1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100#include <crypto/drbg.h>
101#include <linux/kernel.h>
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116static const struct drbg_core drbg_cores[] = {
117#ifdef CONFIG_CRYPTO_DRBG_CTR
118 {
119 .flags = DRBG_CTR | DRBG_STRENGTH128,
120 .statelen = 32,
121 .blocklen_bytes = 16,
122 .cra_name = "ctr_aes128",
123 .backend_cra_name = "aes",
124 }, {
125 .flags = DRBG_CTR | DRBG_STRENGTH192,
126 .statelen = 40,
127 .blocklen_bytes = 16,
128 .cra_name = "ctr_aes192",
129 .backend_cra_name = "aes",
130 }, {
131 .flags = DRBG_CTR | DRBG_STRENGTH256,
132 .statelen = 48,
133 .blocklen_bytes = 16,
134 .cra_name = "ctr_aes256",
135 .backend_cra_name = "aes",
136 },
137#endif
138#ifdef CONFIG_CRYPTO_DRBG_HASH
139 {
140 .flags = DRBG_HASH | DRBG_STRENGTH128,
141 .statelen = 55,
142 .blocklen_bytes = 20,
143 .cra_name = "sha1",
144 .backend_cra_name = "sha1",
145 }, {
146 .flags = DRBG_HASH | DRBG_STRENGTH256,
147 .statelen = 111,
148 .blocklen_bytes = 48,
149 .cra_name = "sha384",
150 .backend_cra_name = "sha384",
151 }, {
152 .flags = DRBG_HASH | DRBG_STRENGTH256,
153 .statelen = 111,
154 .blocklen_bytes = 64,
155 .cra_name = "sha512",
156 .backend_cra_name = "sha512",
157 }, {
158 .flags = DRBG_HASH | DRBG_STRENGTH256,
159 .statelen = 55,
160 .blocklen_bytes = 32,
161 .cra_name = "sha256",
162 .backend_cra_name = "sha256",
163 },
164#endif
165#ifdef CONFIG_CRYPTO_DRBG_HMAC
166 {
167 .flags = DRBG_HMAC | DRBG_STRENGTH128,
168 .statelen = 20,
169 .blocklen_bytes = 20,
170 .cra_name = "hmac_sha1",
171 .backend_cra_name = "hmac(sha1)",
172 }, {
173 .flags = DRBG_HMAC | DRBG_STRENGTH256,
174 .statelen = 48,
175 .blocklen_bytes = 48,
176 .cra_name = "hmac_sha384",
177 .backend_cra_name = "hmac(sha384)",
178 }, {
179 .flags = DRBG_HMAC | DRBG_STRENGTH256,
180 .statelen = 64,
181 .blocklen_bytes = 64,
182 .cra_name = "hmac_sha512",
183 .backend_cra_name = "hmac(sha512)",
184 }, {
185 .flags = DRBG_HMAC | DRBG_STRENGTH256,
186 .statelen = 32,
187 .blocklen_bytes = 32,
188 .cra_name = "hmac_sha256",
189 .backend_cra_name = "hmac(sha256)",
190 },
191#endif
192};
193
194static int drbg_uninstantiate(struct drbg_state *drbg);
195
196
197
198
199
200
201
202
203
204
205
206
207
208static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209{
210 switch (flags & DRBG_STRENGTH_MASK) {
211 case DRBG_STRENGTH128:
212 return 16;
213 case DRBG_STRENGTH192:
214 return 24;
215 case DRBG_STRENGTH256:
216 return 32;
217 default:
218 return 32;
219 }
220}
221
222
223
224
225
226
227
228
229
230#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
231static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
232{
233 struct s {
234 __be32 conv;
235 };
236 struct s *conversion = (struct s *) buf;
237
238 conversion->conv = cpu_to_be32(val);
239}
240#endif
241
242
243
244
245
246#ifdef CONFIG_CRYPTO_DRBG_CTR
247#define CRYPTO_DRBG_CTR_STRING "CTR "
248MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
249MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
250MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
251MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
252MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
253MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
254
255static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
256 const unsigned char *key);
257static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
258 const struct drbg_string *in);
259static int drbg_init_sym_kernel(struct drbg_state *drbg);
260static int drbg_fini_sym_kernel(struct drbg_state *drbg);
261static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
262 u8 *inbuf, u32 inbuflen,
263 u8 *outbuf, u32 outlen);
264#define DRBG_CTR_NULL_LEN 128
265#define DRBG_OUTSCRATCHLEN DRBG_CTR_NULL_LEN
266
267
268static int drbg_ctr_bcc(struct drbg_state *drbg,
269 unsigned char *out, const unsigned char *key,
270 struct list_head *in)
271{
272 int ret = 0;
273 struct drbg_string *curr = NULL;
274 struct drbg_string data;
275 short cnt = 0;
276
277 drbg_string_fill(&data, out, drbg_blocklen(drbg));
278
279
280 drbg_kcapi_symsetkey(drbg, key);
281 list_for_each_entry(curr, in, list) {
282 const unsigned char *pos = curr->buf;
283 size_t len = curr->len;
284
285 while (len) {
286
287 if (drbg_blocklen(drbg) == cnt) {
288 cnt = 0;
289 ret = drbg_kcapi_sym(drbg, out, &data);
290 if (ret)
291 return ret;
292 }
293 out[cnt] ^= *pos;
294 pos++;
295 cnt++;
296 len--;
297 }
298 }
299
300 if (cnt)
301 ret = drbg_kcapi_sym(drbg, out, &data);
302
303 return ret;
304}
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346static int drbg_ctr_df(struct drbg_state *drbg,
347 unsigned char *df_data, size_t bytes_to_return,
348 struct list_head *seedlist)
349{
350 int ret = -EFAULT;
351 unsigned char L_N[8];
352
353 struct drbg_string S1, S2, S4, cipherin;
354 LIST_HEAD(bcc_list);
355 unsigned char *pad = df_data + drbg_statelen(drbg);
356 unsigned char *iv = pad + drbg_blocklen(drbg);
357 unsigned char *temp = iv + drbg_blocklen(drbg);
358 size_t padlen = 0;
359 unsigned int templen = 0;
360
361 unsigned int i = 0;
362
363 const unsigned char *K = (unsigned char *)
364 "\x00\x01\x02\x03\x04\x05\x06\x07"
365 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
