1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100#include <crypto/drbg.h>
101#include <linux/kernel.h>
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116static const struct drbg_core drbg_cores[] = {
117#ifdef CONFIG_CRYPTO_DRBG_CTR
118 {
119 .flags = DRBG_CTR | DRBG_STRENGTH128,
120 .statelen = 32,
121 .blocklen_bytes = 16,
122 .cra_name = "ctr_aes128",
123 .backend_cra_name = "aes",
124 }, {
125 .flags = DRBG_CTR | DRBG_STRENGTH192,
126 .statelen = 40,
127 .blocklen_bytes = 16,
128 .cra_name = "ctr_aes192",
129 .backend_cra_name = "aes",
130 }, {
131 .flags = DRBG_CTR | DRBG_STRENGTH256,
132 .statelen = 48,
133 .blocklen_bytes = 16,
134 .cra_name = "ctr_aes256",
135 .backend_cra_name = "aes",
136 },
137#endif
138#ifdef CONFIG_CRYPTO_DRBG_HASH
139 {
140 .flags = DRBG_HASH | DRBG_STRENGTH128,
141 .statelen = 55,
142 .blocklen_bytes = 20,
143 .cra_name = "sha1",
144 .backend_cra_name = "sha1",
145 }, {
146 .flags = DRBG_HASH | DRBG_STRENGTH256,
147 .statelen = 111,
148 .blocklen_bytes = 48,
149 .cra_name = "sha384",
150 .backend_cra_name = "sha384",
151 }, {
152 .flags = DRBG_HASH | DRBG_STRENGTH256,
153 .statelen = 111,
154 .blocklen_bytes = 64,
155 .cra_name = "sha512",
156 .backend_cra_name = "sha512",
157 }, {
158 .flags = DRBG_HASH | DRBG_STRENGTH256,
159 .statelen = 55,
160 .blocklen_bytes = 32,
161 .cra_name = "sha256",
162 .backend_cra_name = "sha256",
163 },
164#endif
165#ifdef CONFIG_CRYPTO_DRBG_HMAC
166 {
167 .flags = DRBG_HMAC | DRBG_STRENGTH128,
168 .statelen = 20,
169 .blocklen_bytes = 20,
170 .cra_name = "hmac_sha1",
171 .backend_cra_name = "hmac(sha1)",
172 }, {
173 .flags = DRBG_HMAC | DRBG_STRENGTH256,
174 .statelen = 48,
175 .blocklen_bytes = 48,
176 .cra_name = "hmac_sha384",
177 .backend_cra_name = "hmac(sha384)",
178 }, {
179 .flags = DRBG_HMAC | DRBG_STRENGTH256,
180 .statelen = 64,
181 .blocklen_bytes = 64,
182 .cra_name = "hmac_sha512",
183 .backend_cra_name = "hmac(sha512)",
184 }, {
185 .flags = DRBG_HMAC | DRBG_STRENGTH256,
186 .statelen = 32,
187 .blocklen_bytes = 32,
188 .cra_name = "hmac_sha256",
189 .backend_cra_name = "hmac(sha256)",
190 },
191#endif
192};
193
194static int drbg_uninstantiate(struct drbg_state *drbg);
195
196
197
198
199
200
201
202
203
204
205
206
207
208static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209{
210 switch (flags & DRBG_STRENGTH_MASK) {
211 case DRBG_STRENGTH128:
212 return 16;
213 case DRBG_STRENGTH192:
214 return 24;
215 case DRBG_STRENGTH256:
216 return 32;
217 default:
218 return 32;
219 }
220}
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241static int drbg_fips_continuous_test(struct drbg_state *drbg,
242 const unsigned char *entropy)
243{
244 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
245 int ret = 0;
246
247 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
248 return 0;
249
250
251 if (list_empty(&drbg->test_data.list))
252 return 0;
253
254 if (!fips_enabled)
255 return 0;
256
257 if (!drbg->fips_primed) {
258
259 memcpy(drbg->prev, entropy, entropylen);
260 drbg->fips_primed = true;
261
262 return -EAGAIN;
263 }
264 ret = memcmp(drbg->prev, entropy, entropylen);
265 if (!ret)
266 panic("DRBG continuous self test failed\n");
267 memcpy(drbg->prev, entropy, entropylen);
268
269
270 return 0;
271}
272
273
274
275
276
277
278
279
280
281#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
282static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
283{
284 struct s {
285 __be32 conv;
286 };
287 struct s *conversion = (struct s *) buf;
288
289 conversion->conv = cpu_to_be32(val);
290}
291#endif
292
293
294
295
296
297#ifdef CONFIG_CRYPTO_DRBG_CTR
298#define CRYPTO_DRBG_CTR_STRING "CTR "
299MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
300MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
301MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
302MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
303MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
304MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
305
306static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
307 const unsigned char *key);
308static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
309 const struct drbg_string *in);
310static int drbg_init_sym_kernel(struct drbg_state *drbg);
311static int drbg_fini_sym_kernel(struct drbg_state *drbg);
312static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
313 u8 *inbuf, u32 inbuflen,
314 u8 *outbuf, u32 outlen);
315#define DRBG_OUTSCRATCHLEN 256
316
317
318static int drbg_ctr_bcc(struct drbg_state *drbg,
319 unsigned char *out, const unsigned char *key,
320 struct list_head *in)
321{
322 int ret = 0;
323 struct drbg_string *curr = NULL;
324 struct drbg_string data;
325 short cnt = 0;
326
327 drbg_string_fill(&data, out, drbg_blocklen(drbg));
328
329
330 drbg_kcapi_symsetkey(drbg, key);
331 list_for_each_entry(curr, in, list) {
332 const unsigned char *pos = curr->buf;
333 size_t len = curr->len;
334
335 while (len) {
336
337 if (drbg_blocklen(drbg) == cnt) {
338 cnt = 0;
339 ret = drbg_kcapi_sym(drbg, out, &data);
340 if (ret)
341 return ret;
342 }
343 out[cnt] ^= *pos;
344 pos++;
345 cnt++;
346 len--;
347 }
348 }
349
350 if (cnt)
351 ret = drbg_kcapi_sym(drbg, out, &data);
352
353 return ret;
354}
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396static int drbg_ctr_df(struct drbg_state *drbg,
397 unsigned char *df_data, size_t bytes_to_return,
398 struct list_head *seedlist)
399{
