Linux/crypto/drbg.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 /* 2 * DRBG: Deterministic Random Bits Generator 3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following 4 * properties: 5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores 6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores 8 * * with and without prediction resistance 9 * 10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, and the entire permission notice in its entirety, 17 * including the disclaimer of warranties. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The name of the author may not be used to endorse or promote 22 * products derived from this software without specific prior 23 * written permission. 24 * 25 * ALTERNATIVELY, this product may be distributed under the terms of 26 * the GNU General Public License, in which case the provisions of the GPL are 27 * required INSTEAD OF the above restrictions. (This clause is 28 * necessary due to a potential bad interaction between the GPL and 29 * the restrictions contained in a BSD-style copyright.) 30 * 31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF 34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE 35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH 42 * DAMAGE. 43 * 44 * DRBG Usage 45 * ========== 46 * The SP 800-90A DRBG allows the user to specify a personalization string 47 * for initialization as well as an additional information string for each 48 * random number request. The following code fragments show how a caller 49 * uses the kernel crypto API to use the full functionality of the DRBG. 50 * 51 * Usage without any additional data 52 * --------------------------------- 53 * struct crypto_rng *drng; 54 * int err; 55 * char data[DATALEN]; 56 * 57 * drng = crypto_alloc_rng(drng_name, 0, 0); 58 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 59 * crypto_free_rng(drng); 60 * 61 * 62 * Usage with personalization string during initialization 63 * ------------------------------------------------------- 64 * struct crypto_rng *drng; 65 * int err; 66 * char data[DATALEN]; 67 * struct drbg_string pers; 68 * char personalization[11] = "some-string"; 69 * 70 * drbg_string_fill(&pers, personalization, strlen(personalization)); 71 * drng = crypto_alloc_rng(drng_name, 0, 0); 72 * // The reset completely re-initializes the DRBG with the provided 73 * // personalization string 74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization)); 75 * err = crypto_rng_get_bytes(drng, &data, DATALEN); 76 * crypto_free_rng(drng); 77 * 78 * 79 * Usage with additional information string during random number request 80 * --------------------------------------------------------------------- 81 * struct crypto_rng *drng; 82 * int err; 83 * char data[DATALEN]; 84 * char addtl_string[11] = "some-string"; 85 * string drbg_string addtl; 86 * 87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string)); 88 * drng = crypto_alloc_rng(drng_name, 0, 0); 89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns 90 * // the same error codes. 91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl); 92 * crypto_free_rng(drng); 93 * 94 * 95 * Usage with personalization and additional information strings 96 * ------------------------------------------------------------- 97 * Just mix both scenarios above. 98 */ 99 100 #include <crypto/drbg.h> 101 #include <crypto/internal/cipher.h> 102 #include <linux/kernel.h> 103 #include <linux/jiffies.h> 104 105 /*************************************************************** 106 * Backend cipher definitions available to DRBG 107 ***************************************************************/ 108 109 /* 110 * The order of the DRBG definitions here matter: every DRBG is registered 111 * as stdrng. Each DRBG receives an increasing cra_priority values the later 112 * they are defined in this array (see drbg_fill_array). 113 * 114 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and the 115 * HMAC-SHA512 / SHA256 / AES 256 over other ciphers. Thus, the 116 * favored DRBGs are the latest entries in this array. 117 */ 118 static const struct drbg_core drbg_cores[] = { 119 #ifdef CONFIG_CRYPTO_DRBG_CTR 120 { 121 .flags = DRBG_CTR | DRBG_STRENGTH128, 122 .statelen = 32, /* 256 bits as defined in 10.2.1 */ 123 .blocklen_bytes = 16, 124 .cra_name = "ctr_aes128", 125 .backend_cra_name = "aes", 126 }, { 127 .flags = DRBG_CTR | DRBG_STRENGTH192, 128 .statelen = 40, /* 320 bits as defined in 10.2.1 */ 129 .blocklen_bytes = 16, 130 .cra_name = "ctr_aes192", 131 .backend_cra_name = "aes", 132 }, { 133 .flags = DRBG_CTR | DRBG_STRENGTH256, 134 .statelen = 48, /* 384 bits as defined in 10.2.1 */ 135 .blocklen_bytes = 16, 136 .cra_name = "ctr_aes256", 137 .backend_cra_name = "aes", 138 }, 139 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 140 #ifdef CONFIG_CRYPTO_DRBG_HASH 141 { 142 .flags = DRBG_HASH | DRBG_STRENGTH256, 143 .statelen = 111, /* 888 bits */ 144 .blocklen_bytes = 48, 145 .cra_name = "sha384", 146 .backend_cra_name = "sha384", 147 }, { 148 .flags = DRBG_HASH | DRBG_STRENGTH256, 149 .statelen = 111, /* 888 bits */ 150 .blocklen_bytes = 64, 151 .cra_name = "sha512", 152 .backend_cra_name = "sha512", 153 }, { 154 .flags = DRBG_HASH | DRBG_STRENGTH256, 155 .statelen = 55, /* 440 bits */ 156 .blocklen_bytes = 32, 157 .cra_name = "sha256", 158 .backend_cra_name = "sha256", 159 }, 160 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 161 #ifdef CONFIG_CRYPTO_DRBG_HMAC 162 { 163 .flags = DRBG_HMAC | DRBG_STRENGTH256, 164 .statelen = 48, /* block length of cipher */ 165 .blocklen_bytes = 48, 166 .cra_name = "hmac_sha384", 167 .backend_cra_name = "hmac(sha384)", 168 }, { 169 .flags = DRBG_HMAC | DRBG_STRENGTH256, 170 .statelen = 32, /* block length of cipher */ 171 .blocklen_bytes = 32, 172 .cra_name = "hmac_sha256", 173 .backend_cra_name = "hmac(sha256)", 174 }, { 175 .flags = DRBG_HMAC | DRBG_STRENGTH256, 176 .statelen = 64, /* block length of cipher */ 177 .blocklen_bytes = 64, 178 .cra_name = "hmac_sha512", 179 .backend_cra_name = "hmac(sha512)", 180 }, 181 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 182 }; 183 184 static int drbg_uninstantiate(struct drbg_state *drbg); 185 186 /****************************************************************** 187 * Generic helper functions 188 ******************************************************************/ 189 190 /* 191 * Return strength of DRBG according to SP800-90A section 8.4 192 * 193 * @flags DRBG flags reference 194 * 195 * Return: normalized strength in *bytes* value or 32 as default 196 * to counter programming errors 197 */ 198 static inline unsigned short drbg_sec_strength(drbg_flag_t flags) 199 { 200 switch (flags & DRBG_STRENGTH_MASK) { 201 case DRBG_STRENGTH128: 202 return 16; 203 case DRBG_STRENGTH192: 204 return 24; 205 case DRBG_STRENGTH256: 206 return 32; 207 default: 208 return 32; 209 } 210 } 211 212 /* 213 * FIPS 140-2 continuous self test for the noise source 214 * The test is performed on the noise source input data. Thus, the function 215 * implicitly knows the size of the buffer to be equal to the security 216 * strength. 217 * 218 * Note, this function disregards the nonce trailing the entropy data during 219 * initial seeding. 220 * 221 * drbg->drbg_mutex must have been taken. 222 * 223 * @drbg DRBG handle 224 * @entropy buffer of seed data to be checked 225 * 226 * return: 227 * 0 on success 228 * -EAGAIN on when the CTRNG is not yet primed 229 * < 0 on error 230 */ 231 static int drbg_fips_continuous_test(struct drbg_state *drbg, 232 const unsigned char *entropy) 233 { 234 unsigned short entropylen = drbg_sec_strength(drbg->core->flags); 235 int ret = 0; 236 237 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) 238 return 0; 239 240 /* skip test if we test the overall system */ 241 if (list_empty(&drbg->test_data.list)) 242 return 0; 243 /* only perform test in FIPS mode */ 244 if (!fips_enabled) 245 return 0; 246 247 if (!drbg->fips_primed) { 248 /* Priming of FIPS test */ 249 memcpy(drbg->prev, entropy, entropylen); 250 drbg->fips_primed = true; 251 /* priming: another round is needed */ 252 return -EAGAIN; 253 } 254 ret = memcmp(drbg->prev, entropy, entropylen); 255 if (!ret) 256 panic("DRBG continuous self test failed\n"); 257 memcpy(drbg->prev, entropy, entropylen); 258 259 /* the test shall pass when the two values are not equal */ 260 return 0; 261 } 262 263 /* 264 * Convert an integer into a byte representation of this integer. 