1 /*
2  * DRBG: Deterministic Random Bits Generator
3  *       Based on NIST Recommended DRBG from NIST SP800-90A with the following
4  *       properties:
5  *		* CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6  *		* Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7  *		* HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8  *		* with and without prediction resistance
9  *
10  * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, and the entire permission notice in its entirety,
17  *    including the disclaimer of warranties.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior
23  *    written permission.
24  *
25  * ALTERNATIVELY, this product may be distributed under the terms of
26  * the GNU General Public License, in which case the provisions of the GPL are
27  * required INSTEAD OF the above restrictions.  (This clause is
28  * necessary due to a potential bad interaction between the GPL and
29  * the restrictions contained in a BSD-style copyright.)
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34  * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
35  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38  * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41  * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42  * DAMAGE.
43  *
44  * DRBG Usage
45  * ==========
46  * The SP 800-90A DRBG allows the user to specify a personalization string
47  * for initialization as well as an additional information string for each
48  * random number request. The following code fragments show how a caller
49  * uses the kernel crypto API to use the full functionality of the DRBG.
50  *
51  * Usage without any additional data
52  * ---------------------------------
53  * struct crypto_rng *drng;
54  * int err;
55  * char data[DATALEN];
56  *
57  * drng = crypto_alloc_rng(drng_name, 0, 0);
58  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59  * crypto_free_rng(drng);
60  *
61  *
62  * Usage with personalization string during initialization
63  * -------------------------------------------------------
64  * struct crypto_rng *drng;
65  * int err;
66  * char data[DATALEN];
67  * struct drbg_string pers;
68  * char personalization[11] = "some-string";
69  *
70  * drbg_string_fill(&pers, personalization, strlen(personalization));
71  * drng = crypto_alloc_rng(drng_name, 0, 0);
72  * // The reset completely re-initializes the DRBG with the provided
73  * // personalization string
74  * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75  * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76  * crypto_free_rng(drng);
77  *
78  *
79  * Usage with additional information string during random number request
80  * ---------------------------------------------------------------------
81  * struct crypto_rng *drng;
82  * int err;
83  * char data[DATALEN];
84  * char addtl_string[11] = "some-string";
85  * string drbg_string addtl;
86  *
87  * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88  * drng = crypto_alloc_rng(drng_name, 0, 0);
89  * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90  * // the same error codes.
91  * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92  * crypto_free_rng(drng);
93  *
94  *
95  * Usage with personalization and additional information strings
96  * -------------------------------------------------------------
97  * Just mix both scenarios above.
98  */
99 
100 #include <crypto/drbg.h>
101 #include <linux/kernel.h>
102 
103 /***************************************************************
104  * Backend cipher definitions available to DRBG
105  ***************************************************************/
106 
107 /*
108  * The order of the DRBG definitions here matter: every DRBG is registered
109  * as stdrng. Each DRBG receives an increasing cra_priority values the later
110  * they are defined in this array (see drbg_fill_array).
111  *
112  * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
113  * the SHA256 / AES 256 over other ciphers. Thus, the favored
114  * DRBGs are the latest entries in this array.
115  */
116 static const struct drbg_core drbg_cores[] = {
117 #ifdef CONFIG_CRYPTO_DRBG_CTR
118 	{
119 		.flags = DRBG_CTR | DRBG_STRENGTH128,
120 		.statelen = 32, /* 256 bits as defined in 10.2.1 */
121 		.blocklen_bytes = 16,
122 		.cra_name = "ctr_aes128",
123 		.backend_cra_name = "aes",
124 	}, {
125 		.flags = DRBG_CTR | DRBG_STRENGTH192,
126 		.statelen = 40, /* 320 bits as defined in 10.2.1 */
127 		.blocklen_bytes = 16,
128 		.cra_name = "ctr_aes192",
129 		.backend_cra_name = "aes",
130 	}, {
131 		.flags = DRBG_CTR | DRBG_STRENGTH256,
132 		.statelen = 48, /* 384 bits as defined in 10.2.1 */
133 		.blocklen_bytes = 16,
134 		.cra_name = "ctr_aes256",
135 		.backend_cra_name = "aes",
136 	},
137 #endif /* CONFIG_CRYPTO_DRBG_CTR */
138 #ifdef CONFIG_CRYPTO_DRBG_HASH
139 	{
140 		.flags = DRBG_HASH | DRBG_STRENGTH128,
141 		.statelen = 55, /* 440 bits */
142 		.blocklen_bytes = 20,
143 		.cra_name = "sha1",
144 		.backend_cra_name = "sha1",
145 	}, {
146 		.flags = DRBG_HASH | DRBG_STRENGTH256,
147 		.statelen = 111, /* 888 bits */
148 		.blocklen_bytes = 48,
149 		.cra_name = "sha384",
150 		.backend_cra_name = "sha384",
151 	}, {
152 		.flags = DRBG_HASH | DRBG_STRENGTH256,
153 		.statelen = 111, /* 888 bits */
154 		.blocklen_bytes = 64,
155 		.cra_name = "sha512",
156 		.backend_cra_name = "sha512",
157 	}, {
158 		.flags = DRBG_HASH | DRBG_STRENGTH256,
159 		.statelen = 55, /* 440 bits */
160 		.blocklen_bytes = 32,
161 		.cra_name = "sha256",
162 		.backend_cra_name = "sha256",
163 	},
164 #endif /* CONFIG_CRYPTO_DRBG_HASH */
165 #ifdef CONFIG_CRYPTO_DRBG_HMAC
166 	{
167 		.flags = DRBG_HMAC | DRBG_STRENGTH128,
168 		.statelen = 20, /* block length of cipher */
169 		.blocklen_bytes = 20,
170 		.cra_name = "hmac_sha1",
171 		.backend_cra_name = "hmac(sha1)",
172 	}, {
173 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
174 		.statelen = 48, /* block length of cipher */
175 		.blocklen_bytes = 48,
176 		.cra_name = "hmac_sha384",
177 		.backend_cra_name = "hmac(sha384)",
178 	}, {
179 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
180 		.statelen = 64, /* block length of cipher */
181 		.blocklen_bytes = 64,
182 		.cra_name = "hmac_sha512",
183 		.backend_cra_name = "hmac(sha512)",
184 	}, {
185 		.flags = DRBG_HMAC | DRBG_STRENGTH256,
186 		.statelen = 32, /* block length of cipher */
187 		.blocklen_bytes = 32,
188 		.cra_name = "hmac_sha256",
189 		.backend_cra_name = "hmac(sha256)",
190 	},
191 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
192 };
193 
194 static int drbg_uninstantiate(struct drbg_state *drbg);
195 
196 /******************************************************************
197  * Generic helper functions
198  ******************************************************************/
199 
200 /*
201  * Return strength of DRBG according to SP800-90A section 8.4
202  *
203  * @flags DRBG flags reference
204  *
205  * Return: normalized strength in *bytes* value or 32 as default
206  *	   to counter programming errors
207  */
drbg_sec_strength(drbg_flag_t flags)208 static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
209 {
210 	switch (flags & DRBG_STRENGTH_MASK) {
211 	case DRBG_STRENGTH128:
212 		return 16;
213 	case DRBG_STRENGTH192:
214 		return 24;
215 	case DRBG_STRENGTH256:
216 		return 32;
217 	default:
218 		return 32;
219 	}
220 }
221 
222 /*
223  * Convert an integer into a byte representation of this integer.
224  * The byte representation is big-endian
225  *
226  * @val value to be converted
227  * @buf buffer holding the converted integer -- caller must ensure that
228  *      buffer size is at least 32 bit
229  */
230 #if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
drbg_cpu_to_be32(__u32 val,unsigned char * buf)231 static inline void drbg_cpu_to_be32(__u32 val, unsigned char *buf)
232 {
233 	struct s {
234 		__be32 conv;
235 	};
236 	struct s *conversion = (struct s *) buf;
237 
238 	conversion->conv = cpu_to_be32(val);
239 }
240 #endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
241 
242 /******************************************************************
243  * CTR DRBG callback functions
244  ******************************************************************/
245 
246 #ifdef CONFIG_CRYPTO_DRBG_CTR
247 #define CRYPTO_DRBG_CTR_STRING "CTR "
248 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes256");
249 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes256");
250 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes192");
251 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes192");
252 MODULE_ALIAS_CRYPTO("drbg_pr_ctr_aes128");
253 MODULE_ALIAS_CRYPTO("drbg_nopr_ctr_aes128");
254 
255 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
256 				 const unsigned char *key);
257 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
258 			  const struct drbg_string *in);
259 static int drbg_init_sym_kernel(struct drbg_state *drbg);
260 static int drbg_fini_sym_kernel(struct drbg_state *drbg);
261 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
262 			      u8 *inbuf, u32 inbuflen,
263 			      u8 *outbuf, u32 outlen);
264 #define DRBG_OUTSCRATCHLEN 256
265 
266 /* BCC function for CTR DRBG as defined in 10.4.3 */
drbg_ctr_bcc(struct drbg_state * drbg,unsigned char * out,const unsigned char * key,struct list_head * in)267 static int drbg_ctr_bcc(struct drbg_state *drbg,
268 			unsigned char *out, const unsigned char *key,
269 			struct list_head *in)
270 {
271 	int ret = 0;
272 	struct drbg_string *curr = NULL;
273 	struct drbg_string data;
274 	short cnt = 0;
275 
276 	drbg_string_fill(&data, out, drbg_blocklen(drbg));
277 
278 	/* 10.4.3 step 2 / 4 */
279 	drbg_kcapi_symsetkey(drbg, key);
280 	list_for_each_entry(curr, in, list) {
281 		const unsigned char *pos = curr->buf;
282 		size_t len = curr->len;
283 		/* 10.4.3 step 4.1 */
284 		while (len) {
285 			/* 10.4.3 step 4.2 */
286 			if (drbg_blocklen(drbg) == cnt) {
287 				cnt = 0;
288 				ret = drbg_kcapi_sym(drbg, out, &data);
289 				if (ret)
290 					return ret;
291 			}
292 			out[cnt] ^= *pos;
293 			pos++;
294 			cnt++;
295 			len--;
296 		}
297 	}
298 	/* 10.4.3 step 4.2 for last block */
299 	if (cnt)
300 		ret = drbg_kcapi_sym(drbg, out, &data);
301 
302 	return ret;
303 }
304 
305 /*
306  * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
307  * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
308  * the scratchpad is used as follows:
309  * drbg_ctr_update:
310  *	temp
311  *		start: drbg->scratchpad
312  *		length: drbg_statelen(drbg) + drbg_blocklen(drbg)
313  *			note: the cipher writing into this variable works
314  *			blocklen-wise. Now, when the statelen is not a multiple
315  *			of blocklen, the generateion loop below "spills over"
316  *			by at most blocklen. Thus, we need to give sufficient
317  *			memory.
