LXR linux/crypto/ansi

   1/*
   2 * PRNG: Pseudo Random Number Generator
   3 *       Based on NIST Recommended PRNG From ANSI X9.31 Appendix A.2.4 using
   4 *       AES 128 cipher
   5 *
   6 *  (C) Neil Horman <nhorman@tuxdriver.com>
   7 *
   8 *  This program is free software; you can redistribute it and/or modify it
   9 *  under the terms of the GNU General Public License as published by the
  10 *  Free Software Foundation; either version 2 of the License, or (at your
  11 *  any later version.
  12 *
  13 *
  14 */
  15
  16#include <crypto/internal/rng.h>
  17#include <linux/err.h>
  18#include <linux/init.h>
  19#include <linux/module.h>
  20#include <linux/moduleparam.h>
  21#include <linux/string.h>
  22
  23#define DEFAULT_PRNG_KEY "0123456789abcdef"
  24#define DEFAULT_PRNG_KSZ 16
  25#define DEFAULT_BLK_SZ 16
  26#define DEFAULT_V_SEED "zaybxcwdveuftgsh"
  27
  28/*
  29 * Flags for the prng_context flags field
  30 */
  31
  32#define PRNG_FIXED_SIZE 0x1
  33#define PRNG_NEED_RESET 0x2
  34
  35/*
  36 * Note: DT is our counter value
  37 *       I is our intermediate value
  38 *       V is our seed vector
  39 * See http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
  40 * for implementation details
  41 */
  42
  43
  44struct prng_context {
  45        spinlock_t prng_lock;
  46        unsigned char rand_data[DEFAULT_BLK_SZ];
  47        unsigned char last_rand_data[DEFAULT_BLK_SZ];
  48        unsigned char DT[DEFAULT_BLK_SZ];
  49        unsigned char I[DEFAULT_BLK_SZ];
  50        unsigned char V[DEFAULT_BLK_SZ];
  51        u32 rand_data_valid;
  52        struct crypto_cipher *tfm;
  53        u32 flags;
  54};
  55
  56static int dbg;
  57
  58static void hexdump(char *note, unsigned char *buf, unsigned int len)
  59{
  60        if (dbg) {
  61                printk(KERN_CRIT "%s", note);
  62                print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
  63                                16, 1,
  64                                buf, len, false);
  65        }
  66}
  67
  68#define dbgprint(format, args...) do {\
  69if (dbg)\
  70        printk(format, ##args);\
  71} while (0)
  72
  73static void xor_vectors(unsigned char *in1, unsigned char *in2,
  74                        unsigned char *out, unsigned int size)
  75{
  76        int i;
  77
  78        for (i = 0; i < size; i++)
  79                out[i] = in1[i] ^ in2[i];
  80
  81}
  82/*
  83 * Returns DEFAULT_BLK_SZ bytes of random data per call
  84 * returns 0 if generation succeeded, <0 if something went wrong
  85 */
  86static int _get_more_prng_bytes(struct prng_context *ctx, int cont_test)
  87{
  88        int i;
  89        unsigned char tmp[DEFAULT_BLK_SZ];
  90        unsigned char *output = NULL;
  91
  92
  93        dbgprint(KERN_CRIT "Calling _get_more_prng_bytes for context %p\n",
  94                ctx);
  95
  96        hexdump("Input DT: ", ctx->DT, DEFAULT_BLK_SZ);
  97        hexdump("Input I: ", ctx->I, DEFAULT_BLK_SZ);
  98        hexdump("Input V: ", ctx->V, DEFAULT_BLK_SZ);
  99
 100        /*
 101         * This algorithm is a 3 stage state machine
 102         */
 103        for (i = 0; i < 3; i++) {
 104
 105                switch (i) {
 106                case 0:
 107                        /*
 108                         * Start by encrypting the counter value
 109                         * This gives us an intermediate value I
 110                         */
 111                        memcpy(tmp, ctx->DT, DEFAULT_BLK_SZ);
 112                        output = ctx->I;
 113                        hexdump("tmp stage 0: ", tmp, DEFAULT_BLK_SZ);
 114                        break;
 115                case 1:
 116
 117                        /*
 118                         * Next xor I with our secret vector V
