1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100#include <crypto/drbg.h>
101#include <crypto/internal/cipher.h>
102#include <linux/kernel.h>
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117static const struct drbg_core drbg_cores[] = {
118#ifdef CONFIG_CRYPTO_DRBG_CTR
119 {
120 .flags = DRBG_CTR | DRBG_STRENGTH128,
121 .statelen = 32,
122 .blocklen_bytes = 16,
123 .cra_name = "ctr_aes128",
124 .backend_cra_name = "aes",
125 }, {
126 .flags = DRBG_CTR | DRBG_STRENGTH192,
127 .statelen = 40,
128 .blocklen_bytes = 16,
129 .cra_name = "ctr_aes192",
130 .backend_cra_name = "aes",
131 }, {
132 .flags = DRBG_CTR | DRBG_STRENGTH256,
133 .statelen = 48,
134 .blocklen_bytes = 16,
135 .cra_name = "ctr_aes256",
136 .backend_cra_name = "aes",
137 },
138#endif
139#ifdef CONFIG_CRYPTO_DRBG_HASH
140 {
141 .flags = DRBG_HASH | DRBG_STRENGTH128,
142 .statelen = 55,
143 .blocklen_bytes = 20,
144 .cra_name = "sha1",
145 .backend_cra_name = "sha1",
146 }, {
147 .flags = DRBG_HASH | DRBG_STRENGTH256,
148 .statelen = 111,
149 .blocklen_bytes = 48,
150 .cra_name = "sha384",
151 .backend_cra_name = "sha384",
152 }, {
153 .flags = DRBG_HASH | DRBG_STRENGTH256,
154 .statelen = 111,
155 .blocklen_bytes = 64,
156 .cra_name = "sha512",
157 .backend_cra_name = "sha512",
158 }, {
159 .flags = DRBG_HASH | DRBG_STRENGTH256,
160 .statelen = 55,
161 .blocklen_bytes = 32,
162 .cra_name = "sha256",
163 .backend_cra_name = "sha256",
164 },
165#endif
166#ifdef CONFIG_CRYPTO_DRBG_HMAC
167 {
168 .flags = DRBG_HMAC | DRBG_STRENGTH128,
169 .statelen = 20,
170 .blocklen_bytes = 20,
171 .cra_name = "hmac_sha1",
172 .backend_cra_name = "hmac(sha1)",
173 }, {
174 .flags = DRBG_HMAC | DRBG_STRENGTH256,
175 .statelen = 48,
176 .blocklen_bytes = 48,
177 .cra_name = "hmac_sha384",
178 .backend_cra_name = "hmac(sha384)",
179 }, {
180 .flags = DRBG_HMAC | DRBG_STRENGTH256,
181 .statelen = 32,
182 .blocklen_bytes = 32,
183 .cra_name = "hmac_sha256",
184 .backend_cra_name = "hmac(sha256)",
185 }, {
186 .flags = DRBG_HMAC | DRBG_STRENGTH256,
187 .statelen = 64,
188 .blocklen_bytes = 64,
189 .cra_name = "hmac_sha512",
190 .backend_cra_name = "hmac(sha512)",
191 },
192#endif
193};
194
195static int drbg_uninstantiate(struct drbg_state *drbg);
196
197
198
199
200
201
202
203
204
205
206
207
208
209static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
210{
211 switch (flags & DRBG_STRENGTH_MASK) {
212 case DRBG_STRENGTH128:
213 return 16;
214 case DRBG_STRENGTH192:
215 return 24;
216 case DRBG_STRENGTH256:
217 return 32;
218 default:
219 return 32;
220 }
221}
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242static int drbg_fips_continuous_test(struct drbg_state *drbg,
243 const unsigned char *entropy)
244{
245 unsigned short entropylen = drbg_sec_strength(drbg->core->flags);
246 int ret = 0;
247
248 if (!IS_ENABLED(CONFIG_CRYPTO_FIPS))
249 return 0;
250
251
252 if (list_empty(&drbg->test_data.list))
253 return 0;
254
255 if (!fips_enabled)
256 return 0;
257
258 if (!drbg->fips_primed) {
259
260 memcpy(drbg->prev, entropy, entropylen);
261 drbg->fips_primed = true;
262
263 return -EAGAIN;
264 }
265 ret = memcmp(drbg->prev, entropy, entropylen);
266 if (!ret)
267 panic("DRBG continuous self test failed\n");
268 memcpy(drbg->prev, entropy, entropylen);
269
270
271 return 0;
272}
273
274
275
276
277
278
279
280
281
282#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
283static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
284{
285 struct s {
286 __be32 conv;
287 };
288 struct s *conversion = (struct s *) buf;
289
290 conversion->conv = cpu_to_be32(val);
291}
292#endif
293
294
295
296
297
298#ifdef CONFIG_CRYPTO_DRBG_CTR
299#define CRYPTO_DRBG_CTR_STRING "CTR "
300MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
301MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
302MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
303MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
304MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
305MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
306
307static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
308 const unsigned char *key);
309static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
310 const struct drbg_string *in);
311static int drbg_init_sym_kernel(struct drbg_state *drbg);
312static int drbg_fini_sym_kernel(struct drbg_state *drbg);
313static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
314 u8 *inbuf, u32 inbuflen,
315 u8 *outbuf, u32 outlen);
316#define DRBG_OUTSCRATCHLEN 256
317
318
319static int drbg_ctr_bcc(struct drbg_state *drbg,
320 unsigned char *out, const unsigned char *key,
321 struct list_head *in)
322{
323 int ret = 0;
324 struct drbg_string *curr = NULL;
325 struct drbg_string data;
326 short cnt = 0;
327
328 drbg_string_fill(&data, out, drbg_blocklen(drbg));
329
330
331 drbg_kcapi_symsetkey(drbg, key);
332 list_for_each_entry(curr, in, list) {
333 const unsigned char *pos = curr->buf;
334 size_t len = curr->len;
335
336 while (len) {
337
338 if (drbg_blocklen(drbg) == cnt) {
339 cnt = 0;
340 ret = drbg_kcapi_sym(drbg, out, &data);
341 if (ret)
342 return ret;
343 }
344 out[cnt] ^= *pos;
345 pos++;
346 cnt++;
347 len--;
348 }
349 }
350
351 if (cnt)
352 ret = drbg_kcapi_sym(drbg, out, &data);
353
354 return ret;
355}
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397static int drbg_ctr_df(struct drbg_state *drbg,
398 unsigned char *df_data, size_t bytes_to_return,
399 struct list_head *seedlist)
400{