366 "\x10\x11\x12\x13\x14\x15\x16\x17"
367 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
368 unsigned char *X;
369 size_t generated_len = 0;
370 size_t inputlen = 0;
371 struct drbg_string *seed = NULL;
372
373 memset(pad, 0, drbg_blocklen(drbg));
374 memset(iv, 0, drbg_blocklen(drbg));
375
376
377
378
379 if ((512/8) < bytes_to_return)
380 return -EINVAL;
381
382
383 list_for_each_entry(seed, seedlist, list)
384 inputlen += seed->len;
385 drbg_cpu_to_be32(inputlen, &L_N[0]);
386
387
388 drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
389
390
391 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
392
393 if (padlen)
394 padlen = drbg_blocklen(drbg) - padlen;
395
396
397
398
399
400 padlen++;
401 pad[0] = 0x80;
402
403
404 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
405 list_add_tail(&S1.list, &bcc_list);
406 drbg_string_fill(&S2, L_N, sizeof(L_N));
407 list_add_tail(&S2.list, &bcc_list);
408 list_splice_tail(seedlist, &bcc_list);
409 drbg_string_fill(&S4, pad, padlen);
410 list_add_tail(&S4.list, &bcc_list);
411
412
413 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
414
415
416
417
418
419 drbg_cpu_to_be32(i, iv);
420
421 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
422 if (ret)
423 goto out;
424
425 i++;
426 templen += drbg_blocklen(drbg);
427 }
428
429
430 X = temp + (drbg_keylen(drbg));
431 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
432
433
434
435
436 drbg_kcapi_symsetkey(drbg, temp);
437 while (generated_len < bytes_to_return) {
438 short blocklen = 0;
439
440
441
442
443
444 ret = drbg_kcapi_sym(drbg, X, &cipherin);
445 if (ret)
446 goto out;
447 blocklen = (drbg_blocklen(drbg) <
448 (bytes_to_return - generated_len)) ?
449 drbg_blocklen(drbg) :
450 (bytes_to_return - generated_len);
451
452 memcpy(df_data + generated_len, X, blocklen);
453 generated_len += blocklen;
454 }
455
456 ret = 0;
457
458out:
459 memset(iv, 0, drbg_blocklen(drbg));
460 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
461 memset(pad, 0, drbg_blocklen(drbg));
462 return ret;
463}
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
481 int reseed)
482{
483 int ret = -EFAULT;
484
485 unsigned char *temp = drbg->scratchpad;
486 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
487 drbg_blocklen(drbg);
488
489 if (3 > reseed)
490 memset(df_data, 0, drbg_statelen(drbg));
491
492 if (!reseed) {
493
494
495
496
497
498
499
500 crypto_inc(drbg->V, drbg_blocklen(drbg));
501
502 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
503 drbg_keylen(drbg));
504 if (ret)
505 goto out;
506 }
507
508
509 if (seed) {
510 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
511 if (ret)
512 goto out;
513 }
514
515 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
516 temp, drbg_statelen(drbg));
517 if (ret)
518 return ret;
519
520
521 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
522 drbg_keylen(drbg));
523 if (ret)
524 goto out;
525
526 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
527
528 crypto_inc(drbg->V, drbg_blocklen(drbg));
529 ret = 0;
530
531out:
532 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
533 if (2 != reseed)
534 memset(df_data, 0, drbg_statelen(drbg));
535 return ret;
536}
537
538
539
540
541
542
543static int drbg_ctr_generate(struct drbg_state *drbg,
544 unsigned char *buf, unsigned int buflen,
545 struct list_head *addtl)
546{
547 int ret;
548 int len = min_t(int, buflen, INT_MAX);
549
550
551 if (addtl && !list_empty(addtl)) {
552 ret = drbg_ctr_update(drbg, addtl, 2);
553 if (ret)
554 return 0;
555 }
556
557
558 ret = drbg_kcapi_sym_ctr(drbg, drbg->ctr_null_value, DRBG_CTR_NULL_LEN,
559 buf, len);
560 if (ret)
561 return ret;
562
563
564 ret = drbg_ctr_update(drbg, NULL, 3);
565 if (ret)
566 len = ret;
567
568 return len;
569}
570
571static const struct drbg_state_ops drbg_ctr_ops = {
572 .update = drbg_ctr_update,
573 .generate = drbg_ctr_generate,
574 .crypto_init = drbg_init_sym_kernel,
575 .crypto_fini = drbg_fini_sym_kernel,
576};
577#endif
578
579
580
581
582
583#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
584static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
585 const struct list_head *in);
586static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
587 const unsigned char *key);
588static int drbg_init_hash_kernel(struct drbg_state *drbg);
589static int drbg_fini_hash_kernel(struct drbg_state *drbg);
590#endif
591
592#ifdef CONFIG_CRYPTO_DRBG_HMAC
593#define CRYPTO_DRBG_HMAC_STRING "HMAC "
594MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
595MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
596MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
597MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
598MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
599MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
600MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
601MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
602
603
604static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
605 int reseed)
606{
607 int ret = -EFAULT;
608 int i = 0;
609 struct drbg_string seed1, seed2, vdata;
610 LIST_HEAD(seedlist);
611 LIST_HEAD(vdatalist);
612
613 if (!reseed) {
614
615 memset(drbg->V, 1, drbg_statelen(drbg));
616 drbg_kcapi_hmacsetkey(drbg, drbg->C);