400 int ret = -EFAULT;
401 unsigned char L_N[8];
402
403 struct drbg_string S1, S2, S4, cipherin;
404 LIST_HEAD(bcc_list);
405 unsigned char *pad = df_data + drbg_statelen(drbg);
406 unsigned char *iv = pad + drbg_blocklen(drbg);
407 unsigned char *temp = iv + drbg_blocklen(drbg);
408 size_t padlen = 0;
409 unsigned int templen = 0;
410
411 unsigned int i = 0;
412
413 const unsigned char *K = (unsigned char *)
414 "\x00\x01\x02\x03\x04\x05\x06\x07"
415 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
416 "\x10\x11\x12\x13\x14\x15\x16\x17"
417 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
418 unsigned char *X;
419 size_t generated_len = 0;
420 size_t inputlen = 0;
421 struct drbg_string *seed = NULL;
422
423 memset(pad, 0, drbg_blocklen(drbg));
424 memset(iv, 0, drbg_blocklen(drbg));
425
426
427
428
429 if ((512/8) < bytes_to_return)
430 return -EINVAL;
431
432
433 list_for_each_entry(seed, seedlist, list)
434 inputlen += seed->len;
435 drbg_cpu_to_be32(inputlen, &L_N[0]);
436
437
438 drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
439
440
441 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
442
443 if (padlen)
444 padlen = drbg_blocklen(drbg) - padlen;
445
446
447
448
449
450 padlen++;
451 pad[0] = 0x80;
452
453
454 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
455 list_add_tail(&S1.list, &bcc_list);
456 drbg_string_fill(&S2, L_N, sizeof(L_N));
457 list_add_tail(&S2.list, &bcc_list);
458 list_splice_tail(seedlist, &bcc_list);
459 drbg_string_fill(&S4, pad, padlen);
460 list_add_tail(&S4.list, &bcc_list);
461
462
463 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
464
465
466
467
468
469 drbg_cpu_to_be32(i, iv);
470
471 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
472 if (ret)
473 goto out;
474
475 i++;
476 templen += drbg_blocklen(drbg);
477 }
478
479
480 X = temp + (drbg_keylen(drbg));
481 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
482
483
484
485
486 drbg_kcapi_symsetkey(drbg, temp);
487 while (generated_len < bytes_to_return) {
488 short blocklen = 0;
489
490
491
492
493
494 ret = drbg_kcapi_sym(drbg, X, &cipherin);
495 if (ret)
496 goto out;
497 blocklen = (drbg_blocklen(drbg) <
498 (bytes_to_return - generated_len)) ?
499 drbg_blocklen(drbg) :
500 (bytes_to_return - generated_len);
501
502 memcpy(df_data + generated_len, X, blocklen);
503 generated_len += blocklen;
504 }
505
506 ret = 0;
507
508out:
509 memset(iv, 0, drbg_blocklen(drbg));
510 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
511 memset(pad, 0, drbg_blocklen(drbg));
512 return ret;
513}
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
531 int reseed)
532{
533 int ret = -EFAULT;
534
535 unsigned char *temp = drbg->scratchpad;
536 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
537 drbg_blocklen(drbg);
538
539 if (3 > reseed)
540 memset(df_data, 0, drbg_statelen(drbg));
541
542 if (!reseed) {
543
544
545
546
547
548
549
550 crypto_inc(drbg->V, drbg_blocklen(drbg));
551
552 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
553 drbg_keylen(drbg));
554 if (ret)
555 goto out;
556 }
557
558
559 if (seed) {
560 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
561 if (ret)
562 goto out;
563 }
564
565 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
566 temp, drbg_statelen(drbg));
567 if (ret)
568 return ret;
569
570
571 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
572 drbg_keylen(drbg));
573 if (ret)
574 goto out;
575
576 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
577
578 crypto_inc(drbg->V, drbg_blocklen(drbg));
579 ret = 0;
580
581out:
582 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
583 if (2 != reseed)
584 memset(df_data, 0, drbg_statelen(drbg));
585 return ret;
586}
587
588
589
590
591
592
593static int drbg_ctr_generate(struct drbg_state *drbg,
594 unsigned char *buf, unsigned int buflen,
595 struct list_head *addtl)
596{
597 int ret;
598 int len = min_t(int, buflen, INT_MAX);
599
600
601 if (addtl && !list_empty(addtl)) {
602 ret = drbg_ctr_update(drbg, addtl, 2);
603 if (ret)
604 return 0;
605 }
606
607
608 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
609 if (ret)
610 return ret;
611
612
613 ret = drbg_ctr_update(drbg, NULL, 3);
614 if (ret)
615 len = ret;
616
617 return len;
618}
619
620static const struct drbg_state_ops drbg_ctr_ops = {
621 .update = drbg_ctr_update,
622 .generate = drbg_ctr_generate,
623 .crypto_init = drbg_init_sym_kernel,
624 .crypto_fini = drbg_fini_sym_kernel,
625};
626#endif
627
628
629
630
631
632#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
633static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
634 const struct list_head *in);
635static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
636 const unsigned char *key);
637static int drbg_init_hash_kernel(struct drbg_state *drbg);
638static int drbg_fini_hash_kernel(struct drbg_state *drbg);
639#endif
640
641#ifdef CONFIG_CRYPTO_DRBG_HMAC
642#define CRYPTO_DRBG_HMAC_STRING "HMAC "
643MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
644MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
645MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
646MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
647MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
648MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
649MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
650MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
651
652
