  1. /*
  2. * DRBG: Deterministic Random Bits Generator
  3. * Based on NIST Recommended DRBG from NIST SP800-90A with the following
  4. * properties:
  5. * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
  6. * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
  7. * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
  8. * * with and without prediction resistance
  9. *
  10. * Copyright Stephan Mueller <smueller@chronox.de>, 2014
  11. *
  12. * Redistribution and use in source and binary forms, with or without
  13. * modification, are permitted provided that the following conditions
  14. * are met:
  15. * 1. Redistributions of source code must retain the above copyright
  16. * notice, and the entire permission notice in its entirety,
  17. * including the disclaimer of warranties.
  18. * 2. Redistributions in binary form must reproduce the above copyright
  19. * notice, this list of conditions and the following disclaimer in the
  20. * documentation and/or other materials provided with the distribution.
  21. * 3. The name of the author may not be used to endorse or promote
  22. * products derived from this software without specific prior
  23. * written permission.
  24. *
  25. * ALTERNATIVELY, this product may be distributed under the terms of
  26. * the GNU General Public License, in which case the provisions of the GPL are
  27. * required INSTEAD OF the above restrictions. (This clause is
  28. * necessary due to a potential bad interaction between the GPL and
  29. * the restrictions contained in a BSD-style copyright.)
  30. *
  31. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  32. * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  33. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
  34. * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
  35. * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  36. * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
  37. * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
  38. * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  39. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  40. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  41. * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
  42. * DAMAGE.
  43. *
  44. * DRBG Usage
  45. * ==========
  46. * The SP 800-90A DRBG allows the user to specify a personalization string
  47. * for initialization as well as an additional information string for each
  48. * random number request. The following code fragments show how a caller
  49. * uses the kernel crypto API to use the full functionality of the DRBG.
  50. *
  51. * Usage without any additional data
  52. * ---------------------------------
  53. * struct crypto_rng *drng;
  54. * int err;
  55. * char data[DATALEN];
  56. *
  57. * drng = crypto_alloc_rng(drng_name, 0, 0);
  58. * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  59. * crypto_free_rng(drng);
  60. *
  61. *
  62. * Usage with personalization string during initialization
  63. * -------------------------------------------------------
  64. * struct crypto_rng *drng;
  65. * int err;
  66. * char data[DATALEN];
  67. * struct drbg_string pers;
  68. * char personalization[11] = "some-string";
  69. *
  70. * drbg_string_fill(&pers, personalization, strlen(personalization));
  71. * drng = crypto_alloc_rng(drng_name, 0, 0);
  72. * // The reset completely re-initializes the DRBG with the provided
  73. * // personalization string
  74. * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
  75. * err = crypto_rng_get_bytes(drng, &data, DATALEN);
  76. * crypto_free_rng(drng);
  77. *
  78. *
  79. * Usage with additional information string during random number request
  80. * ---------------------------------------------------------------------
  81. * struct crypto_rng *drng;
  82. * int err;
  83. * char data[DATALEN];
  84. * char addtl_string[11] = "some-string";
  85. * struct drbg_string addtl;
  86. *
  87. * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
  88. * drng = crypto_alloc_rng(drng_name, 0, 0);
  89. * // The following call is a wrapper to crypto_rng_get_bytes() and returns
  90. * // the same error codes.
  91. * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
  92. * crypto_free_rng(drng);
  93. *
  94. *
  95. * Usage with personalization and additional information strings
  96. * -------------------------------------------------------------
  97. * Just mix both scenarios above.
  98. */
  99. #include <crypto/drbg.h>
  100. #include <crypto/df_sp80090a.h>
  101. #include <crypto/internal/cipher.h>
  102. #include <linux/kernel.h>
  103. #include <linux/jiffies.h>
  104. #include <linux/string_choices.h>
  105. /***************************************************************
  106. * Backend cipher definitions available to DRBG
  107. ***************************************************************/
  108. /*
  109. * The order of the DRBG definitions here matter: every DRBG is registered
  110. * as stdrng. Each DRBG receives an increasing cra_priority values the later
  111. * they are defined in this array (see drbg_fill_array).
  112. *
  113. * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the
  114. * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the
  115. * favored DRBGs are the latest entries in this array.
  116. */
/*
 * Backend table of all DRBG flavours this module can register.
 *
 * Entry order is significant: drbg_fill_array assigns each entry a higher
 * cra_priority than the one before it, so the most preferred DRBG must be
 * the last entry of its group (HMAC over Hash over CTR; SHA-512 / SHA-256 /
 * AES-256 over the other cores).
 *
 * statelen is the seed length of the core in bytes, blocklen_bytes the
 * output length of one primitive invocation.
 */
static const struct drbg_core drbg_cores[] = {
#ifdef CONFIG_CRYPTO_DRBG_CTR
	{
		.cra_name = "ctr_aes128",
		.backend_cra_name = "aes",
		.flags = DRBG_CTR | DRBG_STRENGTH128,
		.statelen = 32, /* 256 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
	}, {
		.cra_name = "ctr_aes192",
		.backend_cra_name = "aes",
		.flags = DRBG_CTR | DRBG_STRENGTH192,
		.statelen = 40, /* 320 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
	}, {
		.cra_name = "ctr_aes256",
		.backend_cra_name = "aes",
		.flags = DRBG_CTR | DRBG_STRENGTH256,
		.statelen = 48, /* 384 bits as defined in 10.2.1 */
		.blocklen_bytes = 16,
	},
#endif /* CONFIG_CRYPTO_DRBG_CTR */
#ifdef CONFIG_CRYPTO_DRBG_HASH
	{
		.cra_name = "sha384",
		.backend_cra_name = "sha384",
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111, /* 888 bits */
		.blocklen_bytes = 48,
	}, {
		.cra_name = "sha512",
		.backend_cra_name = "sha512",
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111, /* 888 bits */
		.blocklen_bytes = 64,
	}, {
		.cra_name = "sha256",
		.backend_cra_name = "sha256",
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 55, /* 440 bits */
		.blocklen_bytes = 32,
	},
#endif /* CONFIG_CRYPTO_DRBG_HASH */
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	{
		.cra_name = "hmac_sha384",
		.backend_cra_name = "hmac(sha384)",
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 48, /* block length of cipher */
		.blocklen_bytes = 48,
	}, {
		.cra_name = "hmac_sha256",
		.backend_cra_name = "hmac(sha256)",
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 32, /* block length of cipher */
		.blocklen_bytes = 32,
	}, {
		.cra_name = "hmac_sha512",
		.backend_cra_name = "hmac(sha512)",
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 64, /* block length of cipher */
		.blocklen_bytes = 64,
	},
#endif /* CONFIG_CRYPTO_DRBG_HMAC */
};
  182. static int drbg_uninstantiate(struct drbg_state *drbg);
  183. /******************************************************************
  184. * Generic helper functions
  185. ******************************************************************/
  186. /*
  187. * Return strength of DRBG according to SP800-90A section 8.4
  188. *
  189. * @flags DRBG flags reference
  190. *
  191. * Return: normalized strength in *bytes* value or 32 as default
  192. * to counter programming errors
  193. */
/*
 * Security strength of a DRBG according to SP800-90A section 8.4
 *
 * @flags DRBG flags; only the DRBG_STRENGTH_MASK bits are consulted
 *
 * Return: strength in *bytes*. Any strength value that is not one of the
 * known constants maps to 32 so that a programming error yields the
 * largest (most demanding) seed length rather than a short one.
 */
static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
{
	drbg_flag_t strength = flags & DRBG_STRENGTH_MASK;

	if (strength == DRBG_STRENGTH128)
		return 16;
	if (strength == DRBG_STRENGTH192)
		return 24;
	/* DRBG_STRENGTH256 and every unrecognized value */
	return 32;
}
  207. /*
  208. * FIPS 140-2 continuous self test for the noise source
  209. * The test is performed on the noise source input data. Thus, the function
  210. * implicitly knows the size of the buffer to be equal to the security
  211. * strength.
  212. *
  213. * Note, this function disregards the nonce trailing the entropy data during
  214. * initial seeding.
  215. *
  216. * drbg->drbg_mutex must have been taken.
  217. *
  218. * @drbg DRBG handle
  219. * @entropy buffer of seed data to be checked
  220. *
  221. * return:
  222. * %true on success
  223. * %false when the CTRNG is not yet primed
  224. */
/*
 * FIPS 140-2 continuous self test for the noise source
 *
 * Two consecutive seed inputs are compared; an identical repeat is treated
 * as a stuck noise source and is fatal. The buffer is implicitly assumed
 * to be as long as the security strength of the DRBG, the nonce that
 * trails the entropy during initial seeding is not part of the comparison.
 *
 * drbg->drbg_mutex must have been taken.
 *
 * @drbg DRBG handle
 * @entropy buffer of seed data to be checked
 *
 * return:
 * %true when the data passed (or the test does not apply)
 * %false when the test is not yet primed and another sample is needed
 */
static bool drbg_fips_continuous_test(struct drbg_state *drbg,
const unsigned char *entropy)
__must_hold(&drbg->drbg_mutex)
{
	unsigned short entropylen = drbg_sec_strength(drbg->core->flags);

	/*
	 * The test only applies to a FIPS-enabled build running in FIPS mode,
	 * and is skipped when no test data is injected (overall system test).
	 */
	if (!IS_ENABLED(CONFIG_CRYPTO_FIPS) ||
	    list_empty(&drbg->test_data.list) ||
	    !fips_enabled)
		return true;

	/* first sample only primes the comparison value */
	if (!drbg->fips_primed) {
		memcpy(drbg->prev, entropy, entropylen);
		drbg->fips_primed = true;
		return false;
	}

	/* an exact repeat of the previous sample is a stuck source */
	if (memcmp(drbg->prev, entropy, entropylen) == 0)
		panic("DRBG continuous self test failed\n");

	/* remember the sample for the next comparison */
	memcpy(drbg->prev, entropy, entropylen);
	return true;
}
  251. /******************************************************************
  252. * CTR DRBG callback functions
  253. ******************************************************************/
  254. #ifdef CONFIG_CRYPTO_DRBG_CTR
  255. #define CRYPTO_DRBG_CTR_STRING "CTR "
  256. MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
  257. MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
  258. MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
  259. MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
  260. MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
  261. MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
  262. static int drbg_init_sym_kernel(struct drbg_state *drbg);
  263. static int drbg_fini_sym_kernel(struct drbg_state *drbg);
  264. static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
  265. u8 *inbuf, u32 inbuflen,
  266. u8 *outbuf, u32 outlen);
  267. #define DRBG_OUTSCRATCHLEN 256
/*
 * Block_Cipher_df wrapper for the CTR DRBG (SP800-90A 10.4.2)
 *
 * @drbg DRBG handle
 * @df_data output buffer; receives drbg_statelen(drbg) bytes
 * @bytes_to_return not consulted: the derivation always requests the
 *                  state length, which is what the callers pass anyway
 * @seedlist list of drbg_string entries forming the DF input
 *
 * Return: result of crypto_drbg_ctr_df()
 */
static int drbg_ctr_df(struct drbg_state *drbg,
unsigned char *df_data, size_t bytes_to_return,
struct list_head *seedlist)
{
	size_t statelen = drbg_statelen(drbg);
	size_t blocklen = drbg_blocklen(drbg);

	return crypto_drbg_ctr_df(drbg->priv_data, df_data, statelen,
				  seedlist, blocklen, statelen);
}
  275. /*
  276. * update function of CTR DRBG as defined in 10.2.1.2
  277. *
  278. * The reseed variable has an enhanced meaning compared to the update
  279. * functions of the other DRBGs as follows:
  280. * 0 => initial seed from initialization
  281. * 1 => reseed via drbg_seed
  282. * 2 => first invocation from drbg_ctr_update when addtl is present. In
  283. * this case, the df_data scratchpad is not deleted so that it is
  284. * available for another calls to prevent calling the DF function
  285. * again.
  286. * 3 => second invocation from drbg_ctr_update. When the update function
  287. * was called with addtl, the df_data memory already contains the
  288. * DFed addtl information and we do not need to call DF again.
  289. */
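/*
 * update function of CTR DRBG as defined in 10.2.1.2
 *
 * The reseed variable has an enhanced meaning compared to the update
 * functions of the other DRBGs as follows:
 * 0 => initial seed from initialization
 * 1 => reseed via drbg_seed
 * 2 => first invocation from drbg_ctr_update when addtl is present. In
 * this case, the df_data scratchpad is not deleted so that it is
 * available for another calls to prevent calling the DF function
 * again.
 * 3 => second invocation from drbg_ctr_update. When the update function
 * was called with addtl, the df_data memory already contains the
 * DFed addtl information and we do not need to call DF again.
 *
 * Scratchpad layout: temp occupies the first statelen + blocklen bytes,
 * df_data the statelen bytes after it. temp is scrubbed on every exit
 * path, df_data on every exit path except reseed == 2 (see above).
 *
 * @drbg DRBG handle
 * @seed list of drbg_string entries with seed / addtl data, may be NULL
 * @reseed see above
 *
 * Return: 0 on success, negative error code from the DF, the CTR
 * operation or crypto_skcipher_setkey() otherwise
 */
static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
int reseed)
{
	int ret = -EFAULT;
	/* 10.2.1.2 step 1 */
	unsigned char *temp = drbg->scratchpad;
	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
	drbg_blocklen(drbg);

	if (3 > reseed)
		memset(df_data, 0, drbg_statelen(drbg));

	if (!reseed) {
		/*
		 * The DRBG uses the CTR mode of the underlying AES cipher. The
		 * CTR mode increments the counter value after the AES operation
		 * but SP800-90A requires that the counter is incremented before
		 * the AES operation. Hence, we increment it at the time we set
		 * it by one.
		 */
		crypto_inc(drbg->V, drbg_blocklen(drbg));
		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
					     drbg_keylen(drbg));
		if (ret)
			goto out;
	}

	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
	if (seed) {
		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
		if (ret)
			goto out;
	}

	/* 10.2.1.2 step 2 to 4: temp = CTR keystream XOR df_data */
	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
				 temp, drbg_statelen(drbg));
	/*
	 * Previously returned directly here, which left temp and df_data
	 * in the scratchpad on this one error path; route it through the
	 * common scrubbing like every other failure.
	 */
	if (ret)
		goto out;

	/* 10.2.1.2 step 5 */
	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
				     drbg_keylen(drbg));
	if (ret)
		goto out;

	/* 10.2.1.2 step 6 */
	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
	/* See above: increment counter by one to compensate timing of CTR op */
	crypto_inc(drbg->V, drbg_blocklen(drbg));

	ret = 0;

out:
	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
	if (2 != reseed)
		memset(df_data, 0, drbg_statelen(drbg));
	return ret;
}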
  340. /*
  341. * scratchpad use: drbg_ctr_update is called independently from
  342. * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
  343. */
  344. /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
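/*
 * scratchpad use: drbg_ctr_update is called independently from
 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
 */
/*
 * Generate function of CTR DRBG as defined in 10.2.1.5.2
 *
 * @drbg DRBG handle
 * @buf output buffer
 * @buflen number of bytes requested
 * @addtl list of drbg_string entries with additional input, may be NULL
 *        or empty
 *
 * Return: number of bytes written on success, negative error code on
 * failure. Like drbg_hmac_generate() and drbg_hash_generate(), a failure
 * while folding addtl into the state is reported as the error code
 * rather than as 0, so a caller testing only for negative values cannot
 * mistake an unfilled buffer for a successful zero-length request.
 */
static int drbg_ctr_generate(struct drbg_state *drbg,
unsigned char *buf, unsigned int buflen,
struct list_head *addtl)
{
	int ret;
	int len = min_t(int, buflen, INT_MAX);

	/* 10.2.1.5.2 step 2 */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_ctr_update(drbg, addtl, 2);
		if (ret) {
			/*
			 * With reseed == 2 drbg_ctr_update leaves the DFed
			 * addtl material in df_data for the step 6 update,
			 * which will not run now: scrub it here.
			 */
			memset(drbg->scratchpad + drbg_statelen(drbg) +
			       drbg_blocklen(drbg), 0, drbg_statelen(drbg));
			return ret;
		}
	}

	/* 10.2.1.5.2 step 4.1 */
	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
	if (ret)
		return ret;

	/* 10.2.1.5.2 step 6 */
	ret = drbg_ctr_update(drbg, NULL, 3);
	if (ret)
		len = ret;

	return len;
}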
/* CTR DRBG operations: AES in CTR mode as the underlying primitive */
static const struct drbg_state_ops drbg_ctr_ops = {
	.crypto_init = drbg_init_sym_kernel,
	.crypto_fini = drbg_fini_sym_kernel,
	.update = drbg_ctr_update,
	.generate = drbg_ctr_generate,
};
  373. #endif /* CONFIG_CRYPTO_DRBG_CTR */
  374. /******************************************************************
  375. * HMAC DRBG callback functions
  376. ******************************************************************/
  377. #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
  378. static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
  379. const struct list_head *in);
  380. static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
  381. const unsigned char *key);
  382. static int drbg_init_hash_kernel(struct drbg_state *drbg);
  383. static int drbg_fini_hash_kernel(struct drbg_state *drbg);
  384. #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
  385. #ifdef CONFIG_CRYPTO_DRBG_HMAC
  386. #define CRYPTO_DRBG_HMAC_STRING "HMAC "
  387. MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
  388. MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
  389. MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
  390. MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
  391. MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
  392. MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
  393. /* update function of HMAC DRBG as defined in 10.1.2.2 */
/*
 * update function of HMAC DRBG as defined in 10.1.2.2
 *
 * Each round computes K = HMAC(K, V || prefix || seed) and V = HMAC(K, V).
 * Two rounds (prefix 0x00 then 0x01) are run when seed material is
 * present, only the first one otherwise.
 *
 * @drbg DRBG handle
 * @seed list of drbg_string entries with seed material, may be NULL
 * @reseed 0 for the initial seeding: V is set to 0x01..01 and the
 *         (zeroed, see below) C is installed as key first
 *
 * Return: 0 on success, error code of drbg_kcapi_hash() otherwise
 */
static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
int reseed)
{
	struct drbg_string vstr, prefixstr, vdata;
	LIST_HEAD(seedlist);
	LIST_HEAD(vdatalist);
	unsigned char prefixes[2] = { DRBG_PREFIX0, DRBG_PREFIX1 };
	unsigned int round;
	int ret = -EFAULT;

	if (!reseed) {
		/*
		 * 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc
		 * (relies on the state being freshly allocated for reseed == 0)
		 */
		memset(drbg->V, 1, drbg_statelen(drbg));
		drbg_kcapi_hmacsetkey(drbg, drbg->C);
	}

	/* key input: V || prefix || seed; the prefix byte is set per round */
	drbg_string_fill(&vstr, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vstr.list, &seedlist);
	drbg_string_fill(&prefixstr, NULL, 1);
	list_add_tail(&prefixstr.list, &seedlist);
	/* seed material is optional at this point */
	if (seed)
		list_splice_tail(seed, &seedlist);

	/* V input: V alone */
	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vdata.list, &vdatalist);

	for (round = 0; round < 2; round++) {
		prefixstr.buf = &prefixes[round];

		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
		if (ret)
			return ret;
		drbg_kcapi_hmacsetkey(drbg, drbg->C);

		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
		if (ret)
			return ret;

		/* 10.1.2.2 step 3 -- without seed material only one round */
		if (!seed)
			return ret;
	}

	return 0;
}
  438. /* generate function of HMAC DRBG as defined in 10.1.2.5 */
/*
 * generate function of HMAC DRBG as defined in 10.1.2.5
 *
 * @drbg DRBG handle
 * @buf output buffer
 * @buflen number of bytes requested
 * @addtl list of drbg_string entries with additional input, may be NULL
 *        or empty; when present it is mixed in before and after output
 *
 * Return: number of bytes written, or the error code of a failed
 * drbg_hmac_update() / drbg_kcapi_hash() call
 */
static int drbg_hmac_generate(struct drbg_state *drbg,
unsigned char *buf,
unsigned int buflen,
struct list_head *addtl)
{
	struct drbg_string vstr;
	LIST_HEAD(vlist);
	int produced = 0;
	int ret = 0;

	/* 10.1.2.5 step 2 */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_hmac_update(drbg, addtl, 1);
		if (ret)
			return ret;
	}

	drbg_string_fill(&vstr, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vstr.list, &vlist);

	/* 10.1.2.5 step 4: V = HMAC(K, V), then emit V block by block */
	while (produced < buflen) {
		unsigned int chunk = buflen - produced;

		/* 10.1.2.5 step 4.1 */
		ret = drbg_kcapi_hash(drbg, drbg->V, &vlist);
		if (ret)
			return ret;
		if (drbg_blocklen(drbg) < chunk)
			chunk = drbg_blocklen(drbg);
		/* 10.1.2.5 step 4.2 */
		memcpy(buf + produced, drbg->V, chunk);
		produced += chunk;
	}

	/* 10.1.2.5 step 6: addtl is mixed in a second time when present */
	ret = drbg_hmac_update(drbg,
			       (addtl && !list_empty(addtl)) ? addtl : NULL,
			       1);
	if (ret)
		return ret;

	return produced;
}
/* HMAC DRBG operations: keyed hash as the underlying primitive */
static const struct drbg_state_ops drbg_hmac_ops = {
	.crypto_init = drbg_init_hash_kernel,
	.crypto_fini = drbg_fini_hash_kernel,
	.update = drbg_hmac_update,
	.generate = drbg_hmac_generate,
};
  483. #endif /* CONFIG_CRYPTO_DRBG_HMAC */
  484. /******************************************************************
  485. * Hash DRBG callback functions
  486. ******************************************************************/
  487. #ifdef CONFIG_CRYPTO_DRBG_HASH
  488. #define CRYPTO_DRBG_HASH_STRING "HASH "
  489. MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
  490. MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
  491. MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
  492. MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
  493. MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
  494. MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
  495. /*
  496. * Increment buffer
  497. *
  498. * @dst buffer to increment
  499. * @add value to add
  500. */
/*
 * Add one big-endian integer to another in place: dst = (dst + add) mod
 * 2^(8 * dstlen). Both buffers hold their most significant byte first.
 *
 * @dst buffer to increment
 * @dstlen length of @dst in bytes; must be >= @addlen (the callers pass
 *         the state length against a block length, the state length or 8)
 * @add value to add
 * @addlen length of @add in bytes
 */
static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
const unsigned char *add, size_t addlen)
{
	unsigned int carry = 0;
	size_t i;

	/* least significant byte first, both operands present */
	for (i = 1; i <= addlen; i++) {
		carry += dst[dstlen - i] + add[addlen - i];
		dst[dstlen - i] = carry & 0xff;
		carry >>= 8;
	}

	/* ripple the carry through the remaining high bytes of dst */
	for (i = addlen + 1; i <= dstlen && carry; i++) {
		carry = dst[dstlen - i] + 1;
		dst[dstlen - i] = carry & 0xff;
		carry >>= 8;
	}
}
  525. /*
  526. * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
  527. * interlinked, the scratchpad is used as follows:
  528. * drbg_hash_update
  529. * start: drbg->scratchpad
  530. * length: drbg_statelen(drbg)
  531. * drbg_hash_df:
  532. * start: drbg->scratchpad + drbg_statelen(drbg)
  533. * length: drbg_blocklen(drbg)
  534. *
  535. * drbg_hash_process_addtl uses the scratchpad, but fully completes
  536. * before either of the functions mentioned before are invoked. Therefore,
  537. * drbg_hash_process_addtl does not need to be specifically considered.
  538. */
  539. /* Derivation Function for Hash DRBG as defined in 10.4.1 */
/*
 * Derivation Function for Hash DRBG as defined in 10.4.1
 *
 * Produces @outlen bytes as Hash(counter || bitlen || input) for an
 * increasing one-byte counter. The hash output is staged in the
 * scratchpad behind the state-length area (see the layout comment
 * above) and scrubbed on exit.
 *
 * @drbg DRBG handle
 * @outval output buffer of at least @outlen bytes
 * @outlen number of bytes to derive
 * @entropylist input list; a header entry that lives on this stack frame
 *              is prepended to it and is not removed again, so the caller
 *              must not use the list after this function returns
 *
 * Return: 0 on success, error code of drbg_kcapi_hash() otherwise
 */
static int drbg_hash_df(struct drbg_state *drbg,
unsigned char *outval, size_t outlen,
struct list_head *entropylist)
{
	unsigned char *hashbuf = drbg->scratchpad + drbg_statelen(drbg);
	unsigned char header[5];
	struct drbg_string hdrstr;
	size_t produced = 0;
	int ret = 0;

	/* 10.4.1 step 3: one counter byte followed by the bit length */
	header[0] = 1;
	drbg_cpu_to_be32((outlen * 8), &header[1]);

	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
	drbg_string_fill(&hdrstr, header, 5);
	list_add(&hdrstr.list, entropylist);

	/* 10.4.1 step 4 */
	while (produced < outlen) {
		size_t chunk = outlen - produced;

		/* 10.4.1 step 4.1 */
		ret = drbg_kcapi_hash(drbg, hashbuf, entropylist);
		if (ret)
			goto out;

		/* 10.4.1 step 4.2 */
		header[0]++;
		if (drbg_blocklen(drbg) < chunk)
			chunk = drbg_blocklen(drbg);
		memcpy(outval + produced, hashbuf, chunk);
		produced += chunk;
	}

out:
	memset(hashbuf, 0, drbg_blocklen(drbg));
	return ret;
}
  573. /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
/*
 * update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3
 *
 * V = Hash_df([0x01 || V ||] seed), then C = Hash_df(0x00 || V). The
 * copy of the old V used for the reseed case is kept in the first
 * statelen bytes of the scratchpad and scrubbed on exit.
 *
 * @drbg DRBG handle
 * @seed list of drbg_string entries with seed material; NULL is rejected
 * @reseed non-zero when the existing V is part of the seed material
 *
 * Return: 0 on success, -EINVAL without seed, error of drbg_hash_df()
 * otherwise
 */
static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
int reseed)
{
	unsigned char *oldv = drbg->scratchpad;
	unsigned char prefix = DRBG_PREFIX1;
	struct drbg_string prefixstr, vstr;
	LIST_HEAD(vlist);
	LIST_HEAD(clist);
	int ret = 0;

	if (!seed)
		return -EINVAL;

	if (reseed) {
		/* 10.1.1.3 step 1: seed material is 0x01 || V || seed */
		memcpy(oldv, drbg->V, drbg_statelen(drbg));
		drbg_string_fill(&prefixstr, &prefix, 1);
		list_add_tail(&prefixstr.list, &vlist);
		drbg_string_fill(&vstr, oldv, drbg_statelen(drbg));
		list_add_tail(&vstr.list, &vlist);
	}
	list_splice_tail(seed, &vlist);

	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &vlist);
	if (ret)
		goto out;

	/* 10.1.1.2 / 10.1.1.3 step 4: C = Hash_df(0x00 || V) */
	prefix = DRBG_PREFIX0;
	drbg_string_fill(&prefixstr, &prefix, 1);
	list_add_tail(&prefixstr.list, &clist);
	drbg_string_fill(&vstr, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vstr.list, &clist);
	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &clist);

out:
	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
	return ret;
}
  610. /* processing of additional information string for Hash DRBG */
/*
 * processing of additional information string for Hash DRBG (10.1.1.4
 * step 2): V = (V + Hash(0x02 || V || addtl)) mod 2^seedlen
 *
 * The hash value w is staged in the scratchpad and scrubbed on exit.
 *
 * @drbg DRBG handle
 * @addtl list of drbg_string entries; NULL or an empty list is a no-op
 *
 * Return: 0 on success (including the no-op case), error code of
 * drbg_kcapi_hash() otherwise
 */
static int drbg_hash_process_addtl(struct drbg_state *drbg,
struct list_head *addtl)
{
	unsigned char prefix = DRBG_PREFIX2;
	struct drbg_string prefixstr, vstr;
	LIST_HEAD(inlist);
	int ret = 0;

	/* 10.1.1.4 step 2 */
	if (!addtl || list_empty(addtl))
		return 0;

	/* 10.1.1.4 step 2a */
	drbg_string_fill(&prefixstr, &prefix, 1);
	list_add_tail(&prefixstr.list, &inlist);
	drbg_string_fill(&vstr, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vstr.list, &inlist);
	list_splice_tail(addtl, &inlist);
	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &inlist);
	if (!ret) {
		/* 10.1.1.4 step 2b */
		drbg_add_buf(drbg->V, drbg_statelen(drbg),
			     drbg->scratchpad, drbg_blocklen(drbg));
	}

	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return ret;
}
  637. /* Hashgen defined in 10.1.1.4 */
/*
 * Hashgen defined in 10.1.1.4
 *
 * Emits Hash(data), Hash(data + 1), ... with data starting as a copy of
 * V. The running data value and the hash output both live in the
 * scratchpad (statelen + blocklen bytes) and are scrubbed on exit.
 *
 * @drbg DRBG handle
 * @buf output buffer
 * @buflen number of bytes requested
 *
 * Return: number of bytes written, or the error code of a failed
 * drbg_kcapi_hash() call
 */
static int drbg_hash_hashgen(struct drbg_state *drbg,
unsigned char *buf,
unsigned int buflen)
{
	unsigned char *data = drbg->scratchpad;
	unsigned char *digest = drbg->scratchpad + drbg_statelen(drbg);
	struct drbg_string datastr;
	LIST_HEAD(datalist);
	int produced = 0;
	int ret = 0;

	/* 10.1.1.4 step hashgen 2 */
	memcpy(data, drbg->V, drbg_statelen(drbg));
	drbg_string_fill(&datastr, data, drbg_statelen(drbg));
	list_add_tail(&datastr.list, &datalist);

	while (produced < buflen) {
		unsigned int chunk = buflen - produced;

		/* 10.1.1.4 step hashgen 4.1 */
		ret = drbg_kcapi_hash(drbg, digest, &datalist);
		if (ret) {
			produced = ret;
			break;
		}
		if (drbg_blocklen(drbg) < chunk)
			chunk = drbg_blocklen(drbg);

		/* 10.1.1.4 step hashgen 4.2 */
		memcpy(buf + produced, digest, chunk);
		produced += chunk;

		/* 10.1.1.4 hashgen step 4.3 */
		if (produced < buflen)
			crypto_inc(data, drbg_statelen(drbg));
	}

	memset(drbg->scratchpad, 0,
	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
	return produced;
}
  /*
   * Generate function for Hash DRBG as defined in 10.1.1.4.
   *
   * @drbg: DRBG state; V, C, reseed_ctr and the scratchpad are used
   * @buf: caller-provided output buffer
   * @buflen: number of random bytes requested
   * @addtl: list of additional input strings, may be NULL or empty
   *
   * return: the value of drbg_hash_hashgen (bytes generated, or a negative
   *         error), or the negative error of the step 4 hash. Note that a
   *         negative hashgen result is not checked: steps 4 and 5 still run
   *         and the negative value is returned afterwards.
   */
  static int drbg_hash_generate(struct drbg_state *drbg,
                                unsigned char *buf, unsigned int buflen,
                                struct list_head *addtl)
  {
      int len = 0;
      int ret = 0;
      /* the reseed counter as an 8-byte big-endian string for step 5 */
      union {
          unsigned char req[8];
          __be64 req_int;
      } u;
      unsigned char prefix = DRBG_PREFIX3;
      struct drbg_string data1, data2;
      LIST_HEAD(datalist);

      /* 10.1.1.4 step 2: mix additional input into V */
      ret = drbg_hash_process_addtl(drbg, addtl);
      if (ret)
          return ret;

      /* 10.1.1.4 step 3: produce the output bytes */
      len = drbg_hash_hashgen(drbg, buf, buflen);

      /* this is the value H as documented in 10.1.1.4 */
      /* 10.1.1.4 step 4: H = Hash(prefix || V) */
      drbg_string_fill(&data1, &prefix, 1);
      list_add_tail(&data1.list, &datalist);
      drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
      list_add_tail(&data2.list, &datalist);
      ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
      if (ret) {
          len = ret;
          goto out;
      }

      /* 10.1.1.4 step 5: V = V + H + C + reseed_counter */
      drbg_add_buf(drbg->V, drbg_statelen(drbg),
                   drbg->scratchpad, drbg_blocklen(drbg));
      drbg_add_buf(drbg->V, drbg_statelen(drbg),
                   drbg->C, drbg_statelen(drbg));
      u.req_int = cpu_to_be64(drbg->reseed_ctr);
      drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);

  out:
      /* H is intermediate secret state; clear it before returning */
      memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
      return len;
  }
  /*
   * Operations table for the Hash DRBG.
   *
   * scratchpad usage: update and generate are used in isolation from each
   * other, so both may share the single scratchpad.
   */
  static const struct drbg_state_ops drbg_hash_ops = {
      .crypto_init = drbg_init_hash_kernel,
      .crypto_fini = drbg_fini_hash_kernel,
      .update = drbg_hash_update,
      .generate = drbg_hash_generate,
  };
  726. #endif /* CONFIG_CRYPTO_DRBG_HASH */
  727. /******************************************************************
  728. * Functions common for DRBG implementations
  729. ******************************************************************/
  /*
   * Common tail of every (re)seed: hand the seed material to the DRBG-type
   * specific update function and reset the reseed bookkeeping.
   *
   * @drbg: DRBG state
   * @seed: list of seed material strings passed to d_ops->update
   * @reseed: passed through to d_ops->update
   * @new_seed_state: seed state to record; it selects the reseed threshold
   *
   * return: 0 on success; the update function's error otherwise, in which
   *         case seed state, timestamp and counters are left untouched
   */
  static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
                                int reseed, enum drbg_seed_state new_seed_state)
  {
      int ret = drbg->d_ops->update(drbg, seed, reseed);

      if (ret)
          return ret;

      drbg->seeded = new_seed_state;
      drbg->last_seed_time = jiffies;
      /* 10.1.1.2 / 10.1.1.3 step 5 */
      drbg->reseed_ctr = 1;

      switch (drbg->seeded) {
      case DRBG_SEED_STATE_UNSEEDED:
          /* Impossible, but handle it to silence compiler warnings. */
          fallthrough;
      case DRBG_SEED_STATE_PARTIAL:
          /*
           * Require frequent reseeds until the seed source is
           * fully initialized.
           */
          drbg->reseed_threshold = 50;
          break;
      case DRBG_SEED_STATE_FULL:
          /*
           * Seed source has become fully initialized, frequent
           * reseeds no longer required.
           */
          drbg->reseed_threshold = drbg_max_requests(drbg);
          break;
      }

      /* ret is 0 at this point */
      return ret;
  }
  /*
   * Draw @entropylen bytes from get_random_bytes() into @entropy, repeating
   * the draw until the FIPS continuous test accepts the block.
   * Caller must hold drbg->drbg_mutex.
   */
  static inline void drbg_get_random_bytes(struct drbg_state *drbg,
                                           unsigned char *entropy,
                                           unsigned int entropylen)
      __must_hold(&drbg->drbg_mutex)
  {
      for (;;) {
          get_random_bytes(entropy, entropylen);
          if (drbg_fips_continuous_test(drbg, entropy))
              break;
      }
  }
  /*
   * Reseed the DRBG from get_random_bytes() alone, with entropy equal to the
   * security strength, and record the state as fully seeded.
   * Caller must hold drbg->drbg_mutex.
   *
   * return: result of __drbg_seed()
   */
  static int drbg_seed_from_random(struct drbg_state *drbg)
      __must_hold(&drbg->drbg_mutex)
  {
      unsigned char entropy[32];
      unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
      struct drbg_string data;
      LIST_HEAD(seedlist);
      int ret;

      BUG_ON(!entropylen);
      BUG_ON(entropylen > sizeof(entropy));

      drbg_get_random_bytes(drbg, entropy, entropylen);
      drbg_string_fill(&data, entropy, entropylen);
      list_add_tail(&data.list, &seedlist);
      ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL);

      /* the raw entropy must not outlive the seeding */
      memzero_explicit(entropy, entropylen);
      return ret;
  }
  /*
   * Decide whether a nopr DRBG is due for fresh entropy from
   * get_random_bytes() because its reseed interval has elapsed.
   *
   * return: false in test mode (never reseed from the kernel RNG there),
   *         otherwise true once more than 300s have passed since the last seed
   */
  static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg)
  {
      /* Don't ever reseed from get_random_bytes() in test mode. */
      if (list_empty(&drbg->test_data.list))
          return false;

      /*
       * Obtain fresh entropy for the nopr DRBGs after 300s have
       * elapsed in order to still achieve sort of partial
       * prediction resistance over the time domain at least. Note
       * that the period of 300s has been chosen to match the
       * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha
       * rngs.
       */
      return time_after(jiffies, drbg->last_seed_time + 300 * HZ);
  }
  /*
   * Seeding or reseeding of the DRBG
   *
   * @drbg: DRBG state struct
   * @pers: personalization / additional information buffer, may be NULL
   * @reseed: false for the initial seed process, true for reseeding
   *
   * Seed material is taken from the injected test data when present,
   * otherwise from get_random_bytes() plus, when allocated, the Jitter RNG.
   * The caller must hold drbg->drbg_mutex.
   *
   * return:
   * 0 on success
   * error value otherwise
   */
  static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
                       bool reseed)
      __must_hold(&drbg->drbg_mutex)
  {
      int ret;
      /* room for entropy + nonce (3/2 of the strength) from both sources */
      unsigned char entropy[((32 + 16) * 2)];
      unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
      struct drbg_string data1;
      LIST_HEAD(seedlist);
      enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL;

      /* 9.1 / 9.2 / 9.3.1 step 3 */
      if (pers && pers->len > (drbg_max_addtl(drbg))) {
          pr_devel("DRBG: personalization string too long %zu\n",
                   pers->len);
          return -EINVAL;
      }

      /* an initialized test_data list means test entropy was injected */
      if (list_empty(&drbg->test_data.list)) {
          drbg_string_fill(&data1, drbg->test_data.buf,
                           drbg->test_data.len);
          pr_devel("DRBG: using test entropy\n");
      } else {
          /*
           * Gather entropy equal to the security strength of the DRBG.
           * With a derivation function, a nonce is required in addition
           * to the entropy. A nonce must be at least 1/2 of the security
           * strength of the DRBG in size. Thus, entropy + nonce is 3/2
           * of the strength. The consideration of a nonce is only
           * applicable during initial seeding.
           */
          BUG_ON(!entropylen);
          if (!reseed)
              entropylen = ((entropylen + 1) / 2) * 3;
          BUG_ON((entropylen * 2) > sizeof(entropy));

          /* Get seed from in-kernel /dev/urandom */
          if (!rng_is_initialized())
              new_seed_state = DRBG_SEED_STATE_PARTIAL;

          drbg_get_random_bytes(drbg, entropy, entropylen);

          if (!drbg->jent) {
              drbg_string_fill(&data1, entropy, entropylen);
              pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
                       entropylen);
          } else {
              /*
               * Get seed from Jitter RNG, failures are
               * fatal only in FIPS mode.
               */
              ret = crypto_rng_get_bytes(drbg->jent,
                                         entropy + entropylen,
                                         entropylen);
              if (fips_enabled && ret) {
                  pr_devel("DRBG: jent failed with %d\n", ret);

                  /*
                   * Do not treat the transient failure of the
                   * Jitter RNG as an error that needs to be
                   * reported. The combined number of the
                   * maximum reseed threshold times the maximum
                   * number of Jitter RNG transient errors is
                   * less than the reseed threshold required by
                   * SP800-90A allowing us to treat the
                   * transient errors as such.
                   *
                   * However, we mandate that at least the first
                   * seeding operation must succeed with the
                   * Jitter RNG.
                   */
                  if (!reseed || ret != -EAGAIN)
                      goto out;
              }

              /*
               * Outside FIPS mode (or on a tolerated -EAGAIN during reseed)
               * the second half is concatenated regardless of whether the
               * Jitter RNG actually filled it.
               */
              drbg_string_fill(&data1, entropy, entropylen * 2);
              pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
                       entropylen * 2);
          }
      }
      list_add_tail(&data1.list, &seedlist);

      /*
       * concatenation of entropy with personalization str / addtl input:
       * the variable pers is directly handed in by the caller, so check its
       * contents whether it is appropriate
       */
      if (pers && pers->buf && 0 < pers->len) {
          list_add_tail(&pers->list, &seedlist);
          pr_devel("DRBG: using personalization string\n");
      }

      /* initial instantiation starts from zeroed V and C */
      if (!reseed) {
          memset(drbg->V, 0, drbg_statelen(drbg));
          memset(drbg->C, 0, drbg_statelen(drbg));
      }

      ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state);

  out:
      /* wipe the whole possible extent of the gathered seed material */
      memzero_explicit(entropy, entropylen * 2);
      return ret;
  }
  /*
   * Release every buffer hanging off a DRBG state, scrubbing the contents on
   * the way, without freeing the drbg_state structure itself.
   * Safe on a partially allocated state and on NULL.
   */
  static inline void drbg_dealloc_state(struct drbg_state *drbg)
  {
      if (!drbg)
          return;

      /* V and C are aligned views into Vbuf/Cbuf; only the *buf pointers own memory */
      kfree_sensitive(drbg->Vbuf);
      kfree_sensitive(drbg->Cbuf);
      kfree_sensitive(drbg->scratchpadbuf);
      drbg->Vbuf = NULL;
      drbg->V = NULL;
      drbg->Cbuf = NULL;
      drbg->C = NULL;
      drbg->scratchpadbuf = NULL;

      drbg->reseed_ctr = 0;
      drbg->d_ops = NULL;
      drbg->core = NULL;

      if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
          /* the continuous-test reference block is treated as secret too */
          kfree_sensitive(drbg->prev);
          drbg->prev = NULL;
          drbg->fips_primed = false;
      }
  }
  /*
   * Allocate all sub-structures for a DRBG state.
   * The DRBG state structure must already be allocated and drbg->core set,
   * as the DRBG type and all sizes are derived from it.
   *
   * V, C and the scratchpad are over-allocated by the value crypto_init
   * returns (the cipher alignmask for CTR, 0 for the hash backends) and
   * aligned with PTR_ALIGN. V and C are not zeroed here; drbg_seed does
   * that on the initial seed.
   *
   * return: 0 on success; -EOPNOTSUPP for an unknown or disabled DRBG type,
   *         -ENOMEM or the crypto_init error otherwise. On failure every
   *         resource allocated so far is released again.
   */
  static inline int drbg_alloc_state(struct drbg_state *drbg)
  {
      int ret = -ENOMEM;
      unsigned int sb_size = 0;

      switch (drbg->core->flags & DRBG_TYPE_MASK) {
  #ifdef CONFIG_CRYPTO_DRBG_HMAC
      case DRBG_HMAC:
          drbg->d_ops = &drbg_hmac_ops;
          break;
  #endif /* CONFIG_CRYPTO_DRBG_HMAC */
  #ifdef CONFIG_CRYPTO_DRBG_HASH
      case DRBG_HASH:
          drbg->d_ops = &drbg_hash_ops;
          break;
  #endif /* CONFIG_CRYPTO_DRBG_HASH */
  #ifdef CONFIG_CRYPTO_DRBG_CTR
      case DRBG_CTR:
          drbg->d_ops = &drbg_ctr_ops;
          break;
  #endif /* CONFIG_CRYPTO_DRBG_CTR */
      default:
          ret = -EOPNOTSUPP;
          goto err;
      }

      /* a non-negative result is the alignmask, reused for the buffers below */
      ret = drbg->d_ops->crypto_init(drbg);
      if (ret < 0)
          goto err;

      drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
      if (!drbg->Vbuf) {
          ret = -ENOMEM;
          goto fini;
      }
      drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
      drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
      if (!drbg->Cbuf) {
          ret = -ENOMEM;
          goto fini;
      }
      drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
      /* scratchpad is only generated for CTR and Hash */
      if (drbg->core->flags & DRBG_HMAC)
          sb_size = 0;
      else if (drbg->core->flags & DRBG_CTR)
          sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
                    crypto_drbg_ctr_df_datalen(drbg_statelen(drbg),
                                               drbg_blocklen(drbg));
      else
          sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);

      if (0 < sb_size) {
          drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
          if (!drbg->scratchpadbuf) {
              ret = -ENOMEM;
              goto fini;
          }
          drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
      }

      if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
          /* presumably the reference block for drbg_fips_continuous_test */
          drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
                               GFP_KERNEL);
          if (!drbg->prev) {
              ret = -ENOMEM;
              goto fini;
          }
          drbg->fips_primed = false;
      }

      return 0;

  fini:
      drbg->d_ops->crypto_fini(drbg);
  err:
      drbg_dealloc_state(drbg);
      return ret;
  }
  1005. /*************************************************************************
  1006. * DRBG interface functions
  1007. *************************************************************************/
  /*
   * DRBG generate function as required by SP800-90A - this function
   * generates random numbers
   *
   * @drbg DRBG state handle
   * @buf Buffer where to store the random numbers -- the buffer must already
   *      be pre-allocated by caller
   * @buflen Length of output buffer - this value defines the number of random
   *         bytes pulled from DRBG; must be non-zero and at most
   *         drbg_max_request_bytes(drbg)
   * @addtl Additional input that is mixed into state, may be NULL -- note
   *        the entropy is pulled by the DRBG internally unconditionally
   *        as defined in SP800-90A. The additional input is mixed into
   *        the state in addition to the pulled entropy.
   *
   * The caller must hold drbg->drbg_mutex. A reseed precedes generation
   * when prediction resistance is enabled or the reseed counter exceeded
   * its threshold; a nopr DRBG that was only partially seeded, or whose
   * reseed interval elapsed, is refreshed from get_random_bytes() instead.
   *
   * return: 0 when all bytes are generated; < 0 in case of an error
   */
  static int drbg_generate(struct drbg_state *drbg,
                           unsigned char *buf, unsigned int buflen,
                           struct drbg_string *addtl)
      __must_hold(&drbg->drbg_mutex)
  {
      int len = 0;
      LIST_HEAD(addtllist);

      if (!drbg->core) {
          pr_devel("DRBG: not yet seeded\n");
          return -EINVAL;
      }
      if (0 == buflen || !buf) {
          pr_devel("DRBG: no output buffer provided\n");
          return -EINVAL;
      }
      if (addtl && NULL == addtl->buf && 0 < addtl->len) {
          pr_devel("DRBG: wrong format of additional information\n");
          return -EINVAL;
      }

      /* 9.3.1 step 2 */
      len = -EINVAL;
      if (buflen > (drbg_max_request_bytes(drbg))) {
          pr_devel("DRBG: requested random numbers too large %u\n",
                   buflen);
          goto err;
      }

      /* 9.3.1 step 3 is implicit with the chosen DRBG */

      /* 9.3.1 step 4 */
      if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
          pr_devel("DRBG: additional information string too long %zu\n",
                   addtl->len);
          goto err;
      }
      /* 9.3.1 step 5 is implicit with the chosen DRBG */

      /*
       * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
       * here. The spec is a bit convoluted here, we make it simpler.
       */
      if (drbg->reseed_threshold < drbg->reseed_ctr)
          drbg->seeded = DRBG_SEED_STATE_UNSEEDED;

      if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) {
          pr_devel("DRBG: reseeding before generation (prediction "
                   "resistance: %s, state %s)\n",
                   str_true_false(drbg->pr),
                   (drbg->seeded == DRBG_SEED_STATE_FULL ?
                    "seeded" : "unseeded"));
          /* 9.3.1 steps 7.1 through 7.3 */
          len = drbg_seed(drbg, addtl, true);
          if (len)
              goto err;
          /* 9.3.1 step 7.4: addtl went into the reseed, do not mix it in twice */
          addtl = NULL;
      } else if (rng_is_initialized() &&
                 (drbg->seeded == DRBG_SEED_STATE_PARTIAL ||
                  drbg_nopr_reseed_interval_elapsed(drbg))) {
          /* upgrade a partial seed / refresh a nopr state from the kernel RNG */
          len = drbg_seed_from_random(drbg);
          if (len)
              goto err;
      }

      if (addtl && 0 < addtl->len)
          list_add_tail(&addtl->list, &addtllist);
      /* 9.3.1 step 8 and 10 */
      len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);

      /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
      drbg->reseed_ctr++;
      /* generate reports the byte count; zero or negative is a failure */
      if (0 >= len)
          goto err;

      /*
       * Section 11.3.3 requires to re-perform self tests after some
       * generated random numbers. The chosen value after which self
       * test is performed is arbitrary, but it should be reasonable.
       * However, we do not perform the self tests because of the following
       * reasons: it is mathematically impossible that the initial self tests
       * were successful and the following are not. If the initial would
       * pass and the following would not, the kernel integrity is violated.
       * In this case, the entire kernel operation is questionable and it
       * is unlikely that the integrity violation only affects the
       * correct operation of the DRBG.
       *
       * Albeit the following code is commented out, it is provided in
       * case somebody has a need to implement the test of 11.3.3.
       */
  #if 0
      if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
          int err = 0;
          pr_devel("DRBG: start to perform self test\n");
          if (drbg->core->flags & DRBG_HMAC)
              err = alg_test("drbg_pr_hmac_sha512",
                             "drbg_pr_hmac_sha512", 0, 0);
          else if (drbg->core->flags & DRBG_CTR)
              err = alg_test("drbg_pr_ctr_aes256",
                             "drbg_pr_ctr_aes256", 0, 0);
          else
              err = alg_test("drbg_pr_sha256",
                             "drbg_pr_sha256", 0, 0);
          if (err) {
              pr_err("DRBG: periodical self test failed\n");
              /*
               * uninstantiate implies that from now on, only errors
               * are returned when reusing this DRBG cipher handle
               */
              drbg_uninstantiate(drbg);
              return 0;
          } else {
              pr_devel("DRBG: self test successful\n");
          }
      }
  #endif

      /*
       * All operations were successful, return 0 as mandated by
       * the kernel crypto API interface.
       */
      len = 0;
  err:
      return len;
  }
  /*
   * Wrapper around drbg_generate which can pull arbitrary long strings
   * from the DRBG without hitting the maximum request limitation: the
   * request is cut into slices of at most drbg_max_request_bytes() each,
   * and every slice is generated under the DRBG mutex with the same
   * additional input @addtl.
   *
   * Parameters: see drbg_generate
   * Return codes: see drbg_generate -- if one drbg_generate request fails,
   * the entire drbg_generate_long request fails
   */
  static int drbg_generate_long(struct drbg_state *drbg,
                                unsigned char *buf, unsigned int buflen,
                                struct drbg_string *addtl)
  {
      unsigned int done = 0;

      for (;;) {
          unsigned int remaining = buflen - done;
          unsigned int max_bytes = drbg_max_request_bytes(drbg);
          unsigned int full_slices = remaining / max_bytes;
          unsigned int chunk = full_slices ? max_bytes : remaining;
          int err;

          mutex_lock(&drbg->drbg_mutex);
          err = drbg_generate(drbg, buf + done, chunk, addtl);
          mutex_unlock(&drbg->drbg_mutex);
          if (err < 0)
              return err;
          done += chunk;

          /* the trailing partial slice, or reaching buflen, ends the loop */
          if (!full_slices || done >= buflen)
              return 0;
      }
  }
  /*
   * Allocate the Jitter RNG used as additional seed source.
   * Failure to obtain it is fatal only in FIPS mode; otherwise the DRBG
   * continues with get_random_bytes() alone.
   *
   * return: 0 on success or when no HRNG is needed (test mode),
   *         the allocation error in FIPS mode
   */
  static int drbg_prepare_hrng(struct drbg_state *drbg)
  {
      struct crypto_rng *jent;

      /* We do not need an HRNG in test mode. */
      if (list_empty(&drbg->test_data.list))
          return 0;

      jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
      if (!IS_ERR(jent)) {
          drbg->jent = jent;
          return 0;
      }

      drbg->jent = NULL;
      if (fips_enabled)
          return PTR_ERR(jent);

      pr_info("DRBG: Continuing without Jitter RNG\n");
      return 0;
  }
  /*
   * DRBG instantiation function as required by SP800-90A - this function
   * sets up the DRBG handle, performs the initial seeding and all sanity
   * checks required by SP800-90A
   *
   * @drbg memory of state -- must be allocated by the caller, it is
   *       dereferenced unconditionally; a handle that is already
   *       instantiated (drbg->core set) is only reseeded
   * @pers Personalization string that is mixed into state, may be NULL -- note
   *       the entropy is pulled by the DRBG internally unconditionally
   *       as defined in SP800-90A. The additional input is mixed into
   *       the state in addition to the pulled entropy.
   * @coreref index into drbg_cores, as produced by drbg_convert_tfm_core
   * @pr prediction resistance enabled
   *
   * return
   * 0 on success
   * error value otherwise; a failed initial instantiation tears the handle
   * down again, a failed reseed of an existing handle leaves it as is
   */
  static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
                              int coreref, bool pr)
  {
      int ret;
      bool reseed = true;

      pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
               "%s\n", coreref, str_enabled_disabled(pr));

      mutex_lock(&drbg->drbg_mutex);

      /* 9.1 step 1 is implicit with the selected DRBG type */

      /*
       * 9.1 step 2 is implicit as caller can select prediction resistance
       * and the flag is copied into drbg->flags --
       * all DRBG types support prediction resistance
       */

      /* 9.1 step 4 is implicit in drbg_sec_strength */

      /* a NULL core marks a handle that has not been instantiated yet */
      if (!drbg->core) {
          /* coreref is not range-checked here -- TODO confirm every caller bounds it */
          drbg->core = &drbg_cores[coreref];
          drbg->pr = pr;
          drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
          drbg->last_seed_time = 0;
          drbg->reseed_threshold = drbg_max_requests(drbg);

          ret = drbg_alloc_state(drbg);
          if (ret)
              goto unlock;

          ret = drbg_prepare_hrng(drbg);
          if (ret)
              goto free_everything;

          reseed = false;
      }

      ret = drbg_seed(drbg, pers, reseed);

      /* a failed initial seed must not leave a half-built handle behind */
      if (ret && !reseed)
          goto free_everything;

      mutex_unlock(&drbg->drbg_mutex);
      return ret;

  unlock:
      mutex_unlock(&drbg->drbg_mutex);
      return ret;

  free_everything:
      /* drbg_uninstantiate does not take the mutex, so drop it first */
      mutex_unlock(&drbg->drbg_mutex);
      drbg_uninstantiate(drbg);
      return ret;
  }
  /*
   * DRBG uninstantiate function as required by SP800-90A - this function
   * frees all buffers and the backend handles of a DRBG state; the state
   * structure itself and the injected test data survive.
   *
   * @drbg DRBG state handle
   *
   * return
   * 0 always
   */
  static int drbg_uninstantiate(struct drbg_state *drbg)
  {
      struct crypto_rng *jent = drbg->jent;

      drbg->jent = NULL;
      if (!IS_ERR_OR_NULL(jent))
          crypto_free_rng(jent);

      if (drbg->d_ops)
          drbg->d_ops->crypto_fini(drbg);
      drbg_dealloc_state(drbg);
      /* no scrubbing of test_data -- this shall survive an uninstantiate */
      return 0;
  }
  /*
   * Helper function for setting the test data in the DRBG
   *
   * @tfm kernel crypto API RNG handle whose context is the DRBG state
   * @data test data (only the pointer is stored, the caller keeps it alive)
   * @len test data length
   */
  static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
                                     const u8 *data, unsigned int len)
  {
      struct drbg_state *drbg = crypto_rng_ctx(tfm);
      struct mutex *lock = &drbg->drbg_mutex;

      mutex_lock(lock);
      drbg_string_fill(&drbg->test_data, data, len);
      mutex_unlock(lock);
  }
  1277. /***************************************************************
  1278. * Kernel crypto API cipher invocations requested by DRBG
  1279. ***************************************************************/
  1280. #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
  /*
   * Hash descriptor kept in drbg->priv_data; allocated by
   * drbg_init_hash_kernel with the backend's descsize appended.
   */
  struct sdesc {
      struct shash_desc shash;
  };
  /*
   * Allocate the shash handle and descriptor for the Hash/HMAC DRBG backend.
   *
   * return: 0 on success (no alignment requirement), -ENOMEM or the
   *         crypto_alloc_shash error otherwise
   */
  static int drbg_init_hash_kernel(struct drbg_state *drbg)
  {
      const char *name = drbg->core->backend_cra_name;
      struct crypto_shash *tfm = crypto_alloc_shash(name, 0, 0);
      struct sdesc *sdesc;

      if (IS_ERR(tfm)) {
          pr_info("DRBG: could not allocate digest TFM handle: %s\n", name);
          return PTR_ERR(tfm);
      }
      /* the DRBG block length must be exactly the digest size */
      BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));

      sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
                      GFP_KERNEL);
      if (!sdesc) {
          crypto_free_shash(tfm);
          return -ENOMEM;
      }
      sdesc->shash.tfm = tfm;
      drbg->priv_data = sdesc;
      return 0;
  }
  /*
   * Release the shash handle and descriptor allocated by drbg_init_hash_kernel.
   * Safe to call when nothing was allocated.
   *
   * return: 0 always
   */
  static int drbg_fini_hash_kernel(struct drbg_state *drbg)
  {
      struct sdesc *sdesc = drbg->priv_data;

      drbg->priv_data = NULL;
      if (!sdesc)
          return 0;

      crypto_free_shash(sdesc->shash.tfm);
      /* the descriptor may hold intermediate hash state, scrub it */
      kfree_sensitive(sdesc);
      return 0;
  }
  /*
   * Install @key (drbg_statelen(drbg) bytes) as the HMAC key of the shash
   * handle allocated by drbg_init_hash_kernel.
   *
   * NOTE(review): the return value of crypto_shash_setkey() is discarded, so
   * a failed setkey is not visible to the caller -- confirm this is acceptable
   * for the HMAC DRBG update path.
   */
  static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
                                    const unsigned char *key)
  {
      struct sdesc *sdesc = drbg->priv_data;

      crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
  }
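  /*
   * Hash the concatenation of all strings in @in into @outval using the
   * shash handle allocated by drbg_init_hash_kernel.
   *
   * @drbg: DRBG state; priv_data holds the struct sdesc
   * @outval: receives drbg_blocklen(drbg) bytes of digest
   * @in: list of drbg_string entries, hashed in list order
   *
   * return: 0 on success, otherwise the error of the first failing shash
   *         call. init and update are checked as well as final, so a
   *         partially computed digest can never be taken for a valid one.
   */
  static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
                             const struct list_head *in)
  {
      struct sdesc *sdesc = drbg->priv_data;
      struct drbg_string *input = NULL;
      int ret;

      ret = crypto_shash_init(&sdesc->shash);
      if (ret)
          return ret;

      list_for_each_entry(input, in, list) {
          ret = crypto_shash_update(&sdesc->shash, input->buf, input->len);
          if (ret)
              return ret;
      }

      return crypto_shash_final(&sdesc->shash, outval);
  }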
  1331. #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
  1332. #ifdef CONFIG_CRYPTO_DRBG_CTR
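  /*
   * Release everything drbg_init_sym_kernel allocated: the expanded AES key,
   * the CTR cipher handle and request, and the output scratchpad.
   * Safe to call on a partially initialized state.
   *
   * The key object and the scratchpad (which carries keystream / output
   * between requests) are freed with kfree_sensitive so their contents are
   * scrubbed before the memory is returned.
   *
   * return: 0 always
   */
  static int drbg_fini_sym_kernel(struct drbg_state *drbg)
  {
      struct aes_enckey *aeskey = drbg->priv_data;
      struct crypto_skcipher *handle = drbg->ctr_handle;
      struct skcipher_request *req = drbg->ctr_req;

      drbg->priv_data = NULL;
      drbg->ctr_handle = NULL;
      drbg->ctr_req = NULL;

      kfree_sensitive(aeskey);
      /* the handle is released before the request that references it, as before */
      if (handle)
          crypto_free_skcipher(handle);
      if (req)
          skcipher_request_free(req);

      kfree_sensitive(drbg->outscratchpadbuf);
      drbg->outscratchpadbuf = NULL;
      return 0;
  }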
  /*
   * Allocate the CTR cipher handle, its request and the aligned output
   * scratchpad for the CTR DRBG backend.
   *
   * return: the cipher's alignmask (>= 0) on success, so that the caller can
   *         align its own buffers accordingly; a negative error otherwise,
   *         with everything allocated so far released via
   *         drbg_fini_sym_kernel()
   */
  static int drbg_init_sym_kernel(struct drbg_state *drbg)
  {
      char ctr_name[CRYPTO_MAX_ALG_NAME];
      struct skcipher_request *req;
      struct crypto_skcipher *sk_tfm;
      struct aes_enckey *aeskey;
      unsigned int alignmask;
      int ret;

      aeskey = kzalloc_obj(*aeskey);
      if (!aeskey)
          return -ENOMEM;
      drbg->priv_data = aeskey;

      if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
                   drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
          ret = -EINVAL;
          goto fail;
      }

      sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
      if (IS_ERR(sk_tfm)) {
          pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
                  ctr_name);
          ret = PTR_ERR(sk_tfm);
          goto fail;
      }
      drbg->ctr_handle = sk_tfm;
      crypto_init_wait(&drbg->ctr_wait);

      req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
      if (!req) {
          pr_info("DRBG: could not allocate request queue\n");
          ret = -ENOMEM;
          goto fail;
      }
      drbg->ctr_req = req;
      skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
                                    CRYPTO_TFM_REQ_MAY_SLEEP,
                                    crypto_req_done, &drbg->ctr_wait);

      /* over-allocate by the alignmask so the aligned view still has full size */
      alignmask = crypto_skcipher_alignmask(sk_tfm);
      drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
                                       GFP_KERNEL);
      if (!drbg->outscratchpadbuf) {
          ret = -ENOMEM;
          goto fail;
      }
      drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
                                            alignmask + 1);

      sg_init_table(&drbg->sg_in, 1);
      sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);

      return alignmask;

  fail:
      drbg_fini_sym_kernel(drbg);
      return ret;
  }
  /*
   * Run the CTR cipher to produce @outlen bytes into @outbuf.
   *
   * @drbg: DRBG state; V is handed to the cipher as IV, and ctr_req, sg_in,
   *        sg_out and outscratchpad are reused across calls
   * @inbuf: input to encrypt, or NULL to encrypt zeroes held in the
   *         scratchpad (keystream generation)
   * @inlen: length of @inbuf; ignored and replaced when @inbuf is NULL
   * @outbuf: destination, filled in chunks of at most DRBG_OUTSCRATCHLEN
   * @outlen: number of bytes to produce
   *
   * The cipher always writes into the scratchpad, which is then copied to
   * @outbuf and scrubbed, because @outbuf may not be usable in a
   * scatterlist. The input scatterlist is not advanced between iterations,
   * so with a caller-provided @inbuf shorter than @outlen the same input
   * bytes are consumed again for every chunk -- presumably intended by the
   * callers; confirm before relying on it.
   *
   * return: 0 on success, the cipher error otherwise (the scratchpad is then
   *         left as is)
   */
  static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
                                u8 *inbuf, u32 inlen,
                                u8 *outbuf, u32 outlen)
  {
      struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
      u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
      int ret;

      if (inbuf) {
          /* Use caller-provided input buffer */
          sg_set_buf(sg_in, inbuf, inlen);
      } else {
          /* Use scratchpad for in-place operation */
          inlen = scratchpad_use;
          memset(drbg->outscratchpad, 0, scratchpad_use);
          sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
      }

      while (outlen) {
          u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);

          /* Output buffer may not be valid for SGL, use scratchpad */
          skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
                                     cryptlen, drbg->V);
          ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
                                &drbg->ctr_wait);
          if (ret)
              goto out;

          /* re-arm the wait object for the next request */
          crypto_init_wait(&drbg->ctr_wait);

          memcpy(outbuf, drbg->outscratchpad, cryptlen);
          /* the scratchpad held output material: scrub it before reuse */
          memzero_explicit(drbg->outscratchpad, cryptlen);

          outlen -= cryptlen;
          outbuf += cryptlen;
      }
      ret = 0;

  out:
      return ret;
  }
  1431. #endif /* CONFIG_CRYPTO_DRBG_CTR */
  1432. /***************************************************************
  1433. * Kernel crypto API interface to register DRBG
  1434. ***************************************************************/
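  /*
   * Look up the DRBG core index and the prediction-resistance flag from a
   * kernel crypto API cra_driver_name of the form "drbg_pr_<core>" or
   * "drbg_nopr_<core>", using the drbg_cores table.
   *
   * @cra_driver_name kernel crypto API cra_driver_name, NUL-terminated
   * @coreref set to the index of the matching drbg_cores entry; left
   *          untouched when the name has no known prefix or no core matches
   * @pr set to false for "drbg_nopr_" names, true otherwise
   *
   * All comparisons use strncmp so that neither the driver name nor a core
   * name shorter than the remaining suffix is read past its terminator; the
   * matching semantics (prefix match of the suffix against cra_name) are the
   * same as with the former memcmp.
   */
  static inline void drbg_convert_tfm_core(const char *cra_driver_name,
                                           int *coreref, bool *pr)
  {
      static const char nopr_prefix[] = "drbg_nopr_";
      static const char pr_prefix[] = "drbg_pr_";
      size_t start = 0;
      size_t len = 0;
      int i = 0;

      *pr = true;
      /* disassemble the names */
      if (!strncmp(cra_driver_name, nopr_prefix, sizeof(nopr_prefix) - 1)) {
          start = sizeof(nopr_prefix) - 1;
          *pr = false;
      } else if (!strncmp(cra_driver_name, pr_prefix, sizeof(pr_prefix) - 1)) {
          start = sizeof(pr_prefix) - 1;
      } else {
          return;
      }

      /* remove the first part */
      len = strlen(cra_driver_name) - start;
      for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
          /* strncmp stops at the NUL of a shorter core name */
          if (!strncmp(cra_driver_name + start, drbg_cores[i].cra_name,
                       len)) {
              *coreref = i;
              return;
          }
      }
  }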
  /*
   * Kernel crypto API tfm constructor: only the mutex is set up here, the
   * DRBG itself is instantiated later through the seed callback.
   *
   * return: 0 always
   */
  static int drbg_kcapi_init(struct crypto_tfm *tfm)
  {
      struct drbg_state *drbg = crypto_tfm_ctx(tfm);
      struct mutex *lock = &drbg->drbg_mutex;

      mutex_init(lock);
      return 0;
  }
  /* Kernel crypto API tfm destructor: tear the DRBG state down. */
  static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
  {
      struct drbg_state *drbg = crypto_tfm_ctx(tfm);

      drbg_uninstantiate(drbg);
  }
  /*
   * Generate random numbers invoked by the kernel crypto API:
   * The API of the kernel crypto API is extended as follows:
   *
   * src is additional input supplied to the RNG (ignored when slen is 0).
   * slen is the length of src.
   * dst is the output buffer where random data is to be stored.
   * dlen is the length of dst.
   *
   * return: see drbg_generate_long
   */
  static int drbg_kcapi_random(struct crypto_rng *tfm,
                               const u8 *src, unsigned int slen,
                               u8 *dst, unsigned int dlen)
  {
      struct drbg_state *drbg = crypto_rng_ctx(tfm);
      struct drbg_string string;

      if (!slen)
          return drbg_generate_long(drbg, dst, dlen, NULL);

      /* linked list variable is now local to allow modification */
      drbg_string_fill(&string, src, slen);
      return drbg_generate_long(drbg, dst, dlen, &string);
  }
  /*
   * Seed the DRBG invoked by the kernel crypto API: derive the core and the
   * prediction-resistance setting from the tfm's driver name, then
   * instantiate (or reseed) with @seed as personalization string.
   *
   * return: see drbg_instantiate
   */
  static int drbg_kcapi_seed(struct crypto_rng *tfm,
                             const u8 *seed, unsigned int slen)
  {
      struct drbg_state *drbg = crypto_rng_ctx(tfm);
      struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
      const char *driver_name = crypto_tfm_alg_driver_name(tfm_base);
      struct drbg_string string;
      bool pr = false;
      int coreref = 0;

      drbg_convert_tfm_core(driver_name, &coreref, &pr);

      if (!slen)
          return drbg_instantiate(drbg, NULL, coreref, pr);

      drbg_string_fill(&string, seed, slen);
      return drbg_instantiate(drbg, &string, coreref, pr);
  }
  1525. /***************************************************************
  1526. * Kernel module: code to load the module
  1527. ***************************************************************/
  1528. /*
  1529. * Tests as defined in 11.3.2 in addition to the cipher tests: testing
  1530. * of the error handling.
  1531. *
  1532. * Note: testing of failing seed source as defined in 11.3.2 is not applicable
  1533. * as seed source of get_random_bytes does not fail.
  1534. *
  1535. * Note 2: There is no sensible way of testing the reseed counter
  1536. * enforcement, so skip it.
  1537. */
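#define OUTBUFLEN 16

/*
 * Run the three error-path probes against a prepared, unseeded DRBG state.
 *
 * @drbg: allocated state with ->core and ->reseed_threshold already set.
 *
 * Each request carries a length beyond the DRBG's configured maximum while
 * the backing buffer is only OUTBUFLEN bytes, so the input validation must
 * reject it before a single byte of buf is read or written. If it does
 * not, the result is an out-of-bounds access and, ideally, an OOPS -- that
 * is the intended outcome, because a DRBG accepting such requests is a
 * grave bug. A rejection is reported as a negative error code, so BUG_ON()
 * fires on anything >= 0 (a zero return is not an error code and must not
 * pass either).
 *
 * The mutex guard is taken here, in a scope that ends before the caller
 * frees @drbg, so that whatever the guard does at scope exit operates on
 * memory that is still allocated.
 */
static void __init drbg_healthcheck_run(struct drbg_state *drbg)
{
	unsigned char buf[OUTBUFLEN];
	struct drbg_string addtl;
	size_t max_addtllen = drbg_max_addtl(drbg);
	size_t max_request_bytes = drbg_max_request_bytes(drbg);
	int ret;

	guard(mutex_init)(&drbg->drbg_mutex);

	/* buf is deliberately uninitialized: nothing below may read it. */
	drbg_string_fill(&addtl, buf, max_addtllen + 1);

	/* additional input one byte longer than the maximum */
	ret = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
	BUG_ON(ret >= 0);

	/* output request one byte longer than the maximum */
	ret = drbg_generate(drbg, buf, max_request_bytes + 1, NULL);
	BUG_ON(ret >= 0);

	/* personalization string one byte longer than the maximum */
	ret = drbg_seed(drbg, &addtl, false);
	BUG_ON(ret >= 0);
}

/*
 * Sanity test of the DRBG's error handling (SP 800-90A section 11.3.2).
 *
 * Only performed when fips_enabled is set; otherwise returns 0 without
 * doing anything. Returns -ENOMEM if the scratch state cannot be
 * allocated, 0 on success; a failed probe does not return at all
 * (BUG_ON()).
 */
static inline int __init drbg_healthcheck_sanity(void)
{
	struct drbg_state *drbg;
	int coreref = 0;
	bool pr = false;

	/* only perform test in FIPS mode */
	if (!fips_enabled)
		return 0;

	/*
	 * Pick one compiled-in core for the probes. Each block overwrites
	 * coreref/pr, so when several cores are built the last one below
	 * wins (HMAC over Hash over CTR).
	 */
#ifdef CONFIG_CRYPTO_DRBG_CTR
	drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#endif
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr);
#endif

	drbg = kzalloc_obj(struct drbg_state);
	if (!drbg)
		return -ENOMEM;
	drbg->core = &drbg_cores[coreref];
	drbg->reseed_threshold = drbg_max_requests(drbg);

	drbg_healthcheck_run(drbg);

	pr_devel("DRBG: Sanity tests for failure code paths successfully "
		 "completed\n");
	kfree(drbg);
	return 0;
}
#undef OUTBUFLEN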
/*
 * Registration records for every DRBG instance, two per core (with and
 * without prediction resistance). drbg_init() checks at runtime that these
 * 22 slots cover 2 * ARRAY_SIZE(drbg_cores); drbg_fill_array() fills in
 * the names and callbacks. Being static, the array starts zeroed.
 */
static struct rng_alg drbg_algs[22];
  1595. /*
  1596. * Fill the array drbg_algs used to register the different DRBGs
  1597. * with the kernel crypto API. To fill the array, the information
  1598. * from drbg_cores[] is used.
  1599. */
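/*
 * Fill one drbg_algs slot from a drbg_cores[] entry.
 *
 * @alg:  the registration record to fill.
 * @core: the DRBG core it describes.
 * @pr:   non-zero to register the prediction-resistance variant.
 *
 * Every instance registers under the generic name "stdrng"; the driver
 * name (prefix + core name, e.g. "drbg_nopr_hmac_sha512") is what tells
 * them apart and is what drbg_kcapi_seed() later parses to recover the
 * core and the PR setting. Both names are written bounded and
 * NUL-terminated: unlike a raw memcpy() of a fixed byte count, the result
 * does not depend on the destination being pre-zeroed and an overlong core
 * name cannot run past cra_driver_name (it is truncated instead).
 */
static inline void __init drbg_fill_array(struct rng_alg *alg,
					  const struct drbg_core *core, int pr)
{
	static int priority = 200;
	const char *prefix = pr ? "drbg_pr_" : "drbg_nopr_";

	snprintf(alg->base.cra_name, sizeof(alg->base.cra_name), "stdrng");
	snprintf(alg->base.cra_driver_name, sizeof(alg->base.cra_driver_name),
		 "%s%s", prefix, core->cra_name);

	/*
	 * Priority grows with each instance filled, so later instances win
	 * the generic "stdrng" lookup. In FIPS mode every DRBG gets an extra
	 * +200 so that it outranks any other stdrng provider.
	 */
	alg->base.cra_priority = priority++;
	if (fips_enabled)
		alg->base.cra_priority += 200;

	alg->base.cra_ctxsize = sizeof(struct drbg_state);
	alg->base.cra_module = THIS_MODULE;
	alg->base.cra_init = drbg_kcapi_init;
	alg->base.cra_exit = drbg_kcapi_cleanup;
	alg->generate = drbg_kcapi_random;
	alg->seed = drbg_kcapi_seed;
	alg->set_ent = drbg_kcapi_set_entropy;
	/* No caller seed is required; drbg_kcapi_seed() accepts slen == 0. */
	alg->seedsize = 0;
}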
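/*
 * Module entry point: run the FIPS error-path sanity check, then register
 * every DRBG core twice (with and without prediction resistance).
 *
 * Returns 0 on success, the sanity-check error, -EFAULT when drbg_algs has
 * too few slots, or the result of crypto_register_rngs().
 */
static int __init drbg_init(void)
{
	unsigned int i = 0; /* next free slot in drbg_algs */
	unsigned int j;     /* index into drbg_cores */
	int ret;

	ret = drbg_healthcheck_sanity();
	if (ret)
		return ret;

	/*
	 * Each core is registered twice, so drbg_algs needs
	 * 2 * ARRAY_SIZE(drbg_cores) slots. (The message previously lacked
	 * the space before the parenthesis.)
	 */
	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
		pr_info("DRBG: Cannot register all DRBG types "
			"(slots needed: %zu, slots available: %zu)\n",
			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
		return -EFAULT;
	}

	/*
	 * drbg_fill_array() hands out increasing priorities in call order,
	 * so the instances filled last are preferred for the generic
	 * "stdrng" name. The prediction-resistance variants therefore go
	 * first, as they should not be the default choice.
	 */
	for (j = 0; j < ARRAY_SIZE(drbg_cores); j++, i++)
		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
	for (j = 0; j < ARRAY_SIZE(drbg_cores); j++, i++)
		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);

	return crypto_register_rngs(drbg_algs, ARRAY_SIZE(drbg_cores) * 2);
}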
/*
 * Module exit: unregister every instance drbg_init() registered, i.e.
 * two per core (PR and non-PR).
 */
static void __exit drbg_exit(void)
{
	const unsigned int count = ARRAY_SIZE(drbg_cores) * 2;

	crypto_unregister_rngs(drbg_algs, count);
}
module_init(drbg_init);
module_exit(drbg_exit);

/*
 * Per-core description fragments, presumably defined elsewhere when the
 * matching core is compiled in (cf. the CONFIG_CRYPTO_DRBG_* checks in
 * drbg_healthcheck_sanity()); default each to "" so that the
 * MODULE_DESCRIPTION string below concatenates cleanly in any
 * configuration.
 */
#ifndef CRYPTO_DRBG_HASH_STRING
#define CRYPTO_DRBG_HASH_STRING ""
#endif
#ifndef CRYPTO_DRBG_HMAC_STRING
#define CRYPTO_DRBG_HMAC_STRING ""
#endif
#ifndef CRYPTO_DRBG_CTR_STRING
#define CRYPTO_DRBG_CTR_STRING ""
#endif

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
		   "using following cores: "
		   CRYPTO_DRBG_HASH_STRING
		   CRYPTO_DRBG_HMAC_STRING
		   CRYPTO_DRBG_CTR_STRING);
/* "stdrng" is the generic cra_name every instance registers under. */
MODULE_ALIAS_CRYPTO("stdrng");
MODULE_IMPORT_NS("CRYPTO_INTERNAL");