318  *	df_data
319  *		start: drbg->scratchpad +
320  *				drbg_statelen(drbg) + drbg_blocklen(drbg)
321  *		length: drbg_statelen(drbg)
322  *
323  * drbg_ctr_df:
324  *	pad
325  *		start: df_data + drbg_statelen(drbg)
326  *		length: drbg_blocklen(drbg)
327  *	iv
328  *		start: pad + drbg_blocklen(drbg)
329  *		length: drbg_blocklen(drbg)
330  *	temp
331  *		start: iv + drbg_blocklen(drbg)
332  *		length: drbg_satelen(drbg) + drbg_blocklen(drbg)
333  *			note: temp is the buffer that the BCC function operates
334  *			on. BCC operates blockwise. drbg_statelen(drbg)
335  *			is sufficient when the DRBG state length is a multiple
336  *			of the block size. For AES192 (and maybe other ciphers)
337  *			this is not correct and the length for temp is
338  *			insufficient (yes, that also means for such ciphers,
339  *			the final output of all BCC rounds are truncated).
340  *			Therefore, add drbg_blocklen(drbg) to cover all
341  *			possibilities.
342  */
343 
344 /* Derivation Function for CTR DRBG as defined in 10.4.2 */
drbg_ctr_df(struct drbg_state * drbg,unsigned char * df_data,size_t bytes_to_return,struct list_head * seedlist)345 static int drbg_ctr_df(struct drbg_state *drbg,
346 		       unsigned char *df_data, size_t bytes_to_return,
347 		       struct list_head *seedlist)
348 {
349 	int ret = -EFAULT;
350 	unsigned char L_N[8];
351 	/* S3 is input */
352 	struct drbg_string S1, S2, S4, cipherin;
353 	LIST_HEAD(bcc_list);
354 	unsigned char *pad = df_data + drbg_statelen(drbg);
355 	unsigned char *iv = pad + drbg_blocklen(drbg);
356 	unsigned char *temp = iv + drbg_blocklen(drbg);
357 	size_t padlen = 0;
358 	unsigned int templen = 0;
359 	/* 10.4.2 step 7 */
360 	unsigned int i = 0;
361 	/* 10.4.2 step 8 */
362 	const unsigned char *K = (unsigned char *)
363 			   "\x00\x01\x02\x03\x04\x05\x06\x07"
364 			   "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
365 			   "\x10\x11\x12\x13\x14\x15\x16\x17"
366 			   "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
367 	unsigned char *X;
368 	size_t generated_len = 0;
369 	size_t inputlen = 0;
370 	struct drbg_string *seed = NULL;
371 
372 	memset(pad, 0, drbg_blocklen(drbg));
373 	memset(iv, 0, drbg_blocklen(drbg));
374 
375 	/* 10.4.2 step 1 is implicit as we work byte-wise */
376 
377 	/* 10.4.2 step 2 */
378 	if ((512/8) < bytes_to_return)
379 		return -EINVAL;
380 
381 	/* 10.4.2 step 2 -- calculate the entire length of all input data */
382 	list_for_each_entry(seed, seedlist, list)
383 		inputlen += seed->len;
384 	drbg_cpu_to_be32(inputlen, &L_N[0]);
385 
386 	/* 10.4.2 step 3 */
387 	drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
388 
389 	/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
390 	padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
391 	/* wrap the padlen appropriately */
392 	if (padlen)
393 		padlen = drbg_blocklen(drbg) - padlen;
394 	/*
395 	 * pad / padlen contains the 0x80 byte and the following zero bytes.
396 	 * As the calculated padlen value only covers the number of zero
397 	 * bytes, this value has to be incremented by one for the 0x80 byte.
398 	 */
399 	padlen++;
400 	pad[0] = 0x80;
401 
402 	/* 10.4.2 step 4 -- first fill the linked list and then order it */
403 	drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
404 	list_add_tail(&S1.list, &bcc_list);
405 	drbg_string_fill(&S2, L_N, sizeof(L_N));
406 	list_add_tail(&S2.list, &bcc_list);
407 	list_splice_tail(seedlist, &bcc_list);
408 	drbg_string_fill(&S4, pad, padlen);
409 	list_add_tail(&S4.list, &bcc_list);
410 
411 	/* 10.4.2 step 9 */
412 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
413 		/*
414 		 * 10.4.2 step 9.1 - the padding is implicit as the buffer
415 		 * holds zeros after allocation -- even the increment of i
416 		 * is irrelevant as the increment remains within length of i
417 		 */
418 		drbg_cpu_to_be32(i, iv);
419 		/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
420 		ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
421 		if (ret)
422 			goto out;
423 		/* 10.4.2 step 9.3 */
424 		i++;
425 		templen += drbg_blocklen(drbg);
426 	}
427 
428 	/* 10.4.2 step 11 */
429 	X = temp + (drbg_keylen(drbg));
430 	drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
431 
432 	/* 10.4.2 step 12: overwriting of outval is implemented in next step */
433 
434 	/* 10.4.2 step 13 */
435 	drbg_kcapi_symsetkey(drbg, temp);
436 	while (generated_len < bytes_to_return) {
437 		short blocklen = 0;
438 		/*
439 		 * 10.4.2 step 13.1: the truncation of the key length is
440 		 * implicit as the key is only drbg_blocklen in size based on
441 		 * the implementation of the cipher function callback
442 		 */
443 		ret = drbg_kcapi_sym(drbg, X, &cipherin);
444 		if (ret)
445 			goto out;
446 		blocklen = (drbg_blocklen(drbg) <
447 				(bytes_to_return - generated_len)) ?
448 			    drbg_blocklen(drbg) :
449 				(bytes_to_return - generated_len);
450 		/* 10.4.2 step 13.2 and 14 */
451 		memcpy(df_data + generated_len, X, blocklen);
452 		generated_len += blocklen;
453 	}
454 
455 	ret = 0;
456 
457 out:
458 	memset(iv, 0, drbg_blocklen(drbg));
459 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
460 	memset(pad, 0, drbg_blocklen(drbg));
461 	return ret;
462 }
463 
464 /*
465  * update function of CTR DRBG as defined in 10.2.1.2
466  *
467  * The reseed variable has an enhanced meaning compared to the update
468  * functions of the other DRBGs as follows:
469  * 0 => initial seed from initialization
470  * 1 => reseed via drbg_seed
471  * 2 => first invocation from drbg_ctr_update when addtl is present. In
472  *      this case, the df_data scratchpad is not deleted so that it is
473  *      available for another calls to prevent calling the DF function
474  *      again.
475  * 3 => second invocation from drbg_ctr_update. When the update function
476  *      was called with addtl, the df_data memory already contains the
477  *      DFed addtl information and we do not need to call DF again.
478  */
drbg_ctr_update(struct drbg_state * drbg,struct list_head * seed,int reseed)479 static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
480 			   int reseed)
481 {
482 	int ret = -EFAULT;
483 	/* 10.2.1.2 step 1 */
484 	unsigned char *temp = drbg->scratchpad;
485 	unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
486 				 drbg_blocklen(drbg);
487 
488 	if (3 > reseed)
489 		memset(df_data, 0, drbg_statelen(drbg));
490 
491 	if (!reseed) {
492 		/*
493 		 * The DRBG uses the CTR mode of the underlying AES cipher. The
494 		 * CTR mode increments the counter value after the AES operation
495 		 * but SP800-90A requires that the counter is incremented before
496 		 * the AES operation. Hence, we increment it at the time we set
497 		 * it by one.