401 int ret = -EFAULT;
402 unsigned char L_N[8];
403
404 struct drbg_string S1, S2, S4, cipherin;
405 LIST_HEAD(bcc_list);
406 unsigned char *pad = df_data + drbg_statelen(drbg);
407 unsigned char *iv = pad + drbg_blocklen(drbg);
408 unsigned char *temp = iv + drbg_blocklen(drbg);
409 size_t padlen = 0;
410 unsigned int templen = 0;
411
412 unsigned int i = 0;
413
414 const unsigned char *K = (unsigned char *)
415 "\x00\x01\x02\x03\x04\x05\x06\x07"
416 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
417 "\x10\x11\x12\x13\x14\x15\x16\x17"
418 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
419 unsigned char *X;
420 size_t generated_len = 0;
421 size_t inputlen = 0;
422 struct drbg_string *seed = NULL;
423
424 memset(pad, 0, drbg_blocklen(drbg));
425 memset(iv, 0, drbg_blocklen(drbg));
426
427
428
429
430 if ((512/8) < bytes_to_return)
431 return -EINVAL;
432
433
434 list_for_each_entry(seed, seedlist, list)
435 inputlen += seed->len;
436 drbg_cpu_to_be32(inputlen, &L_N[0]);
437
438
439 drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
440
441
442 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
443
444 if (padlen)
445 padlen = drbg_blocklen(drbg) - padlen;
446
447
448
449
450
451 padlen++;
452 pad[0] = 0x80;
453
454
455 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
456 list_add_tail(&S1.list, &bcc_list);
457 drbg_string_fill(&S2, L_N, sizeof(L_N));
458 list_add_tail(&S2.list, &bcc_list);
459 list_splice_tail(seedlist, &bcc_list);
460 drbg_string_fill(&S4, pad, padlen);
461 list_add_tail(&S4.list, &bcc_list);
462
463
464 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
465
466
467
468
469
470 drbg_cpu_to_be32(i, iv);
471
472 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
473 if (ret)
474 goto out;
475
476 i++;
477 templen += drbg_blocklen(drbg);
478 }
479
480
481 X = temp + (drbg_keylen(drbg));
482 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
483
484
485
486
487 drbg_kcapi_symsetkey(drbg, temp);
488 while (generated_len < bytes_to_return) {
489 short blocklen = 0;
490
491
492
493
494
495 ret = drbg_kcapi_sym(drbg, X, &cipherin);
496 if (ret)
497 goto out;
498 blocklen = (drbg_blocklen(drbg) <
499 (bytes_to_return - generated_len)) ?
500 drbg_blocklen(drbg) :
501 (bytes_to_return - generated_len);
502
503 memcpy(df_data + generated_len, X, blocklen);
504 generated_len += blocklen;
505 }
506
507 ret = 0;
508
509out:
510 memset(iv, 0, drbg_blocklen(drbg));
511 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
512 memset(pad, 0, drbg_blocklen(drbg));
513 return ret;
514}
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
532 int reseed)
533{
534 int ret = -EFAULT;
535
536 unsigned char *temp = drbg->scratchpad;
537 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
538 drbg_blocklen(drbg);
539
540 if (3 > reseed)
541 memset(df_data, 0, drbg_statelen(drbg));
542
543 if (!reseed) {
544
545
546
547
548
549
550
551 crypto_inc(drbg->V, drbg_blocklen(drbg));
552
553 ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
554 drbg_keylen(drbg));
555 if (ret)
556 goto out;
557 }
558
559
560 if (seed) {
561 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
562 if (ret)
563 goto out;
564 }
565
566 ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
567 temp, drbg_statelen(drbg));
568 if (ret)
569 return ret;
570
571
572 ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
573 drbg_keylen(drbg));
574 if (ret)
575 goto out;
576
577 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
578
579 crypto_inc(drbg->V, drbg_blocklen(drbg));
580 ret = 0;
581
582out:
583 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
584 if (2 != reseed)
585 memset(df_data, 0, drbg_statelen(drbg));
586 return ret;
587}
588
589
590
591
592
593
594static int drbg_ctr_generate(struct drbg_state *drbg,
595 unsigned char *buf, unsigned int buflen,
596 struct list_head *addtl)
597{
598 int ret;
599 int len = min_t(int, buflen, INT_MAX);
600
601
602 if (addtl && !list_empty(addtl)) {
603 ret = drbg_ctr_update(drbg, addtl, 2);
604 if (ret)
605 return 0;
606 }
607
608
609 ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
610 if (ret)
611 return ret;
612
613
614 ret = drbg_ctr_update(drbg, NULL, 3);
615 if (ret)
616 len = ret;
617
618 return len;
619}
620
621static const struct drbg_state_ops drbg_ctr_ops = {
622 .update = drbg_ctr_update,
623 .generate = drbg_ctr_generate,
624 .crypto_init = drbg_init_sym_kernel,
625 .crypto_fini = drbg_fini_sym_kernel,
626};
627#endif
628
629
630
631
632
633#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
634static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
635 const struct list_head *in);
636static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
637 const unsigned char *key);
638static int drbg_init_hash_kernel(struct drbg_state *drbg);
639static int drbg_fini_hash_kernel(struct drbg_state *drbg);
640#endif
641
642#ifdef CONFIG_CRYPTO_DRBG_HMAC
643#define CRYPTO_DRBG_HMAC_STRING "HMAC "
644MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
645MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
646MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
647MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
648MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
649MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
650MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
651MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
652
653
654static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