617 }
618
619 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
620 list_add_tail(&seed1.list, &seedlist);
621
622 drbg_string_fill(&seed2, NULL, 1);
623 list_add_tail(&seed2.list, &seedlist);
624
625 if (seed)
626 list_splice_tail(seed, &seedlist);
627
628 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
629 list_add_tail(&vdata.list, &vdatalist);
630 for (i = 2; 0 < i; i--) {
631
632 unsigned char prefix = DRBG_PREFIX0;
633 if (1 == i)
634 prefix = DRBG_PREFIX1;
635
636 seed2.buf = &prefix;
637 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
638 if (ret)
639 return ret;
640 drbg_kcapi_hmacsetkey(drbg, drbg->C);
641
642
643 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
644 if (ret)
645 return ret;
646
647
648 if (!seed)
649 return ret;
650 }
651
652 return 0;
653}
654
655
656static int drbg_hmac_generate(struct drbg_state *drbg,
657 unsigned char *buf,
658 unsigned int buflen,
659 struct list_head *addtl)
660{
661 int len = 0;
662 int ret = 0;
663 struct drbg_string data;
664 LIST_HEAD(datalist);
665
666
667 if (addtl && !list_empty(addtl)) {
668 ret = drbg_hmac_update(drbg, addtl, 1);
669 if (ret)
670 return ret;
671 }
672
673 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
674 list_add_tail(&data.list, &datalist);
675 while (len < buflen) {
676 unsigned int outlen = 0;
677
678 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
679 if (ret)
680 return ret;
681 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
682 drbg_blocklen(drbg) : (buflen - len);
683
684
685 memcpy(buf + len, drbg->V, outlen);
686 len += outlen;
687 }
688
689
690 if (addtl && !list_empty(addtl))
691 ret = drbg_hmac_update(drbg, addtl, 1);
692 else
693 ret = drbg_hmac_update(drbg, NULL, 1);
694 if (ret)
695 return ret;
696
697 return len;
698}
699
700static const struct drbg_state_ops drbg_hmac_ops = {
701 .update = drbg_hmac_update,
702 .generate = drbg_hmac_generate,
703 .crypto_init = drbg_init_hash_kernel,
704 .crypto_fini = drbg_fini_hash_kernel,
705};
706#endif
707
708
709
710
711
712#ifdef CONFIG_CRYPTO_DRBG_HASH
713#define CRYPTO_DRBG_HASH_STRING "HASH "
714MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
715MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
716MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
717MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
718MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
719MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
720MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
721MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
722
723
724
725
726
727
728
729static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
730 const unsigned char *add, size_t addlen)
731{
732
733 unsigned char *dstptr;
734 const unsigned char *addptr;
735 unsigned int remainder = 0;
736 size_t len = addlen;
737
738 dstptr = dst + (dstlen-1);
739 addptr = add + (addlen-1);
740 while (len) {
741 remainder += *dstptr + *addptr;
742 *dstptr = remainder & 0xff;
743 remainder >>= 8;
744 len--; dstptr--; addptr--;
745 }
746 len = dstlen - addlen;
747 while (len && remainder > 0) {
748 remainder = *dstptr + 1;
749 *dstptr = remainder & 0xff;
750 remainder >>= 8;
751 len--; dstptr--;
752 }
753}
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771static int drbg_hash_df(struct drbg_state *drbg,
772 unsigned char *outval, size_t outlen,
773 struct list_head *entropylist)
774{
775 int ret = 0;
776 size_t len = 0;
777 unsigned char input[5];
778 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
779 struct drbg_string data;
780
781
782 input[0] = 1;
783 drbg_cpu_to_be32((outlen * 8), &input[1]);
784
785
786 drbg_string_fill(&data, input, 5);
787 list_add(&data.list, entropylist);
788
789
790 while (len < outlen) {
791 short blocklen = 0;
792
793 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
794 if (ret)
795 goto out;
796
797 input[0]++;
798 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
799 drbg_blocklen(drbg) : (outlen - len);
800 memcpy(outval + len, tmp, blocklen);
801 len += blocklen;
802 }
803
804out:
805 memset(tmp, 0, drbg_blocklen(drbg));
806 return ret;
807}
808
809
810static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
811 int reseed)
812{
813 int ret = 0;
814 struct drbg_string data1, data2;
815 LIST_HEAD(datalist);
816 LIST_HEAD(datalist2);
817 unsigned char *V = drbg->scratchpad;
818 unsigned char prefix = DRBG_PREFIX1;
819
820 if (!seed)
821 return -EINVAL;
822
823 if (reseed) {
824
825 memcpy(V, drbg->V, drbg_statelen(drbg));
826 drbg_string_fill(&data1, &prefix, 1);
827 list_add_tail(&data1.list, &datalist);
828 drbg_string_fill(&data2, V, drbg_statelen(drbg));
829 list_add_tail(&data2.list, &datalist);
830 }
831 list_splice_tail(seed, &datalist);
832
833
834 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
835 if (ret)
836 goto out;
837
838
839 prefix = DRBG_PREFIX0;
840 drbg_string_fill(&data1, &prefix, 1);
841 list_add_tail(&data1.list, &datalist2);
842 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
843 list_add_tail(&data2.list, &datalist2);
844
845 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
846
847out:
848 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
849 return ret;
850}
851
852
853static int drbg_hash_process_addtl(struct drbg_state *drbg,
