algif_rng.c 8.3 KB

  1. /*
  2. * algif_rng: User-space interface for random number generators
  3. *
  4. * This file provides the user-space API for random number generators.
  5. *
  6. * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. * 1. Redistributions of source code must retain the above copyright
  12. * notice, and the entire permission notice in its entirety,
  13. * including the disclaimer of warranties.
  14. * 2. Redistributions in binary form must reproduce the above copyright
  15. * notice, this list of conditions and the following disclaimer in the
  16. * documentation and/or other materials provided with the distribution.
  17. * 3. The name of the author may not be used to endorse or promote
  18. * products derived from this software without specific prior
  19. * written permission.
  20. *
  21. * ALTERNATIVELY, this product may be distributed under the terms of
  22. * the GNU General Public License, in which case the provisions of the GPL2
  23. * are required INSTEAD OF the above restrictions. (This clause is
  24. * necessary due to a potential bad interaction between the GPL and
  25. * the restrictions contained in a BSD-style copyright.)
  26. *
  27. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  28. * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  29. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  30. * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
  31. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  32. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  33. * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  34. * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  35. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  36. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  37. * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  38. * DAMAGE.
  39. */
  40. #include <linux/capability.h>
  41. #include <linux/module.h>
  42. #include <crypto/rng.h>
  43. #include <linux/random.h>
  44. #include <crypto/if_alg.h>
  45. #include <linux/net.h>
  46. #include <net/sock.h>
  /* Module metadata recorded for modinfo and the module loader. */
  MODULE_DESCRIPTION("User-space interface for random number generators");
  MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
  MODULE_LICENSE("GPL");
  /*
   * Upper bound, in bytes, applied in this file to a single generate request,
   * to the additional data accepted by the test sendmsg handler, and to the
   * test entropy accepted by rng_setentropy().
   */
  #define MAXSIZE 128

  /* Per-accepted-socket state, created in rng_accept_parent(). */
  struct rng_ctx {
      /* Size of this allocation; handed back to sock_kfree_s() on destruct. */
      unsigned int len;
      /* RNG handle copied from the parent context (not owned by this struct). */
      struct crypto_rng *drng;
      /* Additional data queued by rng_test_sendmsg(); NULL when none is pending. */
      u8 *addtl;
      /* Number of valid bytes at addtl. */
      size_t addtl_len;
  };
  /* State attached to the bound (parent) socket. */
  struct rng_parent_ctx {
      /* RNG allocated in rng_bind() and freed in rng_release(). */
      struct crypto_rng *drng;
      /*
       * Test entropy buffer stored by rng_setentropy(). It is kept here only
       * so that rng_release() can free it; a non-NULL value also switches
       * accepted sockets to the test proto_ops in rng_accept_parent().
       */
      u8 *entropy;
  };
  /*
   * Drop any additional data queued on @ctx.
   *
   * The buffer is released with kfree_sensitive() because it holds
   * caller-supplied generator input. The context is left with a NULL pointer
   * and a zero length, so a later generate call sees no additional data.
   */
  static void rng_reset_addtl(struct rng_ctx *ctx)
  {
      u8 *stale = ctx->addtl;

      ctx->addtl_len = 0;
      ctx->addtl = NULL;
      kfree_sensitive(stale);
  }
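  /*
   * Generate random bytes from @drng and copy them into @msg.
   *
   * @drng:      RNG to draw from.
   * @msg:       destination message supplied by the recvmsg caller.
   * @len:       number of bytes requested; silently clamped to MAXSIZE.
   * @addtl:     optional additional data passed to the generator, may be NULL.
   * @addtl_len: length of @addtl in bytes.
   *
   * Return: the (clamped) number of bytes copied, 0 when @len is 0, or a
   * negative errno from the generator or from the copy into @msg.
   */
  static int _rng_recvmsg(struct crypto_rng *drng, struct msghdr *msg, size_t len,
                          u8 *addtl, size_t addtl_len)
  {
      u8 result[MAXSIZE];
      int err;

      if (len == 0)
          return 0;
      if (len > MAXSIZE)
          len = MAXSIZE;

      /*
       * Not strictly needed, but guards against a coding error handing
       * uninitialised stack bytes to the caller.
       */
      memset(result, 0, len);

      /*
       * Proper seeding is enforced inside the RNG implementation. Some RNGs
       * (DRBG, krng) seed themselves automatically; the X9.31 DRNG returns
       * an error if it was not seeded properly.
       */
      err = crypto_rng_generate(drng, addtl, addtl_len, result, len);
      if (err >= 0)
          err = memcpy_to_msg(msg, result, len);

      /*
       * Wipe the stack copy on every exit path. A generate call that fails
       * may already have written some output into the buffer, so the error
       * path is wiped as well as the success path.
       */
      memzero_explicit(result, len);

      return err ? err : len;
  }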
  /*
   * recvmsg handler for the regular (non-test) proto_ops.
   *
   * No additional data is ever passed to the generator on this path, and the
   * socket lock is not taken: the only context field read is ctx->drng, which
   * is assigned once in rng_accept_parent().
   * NOTE(review): serialising concurrent generate calls on a shared RNG is
   * left to the RNG implementation here - confirm for each algorithm.
   */
  static int rng_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
                         int flags)
  {
      struct rng_ctx *ctx = alg_sk(sock->sk)->private;

      return _rng_recvmsg(ctx->drng, msg, len, NULL, 0);
  }
  /*
   * recvmsg handler for the CAVP test proto_ops.
   *
   * Feeds whatever additional data rng_test_sendmsg() queued into a single
   * generate call and then discards it, so each queued buffer is used at most
   * once. The socket lock covers both steps because ctx->addtl is also
   * modified by rng_test_sendmsg().
   */
  static int rng_test_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
                              int flags)
  {
      struct sock *sk = sock->sk;
      struct rng_ctx *ctx = alg_sk(sk)->private;
      int copied;

      lock_sock(sk);
      copied = _rng_recvmsg(ctx->drng, msg, len, ctx->addtl, ctx->addtl_len);
      rng_reset_addtl(ctx);
      release_sock(sk);

      return copied;
  }
  /*
   * sendmsg handler for the CAVP test proto_ops: queue additional data for
   * the next rng_test_recvmsg() call.
   *
   * The length is bounded by MAXSIZE before anything is allocated. Any
   * previously queued buffer is released first, and a failed copy from the
   * message leaves no buffer queued.
   *
   * Return: @len on success, -EMSGSIZE if @len exceeds MAXSIZE, -ENOMEM on
   * allocation failure, or the error returned by memcpy_from_msg().
   */
  static int rng_test_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
  {
      struct sock *sk = sock->sk;
      struct rng_ctx *ctx = alg_sk(sk)->private;
      int err;

      lock_sock(sk);

      if (len > MAXSIZE) {
          err = -EMSGSIZE;
      } else {
          rng_reset_addtl(ctx);
          ctx->addtl = kmalloc(len, GFP_KERNEL);
          if (!ctx->addtl) {
              err = -ENOMEM;
          } else {
              err = memcpy_from_msg(ctx->addtl, msg, len);
              if (err)
                  rng_reset_addtl(ctx);   /* do not keep a partial copy */
              else
                  ctx->addtl_len = len;
          }
      }

      release_sock(sk);

      return err ? err : len;
  }
  /*
   * Socket operations for regular use. Only recvmsg and release do real work;
   * sendmsg is wired to sock_no_sendmsg, so user space cannot push additional
   * data into the generator through this table.
   */
  static struct proto_ops algif_rng_ops = {
      .family     = PF_ALG,

      .release    = af_alg_release,
      .recvmsg    = rng_recvmsg,
      .sendmsg    = sock_no_sendmsg,

      .bind       = sock_no_bind,
      .connect    = sock_no_connect,
      .accept     = sock_no_accept,
      .listen     = sock_no_listen,
      .socketpair = sock_no_socketpair,
      .getname    = sock_no_getname,
      .ioctl      = sock_no_ioctl,
      .shutdown   = sock_no_shutdown,
      .mmap       = sock_no_mmap,
  };
  /*
   * Socket operations for CAVP testing. This table differs from algif_rng_ops
   * only in its sendmsg/recvmsg pair, which lets the caller supply additional
   * data. It is installed by rng_accept_parent() only when the parent context
   * holds test entropy; __maybe_unused covers builds where it is never
   * referenced.
   */
  static struct proto_ops __maybe_unused algif_rng_test_ops = {
      .family     = PF_ALG,

      .release    = af_alg_release,
      .recvmsg    = rng_test_recvmsg,
      .sendmsg    = rng_test_sendmsg,

      .bind       = sock_no_bind,
      .connect    = sock_no_connect,
      .accept     = sock_no_accept,
      .listen     = sock_no_listen,
      .socketpair = sock_no_socketpair,
      .getname    = sock_no_getname,
      .ioctl      = sock_no_ioctl,
      .shutdown   = sock_no_shutdown,
      .mmap       = sock_no_mmap,
  };
  /*
   * af_alg bind callback: allocate the parent context and the RNG named by
   * the caller.
   *
   * Return: the new parent context, or an ERR_PTR() value (-ENOMEM, or the
   * error reported by crypto_alloc_rng()). The context is zero-initialised,
   * so ->entropy starts out NULL.
   */
  static void *rng_bind(const char *name, u32 type, u32 mask)
  {
      struct rng_parent_ctx *parent;
      struct crypto_rng *tfm;

      parent = kzalloc_obj(*parent);
      if (!parent)
          return ERR_PTR(-ENOMEM);

      tfm = crypto_alloc_rng(name, type, mask);
      if (!IS_ERR(tfm)) {
          parent->drng = tfm;
          return parent;
      }

      /* RNG allocation failed: undo the context allocation. */
      kfree(parent);
      return ERR_CAST(tfm);
  }
  /*
   * af_alg release callback: free the RNG, the saved test entropy and the
   * parent context itself. The entropy buffer and the context are freed with
   * kfree_sensitive() so their contents are wiped before the memory is
   * returned to the allocator.
   */
  static void rng_release(void *private)
  {
      struct rng_parent_ctx *parent = private;

      if (unlikely(parent == NULL))
          return;

      crypto_free_rng(parent->drng);
      kfree_sensitive(parent->entropy);
      kfree_sensitive(parent);
  }
  /*
   * Destructor for accepted sockets, installed by rng_accept_parent().
   * Releases any queued additional data, then the per-socket context, then
   * the reference on the parent socket.
   */
  static void rng_sock_destruct(struct sock *sk)
  {
      struct rng_ctx *ctx = alg_sk(sk)->private;

      rng_reset_addtl(ctx);
      /* ctx->len is the size recorded when the context was allocated. */
      sock_kfree_s(sk, ctx, ctx->len);
      af_alg_release_parent(sk);
  }
  /*
   * af_alg accept callback: set up the per-socket context for a newly
   * accepted socket.
   *
   * Return: 0 on success, -ENOMEM if the context cannot be allocated.
   */
  static int rng_accept_parent(void *private, struct sock *sk)
  {
      struct rng_parent_ctx *parent = private;
      struct alg_sock *ask = alg_sk(sk);
      struct rng_ctx *child;
      unsigned int size = sizeof(*child);

      child = sock_kmalloc(sk, size, GFP_KERNEL);
      if (!child)
          return -ENOMEM;

      memset(child, 0, size);
      child->len = size;

      /*
       * No seeding happens here. If accept is called several times on one
       * RNG instance, every resulting FD refers to the same RNG state.
       */
      child->drng = parent->drng;

      ask->private = child;
      sk->sk_destruct = rng_sock_destruct;

      /*
       * A non-NULL parent->entropy means a CAVP test has been initiated on
       * this socket, so algif_rng_test_ops replaces algif_rng_ops.
       */
      if (IS_ENABLED(CONFIG_CRYPTO_USER_API_RNG_CAVP) && parent->entropy)
          sk->sk_socket->ops = &algif_rng_test_ops;

      return 0;
  }
  /*
   * af_alg setkey callback: reseed the bound RNG with caller-supplied seed
   * material.
   *
   * The seed length is not validated here; checking that it is sufficient is
   * the job of the RNG implementation behind crypto_rng_reset().
   */
  static int rng_setkey(void *private, const u8 *seed, unsigned int seedlen)
  {
      struct rng_parent_ctx *parent = private;
      struct crypto_rng *tfm = parent->drng;

      return crypto_rng_reset(tfm, seed, seedlen);
  }
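  /*
   * af_alg setentropy callback (CAVP testing only): replace the RNG's entropy
   * input with caller-supplied bytes.
   *
   * @private: parent context created by rng_bind().
   * @entropy: source buffer holding the test entropy.
   * @len:     number of bytes at @entropy; at most MAXSIZE.
   *
   * Supplying the entropy makes the RNG output predictable to the caller, so
   * the call is restricted to CAP_SYS_ADMIN and is accepted only while no
   * entropy buffer is stored on the parent context.
   *
   * Return: 0 on success, -EACCES without CAP_SYS_ADMIN, -EINVAL if entropy
   * is already stored, -EMSGSIZE if @len exceeds MAXSIZE, -EOPNOTSUPP if the
   * RNG has no set_ent hook, or the error from memdup_sockptr().
   */
  static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
                                           unsigned int len)
  {
      struct rng_parent_ctx *pctx = private;
      u8 *kentropy = NULL;

      if (!capable(CAP_SYS_ADMIN))
          return -EACCES;

      if (pctx->entropy)
          return -EINVAL;

      if (len > MAXSIZE)
          return -EMSGSIZE;

      /*
       * The hook is called through a function pointer taken from the
       * algorithm, and the bound algorithm is chosen by the caller.
       * NOTE(review): set_ent appears to be provided only by some RNG
       * implementations - confirm. The check runs before the copy below so
       * that nothing needs freeing on this path.
       */
      if (!crypto_rng_alg(pctx->drng)->set_ent)
          return -EOPNOTSUPP;

      if (len) {
          kentropy = memdup_sockptr(entropy, len);
          if (IS_ERR(kentropy))
              return PTR_ERR(kentropy);
      }

      crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);

      /*
       * The RNG does no memory management for the entropy buffer, so the
       * pointer is saved on the parent context and freed in rng_release().
       * With len == 0 this stores NULL, which leaves accepted sockets on the
       * regular proto_ops.
       */
      pctx->entropy = kentropy;
      return 0;
  }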
  /*
   * AF_ALG type descriptor for "rng". The setentropy hook is compiled in only
   * with CONFIG_CRYPTO_USER_API_RNG_CAVP; without it the test entropy path is
   * not reachable through this table.
   */
  static const struct af_alg_type algif_type_rng = {
      .name       = "rng",
      .owner      = THIS_MODULE,
      .ops        = &algif_rng_ops,
      .bind       = rng_bind,
      .accept     = rng_accept_parent,
      .release    = rng_release,
      .setkey     = rng_setkey,
  #ifdef CONFIG_CRYPTO_USER_API_RNG_CAVP
      .setentropy = rng_setentropy,
  #endif
  };
  /* Module entry point: register the "rng" type with AF_ALG. */
  static int __init rng_init(void)
  {
      int rc = af_alg_register_type(&algif_type_rng);

      return rc;
  }
  /*
   * Module exit point: unregister the "rng" type. A failure to unregister is
   * treated as fatal via BUG_ON().
   */
  static void __exit rng_exit(void)
  {
      int rc;

      rc = af_alg_unregister_type(&algif_type_rng);
      BUG_ON(rc);
  }
  /* Hook the registration and unregistration routines into module load/unload. */
  module_init(rng_init);
  module_exit(rng_exit);