265 * The byte representation is big-endian 266 * 267 * @val value to be converted 268 * @buf buffer holding the converted integer -- caller must ensure that 269 * buffer size is at least 32 bit 270 */ 271 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR)) 272 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf) 273 { 274 struct s { 275 __be32 conv; 276 }; 277 struct s *conversion = (struct s *) buf; 278 279 conversion->conv = cpu_to_be32(val); 280 } 281 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */ 282 283 /****************************************************************** 284 * CTR DRBG callback functions 285 ******************************************************************/ 286 287 #ifdef CONFIG_CRYPTO_DRBG_CTR 288 #define CRYPTO_DRBG_CTR_STRING "CTR " 289 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256"); 290 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256"); 291 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192"); 292 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192"); 293 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128"); 294 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128"); 295 296 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 297 const unsigned char *key); 298 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 299 const struct drbg_string *in); 300 static int drbg_init_sym_kernel(struct drbg_state *drbg); 301 static int drbg_fini_sym_kernel(struct drbg_state *drbg); 302 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 303 u8 *inbuf, u32 inbuflen, 304 u8 *outbuf, u32 outlen); 305 #define DRBG_OUTSCRATCHLEN 256 306 307 /* BCC function for CTR DRBG as defined in 10.4.3 */ 308 static int drbg_ctr_bcc(struct drbg_state *drbg, 309 unsigned char *out, const unsigned char *key, 310 struct list_head *in) 311 { 312 int ret = 0; 313 struct drbg_string *curr = NULL; 314 struct drbg_string data; 315 short cnt = 0; 316 317 drbg_string_fill(&data, out, drbg_blocklen(drbg)); 318 319 /* 10.4.3 step 2 / 4 */ 320 drbg_kcapi_symsetkey(drbg, key); 321 list_for_each_entry(curr, in, list) { 322 const unsigned char *pos = curr->buf; 323 size_t len = curr->len; 324 /* 10.4.3 step 4.1 */ 325 while (len) { 326 /* 10.4.3 step 4.2 */ 327 if (drbg_blocklen(drbg) == cnt) { 328 cnt = 0; 329 ret = drbg_kcapi_sym(drbg, out, &data); 330 if (ret) 331 return ret; 332 } 333 out[cnt] ^= *pos; 334 pos++; 335 cnt++; 336 len--; 337 } 338 } 339 /* 10.4.3 step 4.2 for last block */ 340 if (cnt) 341 ret = drbg_kcapi_sym(drbg, out, &data); 342 343 return ret; 344 } 345 346 /* 347 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df 348 * (and drbg_ctr_bcc, but this function does not need any temporary buffers), 349 * the scratchpad is used as follows: 350 * drbg_ctr_update: 351 * temp 352 * start: drbg->scratchpad 353 * length: drbg_statelen(drbg) + drbg_blocklen(drbg) 354 * note: the cipher writing into this variable works 355 * blocklen-wise. Now, when the statelen is not a multiple 356 * of blocklen, the generateion loop below "spills over" 357 * by at most blocklen. Thus, we need to give sufficient 358 * memory. 359 * df_data 360 * start: drbg->scratchpad + 361 * drbg_statelen(drbg) + drbg_blocklen(drbg) 362 * length: drbg_statelen(drbg) 363 * 364 * drbg_ctr_df: 365 * pad 366 * start: df_data + drbg_statelen(drbg) 367 * length: drbg_blocklen(drbg) 368 * iv 369 * start: pad + drbg_blocklen(drbg) 370 * length: drbg_blocklen(drbg) 371 * temp 372 * start: iv + drbg_blocklen(drbg) 373 * length: drbg_satelen(drbg) + drbg_blocklen(drbg) 374 * note: temp is the buffer that the BCC function operates 375 * on. BCC operates blockwise. drbg_statelen(drbg) 376 * is sufficient when the DRBG state length is a multiple 377 * of the block size. For AES192 (and maybe other ciphers) 378 * this is not correct and the length for temp is 379 * insufficient (yes, that also means for such ciphers, 380 * the final output of all BCC rounds are truncated). 381 * Therefore, add drbg_blocklen(drbg) to cover all 382 * possibilities. 383 */ 384 385 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 386 static int drbg_ctr_df(struct drbg_state *drbg, 387 unsigned char *df_data, size_t bytes_to_return, 388 struct list_head *seedlist) 389 { 390 int ret = -EFAULT; 391 unsigned char L_N[8]; 392 /* S3 is input */ 393 struct drbg_string S1, S2, S4, cipherin; 394 LIST_HEAD(bcc_list); 395 unsigned char *pad = df_data + drbg_statelen(drbg); 396 unsigned char *iv = pad + drbg_blocklen(drbg); 397 unsigned char *temp = iv + drbg_blocklen(drbg); 398 size_t padlen = 0; 399 unsigned int templen = 0; 400 /* 10.4.2 step 7 */ 401 unsigned int i = 0; 402 /* 10.4.2 step 8 */ 403 const unsigned char *K = (unsigned char *) 404 "\x00\x01\x02\x03\x04\x05\x06\x07" 405 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" 406 "\x10\x11\x12\x13\x14\x15\x16\x17" 407 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"; 408 unsigned char *X; 409 size_t generated_len = 0; 410 size_t inputlen = 0; 411 struct drbg_string *seed = NULL; 412 413 memset(pad, 0, drbg_blocklen(drbg)); 414 memset(iv, 0, drbg_blocklen(drbg)); 415 416 /* 10.4.2 step 1 is implicit as we work byte-wise */ 417 418 /* 10.4.2 step 2 */ 419 if ((512/8) < bytes_to_return) 420 return -EINVAL; 421 422 /* 10.4.2 step 2 -- calculate the entire length of all input data */ 423 list_for_each_entry(seed, seedlist, list) 424 inputlen += seed->len; 425 drbg_cpu_to_be32(inputlen, &L_N[0]); 426 427 /* 10.4.2 step 3 */ 428 drbg_cpu_to_be32(bytes_to_return, &L_N[4]); 429 430 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */ 431 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg)); 432 /* wrap the padlen appropriately */ 433 if (padlen) 434 padlen = drbg_blocklen(drbg) - padlen; 435 /* 436 * pad / padlen contains the 0x80 byte and the following zero bytes. 437 * As the calculated padlen value only covers the number of zero 438 * bytes, this value has to be incremented by one for the 0x80 byte. 439 */ 440 padlen++; 441 pad[0] = 0x80; 442 443 /* 10.4.2 step 4 -- first fill the linked list and then order it */ 444 drbg_string_fill(&S1, iv, drbg_blocklen(drbg)); 445 list_add_tail(&S1.list, &bcc_list); 446 drbg_string_fill(&S2, L_N, sizeof(L_N)); 447 list_add_tail(&S2.list, &bcc_list); 448 list_splice_tail(seedlist, &bcc_list); 449 drbg_string_fill(&S4, pad, padlen); 450 list_add_tail(&S4.list, &bcc_list); 451 452 /* 10.4.2 step 9 */ 453 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) { 454 /* 455 * 10.4.2 step 9.1 - the padding is implicit as the buffer 456 * holds zeros after allocation -- even the increment of i 457 * is irrelevant as the increment remains within length of i 458 */ 459 drbg_cpu_to_be32(i, iv); 460 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 461 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list); 462 if (ret) 463 goto out; 464 /* 10.4.2 step 9.3 */ 465 i++; 466 templen += drbg_blocklen(drbg); 467 } 468 469 /* 10.4.2 step 11 */ 470 X = temp + (drbg_keylen(drbg)); 471 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg)); 472 473 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 474 475 /* 10.4.2 step 13 */ 476 drbg_kcapi_symsetkey(drbg, temp); 477 while (generated_len < bytes_to_return) { 478 short blocklen = 0; 479 /* 480 * 10.4.2 step 13.1: the truncation of the key length is 481 * implicit as the key is only drbg_blocklen in size based on 482 * the implementation of the cipher function callback 483 */ 484 ret = drbg_kcapi_sym(drbg, X, &cipherin); 485 if (ret) 486 goto out; 487 blocklen = (drbg_blocklen(drbg) < 488 (bytes_to_return - generated_len)) ? 489 drbg_blocklen(drbg) : 490 (bytes_to_return - generated_len); 491 /* 10.4.2 step 13.2 and 14 */ 492 memcpy(df_data + generated_len, X, blocklen); 493 generated_len += blocklen; 494 } 495 496 ret = 0; 497 498 out: 499 memset(iv, 0, drbg_blocklen(drbg)); 500 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 501 memset(pad, 0, drbg_blocklen(drbg)); 502 return ret; 503 } 504 505 /* 506 * update function of CTR DRBG as defined in 10.2.1.2 507 * 508 * The reseed variable has an enhanced meaning compared to the update 509 * functions of the other DRBGs as follows: 510 * 0 => initial seed from initialization 511 * 1 => reseed via drbg_seed 512 * 2 => first invocation from drbg_ctr_update when addtl is present. In 513 * this case, the df_data scratchpad is not deleted so that it is 514 * available for another calls to prevent calling the DF function 515 * again. 