 18168fded592SHerbert Xu struct drbg_string string; 18178fded592SHerbert Xu struct drbg_string *seed_string = NULL; 1818541af946SStephan Mueller int coreref = 0; 1819541af946SStephan Mueller 1820541af946SStephan Mueller drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1821541af946SStephan Mueller &pr); 1822541af946SStephan Mueller if (0 < slen) { 18238fded592SHerbert Xu drbg_string_fill(&string, seed, slen); 18248fded592SHerbert Xu seed_string = &string; 1825541af946SStephan Mueller } 18268fded592SHerbert Xu 18278fded592SHerbert Xu return drbg_instantiate(drbg, seed_string, coreref, pr); 1828541af946SStephan Mueller } 1829541af946SStephan Mueller 1830541af946SStephan Mueller /*************************************************************** 1831541af946SStephan Mueller * Kernel module: code to load the module 1832541af946SStephan Mueller ***************************************************************/ 1833541af946SStephan Mueller 1834541af946SStephan Mueller /* 1835541af946SStephan Mueller * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1836541af946SStephan Mueller * of the error handling. 1837541af946SStephan Mueller * 1838541af946SStephan Mueller * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1839541af946SStephan Mueller * as seed source of get_random_bytes does not fail. 1840541af946SStephan Mueller * 1841541af946SStephan Mueller * Note 2: There is no sensible way of testing the reseed counter 1842541af946SStephan Mueller * enforcement, so skip it. 1843541af946SStephan Mueller */ 1844541af946SStephan Mueller static inline int __init drbg_healthcheck_sanity(void) 1845541af946SStephan Mueller { 1846541af946SStephan Mueller int len = 0; 1847541af946SStephan Mueller #define OUTBUFLEN 16 1848541af946SStephan Mueller unsigned char buf[OUTBUFLEN]; 1849541af946SStephan Mueller struct drbg_state *drbg = NULL; 1850541af946SStephan Mueller int ret = -EFAULT; 1851541af946SStephan Mueller int rc = -EFAULT; 1852541af946SStephan Mueller bool pr = false; 1853541af946SStephan Mueller int coreref = 0; 1854541af946SStephan Mueller struct drbg_string addtl; 1855541af946SStephan Mueller size_t max_addtllen, max_request_bytes; 1856541af946SStephan Mueller 1857541af946SStephan Mueller /* only perform test in FIPS mode */ 1858541af946SStephan Mueller if (!fips_enabled) 1859541af946SStephan Mueller return 0; 1860541af946SStephan Mueller 1861541af946SStephan Mueller #ifdef CONFIG_CRYPTO_DRBG_CTR 1862541af946SStephan Mueller drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr); 1863e25e47ecSStephan Mueller #elif defined CONFIG_CRYPTO_DRBG_HASH 1864541af946SStephan Mueller drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 1865541af946SStephan Mueller #else 1866541af946SStephan Mueller drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr); 1867541af946SStephan Mueller #endif 1868541af946SStephan Mueller 1869541af946SStephan Mueller drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 1870541af946SStephan Mueller if (!drbg) 1871541af946SStephan Mueller return -ENOMEM; 1872541af946SStephan Mueller 1873e11a7548SHerbert Xu mutex_init(&drbg->drbg_mutex); 1874e11a7548SHerbert Xu 1875541af946SStephan Mueller /* 1876541af946SStephan Mueller * if the following tests fail, it is likely that there is a buffer 1877541af946SStephan Mueller * overflow as buf is much smaller than the requested or provided 1878541af946SStephan Mueller * string lengths -- in case the error handling does not succeed 1879541af946SStephan Mueller * we may get an OOPS. And we want to get an OOPS as this is a 1880541af946SStephan Mueller * grave bug. 1881541af946SStephan Mueller */ 1882541af946SStephan Mueller 1883541af946SStephan Mueller /* get a valid instance of DRBG for following tests */ 1884541af946SStephan Mueller ret = drbg_instantiate(drbg, NULL, coreref, pr); 1885541af946SStephan Mueller if (ret) { 1886541af946SStephan Mueller rc = ret; 1887541af946SStephan Mueller goto outbuf; 1888541af946SStephan Mueller } 1889541af946SStephan Mueller max_addtllen = drbg_max_addtl(drbg); 1890541af946SStephan Mueller max_request_bytes = drbg_max_request_bytes(drbg); 1891541af946SStephan Mueller drbg_string_fill(&addtl, buf, max_addtllen + 1); 1892541af946SStephan Mueller /* overflow addtllen with additonal info string */ 1893541af946SStephan Mueller len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 1894541af946SStephan Mueller BUG_ON(0 < len); 1895541af946SStephan Mueller /* overflow max_bits */ 1896541af946SStephan Mueller len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 1897541af946SStephan Mueller BUG_ON(0 < len); 1898541af946SStephan Mueller drbg_uninstantiate(drbg); 1899541af946SStephan Mueller 1900541af946SStephan Mueller /* overflow max addtllen with personalization string */ 1901541af946SStephan Mueller ret = drbg_instantiate(drbg, &addtl, coreref, pr); 1902541af946SStephan Mueller BUG_ON(0 == ret); 1903541af946SStephan Mueller /* all tests passed */ 1904541af946SStephan Mueller rc = 0; 1905541af946SStephan Mueller 1906541af946SStephan Mueller pr_devel("DRBG: Sanity tests for failure code paths successfully " 1907541af946SStephan Mueller "completed\n"); 1908541af946SStephan Mueller 1909541af946SStephan Mueller drbg_uninstantiate(drbg); 1910541af946SStephan Mueller outbuf: 1911541af946SStephan Mueller kzfree(drbg); 1912541af946SStephan Mueller return rc; 1913541af946SStephan Mueller } 1914541af946SStephan Mueller 19158fded592SHerbert Xu static struct rng_alg drbg_algs[22]; 1916541af946SStephan Mueller 1917541af946SStephan Mueller /* 1918541af946SStephan Mueller * Fill the array drbg_algs used to register the different DRBGs 1919541af946SStephan Mueller * with the kernel crypto API. To fill the array, the information 1920541af946SStephan Mueller * from drbg_cores[] is used. 1921541af946SStephan Mueller */ 19228fded592SHerbert Xu static inline void __init drbg_fill_array(struct rng_alg *alg, 1923541af946SStephan Mueller const struct drbg_core *core, int pr) 1924541af946SStephan Mueller { 1925541af946SStephan Mueller int pos = 0; 192651ee1422SHerbert Xu static int priority = 200; 1927541af946SStephan Mueller 19288fded592SHerbert Xu memcpy(alg->base.cra_name, "stdrng", 6); 1929541af946SStephan Mueller if (pr) { 19308fded592SHerbert Xu memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 1931541af946SStephan Mueller pos = 8; 1932541af946SStephan Mueller } else { 19338fded592SHerbert Xu memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 1934541af946SStephan Mueller pos = 10; 1935541af946SStephan Mueller } 19368fded592SHerbert Xu memcpy(alg->base.cra_driver_name + pos, core->cra_name, 1937541af946SStephan Mueller strlen(core->cra_name)); 1938541af946SStephan Mueller 19398fded592SHerbert Xu alg->base.cra_priority = priority; 1940541af946SStephan Mueller priority++; 1941541af946SStephan Mueller /* 1942541af946SStephan Mueller * If FIPS mode enabled, the selected DRBG shall have the 1943541af946SStephan Mueller * highest cra_priority over other stdrng instances to ensure 1944541af946SStephan Mueller * it is selected. 