 119                         * encrypt that result to obtain our
 120                         * pseudo random data which we output
 121                         */
 122                        xor_vectors(ctx->I, ctx->V, tmp, DEFAULT_BLK_SZ);
 123                        hexdump("tmp stage 1: ", tmp, DEFAULT_BLK_SZ);
 124                        output = ctx->rand_data;
 125                        break;
 126                case 2:
 127                        /*
 128                         * First check that we didn't produce the same
 129                         * random data that we did last time around through this
 130                         */
 131                        if (!memcmp(ctx->rand_data, ctx->last_rand_data,
 132                                        DEFAULT_BLK_SZ)) {
 133                                if (cont_test) {
 134                                        panic("cprng %p Failed repetition check!\n",
 135                                                ctx);
 136                                }
 137
 138                                printk(KERN_ERR
 139                                        "ctx %p Failed repetition check!\n",
 140                                        ctx);
 141
 142                                ctx->flags |= PRNG_NEED_RESET;
 143                                return -EINVAL;
 144                        }
 145                        memcpy(ctx->last_rand_data, ctx->rand_data,
 146                                DEFAULT_BLK_SZ);
 147
 148                        /*
 149                         * Lastly xor the random data with I
 150                         * and encrypt that to obtain a new secret vector V
 151                         */
 152                        xor_vectors(ctx->rand_data, ctx->I, tmp,
 153                                DEFAULT_BLK_SZ);
 154                        output = ctx->V;
 155                        hexdump("tmp stage 2: ", tmp, DEFAULT_BLK_SZ);
 156                        break;
 157                }
 158
 159
 160                /* do the encryption */
 161                crypto_cipher_encrypt_one(ctx->tfm, output, tmp);
 162
 163        }
 164
 165        /*
 166         * Now update our DT value
 167         */
 168        for (i = DEFAULT_BLK_SZ - 1; i >= 0; i--) {
 169                ctx->DT[i] += 1;
 170                if (ctx->DT[i] != 0)
 171                        break;
 172        }
 173
 174        dbgprint("Returning new block for context %p\n", ctx);
 175        ctx->rand_data_valid = 0;
 176
 177        hexdump("Output DT: ", ctx->DT, DEFAULT_BLK_SZ);
 178        hexdump("Output I: ", ctx->I, DEFAULT_BLK_SZ);
 179        hexdump("Output V: ", ctx->V, DEFAULT_BLK_SZ);
 180        hexdump("New Random Data: ", ctx->rand_data, DEFAULT_BLK_SZ);
 181
 182        return 0;
 183}
 184
 185/* Our exported functions */
 186static int get_prng_bytes(char *buf, size_t nbytes, struct prng_context *ctx,
 187                                int do_cont_test)
 188{
 189        unsigned char *ptr = buf;
 190        unsigned int byte_count = (unsigned int)nbytes;
 191        int err;
 192
 193
 194        spin_lock_bh(&ctx->prng_lock);
 195
 196        err = -EINVAL;
 197        if (ctx->flags & PRNG_NEED_RESET)
 198                goto done;
 199
 200        /*
 201         * If the FIXED_SIZE flag is on, only return whole blocks of
 202         * pseudo random data
 203         */
 204        err = -EINVAL;
 205        if (ctx->flags & PRNG_FIXED_SIZE) {
 206                if (nbytes < DEFAULT_BLK_SZ)
 207                        goto done;
 208                byte_count = DEFAULT_BLK_SZ;
 209        }
 210
 211        /*
 212         * Return 0 in case of success as mandated by the kernel
 213         * crypto API interface definition.