516 * 3 => second invocation from drbg_ctr_update. When the update function 517 * was called with addtl, the df_data memory already contains the 518 * DFed addtl information and we do not need to call DF again. 519 */ 520 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed, 521 int reseed) 522 { 523 int ret = -EFAULT; 524 /* 10.2.1.2 step 1 */ 525 unsigned char *temp = drbg->scratchpad; 526 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) + 527 drbg_blocklen(drbg); 528 529 if (3 > reseed) 530 memset(df_data, 0, drbg_statelen(drbg)); 531 532 if (!reseed) { 533 /* 534 * The DRBG uses the CTR mode of the underlying AES cipher. The 535 * CTR mode increments the counter value after the AES operation 536 * but SP800-90A requires that the counter is incremented before 537 * the AES operation. Hence, we increment it at the time we set 538 * it by one. 539 */ 540 crypto_inc(drbg->V, drbg_blocklen(drbg)); 541 542 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C, 543 drbg_keylen(drbg)); 544 if (ret) 545 goto out; 546 } 547 548 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */ 549 if (seed) { 550 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed); 551 if (ret) 552 goto out; 553 } 554 555 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg), 556 temp, drbg_statelen(drbg)); 557 if (ret) 558 return ret; 559 560 /* 10.2.1.2 step 5 */ 561 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp, 562 drbg_keylen(drbg)); 563 if (ret) 564 goto out; 565 /* 10.2.1.2 step 6 */ 566 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg)); 567 /* See above: increment counter by one to compensate timing of CTR op */ 568 crypto_inc(drbg->V, drbg_blocklen(drbg)); 569 ret = 0; 570 571 out: 572 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg)); 573 if (2 != reseed) 574 memset(df_data, 0, drbg_statelen(drbg)); 575 return ret; 576 } 577 578 /* 579 * scratchpad use: drbg_ctr_update is called independently from 580 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused 581 */ 582 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */ 583 static int drbg_ctr_generate(struct drbg_state *drbg, 584 unsigned char *buf, unsigned int buflen, 585 struct list_head *addtl) 586 { 587 int ret; 588 int len = min_t(int, buflen, INT_MAX); 589 590 /* 10.2.1.5.2 step 2 */ 591 if (addtl && !list_empty(addtl)) { 592 ret = drbg_ctr_update(drbg, addtl, 2); 593 if (ret) 594 return 0; 595 } 596 597 /* 10.2.1.5.2 step 4.1 */ 598 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len); 599 if (ret) 600 return ret; 601 602 /* 10.2.1.5.2 step 6 */ 603 ret = drbg_ctr_update(drbg, NULL, 3); 604 if (ret) 605 len = ret; 606 607 return len; 608 } 609 610 static const struct drbg_state_ops drbg_ctr_ops = { 611 .update = drbg_ctr_update, 612 .generate = drbg_ctr_generate, 613 .crypto_init = drbg_init_sym_kernel, 614 .crypto_fini = drbg_fini_sym_kernel, 615 }; 616 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 617 618 /****************************************************************** 619 * HMAC DRBG callback functions 620 ******************************************************************/ 621 622 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 623 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 624 const struct list_head *in); 625 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 626 const unsigned char *key); 627 static int drbg_init_hash_kernel(struct drbg_state *drbg); 628 static int drbg_fini_hash_kernel(struct drbg_state *drbg); 629 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 630 631 #ifdef CONFIG_CRYPTO_DRBG_HMAC 632 #define CRYPTO_DRBG_HMAC_STRING "HMAC " 633 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512"); 634 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512"); 635 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384"); 636 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384"); 637 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256"); 638 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256"); 639 640 /* update function of HMAC DRBG as defined in 10.1.2.2 */ 641 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed, 642 int reseed) 643 { 644 int ret = -EFAULT; 645 int i = 0; 646 struct drbg_string seed1, seed2, vdata; 647 LIST_HEAD(seedlist); 648 LIST_HEAD(vdatalist); 649 650 if (!reseed) { 651 /* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */ 652 memset(drbg->V, 1, drbg_statelen(drbg)); 653 drbg_kcapi_hmacsetkey(drbg, drbg->C); 654 } 655 656 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg)); 657 list_add_tail(&seed1.list, &seedlist); 658 /* buffer of seed2 will be filled in for loop below with one byte */ 659 drbg_string_fill(&seed2, NULL, 1); 660 list_add_tail(&seed2.list, &seedlist); 661 /* input data of seed is allowed to be NULL at this point */ 662 if (seed) 663 list_splice_tail(seed, &seedlist); 664 665 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg)); 666 list_add_tail(&vdata.list, &vdatalist); 667 for (i = 2; 0 < i; i--) { 668 /* first round uses 0x0, second 0x1 */ 669 unsigned char prefix = DRBG_PREFIX0; 670 if (1 == i) 671 prefix = DRBG_PREFIX1; 672 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */ 673 seed2.buf = &prefix; 674 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist); 675 if (ret) 676 return ret; 677 drbg_kcapi_hmacsetkey(drbg, drbg->C); 678 679 /* 10.1.2.2 step 2 and 5 -- HMAC for V */ 680 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist); 681 if (ret) 682 return ret; 683 684 /* 10.1.2.2 step 3 */ 685 if (!seed) 686 return ret; 687 } 688 689 return 0; 690 } 691 692 /* generate function of HMAC DRBG as defined in 10.1.2.5 */ 693 static int drbg_hmac_generate(struct drbg_state *drbg, 694 unsigned char *buf, 695 unsigned int buflen, 696 struct list_head *addtl) 697 { 698 int len = 0; 699 int ret = 0; 700 struct drbg_string data; 701 LIST_HEAD(datalist); 702 703 /* 10.1.2.5 step 2 */ 704 if (addtl && !list_empty(addtl)) { 705 ret = drbg_hmac_update(drbg, addtl, 1); 706 if (ret) 707 return ret; 708 } 709 710 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg)); 711 list_add_tail(&data.list, &datalist); 712 while (len < buflen) { 713 unsigned int outlen = 0; 714 /* 10.1.2.5 step 4.1 */ 715 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist); 716 if (ret) 717 return ret; 718 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 719 drbg_blocklen(drbg) : (buflen - len); 720 721 /* 10.1.2.5 step 4.2 */ 722 memcpy(buf + len, drbg->V, outlen); 723 len += outlen; 724 } 725 726 /* 10.1.2.5 step 6 */ 727 if (addtl && !list_empty(addtl)) 728 ret = drbg_hmac_update(drbg, addtl, 1); 729 else 730 ret = drbg_hmac_update(drbg, NULL, 1); 731 if (ret) 732 return ret; 733 734 return len; 735 } 736 737 static const struct drbg_state_ops drbg_hmac_ops = { 738 .update = drbg_hmac_update, 739 .generate = drbg_hmac_generate, 740 .crypto_init = drbg_init_hash_kernel, 741 .crypto_fini = drbg_fini_hash_kernel, 742 }; 743 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 744 745 /****************************************************************** 746 * Hash DRBG callback functions 747 ******************************************************************/ 748 749 #ifdef CONFIG_CRYPTO_DRBG_HASH 750 #define CRYPTO_DRBG_HASH_STRING "HASH " 751 MODULE_ALIAS_CRYPTO("drbg_pr_sha512"); 752 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512"); 753 MODULE_ALIAS_CRYPTO("drbg_pr_sha384"); 754 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384"); 755 MODULE_ALIAS_CRYPTO("drbg_pr_sha256"); 756 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256"); 757 758 /* 759 * Increment buffer 760 * 761 * @dst buffer to increment 762 * @add value to add 763 */ 764 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen, 765 const unsigned char *add, size_t addlen) 766 { 767 /* implied: dstlen > addlen */ 768 unsigned char *dstptr; 769 const unsigned char *addptr; 770 unsigned int remainder = 0; 771 size_t len = addlen; 772 773 dstptr = dst + (dstlen-1); 774 addptr = add + (addlen-1); 775 while (len) { 776 remainder += *dstptr + *addptr; 777 *dstptr = remainder & 0xff; 778 remainder >>= 8; 779 len--; dstptr--; addptr--; 780 } 781 len = dstlen - addlen; 782 while (len && remainder > 0) { 783 remainder = *dstptr + 1; 784 *dstptr = remainder & 0xff; 785 remainder >>= 8; 786 len--; dstptr--; 787 } 788 } 789 790 /* 791 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used 792 * interlinked, the scratchpad is used as follows: 793 * drbg_hash_update 794 * start: drbg->scratchpad 795 * length: drbg_statelen(drbg) 796 * drbg_hash_df: 797 * start: drbg->scratchpad + drbg_statelen(drbg) 798 * length: drbg_blocklen(drbg) 799 * 800 * drbg_hash_process_addtl uses the scratchpad, but fully completes 801 * before either of the functions mentioned before are invoked. Therefore, 802 * drbg_hash_process_addtl does not need to be specifically considered. 