100#include <crypto/drbg.h>
101#include <linux/kernel.h>
/*
 * Table of the DRBG cores this module can instantiate.
 *
 * Each entry pairs the DRBG type and security strength (.flags) with the
 * size of the internal state V/C (.statelen), the output size of one
 * backend operation (.blocklen_bytes), the DRBG's own name (.cra_name)
 * and the kernel crypto API name of the backend primitive
 * (.backend_cra_name). drbg_instantiate() indexes this table by
 * coreref, so the order of entries is part of the core numbering and
 * must not be changed casually. Which groups are compiled in depends on
 * CONFIG_CRYPTO_DRBG_{CTR,HASH,HMAC}.
 */
static const struct drbg_core drbg_cores[] = {
#ifdef CONFIG_CRYPTO_DRBG_CTR
	/*
	 * CTR DRBG: statelen = key length + block length (drbg_ctr_update()
	 * splits temp into C of drbg_keylen() bytes and V of one block).
	 */
	{
		.flags = DRBG_CTR | DRBG_STRENGTH128,
		.statelen = 32, /* 16 key + 16 block */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes128",
		.backend_cra_name = "aes",
	}, {
		.flags = DRBG_CTR | DRBG_STRENGTH192,
		.statelen = 40, /* 24 key + 16 block */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes192",
		.backend_cra_name = "aes",
	}, {
		.flags = DRBG_CTR | DRBG_STRENGTH256,
		.statelen = 48, /* 32 key + 16 block */
		.blocklen_bytes = 16,
		.cra_name = "ctr_aes256",
		.backend_cra_name = "aes",
	},
#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
	/*
	 * Hash DRBG: statelen is the seed length in bytes (55 = 440 bits,
	 * 111 = 888 bits, the SP800-90A seedlen values); blocklen_bytes is
	 * the digest size, which drbg_init_hash_kernel() verifies with a
	 * BUG_ON against the backend.
	 */
	{
		.flags = DRBG_HASH | DRBG_STRENGTH128,
		.statelen = 55,
		.blocklen_bytes = 20,
		.cra_name = "sha1",
		.backend_cra_name = "sha1",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111,
		.blocklen_bytes = 48,
		.cra_name = "sha384",
		.backend_cra_name = "sha384",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 111,
		.blocklen_bytes = 64,
		.cra_name = "sha512",
		.backend_cra_name = "sha512",
	}, {
		.flags = DRBG_HASH | DRBG_STRENGTH256,
		.statelen = 55,
		.blocklen_bytes = 32,
		.cra_name = "sha256",
		.backend_cra_name = "sha256",
	},
#endif
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	/*
	 * HMAC DRBG: V, C and the output block all have the digest size,
	 * so statelen == blocklen_bytes. C is used as the HMAC key
	 * (drbg_kcapi_hash() installs drbg_statelen() key bytes).
	 */
	{
		.flags = DRBG_HMAC | DRBG_STRENGTH128,
		.statelen = 20,
		.blocklen_bytes = 20,
		.cra_name = "hmac_sha1",
		.backend_cra_name = "hmac(sha1)",
	}, {
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 48,
		.blocklen_bytes = 48,
		.cra_name = "hmac_sha384",
		.backend_cra_name = "hmac(sha384)",
	}, {
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 64,
		.blocklen_bytes = 64,
		.cra_name = "hmac_sha512",
		.backend_cra_name = "hmac(sha512)",
	}, {
		.flags = DRBG_HMAC | DRBG_STRENGTH256,
		.statelen = 32,
		.blocklen_bytes = 32,
		.cra_name = "hmac_sha256",
		.backend_cra_name = "hmac(sha256)",
	},
#endif
};
194static int drbg_uninstantiate(struct drbg_state *drbg);
/*
 * Security strength of a DRBG core in bytes, taken from the
 * DRBG_STRENGTH* bits of @flags. Anything that is not one of the three
 * known strengths maps to 32, the largest strength in drbg_cores[].
 */
static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
{
	unsigned short strength = 32;	/* also the fallback for unknown bits */

	if ((flags & DRBG_STRENGTH_MASK) == DRBG_STRENGTH128)
		strength = 16;
	else if ((flags & DRBG_STRENGTH_MASK) == DRBG_STRENGTH192)
		strength = 24;

	return strength;
}
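#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
/*
 * Store @val into @buf as a big-endian 32-bit value.
 *
 * @buf is not necessarily 4-byte aligned: drbg_ctr_df() passes &L_N[4]
 * and drbg_hash_df() passes &input[1] of a byte array. The value is
 * therefore copied with memcpy() rather than written through a __be32
 * lvalue overlaid on the buffer, which is a misaligned (and, outside
 * the kernel's -fno-strict-aliasing build, aliasing-violating) store on
 * architectures that do not tolerate unaligned access.
 */
static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
{
	__be32 conv = cpu_to_be32(val);

	memcpy(buf, &conv, sizeof(conv));
}
#endif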
#ifdef CONFIG_CRYPTO_DRBG_CTR
/* name fragment for the CTR type; its use is outside this view */
#define CRYPTO_DRBG_CTR_STRING "CTR "
/*
 * Aliases so each CTR core can be requested by name; the "pr"/"nopr"
 * prefix selects prediction resistance (see drbg_convert_tfm_core()).
 */
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");

/* block cipher backend helpers, defined at the end of the file */
static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
			  unsigned char *outval, const struct drbg_string *in);
static int drbg_init_sym_kernel(struct drbg_state *drbg);
static int drbg_fini_sym_kernel(struct drbg_state *drbg);
/*
 * Block-cipher chaining (BCC) over the concatenation of all strings in
 * @in. Every input byte is XORed into the chaining block @out; whenever a
 * full block of drbg_blocklen() bytes has been absorbed, @out is
 * encrypted in place under @key before more input is mixed in. A final
 * partial block is encrypted as well. @out must hold one block and is
 * both the running chaining value and the result.
 *
 * Returns 0 or the error from drbg_kcapi_sym().
 */
static int drbg_ctr_bcc(struct drbg_state *drbg,
			unsigned char *out, const unsigned char *key,
			struct list_head *in)
{
	const size_t blocklen = drbg_blocklen(drbg);
	struct drbg_string *chunk;
	struct drbg_string block;
	short fill = 0;	/* bytes mixed into @out since the last encryption */
	int ret = 0;

	/* the chaining block is both the cipher input and its output */
	drbg_string_fill(&block, out, blocklen);

	list_for_each_entry(chunk, in, list) {
		size_t idx;

		for (idx = 0; idx < chunk->len; idx++) {
			if (fill == blocklen) {
				ret = drbg_kcapi_sym(drbg, key, out, &block);
				if (ret)
					return ret;
				fill = 0;
			}
			out[fill++] ^= chunk->buf[idx];
		}
	}

	/* flush the last, possibly partial, block */
	if (fill)
		ret = drbg_kcapi_sym(drbg, key, out, &block);

	return ret;
}
/*
 * Block-cipher derivation function of the CTR DRBG (the Block_Cipher_df
 * construction of SP800-90A): condenses the strings in @seedlist into
 * @bytes_to_return bytes written to @df_data.
 *
 * @df_data is the start of the scratch area laid out by
 * drbg_alloc_state(): @df_data (statelen) is followed by pad (one block),
 * iv (one block) and temp (statelen + one block). @seedlist is spliced
 * into a local list and is not reinitialised by list_splice_tail();
 * callers must not rely on its head afterwards.
 *
 * Returns 0, -EINVAL if more than 64 bytes are requested, or the error
 * of the underlying cipher call. All scratch areas are wiped on exit.
 */
static int drbg_ctr_df(struct drbg_state *drbg,
		       unsigned char *df_data, size_t bytes_to_return,
		       struct list_head *seedlist)
{
	int ret = -EFAULT;
	unsigned char L_N[8];	/* big-endian input length || output length */

	struct drbg_string S1, S2, S4, cipherin;
	LIST_HEAD(bcc_list);
	unsigned char *pad = df_data + drbg_statelen(drbg);
	unsigned char *iv = pad + drbg_blocklen(drbg);
	unsigned char *temp = iv + drbg_blocklen(drbg);
	size_t padlen = 0;
	unsigned int templen = 0;

	unsigned int i = 0;	/* BCC block counter, written into iv */

	/*
	 * Fixed key 0x00..0x1f for the BCC phase; drbg_kcapi_sym() uses only
	 * the first drbg_keylen() bytes of it.
	 */
	const unsigned char *K = (unsigned char *)
		"\x00\x01\x02\x03\x04\x05\x06\x07"
		"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
		"\x10\x11\x12\x13\x14\x15\x16\x17"
		"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
	unsigned char *X;
	size_t generated_len = 0;
	size_t inputlen = 0;
	struct drbg_string *seed = NULL;

	memset(pad, 0, drbg_blocklen(drbg));
	memset(iv, 0, drbg_blocklen(drbg));

	/* the derivation function is limited to 512 bits of output */
	if ((512/8) < bytes_to_return)
		return -EINVAL;

	/* L: total length of the seed material, truncated to 32 bits */
	list_for_each_entry(seed, seedlist, list)
		inputlen += seed->len;
	drbg_cpu_to_be32(inputlen, &L_N[0]);

	/* N: number of bytes requested */
	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);

	/* pad L_N || seed || 0x80 up to a multiple of the block length */
	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));

	if (padlen)
		padlen = drbg_blocklen(drbg) - padlen;

	/* the 0x80 byte itself; pad[] was zeroed above, so the rest is 0x00 */
	padlen++;
	pad[0] = 0x80;

	/* BCC input: iv || L_N || seed material || pad */
	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
	list_add_tail(&S1.list, &bcc_list);
	drbg_string_fill(&S2, L_N, sizeof(L_N));
	list_add_tail(&S2.list, &bcc_list);
	list_splice_tail(seedlist, &bcc_list);
	drbg_string_fill(&S4, pad, padlen);
	list_add_tail(&S4.list, &bcc_list);

	/*
	 * Fill temp with keylen + blocklen bytes of BCC output; each block
	 * uses a different counter value in the leading iv block.
	 */
	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
		drbg_cpu_to_be32(i, iv);

		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
		if (ret)
			goto out;

		i++;
		templen += drbg_blocklen(drbg);
	}

	/* temp[0..keylen) is the new key K', X is the block after it */
	X = temp + (drbg_keylen(drbg));
	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));

	/*
	 * Output phase: repeatedly encrypt X in place under K' (temp) and
	 * copy out up to one block at a time.
	 */
	while (generated_len < bytes_to_return) {
		short blocklen = 0;

		ret = drbg_kcapi_sym(drbg, temp, X, &cipherin);
		if (ret)
			goto out;
		blocklen = (drbg_blocklen(drbg) <
				(bytes_to_return - generated_len)) ?
			    drbg_blocklen(drbg) :
				(bytes_to_return - generated_len);

		memcpy(df_data + generated_len, X, blocklen);
		generated_len += blocklen;
	}

	ret = 0;

out:
	/* iv, temp (holds K' and X) and pad are all derived from the seed */
	memset(iv, 0, drbg_blocklen(drbg));
	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
	memset(pad, 0, drbg_blocklen(drbg));
	return ret;
}
/*
 * CTR DRBG state update: derive fresh key/V material from the current
 * state (and, if given, the derived @seed) and install it as C and V.
 *
 * @reseed encodes the calling context, which decides how df_data (the
 * derived seed material kept in the scratchpad) is handled:
 *   0 / 1 - initial seed / reseed (drbg_seed): df_data cleared first
 *   2     - generate with additional input (drbg_ctr_generate): df_data
 *           is derived here and deliberately kept after return
 *   3     - final update of generate (drbg_ctr_generate, @seed NULL):
 *           df_data from the mode-2 call is reused, then cleared
 *
 * Scratchpad layout (see drbg_alloc_state()): temp = statelen + blocklen
 * bytes at the start, df_data = statelen bytes after it, followed by the
 * areas drbg_ctr_df() uses.
 *
 * Returns 0 or a negative error; temp is always wiped on exit.
 */
static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
			   int reseed)
{
	int ret = -EFAULT;

	unsigned char *temp = drbg->scratchpad;
	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
				 drbg_blocklen(drbg);
	unsigned char *temp_p, *df_data_p;
	unsigned int len = 0;
	struct drbg_string cipherin;

	/* modes 0-2 start from zeroed seed material; mode 3 reuses it */
	if (3 > reseed)
		memset(df_data, 0, drbg_statelen(drbg));

	/* condense the seed material into statelen bytes */
	if (seed) {
		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
		if (ret)
			goto out;
	}

	drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg));

	/*
	 * temp = E_C(V+1) || E_C(V+2) || ... until statelen bytes (rounded
	 * up to whole blocks, which temp has room for) are produced.
	 */
	while (len < (drbg_statelen(drbg))) {
		crypto_inc(drbg->V, drbg_blocklen(drbg));

		ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin);
		if (ret)
			goto out;

		len += drbg_blocklen(drbg);
	}

	/* temp ^= df_data (all zero when no seed material was supplied) */
	temp_p = temp;
	df_data_p = df_data;
	for (len = 0; len < drbg_statelen(drbg); len++) {
		*temp_p ^= *df_data_p;
		df_data_p++; temp_p++;
	}

	/* new key is the first keylen bytes ... */
	memcpy(drbg->C, temp, drbg_keylen(drbg));
	/* ... followed by the new V of one block */
	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
	ret = 0;

out:
	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
	/* mode 2 keeps df_data for the following mode-3 call */
	if (2 != reseed)
		memset(df_data, 0, drbg_statelen(drbg));
	return ret;
}
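/*
 * Produce @buflen bytes of CTR DRBG output into @buf.
 *
 * If @addtl holds additional input the state is first updated with it
 * (mode 2, which keeps the derived df_data). Output blocks are then the
 * encryptions of successive V values under C. Finally the state is
 * updated once more (mode 3, consuming the kept df_data).
 *
 * Returns the number of bytes written, or a negative errno. The
 * additional-input update now propagates its error instead of returning
 * 0: drbg_generate() passes the value up unchanged and its callers treat
 * only negative values as failure, so "0 bytes" would let an unfilled
 * buffer be reported as success. drbg_hmac_generate() already returns
 * ret at the same step. (In this version drbg_kcapi_sym() cannot fail,
 * so the path is likely unreachable, but the contract should not rely
 * on that.)
 */
static int drbg_ctr_generate(struct drbg_state *drbg,
			     unsigned char *buf, unsigned int buflen,
			     struct list_head *addtl)
{
	int len = 0;
	int ret = 0;
	struct drbg_string data;

	/* mix the additional input into the state before generating */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_ctr_update(drbg, addtl, 2);
		if (ret)
			return ret;
	}

	/* every output block is the encryption of an incremented V */
	crypto_inc(drbg->V, drbg_blocklen(drbg));
	drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg));
	while (len < buflen) {
		int outlen = 0;

		ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data);
		if (ret) {
			len = ret;
			goto out;
		}
		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
			  drbg_blocklen(drbg) : (buflen - len);

		memcpy(buf + len, drbg->scratchpad, outlen);
		len += outlen;

		/* do not step V past the last block that was actually used */
		if (len < buflen)
			crypto_inc(drbg->V, drbg_blocklen(drbg));
	}

	/* post-generation update; reuses df_data left by the mode-2 call */
	ret = drbg_ctr_update(drbg, NULL, 3);
	if (ret)
		len = ret;

out:
	/* the scratchpad still holds the last keystream block */
	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return len;
}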
581
/* dispatch table of the CTR DRBG; drbg_alloc_state() installs it in d_ops */
static const struct drbg_state_ops drbg_ctr_ops = {
	.update = drbg_ctr_update,
	.generate = drbg_ctr_generate,
	.crypto_init = drbg_init_sym_kernel,
	.crypto_fini = drbg_fini_sym_kernel,
};
588#endif
#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
/* shash backend helpers shared by the Hash and HMAC DRBGs, defined below */
static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
			   unsigned char *outval, const struct list_head *in);
static int drbg_init_hash_kernel(struct drbg_state *drbg);
static int drbg_fini_hash_kernel(struct drbg_state *drbg);
#endif
600
#ifdef CONFIG_CRYPTO_DRBG_HMAC
/* name fragment for the HMAC type; its use is outside this view */
#define CRYPTO_DRBG_HMAC_STRING "HMAC "
/* aliases for the HMAC cores; "pr"/"nopr" selects prediction resistance */
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
/*
 * HMAC DRBG state update (the HMAC_DRBG_Update function of SP800-90A).
 *
 * For each prefix byte (DRBG_PREFIX0, then DRBG_PREFIX1):
 *   C = HMAC(C, V || prefix || seed)
 *   V = HMAC(C, V)
 * When no @seed is supplied only the first round is performed, which is
 * what the early return inside the loop implements.
 *
 * @reseed == 0 marks the initial instantiation, for which V is set to
 * all 0x01 bytes here; C is expected to have been zeroed by the caller
 * (drbg_seed() does so). Any other value is a reseed or a generate-time
 * update and leaves V as is.
 *
 * Returns 0 or the error from drbg_kcapi_hash().
 */
static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
			    int reseed)
{
	int ret = -EFAULT;
	int i = 0;
	struct drbg_string seed1, seed2, vdata;
	LIST_HEAD(seedlist);
	LIST_HEAD(vdatalist);

	if (!reseed)
		/* initial V = 0x01 0x01 ... 0x01 */
		memset(drbg->V, 1, drbg_statelen(drbg));

	/* seedlist = V || <prefix byte> || seed */
	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
	list_add_tail(&seed1.list, &seedlist);

	/* placeholder for the prefix byte; buf is pointed at it per round */
	drbg_string_fill(&seed2, NULL, 1);
	list_add_tail(&seed2.list, &seedlist);

	/* list_splice_tail() leaves the caller's head as it was */
	if (seed)
		list_splice_tail(seed, &seedlist);

	/* vdatalist = V, hashed by itself */
	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vdata.list, &vdatalist);
	for (i = 2; 0 < i; i--) {
		/* round 1 uses DRBG_PREFIX0, round 2 uses DRBG_PREFIX1 */
		unsigned char prefix = DRBG_PREFIX0;
		if (1 == i)
			prefix = DRBG_PREFIX1;

		seed2.buf = &prefix;
		/*
		 * C is both the HMAC key and the output: drbg_kcapi_hash()
		 * installs the key before the digest is written.
		 */
		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist);
		if (ret)
			return ret;

		/* V = HMAC(C, V), in place */
		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist);
		if (ret)
			return ret;

		/* without provided data the update consists of one round */
		if (!seed)
			return ret;
	}

	return 0;
}
/*
 * Produce @buflen bytes of HMAC DRBG output into @buf.
 *
 * Additional input in @addtl is folded into the state before
 * generating. Each output block is V = HMAC(C, V), copied out up to one
 * block at a time. Afterwards the state is updated again, with the same
 * additional input if any was given.
 *
 * Returns the number of bytes written, or a negative errno.
 */
static int drbg_hmac_generate(struct drbg_state *drbg,
			      unsigned char *buf,
			      unsigned int buflen,
			      struct list_head *addtl)
{
	struct drbg_string vstring;
	LIST_HEAD(vlist);
	int produced = 0;
	int ret;

	/* pre-generation update with the additional input */
	if (addtl && !list_empty(addtl)) {
		ret = drbg_hmac_update(drbg, addtl, 1);
		if (ret)
			return ret;
	}

	/* the hash input is V itself, which is also overwritten as output */
	drbg_string_fill(&vstring, drbg->V, drbg_statelen(drbg));
	list_add_tail(&vstring.list, &vlist);
	while (produced < buflen) {
		unsigned int take;

		ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vlist);
		if (ret)
			return ret;

		take = drbg_blocklen(drbg);
		if (buflen - produced < take)
			take = buflen - produced;
		memcpy(buf + produced, drbg->V, take);
		produced += take;
	}

	/* post-generation update, again with the additional input if present */
	ret = drbg_hmac_update(drbg,
			       (addtl && !list_empty(addtl)) ? addtl : NULL, 1);
	if (ret)
		return ret;

	return produced;
}
705
/* dispatch table of the HMAC DRBG; drbg_alloc_state() installs it in d_ops */
static const struct drbg_state_ops drbg_hmac_ops = {
	.update = drbg_hmac_update,
	.generate = drbg_hmac_generate,
	.crypto_init = drbg_init_hash_kernel,
	.crypto_fini = drbg_fini_hash_kernel,
};
712#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
/* name fragment for the Hash type; its use is outside this view */
#define CRYPTO_DRBG_HASH_STRING "HASH "
/* aliases for the Hash cores; "pr"/"nopr" selects prediction resistance */
MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
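/*
 * Big-endian multi-precision addition: dst = (dst + add) mod 2^(8*dstlen).
 *
 * Both buffers are most-significant byte first; @add is aligned to the
 * least-significant end of @dst and the carry is propagated into the
 * remaining high bytes of @dst. Overflow out of @dst is discarded.
 *
 * The callers in this file always pass addlen <= dstlen (a digest, C or
 * an 8-byte counter against the statelen-sized V). The original walked
 * pointers from add + (addlen - 1) and computed dstlen - addlen without
 * a check, so a zero length or addlen > dstlen was undefined behaviour /
 * a buffer underrun; both cases are now handled: empty inputs are a
 * no-op and only the low dstlen bytes of a longer @add contribute, which
 * is exactly what reduction mod 2^(8*dstlen) requires.
 */
static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
				const unsigned char *add, size_t addlen)
{
	unsigned int carry = 0;
	size_t i;

	if (!dstlen || !addlen)
		return;

	/* bytes of @add above dst's width cannot affect the result */
	if (addlen > dstlen) {
		add += addlen - dstlen;
		addlen = dstlen;
	}

	/* add the overlapping low bytes, least significant first */
	for (i = 0; i < addlen; i++) {
		carry += dst[dstlen - 1 - i] + add[addlen - 1 - i];
		dst[dstlen - 1 - i] = carry & 0xff;
		carry >>= 8;
	}

	/* ripple a pending carry through the high bytes of @dst */
	for (i = addlen; i < dstlen && carry; i++) {
		carry += dst[dstlen - 1 - i];
		dst[dstlen - 1 - i] = carry & 0xff;
		carry >>= 8;
	}
}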
/*
 * Hash derivation function: stretch the strings in @entropylist into
 * @outlen bytes at @outval by hashing counter || bits || input for
 * counter = 1, 2, ... and concatenating the digests.
 *
 * The counter/length prefix is a stack-local drbg_string that is added
 * at the head of @entropylist and never removed, so the caller must not
 * reuse that list after this returns (the callers in this file do not).
 * Uses drbg->scratchpad + statelen as the digest buffer, which is wiped
 * on exit.
 *
 * Returns 0 or the error from drbg_kcapi_hash().
 */
static int drbg_hash_df(struct drbg_state *drbg,
			unsigned char *outval, size_t outlen,
			struct list_head *entropylist)
{
	unsigned char *digest = drbg->scratchpad + drbg_statelen(drbg);
	unsigned char counter_and_bits[5];
	struct drbg_string prefix;
	size_t done = 0;
	int ret = 0;

	/* prefix = counter (1 byte) || requested length in bits (BE32) */
	counter_and_bits[0] = 1;
	drbg_cpu_to_be32((outlen * 8), &counter_and_bits[1]);

	/* the prefix is hashed before the caller's strings */
	drbg_string_fill(&prefix, counter_and_bits, 5);
	list_add(&prefix.list, entropylist);

	while (done < outlen) {
		short take;

		ret = drbg_kcapi_hash(drbg, NULL, digest, entropylist);
		if (ret)
			goto out;

		/* next block hashes with an incremented counter */
		counter_and_bits[0]++;
		take = drbg_blocklen(drbg);
		if (outlen - done < take)
			take = outlen - done;
		memcpy(outval + done, digest, take);
		done += take;
	}

out:
	memset(digest, 0, drbg_blocklen(drbg));
	return ret;
}
/*
 * Hash DRBG (re)seed: derive a new V from the seed material and a new C
 * from the new V.
 *
 *   V = Hash_df([DRBG_PREFIX1 || old V ||] seed, statelen)
 *   C = Hash_df(DRBG_PREFIX0 || V, statelen)
 * The "DRBG_PREFIX1 || old V" part is only included on a reseed
 * (@reseed != 0). Because Hash_df writes into drbg->V while it is still
 * being hashed, the old V is first copied into the scratchpad and that
 * copy is what the list references.
 *
 * @seed must not be NULL (returns -EINVAL). Returns 0 or the error from
 * drbg_hash_df(); the V copy in the scratchpad is wiped on exit.
 */
static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
			    int reseed)
{
	int ret = 0;
	struct drbg_string data1, data2;
	LIST_HEAD(datalist);
	LIST_HEAD(datalist2);
	unsigned char *V = drbg->scratchpad;	/* copy of the old V */
	unsigned char prefix = DRBG_PREFIX1;

	if (!seed)
		return -EINVAL;

	if (reseed) {
		/* reseed hashes over the previous V, via the copy */
		memcpy(V, drbg->V, drbg_statelen(drbg));
		drbg_string_fill(&data1, &prefix, 1);
		list_add_tail(&data1.list, &datalist);
		drbg_string_fill(&data2, V, drbg_statelen(drbg));
		list_add_tail(&data2.list, &datalist);
	}
	/* list_splice_tail() leaves the caller's head as it was */
	list_splice_tail(seed, &datalist);

	/* new V */
	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
	if (ret)
		goto out;

	/* new C, derived from the new V; data1/data2 are reused */
	prefix = DRBG_PREFIX0;
	drbg_string_fill(&data1, &prefix, 1);
	list_add_tail(&data1.list, &datalist2);
	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
	list_add_tail(&data2.list, &datalist2);

	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);

out:
	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
	return ret;
}
/*
 * Fold additional input into the Hash DRBG state before generating:
 *   w = Hash(DRBG_PREFIX2 || V || addtl)
 *   V = (V + w) mod 2^(8*statelen)
 * A NULL or empty @addtl is a no-op. The digest w lives in the
 * scratchpad and is wiped on exit.
 *
 * Returns 0 or the error from drbg_kcapi_hash().
 */
static int drbg_hash_process_addtl(struct drbg_state *drbg,
				   struct list_head *addtl)
{
	unsigned char prefix = DRBG_PREFIX2;
	struct drbg_string s_prefix, s_v;
	LIST_HEAD(hashlist);
	int ret;

	/* nothing to fold in */
	if (!addtl || list_empty(addtl))
		return 0;

	/* hash input: prefix || V || addtl (addtl's head is left untouched) */
	drbg_string_fill(&s_prefix, &prefix, 1);
	list_add_tail(&s_prefix.list, &hashlist);
	drbg_string_fill(&s_v, drbg->V, drbg_statelen(drbg));
	list_add_tail(&s_v.list, &hashlist);
	list_splice_tail(addtl, &hashlist);

	ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &hashlist);
	if (!ret) {
		/* V += w, big-endian with carry */
		drbg_add_buf(drbg->V, drbg_statelen(drbg),
			     drbg->scratchpad, drbg_blocklen(drbg));
	}

	/* w is derived from the secret state */
	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return ret;
}
/*
 * Hashgen step of the Hash DRBG: produce @buflen bytes into @buf as
 * Hash(data), Hash(data+1), Hash(data+2), ... where data starts as a
 * copy of V. V itself is left unchanged; the copy and the digests live
 * in the scratchpad (copy at offset 0, digest at offset statelen) and
 * are wiped on exit.
 *
 * Returns the number of bytes written, or a negative errno from
 * drbg_kcapi_hash().
 */
static int drbg_hash_hashgen(struct drbg_state *drbg,
			     unsigned char *buf,
			     unsigned int buflen)
{
	unsigned char *counter = drbg->scratchpad;
	unsigned char *digest = drbg->scratchpad + drbg_statelen(drbg);
	struct drbg_string cstring;
	LIST_HEAD(clist);
	int produced = 0;
	int ret;

	/* work on a copy so the state's V is not incremented here */
	memcpy(counter, drbg->V, drbg_statelen(drbg));
	drbg_string_fill(&cstring, counter, drbg_statelen(drbg));
	list_add_tail(&cstring.list, &clist);

	for (;;) {
		unsigned int take;

		if (produced >= buflen)
			break;

		ret = drbg_kcapi_hash(drbg, NULL, digest, &clist);
		if (ret) {
			produced = ret;
			break;
		}

		take = drbg_blocklen(drbg);
		if (buflen - produced < take)
			take = buflen - produced;
		memcpy(buf + produced, digest, take);
		produced += take;

		/* step the counter only if another block is needed */
		if (produced < buflen)
			crypto_inc(counter, drbg_statelen(drbg));
	}

	/* both the counter copy and the last digest derive from V */
	memset(drbg->scratchpad, 0,
	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
	return produced;
}
/*
 * Produce @buflen bytes of Hash DRBG output into @buf.
 *
 * Steps: fold in @addtl (drbg_hash_process_addtl), run hashgen, then
 * advance the state:
 *   H = Hash(DRBG_PREFIX3 || V)
 *   V = (V + H + C + reseed_ctr) mod 2^(8*statelen)
 * Note that the state is advanced even when hashgen returned an error;
 * the error is still what gets returned.
 *
 * Returns the number of bytes written, or a negative errno. The digest
 * H in the scratchpad is wiped on exit.
 */
static int drbg_hash_generate(struct drbg_state *drbg,
			      unsigned char *buf, unsigned int buflen,
			      struct list_head *addtl)
{
	int len = 0;
	int ret = 0;
	/* reseed_ctr as an 8-byte big-endian addend for drbg_add_buf() */
	union {
		unsigned char req[8];
		__be64 req_int;
	} u;
	unsigned char prefix = DRBG_PREFIX3;
	struct drbg_string data1, data2;
	LIST_HEAD(datalist);

	ret = drbg_hash_process_addtl(drbg, addtl);
	if (ret)
		return ret;

	/* may be a negative error; see the note above */
	len = drbg_hash_hashgen(drbg, buf, buflen);

	/* H = Hash(prefix || V) */
	drbg_string_fill(&data1, &prefix, 1);
	list_add_tail(&data1.list, &datalist);
	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
	list_add_tail(&data2.list, &datalist);
	ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
	if (ret) {
		len = ret;
		goto out;
	}

	/* V = V + H + C + reseed_ctr, each addition with carry */
	drbg_add_buf(drbg->V, drbg_statelen(drbg),
		     drbg->scratchpad, drbg_blocklen(drbg));
	drbg_add_buf(drbg->V, drbg_statelen(drbg),
		     drbg->C, drbg_statelen(drbg));
	u.req_int = cpu_to_be64(drbg->reseed_ctr);
	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);

out:
	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
	return len;
}
/* dispatch table of the Hash DRBG; drbg_alloc_state() installs it in d_ops */
static const struct drbg_state_ops drbg_hash_ops = {
	.update = drbg_hash_update,
	.generate = drbg_hash_generate,
	.crypto_init = drbg_init_hash_kernel,
	.crypto_fini = drbg_fini_hash_kernel,
};
988#endif
/*
 * Run the type-specific update with @seed and, on success, mark the
 * state as seeded with its request counter restarted at 1.
 *
 * Returns 0 or the error of the update, in which case the seeded flag
 * and counter are left untouched.
 */
static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
			      int reseed)
{
	int err = drbg->d_ops->update(drbg, seed, reseed);

	if (!err) {
		drbg->seeded = true;
		/* counts requests since this (re)seed; checked in drbg_generate() */
		drbg->reseed_ctr = 1;
	}

	return err;
}
1008
/*
 * Workqueue handler scheduled once the kernel RNG reports itself ready
 * (see drbg_prepare_hrng() / drbg_schedule_async_seed()): reseed the
 * DRBG from get_random_bytes() and retire the Jitter RNG that bridged
 * the gap until now.
 *
 * Runs under drbg_mutex for the state changes; the return value of
 * __drbg_seed() is not checked, the seeded flag it sets is used instead.
 */
static void drbg_async_seed(struct work_struct *work)
{
	struct drbg_string data;
	LIST_HEAD(seedlist);
	struct drbg_state *drbg = container_of(work, struct drbg_state,
					       seed_work);
	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
	unsigned char entropy[32];	/* sized for the largest strength */

	BUG_ON(!entropylen);
	BUG_ON(entropylen > sizeof(entropy));
	get_random_bytes(entropy, entropylen);

	drbg_string_fill(&data, entropy, entropylen);
	list_add_tail(&data.list, &seedlist);

	mutex_lock(&drbg->drbg_mutex);

	/* from now on drbg_seed() uses the kernel RNG alone (jent == NULL) */
	crypto_free_rng(drbg->jent);
	drbg->jent = NULL;

	/* cleared so that a failed reseed leaves the DRBG marked unseeded */
	drbg->seeded = false;

	__drbg_seed(drbg, &seedlist, true);

	/* restore the normal reseed interval lowered by drbg_prepare_hrng() */
	if (drbg->seeded)
		drbg->reseed_threshold = drbg_max_requests(drbg);

	mutex_unlock(&drbg->drbg_mutex);

	memzero_explicit(entropy, entropylen);
}
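/*
 * Seed (@reseed == false) or reseed (@reseed == true) the DRBG.
 *
 * Entropy comes from drbg->test_data when test entropy was injected via
 * drbg_kcapi_set_entropy(); otherwise from get_random_bytes(), and while
 * a Jitter RNG handle is present, from both sources with equal share,
 * concatenated into one seed string. For the initial seed 1.5 times the
 * security strength is requested (entropy plus nonce, presumably); for a
 * reseed the strength itself. The optional @pers string (personalization
 * on instantiate, additional input on a generate-time reseed) is
 * appended to the seed material.
 *
 * Returns 0, -EINVAL if @pers is too long, or the error of the Jitter
 * RNG or the update. The local entropy buffer is wiped on every exit
 * path that filled it, including the Jitter RNG failure path.
 */
static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
		     bool reseed)
{
	int ret;
	/* two inputs of at most 1.5 * 32 bytes each */
	unsigned char entropy[((32 + 16) * 2)];
	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
	struct drbg_string data1;
	LIST_HEAD(seedlist);

	/* the personalization string is bounded like additional input */
	if (pers && pers->len > (drbg_max_addtl(drbg))) {
		pr_devel("DRBG: personalization string too long %zu\n",
			 pers->len);
		return -EINVAL;
	}

	/*
	 * NOTE(review): list_empty() is true only once the list head was
	 * initialised by drbg_kcapi_set_entropy(); on a zeroed context it
	 * is false, so this branch means "test entropy was injected".
	 * Confirm against drbg_string_fill() in the header.
	 */
	if (list_empty(&drbg->test_data.list)) {
		drbg_string_fill(&data1, drbg->test_data.buf,
				 drbg->test_data.len);
		pr_devel("DRBG: using test entropy\n");
	} else {
		BUG_ON(!entropylen);
		/* initial seed: 1.5 * strength */
		if (!reseed)
			entropylen = ((entropylen + 1) / 2) * 3;
		/* room for the kernel RNG share and the Jitter RNG share */
		BUG_ON((entropylen * 2) > sizeof(entropy));

		get_random_bytes(entropy, entropylen);

		if (!drbg->jent) {
			drbg_string_fill(&data1, entropy, entropylen);
			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
				 entropylen);
		} else {
			/* second share directly behind the first */
			ret = crypto_rng_get_bytes(drbg->jent,
						   entropy + entropylen,
						   entropylen);
			if (ret) {
				pr_devel("DRBG: jent failed with %d\n", ret);
				/* entropy[] already holds kernel RNG bytes */
				goto out;
			}

			drbg_string_fill(&data1, entropy, entropylen * 2);
			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
				 entropylen * 2);
		}
	}
	list_add_tail(&data1.list, &seedlist);

	/* a NULL buffer or empty string contributes nothing */
	if (pers && pers->buf && 0 < pers->len) {
		list_add_tail(&pers->list, &seedlist);
		pr_devel("DRBG: using personalization string\n");
	}

	/* the type-specific update of an initial seed starts from zero V/C */
	if (!reseed) {
		memset(drbg->V, 0, drbg_statelen(drbg));
		memset(drbg->C, 0, drbg_statelen(drbg));
	}

	ret = __drbg_seed(drbg, &seedlist, reseed);

out:
	memzero_explicit(entropy, entropylen * 2);

	return ret;
}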
/*
 * Release the state buffers of @drbg and detach it from its core so it
 * reads as uninstantiated again. Safe to call with a NULL @drbg or on a
 * partially allocated state (drbg_alloc_state() uses it on its error
 * path).
 */
static inline void drbg_dealloc_state(struct drbg_state *drbg)
{
	if (drbg == NULL)
		return;

	/* V, C and the scratchpad hold secret material: zeroing free */
	kzfree(drbg->V);
	kzfree(drbg->C);
	kzfree(drbg->scratchpad);
	drbg->V = NULL;
	drbg->C = NULL;
	drbg->scratchpad = NULL;

	drbg->reseed_ctr = 0;
	drbg->d_ops = NULL;
	/* a NULL core is what drbg_generate()/drbg_instantiate() test for */
	drbg->core = NULL;
}
/*
 * Select the dispatch table for drbg->core and allocate V, C and the
 * per-type scratchpad.
 *
 * Scratchpad layout:
 *   HMAC: none.
 *   CTR : temp (statelen + blocklen) for drbg_ctr_update(), then the
 *         drbg_ctr_df() areas df_data (statelen), pad (blocklen),
 *         iv (blocklen) and temp (statelen + blocklen).
 *   Hash: a V copy / counter (statelen) followed by one digest (blocklen),
 *         as used by drbg_hash_update(), drbg_hash_df() and
 *         drbg_hash_hashgen().
 * V and C are kmalloc'd, not zeroed; drbg_seed() clears them before the
 * initial seed.
 *
 * Returns 0, -EOPNOTSUPP for a type that is not compiled in, or -ENOMEM.
 * On failure everything allocated so far is released again.
 */
static inline int drbg_alloc_state(struct drbg_state *drbg)
{
	int ret = -ENOMEM;
	unsigned int sb_size = 0;

	switch (drbg->core->flags & DRBG_TYPE_MASK) {
#ifdef CONFIG_CRYPTO_DRBG_HMAC
	case DRBG_HMAC:
		drbg->d_ops = &drbg_hmac_ops;
		break;
#endif
#ifdef CONFIG_CRYPTO_DRBG_HASH
	case DRBG_HASH:
		drbg->d_ops = &drbg_hash_ops;
		break;
#endif
#ifdef CONFIG_CRYPTO_DRBG_CTR
	case DRBG_CTR:
		drbg->d_ops = &drbg_ctr_ops;
		break;
#endif
	default:
		ret = -EOPNOTSUPP;
		goto err;
	}

	drbg->V = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
	if (!drbg->V)
		goto err;
	drbg->C = kmalloc(drbg_statelen(drbg), GFP_KERNEL);
	if (!drbg->C)
		goto err;

	if (drbg->core->flags & DRBG_HMAC)
		sb_size = 0;
	else if (drbg->core->flags & DRBG_CTR)
		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
			  drbg_statelen(drbg) +	/* df_data */
			  drbg_blocklen(drbg) +	/* pad */
			  drbg_blocklen(drbg) +	/* iv */
			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
	else
		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);

	if (0 < sb_size) {
		drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL);
		if (!drbg->scratchpad)
			goto err;
	}

	return 0;

err:
	/* tolerates the partially allocated state */
	drbg_dealloc_state(drbg);
	return ret;
}
/*
 * Generate @buflen bytes into @buf, with optional additional input
 * @addtl, honouring the reseed policy. Must be called with drbg_mutex
 * held (drbg_generate_long() does so).
 *
 * A reseed is forced before generating when prediction resistance is
 * enabled or when the request counter has passed reseed_threshold; in
 * that case @addtl is consumed as the reseed's additional input and not
 * passed to the generate step again.
 *
 * Returns 0 on success or a negative errno. The type-specific generate
 * returns the number of bytes produced; anything <= 0 is passed up
 * unchanged. NOTE(review): a return of exactly 0 (no bytes produced) is
 * therefore reported as success to the caller; see the error handling in
 * the *_generate() functions for why that should not happen.
 */
static int drbg_generate(struct drbg_state *drbg,
			 unsigned char *buf, unsigned int buflen,
			 struct drbg_string *addtl)
{
	int len = 0;
	LIST_HEAD(addtllist);

	/* a NULL core means the state was never instantiated */
	if (!drbg->core) {
		pr_devel("DRBG: not yet seeded\n");
		return -EINVAL;
	}
	if (0 == buflen || !buf) {
		pr_devel("DRBG: no output buffer provided\n");
		return -EINVAL;
	}
	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
		pr_devel("DRBG: wrong format of additional information\n");
		return -EINVAL;
	}

	len = -EINVAL;
	if (buflen > (drbg_max_request_bytes(drbg))) {
		pr_devel("DRBG: requested random numbers too large %u\n",
			 buflen);
		goto err;
	}

	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
		pr_devel("DRBG: additional information string too long %zu\n",
			 addtl->len);
		goto err;
	}

	/* too many requests since the last seed: force a reseed below */
	if (drbg->reseed_threshold < drbg->reseed_ctr)
		drbg->seeded = false;

	if (drbg->pr || !drbg->seeded) {
		pr_devel("DRBG: reseeding before generation (prediction "
			 "resistance: %s, state %s)\n",
			 drbg->pr ? "true" : "false",
			 drbg->seeded ? "seeded" : "unseeded");

		/* the additional input goes into the reseed ... */
		len = drbg_seed(drbg, addtl, true);
		if (len)
			goto err;

		/* ... and is then not used a second time for generation */
		addtl = NULL;
	}

	if (addtl && 0 < addtl->len)
		list_add_tail(&addtl->list, &addtllist);

	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);

	/* the request counts even if generation failed */
	drbg->reseed_ctr++;
	if (0 >= len)
		goto err;

	/* disabled: periodic self test via alg_test() every 4096 requests */
#if 0
	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
		int err = 0;
		pr_devel("DRBG: start to perform self test\n");
		if (drbg->core->flags & DRBG_HMAC)
			err = alg_test("drbg_pr_hmac_sha256",
				       "drbg_pr_hmac_sha256", 0, 0);
		else if (drbg->core->flags & DRBG_CTR)
			err = alg_test("drbg_pr_ctr_aes128",
				       "drbg_pr_ctr_aes128", 0, 0);
		else
			err = alg_test("drbg_pr_sha256",
				       "drbg_pr_sha256", 0, 0);
		if (err) {
			pr_err("DRBG: periodical self test failed\n");

			drbg_uninstantiate(drbg);
			return 0;
		} else {
			pr_devel("DRBG: self test successful\n");
		}
	}
#endif

	/* success is reported as 0, not as the byte count */
	len = 0;
err:
	return len;
}
/*
 * Generate @buflen bytes into @buf in chunks of at most
 * drbg_max_request_bytes() each, taking drbg_mutex around every
 * drbg_generate() call. @addtl is passed to each chunk.
 *
 * Returns 0 or the first negative error from drbg_generate(); bytes
 * already produced by earlier chunks are left in @buf.
 */
static int drbg_generate_long(struct drbg_state *drbg,
			      unsigned char *buf, unsigned int buflen,
			      struct drbg_string *addtl)
{
	unsigned int done = 0;
	unsigned int slices;

	do {
		unsigned int remaining = buflen - done;
		unsigned int chunk;
		int err;

		/* full-size chunks while they fit, the remainder last */
		slices = remaining / drbg_max_request_bytes(drbg);
		chunk = slices ? drbg_max_request_bytes(drbg) : remaining;

		mutex_lock(&drbg->drbg_mutex);
		err = drbg_generate(drbg, buf + done, chunk, addtl);
		mutex_unlock(&drbg->drbg_mutex);
		if (err < 0)
			return err;

		done += chunk;
	} while (slices && done < buflen);

	return 0;
}
1381
/*
 * random_ready callback registered by drbg_prepare_hrng(): the actual
 * reseed (drbg_async_seed) is deferred to the workqueue.
 */
static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
{
	/* the callback is embedded in the DRBG state */
	struct drbg_state *drbg = container_of(rdy, struct drbg_state,
					       random_ready);

	schedule_work(&drbg->seed_work);
}
1389
/*
 * Arrange for the DRBG to be reseeded once the kernel RNG is ready and,
 * until then, to draw on the Jitter RNG with a short reseed interval.
 *
 * Skipped entirely when test entropy was injected. Registers
 * drbg_schedule_async_seed() as random_ready callback; if the callback
 * cannot be registered (including -EALREADY, which is treated as
 * success, presumably because nothing needs waiting for), func is
 * cleared so drbg_uninstantiate() knows there is nothing to remove, and
 * no Jitter RNG is allocated.
 *
 * Returns 0 or the error of add_random_ready_callback(). drbg->jent may
 * be an ERR_PTR afterwards; drbg_instantiate() checks that.
 */
static int drbg_prepare_hrng(struct drbg_state *drbg)
{
	int err;

	/*
	 * NOTE(review): list_empty() is true only once
	 * drbg_kcapi_set_entropy() initialised the list head, i.e. test
	 * entropy is in use; on a zeroed context it is false. Confirm
	 * against drbg_string_fill() in the header.
	 */
	if (list_empty(&drbg->test_data.list))
		return 0;

	INIT_WORK(&drbg->seed_work, drbg_async_seed);

	drbg->random_ready.owner = THIS_MODULE;
	drbg->random_ready.func = drbg_schedule_async_seed;

	err = add_random_ready_callback(&drbg->random_ready);

	switch (err) {
	case 0:
		break;

	case -EALREADY:
		err = 0;
		/* fallthrough: callback not registered, return err (now 0) */
	default:
		drbg->random_ready.func = NULL;
		return err;
	}

	/* stop-gap entropy source until drbg_async_seed() runs; may be ERR_PTR */
	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);

	/* reseed frequently until drbg_async_seed() restores drbg_max_requests() */
	drbg->reseed_threshold = 50;

	return err;
}
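/*
 * Instantiate @drbg with core drbg_cores[@coreref] and prediction
 * resistance @pr, seeded with the optional personalization string @pers.
 *
 * On the first call for a state (drbg->core == NULL) the core is bound,
 * buffers and the backend transform are allocated, the async seeding
 * machinery is prepared and an initial seed is performed. A later call
 * on an already instantiated state only reseeds, passing @pers as
 * additional input.
 *
 * Returns 0 or a negative errno. The backend's own crypto_init error is
 * propagated as is, so a missing cipher or digest (e.g. -ENOENT) is no
 * longer reported as the generic -EFAULT. A failed initial seed tears
 * the state down completely; a failed reseed leaves it in place.
 */
static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
			    int coreref, bool pr)
{
	int ret;
	bool reseed = true;

	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
		 "%s\n", coreref, pr ? "enabled" : "disabled");
	mutex_lock(&drbg->drbg_mutex);

	/* first instantiation of this state; otherwise only reseed */
	if (!drbg->core) {
		drbg->core = &drbg_cores[coreref];
		drbg->pr = pr;
		drbg->seeded = false;
		drbg->reseed_threshold = drbg_max_requests(drbg);

		ret = drbg_alloc_state(drbg);
		if (ret)
			goto unlock;

		ret = drbg->d_ops->crypto_init(drbg);
		if (ret)
			goto err;

		ret = drbg_prepare_hrng(drbg);
		if (ret)
			goto free_everything;

		/* crypto_alloc_rng() failure is delivered as an ERR_PTR */
		if (IS_ERR(drbg->jent)) {
			ret = PTR_ERR(drbg->jent);
			drbg->jent = NULL;
			/* only a missing Jitter RNG, and only outside FIPS, is tolerated */
			if (fips_enabled || ret != -ENOENT)
				goto free_everything;
			pr_info("DRBG: Continuing without Jitter RNG\n");
		}

		reseed = false;
	}

	ret = drbg_seed(drbg, pers, reseed);

	/* a failed initial seed must not leave an unseeded instance behind */
	if (ret && !reseed)
		goto free_everything;

	mutex_unlock(&drbg->drbg_mutex);
	return ret;

err:
	/* no transform yet: releasing the buffers is enough */
	drbg_dealloc_state(drbg);
unlock:
	mutex_unlock(&drbg->drbg_mutex);
	return ret;

free_everything:
	/*
	 * drbg_uninstantiate() runs unlocked: it cancel_work_sync()s the
	 * seed work, and drbg_async_seed() takes drbg_mutex itself.
	 */
	mutex_unlock(&drbg->drbg_mutex);
	drbg_uninstantiate(drbg);
	return ret;
}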
/*
 * Tear down an instantiated DRBG: unregister the random_ready callback
 * and stop the async seed work if drbg_prepare_hrng() set them up,
 * release the Jitter RNG, the backend transform and the state buffers.
 * Called without drbg_mutex held. Always returns 0.
 */
static int drbg_uninstantiate(struct drbg_state *drbg)
{
	/* func is only set when the callback was actually registered */
	if (drbg->random_ready.func != NULL) {
		del_random_ready_callback(&drbg->random_ready);
		cancel_work_sync(&drbg->seed_work);
		crypto_free_rng(drbg->jent);
		drbg->jent = NULL;
	}

	/* d_ops is NULL if drbg_alloc_state() never succeeded */
	if (drbg->d_ops != NULL)
		drbg->d_ops->crypto_fini(drbg);

	drbg_dealloc_state(drbg);

	return 0;
}
/*
 * Inject test entropy: drbg_seed() uses @data instead of the kernel RNG
 * once test_data is filled, and drbg_prepare_hrng() then skips the
 * async seeding and Jitter RNG setup. Only @data's pointer and @len are
 * stored; the caller keeps the buffer alive.
 */
static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
				   const u8 *data, unsigned int len)
{
	struct drbg_state *drbg = crypto_rng_ctx(tfm);

	mutex_lock(&drbg->drbg_mutex);
	drbg_string_fill(&drbg->test_data, data, len);
	mutex_unlock(&drbg->drbg_mutex);
}
1561#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
/*
 * shash descriptor plus the backend's request context, allocated as one
 * block of sizeof(shash_desc) + crypto_shash_descsize() bytes by
 * drbg_init_hash_kernel() and kept in drbg->priv_data.
 */
struct sdesc {
	struct shash_desc shash;
	char ctx[];	/* flexible: crypto_shash_descsize() bytes */
};
1566
/*
 * Allocate the shash transform named by the core's backend_cra_name and
 * a descriptor for it, stored in drbg->priv_data.
 *
 * Returns 0, the error of crypto_alloc_shash(), or -ENOMEM. The digest
 * size of the backend must equal the core's blocklen (BUG_ON).
 */
static int drbg_init_hash_kernel(struct drbg_state *drbg)
{
	const char *backend = drbg->core->backend_cra_name;
	struct crypto_shash *tfm = crypto_alloc_shash(backend, 0, 0);
	struct sdesc *desc;

	if (IS_ERR(tfm)) {
		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
			backend);
		return PTR_ERR(tfm);
	}

	/* the core table's block length is the backend's digest size */
	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));

	desc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
		       GFP_KERNEL);
	if (desc == NULL) {
		crypto_free_shash(tfm);
		return -ENOMEM;
	}

	desc->shash.tfm = tfm;
	desc->shash.flags = 0;
	drbg->priv_data = desc;

	return 0;
}
1591
/*
 * Release the shash transform and descriptor set up by
 * drbg_init_hash_kernel(); a NULL priv_data is tolerated. Always
 * returns 0.
 */
static int drbg_fini_hash_kernel(struct drbg_state *drbg)
{
	struct sdesc *desc = (struct sdesc *)drbg->priv_data;

	if (desc != NULL) {
		crypto_free_shash(desc->shash.tfm);
		/* the descriptor carries hash state: zeroing free */
		kzfree(desc);
	}
	drbg->priv_data = NULL;

	return 0;
}
1602
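/*
 * Hash (or HMAC, when @key is given) the concatenation of the strings in
 * @in into @outval using the shash from drbg_init_hash_kernel().
 *
 * @key, when non-NULL, is drbg_statelen() bytes (the DRBG's C) and is
 * installed before any output is written; drbg_hmac_update() relies on
 * that by passing C as both key and output.
 *
 * Returns 0 or the first error from the shash API. The setkey, init and
 * update results are checked: ignoring them would let a failed setkey
 * silently keep the previous key in use.
 */
static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
			   unsigned char *outval, const struct list_head *in)
{
	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
	struct drbg_string *input = NULL;
	int ret;

	if (key) {
		ret = crypto_shash_setkey(sdesc->shash.tfm, key,
					  drbg_statelen(drbg));
		if (ret)
			return ret;
	}
	ret = crypto_shash_init(&sdesc->shash);
	if (ret)
		return ret;
	list_for_each_entry(input, in, list) {
		ret = crypto_shash_update(&sdesc->shash, input->buf,
					  input->len);
		if (ret)
			return ret;
	}
	return crypto_shash_final(&sdesc->shash, outval);
}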
1616#endif
1617
1618#ifdef CONFIG_CRYPTO_DRBG_CTR
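/*
 * drbg_init_sym_kernel - allocate the block cipher backend for a CTR DRBG
 * @drbg: DRBG state; drbg->core->backend_cra_name names the cipher
 *
 * Allocates a single-block cipher transform and stores it in
 * drbg->priv_data. The block length from the core table must equal the
 * block size of the transform actually allocated; a mismatch is a table
 * error and triggers BUG_ON(). The dead "ret" local of the earlier
 * version is gone; the success path simply returns 0.
 *
 * Return: 0 on success or the PTR_ERR of the failed allocation.
 */
static int drbg_init_sym_kernel(struct drbg_state *drbg)
{
	const char *name = drbg->core->backend_cra_name;
	struct crypto_cipher *tfm;

	tfm = crypto_alloc_cipher(name, 0, 0);
	if (IS_ERR(tfm)) {
		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
			name);
		return PTR_ERR(tfm);
	}
	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
	drbg->priv_data = tfm;
	return 0;
}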
1634
/*
 * drbg_fini_sym_kernel - release the block cipher backend of a CTR DRBG
 * @drbg: DRBG state; drbg->priv_data may be NULL if init never succeeded
 *
 * Frees the cipher transform, if any, and clears drbg->priv_data.
 *
 * Return: always 0.
 */
static int drbg_fini_sym_kernel(struct drbg_state *drbg)
{
	struct crypto_cipher *cipher = drbg->priv_data;

	if (cipher)
		crypto_free_cipher(cipher);
	drbg->priv_data = NULL;
	return 0;
}
1644
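/*
 * drbg_kcapi_sym - encrypt one block with the backend cipher
 * @drbg:   DRBG state; drbg->priv_data holds the cipher transform
 * @key:    cipher key of drbg_keylen(drbg) bytes
 * @outval: receives one encrypted block
 * @in:     input string; at least drbg_blocklen(drbg) bytes are required
 *
 * The setkey result is checked: a rejected key is reported instead of
 * silently encrypting with whatever key the transform held before.
 * A too-short input is a caller bug and triggers BUG_ON().
 *
 * Return: 0 on success or the negative error from crypto_cipher_setkey().
 */
static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
			  unsigned char *outval, const struct drbg_string *in)
{
	struct crypto_cipher *tfm = drbg->priv_data;
	int ret;

	ret = crypto_cipher_setkey(tfm, key, drbg_keylen(drbg));
	if (ret)
		return ret;

	/* exactly one block is read from in->buf */
	BUG_ON(in->len < drbg_blocklen(drbg));
	crypto_cipher_encrypt_one(tfm, outval, in->buf);
	return 0;
}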
1657#endif
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
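/*
 * drbg_convert_tfm_core - map a DRBG driver name back to its core entry
 * @cra_driver_name: name of the form "drbg_pr_<core>" or
 *                   "drbg_nopr_<core>", as built by drbg_fill_array()
 * @coreref:         receives the index into drbg_cores[] on a match; left
 *                   untouched when the name does not resolve
 * @pr:              receives whether prediction resistance is requested
 *                   (false only for the "drbg_nopr_" prefix)
 *
 * The prefix test uses strncmp() and the core lookup strcmp(), so a
 * driver name shorter than the prefix cannot be read past its terminator,
 * and the suffix must equal a core's cra_name exactly: a suffix that is
 * only a prefix of a core name (e.g. "sha" against "sha1"), or one longer
 * than the core name, no longer resolves to a wrong core or reads past
 * the end of the core's name. Every well-formed full name resolves as
 * before.
 */
static inline void drbg_convert_tfm_core(const char *cra_driver_name,
					 int *coreref, bool *pr)
{
	size_t start;
	size_t i;

	*pr = true;

	if (!strncmp(cra_driver_name, "drbg_nopr_", 10)) {
		start = 10;
		*pr = false;
	} else if (!strncmp(cra_driver_name, "drbg_pr_", 8)) {
		start = 8;
	} else {
		return;
	}

	for (i = 0; i < ARRAY_SIZE(drbg_cores); i++) {
		if (!strcmp(cra_driver_name + start, drbg_cores[i].cra_name)) {
			*coreref = (int)i;
			return;
		}
	}
}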
1702
/*
 * drbg_kcapi_init - crypto API cra_init callback for a DRBG transform
 * @tfm: transform whose context is the struct drbg_state
 *
 * Only initialises the DRBG mutex; the DRBG itself is instantiated later
 * by the seed callback (drbg_kcapi_seed()).
 *
 * Return: always 0.
 */
static int drbg_kcapi_init(struct crypto_tfm *tfm)
{
	struct drbg_state *state = crypto_tfm_ctx(tfm);

	mutex_init(&state->drbg_mutex);
	return 0;
}
1711
/*
 * drbg_kcapi_cleanup - crypto API cra_exit callback for a DRBG transform
 * @tfm: transform whose context is the struct drbg_state
 *
 * Tears the DRBG down via drbg_uninstantiate(), which tolerates a state
 * that was never (or unsuccessfully) instantiated.
 */
static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
{
	struct drbg_state *state = crypto_tfm_ctx(tfm);

	drbg_uninstantiate(state);
}
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
/*
 * drbg_kcapi_random - crypto API generate callback
 * @tfm:  RNG transform whose context holds the DRBG state
 * @src:  optional additional input for this generate request
 * @slen: length of @src; 0 means no additional input
 * @dst:  output buffer
 * @dlen: number of random bytes requested
 *
 * Wraps @src/@slen in a drbg_string when present and hands the request
 * to drbg_generate_long().
 *
 * Return: whatever drbg_generate_long() returns.
 */
static int drbg_kcapi_random(struct crypto_rng *tfm,
			     const u8 *src, unsigned int slen,
			     u8 *dst, unsigned int dlen)
{
	struct drbg_state *state = crypto_rng_ctx(tfm);
	struct drbg_string addtl_string;
	struct drbg_string *addtl;

	if (!slen) {
		addtl = NULL;
	} else {
		drbg_string_fill(&addtl_string, src, slen);
		addtl = &addtl_string;
	}

	return drbg_generate_long(state, dst, dlen, addtl);
}
1742
1743
1744
1745
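/*
 * drbg_kcapi_seed - crypto API seed callback: instantiate the DRBG
 * @tfm:  RNG transform whose context holds the DRBG state
 * @seed: optional personalization string
 * @slen: length of @seed; 0 means none
 *
 * Derives the core and the prediction-resistance flag from the
 * transform's driver name (drbg_convert_tfm_core()) and instantiates the
 * DRBG with the optional personalization string.
 *
 * drbg_convert_tfm_core() only writes *coreref when the name matches a
 * core, so coreref starts at -1 and an unresolvable driver name is
 * rejected with -EINVAL instead of silently instantiating drbg_cores[0].
 *
 * Return: 0 on success, -EINVAL for an unresolvable driver name, or the
 *         error from drbg_instantiate().
 */
static int drbg_kcapi_seed(struct crypto_rng *tfm,
			   const u8 *seed, unsigned int slen)
{
	struct drbg_state *drbg = crypto_rng_ctx(tfm);
	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
	bool pr = false;
	struct drbg_string string;
	struct drbg_string *seed_string = NULL;
	int coreref = -1;

	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
			      &pr);
	if (coreref < 0)
		return -EINVAL;

	if (slen) {
		drbg_string_fill(&string, seed, slen);
		seed_string = &string;
	}

	return drbg_instantiate(drbg, seed_string, coreref, pr);
}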
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
/*
 * drbg_healthcheck_sanity - FIPS-mode self-test of the DRBG failure paths
 *
 * Runs only when fips_enabled is set. Instantiates one no-PR DRBG (the
 * core depends on which backends are configured) and verifies that the
 * length limits are enforced: an over-long additional input, an over-long
 * generate request and an over-long personalization string must all be
 * rejected. Each expectation is asserted with BUG_ON(), so a DRBG that
 * accepts out-of-range input does not boot in FIPS mode.
 *
 * Return: 0 when the checks pass or FIPS mode is off, -ENOMEM if the
 *         state cannot be allocated, or the error of the initial
 *         drbg_instantiate().
 */
static inline int __init drbg_healthcheck_sanity(void)
{
	int len = 0;
#define OUTBUFLEN 16
	unsigned char buf[OUTBUFLEN];
	struct drbg_state *drbg = NULL;
	int ret = -EFAULT;
	int rc = -EFAULT;
	bool pr = false;
	int coreref = 0;
	struct drbg_string addtl;
	size_t max_addtllen, max_request_bytes;

	if (!fips_enabled)
		return 0;

	/* pick whichever no-PR core this build provides */
#ifdef CONFIG_CRYPTO_DRBG_CTR
	drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
#elif defined CONFIG_CRYPTO_DRBG_HASH
	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
#else
	drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
#endif

	/* standalone state: no crypto tfm, so the mutex is set up by hand */
	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
	if (!drbg)
		return -ENOMEM;

	mutex_init(&drbg->drbg_mutex);

	ret = drbg_instantiate(drbg, NULL, coreref, pr);
	if (ret) {
		rc = ret;
		goto outbuf;
	}
	max_addtllen = drbg_max_addtl(drbg);
	max_request_bytes = drbg_max_request_bytes(drbg);
	/*
	 * addtl deliberately claims one byte more than the maximum while
	 * pointing at the 16-byte (uninitialised) buf: only the length must
	 * ever be inspected. This relies on drbg_generate()/drbg_instantiate()
	 * rejecting the length before touching the data — TODO confirm.
	 */
	drbg_string_fill(&addtl, buf, max_addtllen + 1);

	/* over-long additional input must not produce output */
	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
	BUG_ON(0 < len);

	/* over-long request must not produce output */
	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
	BUG_ON(0 < len);
	drbg_uninstantiate(drbg);

	/* over-long personalization string must fail instantiation */
	ret = drbg_instantiate(drbg, &addtl, coreref, pr);
	BUG_ON(0 == ret);

	rc = 0;

	pr_devel("DRBG: Sanity tests for failure code paths successfully "
		 "completed\n");

	/* clean up whatever the failed instantiate left behind */
	drbg_uninstantiate(drbg);
outbuf:
	/* kzfree: the state may hold key material from the test run */
	kzfree(drbg);
	return rc;
}
1850
/*
 * Registration slots: two per entry of drbg_cores[] (a "drbg_pr_" and a
 * "drbg_nopr_" variant). drbg_init() verifies at runtime that
 * 2 * ARRAY_SIZE(drbg_cores) fits in here; the 22 presumably matches the
 * maximal core count with every backend enabled (TODO confirm when cores
 * are added). Being static, the array starts zero-filled.
 */
static struct rng_alg drbg_algs[22];
1852
1853
1854
1855
1856
1857
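/*
 * drbg_fill_array - populate one rng_alg registration for a DRBG core
 * @alg:  registration slot to fill (an element of drbg_algs[])
 * @core: drbg_cores[] entry the registration wraps
 * @pr:   non-zero to register the prediction-resistance variant
 *
 * The generic name is always "stdrng"; the driver name is
 * "drbg_pr_<core>" or "drbg_nopr_<core>", which drbg_convert_tfm_core()
 * parses back at seed time, so the two formats must stay in sync.
 * Both names are written with snprintf() bounded by the size of the
 * respective name array, so they are always NUL-terminated and cannot
 * overflow, rather than relying on the slot's storage being zero-filled.
 * Should a core name ever be long enough to truncate, the driver name
 * would no longer resolve in drbg_convert_tfm_core().
 *
 * Each call assigns the next value of a static counter as the priority
 * (starting at 200), and all DRBG registrations get +200 when FIPS mode
 * is enabled.
 */
static inline void __init drbg_fill_array(struct rng_alg *alg,
					  const struct drbg_core *core, int pr)
{
	static int priority = 200;
	const char *prefix = pr ? "drbg_pr_" : "drbg_nopr_";

	snprintf(alg->base.cra_name, sizeof(alg->base.cra_name), "stdrng");
	snprintf(alg->base.cra_driver_name, sizeof(alg->base.cra_driver_name),
		 "%s%s", prefix, core->cra_name);

	alg->base.cra_priority = priority;
	priority++;
	if (fips_enabled)
		alg->base.cra_priority += 200;

	alg->base.cra_ctxsize = sizeof(struct drbg_state);
	alg->base.cra_module = THIS_MODULE;
	alg->base.cra_init = drbg_kcapi_init;
	alg->base.cra_exit = drbg_kcapi_cleanup;
	alg->generate = drbg_kcapi_random;
	alg->seed = drbg_kcapi_seed;
	alg->set_ent = drbg_kcapi_set_entropy;
	alg->seedsize = 0;
}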
1894
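/*
 * drbg_init - module init: FIPS self-test, then register all DRBG variants
 *
 * Fills drbg_algs[] with the prediction-resistance variants of every core
 * first and the no-PR variants after them, then registers them in one go.
 *
 * The slot-count check now fails with -EFAULT: after a successful sanity
 * check ret is 0, so returning ret there would have reported success
 * while registering nothing. The message also gained the missing space
 * before the parenthesis.
 *
 * Return: 0 on success, the error of drbg_healthcheck_sanity(), -EFAULT if
 *         drbg_algs[] is too small, or the error of crypto_register_rngs().
 */
static int __init drbg_init(void)
{
	unsigned int i = 0;
	unsigned int j;
	int ret;

	ret = drbg_healthcheck_sanity();
	if (ret)
		return ret;

	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
		pr_info("DRBG: Cannot register all DRBG types "
			"(slots needed: %zu, slots available: %zu)\n",
			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
		return -EFAULT;
	}

	/* pr variants occupy the first half of drbg_algs[], nopr the second */
	for (j = 0; j < ARRAY_SIZE(drbg_cores); j++, i++)
		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
	for (j = 0; j < ARRAY_SIZE(drbg_cores); j++, i++)
		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
	return crypto_register_rngs(drbg_algs, ARRAY_SIZE(drbg_cores) * 2);
}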
1927
/*
 * drbg_exit - module exit: unregister every DRBG variant registered by
 * drbg_init() (two per core).
 */
static void __exit drbg_exit(void)
{
	size_t registered = ARRAY_SIZE(drbg_cores) * 2;

	crypto_unregister_rngs(drbg_algs, registered);
}
1932
module_init(drbg_init);
module_exit(drbg_exit);

/*
 * Per-backend description fragments; presumably defined elsewhere in this
 * file for the enabled CONFIG_CRYPTO_DRBG_* options (not visible here).
 * Missing ones default to the empty string so the string concatenation in
 * MODULE_DESCRIPTION below always compiles.
 */
#ifndef CRYPTO_DRBG_HASH_STRING
#define CRYPTO_DRBG_HASH_STRING ""
#endif
#ifndef CRYPTO_DRBG_HMAC_STRING
#define CRYPTO_DRBG_HMAC_STRING ""
#endif
#ifndef CRYPTO_DRBG_CTR_STRING
#define CRYPTO_DRBG_CTR_STRING ""
#endif
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
		   "using following cores: "
		   CRYPTO_DRBG_HASH_STRING
		   CRYPTO_DRBG_HMAC_STRING
		   CRYPTO_DRBG_CTR_STRING);
/* "stdrng" is the cra_name every variant registers under (drbg_fill_array) */
MODULE_ALIAS_CRYPTO("stdrng");
1952