498 		 */
499 		crypto_inc(drbg->V, drbg_blocklen(drbg));
500 
501 		ret = crypto_skcipher_setkey(drbg->ctr_handle, drbg->C,
502 					     drbg_keylen(drbg));
503 		if (ret)
504 			goto out;
505 	}
506 
507 	/* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
508 	if (seed) {
509 		ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
510 		if (ret)
511 			goto out;
512 	}
513 
514 	ret = drbg_kcapi_sym_ctr(drbg, df_data, drbg_statelen(drbg),
515 				 temp, drbg_statelen(drbg));
516 	if (ret)
517 		return ret;
518 
519 	/* 10.2.1.2 step 5 */
520 	ret = crypto_skcipher_setkey(drbg->ctr_handle, temp,
521 				     drbg_keylen(drbg));
522 	if (ret)
523 		goto out;
524 	/* 10.2.1.2 step 6 */
525 	memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
526 	/* See above: increment counter by one to compensate timing of CTR op */
527 	crypto_inc(drbg->V, drbg_blocklen(drbg));
528 	ret = 0;
529 
530 out:
531 	memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
532 	if (2 != reseed)
533 		memset(df_data, 0, drbg_statelen(drbg));
534 	return ret;
535 }
536 
537 /*
538  * scratchpad use: drbg_ctr_update is called independently from
539  * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
540  */
541 /* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
drbg_ctr_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)542 static int drbg_ctr_generate(struct drbg_state *drbg,
543 			     unsigned char *buf, unsigned int buflen,
544 			     struct list_head *addtl)
545 {
546 	int ret;
547 	int len = min_t(int, buflen, INT_MAX);
548 
549 	/* 10.2.1.5.2 step 2 */
550 	if (addtl && !list_empty(addtl)) {
551 		ret = drbg_ctr_update(drbg, addtl, 2);
552 		if (ret)
553 			return 0;
554 	}
555 
556 	/* 10.2.1.5.2 step 4.1 */
557 	ret = drbg_kcapi_sym_ctr(drbg, NULL, 0, buf, len);
558 	if (ret)
559 		return ret;
560 
561 	/* 10.2.1.5.2 step 6 */
562 	ret = drbg_ctr_update(drbg, NULL, 3);
563 	if (ret)
564 		len = ret;
565 
566 	return len;
567 }
568 
569 static const struct drbg_state_ops drbg_ctr_ops = {
570 	.update		= drbg_ctr_update,
571 	.generate	= drbg_ctr_generate,
572 	.crypto_init	= drbg_init_sym_kernel,
573 	.crypto_fini	= drbg_fini_sym_kernel,
574 };
575 #endif /* CONFIG_CRYPTO_DRBG_CTR */
576 
577 /******************************************************************
578  * HMAC DRBG callback functions
579  ******************************************************************/
580 
581 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
582 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
583 			   const struct list_head *in);
584 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
585 				  const unsigned char *key);
586 static int drbg_init_hash_kernel(struct drbg_state *drbg);
587 static int drbg_fini_hash_kernel(struct drbg_state *drbg);
588 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
589 
590 #ifdef CONFIG_CRYPTO_DRBG_HMAC
591 #define CRYPTO_DRBG_HMAC_STRING "HMAC "
592 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha512");
593 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha512");
594 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha384");
595 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha384");
596 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha256");
597 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha256");
598 MODULE_ALIAS_CRYPTO("drbg_pr_hmac_sha1");
599 MODULE_ALIAS_CRYPTO("drbg_nopr_hmac_sha1");
600 
601 /* update function of HMAC DRBG as defined in 10.1.2.2 */
drbg_hmac_update(struct drbg_state * drbg,struct list_head * seed,int reseed)602 static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
603 			    int reseed)
604 {
605 	int ret = -EFAULT;
606 	int i = 0;
607 	struct drbg_string seed1, seed2, vdata;
608 	LIST_HEAD(seedlist);
609 	LIST_HEAD(vdatalist);
610 
611 	if (!reseed) {
612 		/* 10.1.2.3 step 2 -- memset(0) of C is implicit with kzalloc */
613 		memset(drbg->V, 1, drbg_statelen(drbg));
614 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
615 	}
616 
617 	drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
618 	list_add_tail(&seed1.list, &seedlist);
619 	/* buffer of seed2 will be filled in for loop below with one byte */
620 	drbg_string_fill(&seed2, NULL, 1);
621 	list_add_tail(&seed2.list, &seedlist);
622 	/* input data of seed is allowed to be NULL at this point */
623 	if (seed)
624 		list_splice_tail(seed, &seedlist);
625 
626 	drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
627 	list_add_tail(&vdata.list, &vdatalist);
628 	for (i = 2; 0 < i; i--) {
629 		/* first round uses 0x0, second 0x1 */
630 		unsigned char prefix = DRBG_PREFIX0;
631 		if (1 == i)
632 			prefix = DRBG_PREFIX1;
633 		/* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
634 		seed2.buf = &prefix;
635 		ret = drbg_kcapi_hash(drbg, drbg->C, &seedlist);
636 		if (ret)
637 			return ret;
638 		drbg_kcapi_hmacsetkey(drbg, drbg->C);
639 
640 		/* 10.1.2.2 step 2 and 5 -- HMAC for V */
641 		ret = drbg_kcapi_hash(drbg, drbg->V, &vdatalist);
642 		if (ret)
643 			return ret;
644 
645 		/* 10.1.2.2 step 3 */
646 		if (!seed)
647 			return ret;
648 	}
649 
650 	return 0;
651 }
652 
653 /* generate function of HMAC DRBG as defined in 10.1.2.5 */
drbg_hmac_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)654 static int drbg_hmac_generate(struct drbg_state *drbg,
655 			      unsigned char *buf,
656 			      unsigned int buflen,
657 			      struct list_head *addtl)
658 {
659 	int len = 0;
660 	int ret = 0;
661 	struct drbg_string data;
662 	LIST_HEAD(datalist);
663 
664 	/* 10.1.2.5 step 2 */
665 	if (addtl && !list_empty(addtl)) {
666 		ret = drbg_hmac_update(drbg, addtl, 1);
667 		if (ret)
668 			return ret;
669 	}
670 
671 	drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
672 	list_add_tail(&data.list, &datalist);
673 	while (len < buflen) {
674 		unsigned int outlen = 0;
675 		/* 10.1.2.5 step 4.1 */
676 		ret = drbg_kcapi_hash(drbg, drbg->V, &datalist);
677 		if (ret)
678 			return ret;
679 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
680 			  drbg_blocklen(drbg) : (buflen - len);
681 
682 		/* 10.1.2.5 step 4.2 */
683 		memcpy(buf + len, drbg->V, outlen);
684 		len += outlen;
685 	}
686 
687 	/* 10.1.2.5 step 6 */
688 	if (addtl && !list_empty(addtl))
689 		ret = drbg_hmac_update(drbg, addtl, 1);
690 	else
691 		ret = drbg_hmac_update(drbg, NULL, 1);
692 	if (ret)
693 		return ret;
694 
695 	return len;
696 }
697 
698 static const struct drbg_state_ops drbg_hmac_ops = {
699 	.update		= drbg_hmac_update,
700 	.generate	= drbg_hmac_generate,
701 	.crypto_init	= drbg_init_hash_kernel,
702 	.crypto_fini	= drbg_fini_hash_kernel,
703 };
704 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
705 
706 /******************************************************************
707  * Hash DRBG callback functions
708  ******************************************************************/
709 
710 #ifdef CONFIG_CRYPTO_DRBG_HASH
711 #define CRYPTO_DRBG_HASH_STRING "HASH "
712 MODULE_ALIAS_CRYPTO("drbg_pr_sha512");
713 MODULE_ALIAS_CRYPTO("drbg_nopr_sha512");
714 MODULE_ALIAS_CRYPTO("drbg_pr_sha384");
715 MODULE_ALIAS_CRYPTO("drbg_nopr_sha384");
716 MODULE_ALIAS_CRYPTO("drbg_pr_sha256");
717 MODULE_ALIAS_CRYPTO("drbg_nopr_sha256");
718 MODULE_ALIAS_CRYPTO("drbg_pr_sha1");
719 MODULE_ALIAS_CRYPTO("drbg_nopr_sha1");
720 
721 /*
722  * Increment buffer
723  *
724  * @dst buffer to increment
725  * @add value to add
726  */
drbg_add_buf(unsigned char * dst,size_t dstlen,const unsigned char * add,size_t addlen)727 static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
728 				const unsigned char *add, size_t addlen)
729 {
730 	/* implied: dstlen > addlen */
731 	unsigned char *dstptr;
732 	const unsigned char *addptr;
733 	unsigned int remainder = 0;
734 	size_t len = addlen;
735 
736 	dstptr = dst + (dstlen-1);
737 	addptr = add + (addlen-1);
738 	while (len) {
739 		remainder += *dstptr + *addptr;
740 		*dstptr = remainder & 0xff;
741 		remainder >>= 8;
742 		len--; dstptr--; addptr--;
743 	}
744 	len = dstlen - addlen;
745 	while (len && remainder > 0) {
746 		remainder = *dstptr + 1;
747 		*dstptr = remainder & 0xff;
748 		remainder >>= 8;
749 		len--; dstptr--;
750 	}
751 }
752 
753 /*
754  * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
755  * interlinked, the scratchpad is used as follows:
756  * drbg_hash_update
757  *	start: drbg->scratchpad
758  *	length: drbg_statelen(drbg)
759  * drbg_hash_df:
760  *	start: drbg->scratchpad + drbg_statelen(drbg)
761  *	length: drbg_blocklen(drbg)
762  *
763  * drbg_hash_process_addtl uses the scratchpad, but fully completes
764  * before either of the functions mentioned before are invoked. Therefore,
765  * drbg_hash_process_addtl does not need to be specifically considered.