803 */ 804 805 /* Derivation Function for Hash DRBG as defined in 10.4.1 */ 806 static int drbg_hash_df(struct drbg_state *drbg, 807 unsigned char *outval, size_t outlen, 808 struct list_head *entropylist) 809 { 810 int ret = 0; 811 size_t len = 0; 812 unsigned char input[5]; 813 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg); 814 struct drbg_string data; 815 816 /* 10.4.1 step 3 */ 817 input[0] = 1; 818 drbg_cpu_to_be32((outlen * 8), &input[1]); 819 820 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */ 821 drbg_string_fill(&data, input, 5); 822 list_add(&data.list, entropylist); 823 824 /* 10.4.1 step 4 */ 825 while (len < outlen) { 826 short blocklen = 0; 827 /* 10.4.1 step 4.1 */ 828 ret = drbg_kcapi_hash(drbg, tmp, entropylist); 829 if (ret) 830 goto out; 831 /* 10.4.1 step 4.2 */ 832 input[0]++; 833 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ? 834 drbg_blocklen(drbg) : (outlen - len); 835 memcpy(outval + len, tmp, blocklen); 836 len += blocklen; 837 } 838 839 out: 840 memset(tmp, 0, drbg_blocklen(drbg)); 841 return ret; 842 } 843 844 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */ 845 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed, 846 int reseed) 847 { 848 int ret = 0; 849 struct drbg_string data1, data2; 850 LIST_HEAD(datalist); 851 LIST_HEAD(datalist2); 852 unsigned char *V = drbg->scratchpad; 853 unsigned char prefix = DRBG_PREFIX1; 854 855 if (!seed) 856 return -EINVAL; 857 858 if (reseed) { 859 /* 10.1.1.3 step 1 */ 860 memcpy(V, drbg->V, drbg_statelen(drbg)); 861 drbg_string_fill(&data1, &prefix, 1); 862 list_add_tail(&data1.list, &datalist); 863 drbg_string_fill(&data2, V, drbg_statelen(drbg)); 864 list_add_tail(&data2.list, &datalist); 865 } 866 list_splice_tail(seed, &datalist); 867 868 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */ 869 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist); 870 if (ret) 871 goto out; 872 873 /* 10.1.1.2 / 10.1.1.3 step 4 */ 874 prefix = DRBG_PREFIX0; 875 drbg_string_fill(&data1, &prefix, 1); 876 list_add_tail(&data1.list, &datalist2); 877 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 878 list_add_tail(&data2.list, &datalist2); 879 /* 10.1.1.2 / 10.1.1.3 step 4 */ 880 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2); 881 882 out: 883 memset(drbg->scratchpad, 0, drbg_statelen(drbg)); 884 return ret; 885 } 886 887 /* processing of additional information string for Hash DRBG */ 888 static int drbg_hash_process_addtl(struct drbg_state *drbg, 889 struct list_head *addtl) 890 { 891 int ret = 0; 892 struct drbg_string data1, data2; 893 LIST_HEAD(datalist); 894 unsigned char prefix = DRBG_PREFIX2; 895 896 /* 10.1.1.4 step 2 */ 897 if (!addtl || list_empty(addtl)) 898 return 0; 899 900 /* 10.1.1.4 step 2a */ 901 drbg_string_fill(&data1, &prefix, 1); 902 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 903 list_add_tail(&data1.list, &datalist); 904 list_add_tail(&data2.list, &datalist); 905 list_splice_tail(addtl, &datalist); 906 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 907 if (ret) 908 goto out; 909 910 /* 10.1.1.4 step 2b */ 911 drbg_add_buf(drbg->V, drbg_statelen(drbg), 912 drbg->scratchpad, drbg_blocklen(drbg)); 913 914 out: 915 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 916 return ret; 917 } 918 919 /* Hashgen defined in 10.1.1.4 */ 920 static int drbg_hash_hashgen(struct drbg_state *drbg, 921 unsigned char *buf, 922 unsigned int buflen) 923 { 924 int len = 0; 925 int ret = 0; 926 unsigned char *src = drbg->scratchpad; 927 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg); 928 struct drbg_string data; 929 LIST_HEAD(datalist); 930 931 /* 10.1.1.4 step hashgen 2 */ 932 memcpy(src, drbg->V, drbg_statelen(drbg)); 933 934 drbg_string_fill(&data, src, drbg_statelen(drbg)); 935 list_add_tail(&data.list, &datalist); 936 while (len < buflen) { 937 unsigned int outlen = 0; 938 /* 10.1.1.4 step hashgen 4.1 */ 939 ret = drbg_kcapi_hash(drbg, dst, &datalist); 940 if (ret) { 941 len = ret; 942 goto out; 943 } 944 outlen = (drbg_blocklen(drbg) < (buflen - len)) ? 945 drbg_blocklen(drbg) : (buflen - len); 946 /* 10.1.1.4 step hashgen 4.2 */ 947 memcpy(buf + len, dst, outlen); 948 len += outlen; 949 /* 10.1.1.4 hashgen step 4.3 */ 950 if (len < buflen) 951 crypto_inc(src, drbg_statelen(drbg)); 952 } 953 954 out: 955 memset(drbg->scratchpad, 0, 956 (drbg_statelen(drbg) + drbg_blocklen(drbg))); 957 return len; 958 } 959 960 /* generate function for Hash DRBG as defined in 10.1.1.4 */ 961 static int drbg_hash_generate(struct drbg_state *drbg, 962 unsigned char *buf, unsigned int buflen, 963 struct list_head *addtl) 964 { 965 int len = 0; 966 int ret = 0; 967 union { 968 unsigned char req[8]; 969 __be64 req_int; 970 } u; 971 unsigned char prefix = DRBG_PREFIX3; 972 struct drbg_string data1, data2; 973 LIST_HEAD(datalist); 974 975 /* 10.1.1.4 step 2 */ 976 ret = drbg_hash_process_addtl(drbg, addtl); 977 if (ret) 978 return ret; 979 /* 10.1.1.4 step 3 */ 980 len = drbg_hash_hashgen(drbg, buf, buflen); 981 982 /* this is the value H as documented in 10.1.1.4 */ 983 /* 10.1.1.4 step 4 */ 984 drbg_string_fill(&data1, &prefix, 1); 985 list_add_tail(&data1.list, &datalist); 986 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg)); 987 list_add_tail(&data2.list, &datalist); 988 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist); 989 if (ret) { 990 len = ret; 991 goto out; 992 } 993 994 /* 10.1.1.4 step 5 */ 995 drbg_add_buf(drbg->V, drbg_statelen(drbg), 996 drbg->scratchpad, drbg_blocklen(drbg)); 997 drbg_add_buf(drbg->V, drbg_statelen(drbg), 998 drbg->C, drbg_statelen(drbg)); 999 u.req_int = cpu_to_be64(drbg->reseed_ctr); 1000 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8); 1001 1002 out: 1003 memset(drbg->scratchpad, 0, drbg_blocklen(drbg)); 1004 return len; 1005 } 1006 1007 /* 1008 * scratchpad usage: as update and generate are used isolated, both 1009 * can use the scratchpad 1010 */ 1011 static const struct drbg_state_ops drbg_hash_ops = { 1012 .update = drbg_hash_update, 1013 .generate = drbg_hash_generate, 1014 .crypto_init = drbg_init_hash_kernel, 1015 .crypto_fini = drbg_fini_hash_kernel, 1016 }; 1017 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1018 1019 /****************************************************************** 1020 * Functions common for DRBG implementations 1021 ******************************************************************/ 1022 1023 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, 1024 int reseed, enum drbg_seed_state new_seed_state) 1025 { 1026 int ret = drbg->d_ops->update(drbg, seed, reseed); 1027 1028 if (ret) 1029 return ret; 1030 1031 drbg->seeded = new_seed_state; 1032 drbg->last_seed_time = jiffies; 1033 /* 10.1.1.2 / 10.1.1.3 step 5 */ 1034 drbg->reseed_ctr = 1; 1035 1036 switch (drbg->seeded) { 1037 case DRBG_SEED_STATE_UNSEEDED: 1038 /* Impossible, but handle it to silence compiler warnings. */ 1039 fallthrough; 1040 case DRBG_SEED_STATE_PARTIAL: 1041 /* 1042 * Require frequent reseeds until the seed source is 1043 * fully initialized. 1044 */ 1045 drbg->reseed_threshold = 50; 1046 break; 1047 1048 case DRBG_SEED_STATE_FULL: 1049 /* 1050 * Seed source has become fully initialized, frequent 1051 * reseeds no longer required. 