 214         */
 215        err = 0;
 216
 217        dbgprint(KERN_CRIT "getting %d random bytes for context %p\n",
 218                byte_count, ctx);
 219
 220
 221remainder:
 222        if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
 223                if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
 224                        memset(buf, 0, nbytes);
 225                        err = -EINVAL;
 226                        goto done;
 227                }
 228        }
 229
 230        /*
 231         * Copy any data less than an entire block
 232         */
 233        if (byte_count < DEFAULT_BLK_SZ) {
 234empty_rbuf:
 235                while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
 236                        *ptr = ctx->rand_data[ctx->rand_data_valid];
 237                        ptr++;
 238                        byte_count--;
 239                        ctx->rand_data_valid++;
 240                        if (byte_count == 0)
 241                                goto done;
 242                }
 243        }
 244
 245        /*
 246         * Now copy whole blocks
 247         */
 248        for (; byte_count >= DEFAULT_BLK_SZ; byte_count -= DEFAULT_BLK_SZ) {
 249                if (ctx->rand_data_valid == DEFAULT_BLK_SZ) {
 250                        if (_get_more_prng_bytes(ctx, do_cont_test) < 0) {
 251                                memset(buf, 0, nbytes);
 252                                err = -EINVAL;
 253                                goto done;
 254                        }
 255                }
 256                if (ctx->rand_data_valid > 0)
 257                        goto empty_rbuf;
 258                memcpy(ptr, ctx->rand_data, DEFAULT_BLK_SZ);
 259                ctx->rand_data_valid += DEFAULT_BLK_SZ;
 260                ptr += DEFAULT_BLK_SZ;
 261        }
 262
 263        /*
 264         * Now go back and get any remaining partial block
 265         */
 266        if (byte_count)
 267                goto remainder;
 268
 269done:
 270        spin_unlock_bh(&ctx->prng_lock);
 271        dbgprint(KERN_CRIT "returning %d from get_prng_bytes in context %p\n",
 272                err, ctx);
 273        return err;
 274}
 275
 276static void free_prng_context(struct prng_context *ctx)
 277{
 278        crypto_free_cipher(ctx->tfm);
 279}
 280
 281static int reset_prng_context(struct prng_context *ctx,
 282                              const unsigned char *key, size_t klen,
 283                              const unsigned char *V, const unsigned char *DT)
 284{
 285        int ret;
 286        const unsigned char *prng_key;
 287
 288        spin_lock_bh(&ctx->prng_lock);
 289        ctx->flags |= PRNG_NEED_RESET;
 290
 291        prng_key = (key != NULL) ? key : (unsigned char *)DEFAULT_PRNG_KEY;
 292
 293        if (!key)
 294                klen = DEFAULT_PRNG_KSZ;
 295
 296        if (V)
 297                memcpy(ctx->V, V, DEFAULT_BLK_SZ);
 298        else
 299                memcpy(ctx->V, DEFAULT_V_SEED, DEFAULT_BLK_SZ);
 300
 301        if (DT)
 302                memcpy(ctx->DT, DT, DEFAULT_BLK_SZ);
 303        else
 304                memset(ctx->DT, 0, DEFAULT_BLK_SZ);
 305
 306        memset(ctx->rand_data, 0, DEFAULT_BLK_SZ);
 307        memset(ctx->last_rand_data, 0, DEFAULT_BLK_SZ);
 308
 309        ctx->rand_data_valid = DEFAULT_BLK_SZ;
 310
 311        ret = crypto_cipher_setkey(ctx->tfm, prng_key, klen);
 312        if (ret) {
 313                dbgprint(KERN_CRIT "PRNG: setkey() failed flags=%x\n",
 314                        crypto_cipher_get_flags(ctx->tfm));
 315                goto out;
 316        }
 317
 318        ret = 0;
 319        ctx->flags &= ~PRNG_NEED_RESET;
 320out:
 321        spin_unlock_bh(&ctx->prng_lock);
 322        return ret;
 323}
 324
 325static int cprng_init(struct crypto_tfm *tfm)
 326{
 327        struct prng_context *ctx = crypto_tfm_ctx(tfm);
 328
 329        spin_lock_init(&ctx->prng_lock);
 330        ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
 331        if (IS_ERR(ctx->tfm)) {
 332                dbgprint(KERN_CRIT "Failed to alloc tfm for context %p\n",
 333                                ctx);
 334                return PTR_ERR(ctx->tfm);
 335        }
 336
 337        if (reset_prng_context(ctx, NULL, DEFAULT_PRNG_KSZ, NULL, NULL) < 0)
 338                return -EINVAL;
 339
 340        /*
 341         * after allocation, we should always force the user to reset
 342         * so they don't inadvertently use the insecure default values
 343         * without specifying them intentially
 344         */
 345        ctx->flags |= PRNG_NEED_RESET;
 346        return 0;
 347}
 348
 349static void cprng_exit(struct crypto_tfm *tfm)
 350{
