  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * NIST SP800-90A DRBG derivation function
  4. *
  5. * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
  6. */
  7. #include <linux/errno.h>
  8. #include <linux/kernel.h>
  9. #include <linux/module.h>
  10. #include <linux/string.h>
  11. #include <crypto/aes.h>
  12. #include <crypto/df_sp80090a.h>
  13. #include <crypto/internal/drbg.h>
/*
 * Encrypt one cipher block with the schedule held in @aeskey.
 *
 * @in carries a single component; its buffer must hold at least
 * @blocklen_bytes bytes, of which the first block is encrypted into
 * @outval. drbg_ctr_bcc() below passes the same buffer as @outval and
 * as in->buf, i.e. the block is encrypted in place.
 */
static void drbg_kcapi_sym(struct aes_enckey *aeskey, unsigned char *outval,
			   const struct drbg_string *in, u8 blocklen_bytes)
{
	const unsigned char *block = in->buf;

	/* a short component would make the cipher read past the buffer */
	BUG_ON(in->len < blocklen_bytes);
	aes_encrypt(aeskey, outval, block);
}
/*
 * BCC function for CTR DRBG as defined in SP800-90A 10.4.3.
 *
 * @out is used as the chaining value: every input byte from the
 * drbg_string entries on @in is XORed into it, and each time a full block
 * has been accumulated the block is encrypted in place under @key. The
 * caller must hand over @out filled with zeros (10.4.3 step 1); the final
 * block of @out is the BCC result. @aeskey is re-keyed with @key/@keylen.
 */
static void drbg_ctr_bcc(struct aes_enckey *aeskey,
			 unsigned char *out, const unsigned char *key,
			 struct list_head *in,
			 u8 blocklen_bytes,
			 u8 keylen)
{
	struct drbg_string chain;
	struct drbg_string *entry = NULL;
	short fill = 0;

	/* describe the chaining block once so the cipher can consume it */
	drbg_string_fill(&chain, out, blocklen_bytes);

	/* 10.4.3 step 2 / 4: install the key used for every block */
	aes_prepareenckey(aeskey, key, keylen);

	list_for_each_entry(entry, in, list) {
		const unsigned char *src = entry->buf;
		size_t remaining;

		/* 10.4.3 step 4.1: fold the component byte-wise into out */
		for (remaining = entry->len; remaining; remaining--, src++) {
			/* 10.4.3 step 4.2: a full block is ready, encrypt it */
			if (fill == blocklen_bytes) {
				drbg_kcapi_sym(aeskey, out, &chain,
					       blocklen_bytes);
				fill = 0;
			}
			out[fill++] ^= *src;
		}
	}

	/* 10.4.3 step 4.2 for the last block still waiting in out */
	if (fill)
		drbg_kcapi_sym(aeskey, out, &chain, blocklen_bytes);
}
  54. /*
  55. * scratchpad usage: drbg_ctr_update is interlinked with crypto_drbg_ctr_df
  56. * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
  57. * the scratchpad is used as follows:
  58. * drbg_ctr_update:
  59. * temp
  60. * start: drbg->scratchpad
  61. * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
  62. * note: the cipher writing into this variable works
  63. * blocklen-wise. Now, when the statelen is not a multiple
  64. * of blocklen, the generation loop below "spills over"
  65. * by at most blocklen. Thus, we need to give sufficient
  66. * memory.
  67. * df_data
  68. * start: drbg->scratchpad +
  69. * drbg_statelen(drbg) + drbg_blocklen(drbg)
  70. * length: drbg_statelen(drbg)
  71. *
  72. * crypto_drbg_ctr_df:
  73. * pad
  74. * start: df_data + drbg_statelen(drbg)
  75. * length: drbg_blocklen(drbg)
  76. * iv
  77. * start: pad + drbg_blocklen(drbg)
  78. * length: drbg_blocklen(drbg)
  79. * temp
  80. * start: iv + drbg_blocklen(drbg)
  81. * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
  82. * note: temp is the buffer that the BCC function operates
  83. * on. BCC operates blockwise. drbg_statelen(drbg)
  84. * is sufficient when the DRBG state length is a multiple
  85. * of the block size. For AES192 (and maybe other ciphers)
  86. * this is not correct and the length for temp is
  87. * insufficient (yes, that also means for such ciphers,
  88. * the final output of all BCC rounds is truncated).
  89. * Therefore, add drbg_blocklen(drbg) to cover all
  90. * possibilities.
  91. * refer to crypto_drbg_ctr_df_datalen() to get required length
  92. */
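/* Derivation Function for CTR DRBG as defined in 10.4.2 */
/**
 * crypto_drbg_ctr_df - Block_Cipher_df of SP800-90A 10.4.2 on top of AES
 * @aeskey: AES key schedule, re-keyed in place twice: with the constant K
 *	    of step 8 for the BCC loop and with the derived key for step 13
 * @df_data: scratch area laid out as in the comment above; on success its
 *	     first @bytes_to_return bytes hold the derived data
 * @bytes_to_return: number of output bytes requested; bounded by the 512
 *		     bits of the spec and by @statelen because of the layout
 * @seedlist: drbg_string entries forming input_string; they are linked into
 *	      a local list with list_splice_tail(), which does not
 *	      re-initialise @seedlist
 * @blocklen_bytes: cipher block size in bytes
 * @statelen: DRBG state size in bytes, i.e. key length plus block length
 *
 * The pad, iv and temp areas behind @df_data are zeroised before returning
 * because temp holds the intermediate key material of step 13.
 *
 * Return: 0 on success, -EINVAL when the sizes are inconsistent.
 */
int crypto_drbg_ctr_df(struct aes_enckey *aeskey,
		       unsigned char *df_data, size_t bytes_to_return,
		       struct list_head *seedlist,
		       u8 blocklen_bytes,
		       u8 statelen)
{
	unsigned char L_N[8];
	/* S3 is the caller's input list */
	struct drbg_string S1, S2, S4, cipherin;
	LIST_HEAD(bcc_list);
	unsigned char *pad = df_data + statelen;
	unsigned char *iv = pad + blocklen_bytes;
	unsigned char *temp = iv + blocklen_bytes;
	size_t padlen = 0;
	unsigned int templen = 0;
	/* 10.4.2 step 7 */
	unsigned int i = 0;
	/* 10.4.2 step 8: fixed key 0x00..0x1f, long enough for AES-256 */
	static const unsigned char K[] = {
		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
	};
	unsigned char *X;
	size_t generated_len = 0;
	size_t inputlen = 0;
	struct drbg_string *seed = NULL;
	u8 keylen;

	/*
	 * blocklen_bytes is used as a modulus below and keylen must not
	 * wrap around, so reject inconsistent sizes before touching memory.
	 */
	if (!blocklen_bytes || statelen <= blocklen_bytes)
		return -EINVAL;
	keylen = statelen - blocklen_bytes;
	/* the BCC key is read from K, which must cover keylen bytes */
	if (keylen > sizeof(K))
		return -EINVAL;

	/* 10.4.2 step 2: max_number_of_bits is 512 */
	if ((512 / 8) < bytes_to_return)
		return -EINVAL;
	/*
	 * The output lands in df_data[0 .. bytes_to_return) while pad starts
	 * at df_data + statelen and is zeroised on return, so a longer
	 * request would have its tail wiped; reject it instead.
	 */
	if (statelen < bytes_to_return)
		return -EINVAL;

	memset(pad, 0, blocklen_bytes);
	memset(iv, 0, blocklen_bytes);
	/*
	 * drbg_ctr_bcc() uses its output block as the BCC chaining value,
	 * which 10.4.3 step 1 requires to start as all zeros; clear temp here
	 * rather than relying on the caller's scratchpad being clean.
	 */
	memset(temp, 0, statelen + blocklen_bytes);

	/* 10.4.2 step 1 is implicit as we work byte-wise */
	/* 10.4.2 step 2 -- calculate the entire length of all input data */
	list_for_each_entry(seed, seedlist, list)
		inputlen += seed->len;
	drbg_cpu_to_be32(inputlen, &L_N[0]);
	/* 10.4.2 step 3 */
	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);

	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
	padlen = (inputlen + sizeof(L_N) + 1) % (blocklen_bytes);
	/* wrap the padlen appropriately */
	if (padlen)
		padlen = blocklen_bytes - padlen;
	/*
	 * pad / padlen contains the 0x80 byte and the following zero bytes.
	 * As the calculated padlen value only covers the number of zero
	 * bytes, this value has to be incremented by one for the 0x80 byte.
	 */
	padlen++;
	pad[0] = 0x80;

	/* 10.4.2 step 4 -- first fill the linked list and then order it */
	drbg_string_fill(&S1, iv, blocklen_bytes);
	list_add_tail(&S1.list, &bcc_list);
	drbg_string_fill(&S2, L_N, sizeof(L_N));
	list_add_tail(&S2.list, &bcc_list);
	list_splice_tail(seedlist, &bcc_list);
	drbg_string_fill(&S4, pad, padlen);
	list_add_tail(&S4.list, &bcc_list);

	/* 10.4.2 step 9 */
	while (templen < (keylen + (blocklen_bytes))) {
		/*
		 * 10.4.2 step 9.1 - the padding is implicit as the iv block
		 * was zeroed above -- even the increment of i is irrelevant
		 * as the increment remains within length of i
		 */
		drbg_cpu_to_be32(i, iv);
		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
		drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list,
			     blocklen_bytes, keylen);
		/* 10.4.2 step 9.3 */
		i++;
		templen += blocklen_bytes;
	}

	/* 10.4.2 step 11 */
	X = temp + (keylen);
	drbg_string_fill(&cipherin, X, blocklen_bytes);

	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
	/* 10.4.2 step 13 */
	aes_prepareenckey(aeskey, temp, keylen);
	while (generated_len < bytes_to_return) {
		size_t chunk = bytes_to_return - generated_len;

		/*
		 * 10.4.2 step 13.1: X is encrypted in place, so every
		 * iteration chains on the block produced by the previous one
		 */
		drbg_kcapi_sym(aeskey, X, &cipherin, blocklen_bytes);
		if (chunk > blocklen_bytes)
			chunk = blocklen_bytes;
		/* 10.4.2 step 13.2 and 14 */
		memcpy(df_data + generated_len, X, chunk);
		generated_len += chunk;
	}

	/* wipe the intermediate state, including the derived key in temp */
	memset(iv, 0, blocklen_bytes);
	memset(temp, 0, statelen + blocklen_bytes);
	memset(pad, 0, blocklen_bytes);
	return 0;
}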
/*
 * Only the derivation function is exported; callers size df_data with
 * crypto_drbg_ctr_df_datalen() as noted in the scratchpad layout comment.
 */
EXPORT_SYMBOL_GPL(crypto_drbg_ctr_df);
MODULE_IMPORT_NS("CRYPTO_INTERNAL");
MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("Derivation Function conformant to SP800-90A");