1052 */ 1053 drbg->reseed_threshold = drbg_max_requests(drbg); 1054 break; 1055 } 1056 1057 return ret; 1058 } 1059 1060 static inline int drbg_get_random_bytes(struct drbg_state *drbg, 1061 unsigned char *entropy, 1062 unsigned int entropylen) 1063 { 1064 int ret; 1065 1066 do { 1067 get_random_bytes(entropy, entropylen); 1068 ret = drbg_fips_continuous_test(drbg, entropy); 1069 if (ret && ret != -EAGAIN) 1070 return ret; 1071 } while (ret); 1072 1073 return 0; 1074 } 1075 1076 static int drbg_seed_from_random(struct drbg_state *drbg) 1077 { 1078 struct drbg_string data; 1079 LIST_HEAD(seedlist); 1080 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1081 unsigned char entropy[32]; 1082 int ret; 1083 1084 BUG_ON(!entropylen); 1085 BUG_ON(entropylen > sizeof(entropy)); 1086 1087 drbg_string_fill(&data, entropy, entropylen); 1088 list_add_tail(&data.list, &seedlist); 1089 1090 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1091 if (ret) 1092 goto out; 1093 1094 ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); 1095 1096 out: 1097 memzero_explicit(entropy, entropylen); 1098 return ret; 1099 } 1100 1101 static bool drbg_nopr_reseed_interval_elapsed(struct drbg_state *drbg) 1102 { 1103 unsigned long next_reseed; 1104 1105 /* Don't ever reseed from get_random_bytes() in test mode. */ 1106 if (list_empty(&drbg->test_data.list)) 1107 return false; 1108 1109 /* 1110 * Obtain fresh entropy for the nopr DRBGs after 300s have 1111 * elapsed in order to still achieve sort of partial 1112 * prediction resistance over the time domain at least. Note 1113 * that the period of 300s has been chosen to match the 1114 * CRNG_RESEED_INTERVAL of the get_random_bytes()' chacha 1115 * rngs. 1116 */ 1117 next_reseed = drbg->last_seed_time + 300 * HZ; 1118 return time_after(jiffies, next_reseed); 1119 } 1120 1121 /* 1122 * Seeding or reseeding of the DRBG 1123 * 1124 * @drbg: DRBG state struct 1125 * @pers: personalization / additional information buffer 1126 * @reseed: 0 for initial seed process, 1 for reseeding 1127 * 1128 * return: 1129 * 0 on success 1130 * error value otherwise 1131 */ 1132 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, 1133 bool reseed) 1134 { 1135 int ret; 1136 unsigned char entropy[((32 + 16) * 2)]; 1137 unsigned int entropylen = drbg_sec_strength(drbg->core->flags); 1138 struct drbg_string data1; 1139 LIST_HEAD(seedlist); 1140 enum drbg_seed_state new_seed_state = DRBG_SEED_STATE_FULL; 1141 1142 /* 9.1 / 9.2 / 9.3.1 step 3 */ 1143 if (pers && pers->len > (drbg_max_addtl(drbg))) { 1144 pr_devel("DRBG: personalization string too long %zu\n", 1145 pers->len); 1146 return -EINVAL; 1147 } 1148 1149 if (list_empty(&drbg->test_data.list)) { 1150 drbg_string_fill(&data1, drbg->test_data.buf, 1151 drbg->test_data.len); 1152 pr_devel("DRBG: using test entropy\n"); 1153 } else { 1154 /* 1155 * Gather entropy equal to the security strength of the DRBG. 1156 * With a derivation function, a nonce is required in addition 1157 * to the entropy. A nonce must be at least 1/2 of the security 1158 * strength of the DRBG in size. Thus, entropy + nonce is 3/2 1159 * of the strength. The consideration of a nonce is only 1160 * applicable during initial seeding. 1161 */ 1162 BUG_ON(!entropylen); 1163 if (!reseed) 1164 entropylen = ((entropylen + 1) / 2) * 3; 1165 BUG_ON((entropylen * 2) > sizeof(entropy)); 1166 1167 /* Get seed from in-kernel /dev/urandom */ 1168 if (!rng_is_initialized()) 1169 new_seed_state = DRBG_SEED_STATE_PARTIAL; 1170 1171 ret = drbg_get_random_bytes(drbg, entropy, entropylen); 1172 if (ret) 1173 goto out; 1174 1175 if (!drbg->jent) { 1176 drbg_string_fill(&data1, entropy, entropylen); 1177 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1178 entropylen); 1179 } else { 1180 /* 1181 * Get seed from Jitter RNG, failures are 1182 * fatal only in FIPS mode. 1183 */ 1184 ret = crypto_rng_get_bytes(drbg->jent, 1185 entropy + entropylen, 1186 entropylen); 1187 if (fips_enabled && ret) { 1188 pr_devel("DRBG: jent failed with %d\n", ret); 1189 1190 /* 1191 * Do not treat the transient failure of the 1192 * Jitter RNG as an error that needs to be 1193 * reported. The combined number of the 1194 * maximum reseed threshold times the maximum 1195 * number of Jitter RNG transient errors is 1196 * less than the reseed threshold required by 1197 * SP800-90A allowing us to treat the 1198 * transient errors as such. 1199 * 1200 * However, we mandate that at least the first 1201 * seeding operation must succeed with the 1202 * Jitter RNG. 1203 */ 1204 if (!reseed || ret != -EAGAIN) 1205 goto out; 1206 } 1207 1208 drbg_string_fill(&data1, entropy, entropylen * 2); 1209 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n", 1210 entropylen * 2); 1211 } 1212 } 1213 list_add_tail(&data1.list, &seedlist); 1214 1215 /* 1216 * concatenation of entropy with personalization str / addtl input) 1217 * the variable pers is directly handed in by the caller, so check its 1218 * contents whether it is appropriate 1219 */ 1220 if (pers && pers->buf && 0 < pers->len) { 1221 list_add_tail(&pers->list, &seedlist); 1222 pr_devel("DRBG: using personalization string\n"); 1223 } 1224 1225 if (!reseed) { 1226 memset(drbg->V, 0, drbg_statelen(drbg)); 1227 memset(drbg->C, 0, drbg_statelen(drbg)); 1228 } 1229 1230 ret = __drbg_seed(drbg, &seedlist, reseed, new_seed_state); 1231 1232 out: 1233 memzero_explicit(entropy, entropylen * 2); 1234 1235 return ret; 1236 } 1237 1238 /* Free all substructures in a DRBG state without the DRBG state structure */ 1239 static inline void drbg_dealloc_state(struct drbg_state *drbg) 1240 { 1241 if (!drbg) 1242 return; 1243 kfree_sensitive(drbg->Vbuf); 1244 drbg->Vbuf = NULL; 1245 drbg->V = NULL; 1246 kfree_sensitive(drbg->Cbuf); 1247 drbg->Cbuf = NULL; 1248 drbg->C = NULL; 1249 kfree_sensitive(drbg->scratchpadbuf); 1250 drbg->scratchpadbuf = NULL; 1251 drbg->reseed_ctr = 0; 1252 drbg->d_ops = NULL; 1253 drbg->core = NULL; 1254 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1255 kfree_sensitive(drbg->prev); 1256 drbg->prev = NULL; 1257 drbg->fips_primed = false; 1258 } 1259 } 1260 1261 /* 1262 * Allocate all sub-structures for a DRBG state. 1263 * The DRBG state structure must already be allocated. 1264 */ 1265 static inline int drbg_alloc_state(struct drbg_state *drbg) 1266 { 1267 int ret = -ENOMEM; 1268 unsigned int sb_size = 0; 1269 1270 switch (drbg->core->flags & DRBG_TYPE_MASK) { 1271 #ifdef CONFIG_CRYPTO_DRBG_HMAC 1272 case DRBG_HMAC: 1273 drbg->d_ops = &drbg_hmac_ops; 1274 break; 1275 #endif /* CONFIG_CRYPTO_DRBG_HMAC */ 1276 #ifdef CONFIG_CRYPTO_DRBG_HASH 1277 case DRBG_HASH: 1278 drbg->d_ops = &drbg_hash_ops; 1279 break; 1280 #endif /* CONFIG_CRYPTO_DRBG_HASH */ 1281 #ifdef CONFIG_CRYPTO_DRBG_CTR 1282 case DRBG_CTR: 1283 drbg->d_ops = &drbg_ctr_ops; 1284 break; 1285 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1286 default: 1287 ret = -EOPNOTSUPP; 1288 goto err; 1289 } 1290 1291 ret = drbg->d_ops->crypto_init(drbg); 1292 if (ret < 0) 1293 goto err; 1294 1295 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1296 if (!drbg->Vbuf) { 1297 ret = -ENOMEM; 1298 goto fini; 1299 } 1300 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1); 1301 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL); 1302 if (!drbg->Cbuf) { 1303 ret = -ENOMEM; 1304 goto fini; 1305 } 1306 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1); 1307 /* scratchpad is only generated for CTR and Hash */ 1308 if (drbg->core->flags & DRBG_HMAC) 1309 sb_size = 0; 1310 else if (drbg->core->flags & DRBG_CTR) 1311 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */ 1312 drbg_statelen(drbg) + /* df_data */ 1313 drbg_blocklen(drbg) + /* pad */ 1314 drbg_blocklen(drbg) + /* iv */ 1315 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ 1316 else 1317 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); 1318 1319 if (0 < sb_size) { 1320 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL); 1321 if (!drbg->scratchpadbuf) { 1322 ret = -ENOMEM; 1323 goto fini; 1324 } 1325 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); 1326 } 1327 1328 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { 1329 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), 1330 GFP_KERNEL); 1331 if (!drbg->prev) { 1332 ret = -ENOMEM; 1333 goto fini; 1334 } 1335 drbg->fips_primed = false; 1336 } 1337 1338 return 0; 1339 1340 fini: 1341 drbg->d_ops->crypto_fini(drbg); 1342 err: 1343 drbg_dealloc_state(drbg); 1344 return ret; 1345 } 1346 1347 /************************************************************************* 1348 * DRBG interface functions 1349 *************************************************************************/ 1350 1351 /* 1352 * DRBG generate function as required by SP800-90A - this function 1353 * generates random numbers 1354 * 1355 * @drbg DRBG state handle 1356 * @buf Buffer where to store the random numbers -- the buffer must already 1357 * be pre-allocated by caller 1358 * @buflen Length of output buffer - this value defines the number of random 1359 * bytes pulled from DRBG 1360 * @addtl Additional input that is mixed into state, may be NULL -- note 1361 * the entropy is pulled by the DRBG internally unconditionally 1362 * as defined in SP800-90A. The additional input is mixed into 1363 * the state in addition to the pulled entropy. 