1945541af946SStephan Mueller */ 1946541af946SStephan Mueller if (fips_enabled) 19478fded592SHerbert Xu alg->base.cra_priority += 200; 1948541af946SStephan Mueller 19498fded592SHerbert Xu alg->base.cra_ctxsize = sizeof(struct drbg_state); 19508fded592SHerbert Xu alg->base.cra_module = THIS_MODULE; 19518fded592SHerbert Xu alg->base.cra_init = drbg_kcapi_init; 19528fded592SHerbert Xu alg->base.cra_exit = drbg_kcapi_cleanup; 19538fded592SHerbert Xu alg->generate = drbg_kcapi_random; 19548fded592SHerbert Xu alg->seed = drbg_kcapi_seed; 19558fded592SHerbert Xu alg->set_ent = drbg_kcapi_set_entropy; 19568fded592SHerbert Xu alg->seedsize = 0; 1957541af946SStephan Mueller } 1958541af946SStephan Mueller 1959541af946SStephan Mueller static int __init drbg_init(void) 1960541af946SStephan Mueller { 1961541af946SStephan Mueller unsigned int i = 0; /* pointer to drbg_algs */ 1962541af946SStephan Mueller unsigned int j = 0; /* pointer to drbg_cores */ 1963541af946SStephan Mueller int ret = -EFAULT; 1964541af946SStephan Mueller 1965541af946SStephan Mueller ret = drbg_healthcheck_sanity(); 1966541af946SStephan Mueller if (ret) 1967541af946SStephan Mueller return ret; 1968541af946SStephan Mueller 1969541af946SStephan Mueller if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 1970541af946SStephan Mueller pr_info("DRBG: Cannot register all DRBG types" 1971a9089571SStephan Mueller "(slots needed: %zu, slots available: %zu)\n", 1972541af946SStephan Mueller ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 1973541af946SStephan Mueller return ret; 1974541af946SStephan Mueller } 1975541af946SStephan Mueller 1976541af946SStephan Mueller /* 1977541af946SStephan Mueller * each DRBG definition can be used with PR and without PR, thus 1978541af946SStephan Mueller * we instantiate each DRBG in drbg_cores[] twice. 1979541af946SStephan Mueller * 1980541af946SStephan Mueller * As the order of placing them into the drbg_algs array matters 1981541af946SStephan Mueller * (the later DRBGs receive a higher cra_priority) we register the 1982541af946SStephan Mueller * prediction resistance DRBGs first as the should not be too 1983541af946SStephan Mueller * interesting. 1984541af946SStephan Mueller */ 1985541af946SStephan Mueller for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1986541af946SStephan Mueller drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 1987541af946SStephan Mueller for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 1988541af946SStephan Mueller drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 19898fded592SHerbert Xu return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1990541af946SStephan Mueller } 1991541af946SStephan Mueller 199296956aefSFengguang Wu static void __exit drbg_exit(void) 1993541af946SStephan Mueller { 19948fded592SHerbert Xu crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 1995541af946SStephan Mueller } 1996541af946SStephan Mueller 1997541af946SStephan Mueller module_init(drbg_init); 1998541af946SStephan Mueller module_exit(drbg_exit); 1999e25e47ecSStephan Mueller #ifndef CRYPTO_DRBG_HASH_STRING 2000e25e47ecSStephan Mueller #define CRYPTO_DRBG_HASH_STRING "" 2001e25e47ecSStephan Mueller #endif 2002e25e47ecSStephan Mueller #ifndef CRYPTO_DRBG_HMAC_STRING 2003e25e47ecSStephan Mueller #define CRYPTO_DRBG_HMAC_STRING "" 2004e25e47ecSStephan Mueller #endif 2005e25e47ecSStephan Mueller #ifndef CRYPTO_DRBG_CTR_STRING 2006e25e47ecSStephan Mueller #define CRYPTO_DRBG_CTR_STRING "" 2007e25e47ecSStephan Mueller #endif 2008541af946SStephan Mueller MODULE_LICENSE("GPL"); 2009541af946SStephan Mueller MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2010e25e47ecSStephan Mueller MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2011e25e47ecSStephan Mueller "using following cores: " 2012e25e47ecSStephan Mueller CRYPTO_DRBG_HASH_STRING 2013e25e47ecSStephan Mueller CRYPTO_DRBG_HMAC_STRING 2014e25e47ecSStephan Mueller CRYPTO_DRBG_CTR_STRING); 201551ee1422SHerbert Xu MODULE_ALIAS_CRYPTO("stdrng"); 2016