766  */
767 
768 /* Derivation Function for Hash DRBG as defined in 10.4.1 */
drbg_hash_df(struct drbg_state * drbg,unsigned char * outval,size_t outlen,struct list_head * entropylist)769 static int drbg_hash_df(struct drbg_state *drbg,
770 			unsigned char *outval, size_t outlen,
771 			struct list_head *entropylist)
772 {
773 	int ret = 0;
774 	size_t len = 0;
775 	unsigned char input[5];
776 	unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
777 	struct drbg_string data;
778 
779 	/* 10.4.1 step 3 */
780 	input[0] = 1;
781 	drbg_cpu_to_be32((outlen * 8), &input[1]);
782 
783 	/* 10.4.1 step 4.1 -- concatenation of data for input into hash */
784 	drbg_string_fill(&data, input, 5);
785 	list_add(&data.list, entropylist);
786 
787 	/* 10.4.1 step 4 */
788 	while (len < outlen) {
789 		short blocklen = 0;
790 		/* 10.4.1 step 4.1 */
791 		ret = drbg_kcapi_hash(drbg, tmp, entropylist);
792 		if (ret)
793 			goto out;
794 		/* 10.4.1 step 4.2 */
795 		input[0]++;
796 		blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
797 			    drbg_blocklen(drbg) : (outlen - len);
798 		memcpy(outval + len, tmp, blocklen);
799 		len += blocklen;
800 	}
801 
802 out:
803 	memset(tmp, 0, drbg_blocklen(drbg));
804 	return ret;
805 }
806 
807 /* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
drbg_hash_update(struct drbg_state * drbg,struct list_head * seed,int reseed)808 static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
809 			    int reseed)
810 {
811 	int ret = 0;
812 	struct drbg_string data1, data2;
813 	LIST_HEAD(datalist);
814 	LIST_HEAD(datalist2);
815 	unsigned char *V = drbg->scratchpad;
816 	unsigned char prefix = DRBG_PREFIX1;
817 
818 	if (!seed)
819 		return -EINVAL;
820 
821 	if (reseed) {
822 		/* 10.1.1.3 step 1 */
823 		memcpy(V, drbg->V, drbg_statelen(drbg));
824 		drbg_string_fill(&data1, &prefix, 1);
825 		list_add_tail(&data1.list, &datalist);
826 		drbg_string_fill(&data2, V, drbg_statelen(drbg));
827 		list_add_tail(&data2.list, &datalist);
828 	}
829 	list_splice_tail(seed, &datalist);
830 
831 	/* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
832 	ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
833 	if (ret)
834 		goto out;
835 
836 	/* 10.1.1.2 / 10.1.1.3 step 4  */
837 	prefix = DRBG_PREFIX0;
838 	drbg_string_fill(&data1, &prefix, 1);
839 	list_add_tail(&data1.list, &datalist2);
840 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
841 	list_add_tail(&data2.list, &datalist2);
842 	/* 10.1.1.2 / 10.1.1.3 step 4 */
843 	ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
844 
845 out:
846 	memset(drbg->scratchpad, 0, drbg_statelen(drbg));
847 	return ret;
848 }
849 
850 /* processing of additional information string for Hash DRBG */
drbg_hash_process_addtl(struct drbg_state * drbg,struct list_head * addtl)851 static int drbg_hash_process_addtl(struct drbg_state *drbg,
852 				   struct list_head *addtl)
853 {
854 	int ret = 0;
855 	struct drbg_string data1, data2;
856 	LIST_HEAD(datalist);
857 	unsigned char prefix = DRBG_PREFIX2;
858 
859 	/* 10.1.1.4 step 2 */
860 	if (!addtl || list_empty(addtl))
861 		return 0;
862 
863 	/* 10.1.1.4 step 2a */
864 	drbg_string_fill(&data1, &prefix, 1);
865 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
866 	list_add_tail(&data1.list, &datalist);
867 	list_add_tail(&data2.list, &datalist);
868 	list_splice_tail(addtl, &datalist);
869 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
870 	if (ret)
871 		goto out;
872 
873 	/* 10.1.1.4 step 2b */
874 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
875 		     drbg->scratchpad, drbg_blocklen(drbg));
876 
877 out:
878 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
879 	return ret;
880 }
881 
882 /* Hashgen defined in 10.1.1.4 */
drbg_hash_hashgen(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen)883 static int drbg_hash_hashgen(struct drbg_state *drbg,
884 			     unsigned char *buf,
885 			     unsigned int buflen)
886 {
887 	int len = 0;
888 	int ret = 0;
889 	unsigned char *src = drbg->scratchpad;
890 	unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
891 	struct drbg_string data;
892 	LIST_HEAD(datalist);
893 
894 	/* 10.1.1.4 step hashgen 2 */
895 	memcpy(src, drbg->V, drbg_statelen(drbg));
896 
897 	drbg_string_fill(&data, src, drbg_statelen(drbg));
898 	list_add_tail(&data.list, &datalist);
899 	while (len < buflen) {
900 		unsigned int outlen = 0;
901 		/* 10.1.1.4 step hashgen 4.1 */
902 		ret = drbg_kcapi_hash(drbg, dst, &datalist);
903 		if (ret) {
904 			len = ret;
905 			goto out;
906 		}
907 		outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
908 			  drbg_blocklen(drbg) : (buflen - len);
909 		/* 10.1.1.4 step hashgen 4.2 */
910 		memcpy(buf + len, dst, outlen);
911 		len += outlen;
912 		/* 10.1.1.4 hashgen step 4.3 */
913 		if (len < buflen)
914 			crypto_inc(src, drbg_statelen(drbg));
915 	}
916 
917 out:
918 	memset(drbg->scratchpad, 0,
919 	       (drbg_statelen(drbg) + drbg_blocklen(drbg)));
920 	return len;
921 }
922 
923 /* generate function for Hash DRBG as defined in  10.1.1.4 */
drbg_hash_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct list_head * addtl)924 static int drbg_hash_generate(struct drbg_state *drbg,
925 			      unsigned char *buf, unsigned int buflen,
926 			      struct list_head *addtl)
927 {
928 	int len = 0;
929 	int ret = 0;
930 	union {
931 		unsigned char req[8];
932 		__be64 req_int;
933 	} u;
934 	unsigned char prefix = DRBG_PREFIX3;
935 	struct drbg_string data1, data2;
936 	LIST_HEAD(datalist);
937 
938 	/* 10.1.1.4 step 2 */
939 	ret = drbg_hash_process_addtl(drbg, addtl);
940 	if (ret)
941 		return ret;
942 	/* 10.1.1.4 step 3 */
943 	len = drbg_hash_hashgen(drbg, buf, buflen);
944 
945 	/* this is the value H as documented in 10.1.1.4 */
946 	/* 10.1.1.4 step 4 */
947 	drbg_string_fill(&data1, &prefix, 1);
948 	list_add_tail(&data1.list, &datalist);
949 	drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
950 	list_add_tail(&data2.list, &datalist);
951 	ret = drbg_kcapi_hash(drbg, drbg->scratchpad, &datalist);
952 	if (ret) {
953 		len = ret;
954 		goto out;
955 	}
956 
957 	/* 10.1.1.4 step 5 */
958 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
959 		     drbg->scratchpad, drbg_blocklen(drbg));
960 	drbg_add_buf(drbg->V, drbg_statelen(drbg),
961 		     drbg->C, drbg_statelen(drbg));
962 	u.req_int = cpu_to_be64(drbg->reseed_ctr);
963 	drbg_add_buf(drbg->V, drbg_statelen(drbg), u.req, 8);
964 
965 out:
966 	memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
967 	return len;
968 }
969 
970 /*
971  * scratchpad usage: as update and generate are used isolated, both
972  * can use the scratchpad
973  */
974 static const struct drbg_state_ops drbg_hash_ops = {
975 	.update		= drbg_hash_update,
976 	.generate	= drbg_hash_generate,
977 	.crypto_init	= drbg_init_hash_kernel,
978 	.crypto_fini	= drbg_fini_hash_kernel,
979 };
980 #endif /* CONFIG_CRYPTO_DRBG_HASH */
981 
982 /******************************************************************
983  * Functions common for DRBG implementations
984  ******************************************************************/
985 
__drbg_seed(struct drbg_state * drbg,struct list_head * seed,int reseed)986 static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed,
987 			      int reseed)
988 {
989 	int ret = drbg->d_ops->update(drbg, seed, reseed);
990 
991 	if (ret)
992 		return ret;
993 
994 	drbg->seeded = true;
995 	/* 10.1.1.2 / 10.1.1.3 step 5 */
996 	drbg->reseed_ctr = 1;
997 
998 	return ret;
999 }
1000 
drbg_async_seed(struct work_struct * work)1001 static void drbg_async_seed(struct work_struct *work)
1002 {
1003 	struct drbg_string data;
1004 	LIST_HEAD(seedlist);
1005 	struct drbg_state *drbg = container_of(work, struct drbg_state,
1006 					       seed_work);
1007 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1008 	unsigned char entropy[32];
1009 
1010 	BUG_ON(!entropylen);
1011 	BUG_ON(entropylen > sizeof(entropy));
1012 	get_random_bytes(entropy, entropylen);
1013 
1014 	drbg_string_fill(&data, entropy, entropylen);
1015 	list_add_tail(&data.list, &seedlist);
1016 
1017 	mutex_lock(&drbg->drbg_mutex);
1018 
1019 	/* If nonblocking pool is initialized, deactivate Jitter RNG */
1020 	crypto_free_rng(drbg->jent);
1021 	drbg->jent = NULL;
1022 
1023 	/* Set seeded to false so that if __drbg_seed fails the
1024 	 * next generate call will trigger a reseed.
1025 	 */
1026 	drbg->seeded = false;
1027 
1028 	__drbg_seed(drbg, &seedlist, true);
1029 
1030 	if (drbg->seeded)
1031 		drbg->reseed_threshold = drbg_max_requests(drbg);
1032 
1033 	mutex_unlock(&drbg->drbg_mutex);
1034 
1035 	memzero_explicit(entropy, entropylen);
1036 }
1037 
1038 /*
1039  * Seeding or reseeding of the DRBG
1040  *
1041  * @drbg: DRBG state struct
1042  * @pers: personalization / additional information buffer
1043  * @reseed: 0 for initial seed process, 1 for reseeding
1044  *
1045  * return:
1046  *	0 on success
1047  *	error value otherwise
1048  */
drbg_seed(struct drbg_state * drbg,struct drbg_string * pers,bool reseed)1049 static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1050 		     bool reseed)
1051 {
1052 	int ret;
1053 	unsigned char entropy[((32 + 16) * 2)];
1054 	unsigned int entropylen = drbg_sec_strength(drbg->core->flags);
1055 	struct drbg_string data1;
1056 	LIST_HEAD(seedlist);
1057 
1058 	/* 9.1 / 9.2 / 9.3.1 step 3 */
1059 	if (pers && pers->len > (drbg_max_addtl(drbg))) {
1060 		pr_devel("DRBG: personalization string too long %zu\n",
1061 			 pers->len);
1062 		return -EINVAL;
1063 	}
1064 
1065 	if (list_empty(&drbg->test_data.list)) {
1066 		drbg_string_fill(&data1, drbg->test_data.buf,
1067 				 drbg->test_data.len);
1068 		pr_devel("DRBG: using test entropy\n");
1069 	} else {
1070 		/*
1071 		 * Gather entropy equal to the security strength of the DRBG.