1364 * 1365 * return: 0 when all bytes are generated; < 0 in case of an error 1366 */ 1367 static int drbg_generate(struct drbg_state *drbg, 1368 unsigned char *buf, unsigned int buflen, 1369 struct drbg_string *addtl) 1370 { 1371 int len = 0; 1372 LIST_HEAD(addtllist); 1373 1374 if (!drbg->core) { 1375 pr_devel("DRBG: not yet seeded\n"); 1376 return -EINVAL; 1377 } 1378 if (0 == buflen || !buf) { 1379 pr_devel("DRBG: no output buffer provided\n"); 1380 return -EINVAL; 1381 } 1382 if (addtl && NULL == addtl->buf && 0 < addtl->len) { 1383 pr_devel("DRBG: wrong format of additional information\n"); 1384 return -EINVAL; 1385 } 1386 1387 /* 9.3.1 step 2 */ 1388 len = -EINVAL; 1389 if (buflen > (drbg_max_request_bytes(drbg))) { 1390 pr_devel("DRBG: requested random numbers too large %u\n", 1391 buflen); 1392 goto err; 1393 } 1394 1395 /* 9.3.1 step 3 is implicit with the chosen DRBG */ 1396 1397 /* 9.3.1 step 4 */ 1398 if (addtl && addtl->len > (drbg_max_addtl(drbg))) { 1399 pr_devel("DRBG: additional information string too long %zu\n", 1400 addtl->len); 1401 goto err; 1402 } 1403 /* 9.3.1 step 5 is implicit with the chosen DRBG */ 1404 1405 /* 1406 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented 1407 * here. The spec is a bit convoluted here, we make it simpler. 1408 */ 1409 if (drbg->reseed_threshold < drbg->reseed_ctr) 1410 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1411 1412 if (drbg->pr || drbg->seeded == DRBG_SEED_STATE_UNSEEDED) { 1413 pr_devel("DRBG: reseeding before generation (prediction " 1414 "resistance: %s, state %s)\n", 1415 drbg->pr ? "true" : "false", 1416 (drbg->seeded == DRBG_SEED_STATE_FULL ? 1417 "seeded" : "unseeded")); 1418 /* 9.3.1 steps 7.1 through 7.3 */ 1419 len = drbg_seed(drbg, addtl, true); 1420 if (len) 1421 goto err; 1422 /* 9.3.1 step 7.4 */ 1423 addtl = NULL; 1424 } else if (rng_is_initialized() && 1425 (drbg->seeded == DRBG_SEED_STATE_PARTIAL || 1426 drbg_nopr_reseed_interval_elapsed(drbg))) { 1427 len = drbg_seed_from_random(drbg); 1428 if (len) 1429 goto err; 1430 } 1431 1432 if (addtl && 0 < addtl->len) 1433 list_add_tail(&addtl->list, &addtllist); 1434 /* 9.3.1 step 8 and 10 */ 1435 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist); 1436 1437 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */ 1438 drbg->reseed_ctr++; 1439 if (0 >= len) 1440 goto err; 1441 1442 /* 1443 * Section 11.3.3 requires to re-perform self tests after some 1444 * generated random numbers. The chosen value after which self 1445 * test is performed is arbitrary, but it should be reasonable. 1446 * However, we do not perform the self tests because of the following 1447 * reasons: it is mathematically impossible that the initial self tests 1448 * were successfully and the following are not. If the initial would 1449 * pass and the following would not, the kernel integrity is violated. 1450 * In this case, the entire kernel operation is questionable and it 1451 * is unlikely that the integrity violation only affects the 1452 * correct operation of the DRBG. 1453 * 1454 * Albeit the following code is commented out, it is provided in 1455 * case somebody has a need to implement the test of 11.3.3. 1456 */ 1457 #if 0 1458 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) { 1459 int err = 0; 1460 pr_devel("DRBG: start to perform self test\n"); 1461 if (drbg->core->flags & DRBG_HMAC) 1462 err = alg_test("drbg_pr_hmac_sha512", 1463 "drbg_pr_hmac_sha512", 0, 0); 1464 else if (drbg->core->flags & DRBG_CTR) 1465 err = alg_test("drbg_pr_ctr_aes256", 1466 "drbg_pr_ctr_aes256", 0, 0); 1467 else 1468 err = alg_test("drbg_pr_sha256", 1469 "drbg_pr_sha256", 0, 0); 1470 if (err) { 1471 pr_err("DRBG: periodical self test failed\n"); 1472 /* 1473 * uninstantiate implies that from now on, only errors 1474 * are returned when reusing this DRBG cipher handle 1475 */ 1476 drbg_uninstantiate(drbg); 1477 return 0; 1478 } else { 1479 pr_devel("DRBG: self test successful\n"); 1480 } 1481 } 1482 #endif 1483 1484 /* 1485 * All operations were successful, return 0 as mandated by 1486 * the kernel crypto API interface. 1487 */ 1488 len = 0; 1489 err: 1490 return len; 1491 } 1492 1493 /* 1494 * Wrapper around drbg_generate which can pull arbitrary long strings 1495 * from the DRBG without hitting the maximum request limitation. 1496 * 1497 * Parameters: see drbg_generate 1498 * Return codes: see drbg_generate -- if one drbg_generate request fails, 1499 * the entire drbg_generate_long request fails 1500 */ 1501 static int drbg_generate_long(struct drbg_state *drbg, 1502 unsigned char *buf, unsigned int buflen, 1503 struct drbg_string *addtl) 1504 { 1505 unsigned int len = 0; 1506 unsigned int slice = 0; 1507 do { 1508 int err = 0; 1509 unsigned int chunk = 0; 1510 slice = ((buflen - len) / drbg_max_request_bytes(drbg)); 1511 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); 1512 mutex_lock(&drbg->drbg_mutex); 1513 err = drbg_generate(drbg, buf + len, chunk, addtl); 1514 mutex_unlock(&drbg->drbg_mutex); 1515 if (0 > err) 1516 return err; 1517 len += chunk; 1518 } while (slice > 0 && (len < buflen)); 1519 return 0; 1520 } 1521 1522 static int drbg_prepare_hrng(struct drbg_state *drbg) 1523 { 1524 /* We do not need an HRNG in test mode. */ 1525 if (list_empty(&drbg->test_data.list)) 1526 return 0; 1527 1528 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0); 1529 if (IS_ERR(drbg->jent)) { 1530 const int err = PTR_ERR(drbg->jent); 1531 1532 drbg->jent = NULL; 1533 if (fips_enabled) 1534 return err; 1535 pr_info("DRBG: Continuing without Jitter RNG\n"); 1536 } 1537 1538 return 0; 1539 } 1540 1541 /* 1542 * DRBG instantiation function as required by SP800-90A - this function 1543 * sets up the DRBG handle, performs the initial seeding and all sanity 1544 * checks required by SP800-90A 1545 * 1546 * @drbg memory of state -- if NULL, new memory is allocated 1547 * @pers Personalization string that is mixed into state, may be NULL -- note 1548 * the entropy is pulled by the DRBG internally unconditionally 1549 * as defined in SP800-90A. The additional input is mixed into 1550 * the state in addition to the pulled entropy. 1551 * @coreref reference to core 1552 * @pr prediction resistance enabled 1553 * 1554 * return 1555 * 0 on success 1556 * error value otherwise 1557 */ 1558 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, 1559 int coreref, bool pr) 1560 { 1561 int ret; 1562 bool reseed = true; 1563 1564 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance " 1565 "%s\n", coreref, pr ? "enabled" : "disabled"); 1566 mutex_lock(&drbg->drbg_mutex); 1567 1568 /* 9.1 step 1 is implicit with the selected DRBG type */ 1569 1570 /* 1571 * 9.1 step 2 is implicit as caller can select prediction resistance 1572 * and the flag is copied into drbg->flags -- 1573 * all DRBG types support prediction resistance 1574 */ 1575 1576 /* 9.1 step 4 is implicit in drbg_sec_strength */ 1577 1578 if (!drbg->core) { 1579 drbg->core = &drbg_cores[coreref]; 1580 drbg->pr = pr; 1581 drbg->seeded = DRBG_SEED_STATE_UNSEEDED; 1582 drbg->last_seed_time = 0; 1583 drbg->reseed_threshold = drbg_max_requests(drbg); 1584 1585 ret = drbg_alloc_state(drbg); 1586 if (ret) 1587 goto unlock; 1588 1589 ret = drbg_prepare_hrng(drbg); 1590 if (ret) 1591 goto free_everything; 1592 1593 reseed = false; 1594 } 1595 1596 ret = drbg_seed(drbg, pers, reseed); 1597 1598 if (ret && !reseed) 1599 goto free_everything; 1600 1601 mutex_unlock(&drbg->drbg_mutex); 1602 return ret; 1603 1604 unlock: 1605 mutex_unlock(&drbg->drbg_mutex); 