655 int reseed)
656{
657 int ret = -EFAULT;
658 int i = 0;
659 struct drbg_string seed1, seed2, vdata;
660 LIST_HEAD(seedlist);
661 LIST_HEAD(vdatalist);
662
663 if (!reseed) {
664
665 memset(drbg->V, 1, drbg_statelen(drbg));
666 drbg_kcapi_hmacsetkey(drbg, drbg->C);
667 }
668
669 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
670 list_add_tail(&seed1.list, &seedlist);
671
672 drbg_string_fill(&seed2, NULL, 1);
673 list_add_tail(&seed2.list, &seedlist);
674
675 if (seed)
676 list_splice_tail(seed, &seedlist);
677
678 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
679 list_add_tail(&vdata.list, &vdatalist);
680 for (i = 2; 0 < i; i--) {
681
682 unsigned char prefix = DRBG_PREFIX0;
683 if (1 == i)
684 prefix = DRBG_PREFIX1;
685
686 seed2.buf = &prefix;
687 ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
688 if (ret)
689 return ret;
690 drbg_kcapi_hmacsetkey(drbg, drbg->C);
691
692
693 ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
694 if (ret)
695 return ret;
696
697
698 if (!seed)
699 return ret;
700 }
701
702 return 0;
703}
704
705
706static int drbg_hmac_generate(struct drbg_state *drbg,
707 unsigned char *buf,
708 unsigned int buflen,
709 struct list_head *addtl)
710{
711 int len = 0;
712 int ret = 0;
713 struct drbg_string data;
714 LIST_HEAD(datalist);
715
716
717 if (addtl && !list_empty(addtl)) {
718 ret = drbg_hmac_update(drbg, addtl, 1);
719 if (ret)
720 return ret;
721 }
722
723 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
724 list_add_tail(&data.list, &datalist);
725 while (len < buflen) {
726 unsigned int outlen = 0;
727
728 ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
729 if (ret)
730 return ret;
731 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
732 drbg_blocklen(drbg) : (buflen - len);
733
734
735 memcpy(buf + len, drbg->V, outlen);
736 len += outlen;
737 }
738
739
740 if (addtl && !list_empty(addtl))
741 ret = drbg_hmac_update(drbg, addtl, 1);
742 else
743 ret = drbg_hmac_update(drbg, NULL, 1);
744 if (ret)
745 return ret;
746
747 return len;
748}
749
750static const struct drbg_state_ops drbg_hmac_ops = {
751 .update = drbg_hmac_update,
752 .generate = drbg_hmac_generate,
753 .crypto_init = drbg_init_hash_kernel,
754 .crypto_fini = drbg_fini_hash_kernel,
755};
756#endif
757
758
759
760
761
762#ifdef CONFIG_CRYPTO_DRBG_HASH
763#define CRYPTO_DRBG_HASH_STRING "HASH "
764MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
765MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
766MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
767MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
768MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
769MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
770MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
771MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
772
773
774
775
776
777
778
779static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
780 const unsigned char *add, size_t addlen)
781{
782
783 unsigned char *dstptr;
784 const unsigned char *addptr;
785 unsigned int remainder = 0;
786 size_t len = addlen;
787
788 dstptr = dst + (dstlen-1);
789 addptr = add + (addlen-1);
790 while (len) {
791 remainder += *dstptr + *addptr;
792 *dstptr = remainder & 0xff;
793 remainder >>= 8;
794 len--; dstptr--; addptr--;
795 }
796 len = dstlen - addlen;
797 while (len && remainder > 0) {
798 remainder = *dstptr + 1;
799 *dstptr = remainder & 0xff;
800 remainder >>= 8;
801 len--; dstptr--;
802 }
803}
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821static int drbg_hash_df(struct drbg_state *drbg,
822 unsigned char *outval, size_t outlen,
823 struct list_head *entropylist)
824{
825 int ret = 0;
826 size_t len = 0;
827 unsigned char input[5];
828 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
829 struct drbg_string data;
830
831
832 input[0] = 1;
833 drbg_cpu_to_be32((outlen * 8), &input[1]);
834
835
836 drbg_string_fill(&data, input, 5);
837 list_add(&data.list, entropylist);
838
839
840 while (len < outlen) {
841 short blocklen = 0;
842
843 ret = drbg_kcapi_hash(drbg, tmp, entropylist);
844 if (ret)
845 goto out;
846
847 input[0]++;
848 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
849 drbg_blocklen(drbg) : (outlen - len);
850 memcpy(outval + len, tmp, blocklen);
851 len += blocklen;
852 }
853
854out:
855 memset(tmp, 0, drbg_blocklen(drbg));
856 return ret;
857}
858
859
860static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
861 int reseed)
862{
863 int ret = 0;
864 struct drbg_string data1, data2;
865 LIST_HEAD(datalist);
866 LIST_HEAD(datalist2);
867 unsigned char *V = drbg->scratchpad;
868 unsigned char prefix = DRBG_PREFIX1;
869
870 if (!seed)
871 return -EINVAL;
872
873 if (reseed) {
874
875 memcpy(V, drbg->V, drbg_statelen(drbg));
876 drbg_string_fill(&data1, &prefix, 1);
877 list_add_tail(&data1.list, &datalist);
878 drbg_string_fill(&data2, V, drbg_statelen(drbg));
879 list_add_tail(&data2.list, &datalist);
880 }
881 list_splice_tail(seed, &datalist);
882
883
884 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
885 if (ret)
886 goto out;
887
888
889 prefix = DRBG_PREFIX0;
890 drbg_string_fill(&data1, &prefix, 1);
891 list_add_tail(&data1.list, &datalist2);
892 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
893 list_add_tail(&data2.list, &datalist2);
894
895 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
896
897out:
898 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
899 return ret;
900}
901
902