653static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
654 int reseed)
655{
656 int ret = -EFAULT;
657 int i = 0;
658 struct drbg_string seed1, seed2, vdata;
659 LIST_HEAD(seedlist);
660 LIST_HEAD(vdatalist);
661
662 if (!reseed) {
663
664 memset(drbg->V, 1, drbg_statelen(drbg));
665 drbg_kcapi_hmacsetkey(drbg, drbg->C);
666 }
667
668 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
669 list_add_tail(&seed1.list, &seedlist);
670
671 drbg_string_fill(&seed2, NULL, 1);
672 list_add_tail(&seed2.list, &seedlist);
673
674 if (seed)
675 list_splice_tail(seed, &seedlist);
676
677 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
678 list_add_tail(&vdata.list, &vdatalist);
679 for (i = 2; 0 < i; i--) {
680
681 unsigned char prefix = DRBG_PREFIX0;
682 if (1 == i)
683 prefix = DRBG_PREFIX1;
684
685 seed2.buf = &prefix;
686 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
687 if (ret)
688 return ret;
689 drbg_kcapi_hmacsetkey(drbg, drbg->C);
690
691
692 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
693 if (ret)
694 return ret;
695
696
697 if (!seed)
698 return ret;
699 }
700
701 return 0;
702}
703
704
705static int drbg_hmac_generate(struct drbg_state *drbg,
706 unsigned char *buf,
707 unsigned int buflen,
708 struct list_head *addtl)
709{
710 int len = 0;
711 int ret = 0;
712 struct drbg_string data;
713 LIST_HEAD(datalist);
714
715
716 if (addtl && !list_empty(addtl)) {
717 ret = drbg_hmac_update(drbg, addtl, 1);
718 if (ret)
719 return ret;
720 }
721
722 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
723 list_add_tail(&data.list, &datalist);
724 while (len < buflen) {
725 unsigned int outlen = 0;
726
727 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
728 if (ret)
729 return ret;
730 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
731 drbg_blocklen(drbg) : (buflen - len);
732
733
734 memcpy(buf + len, drbg->V, outlen);
735 len += outlen;
736 }
737
738
739 if (addtl && !list_empty(addtl))
740 ret = drbg_hmac_update(drbg, addtl, 1);
741 else
742 ret = drbg_hmac_update(drbg, NULL, 1);
743 if (ret)
744 return ret;
745
746 return len;
747}
748
749static const struct drbg_state_ops drbg_hmac_ops = {
750 .update = drbg_hmac_update,
751 .generate = drbg_hmac_generate,
752 .crypto_init = drbg_init_hash_kernel,
753 .crypto_fini = drbg_fini_hash_kernel,
754};
755#endif
756
757
758
759
760
761#ifdef CONFIG_CRYPTO_DRBG_HASH
762#define CRYPTO_DRBG_HASH_STRING "HASH "
763MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
764MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
765MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
766MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
767MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
768MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
769MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
770MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
771
772
773
774
775
776
777
778static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
779 const unsigned char *add, size_t addlen)
780{
781
782 unsigned char *dstptr;
783 const unsigned char *addptr;
784 unsigned int remainder = 0;
785 size_t len = addlen;
786
787 dstptr = dst + (dstlen-1);
788 addptr = add + (addlen-1);
789 while (len) {
790 remainder += *dstptr + *addptr;
791 *dstptr = remainder & 0xff;
792 remainder >>= 8;
793 len--; dstptr--; addptr--;
794 }
795 len = dstlen - addlen;
796 while (len && remainder > 0) {
797 remainder = *dstptr + 1;
798 *dstptr = remainder & 0xff;
799 remainder >>= 8;
800 len--; dstptr--;
801 }
802}
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820static int drbg_hash_df(struct drbg_state *drbg,
821 unsigned char *outval, size_t outlen,
822 struct list_head *entropylist)
823{
824 int ret = 0;
825 size_t len = 0;
826 unsigned char input[5];
827 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
828 struct drbg_string data;
829
830
831 input[0] = 1;
832 drbg_cpu_to_be32((outlen * 8), &input[1]);
833
834
835 drbg_string_fill(&data, input, 5);
836 list_add(&data.list, entropylist);
837
838
839 while (len < outlen) {
840 short blocklen = 0;
841
842 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
843 if (ret)
844 goto out;
845
846 input[0]++;
847 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
848 drbg_blocklen(drbg) : (outlen - len);
849 memcpy(outval + len, tmp, blocklen);
850 len += blocklen;
851 }
852
853out:
854 memset(tmp, 0, drbg_blocklen(drbg));
855 return ret;
856}
857
858
859static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
860 int reseed)
861{
862 int ret = 0;
863 struct drbg_string data1, data2;
864 LIST_HEAD(datalist);
865 LIST_HEAD(datalist2);
866 unsigned char *V = drbg->scratchpad;
867 unsigned char prefix = DRBG_PREFIX1;
868
869 if (!seed)
870 return -EINVAL;
871
872 if (reseed) {
873
874 memcpy(V, drbg->V, drbg_statelen(drbg));
875 drbg_string_fill(&data1, &prefix, 1);
876 list_add_tail(&data1.list, &datalist);
877 drbg_string_fill(&data2, V, drbg_statelen(drbg));
878 list_add_tail(&data2.list, &datalist);
879 }
880 list_splice_tail(seed, &datalist);
881
882
883 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
884 if (ret)
885 goto out;
886
887
888 prefix = DRBG_PREFIX0;
889 drbg_string_fill(&data1, &prefix, 1);
890 list_add_tail(&data1.list, &datalist2);
891 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
892 list_add_tail(&data2.list, &datalist2);
893
894 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
895
896out:
897 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
898 return ret;
899}
900
901
902static int drbg_hash_process_addtl(struct drbg_state *drbg,
903 struct list_head *addtl)
904{
905 int ret = 0;
906 struct drbg_string data1, data2;
907 LIST_HEAD(datalist);
908 unsigned char prefix = DRBG_PREFIX2;
909
910
911 if (!addtl || list_empty(addtl))
912 return 0;
913
914
915 drbg_string_fill(&data1, &prefix, 1);
916 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
917 list_add_tail(&data1.list, &datalist);
918 list_add_tail(&data2.list, &datalist);
919 list_splice_tail(addtl, &datalist);
920 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
921 if (ret)
922 goto out;
923
924
925 drbg_add_buf(drbg->V, drbg_statelen(drbg),
926 drbg->scratchpad, drbg_blocklen(drbg));
927
928out:
929 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
930 return ret;
931}
932
933
934static int drbg_hash_hashgen(struct drbg_state *drbg,
935 unsigned char *buf,
936 unsigned int buflen)
937{
938 int len = 0;
939 int ret = 0;
940 unsigned char *src = drbg->scratchpad;
941 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
942 struct drbg_string data;
943 LIST_HEAD(datalist);
944
945
946 memcpy(src, drbg->V, drbg_statelen(drbg));
947
948 drbg_string_fill(&data, src, drbg_statelen(drbg));
949 list_add_tail(&data.list, &datalist);
950 while (len < buflen) {
951 unsigned int outlen = 0;
952
953 ret = drbg_kcapi_hash(drbg, dst, &datalist);
954 if (ret) {
955 len = ret;
956 goto out;
957 }
958 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
959 drbg_blocklen(drbg) : (buflen - len);
960
961 memcpy(buf + len, dst, outlen);
962 len += outlen;
963
964 if (len < buflen)
965 crypto_inc(src, drbg_statelen(drbg));
966 }
967
968out:
969 memset(drbg->scratchpad, 0,
970 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
971 return len;
972}
973
974
975static int drbg_hash_generate(struct drbg_state *drbg,
976 unsigned char *buf, unsigned int buflen,
977 struct list_head *addtl)
978{
979 int len = 0;
980 int ret = 0;
981 union {
982 unsigned char req[8];
983 __be64 req_int;
984 } u;
985 unsigned char prefix = DRBG_PREFIX3;
986 struct drbg_string data1, data2;
987 LIST_HEAD(datalist);
988
989
990 ret = drbg_hash_process_addtl(drbg, addtl);
991 if (ret)
992 return ret;
993
994 len = drbg_hash_hashgen(drbg, buf, buflen);
995
996
997
998 drbg_string_fill(&data1, &prefix, 1);
999 list_add_tail(&data1.list, &datalist);
1000 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1001 list_add_tail(&data2.list, &datalist);
1002 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1003 if (ret) {
1004 len = ret;
1005 goto out;
1006 }
1007
1008
1009 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1010 drbg->scratchpad, drbg_blocklen(drbg));
1011 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1012 drbg->C, drbg_statelen(drbg));
1013 u.req_int = cpu_to_be64(drbg->reseed_ctr);
1014 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1015
1016out:
1017 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1018 return len;
1019}
1020
1021
1022
1023
1024
1025static const struct drbg_state_ops drbg_hash_ops = {
1026 .update = drbg_hash_update,
1027 .generate = drbg_hash_generate,
1028 .crypto_init = drbg_init_hash_kernel,
1029 .crypto_fini = drbg_fini_hash_kernel,
1030};
1031#endif
1032
1033
1034
1035
1036
1037static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1038 int reseed)
1039{
1040 int ret = drbg->d_ops->update(drbg, seed, reseed);
1041
1042 if (ret)
1043 return ret;
1044
1045 drbg->seeded = true;
1046
1047 drbg->reseed_ctr = 1;
1048
1049 return ret;
1050}
1051
1052static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1053 unsigned char *entropy,
1054 unsigned int entropylen)
1055{
1056 int ret;
1057
1058 do {
1059 get_random_bytes(entropy, entropylen);
1060 ret = drbg_fips_continuous_test(drbg, entropy);
1061 if (ret && ret != -EAGAIN)
1062 return ret;
1063 } while (ret);
1064
1065 return 0;
1066}
1067
1068static void drbg_async_seed(struct work_struct *work)
1069{
1070 struct drbg_string data;
1071 LIST_HEAD(seedlist);
1072 struct drbg_state *drbg = container_of(work, struct drbg_state,
1073 seed_work);
1074 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1075 unsigned char entropy[32];
1076 int ret;
1077
1078 BUG_ON(!entropylen);
1079 BUG_ON(entropylen > sizeof(entropy));
1080
1081 drbg_string_fill(&data, entropy, entropylen);
1082 list_add_tail(&data.list, &seedlist);
1083
1084 mutex_lock(&drbg->drbg_mutex);
1085
1086 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1087 if (ret)
1088 goto unlock;
1089
1090
1091 crypto_free_rng(drbg->jent);
1092 drbg->jent = NULL;
1093
1094
1095
1096
1097 drbg->seeded = false;
1098
1099 __drbg_seed(drbg, &seedlist, true);
1100
1101 if (drbg->seeded)
1102 drbg->reseed_threshold = drbg_max_requests(drbg);
1103
1104unlock:
1105 mutex_unlock(&drbg->drbg_mutex);
1106
1107 memzero_explicit(entropy, entropylen);
1108}
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1122 bool reseed)
1123{
1124 int ret;
1125 unsigned char entropy[((32 + 16) * 2)];
1126 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1127 struct drbg_string data1;
1128 LIST_HEAD(seedlist);
1129
1130
1131 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1132 pr_devel("DRBG: personalization string too long %zu\n",
1133 pers->len);
1134 return -EINVAL;
1135 }
1136
1137 if (list_empty(&drbg->test_data.list)) {
1138 drbg_string_fill(&data1, drbg->test_data.buf,
1139 drbg->test_data.len);