1606 return ret; 1607 1608 free_everything: 1609 mutex_unlock(&drbg->drbg_mutex); 1610 drbg_uninstantiate(drbg); 1611 return ret; 1612 } 1613 1614 /* 1615 * DRBG uninstantiate function as required by SP800-90A - this function 1616 * frees all buffers and the DRBG handle 1617 * 1618 * @drbg DRBG state handle 1619 * 1620 * return 1621 * 0 on success 1622 */ 1623 static int drbg_uninstantiate(struct drbg_state *drbg) 1624 { 1625 if (!IS_ERR_OR_NULL(drbg->jent)) 1626 crypto_free_rng(drbg->jent); 1627 drbg->jent = NULL; 1628 1629 if (drbg->d_ops) 1630 drbg->d_ops->crypto_fini(drbg); 1631 drbg_dealloc_state(drbg); 1632 /* no scrubbing of test_data -- this shall survive an uninstantiate */ 1633 return 0; 1634 } 1635 1636 /* 1637 * Helper function for setting the test data in the DRBG 1638 * 1639 * @drbg DRBG state handle 1640 * @data test data 1641 * @len test data length 1642 */ 1643 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm, 1644 const u8 *data, unsigned int len) 1645 { 1646 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1647 1648 mutex_lock(&drbg->drbg_mutex); 1649 drbg_string_fill(&drbg->test_data, data, len); 1650 mutex_unlock(&drbg->drbg_mutex); 1651 } 1652 1653 /*************************************************************** 1654 * Kernel crypto API cipher invocations requested by DRBG 1655 ***************************************************************/ 1656 1657 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC) 1658 struct sdesc { 1659 struct shash_desc shash; 1660 char ctx[]; 1661 }; 1662 1663 static int drbg_init_hash_kernel(struct drbg_state *drbg) 1664 { 1665 struct sdesc *sdesc; 1666 struct crypto_shash *tfm; 1667 1668 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0); 1669 if (IS_ERR(tfm)) { 1670 pr_info("DRBG: could not allocate digest TFM handle: %s\n", 1671 drbg->core->backend_cra_name); 1672 return PTR_ERR(tfm); 1673 } 1674 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm)); 1675 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm), 1676 GFP_KERNEL); 1677 if (!sdesc) { 1678 crypto_free_shash(tfm); 1679 return -ENOMEM; 1680 } 1681 1682 sdesc->shash.tfm = tfm; 1683 drbg->priv_data = sdesc; 1684 1685 return 0; 1686 } 1687 1688 static int drbg_fini_hash_kernel(struct drbg_state *drbg) 1689 { 1690 struct sdesc *sdesc = drbg->priv_data; 1691 if (sdesc) { 1692 crypto_free_shash(sdesc->shash.tfm); 1693 kfree_sensitive(sdesc); 1694 } 1695 drbg->priv_data = NULL; 1696 return 0; 1697 } 1698 1699 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg, 1700 const unsigned char *key) 1701 { 1702 struct sdesc *sdesc = drbg->priv_data; 1703 1704 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg)); 1705 } 1706 1707 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval, 1708 const struct list_head *in) 1709 { 1710 struct sdesc *sdesc = drbg->priv_data; 1711 struct drbg_string *input = NULL; 1712 1713 crypto_shash_init(&sdesc->shash); 1714 list_for_each_entry(input, in, list) 1715 crypto_shash_update(&sdesc->shash, input->buf, input->len); 1716 return crypto_shash_final(&sdesc->shash, outval); 1717 } 1718 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */ 1719 1720 #ifdef CONFIG_CRYPTO_DRBG_CTR 1721 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1722 { 1723 struct crypto_cipher *tfm = 1724 (struct crypto_cipher *)drbg->priv_data; 1725 if (tfm) 1726 crypto_free_cipher(tfm); 1727 drbg->priv_data = NULL; 1728 1729 if (drbg->ctr_handle) 1730 crypto_free_skcipher(drbg->ctr_handle); 1731 drbg->ctr_handle = NULL; 1732 1733 if (drbg->ctr_req) 1734 skcipher_request_free(drbg->ctr_req); 1735 drbg->ctr_req = NULL; 1736 1737 kfree(drbg->outscratchpadbuf); 1738 drbg->outscratchpadbuf = NULL; 1739 1740 return 0; 1741 } 1742 1743 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1744 { 1745 struct crypto_cipher *tfm; 1746 struct crypto_skcipher *sk_tfm; 1747 struct skcipher_request *req; 1748 unsigned int alignmask; 1749 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1750 1751 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0); 1752 if (IS_ERR(tfm)) { 1753 pr_info("DRBG: could not allocate cipher TFM handle: %s\n", 1754 drbg->core->backend_cra_name); 1755 return PTR_ERR(tfm); 1756 } 1757 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm)); 1758 drbg->priv_data = tfm; 1759 1760 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1761 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) { 1762 drbg_fini_sym_kernel(drbg); 1763 return -EINVAL; 1764 } 1765 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0); 1766 if (IS_ERR(sk_tfm)) { 1767 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n", 1768 ctr_name); 1769 drbg_fini_sym_kernel(drbg); 1770 return PTR_ERR(sk_tfm); 1771 } 1772 drbg->ctr_handle = sk_tfm; 1773 crypto_init_wait(&drbg->ctr_wait); 1774 1775 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL); 1776 if (!req) { 1777 pr_info("DRBG: could not allocate request queue\n"); 1778 drbg_fini_sym_kernel(drbg); 1779 return -ENOMEM; 1780 } 1781 drbg->ctr_req = req; 1782 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | 1783 CRYPTO_TFM_REQ_MAY_SLEEP, 1784 crypto_req_done, &drbg->ctr_wait); 1785 1786 alignmask = crypto_skcipher_alignmask(sk_tfm); 1787 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask, 1788 GFP_KERNEL); 1789 if (!drbg->outscratchpadbuf) { 1790 drbg_fini_sym_kernel(drbg); 1791 return -ENOMEM; 1792 } 1793 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf, 1794 alignmask + 1); 1795 1796 sg_init_table(&drbg->sg_in, 1); 1797 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN); 1798 1799 return alignmask; 1800 } 1801 1802 static void drbg_kcapi_symsetkey(struct drbg_state *drbg, 1803 const unsigned char *key) 1804 { 1805 struct crypto_cipher *tfm = drbg->priv_data; 1806 1807 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg))); 1808 } 1809 1810 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval, 1811 const struct drbg_string *in) 1812 { 1813 struct crypto_cipher *tfm = drbg->priv_data; 1814 1815 /* there is only component in *in */ 1816 BUG_ON(in->len < drbg_blocklen(drbg)); 1817 crypto_cipher_encrypt_one(tfm, outval, in->buf); 1818 return 0; 1819 } 1820 1821 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, 1822 u8 *inbuf, u32 inlen, 1823 u8 *outbuf, u32 outlen) 1824 { 1825 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out; 1826 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN); 1827 int ret; 1828 1829 if (inbuf) { 1830 /* Use caller-provided input buffer */ 1831 sg_set_buf(sg_in, inbuf, inlen); 1832 } else { 1833 /* Use scratchpad for in-place operation */ 1834 inlen = scratchpad_use; 1835 memset(drbg->outscratchpad, 0, scratchpad_use); 1836 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); 1837 } 1838 1839 while (outlen) { 1840 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN); 1841 1842 /* Output buffer may not be valid for SGL, use scratchpad */ 1843 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out, 1844 cryptlen, drbg->V); 1845 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req), 1846 &drbg->ctr_wait); 1847 if (ret) 1848 goto out; 1849 1850 crypto_init_wait(&drbg->ctr_wait); 1851 1852 memcpy(outbuf, drbg->outscratchpad, cryptlen); 1853 memzero_explicit(drbg->outscratchpad, cryptlen); 1854 1855 outlen -= cryptlen; 1856 outbuf += cryptlen; 1857 } 1858 ret = 0; 1859 1860 out: 1861 return ret; 1862 } 1863 #endif /* CONFIG_CRYPTO_DRBG_CTR */ 1864 1865 /*************************************************************** 1866 * Kernel crypto API interface to register DRBG 1867 ***************************************************************/ 1868 1869 /* 1870 * Look up the DRBG flags by given kernel crypto API cra_name 1871 * The code uses the drbg_cores definition to do this 1872 * 1873 * @cra_name kernel crypto API cra_name 1874 * @coreref reference to integer which is filled with the pointer to 1875 * the applicable core 1876 * @pr reference for setting prediction resistance 1877 * 1878 * return: flags 1879 */ 1880 static inline void drbg_convert_tfm_core(const char *cra_driver_name, 1881 int *coreref, bool *pr) 1882 { 1883 int i = 0; 1884 size_t start = 0; 1885 int len = 0; 1886 1887 *pr = true; 1888 /* disassemble the names */ 1889 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) { 1890 start = 10; 1891 *pr = false; 1892 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) { 1893 start = 8; 1894 } else { 1895 return; 1896 } 1897 1898 /* remove the first part */ 1899 len = strlen(cra_driver_name) - start; 1900 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) { 1901 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name, 1902 len)) { 1903 *coreref = i; 1904 return; 1905 } 1906 } 1907 } 1908 1909 static int drbg_kcapi_init(struct crypto_tfm *tfm) 1910 { 1911 struct drbg_state *drbg = crypto_tfm_ctx(tfm); 1912 1913 mutex_init(&drbg->drbg_mutex); 1914 1915 return 0; 1916 } 1917 1918 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm) 1919 { 1920 drbg_uninstantiate(crypto_tfm_ctx(tfm)); 1921 } 1922 1923 /* 1924 * Generate random numbers invoked by the kernel crypto API: 1925 * The API of the kernel crypto API is extended as follows: 1926 * 1927 * src is additional input supplied to the RNG. 1928 * slen is the length of src. 1929 * dst is the output buffer where random data is to be stored. 