903static int drbg_hash_process_addtl(struct drbg_state *drbg,
904 struct list_head *addtl)
905{
906 int ret = 0;
907 struct drbg_string data1, data2;
908 LIST_HEAD(datalist);
909 unsigned char prefix = DRBG_PREFIX2;
910
911
912 if (!addtl || list_empty(addtl))
913 return 0;
914
915
916 drbg_string_fill(&data1, &prefix, 1);
917 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
918 list_add_tail(&data1.list, &datalist);
919 list_add_tail(&data2.list, &datalist);
920 list_splice_tail(addtl, &datalist);
921 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
922 if (ret)
923 goto out;
924
925
926 drbg_add_buf(drbg->V, drbg_statelen(drbg),
927 drbg->scratchpad, drbg_blocklen(drbg));
928
929out:
930 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
931 return ret;
932}
933
934
935static int drbg_hash_hashgen(struct drbg_state *drbg,
936 unsigned char *buf,
937 unsigned int buflen)
938{
939 int len = 0;
940 int ret = 0;
941 unsigned char *src = drbg->scratchpad;
942 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
943 struct drbg_string data;
944 LIST_HEAD(datalist);
945
946
947 memcpy(src, drbg->V, drbg_statelen(drbg));
948
949 drbg_string_fill(&data, src, drbg_statelen(drbg));
950 list_add_tail(&data.list, &datalist);
951 while (len < buflen) {
952 unsigned int outlen = 0;
953
954 ret = drbg_kcapi_hash(drbg, dst, &datalist);
955 if (ret) {
956 len = ret;
957 goto out;
958 }
959 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
960 drbg_blocklen(drbg) : (buflen - len);
961
962 memcpy(buf + len, dst, outlen);
963 len += outlen;
964
965 if (len < buflen)
966 crypto_inc(src, drbg_statelen(drbg));
967 }
968
969out:
970 memset(drbg->scratchpad, 0,
971 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
972 return len;
973}
974
975
976static int drbg_hash_generate(struct drbg_state *drbg,
977 unsigned char *buf, unsigned int buflen,
978 struct list_head *addtl)
979{
980 int len = 0;
981 int ret = 0;
982 union {
983 unsigned char req[8];
984 __be64 req_int;
985 } u;
986 unsigned char prefix = DRBG_PREFIX3;
987 struct drbg_string data1, data2;
988 LIST_HEAD(datalist);
989
990
991 ret = drbg_hash_process_addtl(drbg, addtl);
992 if (ret)
993 return ret;
994
995 len = drbg_hash_hashgen(drbg, buf, buflen);
996
997
998
999 drbg_string_fill(&data1, &prefix, 1);
1000 list_add_tail(&data1.list, &datalist);
1001 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1002 list_add_tail(&data2.list, &datalist);
1003 ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
1004 if (ret) {
1005 len = ret;
1006 goto out;
1007 }
1008
1009
1010 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1011 drbg->scratchpad, drbg_blocklen(drbg));
1012 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1013 drbg->C, drbg_statelen(drbg));
1014 u.req_int = cpu_to_be64(drbg->reseed_ctr);
1015 drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
1016
1017out:
1018 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1019 return len;
1020}
1021
1022
1023
1024
1025
1026static const struct drbg_state_ops drbg_hash_ops = {
1027 .update = drbg_hash_update,
1028 .generate = drbg_hash_generate,
1029 .crypto_init = drbg_init_hash_kernel,
1030 .crypto_fini = drbg_fini_hash_kernel,
1031};
1032#endif
1033
1034
1035
1036
1037
1038static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
1039 int reseed)
1040{
1041 int ret = drbg->d_ops->update(drbg, seed, reseed);
1042
1043 if (ret)
1044 return ret;
1045
1046 drbg->seeded = true;
1047
1048 drbg->reseed_ctr = 1;
1049
1050 return ret;
1051}
1052
1053static inline int drbg_get_random_bytes(struct drbg_state *drbg,
1054 unsigned char *entropy,
1055 unsigned int entropylen)
1056{
1057 int ret;
1058
1059 do {
1060 get_random_bytes(entropy, entropylen);
1061 ret = drbg_fips_continuous_test(drbg, entropy);
1062 if (ret && ret != -EAGAIN)
1063 return ret;
1064 } while (ret);
1065
1066 return 0;
1067}
1068
1069static void drbg_async_seed(struct work_struct *work)
1070{
1071 struct drbg_string data;
1072 LIST_HEAD(seedlist);
1073 struct drbg_state *drbg = container_of(work, struct drbg_state,
1074 seed_work);
1075 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1076 unsigned char entropy[32];
1077 int ret;
1078
1079 BUG_ON(!entropylen);
1080 BUG_ON(entropylen > sizeof(entropy));
1081
1082 drbg_string_fill(&data, entropy, entropylen);
1083 list_add_tail(&data.list, &seedlist);
1084
1085 mutex_lock(&drbg->drbg_mutex);
1086
1087 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1088 if (ret)
1089 goto unlock;
1090
1091
1092
1093
1094 drbg->seeded = false;
1095
1096 __drbg_seed(drbg, &seedlist, true);
1097
1098 if (drbg->seeded)
1099 drbg->reseed_threshold = drbg_max_requests(drbg);
1100
1101unlock:
1102 mutex_unlock(&drbg->drbg_mutex);
1103
1104 memzero_explicit(entropy, entropylen);
1105}
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1119 bool reseed)
1120{
1121 int ret;
1122 unsigned char entropy[((32 + 16) * 2)];
1123 unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1124 struct drbg_string data1;
1125 LIST_HEAD(seedlist);
1126
1127
1128 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1129 pr_devel("DRBG: personalization string too long %zu\n",
1130 pers->len);
1131 return -EINVAL;
1132 }
1133
1134 if (list_empty(&drbg->test_data.list)) {
1135 drbg_string_fill(&data1, drbg->test_data.buf,
1136 drbg->test_data.len);
1137 pr_devel("DRBG: using test entropy\n");
1138 } else {
1139
1140
1141
1142
1143
1144
1145
1146
1147 BUG_ON(!entropylen);
1148 if (!reseed)
1149 entropylen = ((entropylen + 1) / 2) * 3;