1072 		 * With a derivation function, a nonce is required in addition
1073 		 * to the entropy. A nonce must be at least 1/2 of the security
1074 		 * strength of the DRBG in size. Thus, entropy + nonce is 3/2
1075 		 * of the strength. The consideration of a nonce is only
1076 		 * applicable during initial seeding.
1077 		 */
1078 		BUG_ON(!entropylen);
1079 		if (!reseed)
1080 			entropylen = ((entropylen + 1) / 2) * 3;
1081 		BUG_ON((entropylen * 2) > sizeof(entropy));
1082 
1083 		/* Get seed from in-kernel /dev/urandom */
1084 		get_random_bytes(entropy, entropylen);
1085 
1086 		if (!drbg->jent) {
1087 			drbg_string_fill(&data1, entropy, entropylen);
1088 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1089 				 entropylen);
1090 		} else {
1091 			/* Get seed from Jitter RNG */
1092 			ret = crypto_rng_get_bytes(drbg->jent,
1093 						   entropy + entropylen,
1094 						   entropylen);
1095 			if (ret) {
1096 				pr_devel("DRBG: jent failed with %d\n", ret);
1097 				return ret;
1098 			}
1099 
1100 			drbg_string_fill(&data1, entropy, entropylen * 2);
1101 			pr_devel("DRBG: (re)seeding with %u bytes of entropy\n",
1102 				 entropylen * 2);
1103 		}
1104 	}
1105 	list_add_tail(&data1.list, &seedlist);
1106 
1107 	/*
1108 	 * concatenation of entropy with personalization str / addtl input)
1109 	 * the variable pers is directly handed in by the caller, so check its
1110 	 * contents whether it is appropriate
1111 	 */
1112 	if (pers && pers->buf && 0 < pers->len) {
1113 		list_add_tail(&pers->list, &seedlist);
1114 		pr_devel("DRBG: using personalization string\n");
1115 	}
1116 
1117 	if (!reseed) {
1118 		memset(drbg->V, 0, drbg_statelen(drbg));
1119 		memset(drbg->C, 0, drbg_statelen(drbg));
1120 	}
1121 
1122 	ret = __drbg_seed(drbg, &seedlist, reseed);
1123 
1124 	memzero_explicit(entropy, entropylen * 2);
1125 
1126 	return ret;
1127 }
1128 
1129 /* Free all substructures in a DRBG state without the DRBG state structure */
drbg_dealloc_state(struct drbg_state * drbg)1130 static inline void drbg_dealloc_state(struct drbg_state *drbg)
1131 {
1132 	if (!drbg)
1133 		return;
1134 	kzfree(drbg->Vbuf);
1135 	drbg->Vbuf = NULL;
1136 	drbg->V = NULL;
1137 	kzfree(drbg->Cbuf);
1138 	drbg->Cbuf = NULL;
1139 	drbg->C = NULL;
1140 	kzfree(drbg->scratchpadbuf);
1141 	drbg->scratchpadbuf = NULL;
1142 	drbg->reseed_ctr = 0;
1143 	drbg->d_ops = NULL;
1144 	drbg->core = NULL;
1145 }
1146 
1147 /*
1148  * Allocate all sub-structures for a DRBG state.
1149  * The DRBG state structure must already be allocated.
1150  */
drbg_alloc_state(struct drbg_state * drbg)1151 static inline int drbg_alloc_state(struct drbg_state *drbg)
1152 {
1153 	int ret = -ENOMEM;
1154 	unsigned int sb_size = 0;
1155 
1156 	switch (drbg->core->flags & DRBG_TYPE_MASK) {
1157 #ifdef CONFIG_CRYPTO_DRBG_HMAC
1158 	case DRBG_HMAC:
1159 		drbg->d_ops = &drbg_hmac_ops;
1160 		break;
1161 #endif /* CONFIG_CRYPTO_DRBG_HMAC */
1162 #ifdef CONFIG_CRYPTO_DRBG_HASH
1163 	case DRBG_HASH:
1164 		drbg->d_ops = &drbg_hash_ops;
1165 		break;
1166 #endif /* CONFIG_CRYPTO_DRBG_HASH */
1167 #ifdef CONFIG_CRYPTO_DRBG_CTR
1168 	case DRBG_CTR:
1169 		drbg->d_ops = &drbg_ctr_ops;
1170 		break;
1171 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1172 	default:
1173 		ret = -EOPNOTSUPP;
1174 		goto err;
1175 	}
1176 
1177 	ret = drbg->d_ops->crypto_init(drbg);
1178 	if (ret < 0)
1179 		goto err;
1180 
1181 	drbg->Vbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1182 	if (!drbg->Vbuf) {
1183 		ret = -ENOMEM;
1184 		goto fini;
1185 	}
1186 	drbg->V = PTR_ALIGN(drbg->Vbuf, ret + 1);
1187 	drbg->Cbuf = kmalloc(drbg_statelen(drbg) + ret, GFP_KERNEL);
1188 	if (!drbg->Cbuf) {
1189 		ret = -ENOMEM;
1190 		goto fini;
1191 	}
1192 	drbg->C = PTR_ALIGN(drbg->Cbuf, ret + 1);
1193 	/* scratchpad is only generated for CTR and Hash */
1194 	if (drbg->core->flags & DRBG_HMAC)
1195 		sb_size = 0;
1196 	else if (drbg->core->flags & DRBG_CTR)
1197 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1198 			  drbg_statelen(drbg) +	/* df_data */
1199 			  drbg_blocklen(drbg) +	/* pad */
1200 			  drbg_blocklen(drbg) +	/* iv */
1201 			  drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1202 	else
1203 		sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1204 
1205 	if (0 < sb_size) {
1206 		drbg->scratchpadbuf = kzalloc(sb_size + ret, GFP_KERNEL);
1207 		if (!drbg->scratchpadbuf) {
1208 			ret = -ENOMEM;
1209 			goto fini;
1210 		}
1211 		drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1);
1212 	}
1213 
1214 	return 0;
1215 
1216 fini:
1217 	drbg->d_ops->crypto_fini(drbg);
1218 err:
1219 	drbg_dealloc_state(drbg);
1220 	return ret;
1221 }
1222 
1223 /*************************************************************************
1224  * DRBG interface functions
1225  *************************************************************************/
1226 
1227 /*
1228  * DRBG generate function as required by SP800-90A - this function
1229  * generates random numbers
1230  *
1231  * @drbg DRBG state handle
1232  * @buf Buffer where to store the random numbers -- the buffer must already
1233  *      be pre-allocated by caller
1234  * @buflen Length of output buffer - this value defines the number of random
1235  *	   bytes pulled from DRBG
1236  * @addtl Additional input that is mixed into state, may be NULL -- note
1237  *	  the entropy is pulled by the DRBG internally unconditionally
1238  *	  as defined in SP800-90A. The additional input is mixed into
1239  *	  the state in addition to the pulled entropy.
1240  *
1241  * return: 0 when all bytes are generated; < 0 in case of an error
1242  */
drbg_generate(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1243 static int drbg_generate(struct drbg_state *drbg,
1244 			 unsigned char *buf, unsigned int buflen,
1245 			 struct drbg_string *addtl)
1246 {
1247 	int len = 0;
1248 	LIST_HEAD(addtllist);
1249 
1250 	if (!drbg->core) {
1251 		pr_devel("DRBG: not yet seeded\n");
1252 		return -EINVAL;
1253 	}
1254 	if (0 == buflen || !buf) {
1255 		pr_devel("DRBG: no output buffer provided\n");
1256 		return -EINVAL;
1257 	}
1258 	if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1259 		pr_devel("DRBG: wrong format of additional information\n");
1260 		return -EINVAL;
1261 	}
1262 
1263 	/* 9.3.1 step 2 */
1264 	len = -EINVAL;
1265 	if (buflen > (drbg_max_request_bytes(drbg))) {
1266 		pr_devel("DRBG: requested random numbers too large %u\n",
1267 			 buflen);
1268 		goto err;
1269 	}
1270 
1271 	/* 9.3.1 step 3 is implicit with the chosen DRBG */
1272 
1273 	/* 9.3.1 step 4 */
1274 	if (addtl && addtl->len > (drbg_max_addtl(drbg))) {
1275 		pr_devel("DRBG: additional information string too long %zu\n",
1276 			 addtl->len);
1277 		goto err;
1278 	}
1279 	/* 9.3.1 step 5 is implicit with the chosen DRBG */
1280 
1281 	/*
1282 	 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1283 	 * here. The spec is a bit convoluted here, we make it simpler.
1284 	 */
1285 	if (drbg->reseed_threshold < drbg->reseed_ctr)
1286 		drbg->seeded = false;
1287 
1288 	if (drbg->pr || !drbg->seeded) {
1289 		pr_devel("DRBG: reseeding before generation (prediction "
1290 			 "resistance: %s, state %s)\n",
1291 			 drbg->pr ? "true" : "false",
1292 			 drbg->seeded ? "seeded" : "unseeded");
1293 		/* 9.3.1 steps 7.1 through 7.3 */
1294 		len = drbg_seed(drbg, addtl, true);
1295 		if (len)
1296 			goto err;
1297 		/* 9.3.1 step 7.4 */
1298 		addtl = NULL;
1299 	}
1300 
1301 	if (addtl && 0 < addtl->len)
1302 		list_add_tail(&addtl->list, &addtllist);
1303 	/* 9.3.1 step 8 and 10 */
1304 	len = drbg->d_ops->generate(drbg, buf, buflen, &addtllist);
1305 
1306 	/* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1307 	drbg->reseed_ctr++;
1308 	if (0 >= len)
1309 		goto err;
1310 
1311 	/*
1312 	 * Section 11.3.3 requires to re-perform self tests after some
1313 	 * generated random numbers. The chosen value after which self
1314 	 * test is performed is arbitrary, but it should be reasonable.