854 struct list_head *addtl)
855{
856 int ret = 0;
857 struct drbg_string data1, data2;
858 LIST_HEAD(datalist);
859 unsigned char prefix = DRBG_PREFIX2;
860
861
862 if (!addtl || list_empty(addtl))
863 return 0;
864
865
866 drbg_string_fill(&data1, &prefix, 1);
867 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
868 list_add_tail(&data1.list, &datalist);
869 list_add_tail(&data2.list, &datalist);
870 list_splice_tail(addtl, &datalist);
871 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
872 if (ret)
873 goto out;
874
875
876 drbg_add_buf(drbg->V, drbg_statelen(drbg),
877 drbg->scratchpad, drbg_blocklen(drbg));
878
879out:
880 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
881 return ret;
882}
883
884
885static int drbg_hash_hashgen(struct drbg_state *drbg,
886 unsigned char *buf,
887 unsigned int buflen)
888{
889 int len = 0;
890 int ret = 0;
891 unsigned char *src = drbg->scratchpad;
892 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
893 struct drbg_string data;
894 LIST_HEAD(datalist);
895
896
897 memcpy(src, drbg->V, drbg_statelen(drbg));
898
899 drbg_string_fill(&data, src, drbg_statelen(drbg));
900 list_add_tail(&data.list, &datalist);
901 while (len < buflen) {
902 unsigned int outlen = 0;
903
904 ret = drbg_kcapi_hash(drbg, dst, &datalist);
905 if (ret) {
906 len = ret;
907 goto out;
908 }
909 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
910 drbg_blocklen(drbg) : (buflen - len);
911
912 memcpy(buf + len, dst, outlen);
913 len += outlen;
914
915 if (len < buflen)
916 crypto_inc(src, drbg_statelen(drbg));
917 }
918
919out:
920 memset(drbg->scratchpad, 0,
921 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
922 return len;
923}
924
925
926static int drbg_hash_generate(struct drbg_state *drbg,
927 unsigned char *buf, unsigned int buflen,
928 struct list_head *addtl)
929{
930 int len = 0;
931 int ret = 0;
932 union {
933 unsigned char req[8];
934 __be64 req_int;
935 } u;
936 unsigned char prefix = DRBG_PREFIX3;
937 struct drbg_string data1, data2;
938 LIST_HEAD(datalist);
939
940
941 ret = drbg_hash_process_addtl(drbg, addtl);
942 if (ret)
943 return ret;
944
945 len = drbg_hash_hashgen(drbg, buf, buflen);
946
947
948
949 drbg_string_fill(&data1, &prefix, 1);
950 list_add_tail(&data1.list, &datalist);
951 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
952 list_add_tail(&data2.list, &datalist);
953 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
954 if (ret) {
955 len = ret;
956 goto out;
957 }
958
959
960 drbg_add_buf(drbg->V, drbg_statelen(drbg),
961 drbg->scratchpad, drbg_blocklen(drbg));
962 drbg_add_buf(drbg->V, drbg_statelen(drbg),
963 drbg->C, drbg_statelen(drbg));
964 u.req_int = cpu_to_be64(drbg->reseed_ctr);
965 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
966
967out:
968 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
969 return len;
970}
971
972
973
974
975
976static const struct drbg_state_ops drbg_hash_ops = {
977 .update = drbg_hash_update,
978 .generate = drbg_hash_generate,
979 .crypto_init = drbg_init_hash_kernel,
980 .crypto_fini = drbg_fini_hash_kernel,
981};
982#endif
983
984
985
986
987
988static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
989 int reseed)
990{
991 int ret = drbg->d_ops->update(drbg, seed, reseed);
992
993 if (ret)
994 return ret;
995
996 drbg->seeded = true;
997
998 drbg->reseed_ctr = 1;
999
1000 return ret;
1001}
1002
1003static void drbg_async_seed(struct work_struct *work)
1004{
1005 struct drbg_string data;
1006 LIST_HEAD(seedlist);
1007 struct drbg_state *drbg = container_of(work, struct drbg_state,
1008 seed_work);
1009 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1010 unsigned char entropy[32];
1011
1012 BUG_ON(!entropylen);
1013 BUG_ON(entropylen > sizeof(entropy));
1014 get_random_bytes(entropy, entropylen);
1015
1016 drbg_string_fill(&data, entropy, entropylen);
1017 list_add_tail(&data.list, &seedlist);
1018
1019 mutex_lock(&drbg->drbg_mutex);
1020
1021
1022 crypto_free_rng(drbg->jent);
1023 drbg->jent = NULL;
1024
1025
1026
1027
1028 drbg->seeded = false;
1029
1030 __drbg_seed(drbg, &seedlist, true);
1031
1032 if (drbg->seeded)
1033 drbg->reseed_threshold = drbg_max_requests(drbg);
1034
1035 mutex_unlock(&drbg->drbg_mutex);
1036
1037 memzero_explicit(entropy, entropylen);
1038}
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1052 bool reseed)
1053{
1054 int ret;
1055 unsigned char entropy[((32 + 16) * 2)];
1056 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1057 struct drbg_string data1;
1058 LIST_HEAD(seedlist);
1059
1060
1061 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1062 pr_devel("DRBG: personalization string too long %zu\n",
1063 pers->len);
1064 return -EINVAL;
1065 }
1066
1067 if (list_empty(&drbg->test_data.list)) {
1068 drbg_string_fill(&data1, drbg->test_data.buf,
1069 drbg->test_data.len);
1070 pr_devel("DRBG: using test entropy\n");
1071 } else {
1072
1073
1074
1075
1076
1077
1078
1079
1080 BUG_ON(!entropylen);
1081 if (!reseed)
1082 entropylen = ((entropylen + 1) / 2) * 3;
1083 BUG_ON((entropylen * 2) > sizeof(entropy));
1084
1085
1086 get_random_bytes(entropy, entropylen);
1087
1088 if (!drbg->jent) {
1089 drbg_string_fill(&data1, entropy, entropylen);
1090 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1091 entropylen);