1150 BUG_ON((entropylen * 2) > sizeof(entropy));
1151
1152
1153 ret = drbg_get_random_bytes(drbg, entropy, entropylen);
1154 if (ret)
1155 goto out;
1156
1157 if (!drbg->jent) {
1158 drbg_string_fill(&data1, entropy, entropylen);
1159 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1160 entropylen);
1161 } else {
1162
1163 ret = crypto_rng_get_bytes(drbg->jent,
1164 entropy + entropylen,
1165 entropylen);
1166 if (ret) {
1167 pr_devel("DRBG: jent failed with %d\n", ret);
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183 if (!reseed || ret != -EAGAIN)
1184 goto out;
1185 }
1186
1187 drbg_string_fill(&data1, entropy, entropylen * 2);
1188 pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1189 entropylen * 2);
1190 }
1191 }
1192 list_add_tail(&data1.list, &seedlist);
1193
1194
1195
1196
1197
1198
1199 if (pers && pers->buf && 0 < pers->len) {
1200 list_add_tail(&pers->list, &seedlist);
1201 pr_devel("DRBG: using personalization string\n");
1202 }
1203
1204 if (!reseed) {
1205 memset(drbg->V, 0, drbg_statelen(drbg));
1206 memset(drbg->C, 0, drbg_statelen(drbg));
1207 }
1208
1209 ret = __drbg_seed(drbg, &seedlist, reseed);
1210
1211out:
1212 memzero_explicit(entropy, entropylen * 2);
1213
1214 return ret;
1215}
1216
1217
1218static inline void drbg_dealloc_state(struct drbg_state *drbg)
1219{
1220 if (!drbg)
1221 return;
1222 kfree_sensitive(drbg->Vbuf);
1223 drbg->Vbuf = NULL;
1224 drbg->V = NULL;
1225 kfree_sensitive(drbg->Cbuf);
1226 drbg->Cbuf = NULL;
1227 drbg->C = NULL;
1228 kfree_sensitive(drbg->scratchpadbuf);
1229 drbg->scratchpadbuf = NULL;
1230 drbg->reseed_ctr = 0;
1231 drbg->d_ops = NULL;
1232 drbg->core = NULL;
1233 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1234 kfree_sensitive(drbg->prev);
1235 drbg->prev = NULL;
1236 drbg->fips_primed = false;
1237 }
1238}
1239
1240
1241
1242
1243
1244static inline int drbg_alloc_state(struct drbg_state *drbg)
1245{
1246 int ret = -ENOMEM;
1247 unsigned int sb_size = 0;
1248
1249 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1250#ifdef CONFIG_CRYPTO_DRBG_HMAC
1251 case DRBG_HMAC:
1252 drbg->d_ops = &drbg_hmac_ops;
1253 break;
1254#endif
1255#ifdef CONFIG_CRYPTO_DRBG_HASH
1256 case DRBG_HASH:
1257 drbg->d_ops = &drbg_hash_ops;
1258 break;
1259#endif
1260#ifdef CONFIG_CRYPTO_DRBG_CTR
1261 case DRBG_CTR:
1262 drbg->d_ops = &drbg_ctr_ops;
1263 break;
1264#endif
1265 default:
1266 ret = -EOPNOTSUPP;
1267 goto err;
1268 }
1269
1270 ret = drbg->d_ops->crypto_init(drbg);
1271 if (ret < 0)
1272 goto err;
1273
1274 drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1275 if (!drbg->Vbuf) {
1276 ret = -ENOMEM;
1277 goto fini;
1278 }
1279 drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1280 drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1281 if (!drbg->Cbuf) {
1282 ret = -ENOMEM;
1283 goto fini;
1284 }
1285 drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1286
1287 if (drbg->core->flags & DRBG_HMAC)
1288 sb_size = 0;
1289 else if (drbg->core->flags & DRBG_CTR)
1290 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) +
1291 drbg_statelen(drbg) +
1292 drbg_blocklen(drbg) +
1293 drbg_blocklen(drbg) +
1294 drbg_statelen(drbg) + drbg_blocklen(drbg);
1295 else
1296 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1297
1298 if (0 < sb_size) {
1299 drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1300 if (!drbg->scratchpadbuf) {
1301 ret = -ENOMEM;
1302 goto fini;
1303 }
1304 drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1305 }
1306
1307 if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
1308 drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags),
1309 GFP_KERNEL);
1310 if (!drbg->prev) {
1311 ret = -ENOMEM;
1312 goto fini;
1313 }
1314 drbg->fips_primed = false;
1315 }
1316
1317 return 0;
1318
1319fini:
1320 drbg->d_ops->crypto_fini(drbg);
1321err:
1322 drbg_dealloc_state(drbg);
1323 return ret;
1324}
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346static int drbg_generate(struct drbg_state *drbg,
1347 unsigned char *buf, unsigned int buflen,
1348 struct drbg_string *addtl)
1349{
1350 int len = 0;
1351 LIST_HEAD(addtllist);
1352
1353 if (!drbg->core) {
1354 pr_devel("DRBG: not yet seeded\n");
1355 return -EINVAL;
1356 }
1357 if (0 == buflen || !buf) {
1358 pr_devel("DRBG: no output buffer provided\n");
1359 return -EINVAL;
1360 }
1361 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1362 pr_devel("DRBG: wrong format of additional information\n");
1363 return -EINVAL;
1364 }
1365
1366
1367 len = -EINVAL;
1368 if (buflen > (drbg_max_request_bytes(drbg))) {
1369 pr_devel("DRBG: requested random numbers too large %u\n",
1370 buflen);
1371 goto err;
1372 }
1373
1374
1375
1376
1377 if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1378 pr_devel("DRBG: additional information string too long %zu\n",
1379 addtl->len);
1380 goto err;
1381 }
1382
1383
1384
1385
1386
1387
1388 if (drbg->reseed_threshold < drbg->reseed_ctr)
1389 drbg->seeded = false;
1390
1391 if (drbg->pr || !drbg->seeded) {
1392 pr_devel("DRBG: reseeding before generation (prediction "
1393 "resistance: %s, state %s)\n",
1394 drbg->pr ? "true" : "false",
1395 drbg->seeded ? "seeded" : "unseeded");
1396
1397 len = drbg_seed(drbg, addtl, true);
1398 if (len)
1399 goto err;
1400
1401 addtl = NULL;
1402 }
1403
1404 if (addtl && 0 < addtl->len)
1405 list_add_tail(&addtl->list, &addtllist);
1406
1407 len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1408
1409
1410 drbg->reseed_ctr++;