1930 * dlen is the length of dst. 1931 */ 1932 static int drbg_kcapi_random(struct crypto_rng *tfm, 1933 const u8 *src, unsigned int slen, 1934 u8 *dst, unsigned int dlen) 1935 { 1936 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1937 struct drbg_string *addtl = NULL; 1938 struct drbg_string string; 1939 1940 if (slen) { 1941 /* linked list variable is now local to allow modification */ 1942 drbg_string_fill(&string, src, slen); 1943 addtl = &string; 1944 } 1945 1946 return drbg_generate_long(drbg, dst, dlen, addtl); 1947 } 1948 1949 /* 1950 * Seed the DRBG invoked by the kernel crypto API 1951 */ 1952 static int drbg_kcapi_seed(struct crypto_rng *tfm, 1953 const u8 *seed, unsigned int slen) 1954 { 1955 struct drbg_state *drbg = crypto_rng_ctx(tfm); 1956 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm); 1957 bool pr = false; 1958 struct drbg_string string; 1959 struct drbg_string *seed_string = NULL; 1960 int coreref = 0; 1961 1962 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref, 1963 &pr); 1964 if (0 < slen) { 1965 drbg_string_fill(&string, seed, slen); 1966 seed_string = &string; 1967 } 1968 1969 return drbg_instantiate(drbg, seed_string, coreref, pr); 1970 } 1971 1972 /*************************************************************** 1973 * Kernel module: code to load the module 1974 ***************************************************************/ 1975 1976 /* 1977 * Tests as defined in 11.3.2 in addition to the cipher tests: testing 1978 * of the error handling. 1979 * 1980 * Note: testing of failing seed source as defined in 11.3.2 is not applicable 1981 * as seed source of get_random_bytes does not fail. 1982 * 1983 * Note 2: There is no sensible way of testing the reseed counter 1984 * enforcement, so skip it. 1985 */ 1986 static inline int __init drbg_healthcheck_sanity(void) 1987 { 1988 int len = 0; 1989 #define OUTBUFLEN 16 1990 unsigned char buf[OUTBUFLEN]; 1991 struct drbg_state *drbg = NULL; 1992 int ret; 1993 int rc = -EFAULT; 1994 bool pr = false; 1995 int coreref = 0; 1996 struct drbg_string addtl; 1997 size_t max_addtllen, max_request_bytes; 1998 1999 /* only perform test in FIPS mode */ 2000 if (!fips_enabled) 2001 return 0; 2002 2003 #ifdef CONFIG_CRYPTO_DRBG_CTR 2004 drbg_convert_tfm_core("drbg_nopr_ctr_aes256", &coreref, &pr); 2005 #endif 2006 #ifdef CONFIG_CRYPTO_DRBG_HASH 2007 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr); 2008 #endif 2009 #ifdef CONFIG_CRYPTO_DRBG_HMAC 2010 drbg_convert_tfm_core("drbg_nopr_hmac_sha512", &coreref, &pr); 2011 #endif 2012 2013 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL); 2014 if (!drbg) 2015 return -ENOMEM; 2016 2017 mutex_init(&drbg->drbg_mutex); 2018 drbg->core = &drbg_cores[coreref]; 2019 drbg->reseed_threshold = drbg_max_requests(drbg); 2020 2021 /* 2022 * if the following tests fail, it is likely that there is a buffer 2023 * overflow as buf is much smaller than the requested or provided 2024 * string lengths -- in case the error handling does not succeed 2025 * we may get an OOPS. And we want to get an OOPS as this is a 2026 * grave bug. 2027 */ 2028 2029 max_addtllen = drbg_max_addtl(drbg); 2030 max_request_bytes = drbg_max_request_bytes(drbg); 2031 drbg_string_fill(&addtl, buf, max_addtllen + 1); 2032 /* overflow addtllen with additonal info string */ 2033 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl); 2034 BUG_ON(0 < len); 2035 /* overflow max_bits */ 2036 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL); 2037 BUG_ON(0 < len); 2038 2039 /* overflow max addtllen with personalization string */ 2040 ret = drbg_seed(drbg, &addtl, false); 2041 BUG_ON(0 == ret); 2042 /* all tests passed */ 2043 rc = 0; 2044 2045 pr_devel("DRBG: Sanity tests for failure code paths successfully " 2046 "completed\n"); 2047 2048 kfree(drbg); 2049 return rc; 2050 } 2051 2052 static struct rng_alg drbg_algs[22]; 2053 2054 /* 2055 * Fill the array drbg_algs used to register the different DRBGs 2056 * with the kernel crypto API. To fill the array, the information 2057 * from drbg_cores[] is used. 2058 */ 2059 static inline void __init drbg_fill_array(struct rng_alg *alg, 2060 const struct drbg_core *core, int pr) 2061 { 2062 int pos = 0; 2063 static int priority = 200; 2064 2065 memcpy(alg->base.cra_name, "stdrng", 6); 2066 if (pr) { 2067 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8); 2068 pos = 8; 2069 } else { 2070 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10); 2071 pos = 10; 2072 } 2073 memcpy(alg->base.cra_driver_name + pos, core->cra_name, 2074 strlen(core->cra_name)); 2075 2076 alg->base.cra_priority = priority; 2077 priority++; 2078 /* 2079 * If FIPS mode enabled, the selected DRBG shall have the 2080 * highest cra_priority over other stdrng instances to ensure 2081 * it is selected. 2082 */ 2083 if (fips_enabled) 2084 alg->base.cra_priority += 200; 2085 2086 alg->base.cra_ctxsize = sizeof(struct drbg_state); 2087 alg->base.cra_module = THIS_MODULE; 2088 alg->base.cra_init = drbg_kcapi_init; 2089 alg->base.cra_exit = drbg_kcapi_cleanup; 2090 alg->generate = drbg_kcapi_random; 2091 alg->seed = drbg_kcapi_seed; 2092 alg->set_ent = drbg_kcapi_set_entropy; 2093 alg->seedsize = 0; 2094 } 2095 2096 static int __init drbg_init(void) 2097 { 2098 unsigned int i = 0; /* pointer to drbg_algs */ 2099 unsigned int j = 0; /* pointer to drbg_cores */ 2100 int ret; 2101 2102 ret = drbg_healthcheck_sanity(); 2103 if (ret) 2104 return ret; 2105 2106 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) { 2107 pr_info("DRBG: Cannot register all DRBG types" 2108 "(slots needed: %zu, slots available: %zu)\n", 2109 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs)); 2110 return -EFAULT; 2111 } 2112 2113 /* 2114 * each DRBG definition can be used with PR and without PR, thus 2115 * we instantiate each DRBG in drbg_cores[] twice. 2116 * 2117 * As the order of placing them into the drbg_algs array matters 2118 * (the later DRBGs receive a higher cra_priority) we register the 2119 * prediction resistance DRBGs first as the should not be too 2120 * interesting. 2121 */ 2122 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2123 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1); 2124 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++) 2125 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0); 2126 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2127 } 2128 2129 static void __exit drbg_exit(void) 2130 { 2131 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2)); 2132 } 2133 2134 subsys_initcall(drbg_init); 2135 module_exit(drbg_exit); 2136 #ifndef CRYPTO_DRBG_HASH_STRING 2137 #define CRYPTO_DRBG_HASH_STRING "" 2138 #endif 2139 #ifndef CRYPTO_DRBG_HMAC_STRING 2140 #define CRYPTO_DRBG_HMAC_STRING "" 2141 #endif 2142 #ifndef CRYPTO_DRBG_CTR_STRING 2143 #define CRYPTO_DRBG_CTR_STRING "" 2144 #endif 2145 MODULE_LICENSE("GPL"); 2146 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>"); 2147 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) " 2148 "using following cores: " 2149 CRYPTO_DRBG_HASH_STRING 2150 CRYPTO_DRBG_HMAC_STRING 2151 CRYPTO_DRBG_CTR_STRING); 2152 MODULE_ALIAS_CRYPTO("stdrng"); 2153 MODULE_IMPORT_NS(CRYPTO_INTERNAL); 2154

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/crypto/drbg.c

TOMOYO Linux Cross Reference
Linux/crypto/drbg.c