1092 } else {
1093
1094 ret = crypto_rng_get_bytes(drbg->jent,
1095 entropy + entropylen,
1096 entropylen);
1097 if (ret) {
1098 pr_devel("DRBG: jent failed with %d\n", ret);
1099 return ret;
1100 }
1101
1102 drbg_string_fill(&data1, entropy, entropylen * 2);
1103 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1104 entropylen * 2);
1105 }
1106 }
1107 list_add_tail(&data1.list, &seedlist);
1108
1109
1110
1111
1112
1113
1114 if (pers && pers->buf && 0 < pers->len) {
1115 list_add_tail(&pers->list, &seedlist);
1116 pr_devel("DRBG: using personalization string\n");
1117 }
1118
1119 if (!reseed) {
1120 memset(drbg->V, 0, drbg_statelen(drbg));
1121 memset(drbg->C, 0, drbg_statelen(drbg));
1122 }
1123
1124 ret = __drbg_seed(drbg, &seedlist, reseed);
1125
1126 memzero_explicit(entropy, entropylen * 2);
1127
1128 return ret;
1129}
1130
1131
1132static inline void drbg_dealloc_state(struct drbg_state *drbg)
1133{
1134 if (!drbg)
1135 return;
1136 kzfree(drbg->Vbuf);
1137 drbg->Vbuf = NULL;
1138 drbg->V = NULL;
1139 kzfree(drbg->Cbuf);
1140 drbg->Cbuf = NULL;
1141 drbg->C = NULL;
1142 kzfree(drbg->scratchpadbuf);
1143 drbg->scratchpadbuf = NULL;
1144 drbg->reseed_ctr = 0;
1145 drbg->d_ops = NULL;
1146 drbg->core = NULL;
1147}
1148
1149
1150
1151
1152
1153static inline int drbg_alloc_state(struct drbg_state *drbg)
1154{
1155 int ret = -ENOMEM;
1156 unsigned int sb_size = 0;
1157
1158 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1159#ifdef CONFIG_CRYPTO_DRBG_HMAC
1160 case DRBG_HMAC:
1161 drbg->d_ops = &drbg_hmac_ops;
1162 break;
1163#endif
1164#ifdef CONFIG_CRYPTO_DRBG_HASH
1165 case DRBG_HASH:
1166 drbg->d_ops = &drbg_hash_ops;
1167 break;
1168#endif
1169#ifdef CONFIG_CRYPTO_DRBG_CTR
1170 case DRBG_CTR:
1171 drbg->d_ops = &drbg_ctr_ops;
1172 break;
1173#endif
1174 default:
1175 ret = -EOPNOTSUPP;
1176 goto err;
1177 }
1178
1179 ret = drbg->d_ops->crypto_init(drbg);
1180 if (ret < 0)
1181 goto err;
1182
1183 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1184 if (!drbg->Vbuf) {
1185 ret = -ENOMEM;
1186 goto fini;
1187 }
1188 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1189 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1190 if (!drbg->Cbuf) {
1191 ret = -ENOMEM;
1192 goto fini;
1193 }
1194 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1195
1196 if (drbg->core->flags & DRBG_HMAC)
1197 sb_size = 0;
1198 else if (drbg->core->flags & DRBG_CTR)
1199 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) +
1200 drbg_statelen(drbg) +
1201 drbg_blocklen(drbg) +
1202 drbg_blocklen(drbg) +
1203 drbg_statelen(drbg) + drbg_blocklen(drbg);
1204 else
1205 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1206
1207 if (0 < sb_size) {
1208 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1209 if (!drbg->scratchpadbuf) {
1210 ret = -ENOMEM;
1211 goto fini;
1212 }
1213 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1214 }
1215
1216 return 0;
1217
1218fini:
1219 drbg->d_ops->crypto_fini(drbg);
1220err:
1221 drbg_dealloc_state(drbg);
1222 return ret;
1223}
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245static int drbg_generate(struct drbg_state *drbg,
1246 unsigned char *buf, unsigned int buflen,
1247 struct drbg_string *addtl)
1248{
1249 int len = 0;
1250 LIST_HEAD(addtllist);
1251
1252 if (!drbg->core) {
1253 pr_devel("DRBG: not yet seeded\n");
1254 return -EINVAL;
1255 }
1256 if (0 == buflen || !buf) {
1257 pr_devel("DRBG: no output buffer provided\n");
1258 return -EINVAL;
1259 }
1260 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1261 pr_devel("DRBG: wrong format of additional information\n");
1262 return -EINVAL;
1263 }
1264
1265
1266 len = -EINVAL;
1267 if (buflen > (drbg_max_request_bytes(drbg))) {
1268 pr_devel("DRBG: requested random numbers too large %u\n",
1269 buflen);
1270 goto err;
1271 }
1272
1273
1274
1275
1276 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1277 pr_devel("DRBG: additional information string too long %zu\n",
1278 addtl->len);
1279 goto err;
1280 }
1281
1282
1283
1284
1285
1286
1287 if (drbg->reseed_threshold < drbg->reseed_ctr)
1288 drbg->seeded = false;
1289
1290 if (drbg->pr || !drbg->seeded) {
1291 pr_devel("DRBG: reseeding before generation (prediction "
1292 "resistance: %s, state %s)\n",
1293 drbg->pr ? "true" : "false",
1294 drbg->seeded ? "seeded" : "unseeded");
1295
1296 len = drbg_seed(drbg, addtl, true);
1297 if (len)
1298 goto err;
1299
1300 addtl = NULL;
1301 }
1302
1303 if (addtl && 0 < addtl->len)
1304 list_add_tail(&addtl->list, &addtllist);
1305
1306 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1307
1308
1309 drbg->reseed_ctr++;
1310 if (0 >= len)
1311 goto err;
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328#if 0
1329 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1330 int err = 0;
1331 pr_devel("DRBG: start to perform self test\n");
1332 if (drbg->core->flags & DRBG_HMAC)
1333 err = alg_test("drbg_pr_hmac_sha256",
1334 "drbg_pr_hmac_sha256", 0, 0);
1335 else if (drbg->core->flags & DRBG_CTR)
1336 err = alg_test("drbg_pr_ctr_aes128",
1337 "drbg_pr_ctr_aes128", 0, 0);
1338 else
1339 err = alg_test("drbg_pr_sha256",
1340 "drbg_pr_sha256", 0, 0);
1341 if (err) {
1342 pr_err("DRBG: periodical self test failed\n");
1343
1344
1345
1346