1411 if (0 >= len)
1412 goto err;
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429#if 0
1430 if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1431 int err = 0;
1432 pr_devel("DRBG: start to perform self test\n");
1433 if (drbg->core->flags & DRBG_HMAC)
1434 err = alg_test("drbg_pr_hmac_sha256",
1435 "drbg_pr_hmac_sha256", 0, 0);
1436 else if (drbg->core->flags & DRBG_CTR)
1437 err = alg_test("drbg_pr_ctr_aes128",
1438 "drbg_pr_ctr_aes128", 0, 0);
1439 else
1440 err = alg_test("drbg_pr_sha256",
1441 "drbg_pr_sha256", 0, 0);
1442 if (err) {
1443 pr_err("DRBG: periodical self test failed\n");
1444
1445
1446
1447
1448 drbg_uninstantiate(drbg);
1449 return 0;
1450 } else {
1451 pr_devel("DRBG: self test successful\n");
1452 }
1453 }
1454#endif
1455
1456
1457
1458
1459
1460 len = 0;
1461err:
1462 return len;
1463}
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473static int drbg_generate_long(struct drbg_state *drbg,
1474 unsigned char *buf, unsigned int buflen,
1475 struct drbg_string *addtl)
1476{
1477 unsigned int len = 0;
1478 unsigned int slice = 0;
1479 do {
1480 int err = 0;
1481 unsigned int chunk = 0;
1482 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1483 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1484 mutex_lock(&drbg->drbg_mutex);
1485 err = drbg_generate(drbg, buf + len, chunk, addtl);
1486 mutex_unlock(&drbg->drbg_mutex);
1487 if (0 > err)
1488 return err;
1489 len += chunk;
1490 } while (slice > 0 && (len < buflen));
1491 return 0;
1492}
1493
1494static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1495{
1496 struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1497 random_ready);
1498
1499 schedule_work(&drbg->seed_work);
1500}
1501
1502static int drbg_prepare_hrng(struct drbg_state *drbg)
1503{
1504 int err;
1505
1506
1507 if (list_empty(&drbg->test_data.list))
1508 return 0;
1509
1510 drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1511
1512 INIT_WORK(&drbg->seed_work, drbg_async_seed);
1513
1514 drbg->random_ready.owner = THIS_MODULE;
1515 drbg->random_ready.func = drbg_schedule_async_seed;
1516
1517 err = add_random_ready_callback(&drbg->random_ready);
1518
1519 switch (err) {
1520 case 0:
1521 break;
1522
1523 case -EALREADY:
1524 err = 0;
1525 fallthrough;
1526
1527 default:
1528 drbg->random_ready.func = NULL;
1529 return err;
1530 }
1531
1532
1533
1534
1535
1536 drbg->reseed_threshold = 50;
1537
1538 return err;
1539}
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1559 int coreref, bool pr)
1560{
1561 int ret;
1562 bool reseed = true;
1563
1564 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1565 "%s\n", coreref, pr ? "enabled" : "disabled");
1566 mutex_lock(&drbg->drbg_mutex);
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578 if (!drbg->core) {
1579 drbg->core = &drbg_cores[coreref];
1580 drbg->pr = pr;
1581 drbg->seeded = false;
1582 drbg->reseed_threshold = drbg_max_requests(drbg);
1583
1584 ret = drbg_alloc_state(drbg);
1585 if (ret)
1586 goto unlock;
1587
1588 ret = drbg_prepare_hrng(drbg);
1589 if (ret)
1590 goto free_everything;
1591
1592 if (IS_ERR(drbg->jent)) {
1593 ret = PTR_ERR(drbg->jent);
1594 drbg->jent = NULL;
1595 if (fips_enabled || ret != -ENOENT)
1596 goto free_everything;
1597 pr_info("DRBG: Continuing without Jitter RNG\n");
1598 }
1599
1600 reseed = false;
1601 }
1602
1603 ret = drbg_seed(drbg, pers, reseed);
1604
1605 if (ret && !reseed)
1606 goto free_everything;
1607
1608 mutex_unlock(&drbg->drbg_mutex);
1609 return ret;
1610
1611unlock:
1612 mutex_unlock(&drbg->drbg_mutex);
1613 return ret;
1614
1615free_everything:
1616 mutex_unlock(&drbg->drbg_mutex);
1617 drbg_uninstantiate(drbg);
1618 return ret;
1619}
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630static int drbg_uninstantiate(struct drbg_state *drbg)
1631{
1632 if (drbg->random_ready.func) {
1633 del_random_ready_callback(&drbg->random_ready);
1634 cancel_work_sync(&drbg->seed_work);
1635 }
1636
1637 if (!IS_ERR_OR_NULL(drbg->jent))
1638 crypto_free_rng(drbg->jent);
1639 drbg->jent = NULL;
1640
1641 if (drbg->d_ops)
1642 drbg->d_ops->crypto_fini(drbg);
1643 drbg_dealloc_state(drbg);
1644
1645 return 0;
1646}
1647
1648
1649
1650
1651
1652
1653
1654
1655static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1656 const u8 *data, unsigned int len)
1657{
1658 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1659
1660 mutex_lock(&drbg->drbg_mutex);
1661 drbg_string_fill(&drbg->test_data, data, len);
1662 mutex_unlock(&drbg->drbg_mutex);
1663}
1664
1665
1666
1667
1668
1669#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1670struct sdesc {
1671 struct shash_desc shash;
1672 char ctx[];
1673};
1674
1675static int drbg_init_hash_kernel(struct drbg_state *drbg)
1676{
1677 struct sdesc *sdesc;
1678 struct crypto_shash *tfm;
1679
1680 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1681 if (IS_ERR(tfm)) {
1682 pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1683 drbg->core->backend_cra_name);
1684 return PTR_ERR(tfm);
1685 }
1686 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1687 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1688 GFP_KERNEL);
1689 if (!sdesc) {
1690 crypto_free_shash(tfm);
1691 return -ENOMEM;
1692 }
1693
1694 sdesc->shash.tfm = tfm;
1695 drbg->priv_data = sdesc;
1696
1697 return crypto_shash_alignmask(tfm);
1698}
1699
1700static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1701{
1702 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1703 if (sdesc) {