1315 	 * However, we do not perform the self tests because of the following
1316 	 * reasons: it is mathematically impossible that the initial self tests
1317 	 * were successfully and the following are not. If the initial would
1318 	 * pass and the following would not, the kernel integrity is violated.
1319 	 * In this case, the entire kernel operation is questionable and it
1320 	 * is unlikely that the integrity violation only affects the
1321 	 * correct operation of the DRBG.
1322 	 *
1323 	 * Albeit the following code is commented out, it is provided in
1324 	 * case somebody has a need to implement the test of 11.3.3.
1325 	 */
1326 #if 0
1327 	if (drbg->reseed_ctr && !(drbg->reseed_ctr % 4096)) {
1328 		int err = 0;
1329 		pr_devel("DRBG: start to perform self test\n");
1330 		if (drbg->core->flags & DRBG_HMAC)
1331 			err = alg_test("drbg_pr_hmac_sha256",
1332 				       "drbg_pr_hmac_sha256", 0, 0);
1333 		else if (drbg->core->flags & DRBG_CTR)
1334 			err = alg_test("drbg_pr_ctr_aes128",
1335 				       "drbg_pr_ctr_aes128", 0, 0);
1336 		else
1337 			err = alg_test("drbg_pr_sha256",
1338 				       "drbg_pr_sha256", 0, 0);
1339 		if (err) {
1340 			pr_err("DRBG: periodical self test failed\n");
1341 			/*
1342 			 * uninstantiate implies that from now on, only errors
1343 			 * are returned when reusing this DRBG cipher handle
1344 			 */
1345 			drbg_uninstantiate(drbg);
1346 			return 0;
1347 		} else {
1348 			pr_devel("DRBG: self test successful\n");
1349 		}
1350 	}
1351 #endif
1352 
1353 	/*
1354 	 * All operations were successful, return 0 as mandated by
1355 	 * the kernel crypto API interface.
1356 	 */
1357 	len = 0;
1358 err:
1359 	return len;
1360 }
1361 
1362 /*
1363  * Wrapper around drbg_generate which can pull arbitrary long strings
1364  * from the DRBG without hitting the maximum request limitation.
1365  *
1366  * Parameters: see drbg_generate
1367  * Return codes: see drbg_generate -- if one drbg_generate request fails,
1368  *		 the entire drbg_generate_long request fails
1369  */
drbg_generate_long(struct drbg_state * drbg,unsigned char * buf,unsigned int buflen,struct drbg_string * addtl)1370 static int drbg_generate_long(struct drbg_state *drbg,
1371 			      unsigned char *buf, unsigned int buflen,
1372 			      struct drbg_string *addtl)
1373 {
1374 	unsigned int len = 0;
1375 	unsigned int slice = 0;
1376 	do {
1377 		int err = 0;
1378 		unsigned int chunk = 0;
1379 		slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1380 		chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1381 		mutex_lock(&drbg->drbg_mutex);
1382 		err = drbg_generate(drbg, buf + len, chunk, addtl);
1383 		mutex_unlock(&drbg->drbg_mutex);
1384 		if (0 > err)
1385 			return err;
1386 		len += chunk;
1387 	} while (slice > 0 && (len < buflen));
1388 	return 0;
1389 }
1390 
drbg_schedule_async_seed(struct random_ready_callback * rdy)1391 static void drbg_schedule_async_seed(struct random_ready_callback *rdy)
1392 {
1393 	struct drbg_state *drbg = container_of(rdy, struct drbg_state,
1394 					       random_ready);
1395 
1396 	schedule_work(&drbg->seed_work);
1397 }
1398 
drbg_prepare_hrng(struct drbg_state * drbg)1399 static int drbg_prepare_hrng(struct drbg_state *drbg)
1400 {
1401 	int err;
1402 
1403 	/* We do not need an HRNG in test mode. */
1404 	if (list_empty(&drbg->test_data.list))
1405 		return 0;
1406 
1407 	INIT_WORK(&drbg->seed_work, drbg_async_seed);
1408 
1409 	drbg->random_ready.owner = THIS_MODULE;
1410 	drbg->random_ready.func = drbg_schedule_async_seed;
1411 
1412 	err = add_random_ready_callback(&drbg->random_ready);
1413 
1414 	switch (err) {
1415 	case 0:
1416 		break;
1417 
1418 	case -EALREADY:
1419 		err = 0;
1420 		/* fall through */
1421 
1422 	default:
1423 		drbg->random_ready.func = NULL;
1424 		return err;
1425 	}
1426 
1427 	drbg->jent = crypto_alloc_rng("jitterentropy_rng", 0, 0);
1428 
1429 	/*
1430 	 * Require frequent reseeds until the seed source is fully
1431 	 * initialized.
1432 	 */
1433 	drbg->reseed_threshold = 50;
1434 
1435 	return err;
1436 }
1437 
1438 /*
1439  * DRBG instantiation function as required by SP800-90A - this function
1440  * sets up the DRBG handle, performs the initial seeding and all sanity
1441  * checks required by SP800-90A
1442  *
1443  * @drbg memory of state -- if NULL, new memory is allocated
1444  * @pers Personalization string that is mixed into state, may be NULL -- note
1445  *	 the entropy is pulled by the DRBG internally unconditionally
1446  *	 as defined in SP800-90A. The additional input is mixed into
1447  *	 the state in addition to the pulled entropy.
1448  * @coreref reference to core
1449  * @pr prediction resistance enabled
1450  *
1451  * return
1452  *	0 on success
1453  *	error value otherwise
1454  */
drbg_instantiate(struct drbg_state * drbg,struct drbg_string * pers,int coreref,bool pr)1455 static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1456 			    int coreref, bool pr)
1457 {
1458 	int ret;
1459 	bool reseed = true;
1460 
1461 	pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1462 		 "%s\n", coreref, pr ? "enabled" : "disabled");
1463 	mutex_lock(&drbg->drbg_mutex);
1464 
1465 	/* 9.1 step 1 is implicit with the selected DRBG type */
1466 
1467 	/*
1468 	 * 9.1 step 2 is implicit as caller can select prediction resistance
1469 	 * and the flag is copied into drbg->flags --
1470 	 * all DRBG types support prediction resistance
1471 	 */
1472 
1473 	/* 9.1 step 4 is implicit in  drbg_sec_strength */
1474 
1475 	if (!drbg->core) {
1476 		drbg->core = &drbg_cores[coreref];
1477 		drbg->pr = pr;
1478 		drbg->seeded = false;
1479 		drbg->reseed_threshold = drbg_max_requests(drbg);
1480 
1481 		ret = drbg_alloc_state(drbg);
1482 		if (ret)
1483 			goto unlock;
1484 
1485 		ret = drbg_prepare_hrng(drbg);
1486 		if (ret)
1487 			goto free_everything;
1488 
1489 		if (IS_ERR(drbg->jent)) {
1490 			ret = PTR_ERR(drbg->jent);
1491 			drbg->jent = NULL;
1492 			if (fips_enabled || ret != -ENOENT)
1493 				goto free_everything;
1494 			pr_info("DRBG: Continuing without Jitter RNG\n");
1495 		}
1496 
1497 		reseed = false;
1498 	}
1499 
1500 	ret = drbg_seed(drbg, pers, reseed);
1501 
1502 	if (ret && !reseed)
1503 		goto free_everything;
1504 
1505 	mutex_unlock(&drbg->drbg_mutex);
1506 	return ret;
1507 
1508 unlock:
1509 	mutex_unlock(&drbg->drbg_mutex);
1510 	return ret;
1511 
1512 free_everything:
1513 	mutex_unlock(&drbg->drbg_mutex);
1514 	drbg_uninstantiate(drbg);
1515 	return ret;
1516 }
1517 
1518 /*
1519  * DRBG uninstantiate function as required by SP800-90A - this function
1520  * frees all buffers and the DRBG handle
1521  *
1522  * @drbg DRBG state handle
1523  *
1524  * return
1525  *	0 on success
1526  */
drbg_uninstantiate(struct drbg_state * drbg)1527 static int drbg_uninstantiate(struct drbg_state *drbg)
1528 {
1529 	if (drbg->random_ready.func) {
1530 		del_random_ready_callback(&drbg->random_ready);
1531 		cancel_work_sync(&drbg->seed_work);
1532 		crypto_free_rng(drbg->jent);
1533 		drbg->jent = NULL;
1534 	}
1535 
1536 	if (drbg->d_ops)
1537 		drbg->d_ops->crypto_fini(drbg);
1538 	drbg_dealloc_state(drbg);
1539 	/* no scrubbing of test_data -- this shall survive an uninstantiate */
1540 	return 0;
1541 }
1542 
1543 /*
1544  * Helper function for setting the test data in the DRBG
1545  *
1546  * @drbg DRBG state handle
1547  * @data test data
1548  * @len test data length
1549  */
drbg_kcapi_set_entropy(struct crypto_rng * tfm,const u8 * data,unsigned int len)1550 static void drbg_kcapi_set_entropy(struct crypto_rng *tfm,
1551 				   const u8 *data, unsigned int len)
1552 {
1553 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1554 
1555 	mutex_lock(&drbg->drbg_mutex);
1556 	drbg_string_fill(&drbg->test_data, data, len);
1557 	mutex_unlock(&drbg->drbg_mutex);
1558 }
1559 
1560 /***************************************************************
1561  * Kernel crypto API cipher invocations requested by DRBG
1562  ***************************************************************/
1563 
1564 #if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1565 struct sdesc {
1566 	struct shash_desc shash;
1567 	char ctx[];
1568 };
1569 
drbg_init_hash_kernel(struct drbg_state * drbg)1570 static int drbg_init_hash_kernel(struct drbg_state *drbg)
1571 {
1572 	struct sdesc *sdesc;
1573 	struct crypto_shash *tfm;
1574 
1575 	tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1576 	if (IS_ERR(tfm)) {
1577 		pr_info("DRBG: could not allocate digest TFM handle: %s\n",
1578 				drbg->core->backend_cra_name);
1579 		return PTR_ERR(tfm);