1347 drbg_uninstantiate(drbg);
1348 return 0;
1349 } else {
1350 pr_devel("DRBG: self test successful\n");
1351 }
1352 }
1353#endif
1354
1355
1356
1357
1358
1359 len = 0;
1360err:
1361 return len;
1362}
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372static int drbg_generate_long(struct drbg_state *drbg,
1373 unsigned char *buf, unsigned int buflen,
1374 struct drbg_string *addtl)
1375{
1376 unsigned int len = 0;
1377 unsigned int slice = 0;
1378 do {
1379 int err = 0;
1380 unsigned int chunk = 0;
1381 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1382 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1383 mutex_lock(&drbg->drbg_mutex);
1384 err = drbg_generate(drbg, buf + len, chunk, addtl);
1385 mutex_unlock(&drbg->drbg_mutex);
1386 if (0 > err)
1387 return err;
1388 len += chunk;
1389 } while (slice > 0 && (len < buflen));
1390 return 0;
1391}
1392
1393static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1394{
1395 struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1396 random_ready);
1397
1398 schedule_work(&drbg->seed_work);
1399}
1400
1401static int drbg_prepare_hrng(struct drbg_state *drbg)
1402{
1403 int err;
1404
1405
1406 if (list_empty(&drbg->test_data.list))
1407 return 0;
1408
1409 INIT_WORK(&drbg->seed_work, drbg_async_seed);
1410
1411 drbg->random_ready.owner = THIS_MODULE;
1412 drbg->random_ready.func = drbg_schedule_async_seed;
1413
1414 err = add_random_ready_callback(&drbg->random_ready);
1415
1416 switch (err) {
1417 case 0:
1418 break;
1419
1420 case -EALREADY:
1421 err = 0;
1422
1423
1424 default:
1425 drbg->random_ready.func = NULL;
1426 return err;
1427 }
1428
1429 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1430
1431
1432
1433
1434
1435 drbg->reseed_threshold = 50;
1436
1437 return err;
1438}
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1458 int coreref, bool pr)
1459{
1460 int ret;
1461 bool reseed = true;
1462
1463 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1464 "%s\n", coreref, pr ? "enabled" : "disabled");
1465 mutex_lock(&drbg->drbg_mutex);
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477 if (!drbg->core) {
1478 drbg->core = &drbg_cores[coreref];
1479 drbg->pr = pr;
1480 drbg->seeded = false;
1481 drbg->reseed_threshold = drbg_max_requests(drbg);
1482
1483 ret = drbg_alloc_state(drbg);
1484 if (ret)
1485 goto unlock;
1486
1487 ret = drbg_prepare_hrng(drbg);
1488 if (ret)
1489 goto free_everything;
1490
1491 if (IS_ERR(drbg->jent)) {
1492 ret = PTR_ERR(drbg->jent);
1493 drbg->jent = NULL;
1494 if (fips_enabled || ret != -ENOENT)
1495 goto free_everything;
1496 pr_info("DRBG: Continuing without Jitter RNG\n");
1497 }
1498
1499 reseed = false;
1500 }
1501
1502 ret = drbg_seed(drbg, pers, reseed);
1503
1504 if (ret && !reseed)
1505 goto free_everything;
1506
1507 mutex_unlock(&drbg->drbg_mutex);
1508 return ret;
1509
1510unlock:
1511 mutex_unlock(&drbg->drbg_mutex);
1512 return ret;
1513
1514free_everything:
1515 mutex_unlock(&drbg->drbg_mutex);
1516 drbg_uninstantiate(drbg);
1517 return ret;
1518}
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529static int drbg_uninstantiate(struct drbg_state *drbg)
1530{
1531 if (drbg->random_ready.func) {
1532 del_random_ready_callback(&drbg->random_ready);
1533 cancel_work_sync(&drbg->seed_work);
1534 crypto_free_rng(drbg->jent);
1535 drbg->jent = NULL;
1536 }
1537
1538 if (drbg->d_ops)
1539 drbg->d_ops->crypto_fini(drbg);
1540 drbg_dealloc_state(drbg);
1541
1542 return 0;
1543}
1544
1545
1546
1547
1548
1549
1550
1551
1552static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1553 const u8 *data, unsigned int len)
1554{
1555 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1556
1557 mutex_lock(&drbg->drbg_mutex);
1558 drbg_string_fill(&drbg->test_data, data, len);
1559 mutex_unlock(&drbg->drbg_mutex);
1560}
1561
1562
1563
1564
1565
1566#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1567struct sdesc {
1568 struct shash_desc shash;
1569 char ctx[];
1570};
1571
1572static int drbg_init_hash_kernel(struct drbg_state *drbg)
1573{
1574 struct sdesc *sdesc;
1575 struct crypto_shash *tfm;
1576
1577 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1578 if (IS_ERR(tfm)) {
1579 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1580 drbg->core->backend_cra_name);
1581 return PTR_ERR(tfm);
1582 }
1583 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1584 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1585 GFP_KERNEL);
1586 if (!sdesc) {
1587 crypto_free_shash(tfm);
1588 return -ENOMEM;
1589 }
1590
1591 sdesc->shash.tfm = tfm;
1592 sdesc->shash.flags = 0;
1593 drbg->priv_data = sdesc;
1594
1595 return crypto_shash_alignmask(tfm);
1596}
1597
1598static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1599{
1600 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1601 if (sdesc) {
1602 crypto_free_shash(sdesc->shash.tfm);
1603 kzfree(sdesc);
1604 }
1605 drbg->priv_data = NULL;
1606 return 0;
1607}
1608
1609static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1610 const unsigned char *key)
1611{
1612 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1613
1614 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1615}
1616
1617static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1618 const struct list_head *in)