1704 crypto_free_shash(sdesc->shash.tfm);
1705 kfree_sensitive(sdesc);
1706 }
1707 drbg->priv_data = NULL;
1708 return 0;
1709}
1710
1711static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1712 const unsigned char *key)
1713{
1714 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1715
1716 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1717}
1718
1719static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1720 const struct list_head *in)
1721{
1722 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1723 struct drbg_string *input = NULL;
1724
1725 crypto_shash_init(&sdesc->shash);
1726 list_for_each_entry(input, in, list)
1727 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1728 return crypto_shash_final(&sdesc->shash, outval);
1729}
1730#endif
1731
1732#ifdef CONFIG_CRYPTO_DRBG_CTR
1733static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1734{
1735 struct crypto_cipher *tfm =
1736 (struct crypto_cipher *)drbg->priv_data;
1737 if (tfm)
1738 crypto_free_cipher(tfm);
1739 drbg->priv_data = NULL;
1740
1741 if (drbg->ctr_handle)
1742 crypto_free_skcipher(drbg->ctr_handle);
1743 drbg->ctr_handle = NULL;
1744
1745 if (drbg->ctr_req)
1746 skcipher_request_free(drbg->ctr_req);
1747 drbg->ctr_req = NULL;
1748
1749 kfree(drbg->outscratchpadbuf);
1750 drbg->outscratchpadbuf = NULL;
1751
1752 return 0;
1753}
1754
1755static int drbg_init_sym_kernel(struct drbg_state *drbg)
1756{
1757 struct crypto_cipher *tfm;
1758 struct crypto_skcipher *sk_tfm;
1759 struct skcipher_request *req;
1760 unsigned int alignmask;
1761 char ctr_name[CRYPTO_MAX_ALG_NAME];
1762
1763 tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1764 if (IS_ERR(tfm)) {
1765 pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1766 drbg->core->backend_cra_name);
1767 return PTR_ERR(tfm);
1768 }
1769 BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1770 drbg->priv_data = tfm;
1771
1772 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1773 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1774 drbg_fini_sym_kernel(drbg);
1775 return -EINVAL;
1776 }
1777 sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1778 if (IS_ERR(sk_tfm)) {
1779 pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1780 ctr_name);
1781 drbg_fini_sym_kernel(drbg);
1782 return PTR_ERR(sk_tfm);
1783 }
1784 drbg->ctr_handle = sk_tfm;
1785 crypto_init_wait(&drbg->ctr_wait);
1786
1787 req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1788 if (!req) {
1789 pr_info("DRBG: could not allocate request queue\n");
1790 drbg_fini_sym_kernel(drbg);
1791 return -ENOMEM;
1792 }
1793 drbg->ctr_req = req;
1794 skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1795 CRYPTO_TFM_REQ_MAY_SLEEP,
1796 crypto_req_done, &drbg->ctr_wait);
1797
1798 alignmask = crypto_skcipher_alignmask(sk_tfm);
1799 drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1800 GFP_KERNEL);
1801 if (!drbg->outscratchpadbuf) {
1802 drbg_fini_sym_kernel(drbg);
1803 return -ENOMEM;
1804 }
1805 drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1806 alignmask + 1);
1807
1808 sg_init_table(&drbg->sg_in, 1);
1809 sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1810
1811 return alignmask;
1812}
1813
1814static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1815 const unsigned char *key)
1816{
1817 struct crypto_cipher *tfm =
1818 (struct crypto_cipher *)drbg->priv_data;
1819
1820 crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1821}
1822
1823static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1824 const struct drbg_string *in)
1825{
1826 struct crypto_cipher *tfm =
1827 (struct crypto_cipher *)drbg->priv_data;
1828
1829
1830 BUG_ON(in->len < drbg_blocklen(drbg));
1831 crypto_cipher_encrypt_one(tfm, outval, in->buf);
1832 return 0;
1833}
1834
1835static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1836 u8 *inbuf, u32 inlen,
1837 u8 *outbuf, u32 outlen)
1838{
1839 struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1840 u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1841 int ret;
1842
1843 if (inbuf) {
1844
1845 sg_set_buf(sg_in, inbuf, inlen);
1846 } else {
1847
1848 inlen = scratchpad_use;
1849 memset(drbg->outscratchpad, 0, scratchpad_use);
1850 sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1851 }
1852
1853 while (outlen) {
1854 u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1855
1856
1857 skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1858 cryptlen, drbg->V);
1859 ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1860 &drbg->ctr_wait);
1861 if (ret)
1862 goto out;
1863
1864 crypto_init_wait(&drbg->ctr_wait);
1865
1866 memcpy(outbuf, drbg->outscratchpad, cryptlen);
1867 memzero_explicit(drbg->outscratchpad, cryptlen);
1868
1869 outlen -= cryptlen;
1870 outbuf += cryptlen;
1871 }
1872 ret = 0;
1873
1874out:
1875 return ret;
1876}
1877#endif
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1895 int *coreref, bool *pr)
1896{
1897 int i = 0;
1898 size_t start = 0;
1899 int len = 0;
1900
1901 *pr = true;
1902
1903 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1904 start = 10;
1905 *pr = false;
1906 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1907 start = 8;
1908 } else {
1909 return;
1910 }
1911
1912
1913 len = strlen(cra_driver_name) - start;
1914 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1915 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1916 len)) {
1917 *coreref = i;
1918 return;
1919 }
1920 }
1921}
1922
1923static int drbg_kcapi_init(struct crypto_tfm *tfm)
1924{
