1/*
  2 * algif_rng: User-space interface for random number generators
  3 *
  4 * This file provides the user-space API for random number generators.
  5 *
  6 * Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
  7 *
  8 * Redistribution and use in source and binary forms, with or without
  9 * modification, are permitted provided that the following conditions
 10 * are met:
 11 * 1. Redistributions of source code must retain the above copyright
 12 *    notice, and the entire permission notice in its entirety,
 13 *    including the disclaimer of warranties.
 14 * 2. Redistributions in binary form must reproduce the above copyright
 15 *    notice, this list of conditions and the following disclaimer in the
 16 *    documentation and/or other materials provided with the distribution.
 17 * 3. The name of the author may not be used to endorse or promote
 18 *    products derived from this software without specific prior
 19 *    written permission.
 20 *
 21 * ALTERNATIVELY, this product may be distributed under the terms of
 22 * the GNU General Public License, in which case the provisions of the GPL2
 23 * are required INSTEAD OF the above restrictions.  (This clause is
 24 * necessary due to a potential bad interaction between the GPL and
 25 * the restrictions contained in a BSD-style copyright.)
 26 *
 27 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 28 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
 30 * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
 31 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 32 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 33 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 34 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 35 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 36 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 37 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
 38 * DAMAGE.
 39 */
 40
 41#include <linux/capability.h>
 42#include <linux/module.h>
 43#include <crypto/rng.h>
 44#include <linux/random.h>
 45#include <crypto/if_alg.h>
 46#include <linux/net.h>
 47#include <net/sock.h>
 48
 49MODULE_LICENSE("GPL");
 50MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
 51MODULE_DESCRIPTION("User-space interface for random number generators");
 52
 53struct rng_ctx {
 54#define MAXSIZE 128
 55	unsigned int len;
 56	struct crypto_rng *drng;
 57	u8 *addtl;
 58	size_t addtl_len;
 59};
 60
 61struct rng_parent_ctx {
 62	struct crypto_rng *drng;
 63	u8 *entropy;
 64};
 65
 66static void rng_reset_addtl(struct rng_ctx *ctx)
 67{
 68	kfree_sensitive(ctx->addtl);
 69	ctx->addtl = NULL;
 70	ctx->addtl_len = 0;
 71}
 72
 73static int _rng_recvmsg(struct crypto_rng *drng, struct msghdr *msg, size_t len,
 74			u8 *addtl, size_t addtl_len)
 75{
 76	int err = 0;
 77	int genlen = 0;
 78	u8 result[MAXSIZE];
 79
 80	if (len == 0)
 81		return 0;
 82	if (len > MAXSIZE)
 83		len = MAXSIZE;
 84
 85	/*
 86	 * although not strictly needed, this is a precaution against coding
 87	 * errors
 88	 */
 89	memset(result, 0, len);
 90
 91	/*
 92	 * The enforcement of a proper seeding of an RNG is done within an
 93	 * RNG implementation. Some RNGs (DRBG, krng) do not need specific
 94	 * seeding as they automatically seed. The X9.31 DRNG will return
 95	 * an error if it was not seeded properly.
 96	 */
 97	genlen = crypto_rng_generate(drng, addtl, addtl_len, result, len);
 98	if (genlen < 0)
 99		return genlen;
100
101	err = memcpy_to_msg(msg, result, len);
102	memzero_explicit(result, len);
103
104	return err ? err : len;
105}
106
107static int rng_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
108		       int flags)
109{
110	struct sock *sk = sock->sk;
111	struct alg_sock *ask = alg_sk(sk);
112	struct rng_ctx *ctx = ask->private;
113
114	return _rng_recvmsg(ctx->drng, msg, len, NULL, 0);
115}
116
117static int rng_test_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
118			    int flags)
119{
120	struct sock *sk = sock->sk;
121	struct alg_sock *ask = alg_sk(sk);
122	struct rng_ctx *ctx = ask->private;
123	int ret;
124
125	lock_sock(sock->sk);
126	ret = _rng_recvmsg(ctx->drng, msg, len, ctx->addtl, ctx->addtl_len);
127	rng_reset_addtl(ctx);
128	release_sock(sock->sk);
129
130	return ret;
131}
132
133static int rng_test_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
134{
135	int err;
136	struct alg_sock *ask = alg_sk(sock->sk);
137	struct rng_ctx *ctx = ask->private;
138
139	lock_sock(sock->sk);
140	if (len > MAXSIZE) {
141		err = -EMSGSIZE;
142		goto unlock;
143	}
144
145	rng_reset_addtl(ctx);
146	ctx->addtl = kmalloc(len, GFP_KERNEL);
147	if (!ctx->addtl) {
148		err = -ENOMEM;
149		goto unlock;
150	}
151