1619{
1620 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1621 struct drbg_string *input = NULL;
1622
1623 crypto_shash_init(&sdesc->shash);
1624 list_for_each_entry(input, in, list)
1625 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1626 return crypto_shash_final(&sdesc->shash, outval);
1627}
1628#endif
1629
1630#ifdef CONFIG_CRYPTO_DRBG_CTR
1631static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1632{
1633 struct crypto_cipher *tfm =
1634 (struct crypto_cipher *)drbg->priv_data;
1635 if (tfm)
1636 crypto_free_cipher(tfm);
1637 drbg->priv_data = NULL;
1638
1639 if (drbg->ctr_handle)
1640 crypto_free_skcipher(drbg->ctr_handle);
1641 drbg->ctr_handle = NULL;
1642
1643 if (drbg->ctr_req)
1644 skcipher_request_free(drbg->ctr_req);
1645 drbg->ctr_req = NULL;
1646
1647 kfree(drbg->ctr_null_value_buf);
1648 drbg->ctr_null_value = NULL;
1649
1650 kfree(drbg->outscratchpadbuf);
1651 drbg->outscratchpadbuf = NULL;
1652
1653 return 0;
1654}
1655
1656static int drbg_init_sym_kernel(struct drbg_state *drbg)
1657{
1658 struct crypto_cipher *tfm;
1659 struct crypto_skcipher *sk_tfm;
1660 struct skcipher_request *req;
1661 unsigned int alignmask;
1662 char ctr_name[CRYPTO_MAX_ALG_NAME];
1663
1664 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1665 if (IS_ERR(tfm)) {
1666 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1667 drbg->core->backend_cra_name);
1668 return PTR_ERR(tfm);
1669 }
1670 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1671 drbg->priv_data = tfm;
1672
1673 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1674 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1675 drbg_fini_sym_kernel(drbg);
1676 return -EINVAL;
1677 }
1678 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1679 if (IS_ERR(sk_tfm)) {
1680 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1681 ctr_name);
1682 drbg_fini_sym_kernel(drbg);
1683 return PTR_ERR(sk_tfm);
1684 }
1685 drbg->ctr_handle = sk_tfm;
1686 crypto_init_wait(&drbg->ctr_wait);
1687
1688 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1689 if (!req) {
1690 pr_info("DRBG: could not allocate request queue\n");
1691 drbg_fini_sym_kernel(drbg);
1692 return -ENOMEM;
1693 }
1694 drbg->ctr_req = req;
1695 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1696 CRYPTO_TFM_REQ_MAY_SLEEP,
1697 crypto_req_done, &drbg->ctr_wait);
1698
1699 alignmask = crypto_skcipher_alignmask(sk_tfm);
1700 drbg->ctr_null_value_buf = kzalloc(DRBG_CTR_NULL_LEN + alignmask,
1701 GFP_KERNEL);
1702 if (!drbg->ctr_null_value_buf) {
1703 drbg_fini_sym_kernel(drbg);
1704 return -ENOMEM;
1705 }
1706 drbg->ctr_null_value = (u8 *)PTR_ALIGN(drbg->ctr_null_value_buf,
1707 alignmask + 1);
1708
1709 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1710 GFP_KERNEL);
1711 if (!drbg->outscratchpadbuf) {
1712 drbg_fini_sym_kernel(drbg);
1713 return -ENOMEM;
1714 }
1715 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1716 alignmask + 1);
1717
1718 return alignmask;
1719}
1720
1721static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1722 const unsigned char *key)
1723{
1724 struct crypto_cipher *tfm =
1725 (struct crypto_cipher *)drbg->priv_data;
1726
1727 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1728}
1729
1730static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1731 const struct drbg_string *in)
1732{
1733 struct crypto_cipher *tfm =
1734 (struct crypto_cipher *)drbg->priv_data;
1735
1736
1737 BUG_ON(in->len < drbg_blocklen(drbg));
1738 crypto_cipher_encrypt_one(tfm, outval, in->buf);
1739 return 0;
1740}
1741
1742static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1743 u8 *inbuf, u32 inlen,
1744 u8 *outbuf, u32 outlen)
1745{
1746 struct scatterlist sg_in, sg_out;
1747 int ret;
1748
1749 sg_init_one(&sg_in, inbuf, inlen);
1750 sg_init_one(&sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1751
1752 while (outlen) {
1753 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1754
1755
1756 skcipher_request_set_crypt(drbg->ctr_req, &sg_in, &sg_out,
1757 cryptlen, drbg->V);
1758 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1759 &drbg->ctr_wait);
1760 if (ret)
1761 goto out;
1762
1763 crypto_init_wait(&drbg->ctr_wait);
1764
1765 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1766
1767 outlen -= cryptlen;
1768 outbuf += cryptlen;
1769 }
1770 ret = 0;
1771
1772out:
1773 memzero_explicit(drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1774 return ret;
1775}
1776#endif
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1794 int *coreref, bool *pr)
1795{
1796 int i = 0;
1797 size_t start = 0;
1798 int len = 0;
1799
1800 *pr = true;
1801
1802 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1803 start = 10;
1804 *pr = false;
1805 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1806 start = 8;
1807 } else {
1808 return;
1809 }
1810
1811
1812 len = strlen(cra_driver_name) - start;
1813 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1814 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1815 len)) {
1816 *coreref = i;
1817 return;
1818 }
1819 }
1820}
1821
1822static int drbg_kcapi_init(struct crypto_tfm *tfm)
1823{
1824 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1825
1826 mutex_init(&drbg->drbg_mutex);
1827
1828 return 0;
1829}
1830