 351        free_prng_context(crypto_tfm_ctx(tfm));
 352}
 353
 354static int cprng_get_random(struct crypto_rng *tfm,
 355                            const u8 *src, unsigned int slen,
 356                            u8 *rdata, unsigned int dlen)
 357{
 358        struct prng_context *prng = crypto_rng_ctx(tfm);
 359
 360        return get_prng_bytes(rdata, dlen, prng, 0);
 361}
 362
 363/*
 364 *  This is the cprng_registered reset method the seed value is
 365 *  interpreted as the tuple { V KEY DT}
 366 *  V and KEY are required during reset, and DT is optional, detected
 367 *  as being present by testing the length of the seed
 368 */
 369static int cprng_reset(struct crypto_rng *tfm,
 370                       const u8 *seed, unsigned int slen)
 371{
 372        struct prng_context *prng = crypto_rng_ctx(tfm);
 373        const u8 *key = seed + DEFAULT_BLK_SZ;
 374        const u8 *dt = NULL;
 375
 376        if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
 377                return -EINVAL;
 378
 379        if (slen >= (2 * DEFAULT_BLK_SZ + DEFAULT_PRNG_KSZ))
 380                dt = key + DEFAULT_PRNG_KSZ;
 381
 382        reset_prng_context(prng, key, DEFAULT_PRNG_KSZ, seed, dt);
 383
 384        if (prng->flags & PRNG_NEED_RESET)
 385                return -EINVAL;
 386        return 0;
 387}
 388
 389#ifdef CONFIG_CRYPTO_FIPS
 390static int fips_cprng_get_random(struct crypto_rng *tfm,
 391                                 const u8 *src, unsigned int slen,
 392                                 u8 *rdata, unsigned int dlen)
 393{
 394        struct prng_context *prng = crypto_rng_ctx(tfm);
 395
 396        return get_prng_bytes(rdata, dlen, prng, 1);
 397}
 398
 399static int fips_cprng_reset(struct crypto_rng *tfm,
 400                            const u8 *seed, unsigned int slen)
 401{
 402        u8 rdata[DEFAULT_BLK_SZ];
 403        const u8 *key = seed + DEFAULT_BLK_SZ;
 404        int rc;
 405
 406        struct prng_context *prng = crypto_rng_ctx(tfm);
 407
 408        if (slen < DEFAULT_PRNG_KSZ + DEFAULT_BLK_SZ)
 409                return -EINVAL;
 410
 411        /* fips strictly requires seed != key */
 412        if (!memcmp(seed, key, DEFAULT_PRNG_KSZ))
 413                return -EINVAL;
 414
 415        rc = cprng_reset(tfm, seed, slen);
 416
 417        if (!rc)
 418                goto out;
 419
 420        /* this primes our continuity test */
 421        rc = get_prng_bytes(rdata, DEFAULT_BLK_SZ, prng, 0);
 422        prng->rand_data_valid = DEFAULT_BLK_SZ;
 423
 424out:
 425        return rc;
 426}
 427#endif
 428
 429static struct rng_alg rng_algs[] = { {
 430        .generate               = cprng_get_random,
 431        .seed                   = cprng_reset,
 432        .seedsize               = DEFAULT_PRNG_KSZ + 2 * DEFAULT_BLK_SZ,
 433        .base                   =       {
 434                .cra_name               = "stdrng",
 435                .cra_driver_name        = "ansi_cprng",
 436                .cra_priority           = 100,
 437                .cra_ctxsize            = sizeof(struct prng_context),
 438                .cra_module             = THIS_MODULE,
 439                .cra_init               = cprng_init,
 440                .cra_exit               = cprng_exit,
 441        }
 442#ifdef CONFIG_CRYPTO_FIPS
 443}, {
 444        .generate               = fips_cprng_get_random,
 445        .seed                   = fips_cprng_reset,
 446        .seedsize               = DEFAULT_PRNG_KSZ + 2 * DEFAULT_BLK_SZ,
 447        .base                   =       {
 448                .cra_name               = "fips(ansi_cprng)",
 449                .cra_driver_name        = "fips_ansi_cprng",
 450                .cra_priority           = 300,
 451                .cra_ctxsize            = sizeof(struct prng_context),
 452                .cra_module             = THIS_MODULE,
 453                .cra_init               = cprng_init,
 454                .cra_exit               = cprng_exit,
 455        }
 456#endif
 457} };
 458
 459/* Module initalization */
 460static int __init prng_mod_init(void)
 461{
 462        return crypto_register_rngs(rng_algs, ARRAY_SIZE(rng_algs));
 463}
 464
 465static void __exit prng_mod_fini(void)
 466{
 467        crypto_unregister_rngs(rng_algs, ARRAY_SIZE(rng_algs));
 468}
 469
 470MODULE_LICENSE("GPL");
 471MODULE_DESCRIPTION("Software Pseudo Random Number Generator");
 472MODULE_AUTHOR("Neil Horman <nhorman@tuxdriver.com>");
 473module_param(dbg, int, 0);
 474MODULE_PARM_DESC(dbg, "Boolean to enable debugging (0/1 == off/on)");
 475module_init(prng_mod_init);
 476module_exit(prng_mod_fini);
 477MODULE_ALIAS_CRYPTO("stdrng");
 478MODULE_ALIAS_CRYPTO("ansi_cprng");
 479