1580 	}
1581 	BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1582 	sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1583 			GFP_KERNEL);
1584 	if (!sdesc) {
1585 		crypto_free_shash(tfm);
1586 		return -ENOMEM;
1587 	}
1588 
1589 	sdesc->shash.tfm = tfm;
1590 	sdesc->shash.flags = 0;
1591 	drbg->priv_data = sdesc;
1592 
1593 	return crypto_shash_alignmask(tfm);
1594 }
1595 
drbg_fini_hash_kernel(struct drbg_state * drbg)1596 static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1597 {
1598 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1599 	if (sdesc) {
1600 		crypto_free_shash(sdesc->shash.tfm);
1601 		kzfree(sdesc);
1602 	}
1603 	drbg->priv_data = NULL;
1604 	return 0;
1605 }
1606 
drbg_kcapi_hmacsetkey(struct drbg_state * drbg,const unsigned char * key)1607 static void drbg_kcapi_hmacsetkey(struct drbg_state *drbg,
1608 				  const unsigned char *key)
1609 {
1610 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1611 
1612 	crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1613 }
1614 
drbg_kcapi_hash(struct drbg_state * drbg,unsigned char * outval,const struct list_head * in)1615 static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
1616 			   const struct list_head *in)
1617 {
1618 	struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1619 	struct drbg_string *input = NULL;
1620 
1621 	crypto_shash_init(&sdesc->shash);
1622 	list_for_each_entry(input, in, list)
1623 		crypto_shash_update(&sdesc->shash, input->buf, input->len);
1624 	return crypto_shash_final(&sdesc->shash, outval);
1625 }
1626 #endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1627 
1628 #ifdef CONFIG_CRYPTO_DRBG_CTR
drbg_fini_sym_kernel(struct drbg_state * drbg)1629 static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1630 {
1631 	struct crypto_cipher *tfm =
1632 		(struct crypto_cipher *)drbg->priv_data;
1633 	if (tfm)
1634 		crypto_free_cipher(tfm);
1635 	drbg->priv_data = NULL;
1636 
1637 	if (drbg->ctr_handle)
1638 		crypto_free_skcipher(drbg->ctr_handle);
1639 	drbg->ctr_handle = NULL;
1640 
1641 	if (drbg->ctr_req)
1642 		skcipher_request_free(drbg->ctr_req);
1643 	drbg->ctr_req = NULL;
1644 
1645 	kfree(drbg->outscratchpadbuf);
1646 	drbg->outscratchpadbuf = NULL;
1647 
1648 	return 0;
1649 }
1650 
drbg_init_sym_kernel(struct drbg_state * drbg)1651 static int drbg_init_sym_kernel(struct drbg_state *drbg)
1652 {
1653 	struct crypto_cipher *tfm;
1654 	struct crypto_skcipher *sk_tfm;
1655 	struct skcipher_request *req;
1656 	unsigned int alignmask;
1657 	char ctr_name[CRYPTO_MAX_ALG_NAME];
1658 
1659 	tfm = crypto_alloc_cipher(drbg->core->backend_cra_name, 0, 0);
1660 	if (IS_ERR(tfm)) {
1661 		pr_info("DRBG: could not allocate cipher TFM handle: %s\n",
1662 				drbg->core->backend_cra_name);
1663 		return PTR_ERR(tfm);
1664 	}
1665 	BUG_ON(drbg_blocklen(drbg) != crypto_cipher_blocksize(tfm));
1666 	drbg->priv_data = tfm;
1667 
1668 	if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
1669 	    drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
1670 		drbg_fini_sym_kernel(drbg);
1671 		return -EINVAL;
1672 	}
1673 	sk_tfm = crypto_alloc_skcipher(ctr_name, 0, 0);
1674 	if (IS_ERR(sk_tfm)) {
1675 		pr_info("DRBG: could not allocate CTR cipher TFM handle: %s\n",
1676 				ctr_name);
1677 		drbg_fini_sym_kernel(drbg);
1678 		return PTR_ERR(sk_tfm);
1679 	}
1680 	drbg->ctr_handle = sk_tfm;
1681 	crypto_init_wait(&drbg->ctr_wait);
1682 
1683 	req = skcipher_request_alloc(sk_tfm, GFP_KERNEL);
1684 	if (!req) {
1685 		pr_info("DRBG: could not allocate request queue\n");
1686 		drbg_fini_sym_kernel(drbg);
1687 		return -ENOMEM;
1688 	}
1689 	drbg->ctr_req = req;
1690 	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
1691 						CRYPTO_TFM_REQ_MAY_SLEEP,
1692 					crypto_req_done, &drbg->ctr_wait);
1693 
1694 	alignmask = crypto_skcipher_alignmask(sk_tfm);
1695 	drbg->outscratchpadbuf = kmalloc(DRBG_OUTSCRATCHLEN + alignmask,
1696 					 GFP_KERNEL);
1697 	if (!drbg->outscratchpadbuf) {
1698 		drbg_fini_sym_kernel(drbg);
1699 		return -ENOMEM;
1700 	}
1701 	drbg->outscratchpad = (u8 *)PTR_ALIGN(drbg->outscratchpadbuf,
1702 					      alignmask + 1);
1703 
1704 	sg_init_table(&drbg->sg_in, 1);
1705 	sg_init_one(&drbg->sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
1706 
1707 	return alignmask;
1708 }
1709 
drbg_kcapi_symsetkey(struct drbg_state * drbg,const unsigned char * key)1710 static void drbg_kcapi_symsetkey(struct drbg_state *drbg,
1711 				 const unsigned char *key)
1712 {
1713 	struct crypto_cipher *tfm =
1714 		(struct crypto_cipher *)drbg->priv_data;
1715 
1716 	crypto_cipher_setkey(tfm, key, (drbg_keylen(drbg)));
1717 }
1718 
drbg_kcapi_sym(struct drbg_state * drbg,unsigned char * outval,const struct drbg_string * in)1719 static int drbg_kcapi_sym(struct drbg_state *drbg, unsigned char *outval,
1720 			  const struct drbg_string *in)
1721 {
1722 	struct crypto_cipher *tfm =
1723 		(struct crypto_cipher *)drbg->priv_data;
1724 
1725 	/* there is only component in *in */
1726 	BUG_ON(in->len < drbg_blocklen(drbg));
1727 	crypto_cipher_encrypt_one(tfm, outval, in->buf);
1728 	return 0;
1729 }
1730 
drbg_kcapi_sym_ctr(struct drbg_state * drbg,u8 * inbuf,u32 inlen,u8 * outbuf,u32 outlen)1731 static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
1732 			      u8 *inbuf, u32 inlen,
1733 			      u8 *outbuf, u32 outlen)
1734 {
1735 	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
1736 	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
1737 	int ret;
1738 
1739 	if (inbuf) {
1740 		/* Use caller-provided input buffer */
1741 		sg_set_buf(sg_in, inbuf, inlen);
1742 	} else {
1743 		/* Use scratchpad for in-place operation */
1744 		inlen = scratchpad_use;
1745 		memset(drbg->outscratchpad, 0, scratchpad_use);
1746 		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
1747 	}
1748 
1749 	while (outlen) {
1750 		u32 cryptlen = min3(inlen, outlen, (u32)DRBG_OUTSCRATCHLEN);
1751 
1752 		/* Output buffer may not be valid for SGL, use scratchpad */
1753 		skcipher_request_set_crypt(drbg->ctr_req, sg_in, sg_out,
1754 					   cryptlen, drbg->V);
1755 		ret = crypto_wait_req(crypto_skcipher_encrypt(drbg->ctr_req),
1756 					&drbg->ctr_wait);
1757 		if (ret)
1758 			goto out;
1759 
1760 		crypto_init_wait(&drbg->ctr_wait);
1761 
1762 		memcpy(outbuf, drbg->outscratchpad, cryptlen);
1763 		memzero_explicit(drbg->outscratchpad, cryptlen);
1764 
1765 		outlen -= cryptlen;
1766 		outbuf += cryptlen;
1767 	}
1768 	ret = 0;
1769 
1770 out:
1771 	return ret;
1772 }
1773 #endif /* CONFIG_CRYPTO_DRBG_CTR */
1774 
1775 /***************************************************************
1776  * Kernel crypto API interface to register DRBG
1777  ***************************************************************/
1778 
1779 /*
1780  * Look up the DRBG flags by given kernel crypto API cra_name
1781  * The code uses the drbg_cores definition to do this
1782  *
1783  * @cra_name kernel crypto API cra_name
1784  * @coreref reference to integer which is filled with the pointer to
1785  *  the applicable core
1786  * @pr reference for setting prediction resistance
1787  *
1788  * return: flags
1789  */
drbg_convert_tfm_core(const char * cra_driver_name,int * coreref,bool * pr)1790 static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1791 					 int *coreref, bool *pr)
1792 {
1793 	int i = 0;
1794 	size_t start = 0;
1795 	int len = 0;
1796 
1797 	*pr = true;
1798 	/* disassemble the names */
1799 	if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1800 		start = 10;
1801 		*pr = false;
1802 	} else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1803 		start = 8;
1804 	} else {
1805 		return;
1806 	}
1807 
1808 	/* remove the first part */
1809 	len = strlen(cra_driver_name) - start;
1810 	for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1811 		if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1812 			    len)) {
1813 			*coreref = i;
1814 			return;
1815 		}
1816 	}
1817 }
1818 
drbg_kcapi_init(struct crypto_tfm * tfm)1819 static int drbg_kcapi_init(struct crypto_tfm *tfm)
1820 {
1821 	struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1822 
1823 	mutex_init(&drbg->drbg_mutex);
1824 
1825 	return 0;
1826 }
1827 
drbg_kcapi_cleanup(struct crypto_tfm * tfm)1828 static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1829 {
1830 	drbg_uninstantiate(crypto_tfm_ctx(tfm));
1831 }
1832 
1833 /*
1834  * Generate random numbers invoked by the kernel crypto API:
1835  * The API of the kernel crypto API is extended as follows:
1836  *
1837  * src is additional input supplied to the RNG.