1831static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1832{
1833 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1834}
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845static int drbg_kcapi_random(struct crypto_rng *tfm,
1846 const u8 *src, unsigned int slen,
1847 u8 *dst, unsigned int dlen)
1848{
1849 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1850 struct drbg_string *addtl = NULL;
1851 struct drbg_string string;
1852
1853 if (slen) {
1854
1855 drbg_string_fill(&string, src, slen);
1856 addtl = &string;
1857 }
1858
1859 return drbg_generate_long(drbg, dst, dlen, addtl);
1860}
1861
1862
1863
1864
1865static int drbg_kcapi_seed(struct crypto_rng *tfm,
1866 const u8 *seed, unsigned int slen)
1867{
1868 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1869 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1870 bool pr = false;
1871 struct drbg_string string;
1872 struct drbg_string *seed_string = NULL;
1873 int coreref = 0;
1874
1875 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1876 &pr);
1877 if (0 < slen) {
1878 drbg_string_fill(&string, seed, slen);
1879 seed_string = &string;
1880 }
1881
1882 return drbg_instantiate(drbg, seed_string, coreref, pr);
1883}
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899static inline int __init drbg_healthcheck_sanity(void)
1900{
1901 int len = 0;
1902#define OUTBUFLEN 16
1903 unsigned char buf[OUTBUFLEN];
1904 struct drbg_state *drbg = NULL;
1905 int ret = -EFAULT;
1906 int rc = -EFAULT;
1907 bool pr = false;
1908 int coreref = 0;
1909 struct drbg_string addtl;
1910 size_t max_addtllen, max_request_bytes;
1911
1912
1913 if (!fips_enabled)
1914 return 0;
1915
1916#ifdef CONFIG_CRYPTO_DRBG_CTR
1917 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1918#elif defined CONFIG_CRYPTO_DRBG_HASH
1919 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1920#else
1921 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1922#endif
1923
1924 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1925 if (!drbg)
1926 return -ENOMEM;
1927
1928 mutex_init(&drbg->drbg_mutex);
1929 drbg->core = &drbg_cores[coreref];
1930 drbg->reseed_threshold = drbg_max_requests(drbg);
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940 max_addtllen = drbg_max_addtl(drbg);
1941 max_request_bytes = drbg_max_request_bytes(drbg);
1942 drbg_string_fill(&addtl, buf, max_addtllen + 1);
1943
1944 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1945 BUG_ON(0 < len);
1946
1947 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1948 BUG_ON(0 < len);
1949
1950
1951 ret = drbg_seed(drbg, &addtl, false);
1952 BUG_ON(0 == ret);
1953
1954 rc = 0;
1955
1956 pr_devel("DRBG: Sanity tests for failure code paths successfully "
1957 "completed\n");
1958
1959 kfree(drbg);
1960 return rc;
1961}
1962
1963static struct rng_alg drbg_algs[22];
1964
1965
1966
1967
1968
1969
1970static inline void __init drbg_fill_array(struct rng_alg *alg,
1971 const struct drbg_core *core, int pr)
1972{
1973 int pos = 0;
1974 static int priority = 200;
1975
1976 memcpy(alg->base.cra_name, "stdrng", 6);
1977 if (pr) {
1978 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1979 pos = 8;
1980 } else {
1981 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1982 pos = 10;
1983 }
1984 memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1985 strlen(core->cra_name));
1986
1987 alg->base.cra_priority = priority;
1988 priority++;
1989
1990
1991
1992
1993
1994 if (fips_enabled)
1995 alg->base.cra_priority += 200;
1996
1997 alg->base.cra_ctxsize = sizeof(struct drbg_state);
1998 alg->base.cra_module = THIS_MODULE;
1999 alg->base.cra_init = drbg_kcapi_init;
2000 alg->base.cra_exit = drbg_kcapi_cleanup;
2001 alg->generate = drbg_kcapi_random;
2002 alg->seed = drbg_kcapi_seed;
2003 alg->set_ent = drbg_kcapi_set_entropy;
2004 alg->seedsize = 0;
2005}
2006
2007static int __init drbg_init(void)
2008{
2009 unsigned int i = 0;
2010 unsigned int j = 0;
2011 int ret;
2012
2013 ret = drbg_healthcheck_sanity();
2014 if (ret)
2015 return ret;
2016
2017 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2018 pr_info("DRBG: Cannot register all DRBG types"
2019 "(slots needed: %zu, slots available: %zu)\n",
2020 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2021 return -EFAULT;
2022 }
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2034 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2035 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2036 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2037 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2038}
2039
2040static void __exit drbg_exit(void)
2041{
2042 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2043}
2044
2045module_init(drbg_init);
2046module_exit(drbg_exit);
2047#ifndef CRYPTO_DRBG_HASH_STRING
2048#define CRYPTO_DRBG_HASH_STRING ""
2049#endif
2050#ifndef CRYPTO_DRBG_HMAC_STRING
2051#define CRYPTO_DRBG_HMAC_STRING ""
2052#endif
2053#ifndef CRYPTO_DRBG_CTR_STRING
2054#define CRYPTO_DRBG_CTR_STRING ""
2055#endif
2056MODULE_LICENSE("GPL");
2057MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2058MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2059 "using following cores: "
2060 CRYPTO_DRBG_HASH_STRING
2061 CRYPTO_DRBG_HMAC_STRING
2062 CRYPTO_DRBG_CTR_STRING);
2063MODULE_ALIAS_CRYPTO("stdrng");
2064