1140 pr_devel("DRBG: using test entropy\n");
1141 } else {
1142
1143
1144
1145
1146
1147
1148
1149
1150 BUG_ON(!entropylen);
1151 if (!reseed)
1152 entropylen = ((entropylen + 1) / 2) * 3;
1153 BUG_ON((entropylen * 2) > sizeof(entropy));
1154
1155
1156 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1157 if (ret)
1158 goto out;
1159
1160 if (!drbg->jent) {
1161 drbg_string_fill(&data1, entropy, entropylen);
1162 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1163 entropylen);
1164 } else {
1165
1166 ret = crypto_rng_get_bytes(drbg->jent,
1167 entropy + entropylen,
1168 entropylen);
1169 if (ret) {
1170 pr_devel("DRBG: jent failed with %d\n", ret);
1171 goto out;
1172 }
1173
1174 drbg_string_fill(&data1, entropy, entropylen * 2);
1175 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1176 entropylen * 2);
1177 }
1178 }
1179 list_add_tail(&data1.list, &seedlist);
1180
1181
1182
1183
1184
1185
1186 if (pers && pers->buf && 0 < pers->len) {
1187 list_add_tail(&pers->list, &seedlist);
1188 pr_devel("DRBG: using personalization string\n");
1189 }
1190
1191 if (!reseed) {
1192 memset(drbg->V, 0, drbg_statelen(drbg));
1193 memset(drbg->C, 0, drbg_statelen(drbg));
1194 }
1195
1196 ret = __drbg_seed(drbg, &seedlist, reseed);
1197
1198out:
1199 memzero_explicit(entropy, entropylen * 2);
1200
1201 return ret;
1202}
1203
1204
1205static inline void drbg_dealloc_state(struct drbg_state *drbg)
1206{
1207 if (!drbg)
1208 return;
1209 kzfree(drbg->Vbuf);
1210 drbg->Vbuf = NULL;
1211 drbg->V = NULL;
1212 kzfree(drbg->Cbuf);
1213 drbg->Cbuf = NULL;
1214 drbg->C = NULL;
1215 kzfree(drbg->scratchpadbuf);
1216 drbg->scratchpadbuf = NULL;
1217 drbg->reseed_ctr = 0;
1218 drbg->d_ops = NULL;
1219 drbg->core = NULL;
1220 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1221 kzfree(drbg->prev);
1222 drbg->prev = NULL;
1223 drbg->fips_primed = false;
1224 }
1225}
1226
1227
1228
1229
1230
1231static inline int drbg_alloc_state(struct drbg_state *drbg)
1232{
1233 int ret = -ENOMEM;
1234 unsigned int sb_size = 0;
1235
1236 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1237#ifdef CONFIG_CRYPTO_DRBG_HMAC
1238 case DRBG_HMAC:
1239 drbg->d_ops = &drbg_hmac_ops;
1240 break;
1241#endif
1242#ifdef CONFIG_CRYPTO_DRBG_HASH
1243 case DRBG_HASH:
1244 drbg->d_ops = &drbg_hash_ops;
1245 break;
1246#endif
1247#ifdef CONFIG_CRYPTO_DRBG_CTR
1248 case DRBG_CTR:
1249 drbg->d_ops = &drbg_ctr_ops;
1250 break;
1251#endif
1252 default:
1253 ret = -EOPNOTSUPP;
1254 goto err;
1255 }
1256
1257 ret = drbg->d_ops->crypto_init(drbg);
1258 if (ret < 0)
1259 goto err;
1260
1261 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1262 if (!drbg->Vbuf) {
1263 ret = -ENOMEM;
1264 goto fini;
1265 }
1266 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1267 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1268 if (!drbg->Cbuf) {
1269 ret = -ENOMEM;
1270 goto fini;
1271 }
1272 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1273
1274 if (drbg->core->flags & DRBG_HMAC)
1275 sb_size = 0;
1276 else if (drbg->core->flags & DRBG_CTR)
1277 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) +
1278 drbg_statelen(drbg) +
1279 drbg_blocklen(drbg) +
1280 drbg_blocklen(drbg) +
1281 drbg_statelen(drbg) + drbg_blocklen(drbg);
1282 else
1283 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1284
1285 if (0 < sb_size) {
1286 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1287 if (!drbg->scratchpadbuf) {
1288 ret = -ENOMEM;
1289 goto fini;
1290 }
1291 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1292 }
1293
1294 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1295 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1296 GFP_KERNEL);
1297 if (!drbg->prev)
1298 goto fini;
1299 drbg->fips_primed = false;
1300 }
1301
1302 return 0;
1303
1304fini:
1305 drbg->d_ops->crypto_fini(drbg);
1306err:
1307 drbg_dealloc_state(drbg);
1308 return ret;
1309}
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331static int drbg_generate(struct drbg_state *drbg,
1332 unsigned char *buf, unsigned int buflen,
1333 struct drbg_string *addtl)
1334{
1335 int len = 0;
1336 LIST_HEAD(addtllist);
1337
1338 if (!drbg->core) {
1339 pr_devel("DRBG: not yet seeded\n");
1340 return -EINVAL;
1341 }
1342 if (0 == buflen || !buf) {
1343 pr_devel("DRBG: no output buffer provided\n");
1344 return -EINVAL;
1345 }
1346 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1347 pr_devel("DRBG: wrong format of additional information\n");
1348 return -EINVAL;
1349 }
1350
1351
1352 len = -EINVAL;
1353 if (buflen > (drbg_max_request_bytes(drbg))) {
1354 pr_devel("DRBG: requested random numbers too large %u\n",
1355 buflen);
1356 goto err;
1357 }
1358
1359
1360
1361
1362 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1363 pr_devel("DRBG: additional information string too long %zu\n",
1364 addtl->len);
1365 goto err;
1366 }
1367
1368
1369
1370
1371
1372
1373 if (drbg->reseed_threshold < drbg->reseed_ctr)
1374 drbg->seeded = false;
1375
1376 if (drbg->pr || !drbg->seeded) {
1377 pr_devel("DRBG: reseeding before generation (prediction "
1378 "resistance: %s, state %s)\n",
1379 drbg->pr ? "true" : "false",
1380 drbg->seeded ? "seeded" : "unseeded");
1381
1382 len = drbg_seed(drbg, addtl, true);
1383 if (len)
1384 goto err;
1385
1386 addtl = NULL;
1387 }
1388
1389 if (addtl && 0 < addtl->len)
1390 list_add_tail(&addtl->list, &addtllist);
1391
1392 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1393