1838  * slen is the length of src.
1839  * dst is the output buffer where random data is to be stored.
1840  * dlen is the length of dst.
1841  */
drbg_kcapi_random(struct crypto_rng * tfm,const u8 * src,unsigned int slen,u8 * dst,unsigned int dlen)1842 static int drbg_kcapi_random(struct crypto_rng *tfm,
1843 			     const u8 *src, unsigned int slen,
1844 			     u8 *dst, unsigned int dlen)
1845 {
1846 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1847 	struct drbg_string *addtl = NULL;
1848 	struct drbg_string string;
1849 
1850 	if (slen) {
1851 		/* linked list variable is now local to allow modification */
1852 		drbg_string_fill(&string, src, slen);
1853 		addtl = &string;
1854 	}
1855 
1856 	return drbg_generate_long(drbg, dst, dlen, addtl);
1857 }
1858 
1859 /*
1860  * Seed the DRBG invoked by the kernel crypto API
1861  */
drbg_kcapi_seed(struct crypto_rng * tfm,const u8 * seed,unsigned int slen)1862 static int drbg_kcapi_seed(struct crypto_rng *tfm,
1863 			   const u8 *seed, unsigned int slen)
1864 {
1865 	struct drbg_state *drbg = crypto_rng_ctx(tfm);
1866 	struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1867 	bool pr = false;
1868 	struct drbg_string string;
1869 	struct drbg_string *seed_string = NULL;
1870 	int coreref = 0;
1871 
1872 	drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1873 			      &pr);
1874 	if (0 < slen) {
1875 		drbg_string_fill(&string, seed, slen);
1876 		seed_string = &string;
1877 	}
1878 
1879 	return drbg_instantiate(drbg, seed_string, coreref, pr);
1880 }
1881 
1882 /***************************************************************
1883  * Kernel module: code to load the module
1884  ***************************************************************/
1885 
1886 /*
1887  * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1888  * of the error handling.
1889  *
1890  * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1891  * as seed source of get_random_bytes does not fail.
1892  *
1893  * Note 2: There is no sensible way of testing the reseed counter
1894  * enforcement, so skip it.
1895  */
drbg_healthcheck_sanity(void)1896 static inline int __init drbg_healthcheck_sanity(void)
1897 {
1898 	int len = 0;
1899 #define OUTBUFLEN 16
1900 	unsigned char buf[OUTBUFLEN];
1901 	struct drbg_state *drbg = NULL;
1902 	int ret = -EFAULT;
1903 	int rc = -EFAULT;
1904 	bool pr = false;
1905 	int coreref = 0;
1906 	struct drbg_string addtl;
1907 	size_t max_addtllen, max_request_bytes;
1908 
1909 	/* only perform test in FIPS mode */
1910 	if (!fips_enabled)
1911 		return 0;
1912 
1913 #ifdef CONFIG_CRYPTO_DRBG_CTR
1914 	drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1915 #elif defined CONFIG_CRYPTO_DRBG_HASH
1916 	drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1917 #else
1918 	drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1919 #endif
1920 
1921 	drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1922 	if (!drbg)
1923 		return -ENOMEM;
1924 
1925 	mutex_init(&drbg->drbg_mutex);
1926 	drbg->core = &drbg_cores[coreref];
1927 	drbg->reseed_threshold = drbg_max_requests(drbg);
1928 
1929 	/*
1930 	 * if the following tests fail, it is likely that there is a buffer
1931 	 * overflow as buf is much smaller than the requested or provided
1932 	 * string lengths -- in case the error handling does not succeed
1933 	 * we may get an OOPS. And we want to get an OOPS as this is a
1934 	 * grave bug.
1935 	 */
1936 
1937 	max_addtllen = drbg_max_addtl(drbg);
1938 	max_request_bytes = drbg_max_request_bytes(drbg);
1939 	drbg_string_fill(&addtl, buf, max_addtllen + 1);
1940 	/* overflow addtllen with additonal info string */
1941 	len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1942 	BUG_ON(0 < len);
1943 	/* overflow max_bits */
1944 	len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1945 	BUG_ON(0 < len);
1946 
1947 	/* overflow max addtllen with personalization string */
1948 	ret = drbg_seed(drbg, &addtl, false);
1949 	BUG_ON(0 == ret);
1950 	/* all tests passed */
1951 	rc = 0;
1952 
1953 	pr_devel("DRBG: Sanity tests for failure code paths successfully "
1954 		 "completed\n");
1955 
1956 	kfree(drbg);
1957 	return rc;
1958 }
1959 
1960 static struct rng_alg drbg_algs[22];
1961 
1962 /*
1963  * Fill the array drbg_algs used to register the different DRBGs
1964  * with the kernel crypto API. To fill the array, the information
1965  * from drbg_cores[] is used.
1966  */
drbg_fill_array(struct rng_alg * alg,const struct drbg_core * core,int pr)1967 static inline void __init drbg_fill_array(struct rng_alg *alg,
1968 					  const struct drbg_core *core, int pr)
1969 {
1970 	int pos = 0;
1971 	static int priority = 200;
1972 
1973 	memcpy(alg->base.cra_name, "stdrng", 6);
1974 	if (pr) {
1975 		memcpy(alg->base.cra_driver_name, "drbg_pr_", 8);
1976 		pos = 8;
1977 	} else {
1978 		memcpy(alg->base.cra_driver_name, "drbg_nopr_", 10);
1979 		pos = 10;
1980 	}
1981 	memcpy(alg->base.cra_driver_name + pos, core->cra_name,
1982 	       strlen(core->cra_name));
1983 
1984 	alg->base.cra_priority = priority;
1985 	priority++;
1986 	/*
1987 	 * If FIPS mode enabled, the selected DRBG shall have the
1988 	 * highest cra_priority over other stdrng instances to ensure
1989 	 * it is selected.
1990 	 */
1991 	if (fips_enabled)
1992 		alg->base.cra_priority += 200;
1993 
1994 	alg->base.cra_ctxsize 	= sizeof(struct drbg_state);
1995 	alg->base.cra_module	= THIS_MODULE;
1996 	alg->base.cra_init	= drbg_kcapi_init;
1997 	alg->base.cra_exit	= drbg_kcapi_cleanup;
1998 	alg->generate		= drbg_kcapi_random;
1999 	alg->seed		= drbg_kcapi_seed;
2000 	alg->set_ent		= drbg_kcapi_set_entropy;
2001 	alg->seedsize		= 0;
2002 }
2003 
drbg_init(void)2004 static int __init drbg_init(void)
2005 {
2006 	unsigned int i = 0; /* pointer to drbg_algs */
2007 	unsigned int j = 0; /* pointer to drbg_cores */
2008 	int ret;
2009 
2010 	ret = drbg_healthcheck_sanity();
2011 	if (ret)
2012 		return ret;
2013 
2014 	if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2015 		pr_info("DRBG: Cannot register all DRBG types"
2016 			"(slots needed: %zu, slots available: %zu)\n",
2017 			ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2018 		return -EFAULT;
2019 	}
2020 
2021 	/*
2022 	 * each DRBG definition can be used with PR and without PR, thus
2023 	 * we instantiate each DRBG in drbg_cores[] twice.
2024 	 *
2025 	 * As the order of placing them into the drbg_algs array matters
2026 	 * (the later DRBGs receive a higher cra_priority) we register the
2027 	 * prediction resistance DRBGs first as the should not be too
2028 	 * interesting.
2029 	 */
2030 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2031 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2032 	for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2033 		drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2034 	return crypto_register_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2035 }
2036 
drbg_exit(void)2037 static void __exit drbg_exit(void)
2038 {
2039 	crypto_unregister_rngs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2040 }
2041 
2042 module_init(drbg_init);
2043 module_exit(drbg_exit);
2044 #ifndef CRYPTO_DRBG_HASH_STRING
2045 #define CRYPTO_DRBG_HASH_STRING ""
2046 #endif
2047 #ifndef CRYPTO_DRBG_HMAC_STRING
2048 #define CRYPTO_DRBG_HMAC_STRING ""
2049 #endif
2050 #ifndef CRYPTO_DRBG_CTR_STRING
2051 #define CRYPTO_DRBG_CTR_STRING ""
2052 #endif
2053 MODULE_LICENSE("GPL");
2054 MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2055 MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2056 		   "using following cores: "
2057 		   CRYPTO_DRBG_HASH_STRING
2058 		   CRYPTO_DRBG_HMAC_STRING
2059 		   CRYPTO_DRBG_CTR_STRING);
2060 MODULE_ALIAS_CRYPTO("stdrng");
2061