152	err = memcpy_from_msg(ctx->addtl, msg, len);
153	if (err) {
154		rng_reset_addtl(ctx);
155		goto unlock;
156	}
157	ctx->addtl_len = len;
158
159unlock:
160	release_sock(sock->sk);
161	return err ? err : len;
162}
163
164static struct proto_ops algif_rng_ops = {
165	.family		=	PF_ALG,
166
167	.connect	=	sock_no_connect,
168	.socketpair	=	sock_no_socketpair,
169	.getname	=	sock_no_getname,
170	.ioctl		=	sock_no_ioctl,
171	.listen		=	sock_no_listen,
172	.shutdown	=	sock_no_shutdown,
173	.mmap		=	sock_no_mmap,
174	.bind		=	sock_no_bind,
175	.accept		=	sock_no_accept,
176	.sendmsg	=	sock_no_sendmsg,
177	.sendpage	=	sock_no_sendpage,
178
179	.release	=	af_alg_release,
180	.recvmsg	=	rng_recvmsg,
181};
182
183static struct proto_ops __maybe_unused algif_rng_test_ops = {
184	.family		=	PF_ALG,
185
186	.connect	=	sock_no_connect,
187	.socketpair	=	sock_no_socketpair,
188	.getname	=	sock_no_getname,
189	.ioctl		=	sock_no_ioctl,
190	.listen		=	sock_no_listen,
191	.shutdown	=	sock_no_shutdown,
192	.mmap		=	sock_no_mmap,
193	.bind		=	sock_no_bind,
194	.accept		=	sock_no_accept,
195	.sendpage	=	sock_no_sendpage,
196
197	.release	=	af_alg_release,
198	.recvmsg	=	rng_test_recvmsg,
199	.sendmsg	=	rng_test_sendmsg,
200};
201
202static void *rng_bind(const char *name, u32 type, u32 mask)
203{
204	struct rng_parent_ctx *pctx;
205	struct crypto_rng *rng;
206
207	pctx = kzalloc(sizeof(*pctx), GFP_KERNEL);
208	if (!pctx)
209		return ERR_PTR(-ENOMEM);
210
211	rng = crypto_alloc_rng(name, type, mask);
212	if (IS_ERR(rng)) {
213		kfree(pctx);
214		return ERR_CAST(rng);
215	}
216
217	pctx->drng = rng;
218	return pctx;
219}
220
221static void rng_release(void *private)
222{
223	struct rng_parent_ctx *pctx = private;
224
225	if (unlikely(!pctx))
226		return;
227	crypto_free_rng(pctx->drng);
228	kfree_sensitive(pctx->entropy);
229	kfree_sensitive(pctx);
230}
231
232static void rng_sock_destruct(struct sock *sk)
233{
234	struct alg_sock *ask = alg_sk(sk);
235	struct rng_ctx *ctx = ask->private;
236
237	rng_reset_addtl(ctx);
238	sock_kfree_s(sk, ctx, ctx->len);
239	af_alg_release_parent(sk);
240}
241
242static int rng_accept_parent(void *private, struct sock *sk)
243{
244	struct rng_ctx *ctx;
245	struct rng_parent_ctx *pctx = private;
246	struct alg_sock *ask = alg_sk(sk);
247	unsigned int len = sizeof(*ctx);
248
249	ctx = sock_kmalloc(sk, len, GFP_KERNEL);
250	if (!ctx)
251		return -ENOMEM;
252
253	ctx->len = len;
254	ctx->addtl = NULL;
255	ctx->addtl_len = 0;
256
257	/*
258	 * No seeding done at that point -- if multiple accepts are
259	 * done on one RNG instance, each resulting FD points to the same
260	 * state of the RNG.
261	 */
262
263	ctx->drng = pctx->drng;
264	ask->private = ctx;
265	sk->sk_destruct = rng_sock_destruct;
266
267	/*
268	 * Non NULL pctx->entropy means that CAVP test has been initiated on
269	 * this socket, replace proto_ops algif_rng_ops with algif_rng_test_ops.
270	 */
271	if (IS_ENABLED(CONFIG_CRYPTO_USER_API_RNG_CAVP) && pctx->entropy)
272		sk->sk_socket->ops = &algif_rng_test_ops;
273
274	return 0;
275}
276
277static int rng_setkey(void *private, const u8 *seed, unsigned int seedlen)
278{
279	struct rng_parent_ctx *pctx = private;
280	/*
281	 * Check whether seedlen is of sufficient size is done in RNG
282	 * implementations.
283	 */
284	return crypto_rng_reset(pctx->drng, seed, seedlen);
285}
286
287static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
288					 unsigned int len)
289{
290	struct rng_parent_ctx *pctx = private;
291	u8 *kentropy = NULL;
292
293	if (!capable(CAP_SYS_ADMIN))
294		return -EACCES;
295
296	if (pctx->entropy)
297		return -EINVAL;
298
299	if (len > MAXSIZE)
300		return -EMSGSIZE;
301
302	if (len) {
303		kentropy = memdup_sockptr(entropy, len);
304		if (IS_ERR(kentropy))
305			return PTR_ERR(kentropy);
306	}
307
308	crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
309	/*
310	 * Since rng doesn't perform any memory management for the entropy
311	 * buffer, save kentropy pointer to pctx now to free it after use.
312	 */
313	pctx->entropy = kentropy;
314	return 0;
315}
316
317static const struct af_alg_type algif_type_rng = {
318	.bind		=	rng_bind,
319	.release	=	rng_release,
320	.accept		=	rng_accept_parent,
321	.setkey		=	rng_setkey,
322#ifdef CONFIG_CRYPTO_USER_API_RNG_CAVP
323	.setentropy	=	rng_setentropy,
324#endif
325	.ops		=	&algif_rng_ops,
326	.name		=	"rng",
327	.owner		=	THIS_MODULE
328};
329
330static int __init rng_init(void)
331{
332	return af_alg_register_type(&algif_type_rng);
333}
334
335static void __exit rng_exit(void)
336{
337	int err = af_alg_unregister_type(&algif_type_rng);
338	BUG_ON(err);
339}
340
341module_init(rng_init);
342module_exit(rng_exit);