1394
1395 drbg->reseed_ctr++;
1396 if (0 >= len)
1397 goto err;
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414#if 0
1415 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1416 int err = 0;
1417 pr_devel("DRBG: start to perform self test\n");
1418 if (drbg->core->flags & DRBG_HMAC)
1419 err = alg_test("drbg_pr_hmac_sha256",
1420 "drbg_pr_hmac_sha256", 0, 0);
1421 else if (drbg->core->flags & DRBG_CTR)
1422 err = alg_test("drbg_pr_ctr_aes128",
1423 "drbg_pr_ctr_aes128", 0, 0);
1424 else
1425 err = alg_test("drbg_pr_sha256",
1426 "drbg_pr_sha256", 0, 0);
1427 if (err) {
1428 pr_err("DRBG: periodical self test failed\n");
1429
1430
1431
1432
1433 drbg_uninstantiate(drbg);
1434 return 0;
1435 } else {
1436 pr_devel("DRBG: self test successful\n");
1437 }
1438 }
1439#endif
1440
1441
1442
1443
1444
1445 len = 0;
1446err:
1447 return len;
1448}
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458static int drbg_generate_long(struct drbg_state *drbg,
1459 unsigned char *buf, unsigned int buflen,
1460 struct drbg_string *addtl)
1461{
1462 unsigned int len = 0;
1463 unsigned int slice = 0;
1464 do {
1465 int err = 0;
1466 unsigned int chunk = 0;
1467 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1468 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1469 mutex_lock(&drbg->drbg_mutex);
1470 err = drbg_generate(drbg, buf + len, chunk, addtl);
1471 mutex_unlock(&drbg->drbg_mutex);
1472 if (0 > err)
1473 return err;
1474 len += chunk;
1475 } while (slice > 0 && (len < buflen));
1476 return 0;
1477}
1478
1479static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1480{
1481 struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1482 random_ready);
1483
1484 schedule_work(&drbg->seed_work);
1485}
1486
1487static int drbg_prepare_hrng(struct drbg_state *drbg)
1488{
1489 int err;
1490
1491
1492 if (list_empty(&drbg->test_data.list))
1493 return 0;
1494
1495 INIT_WORK(&drbg->seed_work, drbg_async_seed);
1496
1497 drbg->random_ready.owner = THIS_MODULE;
1498 drbg->random_ready.func = drbg_schedule_async_seed;
1499
1500 err = add_random_ready_callback(&drbg->random_ready);
1501
1502 switch (err) {
1503 case 0:
1504 break;
1505
1506 case -EALREADY:
1507 err = 0;
1508
1509
1510 default:
1511 drbg->random_ready.func = NULL;
1512 return err;
1513 }
1514
1515 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1516
1517
1518
1519
1520
1521 drbg->reseed_threshold = 50;
1522
1523 return err;
1524}
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1544 int coreref, bool pr)
1545{
1546 int ret;
1547 bool reseed = true;
1548
1549 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1550 "%s\n", coreref, pr ? "enabled" : "disabled");
1551 mutex_lock(&drbg->drbg_mutex);
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563 if (!drbg->core) {
1564 drbg->core = &drbg_cores[coreref];
1565 drbg->pr = pr;
1566 drbg->seeded = false;
1567 drbg->reseed_threshold = drbg_max_requests(drbg);
1568
1569 ret = drbg_alloc_state(drbg);
1570 if (ret)
1571 goto unlock;
1572
1573 ret = drbg_prepare_hrng(drbg);
1574 if (ret)
1575 goto free_everything;
1576
1577 if (IS_ERR(drbg->jent)) {
1578 ret = PTR_ERR(drbg->jent);
1579 drbg->jent = NULL;
1580 if (fips_enabled || ret != -ENOENT)
1581 goto free_everything;
1582 pr_info("DRBG: Continuing without Jitter RNG\n");
1583 }
1584
1585 reseed = false;
1586 }
1587
1588 ret = drbg_seed(drbg, pers, reseed);
1589
1590 if (ret && !reseed)
1591 goto free_everything;
1592
1593 mutex_unlock(&drbg->drbg_mutex);
1594 return ret;
1595
1596unlock:
1597 mutex_unlock(&drbg->drbg_mutex);
1598 return ret;
1599
1600free_everything:
1601 mutex_unlock(&drbg->drbg_mutex);
1602 drbg_uninstantiate(drbg);
1603 return ret;
1604}
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615static int drbg_uninstantiate(struct drbg_state *drbg)
1616{
1617 if (drbg->random_ready.func) {
1618 del_random_ready_callback(&drbg->random_ready);
1619 cancel_work_sync(&drbg->seed_work);
1620 crypto_free_rng(drbg->jent);
1621 drbg->jent = NULL;
1622 }
1623
1624 if (drbg->d_ops)
1625 drbg->d_ops->crypto_fini(drbg);
1626 drbg_dealloc_state(drbg);
1627
1628 return 0;
1629}
1630
1631
1632
1633
1634
1635
1636
1637
1638static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1639 const u8 *data, unsigned int len)
1640{
1641 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1642
1643 mutex_lock(&drbg->drbg_mutex);
1644 drbg_string_fill(&drbg->test_data, data, len);
1645 mutex_unlock(&drbg->drbg_mutex);
1646}
1647
1648
1649
1650
1651
1652#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1653struct sdesc {
1654 struct shash_desc shash;
1655 char ctx[];
1656};
1657
1658static int drbg_init_hash_kernel(struct drbg_state *drbg)
1659{
1660 struct sdesc *sdesc;
1661 struct crypto_shash *tfm;
1662
1663 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1664 if (IS_ERR(tfm)) {
1665 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1666 drbg->core->backend_cra_name);
1667 return PTR_ERR(tfm);
1668 }
1669 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1670 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1671 GFP_KERNEL);
1672 if (!sdesc) {
1673 crypto_free_shash(tfm);
1674 return -ENOMEM;
1675 }
1676
1677 sdesc->shash.tfm = tfm;
1678 drbg->priv_data = sdesc;
1679
1680 return crypto_shash_alignmask(tfm);
1681}
1682
1683static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1684{
1685 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1686 if (sdesc) {