1925 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1926
1927 mutex_init(&drbg->drbg_mutex);
1928
1929 return 0;
1930}
1931
1932static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1933{
1934 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1935}
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946static int drbg_kcapi_random(struct crypto_rng *tfm,
1947 const u8 *src, unsigned int slen,
1948 u8 *dst, unsigned int dlen)
1949{
1950 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1951 struct drbg_string *addtl = NULL;
1952 struct drbg_string string;
1953
1954 if (slen) {
1955
1956 drbg_string_fill(&string, src, slen);
1957 addtl = &string;
1958 }
1959
1960 return drbg_generate_long(drbg, dst, dlen, addtl);
1961}
1962
1963
1964
1965
1966static int drbg_kcapi_seed(struct crypto_rng *tfm,
1967 const u8 *seed, unsigned int slen)
1968{
1969 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1970 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1971 bool pr = false;
1972 struct drbg_string string;
1973 struct drbg_string *seed_string = NULL;
1974 int coreref = 0;
1975
1976 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1977 &pr);
1978 if (0 < slen) {
1979 drbg_string_fill(&string, seed, slen);
1980 seed_string = &string;
1981 }
1982
1983 return drbg_instantiate(drbg, seed_string, coreref, pr);
1984}
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000static inline int __init drbg_healthcheck_sanity(void)
2001{
2002 int len = 0;
2003#define OUTBUFLEN 16
2004 unsigned char buf[OUTBUFLEN];
2005 struct drbg_state *drbg = NULL;
2006 int ret = -EFAULT;
2007 int rc = -EFAULT;
2008 bool pr = false;
2009 int coreref = 0;
2010 struct drbg_string addtl;
2011 size_t max_addtllen, max_request_bytes;
2012
2013
2014 if (!fips_enabled)
2015 return 0;
2016
2017#ifdef CONFIG_CRYPTO_DRBG_CTR
2018 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
2019#elif defined CONFIG_CRYPTO_DRBG_HASH
2020 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
2021#else
2022 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
2023#endif
2024
2025 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
2026 if (!drbg)
2027 return -ENOMEM;
2028
2029 mutex_init(&drbg->drbg_mutex);
2030 drbg->core = &drbg_cores[coreref];
2031 drbg->reseed_threshold = drbg_max_requests(drbg);
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041 max_addtllen = drbg_max_addtl(drbg);
2042 max_request_bytes = drbg_max_request_bytes(drbg);
2043 drbg_string_fill(&addtl, buf, max_addtllen + 1);
2044
2045 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
2046 BUG_ON(0 < len);
2047
2048 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
2049 BUG_ON(0 < len);
2050
2051
2052 ret = drbg_seed(drbg, &addtl, false);
2053 BUG_ON(0 == ret);
2054
2055 rc = 0;
2056
2057 pr_devel("DRBG: Sanity tests for failure code paths successfully "
2058 "completed\n");
2059
2060 kfree(drbg);
2061 return rc;
2062}
2063
2064static struct rng_alg drbg_algs[22];
2065
2066
2067
2068
2069
2070
2071static inline void __init drbg_fill_array(struct rng_alg *alg,
2072 const struct drbg_core *core, int pr)
2073{
2074 int pos = 0;
2075 static int priority = 200;
2076
2077 memcpy(alg->base.cra_name, "stdrng", 6);
2078 if (pr) {
2079 memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
2080 pos = 8;
2081 } else {
2082 memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
2083 pos = 10;
2084 }
2085 memcpy(alg->base.cra_driver_name + pos, core->cra_name,
2086 strlen(core->cra_name));
2087
2088 alg->base.cra_priority = priority;
2089 priority++;
2090
2091
2092
2093
2094
2095 if (fips_enabled)
2096 alg->base.cra_priority += 200;
2097
2098 alg->base.cra_ctxsize = sizeof(struct drbg_state);
2099 alg->base.cra_module = THIS_MODULE;
2100 alg->base.cra_init = drbg_kcapi_init;
2101 alg->base.cra_exit = drbg_kcapi_cleanup;
2102 alg->generate = drbg_kcapi_random;
2103 alg->seed = drbg_kcapi_seed;
2104 alg->set_ent = drbg_kcapi_set_entropy;
2105 alg->seedsize = 0;
2106}
2107
2108static int __init drbg_init(void)
2109{
2110 unsigned int i = 0;
2111 unsigned int j = 0;
2112 int ret;
2113
2114 ret = drbg_healthcheck_sanity();
2115 if (ret)
2116 return ret;
2117
2118 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2119 pr_info("DRBG: Cannot register all DRBG types"
2120 "(slots needed: %zu, slots available: %zu)\n",
2121 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2122 return -EFAULT;
2123 }
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2135 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2136 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2137 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2138 return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2139}
2140
2141static void __exit drbg_exit(void)
2142{
2143 crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2144}
2145
2146subsys_initcall(drbg_init);
2147module_exit(drbg_exit);
2148#ifndef CRYPTO_DRBG_HASH_STRING
2149#define CRYPTO_DRBG_HASH_STRING ""
2150#endif
2151#ifndef CRYPTO_DRBG_HMAC_STRING
2152#define CRYPTO_DRBG_HMAC_STRING ""
2153#endif
2154#ifndef CRYPTO_DRBG_CTR_STRING
2155#define CRYPTO_DRBG_CTR_STRING ""
2156#endif
2157MODULE_LICENSE("GPL");
2158MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2159MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2160 "using following cores: "
2161 CRYPTO_DRBG_HASH_STRING
2162 CRYPTO_DRBG_HMAC_STRING
2163 CRYPTO_DRBG_CTR_STRING);
2164MODULE_ALIAS_CRYPTO("stdrng");
2165MODULE_IMPORT_NS(CRYPTO_INTERNAL);
2166