1687 crypto_free_shash(sdesc->shash.tfm);
1688 kzfree(sdesc);
1689 }
1690 drbg->priv_data = NULL;
1691 return 0;
1692}
1693
1694static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1695 const unsigned char *key)
1696{
1697 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1698
1699 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1700}
1701
1702static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1703 const struct list_head *in)
1704{
1705 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1706 struct drbg_string *input = NULL;
1707
1708 crypto_shash_init(&sdesc->shash);
1709 list_for_each_entry(input, in, list)
1710 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1711 return crypto_shash_final(&sdesc->shash, outval);
1712}
1713#endif
1714
1715#ifdef CONFIG_CRYPTO_DRBG_CTR
1716static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1717{
1718 struct crypto_cipher *tfm =
1719 (struct crypto_cipher *)drbg->priv_data;
1720 if (tfm)
1721 crypto_free_cipher(tfm);
1722 drbg->priv_data = NULL;
1723
1724 if (drbg->ctr_handle)
1725 crypto_free_skcipher(drbg->ctr_handle);
1726 drbg->ctr_handle = NULL;
1727
1728 if (drbg->ctr_req)
1729 skcipher_request_free(drbg->ctr_req);
1730 drbg->ctr_req = NULL;
1731
1732 kfree(drbg->outscratchpadbuf);
1733 drbg->outscratchpadbuf = NULL;
1734
1735 return 0;
1736}
1737
1738static int drbg_init_sym_kernel(struct drbg_state *drbg)
1739{
1740 struct crypto_cipher *tfm;
1741 struct crypto_skcipher *sk_tfm;
1742 struct skcipher_request *req;
1743 unsigned int alignmask;
1744 char ctr_name[CRYPTO_MAX_ALG_NAME];
1745
1746 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1747 if (IS_ERR(tfm)) {
1748 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1749 drbg->core->backend_cra_name);
1750 return PTR_ERR(tfm);
1751 }
1752 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1753 drbg->priv_data = tfm;
1754
1755 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1756 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1757 drbg_fini_sym_kernel(drbg);
1758 return -EINVAL;
1759 }
1760 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1761 if (IS_ERR(sk_tfm)) {
1762 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1763 ctr_name);
1764 drbg_fini_sym_kernel(drbg);
1765 return PTR_ERR(sk_tfm);
1766 }
1767 drbg->ctr_handle = sk_tfm;
1768 crypto_init_wait(&drbg->ctr_wait);
1769
1770 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1771 if (!req) {
1772 pr_info("DRBG: could not allocate request queue\n");
1773 drbg_fini_sym_kernel(drbg);
1774 return -ENOMEM;
1775 }
1776 drbg->ctr_req = req;
1777 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1778 CRYPTO_TFM_REQ_MAY_SLEEP,
1779 crypto_req_done, &drbg->ctr_wait);
1780
1781 alignmask = crypto_skcipher_alignmask(sk_tfm);
1782 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1783 GFP_KERNEL);
1784 if (!drbg->outscratchpadbuf) {
1785 drbg_fini_sym_kernel(drbg);
1786 return -ENOMEM;
1787 }
1788 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1789 alignmask + 1);
1790
1791 sg_init_table(&drbg->sg_in, 1);
1792 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1793
1794 return alignmask;
1795}
1796
1797static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1798 const unsigned char *key)
1799{
1800 struct crypto_cipher *tfm =
1801 (struct crypto_cipher *)drbg->priv_data;
1802
1803 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1804}
1805
1806static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1807 const struct drbg_string *in)
1808{
1809 struct crypto_cipher *tfm =
1810 (struct crypto_cipher *)drbg->priv_data;
1811
1812
1813 BUG_ON(in->len < drbg_blocklen(drbg));
1814 crypto_cipher_encrypt_one(tfm, outval, in->buf);
1815 return 0;
1816}
1817
1818static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1819 u8 *inbuf, u32 inlen,
1820 u8 *outbuf, u32 outlen)
1821{
1822 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1823 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1824 int ret;
1825
1826 if (inbuf) {
1827
1828 sg_set_buf(sg_in, inbuf, inlen);
1829 } else {
1830
1831 inlen = scratchpad_use;
1832 memset(drbg->outscratchpad, 0, scratchpad_use);
1833 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1834 }
1835
1836 while (outlen) {
1837 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1838
1839
1840 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1841 cryptlen, drbg->V);
1842 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1843 &drbg->ctr_wait);
1844 if (ret)
1845 goto out;
1846
1847 crypto_init_wait(&drbg->ctr_wait);
1848
1849 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1850 memzero_explicit(drbg->outscratchpad, cryptlen);
1851
1852 outlen -= cryptlen;
1853 outbuf += cryptlen;
1854 }
1855 ret = 0;
1856
1857out:
1858 return ret;
1859}
1860#endif
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1878 int *coreref, bool *pr)
1879{
1880 int i = 0;
1881 size_t start = 0;
1882 int len = 0;
1883
1884 *pr = true;
1885
1886 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1887 start = 10;
1888 *pr = false;
1889 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1890 start = 8;
1891 } else {
1892 return;
1893 }
1894
1895
1896 len = strlen(cra_driver_name) - start;
1897 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1898 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1899 len)) {
1900 *coreref = i;
1901 return;
1902 }
1903 }
1904}
1905
1906static int drbg_kcapi_init(struct crypto_tfm *tfm)
1907{
1908 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1909
1910 mutex_init(&drbg->drbg_mutex);
1911
1912 return 0;
1913}
1914
1915static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1916{
1917 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1918}
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929static int drbg_kcapi_random(struct crypto_rng *tfm,
1930 const u8 *src, unsigned int slen,
1931 u8 *dst, unsigned int dlen)
1932{
1933 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1934 struct drbg_string *addtl = NULL;
1935 struct drbg_string string;
1936
1937 if (slen) {
1938
1939 drbg_string_fill(&string, src, slen);
1940 addtl = &string;
1941 }
1942
1943 return drbg_generate_long(drbg, dst, dlen, addtl);
1944}
1945
1946
1947
1948
1949static int drbg_kcapi_seed(struct crypto_rng *tfm,
1950 const u8 *seed, unsigned int slen)
1951{
1952 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1953 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1954 bool pr = false;
1955 struct drbg_string string;
1956 struct drbg_string *seed_string = NULL;
1957 int coreref = 0;
1958
1959 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1960 &pr);
1961 if (0 < slen) {
1962 drbg_string_fill(&string, seed, slen);
1963 seed_string = &string;
1964 }
1965
1966 return drbg_instantiate(drbg, seed_string, coreref, pr);
1967}
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983static inline int __init drbg_healthcheck_sanity(void)
1984{
1985 int len = 0;
1986#define OUTBUFLEN 16
1987 unsigned char buf[OUTBUFLEN];
1988 struct drbg_state *drbg = NULL;
1989 int ret = -EFAULT;
1990 int rc = -EFAULT;
1991 bool pr = false;
1992 int coreref = 0;
1993 struct drbg_string addtl;
1994 size_t max_addtllen, max_request_bytes;
1995
1996
1997 if (!fips_enabled)
1998 return 0;
1999
2000#ifdef CONFIG_CRYPTO_DRBG_CTR
2001 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
2002#elif defined CONFIG_CRYPTO_DRBG_HASH
2003 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2004#else
2005 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
2006#endif
2007
2008 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2009 if (!drbg)
2010 return -ENOMEM;
2011
2012 mutex_init(&drbg->drbg_mutex);
2013 drbg->core = &drbg_cores[coreref];
2014 drbg->reseed_threshold = drbg_max_requests(drbg);
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024 max_addtllen = drbg_max_addtl(drbg);
2025 max_request_bytes = drbg_max_request_bytes(drbg);
2026 drbg_string_fill(&addtl, buf, max_addtllen + 1);
2027
2028 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2029 BUG_ON(0 < len);
2030
2031 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2032 BUG_ON(0 < len);
2033
2034
2035 ret = drbg_seed(drbg, &addtl, false);
2036 BUG_ON(0 == ret);
2037
2038 rc = 0;
2039
2040 pr_devel("DRBG: Sanity tests for failure code paths successfully "
2041 "completed\n");
2042
2043 kfree(drbg);
2044 return rc;
2045}
2046
2047static struct rng_alg drbg_algs[22];
2048
2049
2050
2051
2052
2053
2054static inline void __init drbg_fill_array(struct rng_alg *alg,
2055 const struct drbg_core *core, int pr)
2056{
2057 int pos = 0;
2058 static int priority = 200;
2059
2060 memcpy(alg->base.cra_name, "stdrng", 6);
2061 if (pr) {
2062 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2063 pos = 8;
2064 } else {
2065 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2066 pos = 10;
2067 }
2068 memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2069 strlen(core->cra_name));
2070
2071 alg->base.cra_priority = priority;
2072 priority++;
2073
2074
2075
2076
2077
2078 if (fips_enabled)
2079 alg->base.cra_priority += 200;
2080
2081 alg->base.cra_ctxsize = sizeof(struct drbg_state);
2082 alg->base.cra_module = THIS_MODULE;
2083 alg->base.cra_init = drbg_kcapi_init;
2084 alg->base.cra_exit = drbg_kcapi_cleanup;
2085 alg->generate = drbg_kcapi_random;
2086 alg->seed = drbg_kcapi_seed;
2087 alg->set_ent = drbg_kcapi_set_entropy;
2088 alg->seedsize = 0;
2089}
2090
2091static int __init drbg_init(void)
2092{
2093 unsigned int i = 0;
2094 unsigned int j = 0;
2095 int ret;
2096
2097 ret = drbg_healthcheck_sanity();
2098 if (ret)
2099 return ret;
2100
2101 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2102 pr_info("DRBG: Cannot register all DRBG types"
2103 "(slots needed: %zu, slots available: %zu)\n",
2104 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2105 return -EFAULT;
2106 }
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2118 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2119 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2120 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2121 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2122}
2123
2124static void __exit drbg_exit(void)
2125{
2126 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2127}
2128
2129subsys_initcall(drbg_init);
2130module_exit(drbg_exit);
2131#ifndef CRYPTO_DRBG_HASH_STRING
2132#define CRYPTO_DRBG_HASH_STRING ""
2133#endif
2134#ifndef CRYPTO_DRBG_HMAC_STRING
2135#define CRYPTO_DRBG_HMAC_STRING ""
2136#endif
2137#ifndef CRYPTO_DRBG_CTR_STRING
2138#define CRYPTO_DRBG_CTR_STRING ""
2139#endif
2140MODULE_LICENSE("GPL");
2141MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2142MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2143 "using following cores: "
2144 CRYPTO_DRBG_HASH_STRING
2145 CRYPTO_DRBG_HMAC_STRING
2146 CRYPTO_DRBG_CTR_STRING);
2147MODULE_ALIAS_CRYPTO("stdrng");
2148